Appliance Remote Access Using Cisco Easy VPN
Lesson 12
[Figure: Easy VPN topology. ASA 5505 Adaptive Security Appliances (Cisco Easy VPN Remote) at the branch sites connect over VPN tunnels to an ASA 5520 Adaptive Security Appliance (Cisco Easy VPN Server); PAT is applied to the 10.0.0.0/24 network.]
Step 1: The Cisco VPN Client initiates the IKE Phase 1 process.
Step 2: The Cisco VPN Client negotiates an IKE SA.
Step 3: The Cisco Easy VPN Server accepts the SA proposal.
Step 4: The Cisco Easy VPN Server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.
[Figure: Remote PC with Cisco Easy VPN Remote Client connecting to a security appliance acting as Cisco Easy VPN Server.]
If the Cisco Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
All Cisco Easy VPN Servers should be configured to enforce user authentication.
[Figure: Internet topology with Eng, Mktg (Marketing) and Training groups behind the security appliance; inside network 10.0.1.0/24.]
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—12-36
Groups and Users
Groups: Base Group (Corporate), then Departments (Finance, shown as /Base/Finance).
Users: Individuals (for example, the Comptroller in Finance).
ciscoasa(config)# username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
ciscoasa(config)# username {name} attributes
[Figure: local address pool MYPOOL, 10.0.11.1-10.0.11.254.]
ciscoasa(config)# ip local pool poolname first-address-last-address [mask mask]
Creates an optional local address pool if the remote client is using the remote server as an external DHCP server.
[Figure: VPN group attributes pushed to the client: Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool, Idle Time.]
ciscoasa(config)# tunnel-group name type type
Names the tunnel group and defines the type of VPN connection that is to be established.
ciscoasa(config)# pre-shared-key key
Associates a PSK with the connection policy.
asa1(config)# tunnel-group TRAINING ipsec-attributes
asa1(config-tunnel-ipsec)# pre-shared-key cisco123
Step 3: Specify Local IP Address Pool
[Figure: Remote Client on the Outside, Internet, security appliance 172.26.26.1, server 10.0.0.15 on the Inside; the address pool is pushed to the client.]
ciscoasa(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group general-attributes submode to configure the address pool.
ciscoasa(config-tunnel-general)# address-pool [interface name] address_pool1 [...address_pool6]
Associates an address pool with the connection policy.
asa1(config)# tunnel-group TRAINING general-attributes
asa1(config-tunnel-general)# address-pool MYPOOL
Step 4: Configure the Group Policy Type
[Figure: Remote Client on the Outside, Internet, security appliance 172.26.26.1, server 10.0.0.15 on the Inside; VPN group attributes pushed to the client: Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool, Idle Time.]
ciscoasa(config)# group-policy name internal [from group-policy-name]
ciscoasa(config-group-policy)# dns-server {value ip_address [ip_address] | none}
ciscoasa(config-group-policy)# wins-server {value ip_address [ip_address] | none}
ciscoasa(config-group-policy)# default-domain {value domain-name | none}
ciscoasa(config-group-policy)# vpn-idle-timeout {minutes | none}
[Figure: transform set DES / SHA-HMAC; remote client 192.168.1.5.]
ciscoasa(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
ciscoasa(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
ciscoasa(config)# aaa-server server-tag protocol server-protocol
ciscoasa(config)# aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
XAUTH
ciscoasa(config-tunnel-general)# authentication-server-group [(interface_name)] server_group [LOCAL | NONE]
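Added example, not a configuration from the Cisco deck: the steps of this lesson assembled into one ASA 7.2/8.0-style Easy VPN server configuration. Assumed values are the TRAINING group and MYPOOL pool names from the slides, an inside RADIUS server at 10.0.1.2, an inside network of 10.0.1.0/24, an AES transform set in place of the DES one pictured, and placeholder PSK and RADIUS key values.

```cisco
! Added example, not the deck's own config: an ASA 7.2/8.0-style Easy VPN
! server built from the steps in this lesson. Names, addresses and keys are assumed.
! Address pool handed to remote clients (Step 3 above)
ip local pool MYPOOL 10.0.11.1-10.0.11.254 mask 255.255.255.0
! AAA server group used for XAUTH; <RADIUS-KEY> is a placeholder
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.1.2 <RADIUS-KEY> timeout 5
!
! Group policy: attributes pushed to the client (Step 4 above)
group-policy TRAINING internal
group-policy TRAINING attributes
 dns-server value 10.0.1.2
 wins-server none
 default-domain value example.com
 vpn-idle-timeout 30
!
! Tunnel group: the connection policy. XAUTH is enforced by pointing the
! authentication server group at RADIUS-SRV rather than NONE.
tunnel-group TRAINING type ipsec-ra
tunnel-group TRAINING general-attributes
 address-pool MYPOOL
 authentication-server-group RADIUS-SRV
 default-group-policy TRAINING
tunnel-group TRAINING ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! IKE Phase 1 policy and Phase 2 transform set (AES/SHA chosen here
! instead of the DES/SHA-HMAC set pictured on the slide)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
!
! Dynamic crypto map: clients connect from addresses not known in advance
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside
!
! NAT exemption: traffic between the inside LAN and the client pool
! travels encrypted and must not be translated
access-list NONAT extended permit ip 10.0.1.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

The `ipsec-ra` tunnel-group type is the ASA 7.x keyword; later releases use `remote-access`.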
[Figure: NAT and the VPN tunnel, remote client 192.168.1.5: encrypted traffic is not translated; clear-text traffic is translated.]
1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.
ciscoasa(config-tunnel-ipsec)#
[Figure: lab topology: Student PC with VPN Client, Web and FTP servers, security appliance 172.26.26.P.]