CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers Rick Graziani Cabrillo College graziani@cabrillo.edu Last.


1 CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers
Rick Graziani Cabrillo College Last Updated: Fall 2010

2 Materials Book: Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE Exam By Diane Teare Book ISBN-10: ISBN-13: eBook ISBN-10: ISBN-13:

3 At the end of this presentation…
- Created our broadband connection
- Configured a floating static route: if the Private WAN is down, use the Internet (ISP)
- Configured NAT for traffic over the Internet: changes the private source IP address of traffic sent over the Internet
- Configured IPsec: we want all traffic, including LAN-to-LAN, to use the Internet (ISP), and we want to secure the LAN-to-LAN traffic between Branch and HQ over the Internet using IPsec
  - Problem: LAN-to-LAN traffic is translated by NAT before it reaches the crypto map, so it never matches the crypto ACL and is not sent through the IPsec tunnel. Solution: modify NAT to create a NAT exemption
  - Problem: IPsec does not support broadcasts and multicasts, so EIGRP routing updates cannot be sent through it. Solution: use a GRE tunnel; encapsulate traffic inside a GRE point-to-point tunnel, then inside the IPsec tunnel. The GRE tunnel network must be added to EIGRP so that all LAN-to-LAN traffic uses the GRE tunnel

4 Lab will reinforce concepts and commands

5 Branch Office Design

6 Branch Office Requirements
There are common requirements that every branch network design needs to address: connectivity, security, availability, voice and application.

7 The challenges when addressing these requirements include the following:
- Bandwidth and network requirements: video, voice and data, and supporting mission-critical functions and applications.
- Consolidated data centers: centralized security and management control.
- Mobility: the dispersion of the staff coupled with the consolidation of the IT resources.
- Disparate networks: branch offices built in isolation, running aging and separate voice and data networks.
- Management costs: a patchwork of network devices in which branch offices often have very different equipment and architectures.

8 Upgrade Scenario. The HQ router routes to the branches using EIGRP as the routing protocol. Currently there is no redundancy. The branch site also provides basic services: DHCP and NAT.

9 When deploying branch services, one must consider how the following trends and considerations affect the implementation plan: consolidation, integration, high availability, and VPNs as a WAN option.

10 Implementation Plan. To accomplish the branch office upgrade we will include configurations at both the branch and the headquarters routers, as follows:
- Step 1: Deploy broadband connectivity
- Step 2: Configure static routing
- Step 3: Document and verify other services
- Step 4: Implement and tune the IPsec VPN
- Step 5: Configure GRE tunnels

11 Step 1: Deploying Broadband Connectivity
Broadband technologies provide always on access which can support enhanced voice and video services. Often refers to any connection of 256 Kbps or greater.

12 Broadband (FYI)
- Broadband (general): data transmission using a multiplexing methodology to provide more efficient use of the bandwidth.
- Broadband (cable): frequency-division multiplexing (FDM) of multiple signals in a wide radio-frequency (RF) bandwidth over a hybrid fiber-coaxial (HFC) network, with the capability to handle large amounts of information.
- Frequency-division multiplexing: FDM is a means by which information from multiple channels or frequencies can be allocated bandwidth on a single wire.

13 Broadband can include many different connection options, including: wireless broadband, broadband cable access, and digital subscriber line (DSL).

14 Wireless Broadband. New developments in broadband wireless technology include: municipal Wi-Fi, WiMAX, and satellite Internet.

15 Municipal Wi-Fi Uses a mesh (series) of access points (radio transmitters). Each access point can communicate with at least two other access points. Signals travel from access point to access point through this cloud until: Reach a node that has a wired connection to the Internet. Reach a backhaul node

16 WiMAX (Worldwide Interoperability for Microwave Access) - IEEE 802.16
Provides wireless data over long distances. Advantages over Wi-Fi: WiMAX operates at higher speeds, over greater distances, and for a greater number of users. A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line or microwave). WiMAX is able to provide coverage to rural areas out of reach of "last mile" cable and DSL technologies.

17 FYI: http://www.wimax.com/general/what-is-wimax
WiMAX is a wireless digital communications system, also known as IEEE , that is intended for wireless "metropolitan area networks". WiMAX can provide broadband wireless access (BWA) up to 30 miles (50 km) for fixed stations, and miles ( km) for mobile stations. In contrast, the WiFi/ wireless local area network standard is limited in most cases to only feet ( m).

18 Satellite. There are three ways to connect to the Internet using satellites. One-way multicast satellite: most IP protocols (web pages, for example) require two-way communication, so full interactivity is not possible.

19 One-way terrestrial return satellite: traditional dialup access is used to send outbound data through a modem, while downloads are received from the satellite.

20 Two-way satellite Satellites are used for sending and receiving data

21 Cable Background Information
Not popular for connecting branch sites Many businesses do not have access to cable because cable TV’s main customers are residential neighborhoods. Uses a coaxial cable that carries radio frequency (RF) signals across the network. Primary medium used to build cable TV systems.

22 Hybrid Fiber-Coaxial Networks (FYI)
Transportation Network HFC architecture is relatively simple. A web of fiber trunk cables connects the headend (or hub) to the nodes where optical-to-RF signal conversion takes place. The fiber carries the same broadband content as coax for: Internet connections telephone service streaming video

23 Hybrid Fiber-Coaxial Networks (FYI)
Transportation Network Coaxial feeder cables originate from the node that carries RF signals to the subscribers. The effective range or service area of a distribution network segment (feeder segment) is from 100 to as many as 2000 subscribers.

24 Putting it all together (FYI)
Step 1 In the downstream path, the local headend (LHE) receives television signals through the satellite dishes, antennas, analog and digital video servers, local programming and other headends. The CMTS (cable modem termination system) modulates digital data on an RF signal and combines that RF signal with the TV signals.

25 Putting it all together (FYI)
light Step 2 The combined signal is input to a fiber transmitter that converts the signal from RF to light (optical) and transmits to a fiber node further downstream. The Fiber Node is located relatively close to the subscribers.

26 Putting it all together (FYI)
Step 3 The Fiber Node converts the light back to RF. The RF is transmitted over the coaxial network, which is comprised of amplifiers, taps and drops.

27 Putting it all together (FYI)
Step 4 At the subscriber end: RF splitter divides the combined RF signal into video and data Cable Modem receives the data portion of the RF signal. Tuned to the data RF signal channels, demodulates the data RF signal back into digital data and finally passes the data to the computer over an Ethernet or a/b/g connection. Cable set-top box receives the video portion of the RF signal.

28 Putting it all together (FYI)
Outbound or Upstream Direction CM decodes the digital information from the Ethernet connection, modulates a separate RF signal with this digital information. CM transmits this signal at a certain RF power level. At the headend, the CMTS, tuned to the data RF channels, demodulates the data RF signal back to digital data and routes the digital data to the Internet.

29 DSL Background Information
Several years ago, research by Bell Labs identified that a typical voice conversation over a local loop only required the use of bandwidth of 300 Hz to 3400 Hz. This was enough of a frequency range for normal voice conversation – low to high. For many years, the telephone networks did not use the bandwidth beyond 4 kHz.

30 DSL DSL types fall into two major categories, taking into account downstream and upstream speeds: Symmetrical DSL: Upstream and downstream speeds are the same. Asymmetrical DSL: Upstream and downstream speeds are different. Downstream speed is typically higher than upstream speed. Term xDSL covers a number of DSL variations. Data rate that DSL service can provide depends on the distance between the subscriber and the CO. The shorter the distance: the higher the bandwidth available.

31 DSL Variants

DSL Technology | Data Rate (Down/Up) | Maximum Distance | Nature     | Data & POTS at same time
ADSL           | 8 / 1 Mbps          | 18,000 ft.       | Asymmetric | Yes
RADSL          | Adaptable           |                  | Asymmetric | Yes
VDSL           | 55 / 13 Mbps        | 4,500 ft.        | Asymmetric | Yes
IDSL           | 144 / 144 Kbps      |                  | Symmetric  | No
SDSL           | 768 / 768 Kbps      | 22,000 ft.       | Symmetric  | No
G.SHDSL        | 2.3 / 2.3 Mbps      | 28,000 ft.       | Symmetric  | No

32 Data Transmission over ADSL
Three ways to encapsulate IP packets over a DSL connection: RFC 1483/2684 bridged, PPP over Ethernet (PPPoE), and PPP over ATM (PPPoA).

33 PPP over ATM (PPPoA). PPPoA is used mainly with cable modem, DSL and ADSL services. It provides authentication, encryption and compression, with slightly more overhead than PPPoE. PPPoA is a routed solution, unlike RFC 1483 bridged and PPPoE.

34 Configuring PPPoA. In our scenario, the Internet service provider has provided the branch site with a PPPoA connection to the Internet. The steps to configure PPPoA on the branch router, where components of both the DSL architecture and of basic branch IP services are required, are as follows:
1. Configure an ATM interface.
2. Configure a dialer interface.
3. Configure PAT.
4. Configure the branch router as a local DHCP server.
5. Configure a static default route.

35 ATM and dialer interfaces establish the ATM virtual circuits and the PPP sessions. A dialer interface is a virtual interface that is configured as an on-demand component; it comes up upon successful DSL subscriber authentication. (Figure: CPE ATM0/0, PVC to the ISP router, ISP DHCP server.)

36 This presentation… (progress recap; same roadmap as slide 3)

37 Here is a high-level overview of the Branch Router configuration

38 The branch router provides DHCP services to users connected to the inside LAN interface.
Users connecting to the inside LAN interface would be provided with a private address from the pool.

39 The configuration specifics of the ATM 0/0 interface and the permanent virtual circuit (PVC) are provided by the DSL service provider. Notice the combination of the ATM interface dialer pool-member 1 command and the dialer interface dialer-pool 1 commands. These two commands associate the ATM 0/0 interface to the Dialer 0 interface.

40 The Dialer 0 interface is a virtual interface that initiates PPP connectivity including authentication Notice that it is also identified as the outside NAT interface.

41 NAT is configured to translate traffic initiated at the LAN port to the IP address of the dialer interface, which is assigned dynamically by the DSL provider when the PPP session comes up (ip address negotiated on the dialer interface).

42 Notice that the static default route points to the dialer interface.
The routing of traffic to this default route would trigger the dialer interface to activate.
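Putting slides 34 through 42 together, here is a complete branch-router configuration for the PPPoA scenario. It is an added example written for this page, not the deck's own configuration (the deck's figure is not reproduced in the transcript). Assumed values: PVC 0/35 and AAL5 MUX encapsulation (the DSL provider supplies the real values), placeholder CHAP credentials, the branch LAN 192.168.1.0/24 (the deck's host 192.168.1.10 lives there) and the DNS server address.

```cisco
! --- Added example: branch router, PPPoA over ADSL (assumed values marked) ---
! Step 1: ATM interface. VPI/VCI 0/35 is an assumption; the provider supplies it.
interface ATM0/0
 no ip address
 dsl operating-mode auto
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! Step 2: dialer interface, the PPP endpoint and the NAT outside interface.
!         The public address is negotiated over PPP (IPCP); credentials are placeholders.
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname branch@isp.example
 ppp chap password 0 CHANGE-ME
!
! Any IP traffic counts as interesting and brings the dialer up.
dialer-list 1 protocol ip permit
!
! Inside LAN interface (branch LAN 192.168.1.0/24 is an assumption).
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Step 3: PAT. Only the branch LAN is translated, overloading Dialer0's address.
ip access-list standard BRANCH-LAN
 permit 192.168.1.0 0.0.0.255
ip nat inside source list BRANCH-LAN interface Dialer0 overload
!
! Step 4: local DHCP server for the branch LAN (DNS address is an assumption).
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp pool BRANCH-LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.0.2.53
!
! Step 5: static default route to the dialer; traffic hitting it activates the dialer.
ip route 0.0.0.0 0.0.0.0 Dialer0
```

Verify with show interface dialer 0 (line protocol up once CHAP succeeds), show ip interface brief (the negotiated address on Dialer0), and show ip nat translations after a host on the LAN browses out.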

43 This presentation… (progress recap; same roadmap as slide 3)

44 Configuring Routing and Floating Static Route
Because PPP, ATM and DSL are beyond the scope of this chapter we will modify our scenario without DSL.

45 EIGRP Currently, the main connection to the HQ is via the private WAN network because it is configured for routing with EIGRP.

46 What happens if the private WAN link fails?
What happens if the private WAN link fails? Traffic to the HQ server or to the Internet would not be possible. By adding a floating default static route to the branch router we gain resiliency. A floating static route is a static route whose administrative distance is set higher than that of the routing protocol (EIGRP uses 90 for internal and 170 for external routes), so it stays out of the routing table while the EIGRP-learned path exists. Whenever the private WAN link fails, the floating default route populates the routing table. When the private WAN comes back, EIGRP reroutes traffic through the private WAN.

47 It would seem like this would work but ...
It would seem like this would work but ... this scenario would not be feasible, because packets sourced from the private (RFC 1918) addresses of the branch LAN would be filtered by the ISP router; private addresses are not routable on the Internet. Therefore, on the branch router, the internal private IP addresses must be translated via NAT to global public IP addresses.

48 This presentation… (progress recap; same roadmap as slide 3)

49 Configuring NAT/PAT for Branch Services
Notice the NAT pool of global IP addresses available on the branch router. Also notice that the Branch server has a static NAT global address ( ). The branch router must be configured to deploy NAT as shown above. There are three generic steps to configuring NAT:
- Which traffic will be translated
- To what address it will be translated
- Which interfaces are involved in the translation

Configure the interfaces involved in this NAT translation (the outside interface is the ISP-facing serial interface, the inside interface is the LAN). Translate addresses coming from the branch LAN, regardless of destination: BRANCH-NAT-ACL matches the LAN as source with any destination. The NAT pool of public IP addresses is defined using the ip nat pool command; the pool named BRANCH-NAT-POOL identifies a range of valid, available Internet IP addresses. The ip nat inside source list command ties the two together ("from BRANCH-NAT-ACL to BRANCH-NAT-POOL"). The ip nat inside source static command creates a static translation entry, where the inside local address of the branch server is always translated to the same global address on the outside. The configuration as shown on the slide (the IP addresses are not reproduced in the transcript):

  interface serial 0/0/1
   ip nat outside
  interface fastethernet 0/0
   ip nat inside
  ip access-list extended BRANCH-NAT-ACL
   permit ip any
  ip nat pool BRANCH-NAT-POOL prefix-length 29
  ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
  ip nat inside source static

51 Other than the static translation to the inside web server, there are no dynamic translations listed in the NAT cache.

52 Displays the number of active translations, which in this case is one static and zero dynamic translation. Lists the interfaces involved in the NAT translations The specifics of the BRANCH-NAT-POOL in use, including the BRANCH-NAT-ACL access list used for the traffic to be translated.

53 Telnet from the inside Branch LAN to the HQ router works (well, it would if we had a password set on the router).


55 This presentation… (progress recap; same roadmap as slide 3)

56 Verifying and Tuning IPsec VPNs

57 Broadband connectivity Floating static route NAT
So far we have: broadband connectivity, a floating static route, and NAT. Now we need to secure our LAN-to-LAN Internet links using IPsec VPN tunnels over the Internet as the primary connectivity option (the private WAN link is too expensive). The intent of this section is not to provide detailed coverage of IPsec VPNs. This section is about understanding the impact on routing services and addressing schemes when deploying IPsec VPNs at branch office routers.

58 IPsec Technologies. IPsec resolves two issues:
- By default, all traffic leaving onto the public network is in clear text.
- We need LAN-to-LAN traffic to travel as if it were over a private WAN, using private IP addresses.
IPsec provides two significant benefits:
- Encryption: IPsec encrypts the data exchanged over the public Internet.
- Encapsulation: using tunneling technology, IPsec encapsulates the data as it leaves the site, thus protecting its original IP addresses.

59 IPsec Encryption IPsec encryption provides three major services:
Confidentiality Integrity Authentication

60 IPsec Encryption Confidentiality
Confidentiality provides encryption during the exchange of the data; only a recipient in possession of the valid key can decrypt the packets. It uses cryptographic algorithms such as Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). DES is broken and 3DES is deprecated; new deployments should use AES. Confidentiality protects data from eavesdroppers; VPNs achieve it using encapsulation and encryption.

61 IPsec Encryption Integrity
Integrity provides a check to confirm that the data was not altered during transmission. It uses hashing algorithms such as message digest algorithm 5 (MD5) and Secure Hash (SHA); MD5 and SHA-1 are deprecated for new deployments, so prefer an HMAC based on SHA-2 where the platform supports it. Data integrity guarantees that there is no tampering with or alteration of the data between source and destination. VPNs typically use one of three technologies to ensure data integrity: one-way hash functions, message authentication codes (MAC), and digital signatures.

62 IPsec Encryption Authentication
Authentication provides assurance that the data is exchanged with the rightful party. It is provided by signing the results of hashing algorithms and ensures that a message comes from an authentic source and goes to an authentic destination. VPN technologies use several methods for establishing the identity of the party at the other end of a network: passwords, digital certificates, smart cards, and biometrics.

63 IPsec Encapsulation One of the benefits of IPsec is its capability to tunnel packets using an additional encapsulation. Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network. Allows the use of public networks to carry data on behalf of users as though the users had access to a private network. This is where the name VPN comes from.

64 Tunneling: The original packet is encapsulated inside a new IP packet before it leaves the branch office.

65 The VPN routers at Branch and HQ are responsible for this encapsulation and decapsulation tasks (the tunnel). The IPsec encapsulation process: Adds an additional IP header to the original packet Can performs security functions (confidentiality, integrity, authentication)

66 Host at branch site 192.168.1.10 wants to contact HQ host 10.10.10.10.
The link is secured using a site-to-site IPsec VPN. As the packet leaves the branch router it is flagged as interesting, so an IPsec VPN (tunnel) is established between the branch and HQ routers: the two routers negotiate and secure a tunnel that encapsulates the original IP packet inside a new, outer IP header. The packet is then forwarded to the HQ site. When the packet arrives at the HQ router, it verifies and decrypts the packet with the session keys negotiated during IKE (the peers authenticated each other with the preshared key), extracts the original IP packet, and forwards it to the HQ host.

67 Configuration commands associated with IPsec VPNs are beyond the scope of this chapter.
We will focus on the commands to verify proper configuration and operation. The details of cryptographic services such as confidentiality, integrity, and VPN end-point authentication will be transparent to us.

68 IPsec Site-to-Site VPN Configuration
To better understand how to verify an IPsec VPN, we must ensure that certain concepts are understood. The steps to configure an IPsec VPN are as follows: 1. Configure the initial key (ISAKMP) details. 2. Configure the IPsec details. 3. Configure the crypto ACL. 4. Configure the VPN tunnel details.

69 Complete IPsec configuration for Branch router
The ISAKMP policy identifies the specifics for the initial key and security-parameter exchange. The IPsec details (the transform set) define how the IP packet will be encapsulated and how it will be identified by the named HQ VPN. The VPN tunnel information is held in the crypto map named HQ-MAP, which combines the ISAKMP policy, the IPsec transform set, the peer address, and ACL 110. ACL 110 is the crypto access control list that identifies the interesting traffic that triggers the VPN. The crypto map is applied to the Internet-facing interface of the branch router (see slide 75).

70 ISAKMP Policy. The first stage is to negotiate and exchange credentials (key and security parameters) with a peer, using ISAKMP/IKE on UDP port 500 (UDP port 4500 once NAT traversal is detected between the peers). The ISAKMP parameters are configured with the crypto isakmp policy command, which lets you specify:
- Which encryption method to use
- How the peers authenticate (preshared key or certificates) and which Diffie-Hellman group (key size) is used for the key exchange
- Which hashing method to use
- How long (the lifetime) before these parameters have to be renegotiated
The preshared key itself is configured separately, per peer, with crypto isakmp key.

71 IPsec Details. IPsec is the framework that enables a VPN tunnel to be created. The crypto ipsec transform-set command creates a transform set (an acceptable combination of security protocols and algorithms) that the peers agree on; it identifies how the packets will be encapsulated (protected) by naming an acceptable combination of security protocols, algorithms and other settings. During the IPsec security association (SA) negotiation, the peers agree to use a particular transform set when protecting a particular data flow. In the deck's configuration:
- ESP authentication transform: ESP with the SHA (HMAC variant) authentication algorithm
- ESP encryption transform: ESP with 168-bit Triple DES (3DES)
Note that 3DES and SHA-1 are legacy choices; prefer AES with a SHA-2 HMAC on IOS releases that support them.

72 VPN Tunnel Information
Next the actual VPN tunnel specifics must be entered. The crypto map command enters a subconfiguration mode where you create or edit a named entry that specifies the VPN settings to apply to an interface. The crypto map is where you specify:
- Which IPsec transform set to use
- Which peer router to establish an IPsec VPN tunnel with
- Which ACL will be used to identify interesting traffic
- How long the security association should be kept before it is renegotiated

73 Conceptually, a crypto map is similar to a funnel.
You configure the IPsec settings, group them together in a crypto map, and then apply the crypto map to the interface. When traffic meets the criteria (interesting traffic defined by the ACL or other means), it passes through the funnel and its policies are enforced. Traffic that does not meet the criteria configured in the crypto map leaves the Internet-facing interface unencrypted.

74 VPN ACL – Defining the interesting traffic
The crypto ACL is an extended IP ACL that identifies the traffic that should be protected. A permit statement results in the traffic being encrypted (it uses the VPN tunnel); a deny statement results in the traffic being sent out unencrypted (it does not use the VPN tunnel). Both VPN peers must have reciprocating (mirror-image) ACLs: the branch router requires an extended ACL that identifies traffic going from its LAN to the HQ LAN, and the HQ router requires an ACL that identifies traffic going from its LAN to the branch LAN.

75 Apply the Crypto Map Last, the named crypto map must be applied to the Internet-facing interface that the peering router will connect to using the crypto map interface configuration command. Once configured, if the traffic matches the ACL, the router will begin the process to encrypt and tunnel traffic across to the VPN peer.
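Slides 68 through 75 describe the four steps but leave the commands to the figure. The branch-side configuration below is an added example written for this page, not the deck's own. It keeps the deck's names (crypto map HQ-MAP, crypto ACL 110) and assumes: the ISP-facing interface is Serial0/0/1, the HQ peer's public address is 203.0.113.1, the HQ LAN is 10.10.10.0/24 (the deck's HQ host is 10.10.10.10), the branch LAN is 192.168.1.0/24, and a placeholder preshared key. The cipher suite deliberately departs from the deck's 3DES/SHA-1 choice: AES-256, SHA-256 and DH group 14 are what should be deployed today, on an IOS release that supports them.

```cisco
! --- Added example: site-to-site IPsec on the branch router (assumed values marked) ---
! Step 1: IKE (ISAKMP) policy and the preshared key for the HQ peer (203.0.113.1 assumed).
!         Deck equivalent would be: encryption 3des / hash sha / group 2.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key CHANGE-ME-long-random-secret address 203.0.113.1
!
! Step 2: IPsec transform set: how packets are protected once IKE has finished.
!         Deck equivalent: esp-3des esp-sha-hmac.
crypto ipsec transform-set HQ esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 3: crypto ACL 110, the "interesting" LAN-to-LAN traffic.
!         HQ needs the mirror image: permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Step 4: crypto map HQ-MAP ties peer, transform set, SA lifetime and ACL together.
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ
 set security-association lifetime seconds 3600
 match address 110
!
! Apply the map to the Internet-facing interface, not to the LAN or a tunnel interface.
interface Serial0/0/1
 crypto map HQ-MAP
```

After sending traffic that matches ACL 110 (for example an extended ping sourced from the LAN interface), verify with show crypto session and show crypto ipsec sa as on slide 76. The HQ router needs the corresponding policy, the same transform set, a key entry for the branch's public address, and the mirrored ACL; a mismatch in any of these shows up as an IKE or IPsec SA that never reaches the active state.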

76 Verifying an IPsec VPN
- show crypto session: displays status information for active crypto sessions
- show crypto ipsec sa: displays the settings used by the current SAs

77 Although the ping was successful, it appears that the tunnel is down. Recall that we also implemented NAT; perhaps this is interfering with the IPsec tunnel being created. To test this, we enable the debug ip nat command and reissue the extended ping. (This debug fires for every translated packet, so on a busy production router restrict it with an access list or avoid it.)

78 Again, the pings are successful.
Notice, however, that the internal IP address is being translated to a global NAT IP address, making the source traffic uninteresting to the crypto map: the source IP is no longer in the branch LAN /24 but is an address from the NAT pool. Corporate LAN-to-LAN IPsec traffic does not need to be translated by NAT; it should stay private along its path, because it is encapsulated inside another IP packet. NAT interferes with this: because the NAT process takes place before the encryption process, by the time the traffic arrives at the crypto map ACL it looks like it is sourced from the NAT pool /29 going to the HQ LAN.

79 This presentation… (progress recap; same roadmap as slide 3)

80 ACL 110 identifies interesting VPN traffic
ACL 110 identifies the interesting VPN traffic; BRANCH-NAT-ACL identifies the traffic to be translated. The crypto map ACL 110 is configured to encrypt traffic between the branch LAN /24 and the HQ LAN /24, but the traffic arrives at the crypto process with a NAT-pool source IP address, so the crypto map does not encrypt it (it does not use the VPN tunnel). The current NAT configuration is therefore creating the problem. The solution is a NAT exemption: the NAT access list must also identify when traffic should not be translated.

81 For the NAT process (ACL that identified traffic to translate):
For the NAT process (the ACL that identifies traffic to translate): a deny line means "do not translate", so a deny entry for packets going from the Branch LAN to the HQ LAN exempts them (the NAT exemption); a permit line means "translate", so the existing permit entry translates packets from the Branch LAN to all other destinations. Because an ACL is evaluated top down, the deny line must come before the permit line.
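The NAT exemption on the branch router, as an added example (not the deck's own configuration, which is in the slide figure). The branch LAN is 192.168.1.0/24 as elsewhere on this page; the HQ LAN 10.10.10.0/24 is an assumption based on the deck's HQ host 10.10.10.10.

```cisco
! --- Added example: NAT exemption so LAN-to-LAN traffic reaches the crypto map untranslated ---
! Rebuild BRANCH-NAT-ACL so the deny line is evaluated before the permit line.
no ip access-list extended BRANCH-NAT-ACL
ip access-list extended BRANCH-NAT-ACL
 remark exemption: branch LAN -> HQ LAN (10.10.10.0/24 assumed) must not be translated
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark everything else from the branch LAN is translated as before
 permit ip 192.168.1.0 0.0.0.255 any
!
! Existing dynamic translations are reused without consulting the ACL again,
! so flush them (exec mode) or hosts already in the NAT table keep being translated:
!   clear ip nat translation *
!
! Check: only the static entry for the branch server should remain, and
! a LAN-to-HQ ping should now bring up the IPsec session:
!   show ip nat translations
!   show crypto session
```

Two caveats a practitioner will hit. First, the deny line must name both the source and the destination LAN; a broad deny would also exempt Internet-bound traffic, which then leaves with a private source address and is dropped by the ISP. Second, the static entry for the branch server (ip nat inside source static) is not governed by this ACL, so if that server must talk to the HQ LAN over the tunnel by its private address it needs its own exemption; IOS supports attaching a route-map to a static NAT entry for exactly this purpose.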

82 The ping is successful, but it appears that NAT still translated the inside LAN address.
Let’s verify the NAT translation …

83 Notice that the 192.168.1.1 address is still in the NAT cache.
This is the cause of our current problem: an existing dynamic translation is reused before the access list is consulted again. The NAT translations must be cleared (clear ip nat translation *); only then will the branch router enforce the new BRANCH-NAT-ACL entries.

84 Now our VPN link has been activated
Notice that four out of the five pings were successful. It is typical for the initial packet that triggers the VPN tunnel to time out while IKE and IPsec are negotiating.

85 Verify

86 This presentation… (progress recap; same roadmap as slide 3)

87 Multicast and Broadcast Impact on Routing. A significant drawback of an IPsec VPN built with crypto maps is that it cannot carry multicast and broadcast packets. Routing protocols (IGPs) such as EIGRP and OSPF, which use multicast packets for hellos and updates, cannot form adjacencies or send routing advertisements through such an IPsec VPN. However, IPsec can be combined with Generic Routing Encapsulation (GRE) to create a tunnel that circumvents the issue with IGP routing within VPN tunnels.

88 Configuring GRE Tunnels
There are four options to route dynamic routing protocols through an IPsec tunnel:
- Point-to-point generic routing encapsulation (P2P GRE)
- Virtual tunnel interface (VTI)
- Dynamic multipoint VPN (DMVPN)
- Group encrypted transport VPN (GET VPN)
In this section, we focus on P2P GRE.

89 GRE is a tunneling protocol developed by Cisco
GRE is a tunneling protocol developed by Cisco that creates a virtual point-to-point link. A common option is to use GRE to pass dynamic routing protocol traffic across an IPsec tunnel: GRE and IPsec, a tunnel within a tunnel. GRE does not provide encryption services; it is just an encapsulation protocol. Our GRE packets (carrying the EIGRP traffic) will be encrypted by IPsec.

90 Point-to-point GRE encapsulates routing protocols in GRE first
Then the GRE packets are encapsulated in IPsec and encrypted.

91 Configuring GRE. The following three configuration steps will accomplish our goal:
1. Create tunnel interfaces for GRE. First configure the tunnel interfaces with GRE encapsulation and make sure that the tunnel is up and running.
2. Change the crypto ACL to encrypt GRE traffic. Change the IPsec configuration so that the crypto ACL includes GRE traffic; this causes GRE traffic (routing updates) to be channeled across the IPsec VPN tunnel like other interesting traffic.
3. Configure the routing protocol to route through the GRE tunnel. Last, configure our routing protocol to use the tunnel interface.

92 To avoid errant EIGRP neighbor messages from appearing, remove EIGRP
- The tunnel IP address is /30, which will serve as the tunnel destination in the HQ router tunnel configuration.
- The tunnel source is the Internet-facing interface on the branch router.
  - The tunnel source command is used to specify either the source interface or the source IP address; we have chosen to specify the IP address.
- The tunnel destination address will be the reachable global IP address of the HQ router.

93 Repeat the preceding configurations on the HQ router
- The tunnel IP address is /30, which will serve as the tunnel destination in the HQ router tunnel configuration.
- The tunnel source is the Internet-facing interface on the HQ router.
  - The tunnel source command is used to specify either the source interface or the source IP address.
- The tunnel destination address will be the reachable global IP address of the Branch router.
- Note: GRE over IP is the default for tunnel interfaces (tunnel mode gre ip).

94 Verify the current tunnel interface configuration
- Tunnel is up and up
- Tunnel IP address
- Tunnel source and destination IP addresses
- Tunnel protocol is GRE over IP
No traffic is currently using these tunnel interfaces because EIGRP is not yet aware that it has to use them to communicate.

95 We must now change the crypto ACL to make the GRE traffic interesting to enable the IPsec tunnel.
- Remove the current crypto ACL and replace it. We will address the LAN-to-LAN tunnel in a moment.
- The new crypto map ACL specifies that whenever the public IP address of the branch router attempts to send a GRE update to the public IP address of the HQ router, an IPsec VPN should be enabled.
- The reciprocating crypto map is configured on the HQ router.

96 Ping the tunnel interface on peer…
We should now have basic GRE over IPv4 connectivity. The pings are 80 percent successful, indicating that perhaps the first ping timed out because of the IPsec VPN being activated.

97 Verify connectivity from the branch LAN to the HQ LAN
[Figure: ping from branch LAN to HQ LAN fails]
The LANs can no longer reach each other.

98 [Figure labels: X, Default ?]
- We have the network connected to the Tunnel 0 interface.
- We still have the default static route we configured earlier pointing to the ISP.
- However, the branch LAN does not know about the HQ LAN, located in the private address space of /24, via the VPN tunnel.

99 Configure EIGRP to propagate the LAN and the tunnel routing information between the sites
LAN-to-LAN traffic will now use the tunnel, encapsulated by GRE, and therefore will use IPsec.
Verify
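The three steps above, assembled on the branch router as an added configuration example (not the slides' own configuration; the HQ router mirrors it with the addresses swapped). All addresses are constructed placeholders from the RFC 5737 documentation ranges, the ACL, crypto map and transform-set names are assumptions, and the ISAKMP policy and transform set are assumed to exist from the earlier IPsec configuration.

```cisco
! Added example: branch router, GRE over IPsec (constructed addresses)
! 203.0.113.2 = branch public, 198.51.100.2 = HQ public (RFC 5737 ranges)
! 192.168.2.0/24 = branch LAN, 10.1.1.0/24 = HQ LAN, 10.10.10.0/30 = tunnel
!
! Step 1: GRE tunnel interface (GRE over IP is the default tunnel mode)
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
! Step 2: replace the crypto ACL so GRE between the public addresses
! is the interesting traffic; LAN-to-LAN now rides inside the GRE tunnel
no ip access-list extended VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit gre host 203.0.113.2 host 198.51.100.2
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
! NAT exemption from the earlier IPsec step: LAN-to-LAN traffic is excluded
! from translation; the deny must precede the permit to take effect
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/1
 description Internet-facing interface
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
! Step 3: EIGRP must include the tunnel network so the HQ LAN is learned
! through Tunnel0 (and therefore IPsec) instead of the default route
router eigrp 1
 network 192.168.2.0 0.0.0.255
 network 10.10.10.0 0.0.0.3
 no auto-summary
!
! Verify: Tunnel0 up/up with GRE/IP, an EIGRP neighbor on Tunnel0,
! and encrypt/decrypt counters rising in the IPsec SA
! show interfaces tunnel 0
! show ip eigrp neighbors
! show crypto ipsec sa
```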

100 This confirms that packets are indeed traversing the IPsec VPN.

101 As you can see, regular traffic (non-LAN-to-LAN and non-router-to-router EIGRP traffic) does not take the GRE over IPsec VPN tunnel

102 GRE Tunnel Summary

103 Summary
- Created our broadband connection
- Configured a floating static route
  - If the Private WAN is down, use the Internet (ISP)
- Configured NAT for traffic over the Internet
  - Changes the private source IP address for traffic over the Internet
- Configured IPsec
  - Want all traffic, including LAN-to-LAN, to use the Internet (ISP)
  - Want to secure LAN-to-LAN traffic between Branch and HQ over the Internet using IPsec
  - Problem: LAN-to-LAN traffic is being sent over the Private WAN
  - Solution: Modify NAT to create a NAT exemption
  - Problem: IPsec does not support broadcasts and multicasts, so it cannot send EIGRP routing updates
  - Solution: Use a GRE tunnel. Encapsulate traffic inside a GRE point-to-point tunnel, then inside an IPsec tunnel
  - Must add the GRE tunnel network to EIGRP so all LAN-to-LAN traffic uses the GRE tunnel

104 Suggested Readings on VPNs
- IPsec Virtual Private Network Fundamentals, by James Henry Carmouche
- Implementing Cisco IOS Network Security (IINS): (CCNA Security exam ) (Authorized Self-Study Guide), by Catherine Paquet
- CIS 146 CCNA Security class, Instructor: Gerlinde Brady, offered Spring 2011

105 Lab will reinforce concepts and commands

106

107 Planning for Mobile Worker Implementations
Please read this section on your own.

108 The enterprise mobile worker solution provides an always-on, secure, centrally managed connection from multiple global locations to the corporate network.
Possible options:
- IPsec and Secure Sockets Layer (SSL) VPNs: Establish a secure tunnel over existing broadband connections to the central site.
- Security: Safeguard the corporate network and prevent unguarded back doors.
  - firewall
  - intrusion prevention
  - URL filtering services
- Authentication: Defines who gets access to resources and is achieved by deploying identity-based network services with authentication using:
  - AAA servers
  - 802.1X port-based access control
  - Cisco security trust agents
- QoS: Quality of service addresses application availability and behavior.
  - Prioritize traffic and optimize the use of WAN bandwidth
- Management: Centrally manages and supports the mobile worker connection and equipment, and transparently configures and pushes security and other policies to the remote devices.

109 The following components are required to provide remote access to mobile workers:
- VPN router (for example, Cisco Easy VPN server)
- Mobile worker device (for example, Cisco Easy VPN client)
- IPsec VPN tunnel
- Internet connectivity

110 The headend VPN router is also known as the Easy VPN server in Easy VPN terminology.
It concentrates the bulk of the remote-end configuration, which "pushes" the policies to the client at the moment of connection. The remote end, the device used by the mobile worker, is known in Easy VPN terminology as the Easy VPN remote or Easy VPN client. The Easy VPN remote device starts an IPsec VPN tunnel to connect to the Easy VPN server across the public network.

111 The following steps are required to configure a router as an Easy VPN server:
Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.
Step 3: Provide routing services for VPN subnets.
Step 4: Tune NAT for VPN traffic flows.
Step 5: Verify the IPsec VPN configuration.

112 Step 1: Allow IPsec traffic
The first step is to make sure we are allowing IPsec traffic into our VPN router. The router is typically running some sort of firewall service, or at least ACLs that implement antispoofing mechanisms and other security controls.
There are different types of Cisco IOS firewalls:
- A classic firewall based on ACLs, referred to as context-based access control (CBAC).
- A zone-based firewall (ZBF), a more recent approach to implementing the service in routers.

113 The show ip inspect command gives you the details on the classic firewall.
The show zone-pair security command gives you the details about the zone-based firewall.

114 show ip interface fa0/1: there is an inbound access list called FIREWALL-INBOUND applied to interface Fa0/1.

115 The access list called FIREWALL-INBOUND, currently configured on R1, could be part of a bigger firewalling strategy. We need to investigate further whether our IOS router is configured to act as a firewall.

116 We have a classic firewall (CBAC) configured inbound on R1.
We can also see which access lists are involved in the access control process, so we can quickly make a note and proceed to change the ACLs to allow IPsec traffic. The access list is conveniently called FIREWALL-INBOUND, which we looked at earlier.

117 Running the show zone-pair security command on R1, we see that the zone-based firewall has not been configured.

118 We know we have a CBAC. Let's add IPsec support to the ACL (open up the ACL for IPsec).
- IPsec uses ESP to provide confidentiality through encryption. ESP, found at Layer 4 of the OSI model, uses IP protocol 50.
- IPsec can also use AH if only integrity is required. AH uses IP protocol 51.
- During the first stage of IPsec, peer negotiations and credentials are exchanged using a protocol called ISAKMP, on UDP port 500. ISAKMP is one of three components that make up IKE.
- Finally, UDP port 4500 will need to be opened for NAT Traversal (NAT-T), another IPsec service.

119 Defining Address Pools
Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.

120 Address pools for these VPN users are typically assigned using DHCP.
- Hosts already have an IP address to start with, which allows them to connect to their IP network.
- But with IPsec tunnels, IPsec VPNs encapsulate the original traffic within an additional packet, to allow that private traffic to be routed across a public network.
- So ultimately traffic needs to go between:
  - a private host (located outside of the private network)
  - a private resource
- The encapsulation process will use:
  - private addressing in the original (encapsulated) packet
  - public addressing for the "outer" (encapsulation) packet

121 Providing Routing Services for VPN Subnets
Step 1: Allow IPsec traffic.
Step 2: Define an address pool for connecting clients.
Step 3: Provide routing services for VPN subnets.
Provide effective routing services so that traffic coming from VPN clients can reach internal resources and the return traffic can find its way back to those remote users.

122 VPN subnets, defined by the IP address pools allocated for remote-access clients, are ephemeral.
- They appear and disappear as VPN clients connect and disconnect.
- Several methods, including the following, can be used to make those address pools known to routers in the internal network:
  - Proxy ARP: a simple method; the client appears to be on the same network as the company.
  - Reverse route injection: VPN software clients inject their assigned IP addresses as host routes.
  - Static routes with redistribution (next)

123 Redistribute Static
- One way to provide routing services to remote users is a hybrid solution using static and dynamic features.
- This is achieved by creating a static route pointing to the remote-access address pool and then redistributing that particular static route into your routing protocol.
- The commands used are ip route and redistribute static metric {metric_value}.
- Create a static route using the ip route command. The static route points to R1 as the next hop, which is 192.168.1.2. This next hop is responsible for initiating and terminating VPN tunnels.
- Redistribute the static route into EIGRP. It is best practice to use route filters to ensure that only the desired routes are redistributed.

124 Redistribute Static
- R2 is aware of the remote-access VPN subnet, 10.254.254.0/24.
- As soon as our VPN clients connect to our corporate network, R2 will be able to route traffic back to them.

125 Tuning NAT for VPN Traffic Flows

126 NAT
- Only VPN destinations should bypass translation. All other Internet-bound traffic must be translated.
- Traffic originating from any IP address, but with a destination of /24, the addresses of our remote users, will be denied translation.
- All other IP traffic will be subjected to translation.
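Steps 1 through 5 assembled as an added configuration example (not the slides' own output), with R1 as the Easy VPN server and R2 as the internal router. The pool 10.254.254.0/24 and the next hop 192.168.1.2 come from the slides; R1's public address 203.0.113.1 is a constructed placeholder, the ACL, pool and route-map names are assumptions, and the Easy VPN group and client configuration itself is assumed to already be in place.

```cisco
! Added example: R1 = Easy VPN server (public 203.0.113.1, constructed),
! R2 = internal router. Pool 10.254.254.0/24 and next hop 192.168.1.2
! are the values from the slides; ACL, pool and route-map names are assumed.
!
! ---- R1, Step 1: allow IPsec through the CBAC inbound ACL ----
! Sequence numbers place these ahead of any explicit deny already in the ACL
ip access-list extended FIREWALL-INBOUND
 5 permit esp any host 203.0.113.1
 6 permit ahp any host 203.0.113.1
 7 permit udp any host 203.0.113.1 eq isakmp
 8 permit udp any host 203.0.113.1 eq non500-isakmp
!
! ---- R1, Step 2: address pool handed to connecting clients ----
ip local pool EZVPN-POOL 10.254.254.1 10.254.254.254
!
! ---- R1, Step 4: NAT exemption, only VPN destinations bypass NAT ----
ip access-list extended NAT-TRAFFIC
 deny   ip any 10.254.254.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
!
! ---- R2, Step 3: static route to the pool, filtered redistribution ----
ip route 10.254.254.0 255.255.255.0 192.168.1.2
ip prefix-list VPN-POOL seq 5 permit 10.254.254.0/24
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-POOL
router eigrp 1
 network 192.168.1.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500 route-map STATIC-TO-EIGRP
!
! ---- Step 5: verify ----
! R1: show ip inspect config, show crypto isakmp sa, show crypto ipsec sa
! R2: show ip route eigrp (expect 10.254.254.0/24 as an external EIGRP route)
```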

127 CIS 185 CCNP ROUTE Ch. 7 Implementing Routing Facilities for Branch Offices and Mobile Workers
Rick Graziani Cabrillo College Last Updated: Fall 2010

