© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—15-1 Lesson 15 Configuring PIX Firewall Remote Access Using Cisco Easy VPN.

1 Lesson 15 Configuring PIX Firewall Remote Access Using Cisco Easy VPN

2 Objectives

3 Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the Easy VPN Server.
– Describe the Easy VPN Remote.
– Configure the Easy VPN Server.
– Configure the Easy VPN Remote using the Cisco VPN Client Release 3.6.

4 Introduction to the Cisco Easy VPN

5 The Cisco Easy VPN
Easy VPN Servers:
– Cisco IOS > 12.2(8)T router
– PIX Firewall > 6.2
– Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
Easy VPN Remote:
– Cisco VPN Client 3.x
– Cisco 800 Series Router
– Cisco 900 Series Router
– Cisco 1700 Series Router
– Cisco VPN 3002 Hardware Client
– Cisco PIX 501/506 Firewall

6 Overview of the Easy VPN Server

7 Cisco Easy VPN Server Features
The Cisco PIX Firewall Software Version 6.2 Easy VPN Server introduces server support for the Cisco Easy VPN Remote Clients. It allows remote end users to communicate using IPSec with supported PIX Firewall VPN gateways. Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.

8 PIX Firewall Version 6.3 Easy VPN Server Functions
– User-level authentication
– Updated VPN 3000 support
– Certificate support
– Diffie-Hellman group 5 support
– AES encryption support

9 Supported Easy VPN Servers
– Cisco IOS > 12.2(8)T router
– PIX Firewall > 6.2
– Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
[Diagram: Easy VPN Remote devices (Cisco VPN Client 3.x, Cisco 800/900/1700 Series Routers, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall) connecting to the Easy VPN Servers]

10 Overview of the Easy VPN Remote Feature

11 Implementing Easy VPN Remote
Easy VPN Remote:
– PC with Easy Remote VPN Client 3.x
– Cisco 800 Series Router
– Cisco 900 Series Router
– Cisco 1700 Series Router
– Cisco VPN 3002 Hardware Client
– Cisco PIX 501/506 Firewall
Easy VPN Server:
– PIX Firewall version 6.2

12 Supported Easy VPN Remote Clients
– Cisco VPN Client (software version) > 3.x
– Cisco VPN 3002 Hardware Client > 3.x
– Cisco PIX Firewall 501/506 VPN client > 6.2
– Cisco Easy VPN Remote router clients: Cisco 800 Series, Cisco 900 Series, Cisco 1700 Series

13 Cisco VPN Client Software Version > 3.x
– Software-based Cisco VPN Client
– Supports several operating systems
– Comes standard with the Cisco VPN 3000 Series Concentrator
– Available for download from Cisco.com
– Supports Cisco VPN Client protocol

14 Cisco VPN 3002 Hardware Client > 3.x
[Figure: rear panels of the Cisco VPN 3002 Hardware Client and the Cisco VPN 3002-8E Hardware Client, labelled Private, Public, Console, Hardware reset, Power]
Supports Cisco VPN Client protocol

15 Cisco PIX Firewall 501 and 506 VPN Client
[Figure: PIX Firewall 501; PIX Firewall 506/506E]

16 Cisco Easy VPN Remote Router Clients
All models support the Cisco VPN Client protocol. Always check Cisco.com for the latest listing of supported Cisco Easy VPN Remote router clients.
800 Series: 806, 826, 827, 828
900 Series: uBR905, uBR925
1700 Series: 1710, 1720, 1721, 1750, 1751, 1760

17 Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
Client mode
– Specifies that NAT/PAT be used.
– Client automatically configures the NAT/PAT translation and ACLs needed to implement the VPN tunnel.
– Supports split tunneling.
Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
– PAT is not used.
– Supports split tunneling.

18 Easy VPN Remote Client Mode
[Diagram labels: PIX Firewall 501/506 (Easy VPN Remote); PIX Firewall 525 (Easy VPN Server); 192.168.1.2; 10.0.0.0/24; VPN tunnel; 10.0.1.2; 192.168.1.3; 192.168.1.1; PAT]

19 Easy VPN Remote Network Extension Mode
[Diagram labels: Cisco 1710 router (Easy VPN Remote) 12.2(8)YJ; PIX Firewall 525 (Easy VPN Server); 172.16.10.5; 172.16.10.6; 172.16.10.4; VPN tunnel; PIX Firewall 501 Easy VPN Remote; 172.16.20.5; 172.16.20.6; 10.0.0.0/24]

20 Overview of the Cisco VPN 3.6 Client

21 Cisco VPN Client Release 3.6
[Screenshot label: 192.168.1.5]

22 Cisco VPN Client 3.6 Features and Benefits
The Cisco VPN Client provides the following features and benefits:
– Intelligent peer availability detection
– SCEP
– Data compression (LZS)
– Command-line options for connecting, disconnecting, and connection status
– Configuration file with option locking
– Support for Microsoft network login (all platforms)
– DNS, WINS, and IP address assignment
– Load balancing and backup server support
– Centrally controlled policies
– Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
– Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)

23 Cisco VPN Client 3.6 Specifications
– Supported tunneling protocols
– Supported encryption/authentication
– Supported key management techniques
– Supported data compression technique
– Digital certificate support
– Authentication methodologies
– Profile management
– Policy management

24 How the Cisco Easy VPN Works

25 The Easy VPN Remote Connection Process
Step 1—The VPN Client initiates the IKE Phase 1 process.
Step 2—The VPN Client negotiates an IKE SA.
Step 3—The Easy VPN Server accepts the SA proposal.
Step 4—The Easy VPN Server initiates a username/password challenge.
Step 5—The mode configuration process is initiated.
Step 6—IKE quick mode completes the connection.

26 Step 1—Cisco VPN Client Initiates IKE Phase 1 Process
– Using preshared keys? Initiate aggressive mode (AM).
– Using digital certificates? Initiate main mode (MM).
[Diagram: Remote PC with Easy Remote VPN Client 3.x; PIX Firewall 6.2 Easy VPN Server]

27 Step 2—Cisco VPN Client Negotiates an IKE SA
The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
[Diagram: the remote PC sends proposal 1, proposal 2, proposal 3 to the PIX Firewall 6.2 Easy VPN Server]

28 Step 3—The Easy VPN Server Accepts SA Proposal
The Easy VPN Server searches for a match:
– The first proposal to match the server's list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
IKE SA is successfully established. Device authentication ends and user authentication begins.
[Diagram: proposal checking on the PIX Firewall 6.2 Easy VPN Server finds a match for proposal 1]

29 Step 4—The Easy VPN Server Initiates a Username/Password Challenge
If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.
[Diagram: username/password challenge from the PIX Firewall 6.2 Easy VPN Server; username/password reply from the remote PC; AAA checking]

30 Step 5—The Mode Configuration Process is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
[Diagram: the client requests parameters; the PIX Firewall 6.2 Easy VPN Server returns system parameters via mode config]

31 Step 6—IKE Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.
[Diagram: quick mode IPSec SA establishment; VPN tunnel between the remote PC and the PIX Firewall 6.2 Easy VPN Server]
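
The proposal matching in Steps 1 to 3, as an added example that is not part of the original lesson. The `Proposal` type, the priority numbers and the client offers are assumptions constructed for the illustration; it shows that the weakest policy left on the server is the one a client offering only that combination will negotiate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash: str
    auth: str
    dh_group: int


def phase1_mode(auth):
    """Step 1: pre-shared keys start aggressive mode, certificates main mode."""
    return {"pre-share": "aggressive", "rsa-sig": "main"}[auth]


def select_proposal(server_policies, client_proposals):
    """Step 3: walk the server's list from highest priority (lowest number)
    and accept the first policy that equals one of the client's proposals."""
    offered = set(client_proposals)
    for priority in sorted(server_policies):
        if server_policies[priority] in offered:
            return priority, server_policies[priority]
    return None  # no common proposal: IKE Phase 1 fails


def without_des(server_policies):
    """Drop every policy that still allows DES (a hardening step)."""
    return {prio: pol for prio, pol in server_policies.items()
            if pol.encryption != "des"}


# Constructed server list, most secure first (priority numbers are assumptions).
SERVER = {
    10: Proposal("aes", "sha", "pre-share", 5),
    20: Proposal("3des", "sha", "pre-share", 2),
    30: Proposal("des", "sha", "pre-share", 2),  # same settings as Task 1's policy
}

# Constructed client offers: Step 2 sends several combinations at once.
CURRENT_CLIENT = [
    Proposal("des", "sha", "pre-share", 2),
    Proposal("3des", "sha", "pre-share", 2),
    Proposal("aes", "sha", "pre-share", 5),
]
DES_ONLY_CLIENT = [Proposal("des", "sha", "pre-share", 2)]

if __name__ == "__main__":
    print(phase1_mode("pre-share"))
    print(select_proposal(SERVER, CURRENT_CLIENT))
    print(select_proposal(SERVER, DES_ONLY_CLIENT))
    print(select_proposal(without_des(SERVER), DES_ONLY_CLIENT))
```
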

32 Configuring the Easy VPN Server for Extended Authentication

33 Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Easy VPN Server on a PIX Firewall:
Task 1—Create ISAKMP policy for remote VPN Client access.
Task 2—Create IP address pool.
Task 3—Define group policy for mode configuration push.
Task 4—Create transform set.
Task 5—Create dynamic crypto map.
Task 6—Assign dynamic crypto map to static crypto map.
Task 7—Apply crypto map to PIX Firewall interface.
Task 8—Configure XAUTH.
Task 9—Configure NAT and NAT 0.
Task 10—Enable IKE DPD.

34 Task 1—Create ISAKMP Policy for Remote VPN Client Access
pix1(config)# isakmp enable outside
pix1(config)# isakmp policy 20 authentication pre-share
pix1(config)# isakmp policy 20 encryption des
pix1(config)# isakmp policy 20 hash sha
pix1(config)# isakmp policy 20 group 2
[Diagram labels: Remote client 192.168.1.5; Internet; Outside; Inside; 172.26.26.1; Server 10.0.0.15; ISAKMP: Pre-share, DES, SHA, Group 2]

35 Task 2—Create IP Address Pool
pixfirewall(config)# ip local pool pool_name address-pool
pix1(config)# ip local pool vpnpool 10.0.11.1-10.0.11.254
Creates an optional local address pool if the remote client is using the remote server as an external DHCP server.
[Diagram label: vpnpool 10.0.11.1-10.0.11.254]

36 Group Policy
[Diagram: Engineering, Marketing and Training policies, each pushed to the clients of its group; labels 10.0.0.0/24, 10.0.1.0/24, Mktg, Eng, Internet]

37 Task 3—Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
Step 1—Configure the IKE pre-shared key.
Step 2—Specify the DNS servers.
Step 3—Specify the WINS servers.
Step 4—Specify the DNS domain.
Step 5—Specify the local IP address pool.
Step 6—Specify idle timeout.

38 Step 1—Configure IKE Pre-Shared Key
pixfirewall(config)# vpngroup group_name password preshared_key
pix1(config)# vpngroup rmt_user_1 password cisco123
[Diagram: the VPN group parameters (pre-share, DNS server, WINS server, DNS domain, address pool, idle time) are pushed to the remote client; labels Server 10.0.0.15, Internet, Inside, Outside, 172.26.26.1]

39 Step 2—Specify DNS Servers
pixfirewall(config)# vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
pix1(config)# vpngroup rmt_user_1 dns-server 10.0.0.15

40 Step 3—Specify WINS Servers
pixfirewall(config)# vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]
pix1(config)# vpngroup rmt_user_1 wins-server 10.0.0.15

41 Step 4—Specify DNS Domain
pixfirewall(config)# vpngroup group_name default-domain domain_name
pix1(config)# vpngroup rmt_user_1 default-domain cisco.com

42 Step 5—Specify Local IP Address Pool
pixfirewall(config)# vpngroup group_name address-pool pool_name
pix1(config)# vpngroup rmt_user_1 address-pool vpnpool

43 Step 6—Specify Idle Time
pixfirewall(config)# vpngroup group_name idle-time idle_seconds
pix1(config)# vpngroup rmt_user_1 idle-time 600

44 Task 4—Create Transform Set
pix1(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
pix1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
[Diagram label: Transform set: DES, SHA-HMAC]

45 Task 5—Create Dynamic Crypto Map
pixfirewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1
pix1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1

46 Task 6—Assign Dynamic Crypto Map to Static Crypto Map
pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
pix1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map

47 Task 7—Apply Dynamic Crypto Map to PIX Firewall Outside Interface
pixfirewall(config)# crypto map map-name interface interface-name
pix1(config)# crypto map rmt-user-map interface outside

48 Task 8—Configure XAUTH
Task 8 contains the following steps:
Step 1—Enable AAA login authentication.
Step 2—Define AAA server IP address and encryption key.
Step 3—Enable IKE XAUTH for the dynamic crypto map.

49 Step 1—Enable AAA Login Authentication
pixfirewall(config)# aaa-server server_tag protocol auth_protocol
pix1(config)# aaa-server mytacacs protocol tacacs+
[Diagram labels: Remote client 192.168.1.5; Internet; Outside; Inside; 172.26.26.1; TACACS+ server 10.0.0.15]

50 Step 2—Define AAA Server IP Address and Encryption Key
pixfirewall(config)# aaa-server server_tag [(if_name)] host server_ip [key][timeout seconds]
pix1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5

51 Step 3—Enable IKE XAUTH for Crypto Map
pixfirewall(config)# crypto map map-name client [token] authentication aaa-server-name
pix1(config)# crypto map rmt-user-map client authentication mytacacs

52 Task 9—Configure NAT and NAT 0
pix1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
pix1(config)# nat (inside) 0 access-list 101
pix1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pix1(config)# global (outside) 1 interface
– Matches ACL—Encrypted data and no translation (NAT 0)
– Does not match ACL—Clear text and translation (PAT)
[Diagram labels: Remote client 192.168.1.5; TACACS+ server 10.0.0.15; Internet; Inside; Outside; 10.0.11.0; 10.0.0.0]

53 Task 10—Enable IKE DPD
pixfirewall(config)# isakmp keepalive seconds [retry_seconds]
– seconds: number of seconds between DPD messages
– retry_seconds: number of seconds between retries
pix1(config)# isakmp keepalive 30 10
[Diagram: 1) DPD send: Are you there? 2) DPD reply: Yes, I am here. Labels: Remote client; TACACS+ server 10.0.0.15; Internet; Inside; Outside; 10.0.11.0; 10.0.0.0]

54 Easy VPN Server Configuration Summary
version 6.3(2)
hostname pix1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside

55 Easy VPN Server Configuration Summary (Cont.)
!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure VPNGroup parameters, to be sent down to the client.
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 dns-server 10.0.0.15
vpngroup rmt_user_1 wins-server 10.0.0.15
vpngroup rmt_user_1 default-domain cisco.com
vpngroup rmt_user_1 idle-time 1800
vpngroup rmt_user_1 password ********
vpngroup rmt_user_1 idle-time 600
!--- Configure AAA-Server and Xauth parameters.
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
crypto map rmt-user-map client authentication mytacacs

56 Easy VPN Server Configuration Summary (Cont.)
!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!--- Enable IKE keepalives on the PIX gateway.
isakmp keepalive 30 10
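
A consistency and algorithm check for the kind of configuration summarized above, as an added example that is not part of the original lesson or of any Cisco tool. The sample configuration is constructed from the lesson's commands with a transform-set name mismatch seeded in, and the list of settings flagged as weak is this example's own assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the lesson's summary configuration, with a
# transform-set name mismatch ("myset" is never defined) seeded on purpose.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 10.0.11.1-10.0.11.254
vpngroup rmt_user_1 address-pool ippool
aaa-server mytacacs protocol tacacs+
crypto map rmt-user-map client authentication mytacacs
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
"""

# Assumption: this example's own list of settings to flag, not a Cisco list.
WEAK_IKE = {"encryption des": "DES", "hash md5": "MD5",
            "group 1": "DH group 1", "group 2": "DH group 2"}
WEAK_ESP = {"esp-des": "DES", "esp-md5-hmac": "HMAC-MD5"}

def audit(config):
    """Return findings for a PIX 6.x Easy VPN Server configuration."""
    lines = [s for raw in config.splitlines()
             if (s := raw.strip()) and not s.startswith("!")]
    def grab(pattern):
        return [m.groups() for s in lines if (m := re.fullmatch(pattern, s))]

    out = []
    for prio, setting in grab(r"isakmp policy (\d+) (.+)"):
        if setting in WEAK_IKE:
            out.append(f"weak: isakmp policy {prio} uses {WEAK_IKE[setting]}")
    tsets = dict(grab(r"crypto ipsec transform-set (\S+) (.+)"))
    for name, transforms in tsets.items():
        for t in transforms.split():
            if t in WEAK_ESP:
                out.append(f"weak: transform-set {name} uses {WEAK_ESP[t]}")
    for dmap, ts in grab(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)"):
        if ts not in tsets:
            out.append(f"dangling: dynamic-map {dmap} -> transform-set {ts}")
    pools = {n: (a, b) for n, a, b in grab(r"ip local pool (\S+) (\S+)-(\S+)")}
    for group, pool in grab(r"vpngroup (\S+) address-pool (\S+)"):
        if pool not in pools:
            out.append(f"dangling: vpngroup {group} -> pool {pool}")
    servers = {tag for (tag,) in grab(r"aaa-server (\S+) protocol \S+")}
    xauth = grab(r"crypto map (\S+) client authentication (\S+)")
    if not xauth:
        out.append("missing: no crypto map enforces XAUTH")
    for cmap, tag in xauth:
        if tag not in servers:
            out.append(f"dangling: crypto map {cmap} -> aaa-server {tag}")
    # Task 9: every client pool must sit inside a NAT 0 ACL destination,
    # otherwise traffic to VPN clients is translated instead of tunnelled.
    nat0 = {acl for (acl,) in grab(r"nat \(\S+\) 0 access-list (\S+)")}
    acl_re = r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)"
    dests = [ipaddress.ip_network(f"{net}/{mask}", strict=False)
             for acl, net, mask in grab(acl_re) if acl in nat0]
    for name, ends in pools.items():
        if not any(all(ipaddress.ip_address(e) in d for e in ends) for d in dests):
            out.append(f"nat0: pool {name} is not exempt from translation")
    return out
```

Calling `audit(SAMPLE_CONFIG)` returns four findings: the MD5 hash and DH group 2 in the ISAKMP policy, HMAC-MD5 in the transform set, and the dynamic map's reference to the undefined transform set.
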

57 Cisco VPN Client 3.6 Manual Configuration Tasks

58 Cisco VPN Client 3.6 Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client 3.6:
Task 1—Install Cisco VPN Client 3.X.
Task 2—Create a New Connection Entry.
Task 3—(Optional) Modify VPN Client Options.
Task 4—Configure VPN Client General Properties.
Task 5—Configure VPN Client Authentication Properties.
Task 6—Configure VPN Client Connection Properties.

59 Task 1—Install Cisco VPN Client 3.x

60 Task 2—Create New Connection Entry
[Screenshot values: rmt_user_1; 192.168.1.5]

61 Task 3—(Optional) Modify Cisco VPN Client Options

62 Task 4—Configure Cisco VPN Client General Properties
[Screenshot labels: Win 95/98/ME; Win-NT 4/2000/XP]

63 Task 5—Configure Cisco VPN Client Authentication Properties
The end user never sees this after the initial configuration.

64 Task 6—Configure Cisco VPN Client Connections Properties

65 Working with the Cisco VPN 3.6 Client

66 Cisco VPN Client Program Menu

67 Cisco VPN Client Log Viewer
[Screenshot labels: Tool bar; Log display]

68 Setting MTU Size

69 Cisco VPN Client Connection Status: General Tab

70 Cisco VPN Client Connection Status: Statistics Tab

71 Summary

72 Summary
– Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
– The Easy VPN Server adds several new commands to PIX Firewall version 6.3.
– The Cisco VPN Client release 3.6 can be configured manually by users or automatically using preconfiguration files.

73 Lab Exercise

74 Lab Visual Objective
[Diagram labels: 192.168.P.0; Student PC VPN Client; .1; 172.26.26.P; 10.0.P.0; .2; .1; PIX Firewall; .150; Web FTP; .10; 172.26.26.0; RBB]

