Network Security 2 - Kapsi Internet-käyttäjät...


  • 1

  • 2

    Network Security 2

    Module 6 Configure Remote Access VPN

  • 3

    Learning Objectives

    6.1 Introduction to Cisco Easy VPN

    6.2 Configure the Easy VPN Server

    6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

    6.4 Configure Cisco Easy VPN Remote for Access Routers

    6.5 Configure the PIX Security Appliance as an Easy VPN Server

    6.6 Configure a PIX 501 or 506E as an Easy VPN Client

    6.7 Configure the Adaptive Security Appliance to Support WebVPN

  • 4

    Module 6 Configure Remote Access VPN

    6.1 Introduction to Cisco EasyVPN

  • 5

    Cisco Easy VPN Components

    The Cisco Easy VPN is made up of two components

    Easy VPN Server: Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.

    Easy VPN Remote: Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients.

  • 6

    Remote Access Using Cisco Easy VPN

    (Diagram: the following Easy VPN Remote devices connect to the Easy VPN Server.)

    PC with Easy Remote VPN Client 4.x

    Cisco 800 Router

    Cisco 900 Router

    Cisco 1700 Router

    Cisco VPN 3002 Hardware Client

    Cisco PIX Security Appliance 501

    Cisco IOS router 12.3(11)T(or later) Easy VPN Server

  • 7

    Easy VPN Remote Connection Process

    Step 1 The VPN Client initiates the IKE Phase 1 process.

    Step 2 The VPN Client establishes an ISAKMP SA.

    Step 3 The Easy VPN Server accepts the SA proposal.

    Step 4 The Easy VPN Server initiates a username/password challenge.

    Step 5 The mode configuration process is initiated.

    Step 6 The RRI process is initiated.

    Step 7 IPSec quick mode completes the connection.

  • 8

    Step 1 The VPN Client Initiates the IKE Phase 1 Process

    (Diagram: Remote PC with Easy Remote VPN Client 4.x connecting to a Cisco IOS router 12.3(11)T Easy VPN Server.)

    Using pre-shared keys? Initiate aggressive mode (AM).

    Using digital certificates? Initiate main mode (MM).

  • 9

    Step 2 The VPN Client Establishes an ISAKMP SA

    (Diagram: the Remote PC with Easy Remote VPN Client 4.x sends proposal 1, proposal 2, proposal 3 to the Cisco IOS router 12.3(11)T Easy VPN Server.)

    The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

    To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following

    Encryption and hash algorithms

    Authentication methods

    Diffie-Hellman group sizes

  • 10

    Step 3 The Easy VPN Server Accepts the SA Proposal

    The Easy VPN Server searches for a match

    The first proposal to match the server's list is accepted (highest-priority match).

    The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).

    ISAKMP SA is successfully established.

    Device authentication ends and user authentication begins.

    (Diagram: the Cisco IOS router 12.3(11)T Easy VPN Server checks the proposals from the Remote PC with Easy Remote VPN Client 4.x and finds a match on proposal 1.)
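    The proposal matching of Steps 2 and 3 modelled in Python, as an added example that is not part of the original slides or of any Cisco software: the server walks its own policy list in priority order and takes the first policy that any client proposal matches, so the order in which the client lists its proposals cannot pull the negotiation down to a weaker policy. The server policy list, the client's proposal combinations and the attribute names are constructed for the demo; the match rule is limited to the four attributes the slides name, with no lifetime handling.

```python
"""ISAKMP (IKE Phase 1) proposal selection as described for the Easy VPN
connection process. Added illustration, not Cisco code: policy values are
constructed for the demo; lifetime negotiation is left out."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    encryption: str   # e.g. "aes-256", "3des", "des"
    hash: str         # "sha" or "md5"
    auth: str         # "pre-share" or "rsa-sig"
    group: int        # Diffie-Hellman group number


# Constructed server policy list: sequence number -> policy. A lower sequence
# number is a higher priority, so the strongest entries sit at the top, as the
# slides recommend; a client cannot talk the server down to a weak policy by
# listing that policy first.
SERVER_POLICIES: Dict[int, IsakmpPolicy] = {
    1: IsakmpPolicy("aes-256", "sha", "rsa-sig", 5),
    2: IsakmpPolicy("aes-256", "sha", "pre-share", 5),
    3: IsakmpPolicy("3des", "sha", "pre-share", 2),
    10: IsakmpPolicy("3des", "md5", "pre-share", 2),
}


def client_proposals(enc_hash_pairs, auth_methods, groups) -> List[IsakmpPolicy]:
    """Build the proposal list a VPN Client sends (Step 2): every combination
    of the encryption/hash pairs, authentication methods and DH groups it has."""
    return [IsakmpPolicy(enc, hsh, auth, grp)
            for (enc, hsh), auth, grp in product(enc_hash_pairs, auth_methods, groups)]


def phase1_mode(auth_method: str) -> str:
    """Step 1: pre-shared keys start aggressive mode, certificates main mode."""
    return "aggressive" if auth_method == "pre-share" else "main"


def select_policy(server_policies, proposals) -> Optional[Tuple[int, IsakmpPolicy]]:
    """Step 3: the server's highest-priority policy that matches ANY client
    proposal wins; the client's own ordering does not influence the choice."""
    offered = set(proposals)
    for seq in sorted(server_policies):
        if server_policies[seq] in offered:
            return seq, server_policies[seq]
    return None  # no ISAKMP SA: the connection never gets past IKE Phase 1


if __name__ == "__main__":
    # A pre-shared-key client that lists its weakest option first.
    proposals = client_proposals([("3des", "md5"), ("3des", "sha"), ("aes-256", "sha")],
                                 ["pre-share"], [2, 5])
    print("IKE Phase 1 mode:", phase1_mode("pre-share"))
    print("Accepted:", select_policy(SERVER_POLICIES, proposals))
```

    Running it shows policy 2 (AES-256/SHA/pre-share/group 5) being accepted although the client offered 3DES/MD5 first, because the server's sequence order, not the client's proposal order, decides the match.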

  • 11

    Step 4 Username/Password Challenge

    (Diagram: the Cisco IOS router 12.3(11)T Easy VPN Server sends a username/password challenge to the Remote PC with Easy Remote VPN Client 4.x, the PC returns the username/password, and the server performs AAA checking.)

    If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge.

    The user enters a username/password combination.

    The username/password information is checked against authentication entities using AAA.

    All Easy VPN Servers should be configured to enforce user authentication.

  • 12

    Step 5 The Mode Configuration Process Is Initiated

    If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server.

    Mode configuration starts.

    The remaining system parameters, such as IP address, DNS, split tunneling information, are downloaded to the VPN Client.

    Remember that the IP address is the only required parameter in a group profile. All other parameters are optional.

    (Diagram: the Remote PC with Easy Remote VPN Client 4.x requests parameters from the Cisco IOS router 12.3(11)T Easy VPN Server, which returns the system parameters via mode config.)

  • 13

    Step 6 The RRI Process Is Initiated

    (Diagram: VPN tunnel between the Remote PC with Easy Remote VPN Client 4.x and the Cisco IOS router 12.3(11)T Easy VPN Server; RRI creates a static route on the server.)

    After the Easy VPN Server knows the VPN Client's assigned IP address, it must determine how to route packets through the appropriate VPN tunnel.

    RRI creates a static route on the Easy VPN Server for each VPN Client's internal IP address.

    RRI must be enabled on the crypto maps supporting VPN Clients.

    RRI need not be enabled on a crypto map applied to a GRE tunnel that is already being used to distribute routing information.

  • 14

    Step 7 IPSec Quick Mode Completes the Connection

    (Diagram: quick mode between the Remote PC with Easy Remote VPN Client 4.x and the Cisco IOS router 12.3(11)T Easy VPN Server establishes the IPSec SA and brings up the VPN tunnel.)

    After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment.

    After IPSec SA establishment, the VPN connection is complete.

  • 15

    Module 6 Configure Remote Access VPN

    6.2 Configure the EasyVPN Server

  • 16

    Easy VPN Server General Configuration Tasks

    The following general tasks are used to configure Easy VPN Server on a Cisco router

    Task 1 Create IP address pool.

    Task 2 Configure group policy lookup.

    Task 3 Create ISAKMP policy for remote VPN Client access.

    Task 4 Define group policy for mode configuration push.

    Task 5 Create a transform set.

    Task 6 Create a dynamic crypto map with RRI.

    Task 7 Apply mode configuration to the dynamic crypto map.

    Task 8 Apply the crypto map to the router interface.

    Task 9 Enable IKE DPD.

    Task 10 Configure XAUTH.

    Task 11 (Optional) Enable XAUTH save password feature.

  • 17

    Task 1 Create IP Address Pool

    (Diagram: vpngate1 with address pool REMOTE-POOL, 10.0.1.100 to 10.0.1.150, serving the remote client.)

    router(config)#ip local pool {default | pool-name low-ip-address [high-ip-address]}

    vpngate1(config)# ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150

    Creating a local address pool is optional if an external DHCP server is in use on the network.

  • 18

    Task 2 Configure Group Policy Lookup


    router(config)#aaa new-model

    router(config)#aaa authorization network list-name local [method1 [method2]]

    vpngate1(config)# aaa new-model

    vpngate1(config)# aaa authorization network VPN-REMOTE-ACCESS local

    Creates a user group for local AAA policy lookup

  • 19

    Task 3 Create ISAKMP Policy for Remote VPN Client Access

    Policy 1 on vpngate1 for the remote client: authentication pre-shared keys, encryption 3DES, Diffie-Hellman group 2, other settings default.

    vpngate1(config)# crypto isakmp enable

    vpngate1(config)# crypto isakmp policy 1

    vpngate1(config-isakmp)# authen pre-share

    vpngate1(config-isakmp)# encryption 3des

    vpngate1(config-isakmp)# group 2

    vpngate1(config-isakmp)# exit

    Use standard ISAKMP configuration commands.

  • 20

    Task 4 Define Group Policy for Mode Configuration Push

    Task 4 contains the following steps:

    Step 1 Add the group profile to be defined.

    Step 2 Configure the ISAKMP pre-shared key.

    Step 3 Specify the DNS servers.

    Step 4 Specify the WINS servers.

    Step 5 Specify the DNS domain.

    Step 6 Specify the local IP address pool.

  • 21

    Task 4-Step 1 Add the Group Profile to Be Defined

    (Diagram: group profile VPN-REMOTE-ACCESS on vpngate1 for the remote client: key MYVPNKEY, DNS DNS1 & DNS2, WINS WINS1 & WINS2, domain cisco.com, pool name REMOTE-POOL, pool 10.0.1.100 to 10.0.1.150.)

    router(config)#crypto isakmp client configuration group {group-name | default}

    vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

    vpngate1(config-isakmp-group)#

  • 22

    Task 4-Step 2 Configure the IKE Pre-Shared Key


    router(config-isakmp-group)#key name

    vpngate1(config-isakmp-group)# key MYVPNKEY

  • 23

    Task 4-Step 3 Specify the DNS Servers


    router(config-isakmp-group)#dns primary-server secondary-server

    vpngate1(config-isakmp-group)# dns DNS1 DNS2

    vpngate1(config-isakmp-group)# dns 172.26.26.120 172.26.26.130

  • 24

    Task 4-Step 4 Specify the WINS Servers


    router(config-isakmp-group)#wins primary-server secondary-server

    vpngate1(config-isakmp-group)# wins WINS1 WINS2

    vpngate1(config-isakmp-group)# wins 172.26.26.160 172.26.26.170

  • 25

    Task 4-Step 5 Specify the DNS Domain


    router(config-isakmp-group)#domain name

    vpngate1(config-isakmp-group)# domain cisco.com

  • 26

    Task 4-Step 6 Specify the Local IP Address Pool


    router(config-isakmp-group)#pool name

    vpngate1(config-isakmp-group)# pool REMOTE-POOL

  • 27

    Task 5 Create Transform Set

    router(config)#crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

    vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac

    vpngate1(cfg-crypto-trans)# exit

    (Diagram: transform set VPNTRANSFORM on vpngate1 for the remote client.)

  • 28

    Task 6 Create a Dynamic Crypto Map with RRI

    Task 6 contains the following steps Step 1 Create a dynamic crypto map.

    Step 2 Assign a transform set.

    Step 3 Enable RRI.

  • 29

    Task 6-Step 1 Create a Dynamic Crypto Map

    (Diagram: dynamic crypto map DYNMAP, sequence 1, on vpngate1 for the remote client.)

    router(config)#crypto dynamic-map dynamic-map-name dynamic-seq-num

    vpngate1(config)# crypto dynamic-map DYNMAP 1

    vpngate1(config-crypto-map)#

  • 30

    Task 6-Step 2 Assign Transform Set to Dynamic Crypto Map

    (Diagram: transform set VPNTRANSFORM assigned on vpngate1 for the remote client.)

    router(config-crypto-map)#set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]

    vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM

  • 31

    Task 6-Step 3 Enable RRI

    (Diagram: remote client 10.0.1.100 tunnels to vpngate1; RRI announces a route for the client to the inside network, where the file server sits.)

    router(config-crypto-map)#reverse-route

    vpngate1(config-crypto-map)# reverse-route

    vpngate1(config-crypto-map)# exit

  • 32

    Task 7 Apply Mode Configuration to Crypto Map

    Task 7 contains the following steps Step 1 Configure the router to respond to mode configuration requests.

    Step 2 Enable IKE querying for a group policy.

    Step 3 Apply the dynamic crypto map to the crypto map.

  • 33

    Task 7-Step 1 Configure Router to Respond to Mode Configuration Requests


    router(config)#crypto map map-name client configuration address {initiate | respond}

    vpngate1(config)# crypto map CLIENTMAP client configuration address respond

  • 34

    Task 7-Step 2 Enable ISAKMP Querying for Group Policy


    router(config)#crypto map map-name isakmp authorization list list-name

    vpngate1(config)# crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS

  • 35

    Task 7-Step 3 Apply Dynamic Crypto Map to the Crypto Map


    router(config)#crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

    vpngate1(config)# crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNMAP

  • 36

    Task 8 Apply the Crypto Map to Router Outside Interface


    vpngate1(config)# interface ethernet0/1

    vpngate1(config-if)# crypto map CLIENTMAP

    vpngate1(config-if)# exit

  • 37

    Task 9 Enable ISAKMP DPD

    (Diagram: DPD exchange between vpngate1 and the remote client: 1) DPD send: Are you there? 2) DPD reply: Yes, I am here.)

    router(config)#crypto isakmp keepalive secs retries

    vpngate1(config)# crypto isakmp keepalive 20 10

  • 38

    Task 10 Configure XAUTH

    Task 10 contains the following steps Step 1 Enable AAA login authentication.

    Step 2 Set the XAUTH timeout value.

    Step 3 Enable ISAKMP XAUTH for the dynamic crypto map.

  • 39

    Task 10, Step 1 Enable AAA Login Authentication


    router(config)#aaa authentication login list-name method1[method2]

    vpngate1(config)# aaa authentication login VPNUSERS local

  • 40

    Task 10, Step 2 Set XAUTH Timeout Value


    router(config)#crypto isakmp xauth timeout seconds

    vpngate1(config)# crypto isakmp xauth timeout 20

  • 41

    Task 10, Step 3 Enable ISAKMP XAUTH for Crypto Map


    router(config)#crypto map map-name client authentication list list-name

    vpngate1(config)# crypto map CLIENTMAP client authentication list VPNUSERS

  • 42

    Task 11 (Optional) Enable XAUTH Save Password


    router(config-isakmp-group)#save-password

    vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

    vpngate1(config-isakmp-group)# save-password

    This step could have been completed in Step 1 of Task 4, following the crypto isakmp client configuration group command.

  • 43

    Easy VPN Server Configuration Example

    version 12.3
    hostname Router1
    !
    aaa new-model
    aaa authentication login VPNAUTHEN local
    aaa authorization network VPNAUTHOR local
    ip domain-name cisco.com
    ip dhcp excluded-address 10.0.1.1 10.0.1.12
    !
    ip dhcp pool POD1_INSIDE
     network 10.0.1.0 255.255.255.0
     default-router 10.0.1.2
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
     group 2
    !
    ip local pool IPPOOL 11.0.1.20 11.0.1.30
    crypto isakmp xauth timeout 20

  • 44

    Easy VPN Server Configuration Example

    crypto isakmp client configuration group SALES
     key cisco123
     domain cisco.com
     pool IPPOOL
     save-password
    !
    crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map DYNMAP 10
     set transform-set MYSET
     reverse-route
    !
    crypto map CLIENTMAP client authentication list VPNAUTHEN
    crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    interface FastEthernet 0/1
     ip address 172.30.1.2 255.255.255.0
     crypto map CLIENTMAP
    crypto isakmp keepalive 20 10
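    A configuration audit for the Easy VPN Server tasks above (Tasks 1 to 11), as an added Python example that is neither part of the slides nor a Cisco tool. It parses the VPN-relevant lines of the deck's own server configuration example (embedded in the script) and checks what the tasks call for: AAA enabled, XAUTH and group-policy lookup bound to the crypto map through existing AAA lists, mode configuration responding, the dynamic map carrying RRI, the crypto map applied to an interface, the group profile pointing at a defined address pool, and ISAKMP DPD keepalives. The functions parse_blocks and audit_easyvpn_server, the check names and the finding messages are this example's own.

```python
"""Audit an IOS Easy VPN Server configuration against the module's tasks.
Added example, not Cisco tooling. EXAMPLE_CONFIG holds the VPN-relevant lines
of the slide deck's own server example; check names and messages are ours."""
import re

EXAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
!
ip local pool IPPOOL 11.0.1.20 11.0.1.30
crypto isakmp client configuration group SALES
 key cisco123
 pool IPPOOL
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet 0/1
 ip address 172.30.1.2 255.255.255.0
 crypto map CLIENTMAP
crypto isakmp keepalive 20 10
"""


def parse_blocks(config_text):
    """Split an IOS config into (top-level command, [subcommands]) pairs:
    indented lines belong to the preceding top-level command, '!' is dropped."""
    blocks = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def _ref(pattern, text):
    """First capture group of pattern in multi-line text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def audit_easyvpn_server(config_text):
    """Return findings as strings; an empty list means every check passed."""
    blocks = parse_blocks(config_text)
    top = [cmd for cmd, _ in blocks]
    issues = []
    if "aaa new-model" not in top:
        issues.append("aaa new-model missing: AAA method lists cannot be used")
    # Named AAA lists and address pools that crypto maps and groups may refer to.
    login_lists = {c.split()[3] for c in top if c.startswith("aaa authentication login ")}
    author_lists = {c.split()[3] for c in top if c.startswith("aaa authorization network ")}
    pools = {c.split()[3] for c in top if c.startswith("ip local pool ")}

    dyn_maps, groups, cmaps, applied = {}, {}, {}, set()
    for cmd, sub in blocks:
        if (m := re.match(r"crypto dynamic-map (\S+) \d+$", cmd)):
            dyn_maps[m.group(1)] = sub
        elif (m := re.match(r"crypto isakmp client configuration group (\S+)$", cmd)):
            groups[m.group(1)] = sub
        elif cmd.startswith("interface "):
            applied.update(s.split()[2] for s in sub if s.startswith("crypto map "))
        elif (m := re.match(r"crypto map (\S+) (.+)$", cmd)):
            cmaps.setdefault(m.group(1), []).append(m.group(2))

    for name, entries in cmaps.items():
        text = "\n".join(entries)
        xauth = _ref(r"^client authentication list (\S+)$", text)
        if xauth not in login_lists:   # Task 10: every server should enforce user authentication
            issues.append(f"crypto map {name}: XAUTH list {xauth} missing or not an aaa authentication login list")
        author = _ref(r"^isakmp authorization list (\S+)$", text)
        if author not in author_lists:   # Task 7-Step 2: group policy lookup
            issues.append(f"crypto map {name}: authorization list {author} missing or not an aaa authorization network list")
        if _ref(r"^client configuration address (respond|initiate)$", text) is None:
            issues.append(f"crypto map {name}: mode configuration (client configuration address) not enabled")
        for dyn in re.findall(r"^\d+ ipsec-isakmp dynamic (\S+)$", text, re.M):
            sub = dyn_maps.get(dyn, [])
            if not sub:
                issues.append(f"crypto map {name}: dynamic map {dyn} is not defined")
            elif "reverse-route" not in sub:   # Task 6-Step 3: without RRI there is no route back to clients
                issues.append(f"dynamic map {dyn}: reverse-route (RRI) not enabled")
        if name not in applied:   # Task 8
            issues.append(f"crypto map {name}: not applied to any interface")
    for gname, sub in groups.items():
        pool = _ref(r"^pool (\S+)$", "\n".join(sub))
        if pool not in pools:   # the address pool is the one required group parameter
            issues.append(f"group {gname}: pool {pool} missing or not defined as an ip local pool")
    if not any(c.startswith("crypto isakmp keepalive ") for c in top):   # Task 9
        issues.append("crypto isakmp keepalive missing: no DPD, dead peers keep their SAs")
    return issues
```

    Run against the deck's example the audit returns no findings; strip the reverse-route line or the keepalive line and it names exactly what was lost. The checks are deliberately tied to the configuration names the tasks use, so an unbound AAA list or a misspelled dynamic map name is caught as well as an omission.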

  • 45

    Task 12 Verify

    router# show crypto map [interface interface | tag map-name]

    Router# show crypto map interface ethernet 0

    Displays crypto map configuration.

    router# show run

    Router# show run

    Displays running configuration.

  • 46

    Module 6 Configure Remote Access VPN

    6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

  • 47

    Configuring Easy VPN Remote for the Cisco VPN Client 4.x General Tasks

    Task 1 Install Cisco VPN Client 4.x.

    Task 2 Create a new client connection entry.

    Task 3 Choose an authentication method.

    Task 4 Configure transparent tunneling.

    Task 5 Enable and add backup servers.

    Task 6 Configure connection to the Internet through dial-up networking.

  • 48

    Task 1 Install Cisco VPN Client 4.x

    Installation file on IP-disks

  • 49

    Error Message

  • 50

    Task 2 Create a New Client Connection Entry

  • 51

    Task 3 Configure Client Authentication Properties

  • 52

    Task 4 Configure Transparent Tunneling

  • 53

    Task 5 Enable and Add Backup Servers

  • 54

    Task 6 Configure Connection to the Internet through Dial-up Networking

  • 55

    Module 6 Configure Remote Access VPN

    6.4 Configure Cisco Easy VPN Remote for Access Routers

  • 56

    Easy VPN Remote Client Mode

    (Diagram: Cisco 831 router as Easy VPN Remote, VPN tunnel to a Cisco router (Easy VPN Server) 12.3(11)T; addresses shown: 10.0.0.2, 10.0.0.3, 10.0.0.4 and 192.168.100.X.)

  • 57

    Easy VPN Remote Network Extension Mode

    (Diagram: Cisco 831 (Easy VPN Remote), VPN tunnel to a Cisco router (Easy VPN Server) 12.3(11)T; addresses shown: 172.16.10.5, 172.16.10.6, .4 and 172.16.X.X.)

  • 58

    Easy VPN Remote Configuration General Tasks for Access Routers

    Task 1 (Optional) Configure the DHCP server pool.

    Task 2 Configure and assign the Cisco Easy VPN client profile.

    Task 3 (Optional) Configure XAUTH password save.

    Task 4 Initiate the VPN tunnel.

    Task 5 Verify the Cisco Easy VPN configuration.

  • 59

    Task 1 Configure the DHCP Server Pool

    router(config)#ip dhcp pool pool-name

    router(dhcp-config)#network ip-address [ mask | /prefix-length]

    default-router address [address2 ... addressN]

    import all

    lease {days [ hours][ minutes] | infinite}

    exit

    router(config)#ip dhcp excluded-address lan-ip-address

  • 60

    Task 1 Example DHCP Server Pool

    vpnRemote1(config)# ip dhcp pool CLIENT

    vpnRemote1(dhcp-config)# network 10.10.10.0 255.255.255.0

    vpnRemote1(dhcp-config)# default-router 10.10.10.1

    vpnRemote1(dhcp-config)# import all

    vpnRemote1(dhcp-config)# lease 3

    vpnRemote1(dhcp-config)# exit

    vpnRemote1(config)# ip dhcp excluded-address 10.10.10.1

    (Diagram: VPNREMOTE1 with inside network 10.10.10.0 (.1) and outside network 20.20.20.0 (.1); VPNGATE1 at 20.20.20.0 (.2) with inside network 30.30.30.0.)

  • 61

    Task 2 Configure the Cisco Easy VPN Client Profile

    router(config)#crypto ipsec client ezvpn name

    router(config-crypto-ezvpn)#group group-name key group-key

    peer [ ip-address | hostname]

    mode {client | network-extension | network-plus}

    exit

  • 62

    Task 2 Example Configure the Cisco Easy VPN Client Profile

    (Diagram: VPNREMOTE1, inside 10.10.10.0 (.1), outside 20.20.20.0 (.1), to VPNGATE1 at 20.20.20.0 (.2), inside 30.30.30.0. Profile: Group: VPN-REMOTE-ACCESS, Peer: 20.20.20.2, Key: MYVPNKEY, Mode: Client.)

    vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1

    vpnRemote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY

    vpnRemote1(config-crypto-ezvpn)# peer 20.20.20.2

    vpnRemote1(config-crypto-ezvpn)# mode client

    vpnRemote1(config-crypto-ezvpn)# exit

    vpnRemote1(config)#

  • 63

    Task 2 Example Assign Easy VPN Remote to the Interface

    vpnRemote1(config)# interface ethernet1

    vpnRemote1(config-if)# crypto ipsec client ezvpn VPNGATE1

    vpnRemote1(config-if)# exit

    (Diagram: VPNREMOTE1, inside 10.10.10.0 (.1), outside 20.20.20.0 (.1), to VPNGATE1 at 20.20.20.0 (.2), inside 30.30.30.0.)

    router(config-if)#crypto ipsec client ezvpn name [inside | outside]

  • 64

    Task 3 (Optional) Configure XAUTH Save Password Feature

    router(config)#crypto ipsec client ezvpn name

    router(config-crypto-ezvpn)#username aaa-username password aaa-password

    vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1

    vpnRemote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS

    vpnRemote1(config-crypto-ezvpn)# exit

  • 65

    Task 4 (Optional) Initiate the VPN Tunnel (XAUTH)

    Cisco IOS message: Waiting for valid XAUTH username and password.

    01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:

    01:34:42: EZVPN: crypto ipsec client ezvpn xauth

    router#crypto ipsec client ezvpn xauth

    vpnRemote1# crypto ipsec client ezvpn xauth
    Enter Username and Password: vpnusers
    Password: ********

    With XAUTH: When SA expires, username and password must be manually entered.

    With XAUTH Password Save enabled: When SA expires, the last valid username and password will be reused automatically.

  • 66

    Task 5 Verify the Cisco Easy VPN Configuration

    vpnRemote1# show crypto ipsec client ezvpn

    Easy VPN Remote Phase: 2

    Tunnel name : VPNGATE1
    Inside interface list: Ethernet0,
    Outside interface: Ethernet1
    Current State: IPSEC_ACTIVE
    Last Event: SOCKET_UP
    Address: 30.30.30.24
    Mask: 255.255.255.255
    DNS Primary: 30.30.30.10
    DNS Secondary: 30.30.30.11
    NBMS/WINS Primary: 30.30.30.12
    NBMS/WINS Secondary: 30.30.30.13
    Default Domain: cisco.com

  • 67

    Easy VPN Remote Configuration Example

    version 12.2
    hostname VPNREMOTE1
    !
    username admin privilege 15 password 7 070E25414707485744
    ip subnet-zero
    ip domain-name cisco.com
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool CLIENT
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     lease 3
    !
    crypto ipsec client ezvpn VPNGATE1
     connect auto
     group VPNREMOTE1 key 0 MYVPNKEY
     mode client
     peer 20.20.20.2
     username VPNUSER password 0 VPNPASS

  • 68

    Easy VPN Remote Configuration Example (Cont.)

    interface Ethernet0
     ip address 10.10.10.1 255.255.255.0
     crypto ipsec client ezvpn VPNGATE1 inside
    !
    interface Ethernet1
     ip address 20.20.20.1 255.255.255.0
     crypto ipsec client ezvpn VPNGATE1
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet1
    ip route 30.30.30.0 255.255.255.0 Ethernet1
    ip http server
    no ip http secure-server
    !
    line con 0
     no modem enable
     stopbits 1
    line aux 0
    line vty 0 4
    !
    end

  • 69

    Module 6 Configure Remote Access VPN

    6.5 Configure the PIX Security Appliance as an Easy VPN Server

  • 70

    EasyVPN Server General Configuration Tasks

    Task 1 Create an ISAKMP policy for remote Cisco VPN Client access.

    Task 2 Create an IP address pool.

    Task 3 Define a group policy for a mode configuration push.

    Task 4 Create a transform set.

    Task 5 Create a dynamic crypto map.

    Task 6 Assign a dynamic crypto map to a static crypto map.

    Task 7 Apply a dynamic crypto map to the PIX Security Appliance interface.

    Task 8 Configure XAUTH.

    Task 9 Configure NAT and NAT 0.

    Task 10 Enable IKE dead peer detection (DPD).

  • 71

    Create ISAKMP Policy

  • 72

    Create IP Address Pool

  • 73

    Define Group Policy for Mode Configuration Push

    Step 1 Set the Tunnel Group Type

    Step 2 Configure the IKE Pre-shared Key

    Step 3 Specify the Local IP Address Pool

    Step 4 Configure the Group Policy Type

    Step 5 Enter the Group Policy Attributes Submode

    Step 6 Specify the DNS Servers

    Step 7 Specify the WINS Servers

    Step 8 Specify the DNS Domain

    Step 9 Specify the Idle Timeout

  • 74

    Set Tunnel Group Type

  • 75

    Configure IKE Pre-Shared Key

  • 76

    Specify Local IP Address Pool

  • 77

    Configure the Group Policy Type

  • 78

    Enter the Group Policy Attributes Submode

  • 79

    Specify DNS Servers

  • 80

    Specify WINS Servers

  • 81

    Specify DNS Domain

  • 82

    Specify Idle Time

  • 83

    Create Transform Set

  • 84

    Create Dynamic Crypto Map

  • 85

    Assign Dynamic Crypto Map to Static Crypto Map

  • 86

    Apply Dynamic Crypto Map

  • 87

    Configure XAUTH

    Step 1 Enable AAA login authentication.

    Step 2 Define AAA server IP address and encryption key.

    Step 3 Enable IKE XAUTH for the crypto map.

  • 88

    Configure NAT and NAT 0

  • 89

    Enable IKE DPD

  • 90

    Module 6 Configure Remote Access VPN

    6.6 Configure a PIX 501 or 506E as an Easy VPN Client

  • 91

    PIX Easy VPN Remote

  • 92

    Easy VPN Remote Client Configuration

  • 93

    Easy VPN Client Device Mode

  • 94

    Module 6 Configure Remote Access VPN

    6.7 Configure the Adaptive Security Appliance to Support WebVPN

  • 95

    Home Page

  • 96

    Website Access

  • 97

    Port Forwarding

  • 98

    Enabling WebVPN

  • 99

    Home Page Look and Feel Configuration

  • 100

    Enabling WebVPN

  • 101

    Servers and URL Configuration Example

  • 102

    Enable Port Forwarding

  • 103

    Port Forwarding Configuration Example

  • 104

    Enable Email Proxy

  • 105

    Email Proxy Configuration Example

  • 106

    HTML Content Filtering

  • 107

    HTML Content Filtering

  • 108

    WebVPN ACLs
