Access VPN
• Cable modems, DSL routers, and other forms of broadband access provide
high-performance connections to the Internet, but many applications also
require the security of VPN connections that perform a high level of
authentication and that encrypt the data between two particular endpoints.
• However, establishing a VPN connection between two routers can be
complicated and typically requires tedious coordination between network
administrators to configure the VPN parameters of the two routers.
• The Cisco Easy VPN Remote feature eliminates much of this tedious work by
implementing the Cisco Unity Client Protocol, which allows most VPN parameters
to be defined at a Cisco Easy VPN Server. This server can be a dedicated VPN
device, such as a Cisco VPN 3000 Concentrator, a PIX Security Appliance, or
an IOS router that supports the Cisco Unity Client Protocol.
Học viện mạng Cisco Bách Khoa - Website: www.ciscobachkhoa.com
• The Easy VPN Server enables Cisco IOS routers, PIX Security
Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN
headend devices in site-to-site or remote-access VPNs, where the
remote office devices are using the Easy VPN Remote feature.
• Using this feature, security policies defined at the headend are pushed
to the remote VPN device, ensuring that those connections have up-to-
date policies in place before the connection is established.
• The Easy VPN Remote feature enables Cisco IOS routers, PIX Security Appliances, and
Cisco VPN 3002 Hardware Clients or Software Clients to act as remote VPN Clients.
These devices can receive security policies from an Easy VPN Server, minimizing VPN
configuration requirements at the remote location.
• In the example in the figure, the VPN gateway is a Cisco IOS router running the Easy VPN
Server feature. Remote Cisco IOS routers and VPN Software Clients connect to the
Cisco IOS router Easy VPN Server for access to the corporate intranet.
• The Cisco VPN Client for Windows, referred to in this lesson as VPN
Client, is software that runs on a Microsoft Windows-based PC.
• The VPN Client on a remote PC, communicating with a Cisco Easy
VPN server on an enterprise network or with a service provider,
creates a secure connection over the Internet.
• Task 1 (continued) – install the Cisco VPN Client 4.x on the remote PC
• If a VPN Client has been previously installed, an error message displays when
vpnclient_en.exe or vpnclient_en.msi is executed. The previously installed VPN
Client must be uninstalled before proceeding with the new installation.
• To remove a VPN Client installed with the MSI installer, use the Windows
Add/Remove Programs control panel. To remove a VPN Client installed with
InstallShield, select Start > Programs > Cisco Systems VPN Client >
Uninstall Client.
• Task 2 (continued) – configure and assign the Cisco Easy VPN Client
profile
– Step 1
Use the crypto ipsec client ezvpn name command to create a profile.
This places the administrator in Cisco Easy VPN Remote configuration
mode.
– Step 2
Use the group group-name key group-key command to specify the IPSec
group and IPSec key values to be associated with this profile. The values
of group-name and group-key must match the values assigned in the Easy
VPN Server.
– Step 3
Use the peer command to specify the IP address or hostname for the
destination peer. This is typically the IP address of the outside interface of
the Easy VPN Server. If a hostname is used, a DNS server must be
configured and available in order for this to work.
– Step 4
Use the mode command to specify the type of VPN connection that should
be made. The options are client mode or network extension mode.
– Step 5
Enter the exit command to leave Easy VPN Remote configuration mode.
• Task 2 (continued) – configure and assign the Cisco Easy VPN Client
profile
– An example of an Easy VPN Client profile configuration is shown in the figure.
– Use the crypto ipsec client ezvpn name command in interface
configuration mode to assign the Easy VPN Client profile to a router
interface.
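The five steps above, carried through as an added configuration example for a Cisco IOS branch router (this is not the lesson's figure or Cisco's own sample). Assumed values: profile name BRANCH-EZVPN, group SALES, a placeholder group key, the server's outside address 203.0.113.1, and the inside/outside keywords on the interface command.

```cisco
! Added example, not from the original lesson.
! Assumptions: profile BRANCH-EZVPN, group SALES, server 203.0.113.1
! (documentation address), <group-key> stands for the real pre-shared key.
!
! Step 1: create the profile; this enters Easy VPN Remote configuration mode
crypto ipsec client ezvpn BRANCH-EZVPN
 ! Step 2: group name and group key; both must match the client
 ! configuration group defined on the Easy VPN Server
 group SALES key <group-key>
 ! Step 3: outside address of the Easy VPN Server (a hostname here would
 ! require a reachable DNS server configured on this router)
 peer 203.0.113.1
 ! Step 4: client mode hides branch hosts behind a PAT address; use
 ! "mode network-extension" when the central site must reach the
 ! branch LAN addresses unchanged
 mode client
 ! Step 5: leave Easy VPN Remote configuration mode
 exit
!
! Assign the profile to the WAN interface. The "outside" keyword (assumed
! here) marks the interface facing the server; the default is outside.
interface FastEthernet0/0
 description Broadband uplink to the Internet
 ip address dhcp
 crypto ipsec client ezvpn BRANCH-EZVPN outside
!
! Optional: mark the LAN interface so its traffic is carried in the tunnel
interface FastEthernet0/1
 description Branch LAN
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn BRANCH-EZVPN inside
```

After the tunnel comes up, show crypto ipsec client ezvpn reports the mode and the policy pushed by the server, which is the quickest way to confirm the group and peer values were accepted.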
• Specify which transform sets are allowed for the crypto map entry using the
crypto ipsec transform-set command. When using this command, be sure
to list multiple transform sets in order of priority, with the highest priority first.
Note that this is the only configuration statement required in dynamic crypto
map entries.
• Dead peer detection (DPD) allows two IPSec peers to determine whether the other is
still alive during the lifetime of a VPN connection. DPD is useful because a host
may reboot or the dialup link of a remote user may disconnect without notifying
the peer that the VPN connection has gone away. When the IPSec host
determines that a VPN connection no longer exists, it can notify the user,
attempt to switch to another IPSec host, or clean up valuable resources that
were allocated for the peer that no longer exists.
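The transform-set ordering and DPD points above, as an added example of the Easy VPN Server side on a Cisco IOS router (not the lesson's own configuration). Assumed names: transform sets STRONG and LEGACY, dynamic map EZVPN-DYN, crypto map EZVPN-MAP, and the keepalive interval and retry values.

```cisco
! Added example, not from the original lesson. Names and timer values
! are assumptions chosen for illustration.
!
! Two transform sets. The dynamic map lists STRONG first so it is offered
! with the highest priority; LEGACY is kept only for older clients.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
!
! Dead peer detection: send an ISAKMP keepalive every 10 seconds and
! retry every 3 seconds when no reply arrives, so a rebooted or
! disconnected remote is torn down instead of holding an orphaned SA.
crypto isakmp keepalive 10 3
!
! The transform-set list is the only statement a dynamic crypto map
! entry requires; highest priority first.
crypto dynamic-map EZVPN-DYN 10
 set transform-set STRONG LEGACY
 ! Inject a route to each connected remote so return traffic follows the tunnel
 reverse-route
!
! Let the server answer address requests from Easy VPN clients and bind
! the dynamic map into the static crypto map applied to the outside interface
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0/0
 description Outside interface facing the remote sites
 crypto map EZVPN-MAP
```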
• When using PIX Security Appliance Software Version 6.2 and higher, a
PIX 501 or PIX 506/506E can be used as an Easy VPN Remote device
when connecting to an Easy VPN Server, such as a Cisco VPN 3000
Concentrator, Cisco IOS router, or another PIX. Easy VPN Remote
device functionality, sometimes called a hardware client, allows the PIX
to establish a VPN tunnel to the Easy VPN Server. Hosts running on
the LAN behind the PIX can connect through the Easy VPN Remote
without individually running any VPN client software.
• Each Easy VPN Remote device is assigned to a group. The
administrator uses the vpngroup command to associate security policy
attributes with a VPN group name. As Easy VPN Remote devices
establish a VPN tunnel to the Easy VPN Server, the attributes
associated with their group are pushed to the Easy VPN Remote
device.
• The Easy VPN Server controls the policy enforced on the PIX Security
Appliance Easy VPN Remote device. However, to establish the initial
connection to the Easy VPN Server, some configuration must be
completed locally. This configuration can be done by using Cisco PIX
Device Manager (PDM) or by using the command line interface as
described in the following points.
• Set the Easy VPN Remote device to one of two modes, client mode or
network extension mode. In client mode, the remote PIX Security
Appliance applies PAT to all client IP addresses connected to the
inside interface. In the example in the figure, when PC 10.1.1.2
attempts to connect to the server at the central site, the remote PIX
translates the original PC IP address and port number to the IP
address and a port number of the outside interface (port address
translation). Because of this translation, the IP address of PC1 is not visible
from the central site.
• The other option is network extension mode (NEM). With NEM, the IP
addresses of the inside PCs arrive unchanged at the central
site. In this instance, the IP address of the PC is visible from the central
site. In the example in the figure, the remote inside PC makes a
connection to a server on the central site. The original PC IP address,
10.1.1.2, is not translated by the remote PIX Security Appliance.
• Set the Easy VPN Remote device mode by entering the following command:
vpnclient mode {client-mode | network-extension-mode}
• Client mode applies NAT to all IP addresses of clients connected to the inside (higher
security) interface of the PIX Security Appliance.
• Network extension mode does not apply NAT to any IP addresses of clients
on the inside (higher security) interface of the PIX Security Appliance.
• Port Forwarding
The administrator can configure certain client/server applications for
use by the end user. Starting Application Access, or Port Forwarding,
opens a secure connection between the end user computer and the
remote server. When the window is open or minimized, the connection
is active. If the end user quits the window, the connection closes.
• Use the functions command in webvpn mode to enable file access and file browsing,
MAPI Proxy, and URL entry over WebVPN for this user or group policy. To remove a
configured function, use the no form of this command. To remove all configured
functions, including a null value created by issuing the functions none command, use
the no form of this command without arguments. The no option allows inheritance of a
value from another group policy. To prevent inheriting function values, use the functions
none command. Functions are disabled by default.
• Use the port-forward command in global configuration mode to configure the set of
applications that WebVPN users can access over forwarded TCP ports. To configure
access to multiple applications, use this command with the same listname multiple times,
once for each application. To remove an entire configured list, use the no port-forward
listname command. To remove a configured application, use the no port-forward
listname localport command. The remoteserver and remoteport parameters do not need
to be included in the command.
• Use the server command in the applicable e-mail proxy mode to specify a
default e-mail proxy server. The Adaptive Security Appliance sends requests
to the default e-mail server when the user connects to the e-mail proxy without
specifying a server. If a default server is not configured, and a user does not
specify a server, the security appliance returns an error.
• Use the filter command in webvpn mode to specify the name of the access list
to use for WebVPN connections for this group policy or username. To remove
the access list, including a null value created by issuing the filter none
command, use the no form of this command. The no option allows inheritance
of a value from another group policy. To prevent inheriting filter values, use the
filter value none command.
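The functions, port-forward, server and filter commands from the four WebVPN points above, combined in one added example of a least-privilege group policy on an ASA (not the lesson's own configuration). Assumed names and values: list HELPDESK-RDP, internal host 10.10.20.5, mail server 10.10.20.6, group policy WEBVPN-CONTRACTORS, and a webtype access list WEBVPN-ACL.

```cisco
! Added example, not from the original lesson. All names and addresses
! are assumptions chosen for illustration.
!
! Global port-forward list: one line per application. The local port is
! what the user's PC listens on; the remote server and port are where
! the ASA delivers the forwarded TCP connection.
port-forward HELPDESK-RDP 3389 10.10.20.5 3389 HelpdeskRDP
!
! Default POP3 proxy server, used when the user does not name one;
! without it a user who omits the server gets an error.
pop3s
 server 10.10.20.6
!
! Webtype access list applied to WebVPN sessions of this group: allow
! only the forwarded RDP host; everything else is denied implicitly.
access-list WEBVPN-ACL webtype permit tcp host 10.10.20.5 eq 3389
!
group-policy WEBVPN-CONTRACTORS internal
group-policy WEBVPN-CONTRACTORS attributes
 webvpn
  ! Enable only port forwarding. File access, file browsing, MAPI proxy
  ! and URL entry stay disabled (the default) and are not inherited.
  functions port-forward
  port-forward enable HELPDESK-RDP
  ! Bind the access list; "filter value none" would instead set an
  ! explicit null value that blocks inheritance from another policy.
  filter value WEBVPN-ACL
```

Removing the filter with the bare no form re-enables inheritance from the default group policy, so check the effective policy afterwards rather than assuming the session is unfiltered.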