Easy VPN
- 1. Configuring Security Appliance Remote Access Using Cisco Easy VPN
Lesson 12
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—12-1
- 2. Outline
Introduction to Easy VPN
How the Easy VPN Connection Process Works
Overview of Cisco VPN Client
Configuring Cisco VPN Client as Easy VPN Remote
Working with the Cisco VPN Client
Configuring Users and Groups
Configuring the Easy VPN Server for Extended Authentication
Summary
- 3. Introduction to Cisco Easy VPN
- 4. Cisco Easy VPN
Cisco Easy VPN Remote:
– Cisco VPN Client > 3.x
– Cisco 800 and 900 Series Router
– Cisco 1700 and 1800 Series Router
– Cisco PIX Firewall 501 and 506
– Cisco ASA 5505 Security Appliance
Cisco Easy VPN Servers:
– Cisco IOS Release > 12.2(8)T Router
– Cisco 2800 and 3800 Series Router
– Cisco PIX Firewall Software Version > 6.2
– Cisco ASA 5500 Series
- 5. Features of Cisco Easy VPN Server
Server support for Cisco Easy VPN Remote clients was introduced with the release of the Cisco PIX Firewall Software version 6.2 and Cisco IOS 12.2(8)T.
It allows remote end users to communicate using IPsec with supported adaptive security appliance VPN gateways.
Centrally managed IPsec policies are pushed to the clients by the server, minimizing configuration by the end users.
- 6. Supported Cisco Easy VPN Servers
Cisco Easy VPN Servers:
– Cisco IOS Release > 12.2(8)T Router
– Cisco 2800 and 3800 Series Router
– Cisco PIX Firewall Software Version > 6.2
– Cisco ASA 5500 Series
- 7. Supported Cisco Easy VPN Remote Clients
Cisco Easy VPN Remote:
– Cisco VPN Client > 3.x
– Cisco 800 and 900 Series Router
– Cisco 1700 and 1800 Series Router
– Cisco PIX 501 and 506 Security Appliance
– Cisco ASA 5505 Adaptive Security Appliance
- 8. Cisco Easy VPN Remote Modes of Operation
Cisco Easy VPN Remote supports two modes of operation:
Client mode
– Specifies that NAT or PAT be used.
– Enables the client to automatically configure NAT or PAT
translations and the ACLs that are needed to implement the
VPN tunnel.
– Supports split tunneling.
Network Extension mode
– Specifies that the hosts at the client end of the VPN connection
use fully routable IP addresses.
– NAT or PAT is not used.
– Supports split tunneling.
- 9. Cisco Easy VPN Remote Client Mode
Figure: client mode topology. Hosts 192.168.1.2 and 192.168.1.3 sit behind an ASA 5505 Adaptive Security Appliance (Cisco Easy VPN Remote, 192.168.1.1) that applies PAT; the VPN tunnel terminates on an ASA 5520 Adaptive Security Appliance (Cisco Easy VPN Server) at 10.0.1.2 in front of the 10.0.0.0/24 network.
- 10. Cisco Easy VPN Remote Network Extension Mode
Figure: network extension mode topology. A Cisco 1811 Router (Cisco Easy VPN Remote, 172.16.10.1) fronts hosts 172.16.10.5 and 172.16.10.6, and an ASA 5505 (Cisco Easy VPN Remote, 172.16.20.1) fronts hosts 172.16.20.5 and 172.16.20.6; each builds a VPN tunnel to the ASA 5520 (Cisco Easy VPN Server, 10.0.1.2 and 10.0.2.2) in front of the 172.16.30.0/24 network.
- 11. How the Cisco Easy VPN Connection Process Works
- 12. Cisco Easy VPN Remote Connection Process
Step 1: The Cisco VPN Client initiates the IKE Phase 1 process.
Step 2: The Cisco VPN Client negotiates an IKE SA.
Step 3: The Cisco Easy VPN Server accepts the SA proposal.
Step 4: The Cisco Easy VPN Server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.
- 13. Step 1: Cisco VPN Client Initiates IKE Phase 1 Process
Figure: the Remote PC with Cisco Easy VPN Remote Client opens IKE Phase 1 toward the Security Appliance (Cisco Easy VPN Server).
Using PSKs? Initiate aggressive mode.
Using digital certificates? Initiate main mode.
- 14. Step 2: Cisco VPN Client Negotiates an IKE SA
Figure: the Remote PC with Cisco Easy VPN Remote Client sends Proposal 1, Proposal 2 and Proposal 3 to the Security Appliance (Cisco Easy VPN Server).
The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Cisco Easy VPN Server.
To reduce manual configuration on the Cisco VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
- 15. Step 3: Cisco Easy VPN Server Accepts SA Proposal
Figure: the Security Appliance (Cisco Easy VPN Server) runs proposal checking and finds a match on Proposal 1 from the Remote PC with Cisco Easy VPN Remote Client.
The Cisco Easy VPN Server searches for a match:
– The first proposal to match the server list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Cisco Easy VPN Server proposal list (highest priority).
IKE SA is successfully established.
Device authentication ends and user authentication begins.
- 16. Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge
Figure: the Security Appliance (Cisco Easy VPN Server) sends a username/password challenge to the Remote PC with Cisco Easy VPN Remote Client and checks the username/password against AAA.
If the Cisco Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
All Cisco Easy VPN Servers should be configured to enforce user authentication.
- 17. Step 5: Mode Configuration Process Is Initiated
Figure: the Remote PC with Cisco Easy VPN Remote Client requests parameters, and the Security Appliance (Cisco Easy VPN Server) returns system parameters via mode configuration.
If the Cisco Easy VPN Server indicates successful authentication, the Cisco VPN Client requests the remaining configuration parameters from the Cisco Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the Cisco VPN Client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
- 18. Step 6: IKE Quick Mode Completes Connection
Figure: quick mode IPsec SA establishment between the Remote PC with Cisco Easy VPN Remote Client and the Security Appliance (Cisco Easy VPN Server) brings up the VPN tunnel.
After the configuration parameters have been successfully received by the Cisco VPN Client, IKE quick mode is initiated to negotiate IPsec SA establishment.
After IPsec SA establishment, the VPN connection is complete.
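How the server chooses among the client's proposals in Steps 2 and 3, as an added Python simulation that is not part of this lesson or of Cisco's software. The server policy list and client proposals are constructed; the lesson's DES/SHA/group 2 policy is included so the weak-match flag has something to report.

```python
"""Simulate how a Cisco Easy VPN Server picks the IKE SA (Steps 2 and 3).
Added illustration, not Cisco code: the server walks its ISAKMP policies in
priority order (lowest number first) and accepts the first exact match."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    encryption: str       # "aes-256", "3des", "des"
    hash: str             # "sha" or "md5"
    authentication: str   # "pre-share" or "rsa-sig"
    group: int            # Diffie-Hellman group number


# Constructed server list: (policy number, policy); lower number = higher priority
SERVER_POLICIES: List[Tuple[int, IkeProposal]] = [
    (10, IkeProposal("aes-256", "sha", "pre-share", 5)),
    (20, IkeProposal("3des", "sha", "pre-share", 2)),
    (30, IkeProposal("des", "sha", "pre-share", 2)),   # the lesson's Task 1 policy
]

# Constructed proposals of the kind the Cisco VPN Client sends in Step 2
CLIENT_PROPOSALS: List[IkeProposal] = [
    IkeProposal("aes-256", "sha", "pre-share", 2),   # DH group differs from policy 10
    IkeProposal("3des", "sha", "pre-share", 2),
    IkeProposal("des", "sha", "pre-share", 2),
]


def select_policy(server_policies, client_proposals) -> Optional[int]:
    """Number of the highest-priority server policy the client can match, else None."""
    for number, policy in sorted(server_policies, key=lambda item: item[0]):
        if policy in client_proposals:   # every attribute must agree
            return number
    return None


def is_weak(proposal: IkeProposal) -> bool:
    """Flag single DES, MD5 or a DH group below 5 as unsuitable for a server list."""
    return proposal.encryption == "des" or proposal.hash == "md5" or proposal.group < 5


def negotiated(server_policies, client_proposals):
    """(policy number, weak?) for the SA that would be established, or None."""
    number = select_policy(server_policies, client_proposals)
    if number is None:
        return None
    return number, is_weak(dict(server_policies)[number])
```

With the constructed lists the client cannot match policy 10 (DH group 2 versus 5), so the server settles on policy 20 and the weak flag is raised; reordering the server list does not change that, only what the client offers does.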
- 19. Configuring the Easy VPN Server for Extended Authentication
- 20. Cisco Easy VPN Server General Configuration Tasks
The following general tasks are used to configure a Cisco Easy VPN Server on a security appliance:
Task 1: Create ISAKMP policy for remote Cisco VPN Client access.
Task 2: Create IP address pool.
Task 3: Define group policy for mode configuration push.
Task 4: Create transform set.
Task 5: Create dynamic crypto map.
Task 6: Assign dynamic crypto map to static crypto map.
Task 7: Apply crypto map to security appliance interface.
Task 8: Configure Xauth.
Task 9: Configure NAT and NAT 0.
Task 10: Enable IKE DPD.
- 21. Task 1: Create ISAKMP Policy for Remote VPN Client Access
Figure: topology for Tasks 1-10: remote client 172.26.26.1, the Internet, the security appliance (outside and inside interfaces, 192.168.1.5) and server 10.0.0.15. ISAKMP policy: Pre-Share, DES, SHA, Group 2.
asa1(config)# isakmp enable outside
asa1(config)# isakmp policy 20
asa1(config-isakmp-policy)# authentication pre-share
asa1(config-isakmp-policy)# encryption des
asa1(config-isakmp-policy)# hash sha
asa1(config-isakmp-policy)# group 2
- 22. Task 2: Create IP Address Pool
Figure: same topology as Task 1; address pool MYPOOL 10.0.11.1-10.0.11.254.
ciscoasa(config)#
ip local pool poolname first-address-last-address [mask mask]
Creates an optional local address pool if the remote client is using the remote server as an external DHCP server
asa1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
- 23. Task 3: Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
Step 1: Set the tunnel group type.
Step 2: Configure the IKE PSK.
Step 3: Specify the local IP address pool.
Step 4: Configure the group policy type.
Step 5: Enter the group-policy attributes submode.
Step 6: Specify the DNS servers.
Step 7: Specify the WINS servers.
Step 8: Specify the DNS domain.
Step 9: Specify idle timeout.
- 24. Step 1: Set the Tunnel Group Type
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config)#
tunnel-group name type type
Names the tunnel group
Defines the type of VPN connection that is to be established
asa1(config)# tunnel-group TRAINING type ipsec-ra
- 25. Step 2: Configure IKE Pre-Shared Key
Figure: same topology as Task 1; parameters are pushed to the client.
ciscoasa(config)#
tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group ipsec-attributes submode to configure the key
ciscoasa(config-tunnel-ipsec)#
pre-shared-key key
Associates a PSK with the connection policy
asa1(config)# tunnel-group TRAINING ipsec-attributes
asa1(config-tunnel-ipsec)# pre-shared-key cisco123
- 26. Step 3: Specify Local IP Address Pool
Figure: same topology as Task 1; parameters are pushed to the client.
ciscoasa(config)#
tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group general-attributes submode to configure the address pool
ciscoasa(config-tunnel-general)#
address-pool [interface name] address_pool1 [...address_pool6]
Associates an address pool with the connection policy
asa1(config)# tunnel-group TRAINING general-attributes
asa1(config-tunnel-general)# address-pool MYPOOL
- 27. Step 4: Configure the Group Policy Type
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config)#
group-policy {name internal [from group-policy name]}
asa1(config)# group-policy TRAINING internal
- 28. Step 5: Enter the Group-Policy Attributes Subcommand Mode
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config)#
group-policy {name} attributes
asa1(config)# group-policy TRAINING attributes
asa1(config-group-policy)#
- 29. Step 6: Specify DNS Servers
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config-group-policy)#
dns-server {value ip_address [ip_address] | none}
asa1(config-group-policy)# dns-server value 10.0.0.15
- 30. Step 7: Specify WINS Servers
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config-group-policy)#
wins-server value {ip_address} [ip_address] | none
asa1(config-group-policy)# wins-server value 10.0.0.15
- 31. Step 8: Specify DNS Domain
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config-group-policy)#
default-domain {value domain-name | none}
asa1(config-group-policy)# default-domain value cisco.com
- 32. Step 9: Specify Idle Timeout
Figure: same topology as Task 1; the VPN group pushes Pre-Share, DNS Server, WINS Server, DNS Domain, Address Pool and Idle Time to the client.
ciscoasa(config-group-policy)#
vpn-idle-timeout {minutes | none}
asa1(config-group-policy)# vpn-idle-timeout 600
- 33. Task 4: Create Transform Set
Figure: same topology as Task 1; transform set DES, SHA-HMAC.
ciscoasa(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2]
asa1(config)# crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
- 34. Task 5: Create Dynamic Crypto Map
ciscoasa(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [… transform-set-name9]
asa1(config)# crypto dynamic-map RMT-DYNA-MAP 10 set transform-set REMOTEUSER1
- 35. Task 6: Assign Dynamic Crypto Map to Static Crypto Map
ciscoasa(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
asa1(config)# crypto map RMT-USER-MAP 10 ipsec-isakmp dynamic RMT-DYNA-MAP
- 36. Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface
ciscoasa(config)#
crypto map map-name interface interface-name
asa1(config)# crypto map RMT-USER-MAP interface outside
- 37. Task 8: Configure XAUTH
Task 8 contains the following steps:
Step 1: Enable AAA login authentication.
Step 2: Define AAA server IP address and encryption key.
Step 3: Enable IKE XAUTH for the tunnel group.
- 38. Step 1: Enable AAA Login Authentication
ciscoasa(config)#
aaa-server server-tag protocol server-protocol
asa1(config)# aaa-server MYTACACS protocol tacacs+
asa1(config-aaa-server-group)#
- 39. Step 2: Define AAA Server IP Address and Encryption Key
ciscoasa(config)#
aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
asa1(config)# aaa-server MYTACACS (inside) host 10.0.0.15 cisco123 timeout 5
asa1(config-aaa-server-host)#
- 40. Step 3: Enable IKE Xauth for Tunnel Group
Figure: same topology as Task 1; XAUTH between the remote client and the security appliance.
ciscoasa(config-tunnel-general)#
authentication-server-group [(interface-name)] server-group [LOCAL | NONE]
asa1(config)# tunnel-group TRAINING general-attributes
asa1(config-tunnel-general)# authentication-server-group MYTACACS
- 41. Task 9: Configure NAT and NAT 0
Figure: same topology as Task 1 with inside network 10.0.0.0. Traffic through the tunnel: Encrypted — No Translation. Other traffic: Clear Text — Translation.
asa1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
asa1(config)# nat (inside) 0 access-list 101
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
asa1(config)# global (outside) 1 interface
Matches ACL: Encrypted data and no translation (NAT 0)
Does not match ACL: Clear text and translation (PAT)
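The NAT 0 decision above as an added Python model, not Cisco code: the access list is taken from the commands shown and the pool bounds are the MYPOOL range from Task 2, while pool_exempted is a hypothetical check that the whole address pool is actually covered by the exemption.

```python
"""Model the NAT 0 decision of Task 9 for traffic leaving the inside interface.
Added illustration, not Cisco code: a flow that matches the NAT 0 access list
is sent encrypted and untranslated; anything else is translated (PAT)."""
import ipaddress
from typing import List, Tuple

# Constructed from the lesson's access-list 101: (action, source, destination),
# written as address/netmask exactly as the ASA command lists them
NAT0_ACL: List[Tuple[str, str, str]] = [
    ("permit", "10.0.0.0/255.255.255.0", "10.0.11.0/255.255.255.0"),
]
POOL_FIRST, POOL_LAST = "10.0.11.1", "10.0.11.254"   # MYPOOL from Task 2


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(spec, strict=False)   # accepts dotted netmasks


def nat_decision(src: str, dst: str, acl=NAT0_ACL) -> str:
    """Return 'nat0' (encrypted, no translation) or 'pat' (clear text, translated)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:          # first matching entry wins
        if s in _net(src_net) and d in _net(dst_net):
            return "nat0" if action == "permit" else "pat"
    return "pat"   # implicit deny: falls through to nat (inside) 1 / global (outside) 1


def pool_exempted(first: str = POOL_FIRST, last: str = POOL_LAST, acl=NAT0_ACL) -> bool:
    """Hypothetical check: is the whole Easy VPN address pool covered by a permit entry?"""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return any(action == "permit" and lo in _net(dst) and hi in _net(dst)
               for action, _, dst in acl)
```

A pool moved to 10.0.12.0/24 without updating access-list 101 fails pool_exempted, which is the misconfiguration that leaves VPN clients reaching the inside through PAT instead of the tunnel.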
- 42. Task 10: Enable IKE DPD
Figure: same topology as Task 1 with inside network 10.0.0.0. 1) DPD Send: Are you there? 2) DPD Reply: Yes, I am here.
ciscoasa(config-tunnel-ipsec)#
isakmp keepalive [threshold seconds] [retry seconds] [disable]
Configures the IKE DPD parameters
asa1(config)# tunnel-group TRAINING ipsec-attributes
asa1(config-tunnel-ipsec)# isakmp keepalive threshold 30 retry 10
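An added Python audit, not the lesson's or Cisco's code, that reads a constructed excerpt of the configuration built in Tasks 1-10 and flags what a reviewer would question: single DES and DH group 2 in the ISAKMP policy, esp-des in the transform set, a tunnel group with no Xauth server group, DPD disabled, and a pre-shared key below an assumed 16-character minimum.

```python
"""Audit ASA Easy VPN server config text for weak or missing settings.
Added illustration, not Cisco code; it assumes the submode layout shown
in this lesson and checks items that Tasks 1, 3, 4, 8 and 10 configure."""
from typing import Dict, List

WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}

# Constructed excerpt assembled from the commands shown in this lesson
SAMPLE_CONFIG = """\
isakmp policy 20
 encryption des
 group 2
crypto ipsec transform-set REMOTEUSER1 esp-des esp-sha-hmac
tunnel-group TRAINING general-attributes
 authentication-server-group MYTACACS
tunnel-group TRAINING ipsec-attributes
 pre-shared-key cisco123
 isakmp keepalive threshold 30 retry 10
"""


def _blocks(config: str) -> Dict[str, List[str]]:
    # Group indented subcommands under the top-level command that owns them
    blocks: Dict[str, List[str]] = {}
    parent = None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        elif not line.startswith(" "):
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks


def audit(config: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for parent, subs in _blocks(config).items():
        words = parent.split()
        if parent.startswith("isakmp policy"):                 # Task 1
            for kw, _, val in (s.partition(" ") for s in subs):
                if val in WEAK_ISAKMP.get(kw, ()):
                    findings.append(f"{parent}: weak {kw} {val}")
        elif parent.startswith("crypto ipsec transform-set"):  # Task 4
            weak = [t for t in words[4:] if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(f"{words[3]}: weak transform {' '.join(weak)}")
        elif parent.endswith("general-attributes"):            # Task 8: Xauth
            if not any(s.startswith("authentication-server-group") for s in subs):
                findings.append(f"tunnel-group {words[1]}: Xauth not enforced")
        elif parent.endswith("ipsec-attributes"):              # Tasks 3 and 10
            for s in subs:
                if s.startswith("isakmp keepalive disable"):
                    findings.append(f"tunnel-group {words[1]}: IKE DPD disabled")
                if s.startswith("pre-shared-key") and len(s.split(" ", 1)[1]) < 16:  # assumed
                    findings.append(f"tunnel-group {words[1]}: short pre-shared key")
    return findings
```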
- 43. Summary
Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
The Cisco Easy VPN Server adds several new commands to Cisco PIX Security Appliance Software Version 6.3 and later versions.
The Cisco VPN Client enables software-based VPN remote access.
- 44. Lab Visual Objective
Figure: lab topology. Student PC with VPN Client at 172.26.26.P, RBB, the security appliance, and Web and FTP servers; networks 172.26.26.0, 192.168.P.0 and 10.0.P.0 with host addresses .150, .1, .2, .1 and .10.