Configuring Security Appliance Remote Access Using Cisco Easy VPN

          Lesson 12




© 2007 Cisco Systems, Inc. All rights reserved.   SNPA v5.0—12-1
Outline

             Introduction to Easy VPN
             The Easy VPN Connection Process
             Overview of Cisco VPN Client
             Configuring Cisco VPN Client as Easy VPN Remote
             Working with the Cisco VPN Client
             Configuring Users and Groups
             Configuring the Easy VPN Server for Extended Authentication
             Summary




Introduction to Cisco Easy VPN




Cisco Easy VPN
          [Figure: Cisco Easy VPN components]
          Cisco Easy VPN Remote: Cisco VPN Client 3.x or later; Cisco 800 and 900 Series Routers;
          Cisco 1700 and 1800 Series Routers; Cisco 2800 and 3800 Series Routers;
          Cisco PIX Firewall 501 and 506; Cisco ASA 5505 Security Appliance
          Cisco Easy VPN Servers: Cisco IOS Release 12.2(8)T or later router;
          Cisco PIX Firewall Software Version 6.2 or later; Cisco ASA 5500 Series
Features of Cisco Easy VPN Server

             Server support for Cisco Easy VPN Remote clients was
              introduced with the release of the Cisco PIX Firewall Software
              version 6.2 and Cisco IOS 12.2(8)T.
             It allows remote end users to communicate using IPsec with
              supported adaptive security appliance VPN gateways.
             Centrally managed IPsec policies are pushed to the clients by the
              server, minimizing configuration by the end users.




Supported Cisco Easy VPN Servers
          [Figure: supported Cisco Easy VPN Servers]
          Cisco IOS Release 12.2(8)T or later router; Cisco PIX Firewall Software Version 6.2 or later;
          Cisco ASA 5500 Series
Supported Cisco Easy VPN Remote Clients

          [Figure: supported Cisco Easy VPN Remote clients]
          Cisco VPN Client 3.x or later; Cisco 800 and 900 Series Routers; Cisco 1700 and 1800 Series Routers;
          Cisco 2800 and 3800 Series Routers; Cisco PIX 501 and 506 Security Appliance;
          Cisco ASA 5505 Adaptive Security Appliance
Cisco Easy VPN Remote Modes of Operation

         Cisco Easy VPN Remote supports two modes of
         operation:
             Client mode
                     – Specifies that NAT or PAT be used.
                     – Enables the client to automatically configure NAT or PAT
                       translations and the ACLs that are needed to implement the
                       VPN tunnel.
                     – Supports split tunneling.
             Network Extension mode
                     – Specifies that the hosts at the client end of the VPN connection
                       use fully routable IP addresses.
                     – NAT or PAT is not used.
                     – Supports split tunneling.
Cisco Easy VPN Remote Client Mode

          [Figure: client mode. Hosts 192.168.1.2 and 192.168.1.3 sit behind an ASA 5505 Adaptive Security
          Appliance (Cisco Easy VPN Remote, 192.168.1.1) that applies PAT; a VPN tunnel runs to an ASA 5520
          Adaptive Security Appliance (Cisco Easy VPN Server, 10.0.1.2) in front of 10.0.0.0/24.]
Cisco Easy VPN Remote Network Extension Mode

          [Figure: network extension mode. Hosts 172.16.10.5 and 172.16.10.6 sit behind a Cisco 1811 Router
          (Cisco Easy VPN Remote, 172.16.10.1); hosts 172.16.20.5 and 172.16.20.6 sit behind an ASA 5505
          (Cisco Easy VPN Remote, 172.16.20.1, 10.0.2.2). Both remotes have VPN tunnels to an ASA 5520
          (Cisco Easy VPN Server, 10.0.1.2) in front of 172.16.30.0/24; the hosts keep their routable
          addresses.]
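The two modes above, worked on the addresses from the diagrams, as an added example that is not part of the original deck. It models only what the slides state: in client mode the remote applies PAT so the server sees one address for every inside host, in network extension mode the inside hosts keep their routable addresses, and in either mode a split-tunnel list decides which destinations enter the tunnel at all. The tunnel address 10.0.11.1 and the destination hosts are assumed values.

```python
import ipaddress


def handle_packet(mode, src, dst, *, tunnel_address=None, split_tunnel=None):
    """Model how an Easy VPN Remote treats one packet from a host behind it.

    mode: "client" (the remote applies PAT, so the server sees every inside
          host as tunnel_address) or "network-extension" (hosts keep their
          fully routable addresses; no NAT or PAT is applied).
    split_tunnel: networks reached through the tunnel; None means no split
          tunneling, so everything is tunnelled.
    Returns (path, source_seen_by_the_far_end), path being "tunnel" or "clear".
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if split_tunnel is None:
        tunnelled = True
    else:
        tunnelled = any(dst_ip in ipaddress.ip_network(n) for n in split_tunnel)
    if not tunnelled:
        # Split-tunnel traffic bypasses the VPN; how the remote forwards it
        # toward the Internet is outside what this lesson covers.
        return "clear", str(src_ip)
    if mode == "client":
        if tunnel_address is None:
            raise ValueError("client mode needs the address the server assigned")
        return "tunnel", str(ipaddress.ip_address(tunnel_address))
    if mode == "network-extension":
        return "tunnel", str(src_ip)
    raise ValueError(f"unknown mode {mode!r}")


def sources_seen_by_server(mode, inside_hosts, dst, *, tunnel_address=None):
    """The source addresses server-side ACLs and routing must account for:
    a single tunnel address in client mode, every inside host in network
    extension mode. dst is any destination that is reached through the tunnel."""
    return sorted({handle_packet(mode, h, dst, tunnel_address=tunnel_address)[1]
                   for h in inside_hosts})


if __name__ == "__main__":
    # Constructed addresses taken from the two diagrams; the client-mode
    # tunnel address is assumed to have been assigned by the server.
    print(handle_packet("client", "192.168.1.2", "10.0.0.20", tunnel_address="10.0.11.1"))
    print(handle_packet("network-extension", "172.16.10.5", "172.16.30.7"))
    print(sources_seen_by_server("client", ["192.168.1.2", "192.168.1.3"],
                                 "10.0.0.20", tunnel_address="10.0.11.1"))
    print(sources_seen_by_server("network-extension",
                                 ["172.16.20.5", "172.16.20.6"], "172.16.30.7"))
```

The practical consequence is the last two calls: behind a client-mode remote the server only ever needs to permit the one assigned address, whereas behind a network extension remote every inside subnet (172.16.10.0/24 and 172.16.20.0/24 in the diagram) must be routable and permitted on the server side.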
The Cisco Easy VPN Connection Process




Cisco Easy VPN Remote Connection Process

            Step 1: The Cisco VPN Client initiates the IKE Phase 1 process.
            Step 2: The Cisco VPN Client negotiates an IKE SA.
            Step 3: The Cisco Easy VPN Server accepts the SA proposal.
            Step 4: The Cisco Easy VPN Server initiates a username/password
                    challenge.
            Step 5: The mode configuration process is initiated.
            Step 6: IKE quick mode completes the connection.




Step 1: Cisco VPN Client Initiates IKE Phase 1 Process

          [Figure: the Remote PC with Cisco Easy VPN Remote Client initiates IKE Phase 1 toward the
          security appliance (Cisco Easy VPN Server)]

               Using PSKs? Initiate aggressive mode.
               Using digital certificates? Initiate main mode.
Step 2: Cisco VPN Client Negotiates an IKE SA

          [Figure: the Remote PC with Cisco Easy VPN Remote Client sends Proposal 1, Proposal 2, Proposal 3
          to the security appliance (Cisco Easy VPN Server)]
             The Cisco VPN Client attempts to establish an SA between peer
              IP addresses by sending multiple IKE proposals to the Cisco Easy
              VPN Server.
             To reduce manual configuration on the Cisco VPN Client, these
              IKE proposals include several combinations of the following:
                     – Encryption and hash algorithms
                     – Authentication methods
                     – DH group sizes
Step 3: Cisco Easy VPN Server Accepts SA Proposal

          [Figure: the security appliance (Cisco Easy VPN Server) checks the proposals against its own list
          and finds that Proposal 1 matches]
             The Cisco Easy VPN Server searches for a match:
                     – The first proposal to match the server list is accepted
                       (highest priority match).
                     – The most secure proposals are always listed at the top of the
                       Cisco Easy VPN Server proposal list (highest priority).
             IKE SA is successfully established.
             Device authentication ends and user authentication begins.

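The proposal matching in Steps 2 and 3, as an added example in Python that is not part of the original deck. It models the rule the slide states: the server walks its own policy list in priority order (lowest sequence number first) and accepts the first policy that any client proposal matches; the client's ordering plays no part. The server list is constructed: policy 20 is the one Task 1 of this lesson configures, and policy 10 is an assumed stronger entry placed above it. IKE lifetime matching is left out of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    """One ISAKMP policy on the server, or one proposal offered by the client."""
    encryption: str  # "aes-256", "3des", "des", ...
    hash: str        # "sha" or "md5"
    auth: str        # "pre-share" or "rsa-sig"
    group: int       # Diffie-Hellman group number


# Constructed server policy list. Policy 20 is the one Task 1 of this lesson
# configures (pre-share / des / sha / group 2); policy 10 is an assumed stronger
# entry placed above it, since the slide says the most secure policies belong at
# the top of the server list (lower sequence number = higher priority).
SERVER_POLICIES = {
    10: IkeProposal("aes-256", "sha", "pre-share", 5),
    20: IkeProposal("des", "sha", "pre-share", 2),
}

# Constructed set of proposals a VPN Client might send in Step 2.
CLIENT_PROPOSALS = [
    IkeProposal("3des", "sha", "pre-share", 2),
    IkeProposal("aes-256", "sha", "pre-share", 5),
    IkeProposal("des", "sha", "pre-share", 2),
]

WEAK_ENCRYPTION = {"des"}
WEAK_DH_GROUPS = {1, 2}


def select_policy(server_policies, client_proposals):
    """Step 3 as the slide describes it: walk the server's list in priority
    order and accept the first policy that any client proposal matches on all
    four attributes. Returns (seq, policy), or None when Phase 1 cannot agree."""
    offered = set(client_proposals)
    for seq in sorted(server_policies):
        if server_policies[seq] in offered:
            return seq, server_policies[seq]
    return None


def negotiate(server_policies, client_proposals):
    """Run the match and report whether the agreed IKE SA rests on weak
    primitives. The server's ordering alone decides which policy wins, so a
    weak policy left anywhere in the list is reachable by any client that
    offers it."""
    match = select_policy(server_policies, client_proposals)
    if match is None:
        return {"matched": False}
    seq, policy = match
    weak = policy.encryption in WEAK_ENCRYPTION or policy.group in WEAK_DH_GROUPS
    return {"matched": True, "seq": seq, "policy": policy, "weak": weak}


if __name__ == "__main__":
    print(negotiate(SERVER_POLICIES, CLIENT_PROPOSALS))
    # With only the Task 1 policy configured, the same client lands on DES / group 2.
    print(negotiate({20: SERVER_POLICIES[20]}, CLIENT_PROPOSALS))
```

The second call in the usage block is the case to watch for in a review: a server whose only (or lowest-priority but still present) policy is DES with group 2 will happily complete Phase 1 with those parameters for every client that offers them.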
Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge

          [Figure: the security appliance (Cisco Easy VPN Server) sends a username/password challenge to the
          Remote PC with Cisco Easy VPN Remote Client, which returns a username/password; the server checks
          it against AAA]
             If the Cisco Easy VPN Server is configured for XAUTH, the VPN
              Client waits for a username/password challenge:
                     – The user enters a username/password combination.
                     – The username/password information is checked against
                       authentication entities.
             All Cisco Easy VPN Servers should be configured to enforce user
              authentication.

Step 5: Mode Configuration Process Is Initiated

          [Figure: the Remote PC with Cisco Easy VPN Remote Client requests parameters; the security
          appliance (Cisco Easy VPN Server) returns system parameters via mode configuration]
             If the Cisco Easy VPN Server indicates successful authentication,
              the Cisco VPN Client requests the remaining configuration
              parameters from the Cisco Easy VPN Server:
                – Mode configuration starts.
                – The remaining system parameters (IP address, DNS, split
                  tunneling information, and so on) are downloaded to the
                  Cisco VPN Client.
             Remember that the IP address is the only required parameter in a
              group profile; all other parameters are optional.
Step 6: IKE Quick Mode Completes Connection

          [Figure: quick mode IPsec SA establishment between the Remote PC with Cisco Easy VPN Remote
          Client and the security appliance (Cisco Easy VPN Server); the VPN tunnel is up]
             After the configuration parameters have been successfully
              received by the Cisco VPN Client, IKE quick mode is initiated to
              negotiate IPsec SA establishment.
             After IPsec SA establishment, the VPN connection
              is complete.


Configuring the Easy VPN Server for Extended Authentication




Cisco Easy VPN Server General Configuration Tasks

          The following general tasks are used to configure a Cisco Easy VPN
          Server on a security appliance:
            Task 1: Create ISAKMP policy for remote Cisco VPN Client access.
            Task 2: Create IP address pool.
            Task 3: Define group policy for mode configuration push.
            Task 4: Create transform set.
            Task 5: Create dynamic crypto map.
            Task 6: Assign dynamic crypto map to static crypto map.
            Task 7: Apply crypto map to security appliance interface.
            Task 8: Configure Xauth.
            Task 9: Configure NAT and NAT 0.
            Task 10: Enable IKE DPD.


Task 1: Create ISAKMP Policy for Remote VPN Client Access

          [Figure: lab topology. Remote Client 172.26.26.1, Internet, security appliance outside interface
          192.168.1.5, inside server 10.0.0.15. ISAKMP policy: Pre-Share, DES, SHA, Group 2]
    asa1(config)# isakmp enable outside
    asa1(config)# isakmp policy 20
    asa1(config-isakmp-policy)# authentication pre-share
    asa1(config-isakmp-policy)# encryption des
    asa1(config-isakmp-policy)# hash sha
    asa1(config-isakmp-policy)# group 2

Task 2: Create IP Address Pool

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside 192.168.1.5, inside server
          10.0.0.15). Address pool MYPOOL 10.0.11.1-10.0.11.254]
    ciscoasa(config)#
       ip local pool poolname first-address-last-address [mask mask]

        Creates an optional local address pool if the remote client is using
         the remote server as an external DHCP server

    asa1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254

Task 3: Define Group Policy for Mode Configuration Push

         Task 3 contains the following steps:
            Step 1: Set the tunnel group type.
            Step 2: Configure the IKE PSK.
            Step 3: Specify the local IP address pool.
            Step 4: Configure the group policy type.
            Step 5: Enter the group-policy attributes submode.
            Step 6: Specify the DNS servers.
            Step 7: Specify the WINS servers.
            Step 8: Specify the DNS domain.
            Step 9: Specify idle timeout.



Step 1: Set the Tunnel Group Type

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside, inside, server 10.0.0.15).
          The VPN group pushed to the client carries: Pre-Share, DNS Server, WINS Server, DNS Domain,
          Address Pool, Idle Time]
     ciscoasa(config)#
     tunnel-group name type type
    Names the tunnel group
    Defines the type of VPN connection that is to be established

     asa1(config)# tunnel-group TRAINING type ipsec-ra

Step 2: Configure IKE Pre-Shared Key

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside, inside, server 10.0.0.15)]
     ciscoasa(config)#
    tunnel-group name [general-attributes | ipsec-attributes]
  Enters tunnel-group ipsec-attributes submode to configure
   the key
     ciscoasa(config-tunnel-ipsec)#
    pre-shared-key key
  Associates a PSK with the connection policy
     asa1(config)# tunnel-group TRAINING ipsec-attributes
     asa1(config-tunnel-ipsec)# pre-shared-key cisco123

Step 3: Specify Local IP Address Pool

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside, inside, server 10.0.0.15)]
     ciscoasa(config)#
    tunnel-group name [general-attributes | ipsec-attributes]
  Enters tunnel-group general-attributes submode to configure the address pool

     ciscoasa(config-tunnel-general)#
    address-pool [interface name] address_pool1
      [...address_pool6]
  Associates an address pool with the connection policy
    asa1(config)# tunnel-group TRAINING general-attributes
    asa1(config-tunnel-general)# address-pool MYPOOL
Step 4: Configure the Group Policy Type

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
    ciscoasa(config)#
       group-policy {name internal [from group-policy name]}


    asa1(config)# group-policy TRAINING internal

Step 5: Enter the Group-Policy Attributes Subcommand Mode

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
    ciscoasa(config)#
       group-policy {name} attributes

    asa1(config)# group-policy TRAINING attributes
    asa1(config-group-policy)#
Step 6: Specify DNS Servers

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
     ciscoasa(config-group-policy)#
       dns-server {value ip_address [ip_address] | none}


    asa1(config-group-policy)# dns-server value 10.0.0.15

Step 7: Specify WINS Servers

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
     ciscoasa(config-group-policy)#
       wins-server {value ip_address [ip_address] | none}


    asa1(config-group-policy)# wins-server value 10.0.0.15

Step 8: Specify DNS Domain

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
     ciscoasa(config-group-policy)#
       default-domain {value domain-name | none}


    asa1(config-group-policy)# default-domain value cisco.com

Step 9: Specify Idle Timeout

          [Figure: same lab topology as Task 1; the VPN group attributes (Pre-Share, DNS Server, WINS Server,
          DNS Domain, Address Pool, Idle Time) are pushed to the client]
     ciscoasa(config-group-policy)#
       vpn-idle-timeout {minutes | none}


    asa1(config-group-policy)# vpn-idle-timeout 600

Task 4: Create Transform Set

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside 192.168.1.5, inside server
          10.0.0.15). Transform set: DES, SHA-HMAC]
     ciscoasa(config)#
       crypto ipsec transform-set transform-set-name transform1 [transform2]

    asa1(config)# crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac

Task 5: Create Dynamic Crypto Map

          [Figure: same lab topology as Task 1 (Remote Client 172.26.26.1, outside 192.168.1.5, inside server
          10.0.0.15)]
    ciscoasa(config)#
        crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [… transform-set-name9]

     asa1(config)# crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1



Task 6: Assign Dynamic Crypto Map to Static Crypto Map
     [Figure: same topology as Task 4]



     ciscoasa(config)#
       crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

     asa1(config)# crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP

     A dynamic entry accepts any peer, so give it the highest sequence number in the map (lowest priority) to ensure static, peer-specific entries are evaluated first; 10 is acceptable here only because RMT-USER-MAP has no static entries.



Task 7: Apply Crypto Map to Security Appliance Outside Interface
     [Figure: same topology as Task 4]




     ciscoasa(config)#
        crypto map map-name interface interface-name

        asa1(config)# crypto map RMT-USER-MAP interface outside

     A dynamic crypto map is never bound to an interface itself; the static map that references it (RMT-USER-MAP) is applied to the outside interface, and the appliance does not process IPsec on that interface until this is done.



Task 8: Configure XAUTH

         Task 8 contains the following steps:
            Step 1: Enable AAA login authentication.
            Step 2: Define AAA server IP address and encryption key.
            Step 3: Enable IKE XAUTH for the tunnel group.




Step 1: Enable AAA Login Authentication
     [Figure: same topology as Task 4]




     ciscoasa(config)#
        aaa-server server-tag protocol server-protocol


        asa1(config)# aaa-server MYTACACS protocol tacacs+
        asa1(config-aaa-server-group)#




Step 2: Define AAA Server IP Address and Encryption Key
     [Figure: same topology as Task 4]


    ciscoasa(config)#
       aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]

       asa1(config)# aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
       asa1(config-aaa-server-host)#

    The key is the TACACS+ shared secret and must match the one configured on the server; cisco123 is the lab value only.




Step 3: Enable IKE XAUTH for Tunnel Group
     [Figure: same topology as Task 4; XAUTH exchange between the remote client and the security appliance]

     ciscoasa(config-tunnel-general)#
       authentication-server-group [(interface-name)] server-group [LOCAL | NONE]

     asa1(config)# tunnel-group TRAINING general-attributes
     asa1(config-tunnel-general)# authentication-server-group MYTACACS

     Naming a server group turns on XAUTH for the tunnel group. LOCAL as the trailing keyword adds fallback to the local user database when every server in the group is unreachable; NONE as the server group disables user authentication for the group and must not be used for a remote-access tunnel group.


Task 9: Configure NAT and NAT 0
     [Figure: remote client 172.26.26.1 - Internet - security appliance (outside 192.168.1.5 / inside 10.0.0.0) - server 10.0.0.15; traffic matching the ACL is encrypted with no translation, other traffic goes in clear text and is translated]


    asa1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
    asa1(config)# nat (inside) 0 access-list 101
    asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    asa1(config)# global (outside) 1 interface

             Matches ACL 101 (inside network 10.0.0.0/24 to the remote-client address pool 10.0.11.0/24): sent encrypted through the tunnel, no translation (NAT 0)
             Does not match ACL 101: sent in clear text and translated to the outside interface address (PAT)

Task 10: Enable IKE DPD
     [Figure: same topology as Task 4; 1) DPD send: "Are you there?"  2) DPD reply: "Yes, I am here."]

     ciscoasa(config-tunnel-ipsec)#
       isakmp keepalive [threshold seconds] [retry seconds] [disable]

     Configures the IKE DPD parameters: threshold is the number of seconds the peer may be idle before the security appliance starts sending DPD keepalives, and retry is the interval between retries when no reply arrives. A peer that keeps failing to answer is declared dead and its SAs are torn down; disable turns DPD off for the tunnel group.

     asa1(config)# tunnel-group TRAINING ipsec-attributes
     asa1(config-tunnel-ipsec)# isakmp keepalive threshold 30 retry 10

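The script below is an added example written for this page; it is not Cisco course material and not a feature of the security appliance. It takes the commands from Tasks 4 through 10 as a constructed text sample (pre-8.3 nat/global syntax, exactly as on the slides) and checks the points a reviewer looks at before a remote-access config goes live: weak ESP transforms (Task 4), the dynamic entry's sequence number relative to static entries and whether the map is bound to an interface (Tasks 6 and 7), whether the tunnel group's XAUTH server group exists or is NONE (Task 8), and whether DPD has been disabled (Task 10). The check names and findings text, the MISORDERED and HARDENED variants, the hypothetical site-to-site peer 192.0.2.10 and ACL name L2L-TRAFFIC are all assumptions of the example, as is the choice of esp-aes-256 and of 65535 as the highest crypto map sequence number.

```python
"""Audit the remote-access IPsec commands from Tasks 4 to 10 of this lesson.
Added example, not Cisco course material: the checks, the findings text and the
sample configurations are the author's own; pre-8.3 ASA syntax as on the slides."""
import re
from collections import defaultdict

# Constructed sample: the commands exactly as the slides show them.
SLIDE_CONFIG = """\
crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1
crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP
crypto map RMT-USER-MAP interface outside
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
tunnel-group TRAINING general-attributes
 authentication-server-group MYTACACS
tunnel-group TRAINING ipsec-attributes
 isakmp keepalive threshold 30 retry 10
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
"""
# Constructed: a hypothetical site-to-site peer (192.0.2.10, ACL L2L-TRAFFIC) added
# at a higher seq than the dynamic entry, so the catch-all dynamic entry is tried first.
MISORDERED_CONFIG = SLIDE_CONFIG + """\
crypto map RMT-USER-MAP 20 match address L2L-TRAFFIC
crypto map RMT-USER-MAP 20 set peer 192.0.2.10
crypto map RMT-USER-MAP 20 set transform-set REMOTEUSER1
"""
# Constructed: AES-256 instead of DES, and the dynamic entry moved to the highest
# sequence number (65535) so that the static peer is matched first.
HARDENED_CONFIG = MISORDERED_CONFIG.replace(
    "esp-des esp-sha-hmac", "esp-aes-256 esp-sha-hmac").replace(
    "RMT-USER-MAP 10 ipsec-isakmp", "RMT-USER-MAP 65535 ipsec-isakmp")
WEAK = {"esp-des": "single DES, 56-bit key", "esp-null": "no encryption",
        "esp-md5-hmac": "MD5 integrity"}


def audit(config: str) -> list[str]:
    """Return the findings for one config; an empty list means every check passed."""
    findings, static_seqs, dyn_entries = [], defaultdict(list), defaultdict(list)
    applied, aaa_groups, general_tg, xauth, dpd = set(), set(), set(), {}, {}
    tg = None  # (tunnel-group name, section) while inside its indented sub-commands
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            tg = None  # any top-level command ends the tunnel-group section
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):  # Task 4
            name, transforms = m.group(1), m.group(2).split()
            findings += [f"transform-set {name}: weak transform {t} ({WEAK[t]})"
                         for t in transforms if t in WEAK]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            dyn_entries[m.group(1)].append((int(m.group(2)), m.group(3)))  # Task 6
        elif m := re.match(r"crypto map (\S+) (\d+) (?:match|set) ", line):
            static_seqs[m.group(1)].append(int(m.group(2)))  # static, peer-specific entry
        elif m := re.match(r"crypto map (\S+) interface \S+", line):
            applied.add(m.group(1))  # Task 7
        elif m := re.match(r"aaa-server (\S+) protocol ", line):
            aaa_groups.add(m.group(1))  # Task 8, step 1
        elif m := re.match(r"tunnel-group (\S+) (general|ipsec)-attributes", line):
            tg = (m.group(1), m.group(2))
            if tg[1] == "general":
                general_tg.add(tg[0])
        elif tg and (m := re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", line)):
            xauth[tg[0]] = m.group(1)  # Task 8, step 3
        elif tg and line.startswith("isakmp keepalive"):
            dpd[tg[0]] = line  # Task 10
    # The dynamic entry must sort after every static entry, and its map must be bound.
    for name, entries in dyn_entries.items():
        for seq, _dyn in entries:
            if static_seqs[name] and seq < max(static_seqs[name]):
                findings.append(f"crypto map {name}: dynamic entry seq {seq} is below static "
                                f"entry seq {max(static_seqs[name])}; static peers must come first")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    # Every remote-access tunnel group must enforce XAUTH against a defined AAA group.
    for name in sorted(general_tg):
        group = xauth.get(name)
        if group is None:
            findings.append(f"tunnel-group {name}: no authentication-server-group (default is LOCAL)")
        elif group == "NONE":
            findings.append(f"tunnel-group {name}: XAUTH disabled (authentication-server-group NONE)")
        elif group != "LOCAL" and group not in aaa_groups:
            findings.append(f"tunnel-group {name}: aaa-server group {group} is not defined")
    for name, line in dpd.items():  # dead-peer detection must not be switched off
        if "disable" in line.split():
            findings.append(f"tunnel-group {name}: IKE DPD disabled")
    return findings


if __name__ == "__main__":  # run the three constructed samples through the audit
    for label, cfg in (("slides", SLIDE_CONFIG), ("misordered", MISORDERED_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run as a script, the slide config produces exactly one finding (the DES transform), the misordered variant adds the sequence-number finding, and the hardened variant is clean. The parser keys only on the command shapes used in this lesson; a real running-config has many more line types, which fall through the elif chain untouched.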
Summary

             Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
             The Cisco Easy VPN Server adds several new commands to Cisco PIX Security Appliance Software Version 6.3 and later versions.
             The Cisco VPN Client enables software-based VPN remote access.




Lab Visual Objective



   [Figure: lab topology]
     Student PC with the Cisco VPN Client: 172.26.26.P
     RBB: 172.26.26.150 on the student network, 192.168.P.1 toward the security appliance
     Security Appliance: outside 192.168.P.2, inside 10.0.P.1
     Web/FTP server: 10.0.P.10





  • 17. Step 5: Mode Configuration Process Is Initiated Remote PC with Cisco Easy VPN Security Appliance Remote Client Cisco Easy VPN Server Client Requests Parameters System Parameters via Mode Configuration  If the Cisco Easy VPN Server indicates successful authentication, the Cisco VPN Client requests the remaining configuration parameters from the Cisco Easy VPN Server: – Mode configuration starts. – The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the Cisco VPN Client.  Remember that the IP address is the only required parameter in a group profile; all other parameters are optional. © 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—12-17
  • 18. Step 6: IKE Quick Mode Completes Connection Remote PC with Cisco Easy VPN Remote Client Quick Mode Security Appliance IPsec SA Cisco Easy VPN Establishment Server VPN Tunnel  After the configuration parameters have been successfully received by the Cisco VPN Client, IKE quick mode is initiated to negotiate IPsec SA establishment.  After IPsec SA establishment, the VPN connection is complete. © 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—12-18
• 19. Configuring the Easy VPN Server for Extended Authentication
• 20. Cisco Easy VPN Server General Configuration Tasks
  The following general tasks are used to configure a Cisco Easy VPN Server on a security appliance:
  Task 1: Create ISAKMP policy for remote Cisco VPN Client access.
  Task 2: Create IP address pool.
  Task 3: Define group policy for mode configuration push.
  Task 4: Create transform set.
  Task 5: Create dynamic crypto map.
  Task 6: Assign dynamic crypto map to static crypto map.
  Task 7: Apply crypto map to security appliance interface.
  Task 8: Configure Xauth.
  Task 9: Configure NAT and NAT 0.
  Task 10: Enable IKE DPD.
• 21. Task 1: Create ISAKMP Policy for Remote VPN Client Access
  (Diagram: remote client across the Internet to the security appliance outside interface, inside server 10.0.0.15; addresses shown 172.26.26.1 and 192.168.1.5. ISAKMP: Pre-Share, DES, SHA, Group 2)
    asa1(config)# isakmp enable outside
    asa1(config)# isakmp policy 20
    asa1(config-isakmp-policy)# authentication pre-share
    asa1(config-isakmp-policy)# encryption des
    asa1(config-isakmp-policy)# hash sha
    asa1(config-isakmp-policy)# group 2
• 22. Task 2: Create IP Address Pool
  (Diagram: same topology; MYPOOL 10.0.11.1-10.0.11.254)
    ciscoasa(config)# ip local pool poolname first-address-last-address [mask mask]
   Creates an optional local address pool, used when the remote client obtains its address from the Easy VPN Server (as it would from a DHCP server)
    asa1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
• 23. Task 3: Define Group Policy for Mode Configuration Push
  Task 3 contains the following steps:
  Step 1: Set the tunnel group type.
  Step 2: Configure the IKE PSK.
  Step 3: Specify the local IP address pool.
  Step 4: Configure the group policy type.
  Step 5: Enter the group-policy attributes submode.
  Step 6: Specify the DNS servers.
  Step 7: Specify the WINS servers.
  Step 8: Specify the DNS domain.
  Step 9: Specify idle timeout.
• 24. Step 1: Set the Tunnel Group Type
  (Diagram: VPN group parameters pushed to the client: pre-share, DNS server, WINS server, DNS domain, address pool, idle time)
    ciscoasa(config)# tunnel-group name type type
   Names the tunnel group
   Defines the type of VPN connection that is to be established
    asa1(config)# tunnel-group TRAINING type ipsec-ra
• 25. Step 2: Configure IKE Pre-Shared Key
    ciscoasa(config)# tunnel-group name [general-attributes | ipsec-attributes]
   Enters tunnel-group ipsec-attributes submode to configure the key
    ciscoasa(config-tunnel-ipsec)# pre-shared-key key
   Associates a PSK with the connection policy
    asa1(config)# tunnel-group TRAINING ipsec-attributes
    asa1(config-tunnel-ipsec)# pre-shared-key cisco123
• 26. Step 3: Specify Local IP Address Pool
    ciscoasa(config)# tunnel-group name [general-attributes | ipsec-attributes]
   Enters tunnel-group general-attributes submode to configure the address pool
    ciscoasa(config-tunnel-general)# address-pool [interface name] address_pool1 [...address_pool6]
   Associates an address pool with the connection policy
    asa1(config)# tunnel-group TRAINING general-attributes
    asa1(config-tunnel-general)# address-pool MYPOOL
• 27. Step 4: Configure the Group Policy Type
    ciscoasa(config)# group-policy {name internal [from group-policy name]}
    asa1(config)# group-policy TRAINING internal
• 28. Step 5: Enter the Group-Policy Attributes Subcommand Mode
    ciscoasa(config)# group-policy {name} attributes
    asa1(config)# group-policy TRAINING attributes
    asa1(config-group-policy)#
• 29. Step 6: Specify DNS Servers
    ciscoasa(config-group-policy)# dns-server {value ip_address [ip_address] | none}
    asa1(config-group-policy)# dns-server value 10.0.0.15
• 30. Step 7: Specify WINS Servers
    ciscoasa(config-group-policy)# wins-server {value ip_address [ip_address] | none}
    asa1(config-group-policy)# wins-server value 10.0.0.15
• 31. Step 8: Specify DNS Domain
    ciscoasa(config-group-policy)# default-domain {value domain-name | none}
    asa1(config-group-policy)# default-domain value cisco.com
• 32. Step 9: Specify Idle Timeout
    ciscoasa(config-group-policy)# vpn-idle-timeout {minutes | none}
    asa1(config-group-policy)# vpn-idle-timeout 600
• 33. Task 4: Create Transform Set
  (Diagram: same topology; transform set DES, SHA-HMAC)
    ciscoasa(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
    asa1(config)# crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
• 34. Task 5: Create Dynamic Crypto Map
    ciscoasa(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
    asa1(config)# crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1
• 35. Task 6: Assign Dynamic Crypto Map to Static Crypto Map
    ciscoasa(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
    asa1(config)# crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP
• 36. Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface
    ciscoasa(config)# crypto map map-name interface interface-name
    asa1(config)# crypto map RMT-USER-MAP interface outside
• 37. Task 8: Configure XAUTH
  Task 8 contains the following steps:
  Step 1: Enable AAA login authentication.
  Step 2: Define AAA server IP address and encryption key.
  Step 3: Enable IKE XAUTH for the tunnel group.
• 38. Step 1: Enable AAA Login Authentication
    ciscoasa(config)# aaa-server server-tag protocol server-protocol
    asa1(config)# aaa-server MYTACACS protocol tacacs+
    asa1(config-aaa-server-group)#
• 39. Step 2: Define AAA Server IP Address and Encryption Key
    ciscoasa(config)# aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
    asa1(config)# aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
    asa1(config-aaa-server-host)#
• 40. Step 3: Enable IKE Xauth for Tunnel Group
  (Diagram: XAUTH between the remote client and the security appliance; AAA server 10.0.0.15 on the inside)
    ciscoasa(config-tunnel-general)# authentication-server-group [(interface name)] server-group [LOCAL | NONE]
    asa1(config)# tunnel-group TRAINING general-attributes
    asa1(config-tunnel-general)# authentication-server-group MYTACACS
• 41. Task 9: Configure NAT and NAT 0
  (Diagram: inside network 10.0.0.0 with server 10.0.0.15; traffic to the remote client is encrypted with no translation, traffic to the Internet is clear text with translation)
    asa1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
    asa1(config)# nat (inside) 0 access-list 101
    asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    asa1(config)# global (outside) 1 interface
   Matches ACL: Encrypted data and no translation (NAT 0)
   Does not match ACL: Clear text and translation (PAT)
• 42. Task 10: Enable IKE DPD
  (Diagram: 1) DPD Send: Are you there? 2) DPD Reply: Yes, I am here.)
    ciscoasa(config-tunnel-ipsec)# isakmp keepalive [threshold seconds] [retry seconds] [disable]
   Configures the IKE DPD parameters
    asa1(config)# tunnel-group TRAINING ipsec-attributes
    asa1(config-tunnel-ipsec)# isakmp keepalive threshold 30 retry 10
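As an added example that is not part of the lesson, the following Python audit joins the CLI from Tasks 1 through 10 into one constructed config fragment and checks that the objects reference each other (address pool, AAA server group, transform set, dynamic and static crypto map, interface), that a pre-shared-key tunnel group also has Xauth, and flags the DES and DH group 2 settings the 2007 slides use; the regular expressions assume the ASA 7.x syntax printed on the slides.

```python
import re

# Constructed sample: the CLI from Tasks 1-10 of this lesson, joined into one
# config fragment in the ASA 7.x syntax printed on the slides.
SAMPLE_CONFIG = """\
isakmp policy 20
 authentication pre-share
 encryption des
 group 2
ip local pool MYPOOL 10.0.11.1-10.0.11.254
tunnel-group TRAINING general-attributes
 address-pool MYPOOL
 authentication-server-group MYTACACS
tunnel-group TRAINING ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1
crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP
crypto map RMT-USER-MAP interface outside
aaa-server MYTACACS protocol tacacs+
"""

# Algorithms the 2007 lesson uses that a current deployment should flag.
WEAK = {"encryption des": "ISAKMP policy uses DES",
        "group 2": "ISAKMP policy uses 1024-bit DH group 2",
        "esp-des": "transform set uses ESP-DES"}

def audit(config):
    """Return findings: dangling references along the Easy VPN object chain,
    a PSK tunnel group with no Xauth, and weak algorithms. Empty = intact."""
    text = "\n".join(ln.strip() for ln in config.splitlines() if ln.strip())
    find = lambda pat: re.findall(pat, text, re.M)
    pools = set(find(r"^ip local pool (\S+)"))
    aaa = set(find(r"^aaa-server (\S+) protocol"))
    tsets = set(find(r"^crypto ipsec transform-set (\S+)"))
    dyn = find(r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)")
    out = [f"address-pool {p}: no such ip local pool"
           for p in find(r"^address-pool (\S+)") if p not in pools]
    out += [f"authentication-server-group {g}: no such aaa-server"
            for g in find(r"^authentication-server-group (\S+)") if g not in aaa]
    out += [f"dynamic-map {d}: no such transform-set {t}" for d, t in dyn if t not in tsets]
    for cmap, dmap in find(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        if dmap not in {d for d, _ in dyn}:
            out.append(f"crypto map {cmap}: no such dynamic-map {dmap}")
        if not find(rf"^crypto map {cmap} interface \S+"):
            out.append(f"crypto map {cmap}: not applied to any interface")
    if "pre-shared-key" in text and "authentication-server-group" not in text:
        out.append("PSK tunnel group without Xauth (no authentication-server-group)")
    out += [f"weak: {why}" for tok, why in WEAK.items() if re.search(rf"\b{tok}\b", text)]
    return out
```

Run against the lesson's own CLI, the chain is intact and only the three weak-algorithm findings remain; drop the `crypto map ... interface` line or misspell the pool name and the corresponding dangling reference is reported.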
• 43. Summary
   Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
   The Cisco Easy VPN Server adds several new commands to Cisco PIX Security Appliance Software Version 6.3 and later versions.
   The Cisco VPN Client enables software-based VPN remote access.
• 44. Lab Visual Objective
  (Lab diagram: Student PC with VPN Client at 172.26.26.P, RBB, security appliance, and Web/FTP server across the networks 172.26.26.0, 192.168.P.0 and 10.0.P.0; host addresses shown .150, .1, .2, .1, .10)