© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—15-1 Lesson 15 Configuring PIX Firewall Remote Access Using Cisco Easy VPN


Lesson 15

Configuring PIX Firewall Remote Access Using Cisco Easy VPN


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the Easy VPN Server.
• Describe the Easy VPN Remote.
• Configure the Easy VPN Server.
• Configure the Easy VPN Remote using the Cisco VPN Client Release 3.6.


Introduction to the Cisco Easy VPN


The Cisco Easy VPN

Figure: Easy VPN Servers and Easy VPN Remote devices.
Easy VPN Servers: Cisco IOS > 12.2(8)T router; PIX Firewall > 6.2; Cisco VPN 3000 > 3.11 (> 3.5.1 recommended).
Easy VPN Remote: Cisco VPN Client 3.x; Cisco 800 Series Router; Cisco 900 Series Router; Cisco 1700 Series Router; Cisco VPN 3002 Hardware Client; Cisco PIX 501/506 Firewall.


Overview of the Easy VPN Server


Cisco Easy VPN Server Features

• The Cisco PIX Firewall Software Version 6.2 Easy VPN Server introduces server support for the Cisco Easy VPN Remote Clients.
• It allows remote end users to communicate using IPSec with supported PIX Firewall VPN gateways.
• Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.


PIX Firewall Version 6.3 Easy VPN Server Functions

• User-level authentication
• Updated VPN 3000 support
• Certificate support
• Diffie-Hellman group 5 support
• AES encryption support


Supported Easy VPN Servers

Figure: supported Easy VPN Servers (highlighted): Cisco IOS > 12.2(8)T router; PIX Firewall > 6.2; Cisco VPN 3000 > 3.11 (> 3.5.1 recommended). Shown alongside them as Easy VPN Remote devices: Cisco VPN Client 3.x, Cisco 800 Series Router, Cisco 900 Series Router, Cisco 1700 Series Router, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall.


Overview of the Easy VPN Remote Feature


Implementing Easy VPN Remote

Figure: Easy VPN Remote devices (PC with Easy Remote VPN Client 3.x, Cisco 800 Series Router, Cisco 900 Series Router, Cisco 1700 Series Router, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall) connecting to an Easy VPN Server (PIX Firewall version 6.2).


Supported Easy VPN Remote Clients

• Cisco VPN Client (software version) > 3.x
• Cisco VPN 3002 Hardware Client > 3.x
• Cisco PIX Firewall 501/506 VPN client > 6.2
• Cisco Easy VPN Remote router clients
  – Cisco 800 Series
  – Cisco 900 Series
  – Cisco 1700 Series


Cisco VPN Client Software Version > 3.x

• Software-based Cisco VPN Client

• Supports several operating systems

• Comes standard with the Cisco VPN 3000 Series Concentrator

• Available for download from Cisco.com

• Supports Cisco VPN Client protocol


Cisco VPN 3002 Hardware Client > 3.x

Figure: Cisco VPN 3002 Hardware Client and Cisco VPN 3002-8E Hardware Client (panel labels: Private, Public, Console, Hardware reset, Power).

Supports Cisco VPN Client protocol


Cisco PIX Firewall 501 and 506 VPN Client

Figure: PIX Firewall 501 and PIX Firewall 506/506E.


Cisco Easy VPN Remote Router Clients

• All models support the Cisco VPN Client protocol.

• Always check Cisco.com for the latest listing of supported Cisco Easy VPN Remote router clients.

800 Series: 806, 826, 827, 828
900 Series: uBR905, uBR925
1700 Series: 1710, 1720, 1721, 1750, 1751, 1760


Easy VPN Remote Modes of Operation

Easy VPN Remote supports two modes of operation:
• Client mode
  – Specifies that NAT/PAT be used.
  – Client automatically configures the NAT/PAT translation and ACLs needed to implement the VPN tunnel.
  – Supports split tunneling.
• Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
  – PAT is not used.
  – Supports split tunneling.


Easy VPN Remote Client Mode

Figure: Easy VPN Remote client mode. A PIX Firewall 501/506 (Easy VPN Remote) applies PAT and builds a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24. Address labels in the diagram: 192.168.1.1, 192.168.1.2, 192.168.1.3, 10.0.1.2.


Easy VPN Remote Network Extension Mode

Figure: Easy VPN Remote network extension mode. A Cisco 1710 router (Easy VPN Remote, 12.2(8)YJ) with 172.16.10.4, 172.16.10.5 and 172.16.10.6 behind it, and a PIX Firewall 501 (Easy VPN Remote) with 172.16.20.5 and 172.16.20.6 behind it, each build a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24.


Overview of the Cisco VPN 3.6 Client


Cisco VPN Client Release 3.6

Figure: Cisco VPN Client Release 3.6 window (screenshot; the address shown is 192.168.1.5).


Cisco VPN Client 3.6 Features and Benefits

The Cisco VPN Client provides the following features and benefits:
• Intelligent peer availability detection
• SCEP
• Data compression (LZS)
• Command-line options for connecting, disconnecting, and connection status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• DNS, WINS, and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies
• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
• Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)


Cisco VPN Client 3.6 Specifications

• Supported tunneling protocols
• Supported encryption/authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management


How the Cisco Easy VPN Works


The Easy VPN Remote Connection Process

• Step 1—The VPN Client initiates the IKE Phase 1 process.
• Step 2—The VPN Client negotiates an IKE SA.
• Step 3—The Easy VPN Server accepts the SA proposal.
• Step 4—The Easy VPN Server initiates a username/password challenge.
• Step 5—The mode configuration process is initiated.
• Step 6—IKE quick mode completes the connection.


Step 1—Cisco VPN Client Initiates IKE Phase 1 Process

• Using preshared keys? Initiate AM (IKE aggressive mode).
• Using digital certificates? Initiate MM (IKE main mode).

Figure: Remote PC with Easy Remote VPN Client 3.x initiates IKE Phase 1 toward the PIX Firewall 6.2 Easy VPN Server.


Step 2—Cisco VPN Client Negotiates an IKE SA

• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server.

• To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
  – Encryption and hash algorithms
  – Authentication methods
  – DH group sizes

Figure: Remote PC with Easy Remote VPN Client 3.x sends proposal 1, proposal 2, proposal 3 to the PIX Firewall 6.2 Easy VPN Server.


Step 3—The Easy VPN Server Accepts SA Proposal

• The Easy VPN Server searches for a match:
  – The first proposal to match the server's list is accepted (highest priority match).
  – The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.

Figure: the PIX Firewall 6.2 Easy VPN Server checks the proposals sent by the Remote PC with Easy Remote VPN Client 3.x and finds a match on proposal 1.


Step 4—The Easy VPN Server Initiates a Username/Password Challenge

• If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
  – The user enters a username/password combination.
  – The username/password information is checked against authentication entities using AAA.
• All Easy VPN Servers should be configured to enforce user authentication.

Figure: the PIX Firewall 6.2 Easy VPN Server sends a username/password challenge to the Remote PC with Easy Remote VPN Client 3.x; the returned username/password is checked through AAA.


Step 5—The Mode Configuration Process is Initiated

• If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
  – Mode configuration starts.
  – The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.

Figure: the Remote PC with Easy Remote VPN Client 3.x requests parameters; the PIX Firewall 6.2 Easy VPN Server returns the system parameters via mode config.


Step 6—IKE Quick Mode Completes the Connection

• After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment.

• After IPSec SA establishment, the VPN connection is complete.

Figure: quick mode between the Remote PC with Easy Remote VPN Client 3.x and the PIX Firewall 6.2 Easy VPN Server establishes the IPSec SA and brings up the VPN tunnel.


Configuring the Easy VPN Server for Extended Authentication


Easy VPN Server General Configuration Tasks

The following general tasks are used to configure Easy VPN Server on a PIX Firewall:
• Task 1—Create ISAKMP policy for remote VPN Client access.
• Task 2—Create IP address pool.
• Task 3—Define group policy for mode configuration push.
• Task 4—Create transform set.
• Task 5—Create dynamic crypto map.
• Task 6—Assign dynamic crypto map to static crypto map.
• Task 7—Apply crypto map to PIX Firewall interface.
• Task 8—Configure XAUTH.
• Task 9—Configure NAT and NAT 0.
• Task 10—Enable IKE DPD.


Task 1—Create ISAKMP Policy for Remote VPN Client Access

pix1(config)# isakmp enable outside

pix1(config)# isakmp policy 20 authentication pre-share

pix1(config)# isakmp policy 20 encryption des

pix1(config)# isakmp policy 20 hash sha

pix1(config)# isakmp policy 20 group 2

Figure: the remote client 192.168.1.5 reaches the PIX Firewall (inside/outside, 172.26.26.1) across the Internet; the server 10.0.0.15 sits on the inside. ISAKMP policy: pre-share, DES, SHA, group 2.


Task 2—Create IP Address Pool

pixfirewall(config)#ip local pool pool_name address-pool

pix1(config)# ip local pool vpnpool 10.0.11.1-10.0.11.254

• Creates an optional local address pool if the remote client is using the remote server as an external DHCP server.

Figure: same topology (remote client 192.168.1.5, PIX Firewall inside/outside 172.26.26.1, server 10.0.0.15); the address pool vpnpool 10.0.11.1-10.0.11.254 is defined on the PIX Firewall.


Group Policy

Figure: group policies. The Easy VPN Server pushes an Engineering policy, a Marketing policy and a Training policy to the matching clients (Eng, Mktg) across the Internet; internal networks shown are 10.0.0.0/24 and 10.0.1.0/24.


Task 3—Define Group Policy for Mode Configuration Push

Task 3 contains the following steps:
• Step 1—Configure the IKE pre-shared key.
• Step 2—Specify the DNS servers.
• Step 3—Specify the WINS servers.
• Step 4—Specify the DNS domain.
• Step 5—Specify the local IP address pool.
• Step 6—Specify idle timeout.


Step 1—Configure IKE Pre-Shared Key

pixfirewall(config)#vpngroup group_name password preshared_key

pix1(config)# vpngroup rmt_user_1 password cisco123

Figure: the VPN group parameters (pre-share key, DNS server, WINS server, DNS domain, address pool, idle time) are defined on the PIX Firewall (inside/outside 172.26.26.1; server 10.0.0.15) and pushed to the remote client. The same diagram accompanies each of the six steps of this task.


Step 2—Specify DNS Servers

pixfirewall(config)#vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]

pix1(config)# vpngroup rmt_user_1 dns-server 10.0.0.15



Step 3—Specify WINS Servers

pixfirewall(config)#vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]

pix1(config)# vpngroup rmt_user_1 wins-server 10.0.0.15



Step 4—Specify DNS Domain

pixfirewall(config)#vpngroup group_name default-domain domain_name

pix1(config)# vpngroup rmt_user_1 default-domain cisco.com



Step 5—Specify Local IP Address Pool

pixfirewall(config)#vpngroup group_name address-pool pool_name

pix1(config)# vpngroup rmt_user_1 address-pool vpnpool



Step 6—Specify Idle Time

pixfirewall(config)#vpngroup group_name idle-time idle_seconds

pix1(config)# vpngroup rmt_user_1 idle-time 600



Task 4—Create Transform Set

pix1(config)#crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

pix1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac

Figure: transform set DES / SHA-HMAC on the PIX Firewall (inside/outside 172.26.26.1; server 10.0.0.15); remote client 192.168.1.5.


Task 5—Create Dynamic Crypto Map

pixfirewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1

pix1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1



Task 6—Assign Dynamic Crypto Map to Static Crypto Map

pixfirewall(config)#crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]

pix1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map



Task 7—Apply Dynamic Crypto Map to PIX Firewall Outside Interface

pixfirewall(config)# crypto map map-name interface interface-name

pix1(config)# crypto map rmt-user-map interface outside



Task 8—Configure XAUTH

Task 8 contains the following steps:
• Step 1—Enable AAA login authentication.
• Step 2—Define AAA server IP address and encryption key.
• Step 3—Enable IKE XAUTH for the dynamic crypto map.


Step 1—Enable AAA Login Authentication

pixfirewall(config)#aaa-server server_tag protocol auth_protocol

pix1(config)# aaa-server mytacacs protocol tacacs+

Figure: remote client 192.168.1.5, PIX Firewall (inside/outside 172.26.26.1), TACACS+ server 10.0.0.15 on the inside. The same diagram accompanies each of the three XAUTH steps.


Step 2—Define AAA Server IP Address and Encryption Key

pixfirewall(config)#aaa-server server_tag [(if_name)] host server_ip [key][timeout seconds]

pix1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5



Step 3—Enable IKE XAUTH for Crypto Map

pixfirewall(config)#crypto map map-name client [token] authentication aaa-server-name

pix1(config)# crypto map rmt-user-map client authentication mytacacs



Task 9—Configure NAT and NAT 0

pix1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
pix1(config)# nat (inside) 0 access-list 101
pix1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pix1(config)# global (outside) 1 interface

Figure: traffic from 10.0.0.0 to 10.0.11.0 (the VPN client pool) is encrypted and not translated; other traffic leaves in clear text and is translated. Remote client 192.168.1.5; TACACS+ server 10.0.0.15.

• Matches ACL—Encrypted data and no translation (NAT 0)
• Does not match ACL—Clear text and translation (PAT)


Task 10—Enable IKE DPD

Figure: DPD exchange between the PIX Firewall (inside 10.0.0.0, pool 10.0.11.0) and the remote client across the Internet: 1) DPD send: Are you there? 2) DPD reply: Yes, I am here.

pixfirewall(config)#isakmp keepalive seconds [retry_seconds]

pix1(config)# isakmp keepalive 30 10

• seconds—Number of seconds between DPD messages
• retry_seconds—Number of seconds between retries


Easy VPN Server Configuration Summary

version 6.3(2)
hostname pix1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Configure IPSec transform set and dynamic crypto map.
!--- The dynamic map must reference the transform set defined above.
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside


Easy VPN Server Configuration Summary (Cont.)

!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure VPNGroup parameters, to be sent down to the client.
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 dns-server 10.0.0.15
vpngroup rmt_user_1 wins-server 10.0.0.15
vpngroup rmt_user_1 default-domain cisco.com
vpngroup rmt_user_1 password ********
vpngroup rmt_user_1 idle-time 600
!--- Configure AAA-Server and Xauth parameters.
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
crypto map rmt-user-map client authentication mytacacs


Easy VPN Server Configuration Summary (Cont.)

!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0

!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- and NAT exemption (nat 0) for IPSec traffic to the client pool.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!--- Enable IKE keepalives (DPD) on the PIX gateway.
isakmp keepalive 30 10
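As an added example (not part of the Cisco course material), the Python script below parses a PIX Easy VPN Server configuration of the kind shown in the summary and checks it against the ten server tasks: ISAKMP enabled on the interface the crypto map is applied to, the dynamic map's transform set and the vpngroup's address pool actually defined, XAUTH enforced through a defined aaa-server, the address pool covered by the nat 0 access list, and DPD enabled. SAMPLE_CONFIG is constructed from the summary and deliberately names a transform set (myset) that is never defined, the kind of mismatch that is easy to introduce because Task 4 and Task 5 name the set independently.

```python
"""Lint a PIX 6.x Easy VPN Server config against the lesson's server-side tasks.
Added example, not from the Cisco course: parses the subset of PIX commands the
lesson uses and reports dangling references and missing pieces; SAMPLE_CONFIG is
constructed (abridged) from the lesson's configuration summary."""
import ipaddress

SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 10.0.11.1-10.0.11.254
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 idle-time 600
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
crypto map rmt-user-map client authentication mytacacs
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp keepalive 30 10
"""


def parse(config):
    """Collect the named objects and cross-references the checks need."""
    c = {"isakmp_ifaces": set(), "transform_sets": set(), "dyn_maps": {},
         "maps": {}, "map_iface": {}, "map_xauth": {}, "pools": {},
         "group_pool": {}, "aaa": set(), "acls": {}, "nat0_acl": None,
         "keepalive": None}
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):  # skip blank lines and !--- comments
            continue
        if w[:2] == ["isakmp", "enable"]:
            c["isakmp_ifaces"].add(w[2])
        elif w[:2] == ["isakmp", "keepalive"]:
            c["keepalive"] = tuple(int(x) for x in w[2:])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transform_sets"].add(w[3])
        elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
            c["dyn_maps"][w[2]] = w[w.index("transform-set") + 1]
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            if "dynamic" in w:  # static map that binds a dynamic map (Task 6)
                c["maps"].setdefault(w[2], set()).add(w[w.index("dynamic") + 1])
            elif w[3] == "interface":  # Task 7
                c["map_iface"][w[2]] = w[4]
            elif w[3] == "client":  # XAUTH: "client authentication <aaa-server>"
                c["map_xauth"][w[2]] = w[-1]
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            c["pools"][w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "vpngroup" and w[2] == "address-pool":
            c["group_pool"][w[1]] = w[3]
        elif w[0] == "aaa-server" and w[2] == "protocol":
            c["aaa"].add(w[1])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            c["acls"][w[1]] = ipaddress.ip_network(f"{w[6]}/{w[7]}")  # destination
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            c["nat0_acl"] = w[4]
    return c


def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    c, out = parse(config), []
    if not c["isakmp_ifaces"]:
        out.append("Task 1: ISAKMP is not enabled on any interface")
    for dm, ts in c["dyn_maps"].items():
        if ts not in c["transform_sets"]:
            out.append(f"Task 5: dynamic map {dm} references undefined transform-set {ts}")
    for m in c["maps"]:
        iface = c["map_iface"].get(m)
        if iface is None:
            out.append(f"Task 7: crypto map {m} is not applied to any interface")
        elif iface not in c["isakmp_ifaces"]:
            out.append(f"Task 1/7: ISAKMP is not enabled on {iface}, where {m} is applied")
        tag = c["map_xauth"].get(m)
        if tag is None:
            out.append(f"Task 8: crypto map {m} does not enforce XAUTH user authentication")
        elif tag not in c["aaa"]:
            out.append(f"Task 8: crypto map {m} references undefined aaa-server {tag}")
    for g, pool in c["group_pool"].items():
        if pool not in c["pools"]:
            out.append(f"Task 3: vpngroup {g} references undefined address pool {pool}")
    acl = c["acls"].get(c["nat0_acl"])
    if acl is None:
        out.append("Task 9: no nat 0 access-list; VPN client traffic would be translated")
    else:
        for name, (lo, hi) in c["pools"].items():
            if lo not in acl or hi not in acl:  # pool must be the nonat ACL destination
                out.append(f"Task 9: pool {name} is outside the nat 0 ACL destination {acl}")
    if c["keepalive"] is None:
        out.append("Task 10: IKE DPD (isakmp keepalive) is not enabled")
    return out


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample it reports only the dangling myset reference; pointing the dynamic map at remoteuser1 clears the report.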


Cisco VPN Client 3.6 Manual Configuration Tasks

The following general tasks are used to configure Cisco VPN Client 3.6:
• Task 1—Install Cisco VPN Client 3.x.
• Task 2—Create a New Connection Entry.
• Task 3—(Optional) Modify VPN Client Options.
• Task 4—Configure VPN Client General Properties.
• Task 5—Configure VPN Client Authentication Properties.
• Task 6—Configure VPN Client Connection Properties.


Task 1—Install Cisco VPN Client 3.x


Task 2—Create New Connection Entry

Figure: New Connection Entry dialog (screenshot; the values shown are rmt_user_1 and 192.168.1.5).


Task 3—(Optional) Modify Cisco VPN Client Options


Task 4—Configure Cisco VPN Client General Properties

Figure: General Properties dialog (screenshots for Win 95/98/ME and Win-NT 4/2000/XP).


Task 5—Configure Cisco VPN Client Authentication Properties

The end user never sees this after the initial configuration.


Task 6—Configure Cisco VPN Client Connection Properties


Working with the Cisco VPN 3.6 Client


Cisco VPN Client Program Menu


Cisco VPN Client Log Viewer

Figure: Log Viewer window (screenshot) with its tool bar and log display.


Setting MTU Size


Cisco VPN Client Connection Status—General Tab


Cisco VPN Client Connection Status—Statistics Tab


Summary

• Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
• The Easy VPN Server adds several new commands to PIX Firewall version 6.3.
• The Cisco VPN Client release 3.6 can be configured manually by users or automatically using preconfiguration files.


Lab Exercise


Lab Visual Objective

Figure: lab topology. Student PC with VPN Client on 192.168.P.0; PIX Firewall between 172.26.26.P (outside, toward RBB on 172.26.26.0) and 10.0.P.0 (inside); Web/FTP server at .10 on the inside network. Other address labels in the diagram: .1, .2, .150.