The presentation was published 10 years ago by user Наталия Лалетина.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA
Slide 1: Lesson 15, Configuring PIX Firewall Remote Access Using Cisco Easy VPN
Slide 2: Objectives

Slide 3: Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
– Describe the Easy VPN Server.
– Describe the Easy VPN Remote.
– Configure the Easy VPN Server.
– Configure the Easy VPN Remote using the Cisco VPN Client Release 3.6.

Slide 4: Introduction to the Cisco Easy VPN

Slide 5: The Cisco Easy VPN
Easy VPN Servers:
– Cisco IOS > 12.2(8)T router
– PIX Firewall > 6.2
– Cisco VPN 3000 > 3.11 (> recommended)
Easy VPN Remote:
– Cisco VPN Client 3.x
– Cisco 800 Series Router
– Cisco 900 Series Router
– Cisco 1700 Series Router
– Cisco VPN 3002 Hardware Client
– Cisco PIX 501/506 Firewall

Slide 6: Overview of the Easy VPN Server
Slide 7: Cisco Easy VPN Server Features
The Cisco PIX Firewall Software Version 6.2 Easy VPN Server introduces server support for the Cisco Easy VPN Remote clients. It allows remote end users to communicate over IPSec with supported PIX Firewall VPN gateways. Centrally managed IPSec policies are pushed to the clients by the server, which minimizes the configuration the end users have to perform.

Slide 8: PIX Firewall Version 6.3 Easy VPN Server Functions
– User-level authentication
– Updated VPN 3000 support
– Certificate support
– Diffie-Hellman group 5 support
– AES encryption support

Slide 9: Supported Easy VPN Servers
– Cisco IOS > 12.2(8)T router
– PIX Firewall > 6.2
– Cisco VPN 3000 > 3.11 (> recommended)
(Diagram: the Easy VPN Remote devices, Cisco VPN Client 3.x, Cisco 800/900/1700 Series routers, Cisco VPN 3002 Hardware Client and Cisco PIX 501/506 Firewall, connecting to the Easy VPN Servers.)
Slide 10: Overview of the Easy VPN Remote Feature

Slide 11: Implementing Easy VPN Remote
(Diagram: Easy VPN Remote devices, a PC with the Easy VPN Remote Client 3.x, Cisco 800/900/1700 Series routers, Cisco VPN 3002 Hardware Client and Cisco PIX 501/506 Firewall, connecting to a PIX Firewall version 6.2 Easy VPN Server.)

Slide 12: Supported Easy VPN Remote Clients
– Cisco VPN Client (software version) > 3.x
– Cisco VPN 3002 Hardware Client > 3.x
– Cisco PIX Firewall 501/506 VPN client > 6.2
– Cisco Easy VPN Remote router clients
  – Cisco 800 Series
  – Cisco 900 Series
  – Cisco 1700 Series

Slide 13: Cisco VPN Client Software Version > 3.x
– Software-based Cisco VPN Client
– Supports several operating systems
– Comes standard with the Cisco VPN 3000 Series Concentrator
– Available for download from Cisco.com
– Supports Cisco VPN Client protocol

Slide 14: Cisco VPN 3002 Hardware Client > 3.x
(Figure: front panels of the Cisco VPN 3002 Hardware Client and of the "E" model, each showing Private, Public, Console, hardware reset and Power.)
– Supports Cisco VPN Client protocol

Slide 15: Cisco PIX Firewall 501 and 506 VPN Client
(Figure: PIX Firewall 501 and PIX Firewall 506/506E.)

Slide 16: Cisco Easy VPN Remote Router Clients
All models support the Cisco VPN Client protocol. Always check Cisco.com for the latest listing of supported Cisco Easy VPN Remote router clients.
(Figure: 800 Series (including the 806 and uBR models), 900 Series and 1700 Series routers.)
Slide 17: Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
– Client mode
  – Specifies that NAT/PAT be used.
  – The client automatically configures the NAT/PAT translation and the ACLs needed to implement the VPN tunnel.
  – Supports split tunneling.
– Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
  – PAT is not used.
  – Supports split tunneling.

Slide 18: Easy VPN Remote Client Mode
(Diagram: a PIX Firewall 501/506 acting as Easy VPN Remote builds a VPN tunnel to a PIX Firewall 525 Easy VPN Server; the hosts on the remote /24 network are PATed behind the tunnel.)

Slide 19: Easy VPN Remote Network Extension Mode
(Diagram: a Cisco 1710 router running 12.2(8)YJ and a PIX Firewall 501, each acting as Easy VPN Remote, build VPN tunnels to a PIX Firewall 525 Easy VPN Server; the remote /24 network keeps its routable addresses.)
Slide 20: Overview of the Cisco VPN 3.6 Client

Slide 21: Cisco VPN Client Release

Slide 22: Cisco VPN Client 3.6 Features and Benefits
The Cisco VPN Client provides the following features and benefits:
– Intelligent peer availability detection
– SCEP
– Data compression (LZS)
– Command-line options for connecting, disconnecting, and connection status
– Configuration file with option locking
– Support for Microsoft network login (all platforms)
– DNS, WINS, and IP address assignment
– Load balancing and backup server support
– Centrally controlled policies
– Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
– Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)

Slide 23: Cisco VPN Client 3.6 Specifications
– Supported tunneling protocols
– Supported encryption/authentication
– Supported key management techniques
– Supported data compression technique
– Digital certificate support
– Authentication methodologies
– Profile management
– Policy management

Slide 24: How the Cisco Easy VPN Works
Slide 25: The Easy VPN Remote Connection Process
– Step 1: The VPN Client initiates the IKE Phase 1 process.
– Step 2: The VPN Client negotiates an IKE SA.
– Step 3: The Easy VPN Server accepts the SA proposal.
– Step 4: The Easy VPN Server initiates a username/password challenge.
– Step 5: The mode configuration process is initiated.
– Step 6: IKE quick mode completes the connection.

Slide 26: Step 1: Cisco VPN Client Initiates IKE Phase 1 Process
– Using preshared keys? Initiate AM (aggressive mode).
– Using digital certificates? Initiate MM (main mode).
(Diagram: remote PC with Easy VPN Remote Client 3.x and PIX Firewall 6.2 Easy VPN Server.)

Slide 27: Step 2: Cisco VPN Client Negotiates an IKE SA
The Cisco VPN Client attempts to establish an SA between the peer IP addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
(Diagram: the remote PC sends proposal 1, proposal 2, proposal 3 to the PIX Firewall 6.2 Easy VPN Server.)

Slide 28: Step 3: The Easy VPN Server Accepts SA Proposal
The Easy VPN Server searches for a match:
– The first proposal to match the server's list is accepted (highest-priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
The IKE SA is successfully established. Device authentication ends and user authentication begins.
(Diagram: proposal checking on the PIX Firewall 6.2 Easy VPN Server finds that proposal 1 matches.)

Slide 29: Step 4: The Easy VPN Server Initiates a Username/Password Challenge
If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.
(Diagram: the PIX Firewall 6.2 Easy VPN Server sends the username/password challenge to the remote PC and checks the returned username/password via AAA.)

Slide 30: Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
(Diagram: the remote PC requests parameters; the PIX Firewall 6.2 Easy VPN Server returns the system parameters via mode config.)

Slide 31: Step 6: IKE Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment. After the IPSec SA is established, the VPN connection is complete.
(Diagram: quick mode and IPSec SA establishment between the remote PC and the PIX Firewall 6.2 Easy VPN Server, resulting in the VPN tunnel.)
Slide 32: Configuring the Easy VPN Server for Extended Authentication

Slide 33: Easy VPN Server General Configuration Tasks
The following general tasks are used to configure the Easy VPN Server on a PIX Firewall:
– Task 1: Create ISAKMP policy for remote VPN Client access.
– Task 2: Create IP address pool.
– Task 3: Define group policy for mode configuration push.
– Task 4: Create transform set.
– Task 5: Create dynamic crypto map.
– Task 6: Assign dynamic crypto map to static crypto map.
– Task 7: Apply crypto map to PIX Firewall interface.
– Task 8: Configure XAUTH.
– Task 9: Configure NAT and NAT 0.
– Task 10: Enable IKE DPD.
Slide 34: Task 1: Create ISAKMP Policy for Remote VPN Client Access
  pix1(config)# isakmp enable outside
  pix1(config)# isakmp policy 20 authentication pre-share
  pix1(config)# isakmp policy 20 encryption des
  pix1(config)# isakmp policy 20 hash sha
  pix1(config)# isakmp policy 20 group 2
(Diagram: remote client across the Internet from the PIX outside interface, server on the inside; ISAKMP policy: pre-share, DES, SHA, group 2.)

Slide 35: Task 2: Create IP Address Pool
  pixfirewall(config)# ip local pool pool_name address-pool
  pix1(config)# ip local pool vpnpool
Creates an optional local address pool, used when the remote client relies on the remote server as an external DHCP server.
(Diagram: the pool vpnpool on the PIX.)

Slide 36: Group Policy
(Diagram: the Easy VPN Server pushes a separate policy to each client group: Engineering Policy to Eng, Marketing Policy to Mktg, Training Policy to Training.)

Slide 37: Task 3: Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
– Step 1: Configure the IKE pre-shared key.
– Step 2: Specify the DNS servers.
– Step 3: Specify the WINS servers.
– Step 4: Specify the DNS domain.
– Step 5: Specify the local IP address pool.
– Step 6: Specify the idle timeout.

Slide 38: Step 1: Configure IKE Pre-Shared Key
  pixfirewall(config)# vpngroup group_name password preshared_key
  pix1(config)# vpngroup rmt_user_1 password cisco123
(Diagram: the VPN group attributes pushed to the client: pre-share, DNS server, WINS server, DNS domain, address pool, idle time.)

Slide 39: Step 2: Specify DNS Servers
  pixfirewall(config)# vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
  pix1(config)# vpngroup rmt_user_1 dns-server

Slide 40: Step 3: Specify WINS Servers
  pixfirewall(config)# vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]
  pix1(config)# vpngroup rmt_user_1 wins-server

Slide 41: Step 4: Specify DNS Domain
  pixfirewall(config)# vpngroup group_name default-domain domain_name
  pix1(config)# vpngroup rmt_user_1 default-domain cisco.com

Slide 42: Step 5: Specify Local IP Address Pool
  pixfirewall(config)# vpngroup group_name address-pool pool_name
  pix1(config)# vpngroup rmt_user_1 address-pool vpnpool

Slide 43: Step 6: Specify Idle Time
  pixfirewall(config)# vpngroup group_name idle-time idle_seconds
  pix1(config)# vpngroup rmt_user_1 idle-time 600

Slide 44: Task 4: Create Transform Set
  pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
  pix1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
(Diagram: transform set DES, SHA-HMAC.)

Slide 45: Task 5: Create Dynamic Crypto Map
  pixfirewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1
  pix1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1

Slide 46: Task 6: Assign Dynamic Crypto Map to Static Crypto Map
  pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
  pix1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map

Slide 47: Task 7: Apply Dynamic Crypto Map to PIX Firewall Outside Interface
  pixfirewall(config)# crypto map map-name interface interface-name
  pix1(config)# crypto map rmt-user-map interface outside

Slide 48: Task 8: Configure XAUTH
Task 8 contains the following steps:
– Step 1: Enable AAA login authentication.
– Step 2: Define the AAA server IP address and encryption key.
– Step 3: Enable IKE XAUTH for the dynamic crypto map.

Slide 49: Step 1: Enable AAA Login Authentication
  pixfirewall(config)# aaa-server server_tag protocol auth_protocol
  pix1(config)# aaa-server mytacacs protocol tacacs+
(Diagram: remote client across the Internet; TACACS+ server on the inside.)

Slide 50: Step 2: Define AAA Server IP Address and Encryption Key
  pixfirewall(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
  pix1(config)# aaa-server mytacacs (inside) host cisco123 timeout 5

Slide 51: Step 3: Enable IKE XAUTH for Crypto Map
  pixfirewall(config)# crypto map map-name client [token] authentication aaa-server-name
  pix1(config)# crypto map rmt-user-map client authentication mytacacs
(Diagram: XAUTH between the remote client and the PIX, backed by the TACACS+ server.)

Slide 52: Task 9: Configure NAT and NAT 0
  pix1(config)# access-list 101 permit ip
  pix1(config)# nat (inside) 0 access-list 101
  pix1(config)# nat (inside)
  pix1(config)# global (outside) 1 interface
(Diagram: traffic that matches the ACL is encrypted and not translated (NAT 0); traffic that does not match the ACL is sent in clear text and translated (PAT).)

Slide 53: Task 10: Enable IKE DPD
  pixfirewall(config)# isakmp keepalive seconds [retry_seconds]
    seconds: number of seconds between DPD messages
    retry_seconds: number of seconds between retries
  pix1(config)# isakmp keepalive
(Diagram: 1) DPD send: "Are you there?" 2) DPD reply: "Yes, I am here.")
Slide 54: Easy VPN Server Configuration Summary
  version 6.3(2)
  hostname pix1
  !--- Configure Phase 1 Internet Security Association
  !--- and Key Management Protocol (ISAKMP) parameters.
  isakmp enable outside
  isakmp identity address
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption aes
  isakmp policy 10 hash md5
  isakmp policy 10 group 2
  isakmp policy 10 lifetime
  !--- Configure IPSec transform set and dynamic crypto map.
  !--- The dynamic map must reference the transform set defined above.
  crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
  crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
  crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
  !--- Apply crypto map to the outside interface.
  crypto map rmt-user-map interface outside

Slide 55: Easy VPN Server Configuration Summary (Cont.)
  !--- Configure remote client pool of IP addresses.
  ip local pool ippool
  !--- Configure vpngroup parameters, to be sent down to the client.
  vpngroup rmt_user_1 address-pool ippool
  vpngroup rmt_user_1 dns-server
  vpngroup rmt_user_1 wins-server
  vpngroup rmt_user_1 default-domain cisco.com
  vpngroup rmt_user_1 idle-time 600
  vpngroup rmt_user_1 password ********
  !--- Configure AAA server and XAUTH parameters.
  aaa-server mytacacs protocol tacacs+
  aaa-server mytacacs (inside) host cisco123 timeout 5
  crypto map rmt-user-map client authentication mytacacs

Slide 56: Easy VPN Server Configuration Summary (Cont.)
  !--- Specify "nonat" access list.
  access-list 101 permit ip
  !--- Configure Network Address Translation (NAT)/
  !--- Port Address Translation (PAT) for regular traffic,
  !--- and NAT exemption (nat 0) for IPSec traffic.
  nat (inside) 0 access-list 101
  nat (inside)
  global (outside) 1 interface
  !--- Enable IKE keepalives (DPD) on the PIX gateway.
  isakmp keepalive 30 10
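As an added example, not Cisco's code and not part of the lesson, a short Python checker that parses the command syntax shown in the configuration summary above and reports the cross-reference and policy problems a reviewer would look for before the server goes live: a dynamic map naming a transform set that was never defined, a crypto map applied without XAUTH (the lesson says every Easy VPN Server should enforce user authentication), a vpngroup without a pre-shared key, a nat 0 statement pointing at a missing access list, missing DPD, and DES/MD5/group 1 where 6.3 offers AES, SHA and group 5. The sample configuration, its pool range, ACL subnets and key are constructed placeholders.

```python
"""Static sanity checks for a PIX 6.x Easy VPN Server configuration (added example, not Cisco code)."""
import re

# Constructed sample modelled on the lesson's configuration summary. The pool
# range, ACL subnets and the pre-shared key are placeholders, not slide values.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 10.0.20.1-10.0.20.254
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 password PLACEHOLDER_PSK
aaa-server mytacacs protocol tacacs+
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list 101
isakmp keepalive 30 10
"""

def _names(lines: list, pattern: str) -> set:
    # First capture group of every line that matches pattern.
    return {m.group(1) for l in lines if (m := re.match(pattern, l))}

def audit(config: str) -> list:
    # Returns human-readable findings; an empty list means every check passed.
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    text = "\n".join(lines)
    findings = []
    transform_sets = _names(lines, r"crypto ipsec transform-set (\S+)")
    aaa_servers = _names(lines, r"aaa-server (\S+) protocol ")
    acls = _names(lines, r"access-list (\S+) ")
    # Task 5: the dynamic map must point at a transform set that exists.
    for dmap, tset in re.findall(r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)", text):
        if tset not in transform_sets:
            findings.append(f"dynamic map {dmap} uses undefined transform set {tset}")
    # Tasks 7 and 8: every crypto map applied to an interface needs XAUTH.
    for cmap, _iface in re.findall(r"crypto map (\S+) interface (\S+)", text):
        xauth = re.search(rf"crypto map {re.escape(cmap)} client (?:token )?authentication (\S+)", text)
        if xauth is None:
            findings.append(f"crypto map {cmap} has no XAUTH (client authentication)")
        elif xauth.group(1) not in aaa_servers:
            findings.append(f"XAUTH on {cmap} names undefined aaa-server {xauth.group(1)}")
    # Task 3: every vpngroup needs a pre-shared key.
    for group in sorted(_names(lines, r"vpngroup (\S+) ")):
        if not re.search(rf"^vpngroup {re.escape(group)} password ", text, re.M):
            findings.append(f"vpngroup {group} has no pre-shared key")
    # Task 9: nat 0 must name an existing ACL, or tunnel traffic gets translated.
    for acl in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", text, re.M):
        if acl not in acls:
            findings.append(f"nat 0 references undefined access-list {acl}")
    # Task 10 and the 6.3 crypto additions: missing DPD and legacy algorithms.
    if not re.search(r"^isakmp keepalive", text, re.M):
        findings.append("IKE DPD (isakmp keepalive) not enabled")
    weak = r"^isakmp policy \d+ (?:encryption des|hash md5|group 1)$|esp-des|esp-md5-hmac"
    for alg in re.findall(weak, text, re.M):
        findings.append(f"legacy algorithm in use: {alg}")
    return findings
```

Run `audit()` over a `show running-config` capture; the sample above deliberately carries the transform-set mismatch and the missing XAUTH line so both are reported.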
Slide 57: Cisco VPN Client 3.6 Manual Configuration Tasks

Slide 58: Cisco VPN Client 3.6 Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client 3.6:
– Task 1: Install Cisco VPN Client 3.x.
– Task 2: Create a new connection entry.
– Task 3: (Optional) Modify VPN Client options.
– Task 4: Configure VPN Client general properties.
– Task 5: Configure VPN Client authentication properties.
– Task 6: Configure VPN Client connection properties.

Slide 59: Task 1: Install Cisco VPN Client 3.x

Slide 60: Task 2: Create New Connection Entry
(Screenshot: new connection entry rmt_user_)

Slide 61: Task 3: (Optional) Modify Cisco VPN Client Options

Slide 62: Task 4: Configure Cisco VPN Client General Properties
(Screenshots: the General properties dialog on Windows 95/98/ME and on Windows NT 4/2000/XP.)

Slide 63: Task 5: Configure Cisco VPN Client Authentication Properties
The end user never sees this after the initial configuration.

Slide 64: Task 6: Configure Cisco VPN Client Connection Properties

Slide 65: Working with the Cisco VPN 3.6 Client

Slide 66: Cisco VPN Client Program Menu

Slide 67: Cisco VPN Client Log Viewer
(Screenshot: toolbar and log display.)

Slide 68: Setting MTU Size

Slide 69: Cisco VPN Client Connection Status, General Tab

Slide 70: Cisco VPN Client Connection Status, Statistics Tab

Slide 71: Summary

Slide 72: Summary
– Cisco Easy VPN features greatly enhance the deployment of remote access solutions for Cisco IOS software customers.
– The Easy VPN Server adds several new commands to PIX Firewall version 6.3.
– The Cisco VPN Client release 3.6 can be configured manually by users or automatically using preconfiguration files.

Slide 73: Lab Exercise

Slide 74: Lab Visual Objective
(Lab diagram: Student PC running the VPN Client, PIX Firewall, inside network 10.0.P.0 with a Web/FTP server at .150, and the RBB backbone router; P is the pod number.)