Network Security 2 - Kapsi Internet-käyttäjät...
-
2
Network Security 2
Module 6 Configure Remote Access VPN
-
3
Learning Objectives
6.1 Introduction to Cisco Easy VPN
6.2 Configure the Easy VPN Server
6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x
6.4 Configure Cisco Easy VPN Remote for Access Routers
6.5 Configure the PIX Security Appliance as an Easy VPN Server
6.6 Configure a PIX 501 or 506E as an Easy VPN Client
6.7 Configure the Adaptive Security Appliance to Support WebVPN
-
4
Module 6 Configure Remote Access VPN
6.1 Introduction to Cisco EasyVPN
-
5
Cisco Easy VPN Components
The Cisco Easy VPN is made up of two components:
Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients.
-
6
Remote Access Using Cisco Easy VPN
PC with Easy Remote VPN Client 4.x
Cisco 800 Router
Cisco 900 Router
Cisco 1700 Router
Cisco VPN 3002 Hardware Client
Cisco PIX Security Appliance 501
Cisco IOS router 12.3(11)T (or later) Easy VPN Server
-
7
Easy VPN Remote Connection Process
Step 1 The VPN Client initiates the IKE Phase 1 process.
Step 2 The VPN Client establishes an ISAKMP SA.
Step 3 The Easy VPN Server accepts the SA proposal.
Step 4 The Easy VPN Server initiates a username/password challenge.
Step 5 The mode configuration process is initiated.
Step 6 The RRI process is initiated.
Step 7 IPSec quick mode completes the connection.
-
8
Step 1 The VPN Client Initiates the IKE Phase 1 Process
Cisco IOS router 12.3(11)T Easy VPN Server
Remote PC with Easy Remote VPN Client 4.x
Using pre-shared keys? Initiate aggressive mode (AM).
Using digital certificates? Initiate main mode (MM).
-
9
Step 2 The VPN Client Establishes an ISAKMP SA
Cisco IOS router 12.3(11)T Easy VPN Server
Remote PC with Easy Remote VPN Client 4.x
Proposal 1, proposal 2, proposal 3
The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.
To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following
Encryption and hash algorithms
Authentication methods
Diffie-Hellman group sizes
-
10
Step 3 The Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches for a match:
The first proposal to match the server's list is accepted (highest-priority match).
The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
ISAKMP SA is successfully established.
Device authentication ends and user authentication begins.
Remote PC with Easy Remote VPN Client 4.x
Cisco IOS router 12.3(11)T Easy VPN Server
Proposal 1
Proposal checking finds proposal 1 match
-
11
Step 4 Username/Password Challenge
Remote PC with Easy Remote VPN Client 4.x
Cisco IOS router 12.3(11)T Easy VPN Server
Username/password
AAA checking
Username/password challenge
If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
The user enters a username/password combination.
The username/password information is checked against authentication entities using AAA.
All Easy VPN Servers should be configured to enforce user authentication.
-
12
Step 5 The Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server
Mode configuration starts.
The remaining system parameters, such as IP address, DNS, split tunneling information, are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile. All other parameters are optional.
Remote PC with Easy Remote VPN Client 4.x
Cisco IOS router 12.3(11)T Easy VPN Server
Client Requests Parameters
System Parameters via Mode Config
-
13
Step 6 The RRI Process Is Initiated
Remote PC with Easy Remote VPN Client 4.x
Cisco IOS router 12.3(11)T Easy VPN Server
RRI static route creation
VPN Tunnel
After the Easy VPN Server knows the VPN Client's assigned IP address, it must determine how to route packets through the appropriate VPN tunnel:
RRI creates a static route on the Easy VPN Server for each VPN Client's internal IP address.
RRI must be enabled on the crypto maps supporting VPN Clients.
RRI need not be enabled on a crypto map applied to a GRE tunnel that is already being used to distribute routing information.
-
14
Step 7 IPSec Quick Mode Completes the Connection
Cisco IOS router 12.3(11)T Easy VPN Server
Remote PC with Easy Remote VPN Client 4.x
Quick mode
IPSec SA establishment
VPN tunnel
After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment.
After IPSec SA establishment, the VPN connection is complete.
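An added example, not part of the course slides: a Python model of Steps 1 to 3 above, showing how the order of the server's ISAKMP policies decides which of the client's proposals is accepted. The names (`Proposal`, `phase1_mode`, `select_proposal`) and all sample values are assumptions made for this example, and the SA lifetime comparison is left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One ISAKMP proposal: the attributes the slides say are combined."""
    encryption: str
    hash_alg: str
    auth: str       # "pre-share" or "rsa-sig"
    dh_group: int


def phase1_mode(auth: str) -> str:
    """Step 1: pre-shared keys start aggressive mode, certificates main mode."""
    modes = {"pre-share": "aggressive", "rsa-sig": "main"}
    if auth not in modes:
        raise ValueError(f"unknown authentication method: {auth}")
    return modes[auth]


def select_proposal(server_policies: Dict[int, Proposal],
                    client_offer: List[Proposal]) -> Optional[Tuple[int, Proposal]]:
    """Step 3: try server policies from the lowest priority number upward and
    accept the first one the client also offered. None means no ISAKMP SA."""
    offered = set(client_offer)
    for priority in sorted(server_policies):
        if server_policies[priority] in offered:
            return priority, server_policies[priority]
    return None


# Constructed sample values (not taken from the slides).
STRONG = Proposal("aes 256", "sha", "pre-share", 5)
MEDIUM = Proposal("3des", "sha", "pre-share", 2)
WEAK = Proposal("3des", "md5", "pre-share", 2)

# Step 2: the client sends several combinations in one offer.
CLIENT_OFFER = [STRONG, MEDIUM, WEAK]

WELL_ORDERED = {1: STRONG, 10: MEDIUM, 20: WEAK}
MISORDERED = {1: WEAK, 10: MEDIUM, 20: STRONG}     # weakest policy listed first
NO_OVERLAP = {1: Proposal("aes 256", "sha", "rsa-sig", 5)}

if __name__ == "__main__":
    print("mode:", phase1_mode(CLIENT_OFFER[0].auth))
    for name, policies in [("well ordered", WELL_ORDERED),
                           ("misordered", MISORDERED),
                           ("no overlap", NO_OVERLAP)]:
        print(name, "->", select_proposal(policies, CLIENT_OFFER))
```

With the misordered policy list the same client offer ends up on the MD5 proposal, which is why the strongest policy belongs at the top of the server's list.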
-
15
Module 6 Configure Remote Access VPN
6.2 Configure the EasyVPN Server
-
16
Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Easy VPN Server on a Cisco router:
Task 1 Create IP address pool.
Task 2 Configure group policy lookup.
Task 3 Create ISAKMP policy for remote VPN Client access.
Task 4 Define group policy for mode configuration push.
Task 5 Create a transform set.
Task 6 Create a dynamic crypto map with RRI.
Task 7 Apply mode configuration to the dynamic crypto map.
Task 8 Apply the crypto map to the router interface.
Task 9 Enable IKE DPD.
Task 10 Configure XAUTH.
Task 11 (Optional) Enable XAUTH save password feature.
-
17
Task 1 Create IP Address Pool
REMOTE-POOL
10.0.1.100 to 10.0.1.150
Pool
vpngate1
Remote client
router(config)#ip local pool {default | pool-name low-ip-address [high-ip-address]}
vpngate1(config)# ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150
Creating a local address pool is optional if an external DHCP server is in use on the network.
-
18
Task 2 Configure Group Policy Lookup
vpngate1
Remote client
VPN-REMOTE-ACCESS
Group
router(config)#aaa new-model
router(config)#aaa authorization network list-name local [method1 [method2]]
vpngate1(config)# aaa new-model
vpngate1(config)# aaa authorization network VPN-REMOTE-ACCESS local
Creates a user group for local AAA policy lookup
-
19
Task 3 Create ISAKMP Policy for Remote VPN Client Access
Authen Preshared keys
Encryption 3-DES
Diffie-Hellman Group 2
Other settings Default
Policy 1
vpngate1
Remote client
vpngate1(config)# crypto isakmp enable
vpngate1(config)# crypto isakmp policy 1
vpngate1(config-isakmp)# authen pre-share
vpngate1(config-isakmp)# encryption 3des
vpngate1(config-isakmp)# group 2
vpngate1(config-isakmp)# exit
Use standard ISAKMP configuration commands.
-
20
Task 4 Define Group Policy for Mode Configuration Push
Task 4 contains the following steps:
Step 1 Add the group profile to be defined.
Step 2 Configure the ISAKMP pre-shared key.
Step 3 Specify the DNS servers.
Step 4 Specify the WINS servers.
Step 5 Specify the DNS domain.
Step 6 Specify the local IP address pool.
-
21
Task 4-Step 1 Add the Group Profile to Be Defined
router(config)#
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
vpngate1
Remote client
crypto isakmp client configuration group {group-name | default}
vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
vpngate1(config-isakmp-group)#
-
22
Task 4-Step 2 Configure the IKE Pre-Shared Key
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
Remote client
vpngate1
router(config-isakmp-group)#key name
vpngate1(config-isakmp-group)# key MYVPNKEY
-
23
Task 4-Step 3 Specify the DNS Servers
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
Remote client
vpngate1
router(config-isakmp-group)#dns primary-server secondary-server
vpngate1(config-isakmp-group)# dns DNS1 DNS2
vpngate1(config-isakmp-group)# dns 172.26.26.120 172.26.26.130
-
24
Task 4-Step 4 Specify the WINS Servers
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
Remote client
vpngate1
router(config-isakmp-group)#wins primary-server secondary-server
vpngate1(config-isakmp-group)# wins WINS1 WINS2
vpngate1(config-isakmp-group)# wins 172.26.26.160 172.26.26.170
-
25
Task 4-Step 5 Specify the DNS Domain
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
vpngate1
Remote client
router(config-isakmp-group)#domain name
vpngate1(config-isakmp-group)# domain cisco.com
-
26
Task 4-Step 6 Specify the Local IP Address Pool
vpngate1
Remote client
Key MYVPNKEY
DNS DNS1 & DNS2
WINS WINS1 & WINS2
Domain cisco.com
Pool name REMOTE-POOL
Pool 10.0.1.100 to 10.0.1.150
Group VPN-REMOTE-ACCESS
router(config-isakmp-group)#pool name
vpngate1(config-isakmp-group)# pool REMOTE-POOL
-
27
Task 5 Create Transform Set
Transform set name
router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
vpngate1(cfg-crypto-trans)# exit
VPNTRANSFORM
vpngate1
Remote client
-
28
Task 6 Create a Dynamic Crypto Map with RRI
Task 6 contains the following steps:
Step 1 Create a dynamic crypto map.
Step 2 Assign a transform set.
Step 3 Enable RRI.
-
29
Task 6-Step 1 Create a Dynamic Crypto Map
DYNMAP 1
Dynamic Crypto map name/sequence #
vpngate1
Remote client
router(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num
vpngate1(config)# crypto dynamic-map DYNMAP 1
vpngate1(config-crypto-map)#
-
30
Task 6-Step 2 Assign Transform Set to Dynamic Crypto Map
VPNTRANSFORM
Transform set name
Remote client
vpngate1
router(config-crypto-map)#set transform-set transform-set-name [transform-set-name2...transform-set-name6]
vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM
-
31
Task 6-Step 3 Enable RRI
vpngate1
Remote client 10.0.1.100
File server
Tunnel
RRI routing announcement to inside network
router(config-crypto-map)#reverse-route
vpngate1(config-crypto-map)# reverse-route
vpngate1(config-crypto-map)# exit
-
32
Task 7 Apply Mode Configuration to Crypto Map
Task 7 contains the following steps:
Step 1 Configure the router to respond to mode configuration requests.
Step 2 Enable IKE querying for a group policy.
Step 3 Apply the dynamic crypto map to the crypto map.
-
33
Task 7-Step 1 Configure Router to Respond to Mode Configuration Requests
vpngate1
Remote client
router(config)#crypto map map-name client configuration address {initiate | respond}
vpngate1(config)# crypto map CLIENTMAP client configuration address respond
-
34
Task 7-Step 2 Enable ISAKMP Querying for Group Policy
vpngate1
Remote client
VPN-REMOTE-ACCESS
Group
router(config)#crypto map map-name isakmp authorization list list-name
vpngate1(config)# crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS
-
35
Task 7-Step 3 Apply Dynamic Crypto Map to the Crypto Map
Crypto map name/sequence #
CLIENTMAP 65535
vpngate1
Remote client
router(config)#crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
vpngate1(config)# crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP
-
36
Task 8 Apply the Crypto Map to Router Outside Interface
CLIENTMAP
Crypto map name
vpngate1
e0/1
Remote client
vpngate1(config)# interface ethernet0/1
vpngate1(config-if)# crypto map CLIENTMAP
vpngate1(config-if)# exit
-
37
Task 9 Enable ISAKMP DPD
vpngate1
Remote client
1) DPD send Are you there?
2) DPD reply Yes, I am here.
router(config)#crypto isakmp keepalive secs retries
vpngate1(config)# crypto isakmp keepalive 20 10
-
38
Task 10 Configure XAUTH
Task 10 contains the following steps:
Step 1 Enable AAA login authentication.
Step 2 Set the XAUTH timeout value.
Step 3 Enable ISAKMP XAUTH for the dynamic crypto map.
-
39
Task 10, Step 1 Enable AAA Login Authentication
vpngate1
Remote client
VPNUSERS
VPN user group
router(config)#aaa authentication login list-name method1 [method2]
vpngate1(config)# aaa authentication login VPNUSERS local
-
40
Task 10, Step 2 Set XAUTH Timeout Value
vpngate1
Remote client
20 seconds
VPNUSERS
VPN user group
router(config)#crypto isakmp xauth timeout seconds
vpngate1(config)# crypto isakmp xauth timeout 20
-
41
Task 10, Step 3 Enable ISAKMP XAUTH for Crypto Map
vpngate1
Remote client
VPNUSERS
VPN user group
CLIENTMAP
Crypto map name
router(config)#crypto map map-name client authentication list list-name
vpngate1(config)# crypto map CLIENTMAP client authentication list VPNUSERS
-
42
Task 11 (Optional) Enable XAUTH Save Password
VPN-REMOTE-ACCESS
Group
Remote client
vpngate1
router(config-isakmp-group)#save-password
vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
vpngate1(config-isakmp-group)# save-password
This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command.
-
43
Easy VPN Server Configuration Example
version 12.3
hostname Router1
!
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
ip domain-name cisco.com
ip dhcp excluded-address 10.0.1.1 10.0.1.12
!
ip dhcp pool POD1_INSIDE
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
ip local pool IPPOOL 11.0.1.20 11.0.1.30
crypto isakmp xauth timeout 20
-
44
Easy VPN Server Configuration Example
crypto isakmp client configuration group SALES
 key cisco123
 domain cisco.com
 pool IPPOOL
 save-password
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet 0/1
 ip address 172.30.1.2 255.255.255.0
 crypto map CLIENTMAP
crypto isakmp keepalive 20 10
-
45
Task 12 Verify
router#
show crypto map [interface interface | tag map-name]
Router# show crypto map interface ethernet 0
Displays crypto map configuration.
router#
show run
Router# show run
Displays running configuration.
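An added example, not part of the course slides: a Python audit that reads a saved running configuration and reports the Easy VPN Server settings the slides call out (XAUTH user authentication, RRI on the dynamic crypto map, DPD, save-password) together with Phase 1 algorithms that are now considered weak (MD5, DES/3DES, DH groups 1 and 2). The check names, the functions and the trimmed sample configuration are assumptions made for this example.

```python
import re

# Constructed input: the slides' server example, trimmed, one command per line.
SAMPLE_CONFIG = """\
aaa authentication login VPNAUTHEN local
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group SALES
 key cisco123
 save-password
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet 0/1
 crypto map CLIENTMAP
crypto isakmp keepalive 20 10
"""


def parse_blocks(config):
    """Map each top-level command to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks


def audit(config):
    """Return sorted (check_id, detail) findings. The checks are this example's own."""
    blocks = parse_blocks(config)
    findings = []
    login_lists, xauth_lists = set(), {}
    for cmd in blocks:
        if m := re.match(r"aaa authentication login (\S+)", cmd):
            login_lists.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) client authentication list (\S+)$", cmd):
            xauth_lists[m.group(1)] = m.group(2)
    for cmd, subs in blocks.items():
        if m := re.match(r"crypto isakmp policy (\d+)$", cmd):
            where = f"isakmp policy {m.group(1)}"
            # Accept the abbreviated keyword "encr" as well as "encryption".
            enc = [s.split(None, 1)[1] for s in subs
                   if s.startswith(("encr ", "encryption "))]
            if not enc:
                findings.append(("ENC-DEFAULT", f"{where}: no encryption line"))
            elif enc[0] in ("des", "3des"):
                findings.append(("WEAK-ENC", f"{where}: encryption {enc[0]}"))
            if "hash md5" in subs:
                findings.append(("WEAK-HASH", f"{where}: hash md5"))
            if "group 1" in subs or "group 2" in subs:
                findings.append(("WEAK-DH", f"{where}: DH group of 1024 bits or less"))
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", cmd):
            if "save-password" in subs:
                findings.append(("SAVE-PASSWORD", f"group {m.group(1)}"))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+$", cmd):
            if "reverse-route" not in subs:
                findings.append(("NO-RRI", f"dynamic-map {m.group(1)}"))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$", cmd):
            if xauth_lists.get(m.group(1)) not in login_lists:
                findings.append(("NO-XAUTH", f"crypto map {m.group(1)}"))
    if not any(c.startswith("crypto isakmp keepalive ") for c in blocks):
        findings.append(("NO-DPD", "crypto isakmp keepalive not configured"))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_CONFIG):
        print(f"{check_id:14} {detail}")
```

ENC-DEFAULT means the policy has no encryption line, so the platform default applies and should be checked on the device.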
-
46
Module 6 Configure Remote Access VPN
6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x
-
47
Configuring Easy VPN Remote for the Cisco VPN Client 4.x General Tasks
Task 1 Install Cisco VPN Client 4.x.
Task 2 Create a new client connection entry.
Task 3 Choose an authentication method.
Task 4 Configure transparent tunneling.
Task 5 Enable and add backup servers.
Task 6 Configure connection to the Internet through dial-up networking.
-
48
Task 1 Install Cisco VPN Client 4.x
Installation file on IP-disks
-
49
Error Message
-
50
Task 2 Create a New Client Connection Entry
-
51
Task 3 Configure Client Authentication Properties
-
52
Task 4 Configure Transparent Tunneling
-
53
Task 5 Enable and Add Backup Servers
-
54
Task 6 Configure Connection to the Internet through Dial-up Networking
-
55
Module 6 Configure Remote Access VPN
6.4 Configure Cisco Easy VPN Remote for Access Routers
-
56
Easy VPN Remote Client Mode
Cisco 831 router Cisco router (Easy VPN
Server) 12.3(11)T
10.0.0.3
10.0.0.4
10.0.0.2
192.168.100.X
VPN tunnel
-
57
Easy VPN Remote Network Extension Mode
Cisco 831(Easy VPN Remote)
Cisco router
(Easy VPN Server)
12.3(11)T
172.16.10.5
172.16.10.6
.4
172.16.X.X
VPN tunnel
-
58
Easy VPN Remote Configuration General Tasks for Access Routers
Task 1 (Optional) Configure the DHCP server pool.
Task 2 Configure and assign the Cisco Easy VPN client profile.
Task 3 (Optional) Configure XAUTH password save.
Task 4 Initiate the VPN tunnel.
Task 5 Verify the Cisco Easy VPN configuration.
-
59
Task 1 Configure the DHCP Server Pool
router(config)#ip dhcp pool pool-name
router(dhcp-config)#network ip-address [ mask | /prefix-length]
default-router address [address2 ... addressN]
import all
lease {days [ hours][ minutes] | infinite}
exit
router(config)#ip dhcp excluded-address lan-ip-address
-
60
Task 1 Example DHCP Server Pool
20.20.20.0
vpnRemote1(config)# ip dhcp pool CLIENT
vpnRemote1(dhcp-config)# network 10.10.10.0 255.255.255.0
vpnRemote1(dhcp-config)# default-router 10.10.10.1
vpnRemote1(dhcp-config)# import all
vpnRemote1(dhcp-config)# lease 3
vpnRemote1(dhcp-config)# exit
vpnRemote1(config)# ip dhcp excluded-address 10.10.10.1
VPNREMOTE1 VPNGATE1
30.30.30.0 10.10.10.0
.2 .1 .1
-
61
Task 2 Configure the Cisco Easy VPN Client Profile
router(config)#crypto ipsec client ezvpn name
router(config-crypto-ezvpn)#group group-name key group-key
peer [ ip-address | hostname]
mode {client | network-extension | network-plus}
exit
-
62
Task 2 Example Configure the Cisco Easy VPN Client Profile
VPNREMOTE1 VPNGATE1
30.30.30.0 10.10.10.0 .2 .1
Group: VPN-REMOTE-ACCESS
Peer: 20.20.20.2
Key: MYVPNKEY
Mode: Client
VPNGATE1
.1
20.20.20.0
vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY
vpnRemote1(config-crypto-ezvpn)# peer 20.20.20.2
vpnRemote1(config-crypto-ezvpn)# mode client
vpnRemote1(config-crypto-ezvpn)# exit
vpnRemote1(config)#
-
63
Task 2 Example Assign Easy VPN Remote to the Interface
vpnRemote1(config)# interface ethernet1
vpnRemote1(config-if)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-if)# exit
VPNGate1
VPNREMOTE1 VPNGATE1
30.30.30.0 10.10.10.0 .2 .1
20.20.20.0
.1
router(config-if)#crypto ipsec client ezvpn name [inside | outside]
-
64
Task 3 (Optional) Configure XAUTH Save Password Feature
router(config)#crypto ipsec client ezvpn name
router(config-crypto-ezvpn)#username aaa-username password aaa-password
vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS
vpnRemote1(config-crypto-ezvpn)# exit
-
65
Task 4 (Optional) Initiate the VPN Tunnel (XAUTH)
Cisco IOS message: Waiting for valid XAUTH username and password.
01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:
01:34:42: EZVPN: crypto ipsec client ezvpn xauth
router#crypto ipsec client ezvpn xauth
vpnRemote1# crypto ipsec client ezvpn xauth
Enter Username and Password: vpnusers
Password: ********
With XAUTH: When SA expires, username and password must be manually entered.
With XAUTH Password Save enabled: When SA expires, the last valid username and password will be reused automatically.
-
66
Task 5 Verify the Cisco Easy VPN Configuration
vpnRemote1# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : VPNGATE1
Inside interface list: Ethernet0,
Outside interface: Ethernet1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.24
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com
-
67
Easy VPN Remote Configuration Example
version 12.2
hostname VPNREMOTE1
!
username admin privilege 15 password 7 070E25414707485744
ip subnet-zero
ip domain-name cisco.com
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 3
!
crypto ipsec client ezvpn VPNGATE1
 connect auto
 group VPNREMOTE1 key 0 MYVPNKEY
 mode client
 peer 20.20.20.2
 username VPNUSER password 0 VPNPASS
-
68
Easy VPN Remote Configuration Example (Cont.)
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1 inside
!
interface Ethernet1
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 30.30.30.0 255.255.255.0 Ethernet1
ip http server
no ip http secure-server
!
line con 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
!
end
-
69
Module 6 Configure Remote Access VPN
6.5 Configure the PIX Security Appliance as an Easy VPN Server
-
70
EasyVPN Server General Configuration Tasks
Task 1 Create an ISAKMP policy for remote Cisco VPN Client access.
Task 2 Create an IP address pool.
Task 3 Define a group policy for a mode configuration push.
Task 4 Create a transform set.
Task 5 Create a dynamic crypto map.
Task 6 Assign a dynamic crypto map to a static crypto map.
Task 7 Apply a dynamic crypto map to the PIX Security Appliance interface.
Task 8 Configure XAUTH.
Task 9 Configure NAT and NAT 0.
Task 10 Enable IKE dead peer detection (DPD).
-
71
Create ISAKMP Policy
-
72
Create IP Address Pool
-
73
Define Group Policy for Mode Configuration Push
Step 1 Set the Tunnel Group Type
Step 2 Configure the IKE Pre-shared Key
Step 3 Specify the Local IP Address Pool
Step 4 Configure the Group Policy Type
Step 5 Enter the Group Policy Attributes Submode
Step 6 Specify the DNS Servers
Step 7 Specify the WINS Servers
Step 8 Specify the DNS Domain
Step 9 Specify the Idle Timeout
-
74
Set Tunnel Group Type
-
75
Configure IKE Pre-Shared Key
-
76
Specify Local IP Address Pool
-
77
Configure the Group Policy Type
-
78
Enter the Group Policy Attributes Submode
-
79
Specify DNS Servers
-
80
Specify WINS Servers
-
81
Specify DNS Domain
-
82
Specify Idle Time
-
83
Create Transform Set
-
84
Create Dynamic Crypto Map
-
85
Assign Dynamic Crypto Map to Static Crypto Map
-
86
Apply Dynamic Crypto Map
-
87
Configure XAUTH
Step 1 Enable AAA login authentication.
Step 2 Define AAA server IP address and encryption key.
Step 3 Enable IKE XAUTH for the crypto map.
-
88
Configure NAT and NAT 0
-
89
Enable IKE DPD
-
90
Module 6 Configure Remote Access VPN
6.6 Configure a PIX 501 or 506E as an Easy VPN Client
-
91
PIX Easy VPN Remote
-
92
Easy VPN Remote Client Configuration
-
93
Easy VPN Client Device Mode
-
94
Module 6 Configure Remote Access VPN
6.7 Configure the Adaptive Security Appliance to Support WebVPN
-
95
Home Page
-
96
Website Access
-
97
Port Forwarding
-
98
Enabling WebVPN
-
99
Home Page Look and Feel Configuration
-
100
Enabling WebVPN
-
101
Servers and URL Configuration Example
-
102
Enable Port Forwarding
-
103
Port Forwarding Configuration Example
-
104
Enable Email Proxy
-
105
Email Proxy Configuration Example
-
106
HTML Content Filtering
-
107
HTML Content Filtering
-
108
WebVPN ACLs