
Configuring Security Appliance Remote Access Using Cisco Easy VPN

Lesson 12

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—12-1


Outline

• Introduction to Easy VPN
• How the Cisco Easy VPN Connection Process Works
• Overview of Cisco VPN Client
• Configuring Cisco VPN Client as Easy VPN Remote
• Working with the Cisco VPN Client
• Configuring Users and Groups
• Configuring the Easy VPN Server for Extended Authentication
• Summary


Introduction to Cisco Easy VPN


Cisco Easy VPN

Cisco Easy VPN Remote:
• Cisco VPN Client 3.x or later
• Cisco 800 and 900 Series Routers
• Cisco 1700 and 1800 Series Routers
• Cisco PIX Firewall 501 and 506
• Cisco ASA 5505 Security Appliance

Cisco Easy VPN Servers:
• Cisco IOS Release 12.2(8)T or later Routers
• Cisco 2800 and 3800 Series Routers
• Cisco PIX Firewall Software Version 6.2 or later
• Cisco ASA 5500 Series
Features of Cisco Easy VPN Server

• Server support for Cisco Easy VPN Remote clients was introduced with the release of the Cisco PIX Firewall Software version 6.2 and Cisco IOS 12.2(8)T.
• It allows remote end users to communicate using IPsec with supported adaptive security appliance VPN gateways.
• Centrally managed IPsec policies are pushed to the clients by the server, minimizing configuration by the end users.


Supported Cisco Easy VPN Servers

• Cisco IOS Release 12.2(8)T or later Routers
• Cisco 2800 and 3800 Series Routers
• Cisco PIX Firewall Software Version 6.2 or later
• Cisco ASA 5500 Series
Supported Cisco Easy VPN Remote Clients

• Cisco VPN Client 3.x or later
• Cisco 800 and 900 Series Routers
• Cisco 1700 and 1800 Series Routers
• Cisco PIX 501 and 506 Security Appliances
• Cisco ASA 5505 Adaptive Security Appliance
Cisco Easy VPN Remote Modes of Operation

Cisco Easy VPN Remote supports two modes of operation:
• Client mode
– Specifies that NAT or PAT be used.
– Enables the client to automatically configure NAT or PAT translations and the ACLs that are needed to implement the VPN tunnel.
– Supports split tunneling.
• Network Extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
– NAT or PAT is not used.
– Supports split tunneling.
Cisco Easy VPN Remote Client Mode

[Figure: an ASA 5505 Adaptive Security Appliance (Cisco Easy VPN Remote, inside address 192.168.1.1) with hosts 192.168.1.2 and 192.168.1.3 behind it applies PAT and builds a VPN tunnel to an ASA 5520 Adaptive Security Appliance (Cisco Easy VPN Server, 10.0.1.2) in front of the 10.0.0.0/24 network.]


Cisco Easy VPN Remote Network Extension Mode

[Figure: a Cisco 1811 Router (Cisco Easy VPN Remote, 172.16.10.1, with hosts 172.16.10.5 and 172.16.10.6) and an ASA 5505 (Cisco Easy VPN Remote, 172.16.20.1, with hosts 172.16.20.5 and 172.16.20.6) each build a VPN tunnel to an ASA 5520 (Cisco Easy VPN Server, 10.0.1.2 and 10.0.2.2) in front of the 172.16.30.0/24 network; the remote hosts keep their routable addresses.]


How the Cisco Easy VPN Connection Process Works


Cisco Easy VPN Remote Connection Process

Step 1: The Cisco VPN Client initiates the IKE Phase 1 process.
Step 2: The Cisco VPN Client negotiates an IKE SA.
Step 3: The Cisco Easy VPN Server accepts the SA proposal.
Step 4: The Cisco Easy VPN Server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.


Step 1: Cisco VPN Client Initiates IKE Phase 1 Process

[Figure: Remote PC with Cisco Easy VPN Remote Client, Security Appliance Cisco Easy VPN Server]

• Using PSKs? Initiate aggressive mode.
• Using digital certificates? Initiate main mode.


Step 2: Cisco VPN Client Negotiates an IKE SA

[Figure: the Remote PC with Cisco Easy VPN Remote Client sends Proposal 1, Proposal 2, Proposal 3 to the Security Appliance Cisco Easy VPN Server]

• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Cisco Easy VPN Server.
• To reduce manual configuration on the Cisco VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
Step 3: Cisco Easy VPN Server Accepts SA Proposal

[Figure: Remote PC with Cisco Easy VPN Remote Client, Security Appliance Cisco Easy VPN Server; proposal checking on the server finds a match for Proposal 1]

• The Cisco Easy VPN Server searches for a match:
– The first proposal to match the server list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Cisco Easy VPN Server proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.


Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge

[Figure: the Security Appliance Cisco Easy VPN Server sends a username/password challenge to the Remote PC with Cisco Easy VPN Remote Client and checks the answer against AAA]

• If the Cisco Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
• All Cisco Easy VPN Servers should be configured to enforce user authentication.


Step 5: Mode Configuration Process Is Initiated

[Figure: the Remote PC with Cisco Easy VPN Remote Client requests parameters; the Security Appliance Cisco Easy VPN Server returns the system parameters via mode configuration]

• If the Cisco Easy VPN Server indicates successful authentication, the Cisco VPN Client requests the remaining configuration parameters from the Cisco Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the Cisco VPN Client.
• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
Step 6: IKE Quick Mode Completes Connection

[Figure: quick mode IPsec SA establishment between the Remote PC with Cisco Easy VPN Remote Client and the Security Appliance Cisco Easy VPN Server, followed by the VPN tunnel]

• After the configuration parameters have been successfully received by the Cisco VPN Client, IKE quick mode is initiated to negotiate IPsec SA establishment.
• After IPsec SA establishment, the VPN connection is complete.
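The proposal-matching rule from Steps 2 and 3 (the client offers several IKE proposals, the server walks its own policy list in priority order and accepts the first policy that a client proposal matches), modelled in Python as an added example that is not part of the Cisco lesson. The IkeProposal and ServerPolicy classes and the select_policy and negotiate functions are illustrative names; the match is taken over the four attributes the lesson lists (authentication method, encryption, hash, DH group), so the SA lifetime that a real IKE negotiation also agrees on is deliberately left out.

```python
"""IKE Phase 1 proposal selection as described in Steps 2 and 3 of the
Cisco Easy VPN connection process. Added illustration, not Cisco code:
the server compares authentication, encryption, hash and DH group, walks
its policy list in priority order and accepts the first policy that any
of the client's proposals matches."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkeProposal:
    authentication: str   # "pre-share" or "rsa-sig"
    encryption: str       # "des", "3des", "aes", ...
    hash_alg: str         # "sha" or "md5"
    dh_group: int         # Diffie-Hellman group number


@dataclass(frozen=True)
class ServerPolicy:
    priority: int         # as in "isakmp policy 20": lower number = higher priority
    proposal: IkeProposal


def select_policy(server_policies: Iterable[ServerPolicy],
                  client_proposals: Iterable[IkeProposal]) -> Optional[ServerPolicy]:
    """Return the highest-priority server policy that one of the client's
    proposals matches on all four attributes, or None when nothing matches
    (the IKE SA then cannot be established)."""
    offered = set(client_proposals)
    for policy in sorted(server_policies, key=lambda p: p.priority):
        if policy.proposal in offered:
            return policy
    return None


# Constructed server list. Policy 10 is the stronger one and sits at the top
# of the list, where the lesson says the most secure proposals belong; policy
# 20 is the one configured in the Task 1 example (pre-share, DES, SHA, group 2).
SERVER_POLICIES = [
    ServerPolicy(10, IkeProposal("pre-share", "aes", "sha", 2)),
    ServerPolicy(20, IkeProposal("pre-share", "des", "sha", 2)),
]

# Constructed client offer: several combinations, the way the VPN Client sends
# them so that little has to be configured on the client side.
CLIENT_PROPOSALS = [
    IkeProposal("pre-share", "aes", "sha", 2),
    IkeProposal("pre-share", "3des", "sha", 2),
    IkeProposal("pre-share", "des", "sha", 2),
    IkeProposal("pre-share", "des", "md5", 1),
]


def negotiate(client_proposals=CLIENT_PROPOSALS, server_policies=SERVER_POLICIES):
    """Priority number of the accepted server policy, or None on failure."""
    match = select_policy(server_policies, client_proposals)
    return None if match is None else match.priority


if __name__ == "__main__":
    print("full client offer:", negotiate())
    print("DES-only client:", negotiate([IkeProposal("pre-share", "des", "sha", 2)]))
    print("certificate-only client:", negotiate([IkeProposal("rsa-sig", "aes", "sha", 2)]))
```

Server ordering decides the outcome: with the full client offer the AES policy 10 is accepted even though the client also offered DES, a client that offers only DES falls through to policy 20, and a client that authenticates only with certificates gets no match against this PSK-only server, so Phase 1 fails before any user authentication takes place.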


Overview of Cisco VPN Client

Cisco VPN Software Client for Windows


Cisco VPN Client Features and Benefits

Cisco VPN Client provides the following features and benefits:
• API in Cisco VPN Client v4.6
• System coexistence with Microsoft L2TP/IPsec client
• MSI available for Windows NT, 2000, and XP
• Intelligent peer availability detection or dead peer detection (DPD)
• SCEP
• LZS data compression
• Command-line options for connecting, disconnecting, and connection status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• DNS including DDNS and DHCP, Split DNS, Microsoft WINS, and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies (including backup server list)
• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
• Personal firewall enforcement: Cisco Security Agent, Symantec Sygate, Check Point Zone Alarm (Windows only)
• Integration with iPass remote access client software (Windows only)
• Client connection auto initiation for wireless LAN environments


Cisco VPN Client Specifications

• Supported tunneling protocols
• Supported encryption and authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management


Configuring Cisco VPN Client as Easy VPN Remote


Cisco VPN Client as Cisco Easy VPN Remote

The following general tasks are used to configure Cisco VPN Client as Cisco Easy VPN Remote:
Task 1: Install Cisco VPN Client.
Task 2: Create a new connection entry.
Task 3: (Optional) Configure Cisco VPN Client transport properties.
Task 4: (Optional) Configure Cisco VPN Client backup servers properties.
Task 5: (Optional) Configure dialup properties.


Task 1: Install Cisco VPN Client

Task 2: Create New Connection Entry

Task 3: (Optional) Configure Cisco VPN Client Transport Properties

Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

Task 5: (Optional) Configure Dialup Properties


Working with the Cisco VPN Client

Cisco VPN Client Program Menu

Virtual Adapter

Setting MTU Size

Cisco VPN Client Statistics Menu


Configuring Users and Groups


Group Policy

[Figure: the security appliance pushes a group policy to each client across the Internet; the Engineering, Marketing and Training groups each receive their own policy, with the Engineering policy shown for 10.0.0.0/24 and the Marketing policy for 10.0.1.0/24.]
Groups and Users

Groups are the base group and its departments; users are the individuals in them:
• Base Group: Corporate
• Department MIS (/Base/Sales): UNIX Systems Administrator
• Department Customer Service (/Base/Service): Customer Support Engineer
• Department Finance (/Base/Finance): Comptroller


group-policy Command

• To create or edit a group policy, use the group-policy command in global configuration mode.
• A default group policy, named DfltGrpPolicy, always exists on the security appliance.

ciscoasa(config)#
group-policy name {internal [from group-policy_name] | external server-group server_group password server_password}

asa1(config)# group-policy TRAINING internal


group-policy attributes Command

• Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.

ciscoasa(config)#
group-policy name attributes

asa1(config)# group-policy training attributes
asa1(config-group-policy)#


Users and User Attributes

• To add a user to the security appliance database, enter the username command in global configuration mode.

ciscoasa(config)#
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
ciscoasa(config)#
username name attributes

asa1(config)# username user1 password 12345678
asa1(config)# username user1 attributes
asa1(config-username)#
Configuring the Easy VPN Server for Extended Authentication


Cisco Easy VPN Server General Configuration Tasks

The following general tasks are used to configure a Cisco Easy VPN Server on a security appliance:
Task 1: Create ISAKMP policy for remote Cisco VPN Client access.
Task 2: Create IP address pool.
Task 3: Define group policy for mode configuration push.
Task 4: Create transform set.
Task 5: Create dynamic crypto map.
Task 6: Assign dynamic crypto map to static crypto map.
Task 7: Apply crypto map to security appliance interface.
Task 8: Configure Xauth.
Task 9: Configure NAT and NAT 0.
Task 10: Enable IKE DPD.


Task 1: Create ISAKMP Policy for Remote VPN Client Access

[Figure: the Remote Client at 192.168.1.5 reaches the security appliance across the Internet; outside interface 172.26.26.1, inside interface toward the Server at 10.0.0.15. ISAKMP policy: pre-share, DES, SHA, group 2.]

asa1(config)# isakmp enable outside
asa1(config)# isakmp policy 20
asa1(config-isakmp-policy)# authentication pre-share
asa1(config-isakmp-policy)# encryption des
asa1(config-isakmp-policy)# hash sha
asa1(config-isakmp-policy)# group 2
Task 2: Create IP Address Pool

[Figure: same topology as Task 1; pool MYPOOL covers 10.0.11.1-10.0.11.254.]

ciscoasa(config)#
ip local pool poolname first-address-last-address [mask mask]
• Creates an optional local address pool if the remote client is using the remote server as an external DHCP server

asa1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
Task 3: Define Group Policy for Mode Configuration Push

Task 3 contains the following steps:
Step 1: Set the tunnel group type.
Step 2: Configure the IKE PSK.
Step 3: Specify the local IP address pool.
Step 4: Configure the group policy type.
Step 5: Enter the group-policy attributes submode.
Step 6: Specify the DNS servers.
Step 7: Specify the WINS servers.
Step 8: Specify the DNS domain.
Step 9: Specify idle timeout.


Step 1: Set the Tunnel Group Type

[Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.]

ciscoasa(config)#
tunnel-group name type type
• Names the tunnel group
• Defines the type of VPN connection that is to be established

asa1(config)# tunnel-group TRAINING type ipsec-ra


Step 2: Configure IKE Pre-Shared Key

ciscoasa(config)#
tunnel-group name [general-attributes | ipsec-attributes]
• Enters tunnel-group ipsec-attributes submode to configure the key

ciscoasa(config-tunnel-ipsec)#
pre-shared-key key
• Associates a PSK with the connection policy

asa1(config)# tunnel-group TRAINING ipsec-attributes
asa1(config-tunnel-ipsec)# pre-shared-key cisco123
Step 3: Specify Local IP Address Pool

ciscoasa(config)#
tunnel-group name [general-attributes | ipsec-attributes]
• Enters tunnel-group general-attributes submode to configure the address pool

ciscoasa(config-tunnel-general)#
address-pool [(interface name)] address_pool1 [...address_pool6]
• Associates an address pool with the connection policy

asa1(config)# tunnel-group TRAINING general-attributes
asa1(config-tunnel-general)# address-pool MYPOOL
Step 4: Configure the Group Policy Type

ciscoasa(config)#
group-policy name internal [from group-policy_name]

asa1(config)# group-policy TRAINING internal


Step 5: Enter the Group-Policy Attributes Subcommand Mode

ciscoasa(config)#
group-policy name attributes

asa1(config)# group-policy TRAINING attributes
asa1(config-group-policy)#
Step 6: Specify DNS Servers

ciscoasa(config-group-policy)#
dns-server {value ip_address [ip_address] | none}

asa1(config-group-policy)# dns-server value 10.0.0.15


Step 7: Specify WINS Servers

ciscoasa(config-group-policy)#
wins-server {value ip_address [ip_address] | none}

asa1(config-group-policy)# wins-server value 10.0.0.15


Step 8: Specify DNS Domain

ciscoasa(config-group-policy)#
default-domain {value domain-name | none}

asa1(config-group-policy)# default-domain value cisco.com


Step 9: Specify Idle Timeout

ciscoasa(config-group-policy)#
vpn-idle-timeout {minutes | none}

asa1(config-group-policy)# vpn-idle-timeout 600


Task 4: Create Transform Set

[Figure: same topology as Task 1; transform set: DES, SHA-HMAC.]

ciscoasa(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2]

asa1(config)# crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac


Task 5: Create Dynamic Crypto Map

ciscoasa(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]

asa1(config)# crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1


Task 6: Assign Dynamic Crypto Map to Static Crypto Map

ciscoasa(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

asa1(config)# crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP


Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface

ciscoasa(config)#
crypto map map-name interface interface-name

asa1(config)# crypto map RMT-USER-MAP interface outside


Task 8: Configure XAUTH

Task 8 contains the following steps:
Step 1: Enable AAA login authentication.
Step 2: Define AAA server IP address and encryption key.
Step 3: Enable IKE XAUTH for the tunnel group.


Step 1: Enable AAA Login Authentication

ciscoasa(config)#
aaa-server server-tag protocol server-protocol

asa1(config)# aaa-server MYTACACS protocol tacacs+
asa1(config-aaa-server-group)#


Step 2: Define AAA Server IP Address and Encryption Key

ciscoasa(config)#
aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]

asa1(config)# aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
asa1(config-aaa-server-host)#


Step 3: Enable IKE Xauth for Tunnel Group

[Figure: same topology as Task 1; XAUTH takes place between the Remote Client and the security appliance.]

ciscoasa(config-tunnel-general)#
authentication-server-group [(interface_name)] server_group [LOCAL | NONE]

asa1(config)# tunnel-group TRAINING general-attributes
asa1(config-tunnel-general)# authentication-server-group MYTACACS


Task 9: Configure NAT and NAT 0

[Figure: same topology as Task 1 with the 10.0.0.0 network behind the inside interface; traffic that is encrypted is sent with no translation, traffic sent in clear text is translated.]

asa1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
asa1(config)# nat (inside) 0 access-list 101
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
asa1(config)# global (outside) 1 interface

• Matches ACL: Encrypted data and no translation (NAT 0)
• Does not match ACL: Clear text and translation (PAT)


Task 10: Enable IKE DPD

[Figure: same topology as Task 1; the security appliance and the Remote Client exchange DPD messages:]
1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.

ciscoasa(config-tunnel-ipsec)#
isakmp keepalive [threshold seconds] [retry seconds] [disable]
• Configures the IKE DPD parameters

asa1(config)# tunnel-group TRAINING ipsec-attributes
asa1(config-tunnel-ipsec)# isakmp keepalive threshold 30 retry 10
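The ten server tasks above collected into one configuration and checked mechanically, as an added example that is neither Cisco's code nor part of the lesson. The CONFIG text is assembled from the command examples on these slides (the same names: TRAINING, MYPOOL, MYTACACS, REMOTEUSER1, RMT-DYNA-MAP, RMT-USER-MAP, access-list 101); parse, nat0_networks, nat0_exempt and audit are illustrative helper names, and the findings they report encode the lesson's own requirements (for instance that every Easy VPN Server should enforce user authentication, and that traffic to the pool must bypass translation), not ASA behaviour.

```python
"""Checklist audit of a Cisco Easy VPN Server configuration against Tasks 1-10.
Added example, not Cisco's code: CONFIG is a constructed fragment assembled from
the commands shown in the lesson; the checks encode what the lesson says each
task must provide and do not model ASA behaviour."""
import ipaddress
import re

CONFIG = """\
isakmp enable outside
isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
ip local pool MYPOOL 10.0.11.1-10.0.11.254
tunnel-group TRAINING type ipsec-ra
tunnel-group TRAINING ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive threshold 30 retry 10
tunnel-group TRAINING general-attributes
 address-pool MYPOOL
 authentication-server-group MYTACACS
group-policy TRAINING internal
group-policy TRAINING attributes
 dns-server value 10.0.0.15
 wins-server value 10.0.0.15
 default-domain value cisco.com
 vpn-idle-timeout 600
crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1
crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP
crypto map RMT-USER-MAP interface outside
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""


def parse(config):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() and raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def nat0_networks(config):
    """(source, destination) network pairs permitted by the nat 0 exemption ACL."""
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    hits = re.finditer(rf"^access-list {nat0[1]} permit ip (\S+) (\S+) (\S+) (\S+)$",
                       config, re.M) if nat0 else ()
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
             ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)) for m in hits]


def nat0_exempt(config, src, dst):
    """True when src->dst matches the ACL (sent encrypted, no translation);
    False means the flow is PAT-translated and leaves in clear text (Task 9)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in nat0_networks(config))


def audit(config):
    """Return the list of findings; an empty list means every task is covered."""
    s, f = parse(config), []
    if not any("authentication pre-share" in v for k, v in s.items() if k.startswith("isakmp policy ")):
        f.append("Task 1: no ISAKMP policy uses pre-shared authentication")
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))      # Task 2
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}
    for name in re.findall(r"^tunnel-group (\S+) type ipsec-ra$", config, re.M):  # Tasks 3, 8, 10
        ipsec = s.get(f"tunnel-group {name} ipsec-attributes", [])
        general = s.get(f"tunnel-group {name} general-attributes", [])

        def args(cmd):  # arguments of a general-attributes sub-command, minus "(interface)"
            return [t for l in general if l.startswith(cmd + " ")
                    for t in l.split()[1:] if not t.startswith("(")]
        if not any(l.startswith("pre-shared-key ") for l in ipsec):
            f.append(f"Task 3: tunnel-group {name} has no pre-shared-key")
        if not args("address-pool") or any(p not in pools for p in args("address-pool")):
            f.append(f"Task 3: tunnel-group {name} address-pool missing or undefined")
        auth = args("authentication-server-group")
        if not auth or auth[0].upper() == "NONE":
            f.append(f"Task 8: tunnel-group {name} does not enforce XAUTH user authentication")
        elif auth[0].upper() != "LOCAL" and not any(
                k.startswith(f"aaa-server {auth[0]} ") and " host " in k for k in s):
            f.append(f"Task 8: AAA server group {auth[0]} has no host defined")
        if not any(l.startswith("isakmp keepalive") and "disable" not in l for l in ipsec):
            f.append(f"Task 10: tunnel-group {name} has no IKE DPD keepalive")
    tsets = {k.split()[3] for k in s if k.startswith("crypto ipsec transform-set ")}  # Tasks 4-7
    dyn = {m[1]: m[2].split() for m in re.finditer(
        r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$", config, re.M)}
    applied = re.findall(r"^crypto map (\S+) interface outside$", config, re.M)
    if not applied:
        f.append("Task 7: no crypto map applied to the outside interface")
    for d in (r for c in applied for r in re.findall(
            rf"^crypto map {re.escape(c)} \d+ ipsec-isakmp dynamic (\S+)$", config, re.M)):
        if not all(t in tsets for t in dyn.get(d, ["<undefined>"])):
            f.append(f"Task 4-6: dynamic map {d} or its transform set is undefined")
    nets = [d for _, d in nat0_networks(config)]                                   # Task 9
    if not pools or not all(any(a in n and z in n for n in nets) for a, z in pools.values()):
        f.append("Task 9: NAT 0 ACL does not cover the VPN address pool")
    return f
```

Running audit over the constructed CONFIG returns no findings; removing the authentication-server-group line (or setting it to NONE) produces the Task 8 finding, which is the check the lesson's Step 4 asks for, and narrowing the nat 0 ACL so it no longer contains the pool produces the Task 9 finding, the case in which client traffic would leave the outside interface translated in clear text instead of through the tunnel.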


Summary

• Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
• The Cisco Easy VPN Server adds several new commands to Cisco PIX Security Appliance Software Version 6.3 and later versions.
• The Cisco VPN Client enables software-based VPN remote access.


Lab Visual Objective

[Lab figure: a Student PC running the VPN Client at 172.26.26.P connects through RBB (172.26.26.0 network, .150) to the Security Appliance between the 192.168.P.0 network (.1, .2) and the 10.0.P.0 network (.1, .10), where the Web and FTP servers sit.]

