Page 1: Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1.

Lesson 12

Configuring Security Appliance Remote Access Using Cisco Easy VPN

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1

Introduction to Cisco Easy VPN


Cisco Easy VPN

Figure: Cisco Easy VPN components.
Easy VPN Servers: Cisco IOS > 12.2(8)T Router; PIX Firewall/ASA > 6.2; Cisco VPN 3000 > 3.11 (> 3.5.1 recommended).
Easy VPN Remote: Cisco VPN Client > 3.x; Cisco 800 Series Router; Cisco 900 Series Router; Cisco 1700 Series Router; Cisco VPN 3002 Hardware Client; Cisco PIX Firewall 501 and 506.


Features of Cisco Easy VPN Server

• Server support for Cisco Easy VPN Remote Clients was introduced with the release of the Cisco PIX Firewall Software v6.2.

• It allows remote end users to communicate using IPSec with supported security appliance VPN gateways.

• Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.


Supported Easy VPN Servers

Figure: the Cisco Easy VPN component diagram with the Easy VPN Servers highlighted: Cisco IOS > 12.2(8)T router; PIX Firewall/ASA > 6.2; Cisco VPN 3000 > 3.11 (> 3.5.1 recommended).


Supported Easy VPN Remote Clients

• Cisco VPN Software Client > 3.x
• Cisco VPN 3002 Hardware Client > 3.x
• Cisco PIX Firewall 501 and 506 VPN Client > 6.2
• Cisco Easy VPN Remote Router Clients
  – Cisco 800 Series
  – Cisco 900 Series
  – Cisco 1700 Series


Easy VPN Remote Modes of Operation

Easy VPN Remote supports two modes of operation:

• Client mode
  – Specifies that NAT and PAT be used.
  – The client automatically configures the NAT and PAT translations and the ACLs that are needed to implement the VPN tunnel.
  – Supports split tunneling.

• Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
  – PAT is not used.
  – Supports split tunneling.


Easy VPN Remote Client Mode

Figure: Easy VPN Remote client mode. A PIX Firewall 501/506 (Easy VPN Remote) applies PAT to its inside hosts and carries a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24; addresses shown: 192.168.1.1, 192.168.1.2, 192.168.1.3, 10.0.1.2.


Easy VPN Remote Network Extension Mode

Figure: Easy VPN Remote network extension mode. A Cisco 1710 Router (Easy VPN Remote, IOS 12.2(8)YJ) and a PIX Firewall 501 (Easy VPN Remote) each carry a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24; addresses shown: 172.16.10.4, 172.16.10.5, 172.16.10.6, 172.16.20.5, 172.16.20.6.

Overview of Cisco VPN Client


Cisco VPN Software Client for Windows


Cisco VPN Client Features and Benefits

Cisco VPN Client provides the following features and benefits:

• Intelligent peer availability detection
• SCEP
• Data compression (LZS)
• Command-line options for connecting, disconnecting, and connection status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• DNS, WINS, and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies
• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
• Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)


Cisco VPN Client Specifications

• Supported tunneling protocols
• Supported encryption and authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management

How Cisco Easy VPN Works


Easy VPN Remote Connection Process

• Step 1: The VPN Client initiates the IKE Phase 1 process.
• Step 2: The VPN Client negotiates an IKE SA.
• Step 3: The Easy VPN Server accepts the SA proposal.
• Step 4: The Easy VPN Server initiates a username/password challenge.
• Step 5: The mode configuration process is initiated.
• Step 6: IKE quick mode completes the connection.


Step 1: Cisco VPN Client Initiates IKE Phase 1 Process

• Using pre-shared keys? Initiate IKE aggressive mode (AM).
• Using digital certificates? Initiate IKE main mode (MM).

Figure: Remote PC with Easy VPN Remote Client; Security Appliance Easy VPN Server.


Step 2: Cisco VPN Client Negotiates an IKE SA

• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server.

• To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
  – Encryption and hash algorithms
  – Authentication methods
  – DH group sizes

Figure: The Remote PC with Easy VPN Remote Client sends Proposal 1, Proposal 2, Proposal 3 to the Security Appliance Easy VPN Server.


Step 3: Easy VPN Server Accepts SA Proposal

• The Easy VPN Server searches for a match:
  – The first proposal to match the server's list is accepted (highest priority match).
  – The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.

Figure: The Security Appliance Easy VPN Server checks the proposals from the Remote PC with Easy VPN Remote Client and finds a match on Proposal 1.


Step 4: Easy VPN Server Initiates a Username/Password Challenge

• If the Easy VPN Server is configured for Xauth, the VPN Client waits for a username/password challenge:
  – The user enters a username/password combination.
  – The username/password information is checked against authentication entities.
• All Easy VPN Servers should be configured to enforce user authentication.

Figure: The Security Appliance Easy VPN Server sends a username/password challenge to the Remote PC with Easy VPN Remote Client and checks the reply against AAA.


Step 5: Mode Configuration Process Is Initiated

• If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
  – Mode configuration starts.
  – The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.

• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

Figure: The Remote PC with Easy VPN Remote Client requests parameters; the Security Appliance Easy VPN Server returns the system parameters via mode configuration.


Step 6: IKE Quick Mode Completes Connection

• After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment.

• After IPSec SA establishment, the VPN connection is complete.

Figure: Quick mode IPSec SA establishment between the Remote PC with Easy VPN Remote Client and the Security Appliance Easy VPN Server, completing the VPN tunnel.

Configuring Users and Groups


Group Policy

Figure: Group policy. The Engineering, Marketing, and Training groups each have their own policy (Engineering Policy, Marketing Policy, Training Policy) pushed to the client across the Internet; internal networks shown: 10.0.0.0/24 and 10.0.1.0/24 (labelled Eng and Mktg).


Groups and Users

Figure: Base group: Corporate. Groups (departments): Customer Service/Base/Service, MIS/Base/Sales, Finance/Base/Finance. Users (individuals): VP of MIS, VP of Finance.


group-policy Command

• To create or edit a group policy, use the group-policy command in global configuration mode.

• A default group policy, named DfltGrpPolicy, always exists on the security appliance.

firewall(config)# group-policy {name internal [from group-policy name]}

fw1(config)# group-policy training internal


group-policy attributes Command

• Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.

firewall(config)# group-policy {name} attributes

fw1(config)# group-policy training attributes

fw1(config-group-policy)#


Users and User Attributes

• To add a user to the security appliance database, enter the username command in global configuration mode.

firewall(config)# username {name} {nopassword | password password [encrypted]} [privilege priv_level]

fw1(config)# username user1 password 12345678

firewall(config)# username {name} attributes

fw1(config)# username user1 attributes
fw1(config-username)#

Configuring the Easy VPN Server for Extended Authentication


Easy VPN Server General Configuration Tasks

The following general tasks are used to configure an Easy VPN Server on a security appliance:

• Task 1: Create ISAKMP policy for remote VPN Client access.
• Task 2: Create IP address pool.
• Task 3: Define group policy for mode configuration push.
• Task 4: Create transform set.
• Task 5: Create dynamic crypto map.
• Task 6: Assign dynamic crypto map to static crypto map.
• Task 7: Apply crypto map to security appliance interface.
• Task 8: Configure Xauth.
• Task 9: Configure NAT and NAT 0.
• Task 10: Enable IKE DPD.


Task 1: Create ISAKMP Policy for Remote VPN Client Access

fw1(config)# isakmp enable outside

fw1(config)# isakmp policy 20 authentication pre-share

fw1(config)# isakmp policy 20 encryption des

fw1(config)# isakmp policy 20 hash sha

fw1(config)# isakmp policy 20 group 2

Figure: Remote client 192.168.1.5 reaches the security appliance across the Internet; 172.26.26.1 on the outside, server 10.0.0.15 on the inside. ISAKMP policy: pre-share, DES, SHA, group 2.
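To make the Step 3 matching rule concrete against the Task 1 command syntax, here is an added Python example (not code from the Cisco course) that parses "isakmp policy" lines and selects a proposal the way the slides describe: the server's own priority order decides, not the client's. The configuration (the Task 1 DES policy plus a stronger AES policy in front of it) and the client's proposal list are constructed for the example.

```python
"""Simulate the IKE Phase 1 proposal selection of an Easy VPN Server.

Added example, not code from the Cisco course material. It parses
'isakmp policy' lines of the form shown in Task 1 and applies the rule
from Step 3 of the connection process: the server walks its own policy
list in priority order (lowest sequence number first) and accepts the
first policy that any of the VPN Client's proposals matches.
"""

# Constructed sample configuration: the Task 1 policy (seq 20, DES) with a
# stronger AES policy placed in front of it, following the guidance that the
# most secure proposals sit at the top of the server's list.
SERVER_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# Constructed sample of the proposals a client might send, weakest first,
# to show that the client's ordering does not decide the outcome.
CLIENT_PROPOSALS = [
    {"authentication": "pre-share", "encryption": "des", "hash": "sha", "group": "2"},
    {"authentication": "pre-share", "encryption": "aes", "hash": "sha", "group": "2"},
    {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"},
]

ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config: str) -> list:
    """Return the server's ISAKMP policies sorted by sequence number."""
    policies = {}
    for line in config.splitlines():
        parts = line.split()
        # Only 'isakmp policy <seq> <attribute> <value>' lines carry proposal data;
        # 'isakmp enable', 'isakmp identity' and lifetime lines are skipped.
        if len(parts) != 5 or parts[:2] != ["isakmp", "policy"]:
            continue
        seq, attr, value = int(parts[2]), parts[3], parts[4]
        if attr in ATTRS:
            policies.setdefault(seq, {"seq": seq})[attr] = value
    return [policies[seq] for seq in sorted(policies)]


def select_proposal(server_policies: list, client_proposals: list):
    """Return (server_seq, client_index) for the accepted match, else None.

    The outer loop runs over the server's policies, so the highest-priority
    server entry that the client can satisfy wins, even when the client
    listed a weaker acceptable proposal earlier.
    """
    for policy in server_policies:
        for idx, proposal in enumerate(client_proposals):
            if all(policy.get(a) == proposal.get(a) for a in ATTRS):
                return policy["seq"], idx
    return None


def negotiate(config: str = SERVER_CONFIG, proposals: list = CLIENT_PROPOSALS):
    """Convenience wrapper: parse the config, then run the selection."""
    return select_proposal(parse_isakmp_policies(config), proposals)


if __name__ == "__main__":
    # Server policy 10 (AES) is chosen through the client's second proposal,
    # although the client listed its DES proposal first.
    print(negotiate())  # (10, 1)
```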


Task 2: Create IP Address Pool

firewall(config)# ip local pool poolname first-address-last-address [mask mask]

fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254

• Creates a local address pool from which the server assigns addresses to remote clients; the pool is optional if the remote client is instead assigned an address by an external DHCP server

Figure: address pool vpnpool (10.0.11.1-10.0.11.254) on the security appliance; remote client 192.168.1.5, outside 172.26.26.1, inside server 10.0.0.15.


Task 3: Define Group Policy for Mode Configuration Push

Task 3 contains the following steps:

• Step 1: Set the tunnel group type.
• Step 2: Configure the IKE pre-shared key.
• Step 3: Specify the local IP address pool.
• Step 4: Configure the group policy type.
• Step 5: Enter the group-policy attributes submode.
• Step 6: Specify the DNS servers.
• Step 7: Specify the WINS servers.
• Step 8: Specify the DNS domain.
• Step 9: Specify idle timeout.


Step 1: Set the Tunnel Group Type

firewall(config)# tunnel-group name type type

fw1(config)# tunnel-group training type ipsec-ra

• Names the tunnel group
• Defines the type of VPN connection that is to be established

Figure: VPN group parameters pushed to the client: pre-shared key, DNS server, WINS server, DNS domain, address pool, idle time.


Step 2: Configure IKE Pre-Shared Key

firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]

• Enters tunnel-group ipsec-attributes submode to configure the key

firewall(config-ipsec)# pre-shared-key key

• Associates a pre-shared key with the connection policy

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123


Step 3: Specify Local IP Address Pool

firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]

• Enters tunnel-group general-attributes submode to configure the address pool

firewall(config-general)# address-pool [interface name] address_pool1 [...address_pool6]

• Associates an address pool with the connection policy

fw1(config)# tunnel-group training general-attributes
fw1(config-general)# address-pool MYPOOL


Step 4: Configure the Group Policy Type

firewall(config)# group-policy {name internal [from group-policy name]}

fw1(config)# group-policy training internal


Step 5: Enter the Group-Policy Attributes Subcommand Mode

firewall(config)# group-policy {name} attributes

fw1(config)# group-policy training attributes
fw1(config-group-policy)#


Step 6: Specify DNS Servers

firewall(config-group-policy)# dns-server {value ip_address [ip_address] | none}

fw1(config-group-policy)# dns-server value 10.0.0.15


Step 7: Specify WINS Servers

firewall(config-group-policy)# wins-server {value ip_address [ip_address] | none}

fw1(config-group-policy)# wins-server value 10.0.0.15


Step 8: Specify DNS Domain

firewall(config-group-policy)# default-domain {value domain-name | none}

fw1(config-group-policy)# default-domain value cisco.com


Step 9: Specify Idle Timeout

firewall(config-group-policy)# vpn-idle-timeout {minutes | none}

fw1(config-group-policy)# vpn-idle-timeout 600


Task 4: Create Transform Set

firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]

fw1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac

Figure: transform set DES with SHA-HMAC between remote client 192.168.1.5 and the security appliance.


Task 5: Create Dynamic Crypto Map

firewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [… transform-set-name9]

fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1


Task 6: Assign Dynamic Crypto Map to Static Crypto Map

firewall(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map


Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface

firewall(config)# crypto map map-name interface interface-name

fw1(config)# crypto map rmt-user-map interface outside


Task 8: Configure Xauth

Task 8 contains the following steps:

• Step 1: Enable AAA login authentication.
• Step 2: Define AAA server IP address and encryption key.
• Step 3: Enable IKE Xauth for the tunnel group.


Step 1: Enable AAA Login Authentication

firewall(config)# aaa-server server-tag protocol server-protocol

fw1(config)# aaa-server mytacacs protocol tacacs+
fw1(config-aaa-server-group)#

Figure: TACACS+ server 10.0.0.15 on the inside network; remote client 192.168.1.5 across the Internet.


Step 2: Define AAA Server IP Address and Encryption Key

firewall(config)# aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]

fw1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
fw1(config-aaa-server-host)#


Step 3: Enable IKE Xauth for Tunnel Group

firewall(config-general)# authentication-server-group [(interface name)] server group [LOCAL | NONE]

fw1(config)# tunnel-group training general-attributes
fw1(config-general)# authentication-server-group mytacacs

Figure: Xauth of remote client 192.168.1.5 is checked against the TACACS+ server 10.0.0.15.


Task 9: Configure NAT and NAT 0

• Matches ACL: Encrypted data and no translation (NAT 0)
• Does not match ACL: Clear text and translation (PAT)

fw1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
fw1(config)# nat (inside) 0 access-list 101
fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
fw1(config)# global (outside) 1 interface

Figure: traffic between inside 10.0.0.0 and the client pool 10.0.11.0 is sent encrypted with no translation; all other traffic leaves as clear text after translation. Remote client 192.168.1.5, TACACS+ server 10.0.0.15.
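An added Python example (not code from the Cisco course) that evaluates the Task 9 rules: it parses the access-list and the nat 0 binding above and reports whether a given inside-to-remote flow is exempt from translation or is PATed to the outside interface address (172.26.26.1, from the lesson's diagram). The configuration text and the flows tested are constructed samples.

```python
"""Classify inside-to-remote flows under the Task 9 NAT rules.

Added example, not code from the Cisco course material. It parses the
'access-list 101 permit ip ...' entry and the 'nat (inside) 0 access-list'
binding from the lesson, then reports for a given source/destination pair
whether the flow is exempt from translation (matches the ACL: sent over the
tunnel with its real address) or falls through to the 'nat (inside) 1' /
'global (outside) 1 interface' rule (clear text, PAT to the outside
interface address). The outside interface address is taken from the
lesson's diagram.
"""
import ipaddress

# Constructed sample: the four Task 9 commands as they appear in the lesson.
NAT_CONFIG = """\
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""
OUTSIDE_INTERFACE_IP = "172.26.26.1"  # outside address from the lesson's diagram


def parse_acl(config: str, acl_id: str) -> list:
    """Return (src_net, dst_net) pairs from 'access-list <id> permit ip' lines.

    PIX/ASA ACLs carry subnet masks (not wildcard masks), so each
    'address mask' pair maps directly onto an ip_network.
    """
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) == 8 and p[:4] == ["access-list", acl_id, "permit", "ip"]:
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            entries.append((src, dst))
    return entries


def nat0_acl_id(config: str, interface: str):
    """Return the ACL name bound by 'nat (<interface>) 0 access-list <id>'."""
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 5 and p[:4] == ["nat", f"({interface})", "0", "access-list"]:
            return p[4]
    return None


def classify_flow(config: str, src_ip: str, dst_ip: str) -> dict:
    """Decide whether a flow from the inside interface is NAT-exempt or PATed."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    acl = nat0_acl_id(config, "inside")
    exempt = acl is not None and any(
        src in s and dst in d for s, d in parse_acl(config, acl)
    )
    if exempt:
        # nat 0 matched: no translation, the remote peer sees the real address.
        return {"rule": "nat 0", "translated": False, "source_seen_by_peer": src_ip}
    # No exemption: nat (inside) 1 with 'global (outside) 1 interface' PATs the
    # flow to the outside interface address and it leaves as clear text.
    return {"rule": "nat 1 / global interface", "translated": True,
            "source_seen_by_peer": OUTSIDE_INTERFACE_IP}


if __name__ == "__main__":
    # Inside server to a client in the VPN pool: exempt, real address kept.
    print(classify_flow(NAT_CONFIG, "10.0.0.15", "10.0.11.7"))
    # Inside server to an Internet host: PATed to 172.26.26.1.
    print(classify_flow(NAT_CONFIG, "10.0.0.15", "198.51.100.9"))
```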


Task 10: Enable IKE DPD

1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.

firewall(config-ipsec)# isakmp keepalive [threshold seconds] [retry seconds] [disable]

• Configures the IKE DPD parameters

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10


Easy VPN Server Configuration Summary

PIX Version 7.0(1)
hostname fw1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside


Easy VPN Server Configuration Summary (Cont.)

!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure group policy parameters.
group-policy training internal
group-policy training attributes
 wins-server value 10.0.0.15
 dns-server value 10.0.0.15
 vpn-idle-timeout 600
 default-domain value cisco.com
!--- Configure tunnel group policy parameters.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
 default-group-policy training
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10


Easy VPN Server Configuration Summary (Cont.)

!--- Configure AAA-Server parameters.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host 10.0.0.15 timeout 5 key secretkey
!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0

!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
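As an added review aid (not code from the Cisco course), the following Python script audits a running configuration of this shape for the points a defender checks before putting an Easy VPN Server into service: weak ISAKMP or transform-set algorithms, tunnel groups with no Xauth authentication server, group policies with "vpn-idle-timeout none", and tunnel groups without DPD keepalives. The configuration it inspects is a constructed sample modelled on the summary above, with a second, weaker tunnel group added so that findings appear.

```python
"""Audit an Easy VPN Server configuration for weak or missing settings.

Added example, not code from the Cisco course material. It reads a PIX/ASA
style running configuration (a constructed sample modelled on the lesson's
configuration summary) and reports what a reviewer checks: weak ISAKMP or
transform-set algorithms, tunnel groups without an Xauth authentication
server, group policies with no idle timeout, and tunnel groups without IKE
DPD keepalives. Submode lines are recognised by their leading indentation,
as in 'show running-config' output.
"""

# Constructed sample: the lesson's 'training' tunnel group plus a weaker
# 'contractors' tunnel group that lacks Xauth, DPD and an idle timeout.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec transform-set legacy esp-des esp-sha-hmac
group-policy training internal
group-policy training attributes
 dns-server value 10.0.0.15
 vpn-idle-timeout 600
group-policy contractors internal
group-policy contractors attributes
 vpn-idle-timeout none
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
 default-group-policy training
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10
tunnel-group contractors type ipsec-ra
tunnel-group contractors general-attributes
 address-pool ippool
 default-group-policy contractors
tunnel-group contractors ipsec-attributes
 pre-shared-key contractors
"""

WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}


def parse_blocks(config: str):
    """Return (top_level_lines, {header: [submode lines]}) from indented config."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())   # belongs to the open submode
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    top, blocks = parse_blocks(config)
    for line in top:
        p = line.split()
        if (p[:2] == ["isakmp", "policy"] and p[3] in WEAK_ISAKMP
                and p[4] in WEAK_ISAKMP[p[3]]):
            findings.append(f"isakmp policy {p[2]}: weak {p[3]} '{p[4]}'")
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in p[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {p[3]}: weak transform '{transform}'")
    for header, body in blocks.items():
        p = header.split()
        if p[:1] == ["tunnel-group"] and p[2:] == ["general-attributes"]:
            if not any(ln.startswith("authentication-server-group") for ln in body):
                findings.append(f"tunnel-group {p[1]}: no authentication-server-group, "
                                "Xauth not enforced")
        if p[:1] == ["tunnel-group"] and p[2:] == ["ipsec-attributes"]:
            if not any(ln.startswith("isakmp keepalive") for ln in body):
                findings.append(f"tunnel-group {p[1]}: no isakmp keepalive, "
                                "IKE DPD not configured")
        if p[:1] == ["group-policy"] and p[2:] == ["attributes"]:
            if "vpn-idle-timeout none" in body:
                findings.append(f"group-policy {p[1]}: vpn-idle-timeout none, "
                                "idle sessions never time out")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```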

Configure Security Appliance Hub-and-Spoke VPNs


Benefits of Hub-and-Spoke VPNs

Figure: Hub-and-spoke VPN. The central site hub connects across the Internet to the spokes: Telecommuter, Server, Remote Site, Mobile.

• Supports small sites with small LANs and low-end PIX Firewalls, because only one IPSec tunnel is needed at each spoke.
• Scales the network by scaling capacity at a single hub point.
• Only the hub needs a static, globally routable IP address. All spoke PIX Firewalls can use DHCP-assigned dynamic IP addresses when the hub is configured with a dynamic crypto map.
• Adding sites and security appliances is easy, because no changes to the existing spoke or hub security appliances are required.


Limitations of Hub-and-Spoke VPNs

• IPSec performance is aggregated at the hub.
• All spoke-to-spoke packets are decrypted and re-encrypted at the hub.
• When hub-and-spoke is used with dynamic crypto maps, the IPSec encryption tunnel must be initiated by the spoke routers.

Figure: Hub-and-spoke VPN. The central site hub connects across the Internet to the spokes: Telecommuter, Server, Remote Site, Mobile.

Configure Hub-and-Spoke VPN

• VPN spokes can be terminated on a single interface.

• Traffic from the same security level can also be permitted.

firewall(config)#
same-security-traffic permit [inter-interface | intra-interface]

• Permits communication between different interfaces with the same security level, or between VPN peers connected to the same interface.

fw1(config)# same-security-traffic permit intra-interface

[Diagram: hub on 10.0.0.0 terminating Telecommuter, Server, Remote Site and Mobile spokes over the Internet; spoke networks shown are 30.0.0.0, 40.0.0.0 and 50.0.0.0]
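The hub configuration above, together with the AAA-server and nat 0 commands shown earlier in this lesson, can be sanity-checked before deployment. The following lint is an added example and not Cisco's code: its rules are this example's own reading of the slides (nat 0 exemption present and pointing at a defined access-list, every aaa-server group backed by a host, intra-interface traffic permitted on the hub), and the sample configuration is constructed from the commands on the slides.

```python
"""Lint a PIX/ASA hub configuration for the settings covered in this lesson.

Added example, not Cisco's code: the rules below are this example's own
reading of the slides, and the sample config is constructed from them.
"""
import re


def _matches(lines, pattern):
    """Return the first capture group of every line matching pattern."""
    return {m.group(1) for m in (re.match(pattern, l) for l in lines) if m}


def lint_hub_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    # Drop blank lines and the "!---" comments Cisco configs carry.
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    findings = []

    # 1. The nat 0 exemption must exist and point at a defined access-list,
    #    otherwise VPN traffic is translated like regular traffic.
    acls = _matches(lines, r"access-list (\S+) ")
    nat0 = _matches(lines, r"nat \(\S+\) 0 access-list (\S+)")
    if not nat0:
        findings.append("no 'nat (inside) 0 access-list' exemption for VPN traffic")
    for acl in sorted(nat0 - acls):
        findings.append(f"nat 0 references undefined access-list {acl}")

    # 2. Every aaa-server group needs at least one host, or user
    #    authentication has nowhere to go.
    groups = _matches(lines, r"aaa-server (\S+) protocol")
    hosts = _matches(lines, r"aaa-server (\S+) host")
    for group in sorted(groups - hosts):
        findings.append(f"aaa-server group {group} defines no host")

    # 3. Spokes terminating on one hub interface need intra-interface traffic
    #    permitted, or spoke-to-spoke packets are not forwarded by the hub.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    return findings


# Constructed sample hub config, assembled from the commands on the slides.
HUB_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host 10.0.0.15 timeout 5 key secretkey
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface
"""

if __name__ == "__main__":
    for finding in lint_hub_config(HUB_CONFIG) or ["OK: no findings"]:
        print(finding)
```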

Cisco VPN Client Manual Configuration Tasks

The following general tasks are used to configure Cisco VPN Client:

• Task 1: Install Cisco VPN Client.

• Task 2: Create a new connection entry.

• Task 3: (Optional) Configure Cisco VPN Client transport properties.

• Task 4: (Optional) Configure Cisco VPN Client backup servers properties.

• Task 5: (Optional) Configure Dialup properties.

Task 1: Install Cisco VPN Client

Task 2: Create New Connection Entry

Task 3: (Optional) Configure Cisco VPN Client Transport Properties

Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

Task 5: (Optional) Configure Dialup Properties

Working with the Cisco VPN Client

Cisco VPN Client Program Menu

Virtual Adapter

Setting MTU Size

Cisco VPN Client Statistics Menu

Summary

• Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.

• The Easy VPN Server adds several new commands to Cisco PIX Firewall Security Appliance Software v6.3 and later versions.

• The Cisco VPN Client enables software-based VPN remote access.
