© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.014-1 Lesson 14 Configuring the Cisco Virtual Private Network 3000 Series Concentrator for IPSec. - презентация

1 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Lesson 14 Configuring the Cisco Virtual Private Network 3000 Series Concentrator for IPSec over UDP and IPSec over TCP

2 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Objectives Upon the completion of this lesson, you will be able to perform the following tasks: Describe how address translation works at the port level. Explain the IPSec address translation issue. Describe the three Concentrator translation options. Configure the Concentrator for IPSec over UDP. Configure the Concentrator for NAT Traversal. Configure the Concentrator for IPSec over TCP. Monitor session statistics.

3 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Overview of Port Address Translation

4 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN NAT Application server NAT Remote office Corporate office Internet

5 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN NAT (cont.) Application server NAT Remote office Corporate office ? Internet

6 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN PAT – Port Application server Port PAT Remote office Corporate office Port – Port Internet

7 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN PAT (cont.) Application server PAT Remote office Corporate office Internet

8 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IKE and UDP Issue Concentrator NAT IKE IPSec Dropped Internet

9 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IPSec over UDPProprietary IPSec over UDP (Proprietary) Cisco VPN Client PAT device Internet Hash Data IP ESP UDP IP

10 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN NAT TraversalStandards-Based IPSec over UDP NAT-T (Standards-based IPSec over UDP) PAT device Internet 4500 Initiator UDP (X,500) … VID UDP (X, 4500) …NAT-D, NAT-D Responder UDP (500, X) …VID, NAT-D, NAT-D UDP (4500, X) … Concentrator Hash Data IP ESP UDP IP Cisco VPN Client

11 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IPSec over TCP IPSec over TCP (System-wide) PAT device Internet Hash Data IP ESP TCP IP Cisco VPN Client

12 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN IPSec Through PAT Mode

13 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Configuring IPSec over UDP

14 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Concentrator Configuration IPSec over UDP Client Concentrator Internet Hash Data IP ESP UDP IP

15 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Software Client Configuration IPSec over UDP Client Concentrator Internet

16 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Configuring NAT Traversal

17 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Concentrator ConfigurationNAT-T Client Concentrator Internet Hash Data IP ESP UDP IP

18 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Software Client ConfigurationNAT-T Client Concentrator Internet

19 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Configuring IPSec over TCP

20 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN ConcentratorIPSec over TCP Configuration Client Concentrator Internet Hash Data IP ESP TCP IP

21 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Hardware ClientIPSec over TCP Configuration Concentrator Internet SOHO Hash Data IP ESP TCP IP

22 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Software ClientIPSec over TCP Configuration Client Concentrator Internet

23 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Monitoring Session Statistics

24 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Software Client Connection Status Client Concentrator Internet

25 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Hardware Client Connection Status Client Concentrator Internet

26 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Concentrator Monitor Session Client Concentrator Internet Hash Data IP ESP TCP IP

27 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Concentrator Monitor Session Detail

28 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Summary

29 © 2003, Cisco Systems, Inc. All rights reserved. CSVPN Summary IPSec does not translate through a NAT or PAT device. Configure IPSec over UDP, NAT-T, or TCP in both the Concentrator and clients. For each tunnel type, an applicable port number is defined. IPSec over TCP, NAT-T, or UDP statistics are viewable on both the Concentrator and clients.