111 © 2001, Cisco Systems, Inc. All rights reserved. Presentation_ID.
Module 14
PIX VPN
Learning Objectives
• Upon completion of this module, you will be able to perform the following tasks:
– Identify how the PIX Firewall enables a secure VPN.
– Identify the tasks to configure PIX Firewall IPSec support.
– Identify the commands to configure PIX Firewall IPSec support.
– Configure a VPN between PIX Firewalls.
– Describe the Cisco VPN Client.
Overview
This module will cover the creation and configuration of secure VPNs. VPNs are a very useful tool in securing traffic between two remote networks. Both site-to-site and remote access VPNs will be covered.
Key Terms
• IPSec
• IKE
• DES, 3DES, AES
• SHA-1, MD5
• RSA
• Digital Certificates
• Pre-shared keys
• Diffie-Hellman
The PIX Firewall Enables a Secure VPN
PIX Firewall VPN Topologies
IPSec Enables PIX Firewall VPN Features
– Data confidentiality
– Data integrity
– Data authentication
– Anti-replay
What Is IPSec?
• IETF standard that enables encrypted communication between peers
– Consists of open standards for securing private communications.
– Network layer encryption ensuring data confidentiality, integrity, and authentication.
– Scales from small to very large networks.
– Included in PIX Firewall version 5.0 and later.
IPSec Standards Supported by the PIX Firewall
– IPSec (IP Security protocol)
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– Data Encryption Standard (DES)
– Triple DES (3DES)
– Diffie-Hellman (DH)
– Message Digest 5 (MD5)
– Secure Hash Algorithm (SHA)
– Rivest, Shamir, Adleman signatures (RSA)
– Certificate Authorities (CA)
IPSec Configuration Tasks
Task 1—Prepare to Configure VPN Support
IPSec Configuration Tasks Overview
– Task 1—Prepare to configure VPN support.
– Task 2—Configure IKE parameters.
– Task 3—Configure IPSec parameters.
– Task 4—Test and verify VPN configuration.
Task 1—Prepare to Configure VPN Support
– Step 1—Determine the IKE (IKE phase one) policy.
– Step 2—Determine the IPSec (IKE phase two) policy.
– Step 3—Ensure that the network works without encryption.
– Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.
Plan for IKE
Determine IKE Phase One Policy
IKE Phase One Policy Parameters

Parameter               Site 1            Site 2
Encryption algorithm    DES               DES
Hash algorithm          SHA               SHA
Authentication method   Pre-share         Pre-share
Key exchange            768-bit D-H       768-bit D-H
IKE SA lifetime         86,400 seconds    86,400 seconds
Plan for IPSec
Determine IPSec (IKE Phase Two) Policy
Ensure the Network Works
pixfirewall# ping 172.30.2.2
Ensure ACLs do not Block IPSec Traffic
Task 2—Configure IKE Parameters
Step 1—Enable or Disable IKE
– Enables or disables IKE on the PIX Firewall interfaces.
– IKE is enabled by default.
– Disable IKE on interfaces not used for IPSec.
pixfirewall(config)# isakmp enable interface-name
pixfirewall(config)# isakmp enable outside
Step 2—Configure an IKE Phase One Policy
– Creates a policy suite grouped by priority number.
– Creates policy suites that match peers.
– Can use default values.
pixfirewall(config)# isakmp policy 10 encryption des
pixfirewall(config)# isakmp policy 10 hash sha
pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 group 1
pixfirewall(config)# isakmp policy 10 lifetime 86400
Step 3—Configure the IKE Pre-shared Key
– Pre-shared keystring must be identical at both peers.
– Use any combination of alphanumeric characters up to 128 bytes for keystring.
– Specify peer-address as a host or wildcard address.
– Easy to configure, yet is not scalable.
pixfirewall(config)# isakmp key keystring address peer-address [netmask]
pixfirewall(config)# isakmp key cisco123 address 192.168.6.2
Step 4—Verify IKE Phase One Policies
– Displays configured and default IKE protection suites.
pixfirewall# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Task 3—Configure IPSec Parameters
Step 1—Configure Interesting Traffic
– permit = encrypt
– deny = do not encrypt
– access-list selects IP traffic by address, network, or subnet
pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask
pixfirewall(config)# access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
Example Crypto ACLs
– Lists should always be symmetrical.
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
PIX6
pix6(config)# show static
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
pix6(config)# show access-list
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
Step 2—Configure an IPSec Transform Set
– Sets are limited to up to one AH and up to two ESP transforms.
– Default mode is tunnel.
– Configure matching sets between IPSec peers.
pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
pix1(config)# crypto ipsec transform-set pix6 esp-des
Available IPSec Transforms
ah-md5-hmac    AH-HMAC-MD5 transform
ah-sha-hmac    AH-HMAC-SHA transform
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
Step 3—Configure the Crypto Map
– Specifies IPSec (IKE phase two) parameters.
– Map names and sequence numbers group entries into a policy.
pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp
pixfirewall(config)# crypto map MYMAP 10 match address 101
pixfirewall(config)# crypto map MYMAP 10 set peer 192.168.6.2
pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6
pixfirewall(config)# crypto map MYMAP 10 set pfs group1
pixfirewall(config)# crypto map MYMAP 10 set security-association lifetime seconds 28800
Step 4—Apply the Crypto Map to an Interface
– Applies the crypto map to an interface.
– Activates IPSec policy.
pixfirewall(config)# crypto map map-name interface interface-name
pixfirewall(config)# crypto map MYMAP interface outside
Example Crypto Map for PIX1
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
        Peer = 192.168.2.2
        access-list 101 permit ip host 192.168.1.11 host 192.168.2.11 (hitcnt=0)
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix2, }
Example Crypto Map for PIX2
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
        Peer = 192.168.1.2
        access-list 101 permit ip host 192.168.2.11 host 192.168.1.11 (hitcnt=0)
        Current peer: 192.168.1.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix1, }
Task 4—Test and Verify VPN Configuration
Task 4—Test and Verify VPN Configuration
– Verify ACLs and interesting traffic.
show access-list
– Verify correct IKE configuration.
show isakmp
show isakmp policy
– Verify correct IPSec configuration.
show crypto ipsec transform-set
Task 4—Test and Verify VPN Configuration (cont.)
– Verify the correct crypto map configuration.
show crypto map
– Clear the IPSec SA.
clear crypto ipsec sa
– Clear the IKE SA.
clear crypto isakmp sa
– Debug IKE and IPSec traffic through the PIX Firewall.
debug crypto ipsec
debug crypto isakmp
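As an added check for the four-task site-to-site procedure above (example code written for this page, not part of the Cisco module), the following Python script parses two PIX peer configurations, constructed here after the PIX1/PIX6 example, and reports the mismatches Task 4 is meant to catch: differing IKE policy values or pre-shared keys, an isakmp key address that does not match the crypto map peer, crypto ACLs that are not mirror images, and no transform set in common. It also flags the DES/group 1 values the module uses, which are obsolete today.

```python
# Constructed two-peer configs modelled on the module's PIX1/PIX6 example (not the original slides).
PIX1_CFG = """
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp key cisco123 address 192.168.6.2
access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
crypto ipsec transform-set pix6 esp-des
crypto map MYMAP 10 set peer 192.168.6.2
crypto map MYMAP 10 set transform-set pix6
"""
# PIX6 is the mirror image: peer address swapped, transform set renamed, crypto ACL reversed.
PIX6_CFG = (PIX1_CFG.replace("192.168.6.2", "192.168.1.2").replace("pix6", "pix1")
            .replace("host 192.168.1.10 host 192.168.6.10", "host 192.168.6.10 host 192.168.1.10"))

def parse(cfg):
    # Pull out only the fields the peer-matching checks need (assumes 'ip host A host B' crypto ACLs).
    p = {"policy": {}, "key": None, "key_addr": None, "acl": set(), "ts": {}, "peer": None, "map_ts": set()}
    for line in cfg.strip().splitlines():
        w = line.split()
        if w[:2] == ["isakmp", "policy"]:
            p["policy"][w[3]] = w[4]            # e.g. "encryption" -> "des"
        elif w[:2] == ["isakmp", "key"]:
            p["key"], p["key_addr"] = w[2], w[4]
        elif w[0] == "access-list" and w[2] == "permit":
            p["acl"].add((w[5], w[7]))          # (source host, destination host)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"][w[3]] = tuple(w[4:])        # set name -> transforms
        elif "set peer" in line:
            p["peer"] = w[-1]
        elif "set transform-set" in line:
            p["map_ts"].add(w[-1])
    return p

def check_peers(cfg_a, cfg_b):
    # Return the list of mismatches that would stop the two peers from building a tunnel.
    a, b = parse(cfg_a), parse(cfg_b)
    mirrored = {(dst, src) for src, dst in b["acl"]}
    ts_common = {a["ts"][n] for n in a["map_ts"]} & {b["ts"][n] for n in b["map_ts"]}
    checks = [
        (a["policy"] != b["policy"], "IKE phase one policy values differ"),
        (a["key"] != b["key"], "pre-shared keys differ"),
        (a["key_addr"] != a["peer"] or b["key_addr"] != b["peer"], "isakmp key address does not match crypto map peer"),
        (a["acl"] != mirrored, "crypto ACLs are not mirror images"),
        (not ts_common, "no transform set in common"),
        (a["policy"].get("encryption") == "des" or a["policy"].get("group") == "1",
         "encryption des / DH group 1 is obsolete; prefer AES and a larger DH group"),
    ]
    return [msg for bad, msg in checks if bad]
```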
The Cisco VPN Client
Topology Overview
Cisco VPN Client Features
– Support for Windows ME, Windows 2000, and Windows XP
– Data compression
– Split tunneling
– User authentication by way of VPN central-site device
– Automatic VPN Client configuration
– Internal MTU adjustment
– CLI to the VPN Dialer
– Start Before Logon
– Software update notifications from the VPN device upon connection
PIX Firewall to VPN Client Pre-Shared Example
pixfirewall# write terminal
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool MYPOOL 10.0.20.1-10.0.20.254
nat (inside) 0 access-list 80
route outside 0 0 192.168.0.1
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.10 tacacskey timeout 5
aaa authentication include any inbound 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
PIX Firewall to VPN Client Pre-Shared Example (cont.)
pixfirewall# write terminal
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup TRAINING address-pool MYPOOL
vpngroup TRAINING idle-time 1800
vpngroup TRAINING password ********
VPN Client to PIX Firewall Example
– A new connection entry named vpnpeer0 is created.
– The remote server IP is the PIX Firewall outside interface.
VPN Client to PIX Firewall Example (cont.)
– The group name matches the vpngroup name in the PIX Firewall.
– The password is the pre-shared key and must match the vpngroup password.
– You can use the digital certificate for authentication.
PIX Firewall Assigns the IP Address to the VPN Client
Scale PIX Firewall VPNs
CA Server Fulfilling Requests from IPSec Peers
• Each IPSec peer individually enrolls with the CA server.
Enroll a PIX Firewall with a CA
– Configure CA support
– Generate public/private keys
– Authenticate the CA
– Request signed certificates from the CA
– CA administrator verifies request and sends signed certificates
Summary
– The PIX Firewall enables a secure VPN.
– IPSec configuration tasks include configuring IKE and IPSec parameters.
– CAs enable scaling to a large number of IPSec peers.
– Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.