Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1.


1 Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN

2 Introduction to Cisco Easy VPN

3 Cisco Easy VPN
Easy VPN Servers:
  – Cisco IOS > 12.2(8)T Router
  – PIX Firewall/ASA > 6.2
  – Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
Easy VPN Remote:
  – Cisco VPN Client > 3.x
  – Cisco 800 Series Router
  – Cisco 900 Series Router
  – Cisco 1700 Series Router
  – Cisco VPN 3002 Hardware Client
  – Cisco PIX Firewall 501 and 506

4 Features of Cisco Easy VPN Server
Server support for Cisco Easy VPN Remote clients was introduced with the release of Cisco PIX Firewall Software v6.2. It allows remote end users to communicate using IPSec with supported security appliance VPN gateways. Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.

5 Supported Easy VPN Servers
  – Cisco IOS > 12.2(8)T router
  – PIX Firewall/ASA > 6.2
  – Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
(Diagram: the topology of slide 3 with the Easy VPN Servers highlighted; the Easy VPN Remote side shows Cisco VPN Client > 3.x, Cisco 800, 900 and 1700 Series Routers, Cisco VPN 3002 Hardware Client, and Cisco PIX Firewall 501 and 506.)

6 Supported Easy VPN Remote Clients
  – Cisco VPN Software Client > 3.x
  – Cisco VPN 3002 Hardware Client > 3.x
  – Cisco PIX Firewall 501 and 506 VPN Client > 6.2
  – Cisco Easy VPN Remote Router Clients: Cisco 800 Series, Cisco 900 Series, Cisco 1700 Series

7 Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
Client mode
  – Specifies that NAT and PAT be used.
  – The client automatically configures the NAT and PAT translations and the ACLs that are needed to implement the VPN tunnel.
  – Supports split tunneling.
Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
  – PAT is not used.
  – Supports split tunneling.

8 Easy VPN Remote Client Mode
(Diagram: PIX Firewall 501/506 as Easy VPN Remote with PAT, VPN tunnel to a PIX Firewall 525 Easy VPN Server; address labels 192.168.1.1, 192.168.1.2, 192.168.1.3, 10.0.1.2 and 10.0.0.0/24.)

9 Easy VPN Remote Network Extension Mode
(Diagram: a Cisco 1710 Router running 12.2(8)YJ as Easy VPN Remote with hosts 172.16.10.4, 172.16.10.5 and 172.16.10.6, and a PIX Firewall 501 Easy VPN Remote with hosts 172.16.20.5 and 172.16.20.6; each has a VPN tunnel to a PIX Firewall 525 Easy VPN Server in front of 10.0.0.0/24.)

10 Overview of Cisco VPN Client

11 Cisco VPN Software Client for Windows

12 Cisco VPN Client Features and Benefits
Cisco VPN Client provides the following features and benefits:
  – Intelligent peer availability detection
  – SCEP
  – Data compression (LZS)
  – Command-line options for connecting, disconnecting, and connection status
  – Configuration file with option locking
  – Support for Microsoft network login (all platforms)
  – DNS, WINS, and IP address assignment
  – Load balancing and backup server support
  – Centrally controlled policies
  – Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
  – Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)

13 Cisco VPN Client Specifications
  – Supported tunneling protocols
  – Supported encryption and authentication
  – Supported key management techniques
  – Supported data compression technique
  – Digital certificate support
  – Authentication methodologies
  – Profile management
  – Policy management

14 How Cisco Easy VPN Works

15 Easy VPN Remote Connection Process
Step 1: The VPN Client initiates the IKE Phase 1 process.
Step 2: The VPN Client negotiates an IKE SA.
Step 3: The Easy VPN Server accepts the SA proposal.
Step 4: The Easy VPN Server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.

16 Step 1: Cisco VPN Client Initiates IKE Phase 1 Process
Using pre-shared keys? Initiate AM (aggressive mode).
Using digital certificates? Initiate MM (main mode).
(Diagram: Remote PC with Easy VPN Remote Client -> Security Appliance Easy VPN Server.)

17 Step 2: Cisco VPN Client Negotiates an IKE SA
The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
  – Encryption and hash algorithms
  – Authentication methods
  – DH group sizes
(Diagram: Remote PC with Easy VPN Remote Client -> Security Appliance Easy VPN Server: Proposal 1, Proposal 2, Proposal 3.)

18 Step 3: Easy VPN Server Accepts SA Proposal
The Easy VPN Server searches for a match:
  – The first proposal to match the server's list is accepted (highest priority match).
  – The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
The IKE SA is successfully established. Device authentication ends and user authentication begins.
(Diagram: Security Appliance Easy VPN Server -> Remote PC with Easy VPN Remote Client: Proposal 1; proposal checking finds a proposal 1 match.)

19 Step 4: Easy VPN Server Initiates a Username/Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN Client waits for a username/password challenge:
  – The user enters a username/password combination.
  – The username/password information is checked against authentication entities.
All Easy VPN Servers should be configured to enforce user authentication.
(Diagram: Security Appliance Easy VPN Server -> Remote PC: Username/Password Challenge; Remote PC -> Security Appliance: Username/Password; the server performs AAA checking.)

20 Step 5: Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
  – Mode configuration starts.
  – The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
(Diagram: Remote PC -> Security Appliance: Client Requests Parameters; Security Appliance -> Remote PC: System Parameters via Mode Configuration.)

21 Step 6: IKE Quick Mode Completes Connection
After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.
(Diagram: Quick Mode, IPSec SA Establishment, and the resulting VPN Tunnel between the Remote PC with Easy VPN Remote Client and the Security Appliance Easy VPN Server.)

22 Configuring Users and Groups

23 Group Policy
(Diagram: Engineering, Marketing and Training users connect over the Internet; the security appliance pushes the matching Engineering, Marketing or Training policy to each client; inside networks 10.0.0.0/24 and 10.0.1.0/24, labelled Mktg and Eng.)

24 Groups and Users
Base Group: Corporate
Groups: Departments
  – Customer Service /Base/Service
  – MIS /Base/Sales
  – Finance /Base/Finance
Users: Individuals
  – VP of MIS
  – VP of Finance

25 group-policy Command
To create or edit a group policy, use the group-policy command in global configuration mode. A default group policy, named DfltGrpPolicy, always exists on the security appliance.
firewall(config)# group-policy {name internal [from group-policy name]}
fw1(config)# group-policy training internal

26 group-policy attributes Command
Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.
firewall(config)# group-policy {name} attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#

27 Users and User Attributes
To add a user to the security appliance database, enter the username command in global configuration mode.
firewall(config)# username {name} {nopassword | password password [encrypted]} [privilege priv_level]
fw1(config)# username user1 password 12345678
firewall(config)# username {name} attributes
fw1(config)# username user1 attributes
fw1(config-username)#

28 Configuring the Easy VPN Server for Extended Authentication

29 Easy VPN Server General Configuration Tasks
The following general tasks are used to configure an Easy VPN Server on a security appliance:
Task 1: Create ISAKMP policy for remote VPN Client access.
Task 2: Create IP address pool.
Task 3: Define group policy for mode configuration push.
Task 4: Create transform set.
Task 5: Create dynamic crypto map.
Task 6: Assign dynamic crypto map to static crypto map.
Task 7: Apply crypto map to security appliance interface.
Task 8: Configure Xauth.
Task 9: Configure NAT and NAT 0.
Task 10: Enable IKE DPD.

30 Task 1: Create ISAKMP Policy for Remote VPN Client Access
fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 20 authentication pre-share
fw1(config)# isakmp policy 20 encryption des
fw1(config)# isakmp policy 20 hash sha
fw1(config)# isakmp policy 20 group 2
(Diagram: remote client 192.168.1.5 reaches the security appliance's outside interface 172.26.26.1 across the Internet; server 10.0.0.15 is on the inside. ISAKMP policy: pre-share, DES, SHA, group 2.)

31 Task 2: Create IP Address Pool
firewall(config)# ip local pool poolname first-address-last-address [mask mask]
fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
Creates an optional local address pool, used if the remote client is using the remote server as an external DHCP server.
(Diagram: same lab topology; pool vpnpool 10.0.11.1-10.0.11.254.)

32 Task 3: Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
Step 1: Set the tunnel group type.
Step 2: Configure the IKE pre-shared key.
Step 3: Specify the local IP address pool.
Step 4: Configure the group policy type.
Step 5: Enter the group-policy attributes submode.
Step 6: Specify the DNS servers.
Step 7: Specify the WINS servers.
Step 8: Specify the DNS domain.
Step 9: Specify idle timeout.

33 Step 1: Set the Tunnel Group Type
firewall(config)# tunnel-group name type type
fw1(config)# tunnel-group training type ipsec-ra
Names the tunnel group and defines the type of VPN connection that is to be established.
(Diagram: same lab topology; attributes pushed to the client: VPN group, pre-share, DNS server, WINS server, DNS domain, address pool, idle time. Slides 34 to 41 show the same diagram.)

34 Step 2: Configure IKE Pre-Shared Key
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group ipsec-attributes submode to configure the key.
firewall(config-ipsec)# pre-shared-key key
Associates a pre-shared key with the connection policy.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

35 Step 3: Specify Local IP Address Pool
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group general-attributes submode to configure the address pool.
firewall(config-general)# address-pool [interface name] address_pool1 [...address_pool6]
Associates an address pool with the connection policy.
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# address-pool MYPOOL

36 Step 4: Configure the Group Policy Type
firewall(config)# group-policy {name internal [from group-policy name]}
fw1(config)# group-policy training internal

37 Step 5: Enter the Group-Policy Attributes Subcommand Mode
firewall(config)# group-policy {name} attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#

38 Step 6: Specify DNS Servers
firewall(config-group-policy)# dns-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# dns-server value 10.0.0.15

39 Step 7: Specify WINS Servers
firewall(config-group-policy)# wins-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# wins-server value 10.0.0.15

40 Step 8: Specify DNS Domain
firewall(config-group-policy)# default-domain {value domain-name | none}
fw1(config-group-policy)# default-domain value cisco.com

41 Step 9: Specify Idle Timeout
firewall(config-group-policy)# vpn-idle-timeout {minutes | none}
fw1(config-group-policy)# vpn-idle-timeout 600

42 Task 4: Create Transform Set
firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
fw1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
(Diagram: remote client 192.168.1.5, Internet, outside interface 172.26.26.1, server 10.0.0.15 on the inside; transform set: DES, SHA-HMAC.)

43 Task 5: Create Dynamic Crypto Map
firewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1

44 Task 6: Assign Dynamic Crypto Map to Static Crypto Map
firewall(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map

45 Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface
firewall(config)# crypto map map-name interface interface-name
fw1(config)# crypto map rmt-user-map interface outside

46 Task 8: Configure Xauth
Task 8 contains the following steps:
Step 1: Enable AAA login authentication.
Step 2: Define AAA server IP address and encryption key.
Step 3: Enable IKE Xauth for the tunnel group.

47 Step 1: Enable AAA Login Authentication
firewall(config)# aaa-server server-tag protocol server-protocol
fw1(config)# aaa-server mytacacs protocol tacacs+
fw1(config-aaa-server-group)#
(Diagram: remote client 192.168.1.5, Internet, outside interface 172.26.26.1, TACACS+ server 10.0.0.15 on the inside. Slides 48 and 49 show the same diagram.)

48 Step 2: Define AAA Server IP Address and Encryption Key
firewall(config)# aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
fw1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
fw1(config-aaa-server-host)#

49 Step 3: Enable IKE Xauth for Tunnel Group
firewall(config-general)# authentication-server-group [(interface name)] server_group [LOCAL | NONE]
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# authentication-server-group mytacacs

50 Task 9: Configure NAT and NAT 0
Traffic that matches the ACL: encrypted data and no translation (NAT 0).
Traffic that does not match the ACL: clear text and translation (PAT).
fw1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
fw1(config)# nat (inside) 0 access-list 101
fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
fw1(config)# global (outside) 1 interface
(Diagram: inside network 10.0.0.0 with TACACS+ server 10.0.0.15, client pool 10.0.11.0, remote client 192.168.1.5 across the Internet; traffic to the pool is encrypted with no translation, all other traffic is clear text with translation.)

51 Task 10: Enable IKE DPD
1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.
firewall(config-ipsec)# isakmp keepalive [threshold seconds] [retry seconds] [disable]
Configures the IKE DPD parameters.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10
(Diagram: same topology as slide 50.)

52 Easy VPN Server Configuration Summary
PIX Version 7.0(1)
hostname fw1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside

53 Easy VPN Server Configuration Summary (Cont.)
!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure group policy parameters.
group-policy training internal
group-policy training attributes
wins-server value 10.0.0.15
dns-server value 10.0.0.15
vpn-idle-timeout 600
default-domain value cisco.com
!--- Configure tunnel group policy parameters.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
address-pool ippool
authentication-server-group MYTACACS
default-group-policy training
tunnel-group training ipsec-attributes
pre-shared-key training
isakmp keepalive threshold 30 retry 10

54 Easy VPN Server Configuration Summary (Cont.)
!--- Configure AAA-Server parameters.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host 10.0.0.15 timeout 5 key secretkey
!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
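As an added defender's check (not Cisco course material), the following Python script lints a configuration shaped like the summary above against the lesson's task list: Xauth pointed at an AAA server group (Task 8), IKE DPD not disabled (Task 10), DES or MD5 in the ISAKMP policy or transform set (Tasks 1 and 4), and whether the nat 0 ACL covers the whole client pool (Task 9). SAMPLE_CONFIG is a constructed sample, sub-mode lines are assumed to be indented by one space as in show running-config output, and the finding texts and the WEAK set are this example's own choices.

```python
"""Lint a PIX 7.0-style Easy VPN Server config against the lesson's task list.
Added example, not Cisco course material: SAMPLE_CONFIG is a constructed sample
modelled on the configuration summary; sub-mode lines are indented as in 'show run'."""
import ipaddress
import re

SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 10.0.11.1-10.0.11.254
group-policy training internal
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
 default-group-policy training
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10
aaa-server MYTACACS protocol tacacs+
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
"""
WEAK = {"des", "md5"}  # algorithm tokens flagged as weak (this example's choice)


def parse(config):
    """Return top-level commands plus sub-mode lines keyed by parent command."""
    top, blocks, parent = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and parent is not None:
            blocks.setdefault(parent, []).append(raw.strip())
        elif raw.strip():
            parent = raw.strip()
            top.append(parent)
    return top, blocks


def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse(config)
    findings = []
    # Tasks 8/10: each ipsec-ra tunnel group must use Xauth and keep DPD on.
    for tg in re.findall(r"^tunnel-group (\S+) type ipsec-ra$", config, re.M):
        general = blocks.get(f"tunnel-group {tg} general-attributes", [])
        ipsec = blocks.get(f"tunnel-group {tg} ipsec-attributes", [])
        if not any(x.startswith("authentication-server-group") for x in general):
            findings.append(f"{tg}: Xauth not enforced")
        dpd = [x for x in ipsec if x.startswith("isakmp keepalive")]
        if not dpd or "disable" in dpd[0]:
            findings.append(f"{tg}: IKE DPD not enabled")
    # Tasks 1/4: flag DES or MD5 in ISAKMP policies and transform sets.
    for line in top:
        m = re.match(r"isakmp policy (\d+) (?:encryption|hash) (\S+)", line)
        if m and m.group(2) in WEAK:
            findings.append(f"isakmp policy {m.group(1)}: weak {m.group(2)}")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        for t in (m.group(2).split() if m else []):
            if WEAK & set(t.split("-")):
                findings.append(f"transform-set {m.group(1)}: weak {t}")
    # Task 9: the nat 0 ACL must cover the whole pool, or pool traffic is PAT'd.
    covered = []
    for acl in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M):
        for dst, mask in re.findall(
                rf"^access-list {acl} permit ip \S+ \S+ (\S+) (\S+)", config, re.M):
            covered.append(ipaddress.ip_network(f"{dst}/{mask}", strict=False))
    for first, last in re.findall(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in net and hi in net for net in covered):
            findings.append(f"pool {first}-{last}: not covered by nat 0 ACL")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample it reports only the MD5 hash and MD5 HMAC choices; removing the authentication-server-group line, disabling the keepalive, or pointing ACL 101 at a network other than the pool each produces the corresponding finding.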

55 Configure Security Appliance Hub-and-Spoke VPNs

56 Benefits of Hub-and-Spoke VPNs
  – Provides support for small sites with a small LAN and low-end PIXs, because only one IPSec tunnel is needed at the spoke routers.
  – Scales the network by scaling at a specific hub point.
  – Only the hub needs to have a static, global IP address. All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
  – Adding sites and security appliances is very easy, as no changes to the existing spoke or hub security appliances are required.
(Diagram: hub at the central site, connected over the Internet to spokes: telecommuter, server, remote site, mobile.)

57 Limitations of Hub-and-Spoke VPNs
  – IPSec performance is aggregated at the hub.
  – All spoke-to-spoke packets are decrypted and re-encrypted at the hub.
  – When using hub-and-spoke with dynamic crypto maps, the IPSec encryption tunnel must be initiated by the spoke routers.
(Diagram: same hub-and-spoke topology as slide 56.)

58 Configure Hub-and-Spoke VPN
VPN spokes can be terminated on a single interface. Traffic from the same security level can also be permitted.
firewall(config)# same-security-traffic permit [inter-interface | intra-interface]
Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface.
fw1(config)# same-security-traffic permit intra-interface
(Diagram: hub with spokes telecommuter, server, remote site and mobile; network labels 10.0.0.0, 30.0.0.0, 40.0.0.0 and 50.0.0.0.)

59 Cisco VPN Client Manual Configuration Tasks

60 Cisco VPN Client Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client:
Task 1: Install Cisco VPN Client.
Task 2: Create a new connection entry.
Task 3: (Optional) Configure Cisco VPN Client transport properties.
Task 4: (Optional) Configure Cisco VPN Client backup servers properties.
Task 5: (Optional) Configure Dialup properties.

61 Task 1: Install Cisco VPN Client

62 Task 2: Create New Connection Entry

63 Task 3: (Optional) Configure Cisco VPN Client Transport Properties

64 Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

65 Task 5: (Optional) Configure Dialup Properties

66 Working with the Cisco VPN Client

67 Cisco VPN Client Program Menu

68 Virtual Adapter

69 Setting MTU Size

70 Cisco VPN Client Statistics Menu

71 Summary
Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
The Easy VPN Server adds several new commands to Cisco PIX Firewall Security Appliance Software v6.3 and later versions.
The Cisco VPN Client enables software-based VPN remote access.

