CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] - text version

Greg Bastien; Earl Carter; Christian Degu

  • Foundation and Supplemental Topics



    Introduction to Cisco Easy VPN


    Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters. Based on a Cisco Unified Client Framework, Cisco Easy VPN centralizes management across all Cisco VPN devices, thus greatly reducing the complexity in configuring and deploying VPN configurations. The Cisco Easy VPN consists of the following two components (see Figure 12-1):

    • Easy VPN Server

    • Easy VPN Remote feature



    Figure 12-1. Cisco Easy VPN

    Easy VPN Server


    The Easy VPN Server enables Cisco IOS® routers, PIX Firewalls, and Cisco VPN 3000 Series concentrators to serve as VPN headend devices when remote offices are running the Easy VPN Remote feature. The configuration works for both site-to-site and remote access configurations. With Cisco Easy VPN, security policies defined at the headend are pushed to the remote VPN device, ensuring that the connection has up-to-date policies in place before the connection is established.

    Mobile workers running the VPN Client software on their PCs can initiate Internet Protocol Security (IPSec) tunnels that are terminated on the Easy VPN Server. This flexibility enables telecommuters and traveling employees to easily access critical data and applications that reside at the headquarters facilities.

    Easy VPN Remote Feature


    The Easy VPN Remote feature enables PIX Firewalls, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain Cisco IOS® routers to act as remote VPN clients. The Easy VPN Server can push security policies to these clients, thus minimizing VPN configuration requirements at remote locations. This cost-effective solution is ideal for remote offices with little information technology (IT) support as well as large deployments where it is impractical to configure individual remote devices.


    Overview of the Easy VPN Server


    The Easy VPN Server serves as the headend for your VPN configuration. To utilize Cisco Easy VPN effectively, you need to understand the following characteristics of the PIX Firewall Easy VPN Server:

    • Major features

    • Server functions

    • Supported servers


    Major Features


    The PIX Firewall Version 6.3 VPN Server includes the following major features:

    • Support for Easy VPN Remote clients

    • Ability for remote users to communicate using IPSec with supported PIX Firewall gateways

    • Central management of IPSec policies that are pushed to the clients by the server


    Server Functions


    The PIX Firewall Version 6.3 VPN Server supports the following functionality:

    • Mode Configuration version 6

    • Extended Authentication (XAUTH) version 6

    • Internet Key Exchange (IKE) dead peer detection (DPD)

    • Split tunneling control

    • Initial Contact

    • Group-based policy control



    Dead Peer Detection


    Dead peer detection (DPD) enables two IPSec peers to determine whether the other is still "alive" during the lifetime of the VPN connection. This functionality is useful for cleaning up valuable VPN resources that are allocated to a peer that no longer exists.

    A Cisco VPN device can be configured to send and reply to DPD messages. DPD messages are sent when no other traffic is traversing the IPSec tunnel. If a configured amount of time passes without a reply to a DPD message, a dead peer can be detected. DPD messages are unidirectional and are automatically sent by Cisco VPN Clients. DPD is configured on the server only if the server wishes to send DPD messages to VPN Clients to assess their health.


    Initial Contact


    If a Cisco VPN Client is suddenly disconnected, the gateway might not immediately detect this, so the current connection information (IKE and IPSec security associations [SAs]) will still be valid. Then, if the VPN Client attempts to reestablish a connection, the new connection will be refused because the gateway still has the previous connection marked as valid. To avoid this scenario, Initial Contact has been implemented in all Cisco VPN products. Initial Contact enables the VPN Client to send an initial message that instructs the gateway to ignore and delete any existing connections from that client, thus preventing connection problems caused by SA synchronization issues.

    The Cisco Easy VPN supports the IPSec options and attributes shown in Table 12-2.

    Table 12-2. IPSec Options and Attributes

    IPSec Option

    Attributes

    Authentication Algorithms

    • Keyed-Hash Message Authentication Code (HMAC) with Message Digest 5 (HMAC-MD5)

    • HMAC with Secure Hash Algorithm (HMAC-SHA-1)


    Authentication Types

    • Preshared keys

    • Rivest-Shamir-Adleman (RSA) digital signatures (not supported by Cisco Easy VPN Remote phase II)


    Diffie-Hellman (DH) Groups

    • Group 1

    • Group 2

    • Group 5


    IKE Encryption Algorithms

    • Data Encryption Standard (DES)

    • Triple Data Encryption Standard (3DES)

    • Advanced Encryption Standard (AES)


    IPSec Encryption Algorithms

    • DES

    • 3DES

    • AES

    • NULL


    IPSec Protocol Identifiers

    • Encapsulating Security Payload (ESP)

    • IP Payload Compression Protocol (IPComp)

    • STAC-Lempel-Ziv Compression (LZS)


    IPSec Protocol Mode

    • Tunnel Mode


    Supported Servers


    The Easy VPN Remote feature requires that the destination peer be a VPN gateway or concentrator that supports the Easy VPN Server. Some of the currently supported Easy VPN Server platforms include the following:

    • Cisco 806, 826, 827, and 828 routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 1700 Series routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 2600 Series routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 3620, 3640, and 3660 routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 7100 Series VPN routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 7200 Series routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco 7500 Series routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco uBR905 and uBR925 cable access routers (Cisco IOS Software Release 12.2[8]T or later)

    • Cisco VPN 3000 Series (Software Release 3.11 or later)

    • Cisco PIX 500 Series (Software Release 6.2 or later)



    Overview of Easy VPN Remote Feature


    The Cisco Easy VPN Remote feature enables Cisco PIX Firewalls, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain IOS routers to act as remote Cisco VPN Clients. The Cisco Easy VPN Remote feature provides for automatic management of the following items:

    • Negotiating tunnel parameters

    • Establishing tunnels according to parameters

    • Automatically creating the Network Address Translation (NAT)/Port Address Translation (PAT) and associated access list if necessary

    • Authenticating users

    • Managing security keys for encryption and decryption

    • Authenticating, encrypting, and decrypting data through the VPN tunnel


    This section explains the following characteristics of the Easy VPN Remote feature:

    • Supported clients

    • Easy VPN remote connection process

    • XAUTH configuration


    Supported Clients


    The Easy VPN Remote feature supports the following client platforms:

    • Cisco VPN Software Client

    • Cisco VPN 3002 Hardware Client

    • Cisco PIX 501 and 506/506E VPN Clients

    • Cisco Easy VPN Remote router clients


    Cisco VPN Software Client


    The Cisco Easy VPN Remote feature supports the Cisco VPN Client software (software version 3.x and later). Simple to deploy and operate, this client software enables customers to establish secure, end-to-end encrypted tunnels to any Easy VPN Server. The Cisco VPN Software Client is available from the Cisco.com website for any central-site remote access VPN product and is included free of charge with the Cisco VPN 3000 Concentrator.

    VPN access policies and configurations are downloaded to the Cisco VPN Software Client from the Easy VPN Server when the client establishes a connection. This configuration simplifies deployment, management, and scalability. By preconfiguring the client software, the initial user login requires little user intervention even in mass deployment scenarios.

    The Cisco VPN Software Client operates with the following operating systems:

    • Microsoft Windows 95, 98, Me, NT 4.0, 2000, and XP

    • Linux

    • Solaris (UltraSPARC 32- and 64-bit)

    • Mac OS X 10.1


    Cisco VPN 3002 Hardware Client


    The Cisco VPN Hardware Client has the Cisco VPN Software Client software built into it, enabling it to emulate the Cisco 3000 Series VPN Concentrator Software Client. You can simply connect the remote PCs to the Hardware Client instead of loading the Cisco VPN Software Client software on each remote PC.

    The Hardware Client comes in the following two versions:

    • Hardware Client

    • Hardware Client 8E


    Note

    Both Hardware Client models have one public Ethernet interface. The difference between the two Hardware Clients is that the 8E has eight private 10/100BaseT ports instead of only one. These eight ports utilize auto Medium Dependent Interface Crossover (MDIX) technology that eliminates the need for crossover cables when connecting a device to a port.

    The Hardware Client operates in one of the following two modes:

    • Client mode

    • Network extension mode


    You can select the modes locally using the command-line interface (CLI) or the graphical user interface (GUI) or remotely using an IPSec tunnel or Secure Shell (SSH).

    The Hardware Client is powered by an external power supply and can auto-sense either 110V or 220V.

    Cisco PIX 501 and 506 VPN Clients


    The following two PIX Firewall models are commonly used as VPN clients:

    • PIX 501

    • PIX 506/506E


    The PIX 501 delivers enterprise-class security for small offices and telecommuters. For small offices with always-on broadband connections, the PIX 501 provides security functionality, numerous networking features, and powerful remote management capabilities in a compact single-box solution.

    Up to four individual systems can share a single broadband connection, using the integrated four-port auto-sensing, auto MDIX switch for the inside interface. Like the Hardware Client, this switch eliminates the need for crossover cables when connecting a device to a port. The Ethernet ports support 10/100BASE-T (100BASE-T with the 6.3 software release). The PIX 501 also provides an RS-232 console port interface (RJ-45 connector and 9600 baud).

    The PIX 506/506E enables companies to utilize the power of the Internet to enable users to work remotely from home securely. It delivers full firewall protection in conjunction with IPSec and VPN functionality. Connecting simultaneously with up to 25 VPN peers, the PIX 506/506E provides a complete implementation of IPSec standards. It comes with two integrated 10/100BASE-T (100BASE-T with the 6.3 software release) ports in a compact platform (8 inches by 12 inches by 1.7 inches). Updates to image files are downloaded using the Trivial File Transfer Protocol (TFTP).

    Note

    Before software release 6.3, the Ethernet ports on the PIX 501 and 506/506E were 10BASE-T. After upgrading to the 6.3 software release on either the PIX 501 or 506/506E, these ports become 10/100BASE-T ports. This speed enhancement is accomplished strictly by a software update (no hardware upgrades are necessary).

    Cisco Easy VPN Remote Router Clients


    To provide a comprehensive solution, Cisco Easy VPN also supports several router-based clients. You can use the following router platforms as Cisco Easy VPN remote clients:

    • Cisco 800 Series routers (806, 826, 827, 828)

    • Cisco 900 Series routers (uBR905, uBR925)

    • Cisco 1700 Series routers (1710, 1720, 1721, 1750, 1751, 1760)


    Cable modems, xDSL routers, and other forms of broadband access provide Internet access, but many situations require VPN connections to secure data that traverses the Internet. Establishing a VPN connection between two VPN endpoints, however, can be complicated because it usually requires coordination between administrators to perform the tedious tasks necessary to define the connection parameters.

    Cisco Easy VPN Remote eliminates most of the tedious work by implementing the Cisco VPN Client protocol. This protocol allows many of the VPN parameters to be configured on the access server. Once the access server is configured, the additional configuration on the VPN Client is minimal. When the IPSec client initiates the VPN connection, the VPN remote access server pushes the required IPSec policies to the IPSec client and creates the corresponding IPSec tunnel.

    Easy VPN Remote Connection Process


    When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway, the interaction between the peers involves the following major steps:


    Step 1.

    VPN Client initiates the IKE phase 1 process.

    Step 2.

    VPN Client negotiates an IKE SA.

    Step 3.

    Easy VPN Server accepts the SA proposal.

    Step 4.

    Easy VPN Server initiates a username/password challenge.

    Step 5.

    Mode configuration process is initiated.

    Step 6.

    IKE quick mode completes the connection.



    Step 1.

    VPN Client Initiates Internet Key Exchange Phase 1 Process

    When initiating the VPN connection, the client can use one of the following two IKE authentication mechanisms:

    • Preshared keys

    • Digital certificates


    When using preshared keys, the client initiates IKE aggressive mode negotiation. The group name entered in the configuration GUI (ID-KEY-ID) is used to identify the group profile associated with the VPN Client.

    Using digital certificates requires the client to initiate IKE main mode negotiation. The Organizational Unit (OU) field of the distinguished name (DN) is used to identify the group profile associated with the VPN Client.

    Step 2.

    VPN Client Negotiates an Internet Key Exchange Security Association

    The client attempts to establish an SA between the client and server peer Internet Protocol (IP) addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following parameters:

    • Encryption and hash algorithms

    • Authentication methods

    • Diffie-Hellman (DH) group sizes


    Proposing multiple IKE proposals with various parameters means that one combination is likely to match one of the options configured on the server.

    Step 3.

    Easy VPN Server Accepts the Security Association Proposal

    After receiving the various proposals from the VPN Client, the Easy VPN Server searches for a valid match in its configuration. The first proposal to match is accepted. To ensure that the most secure proposal is always accepted, you should store the valid proposals on the server in order from the most secure option to the least secure option.

    Step 4.

    Easy VPN Server Initiates a Username/Password Challenge

    If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge once the proposal is accepted. The username and password entered by the user are checked against the data stored in an authentication, authorization, and accounting (AAA) server.

    Note

    VPN devices that handle remote Cisco VPN Clients should always be configured to enforce user authentication.

    Step 5.

    Mode Configuration Process Is Initiated

    After successfully authenticating with the Easy VPN Server, the VPN Client requests the remaining configuration parameters from the Easy VPN Server such as the following:

    • IP address

    • Domain Name System (DNS) information

    • Split tunneling configuration


    Note

    The IP address is the only required parameter in the group profile. All other parameters are optional.

    Step 6.

    Internet Key Exchange Quick Mode Completes the Connection

    After the VPN Client receives the various configuration parameters from the Easy VPN Server, IKE quick mode is initiated to negotiate the IPSec SA establishment.


    Extended Authentication Configuration


    XAUTH enables the Easy VPN Server to require username/password authentication in order to establish the VPN connection. This authentication is performed by an AAA server. To configure the Easy VPN Server to use XAUTH for remote VPN clients, you must set up the Easy VPN Server and configure it to perform XAUTH. The complete configuration process involves performing the following tasks:

    • Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for remote Cisco VPN Client access

    • Create an IP address pool

    • Define a group policy for mode configuration push

    • Create a transform set

    • Create a dynamic crypto map

    • Assign the dynamic crypto map to a static crypto map

    • Apply the static crypto map to an interface

    • Configure XAUTH

    • Configure NAT and NAT 0

    • Enable IKE DPD


    Create an Internet Security Association and Key Management Protocol Policy


    To create the ISAKMP policy you must use the standard ISAKMP configuration commands to define the following parameters:

    • Authentication type

    • Encryption algorithm

    • Hash algorithm

    • Diffie-Hellman group ID

    • SA lifetime


    The syntax for these commands is as follows:


    isakmp policy priority authentication { pre-share | rsa-sig }
    isakmp policy priority encryption { aes | aes-192 | aes-256 | des | 3des }
    isakmp policy priority group { 1 | 2 | 5 }
    isakmp policy priority hash { md5 | sha }
    isakmp policy priority lifetime seconds

    Table 12-3 outlines the parameters for the isakmp policy command.

    Table 12-3. isakmp policy Parameters

    Parameter

    Description

    aes

    Specifies AES with a 128-bit key to be the encryption algorithm used by the IKE policy.

    aes-192

    Specifies AES with a 192-bit key to be the encryption algorithm used by the IKE policy.

    aes-256

    Specifies AES with a 256-bit key to be the encryption algorithm used by the IKE policy.

    des

    Specifies DES with a 56-bit key to be the encryption algorithm used by the IKE policy.

    3des

    Specifies triple DES to be the encryption algorithm used by the IKE policy.

    encryption

    Keyword indicating that the next parameter specifies the encryption algorithm for the IKE policy

    group

    Keyword indicating that the next parameter is a Diffie-Hellman group. You can specify 1, 2, or 5 (1 is the default).

    hash

    Keyword indicating that the next parameter specifies the hash algorithm to be used by the IKE policy.

    lifetime

    Keyword indicating that the next parameter specifies the lifetime for the IKE policy.

    md5

    Specifies that the MD5 hash algorithm will be used by the IKE policy.

    pre-share

    Specifies that the IKE policy will use preshared keys for initial authentication.

    priority

    An integer (1 to 65,534) uniquely identifying the IKE policy and assigning it a priority (1 is the highest priority, and 65,534 is the lowest priority).

    rsa-sig

    Specifies that the IKE policy will use RSA signatures for initial authentication.

    sha

    Specifies that the SHA-1 hash algorithm will be used by the IKE policy. This is the default hash algorithm.

    For instance, suppose that you want to configure an ISAKMP policy based on the following criteria:

    • Preshare key initial authentication

    • AES encryption algorithm (128-bit)

    • SHA hash algorithm

    • Diffie-Hellman group 5


    The commands to define this ISAKMP policy are as follows:


    Pix(config)# isakmp enable outside
    Pix(config)# isakmp policy 30 authentication pre-share
    Pix(config)# isakmp policy 30 encryption aes
    Pix(config)# isakmp policy 30 hash sha
    Pix(config)# isakmp policy 30 group 5
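    The following Python model is an added example (not from the book or from Cisco) that ties the isakmp policy syntax above to the first-match rule described in Step 3 of the connection process: it parses a constructed set of isakmp policy lines, tries them in priority order against a constructed list of client proposals, reports where a weaker policy is tried before a stronger one, and shows that reordering the policies changes which SA the client ends up with. The strength ranking, the proposal list and the policy numbers are assumptions made for the example.

```python
# Added example (not from the book or from Cisco): models how the PIX Easy VPN
# Server chooses an IKE phase 1 policy. Policies are tried in priority order
# (lowest number first) and the first one that matches any client proposal is
# accepted, which is why the chapter says to list the strongest policy first.
import re

# Constructed server configuration in the chapter's isakmp policy syntax. Policy
# 10 (weak) deliberately sits ahead of policy 30 (strong) to show the problem.
SERVER_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 5
"""

# Constructed stand-in for the several combinations a VPN Client proposes.
CLIENT_PROPOSALS = [
    {"authentication": "pre-share", "encryption": "aes", "hash": "sha", "group": "5"},
    {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"},
    {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "1"},
]

ATTRS = ("authentication", "encryption", "hash", "group")
# Relative strength used only to rank policies (higher is stronger); an assumption.
ENC_RANK = {"des": 1, "3des": 2, "aes": 3, "aes-192": 4, "aes-256": 5}
HASH_RANK = {"md5": 1, "sha": 2}
GROUP_RANK = {"1": 1, "2": 2, "5": 3}


def parse_isakmp_policies(config):
    """Collect `isakmp policy <prio> <attr> <value>` lines into one dict per
    priority, returned from highest priority (1) to lowest (65534)."""
    found = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\w+) (\S+)", line)
        if m and m.group(2) in ATTRS:
            found.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    policies = []
    for prio in sorted(found):
        # sha and group 1 are the defaults stated in Table 12-3.
        policy = {"priority": prio, "hash": "sha", "group": "1"}
        policy.update(found[prio])
        policies.append(policy)
    return policies


def negotiate(policies, proposals):
    """Return (priority, proposal) for the first server policy, in priority
    order, that equals one of the client's proposals; (None, None) if none."""
    for policy in policies:
        for proposal in proposals:
            if all(policy.get(a) == proposal.get(a) for a in ATTRS):
                return policy["priority"], proposal
    return None, None


def strength(policy):
    return (ENC_RANK.get(policy["encryption"], 0)
            + HASH_RANK.get(policy["hash"], 0)
            + GROUP_RANK.get(policy["group"], 0))


def out_of_order(policies):
    """Pairs (weaker_prio, stronger_prio) where a weaker policy is tried first."""
    return [(a["priority"], b["priority"])
            for i, a in enumerate(policies) for b in policies[i + 1:]
            if strength(a) < strength(b)]


def reorder_strongest_first(policies):
    """Copy of the policies with priorities reassigned 10, 20, ... by strength."""
    ranked = sorted(policies, key=strength, reverse=True)
    return [dict(p, priority=10 * (i + 1)) for i, p in enumerate(ranked)]


if __name__ == "__main__":
    pols = parse_isakmp_policies(SERVER_CONFIG)
    print("as configured:", negotiate(pols, CLIENT_PROPOSALS))
    print("out of order:", out_of_order(pols))
    print("reordered:", negotiate(reorder_strongest_first(pols), CLIENT_PROPOSALS))
```

    Run as configured, the client lands on policy 10 (DES, MD5, group 1) even though both sides support AES; after reorder_strongest_first the same proposals match the AES policy first.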

    Create an Internet Protocol Address Pool


    If the remote client is using the Easy VPN Server to obtain its IP address, you must define a local address pool using the ip local pool command. The syntax for this command is as follows:


    ip local pool { pool_name low_ip_address [ - high_ip_address ]}

    For instance, suppose that you want to assign the remote clients addresses in the range from 10.20.100.1 through 10.20.100.254 using a pool named vpn_pool. The command line would be as follows:


    Pix(config)# ip local pool vpn_pool 10.20.100.1-10.20.100.254

    Define Group Policy for Mode Configuration Push


    Several parameters are pushed to the VPN Client from the Easy VPN Server. These parameters are specified by the group policy assigned to a set of remote VPN Clients. The major group policy parameters are as follows:

    • IKE preshared key

    • DNS servers

    • Windows Internet Naming Service (WINS) servers

    • DNS domain

    • Local IP address pool

    • Idle timeout


    Note

    Each remote VPN user belongs to a specific VPN group. As users establish VPN tunnels to the Easy VPN Server, they identify to which group they belong.

    You configure these parameters using the vpngroup command. The syntax for these commands is as follows:


    vpngroup group_name password preshared_key
    vpngroup group_name dns-server primary-server [ secondary-server ]
    vpngroup group_name wins-server primary-server [ secondary-server ]
    vpngroup group_name default-domain domain_name
    vpngroup group_name address-pool pool_name
    vpngroup group_name idle-time seconds

    Create Transform Set


    A transform identifies an encryption algorithm and hash algorithm pair. A group of transforms defines a transform set. For each group policy, you can define one or more transforms to indicate which pairs of algorithms are acceptable for new IPSec connections. You specify the transform information for your group policy using the crypto ipsec transform-set command. The syntax for this command is as follows:


    crypto ipsec transform-set transform-set-name transform1 [ transform2 [ transform3 ]]

    You can assign up to three different transforms to a specific transform set name. The order in which the transforms are listed indicates the order in which the transforms will be checked. Therefore, you must place the highest-priority (most secure) transforms first so that they will be matched before less-secure transforms. A remote client, however, can end up using any of the transforms that you specify in the list.

    Note

    For an IPSec-manual crypto map, you can specify only a single transform. When using IPSec-ISAKMP or dynamic crypto map entries, however, you can specify up to six transform sets.

    The transform sets that you can use are as follows:

    • ah-md5-hmac

    • ah-sha-hmac

    • esp-aes

    • esp-aes-192

    • esp-aes-256

    • esp-des

    • esp-3des

    • esp-null

    • esp-md5-hmac

    • esp-sha-hmac


    Each transform defines either ah or esp (indicating either Authentication Header [AH] or Encapsulating Security Payload [ESP]). The keyword used in the transform is an algorithm abbreviation (see Table 12-4).

    Table 12-4. Encryption and Hash Algorithms

    Keyword

    Algorithm

    aes

    Advanced Encryption Standard

    des

    Data Encryption Standard

    3des

    Triple Data Encryption Standard

    md5

    MD5 message digest algorithm

    sha

    SHA message digest algorithm

    Create a Dynamic Crypto Map


    When your VPN Clients connect to the Easy VPN Server, they will negotiate the parameters of the IPSec session. Creating a dynamic crypto map enables you to define a crypto map that does not have all of the parameters configured. It acts as a sort of policy template in which the missing parameters get configured to match the remote peer's requirements (as part of the IPSec negotiation). By using dynamic crypto maps, your Easy VPN Servers do not have to be preconfigured for all of the requirements of your remote peers, thus making the configuration process more flexible.

    Note

    Dynamic crypto maps are not used to initiate IPSec SAs with remote peers. They are used only when remote peers initiate IPSec SAs and during the evaluation of traffic coming to the server.

    You create dynamic crypto maps using the crypto dynamic-map command. The syntax for this command is as follows:


    crypto dynamic-map dynamic-map-name dynamic-map-seqnum

    Assign a Dynamic Crypto Map to a Static Crypto Map


    After creating a dynamic crypto map, you need to assign the dynamic crypto map to a static crypto map using the crypto map command. The syntax for this command is as follows:


    crypto map map-name seq-num { ipsec-isakmp|ipsec-manual } [ dynamic dynamic-map-name ]

    Apply the Static Crypto Map to an Interface


    Once the static crypto map has been created, you need to identify to which interface the map needs to be applied by using another variation of the crypto map command. The syntax for this command is as follows:


    crypto map map-name interface interface-name

    Configure Extended Authentication


    Configuring XAUTH on the Easy VPN Server for your remote VPN Clients involves the following three steps:


    Step 1.

    Enable AAA login authentication.

    Step 2.

    Define AAA server IP address and encryption key.

    Step 3.

    Enable IKE XAUTH for the crypto map.


    To enable AAA login authentication, you use the aaa-server command. The syntax for this command is as follows:


    aaa-server server-tag protocol { tacacs+|radius }

    Besides enabling AAA login authentication, you need to configure the location of the AAA server by specifying its IP address. The syntax for this variation of the aaa-server command is as follows:


    aaa-server server-tag [( if_name )] host server-ip [ key ][ timeout seconds ]

    Finally, you need to enable IKE XAUTH for the crypto map that you defined using another variation of the crypto map command. This syntax for this command is as follows:


    crypto map map-name client [ token ] authentication aaa-server-name

    Note

    When the optional token keyword is specified, it informs the PIX Firewall that the AAA server uses a token-card system, so the PIX prompts the user for a username and password during IKE authentication.

    An example configuration for XAUTH that utilizes Terminal Access Controller Access Control System Plus (TACACS+) is as follows:


    pix515a(config)# aaa-server MYSERVER protocol tacacs+
    pix515a(config)# aaa-server MYSERVER (inside) host 192.168.1.15 S3cr3TK3y!
    pix515a(config)# crypto map MYMAP client authentication MYSERVER

    Configure Network Address Translation and NAT 0


    The traffic traversing the IPSec tunnel is encrypted. Some traffic originating from the Easy VPN Server network, however, simply must be translated using NAT and then sent without being encrypted. Figure 12-2 shows a situation in which a remote VPN Client is connecting across the Internet to the PIX VPN Server.


    Figure 12-2. Configuring NAT and NAT 0

    Traffic from the TACACS+ server destined for 192.168.120.120 needs to be encrypted and sent through the IPSec tunnel without translation. Traffic to the Internet (from the TACACS+ server), however, needs to be translated (by NAT) but not encrypted. The commands to perform this configuration are as follows:


    pix515a(config)# access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255
    pix515a(config)# nat (inside) 0 access-list 101
    pix515a(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    pix515a(config)# global (outside) 1 interface

    Traffic that matches access-list 101 is encrypted and sent through the IPSec tunnel to the remote system. Other traffic is translated (by NAT) and transmitted without encryption out the same interface.
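    The following Python function is an added example (not from the book or from Cisco) that works through the translation decision described above: it parses a constructed copy of the access-list, nat 0 and nat 1 lines, matches a flow's source and destination against the NAT 0 access list using PIX-style subnet masks, and reports whether the flow is exempt from translation (tunneled) or translated by the nat 1/global 1 pair. Only the translation decision is modelled; the crypto map is not.

```python
# Added example (not from the book or from Cisco): given a flow leaving the
# inside interface, decides whether it is exempt from translation under
# `nat (inside) 0 access-list 101` (sent through the IPSec tunnel untranslated)
# or falls through to `nat (inside) 1` (translated to the outside interface
# address). Only the translation decision is modelled, not the crypto map.
import ipaddress
import re

# Constructed configuration lines, following the chapter's Figure 12-2 example.
CONFIG = """
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

ACE_RE = re.compile(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")


def parse_acls(config):
    """ACL name -> list of (action, src_network, dst_network). PIX access lists
    take real subnet masks, so ipaddress can build the networks directly."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                action,
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return acls


def nat0_acl(config, ifname):
    """Name of the access list bound to `nat (ifname) 0`, if any."""
    m = re.search(rf"^\s*nat \({re.escape(ifname)}\) 0 access-list (\S+)",
                  config, re.M)
    return m.group(1) if m else None


def classify(config, src, dst, ifname="inside"):
    """'tunnel' if the flow is NAT-exempt (encrypted, untranslated), otherwise
    'nat' (translated by the nat 1 / global 1 pair and sent in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in parse_acls(config).get(nat0_acl(config, ifname), []):
        if s in snet and d in dnet:  # first matching entry decides
            return "tunnel" if action == "permit" else "nat"
    return "nat"


if __name__ == "__main__":
    for src, dst in [("10.10.10.25", "192.168.120.120"), ("10.10.10.25", "198.51.100.9")]:
        print(f"{src} -> {dst}: {classify(CONFIG, src, dst)}")
```

    A flow from 10.10.10.25 to 192.168.120.120 is classified as tunnel traffic; the same host talking to an Internet address is translated and sent unencrypted, which is the split the chapter describes for the TACACS+ server.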

    Enable Internet Key Exchange Dead Peer Detection


    Dead peer detection (DPD) allows two IPSec peers to determine that the other is still "alive" during the lifetime of the VPN connection. In many situations, one peer may reboot or the link may be unexpectedly disconnected for some other reason. The other peer may not quickly detect that the connection has been terminated. DPD enables an IPSec peer to send notification of the disconnection to the user, attempt to switch to another IPSec host, or clean up valuable resources that were allocated to a peer that is no longer connected.

    A Cisco VPN device can be configured to send and reply to DPD messages. DPD messages are sent when no other traffic is traversing the IPSec tunnel. If a configured amount of time passes without a reply to a DPD message, a dead peer can be detected. DPD messages are unidirectional and are automatically sent by Cisco VPN Clients. DPD is configured on the server only if the server wishes to send DPD messages to VPN Clients to assess their health.

    You use the isakmp keepalive command to enable the PIX Firewall gateway to send IKE DPD messages. You need to specify the number of seconds between DPD messages and the number of seconds between retries (if a DPD message does not receive a response). The syntax for this command is as follows:


    isakmp keepalive seconds [ retry_seconds ]
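    The following Python audit is an added example (not from the book or from Cisco) that checks a PIX Easy VPN Server configuration against the XAUTH task list given at the start of this section, from the ISAKMP policy through NAT 0 and IKE DPD. It reports tasks that are absent, flags weak algorithm choices (DES, MD5, group 1, esp-des, esp-null), and catches names that one command references but no other command defines. The configuration it runs on is constructed for the example and deliberately contains two defects: its vpngroup points at vpn-pool while the pool is named vpn_pool, and it has no isakmp keepalive line. The crypto dynamic-map ... set transform-set form is not shown in the chapter and is assumed here.

```python
# Added example (not from the book or from Cisco): audits a PIX Easy VPN Server
# configuration against the chapter's XAUTH task list, reports tasks that are
# missing, flags weak algorithm choices, and catches names that are referenced
# by one command but never defined by another.
import re

# Constructed configuration using the command forms shown in the chapter.
# Two defects are planted: the vpngroup points at "vpn-pool" while the pool is
# named "vpn_pool", and there is no `isakmp keepalive` line.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 5
ip local pool vpn_pool 10.20.100.1-10.20.100.254
vpngroup vpn_group password EXAMPLE-KEY-PLACEHOLDER
vpngroup vpn_group dns-server 10.10.10.5
vpngroup vpn_group address-pool vpn-pool
vpngroup vpn_group idle-time 1800
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec transform-set legacy esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map MYMAP 10 ipsec-isakmp dynamic dynmap
crypto map MYMAP interface outside
aaa-server MYSERVER protocol tacacs+
aaa-server MYSERVER (inside) host 192.168.1.15 EXAMPLE-KEY-PLACEHOLDER
crypto map MYMAP client authentication MYSERVER
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

TASKS = [  # (task from the chapter, regex proving it is configured)
    ("ISAKMP policy", r"^isakmp policy \d+ "),
    ("ISAKMP enabled on an interface", r"^isakmp enable "),
    ("IP address pool", r"^ip local pool "),
    ("group policy with address pool", r"^vpngroup \S+ address-pool "),
    ("transform set", r"^crypto ipsec transform-set "),
    ("dynamic crypto map", r"^crypto dynamic-map "),
    ("dynamic map assigned to static map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic "),
    ("crypto map applied to interface", r"^crypto map \S+ interface "),
    ("AAA server protocol", r"^aaa-server \S+ protocol "),
    ("AAA server host", r"^aaa-server \S+ \(\S+\) host "),
    ("XAUTH on crypto map", r"^crypto map \S+ client (token )?authentication "),
    ("NAT 0 exemption", r"^nat \(\S+\) 0 access-list "),
    ("IKE dead peer detection", r"^isakmp keepalive "),
]

WEAK = [  # (regex, finding text)
    (r"^isakmp policy (\d+) encryption des$", "IKE policy {0} uses single DES"),
    (r"^isakmp policy (\d+) hash md5$", "IKE policy {0} uses MD5"),
    (r"^isakmp policy (\d+) group 1$", "IKE policy {0} uses DH group 1"),
    (r"^crypto ipsec transform-set (\S+) .*\besp-(?:des|null)\b",
     "transform set {0} allows DES or NULL encryption"),
]

# (label, regex capturing a referenced name, regex capturing a defined name)
REFERENCES = [
    ("address pool", r"^vpngroup \S+ address-pool (\S+)", r"^ip local pool (\S+) "),
    ("dynamic map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", r"^crypto dynamic-map (\S+) "),
    ("AAA server", r"^crypto map \S+ client (?:token )?authentication (\S+)", r"^aaa-server (\S+) protocol "),
    ("transform set", r"^crypto dynamic-map \S+ \d+ set transform-set (\S+)", r"^crypto ipsec transform-set (\S+) "),
]


def lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]


def missing_tasks(config):
    ls = lines(config)
    return [task for task, rx in TASKS if not any(re.match(rx, l) for l in ls)]


def weak_settings(config):
    findings = []
    for l in lines(config):
        for rx, msg in WEAK:
            m = re.match(rx, l)
            if m:
                findings.append(msg.format(*m.groups()))
    return findings


def dangling_references(config):
    """Names used by one command but never defined by the matching command."""
    ls = lines(config)

    def captured(rx):
        return {m.group(1) for m in (re.match(rx, l) for l in ls) if m}

    return [f"{label} '{name}' is referenced but never defined"
            for label, used_rx, defined_rx in REFERENCES
            for name in sorted(captured(used_rx) - captured(defined_rx))]


def audit(config):
    return {"missing": missing_tasks(config),
            "weak": weak_settings(config),
            "dangling": dangling_references(config)}


if __name__ == "__main__":
    for section, items in audit(SAMPLE_CONFIG).items():
        print(section, items)
```

    On the sample configuration the audit reports the missing isakmp keepalive line, the legacy transform set that still offers DES, and the vpngroup reference to a pool that was never created; the last of these is the kind of name mismatch that silently leaves remote clients without an address.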


    Easy VPN Remote Modes of Operation


    The Easy VPN Remote supports the following two modes of operation:

    • Client mode

    • Network extension mode


    In client mode, the Easy VPN Server automatically creates NAT/PAT associations that allow the PCs and other hosts on the client side of the VPN connection to form a private network that does not use any IP addresses in the address space of the Easy VPN Server.

    Note

    The NAT/PAT translations and access control list (ACL) configurations created by the Easy VPN Remote feature are not written to either the startup configuration or the running configuration. You can view these configurations, however, using the show ip nat statistics and show access-list commands (or the show vpnclient detail command on the PIX Firewall) when the configuration is active.

    In network extension mode, the PCs and other hosts at the client end of the IPSec tunnel are assigned fully routable IP addresses that are reachable from the server network (by the IPSec tunnel session), forming one logical network. In this mode, PAT is not used so that client systems have direct access to the PCs and hosts on the destination network.

    Client Mode


    Client mode enables you to deploy a VPN quickly and easily in a small office/home office (SOHO) environment. In situations where there is no need to access the devices behind the VPN client directly and ease of use and quick installation are important, the client mode is the ideal solution.

    In client mode, the Easy VPN Remote device uses PAT to isolate the private network from the public network. PAT causes all of the traffic from the SOHO network to appear on the private network as a single source IP address. Figure 12-3 illustrates the Easy VPN Remote client mode of operation. The remote clients are on the 192.168.10.0 network. Traffic from these clients is converted (by PAT) to a single address (10.20.10.2).


    Figure 12-3. Easy VPN Remote Client Mode

    Network Extension Mode


    In network extension mode, all SOHO PCs connected to the Easy VPN Remote device are uniquely addressable by the VPN tunnel. This allows devices to connect directly to PCs behind the Easy VPN Remote device. Figure 12-4 illustrates the Easy VPN Remote network extension mode. The remote client hosts are assigned IP addresses that are fully routable by the destination network through the tunnel.


    Figure 12-4. Easy VPN Remote Network Extension Mode


    Overview of Cisco VPN Software Client


    The Cisco VPN Software Client is software that enables you to establish secure end-to-end encrypted tunnels to any Easy VPN Server. The Cisco VPN Software Client is IPSec compliant and available from Cisco.com for customers with SMARTnet support and is included free of charge with the concentrator.

    The Cisco VPN Software Client can easily be preconfigured for mass deployment situations. Initial logins require very little user intervention because VPN access policies and configurations are downloaded from the Easy VPN Server and pushed to the Cisco VPN Client when a connection is established, enabling simple deployment and management.

    The Cisco VPN Software Client provides support for the following operating systems:

    • Windows 95, 98, Me, NT 4.0, 2000, and XP

    • Linux

    • Solaris (UltraSPARC 32- and 64-bit)

    • Mac OS X 10.1


    Features


    The Cisco VPN Software Client provides numerous features and benefits. Some of the major benefits of the Cisco VPN Software Client include the following:

    • Intelligent peer availability detection

    • Simple Certificate Enrollment Protocol (SCEP)

    • Data compression (LZS)

    • Command-line options for connecting, disconnecting, and monitoring connection status

    • Configuration file with option locking

    • Support for Microsoft network login (all Windows platforms)

    • DNS, WINS, and IP address assignment

    • Load balancing and backup server support

    • Centrally controlled policies

    • Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)

    • Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)


    Note

    The Cisco VPN Software Client supports more features than the Easy VPN Server platforms. You should always compare the Cisco VPN Software Client specifications against the Easy VPN Server supported and unsupported feature list. For instance, although the Cisco VPN Client supports Zone Labs and BlackICE firewall features, the Easy VPN Server does not. The features supported on the Easy VPN Server determine which policies and configurations can be pushed from the Easy VPN Server to the VPN Client.

    Specifications


    Effectively utilizing the Cisco VPN Software Client on your network requires an understanding of its major functional specifications. The specifications for the Cisco VPN Software Client fall into the following major categories:

    • Tunneling protocols

    • Encryption and authentication

    • Key management techniques

    • Data compression

    • Digital certificates

    • Authentication methodologies

    • Policy and profile management


    Tunneling Protocols


    The Cisco VPN Software Client supports the following tunneling options:

    • IPSec Encapsulating Security Payload (ESP)

    • IPSec over Transmission Control Protocol (TCP): NAT or PAT

    • IPSec over User Datagram Protocol (UDP): NAT, PAT, or firewall


    Note

    IPSec over TCP and IPSec over UDP refer to the VPN Client encapsulating the IPSec traffic inside of either TCP or UDP packets. By encapsulating the complete IPSec packets inside of another transport protocol (such as UDP), the integrity checks on the IPSec packets remain valid even when a NAT device changes the IP addresses on the outer transport protocol.

    Encryption and Authentication


    The Cisco VPN Software Client supports the following encryption algorithms:

    • DES

    • 3DES

    • AES (128- and 256-bit)


    It also supports the following cryptographic hash algorithms:

    • MD5

    • SHA-1


    Key Management Techniques


    The Cisco VPN Client supports the following key management techniques:

    • IKE main mode

    • IKE aggressive mode

    • Diffie-Hellman (DH) groups 1, 2, 5, and 7


    Data Compression


    The only supported data compression technique is LZS. LZS provides an algorithm for compressing Point-to-Point Protocol (PPP)-encapsulated packets (see RFC 1974).

    Digital Certificates


    Digital certificates help to verify the identity of the peers in an IPSec session. The digital certificate functionality provided by the Cisco VPN Software Client falls into the following categories:

    • Enrollment mechanisms

    • Certificate authorities

    • Smart cards


    Enrollment mechanisms define the means by which digital certificates are securely issued. Certificate authorities (CAs) actually issue the certificates by signing them with their own private key. The Cisco VPN Software Client supports the following CAs:

    • Entrust

    • GTE Cybertrust

    • Netscape

    • Baltimore

    • RSA Keon

    • VeriSign

    • Microsoft


    Using smart cards also can help secure the login process by verifying the identity of the user. The Cisco VPN Software Client supports various smart cards by using the Microsoft crypto application programming interface (API) flag CRYPT_NOHASHOID, including the following:

    • ActivCard (Schlumberger cards)

    • eToken from Aladdin

    • Gemplus

    • Datakey


    Authentication Methodologies


    Authentication is crucial for providing secure remote access through VPN tunnels. The Cisco VPN Software Client supports XAUTH and Remote Authentication Dial-In User Service (RADIUS) with support for the following:

    • State (token cards)

    • Security Dynamics (RSA SecurID ready)

    • Microsoft Windows NT domain authentication

    • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) Windows NT password authentication

    • X.509 version 3 digital certificates


    Policy and Profile Management


    You can easily distribute Cisco VPN Software Clients with preconfigured Profile Configuration Files (PCFs) that regulate the operation of the client software. You can also centrally control policies such as the following:

    • DNS information

    • WINS information

    • IP address

    • Default domain name


    Cisco VPN Client Manual Configuration Tasks


    When using the Cisco VPN Software Client, the Easy VPN Server can push the VPN policy to help facilitate the management of the client systems. Initially, however, you still need to install the Cisco VPN Software Client on the remote system. This manual process involves the following tasks:

    • Installing the Cisco VPN Software Client

    • Creating a new connection entry

    • Modifying VPN Client options (optional)


    Installing the Cisco VPN Software Client


    Installation of the Cisco VPN Software Client varies slightly between the different supported operating systems. The best source of detailed installation information is the release notes that accompany the Cisco VPN Software Client that you are installing. Installing the Cisco VPN Software Client on a Windows-based system follows the usual software installation process. The on-screen instructions keep the installation quick and uncomplicated.

    After the software is installed, the following new options are added to your Programs menu (see Figure 12-5):

    • Help: Accesses the Cisco VPN Client Help text

    • Set MTU: Enables you to set the maximum transmission unit (MTU) for a specific interface

    • VPN Client: Launches the Cisco VPN Client so that you can choose a connection and establish a VPN session



    Figure 12-5. Cisco VPN Software Client Program Menu

    If you try to launch the Cisco VPN Client when you already have a session established, it displays the same window you see when you launch the Cisco VPN Client Software (see Figure 12-6).


    Figure 12-6. VPN Client Window

    Either typing Ctrl-S or selecting Statistics from the Status drop-down menu displays the following information about your connection (see Figure 12-7):


    Figure 12-7. VPN Client Statistics Window

    • Client IP address: The IP address assigned to the Cisco VPN Client for the current session.

    • Server IP address: The IP address of the Easy VPN Server to which the client is currently connected.

    • Bytes Received: The total number of bytes received by the client software.

    • Bytes Sent: The total number of bytes sent by the client software.

    • Packets Encrypted: The total number of data packets transmitted.

    • Packets Decrypted: The total number of data packets received.

    • Packets Discarded: The total number of packets rejected because they did not come from the Easy VPN Server.

    • Packets Bypassed: The total number of packets that were not processed (such as Address Resolution Protocol [ARP] and Dynamic Host Configuration Protocol [DHCP] packets).

    • Encryption: The data encryption method in use for traffic in the tunnel.

    • Authentication: The data or packet authentication method used for traffic through the tunnel.

    • Transparent Tunneling: The status of transparent tunneling (either active or inactive).

    • Local LAN Access: Indicates whether local area network (LAN) access is enabled or disabled.

    • Compression: Indicates whether data compression is in effect and identifies the compression being used (currently, only LZS compression is supported).



    Transparent Tunneling


    Transparent tunneling enables a secure transmission between the VPN Client and a secure VPN Server when the traffic passes through an intermediary device that is performing NAT (such as a firewall). Transparent tunneling encapsulates IP protocol 50 (ESP) traffic within either UDP or TCP packets to prevent the IPSec traffic from being changed by the NAT/PAT device. Transparent tunneling is commonly used with VPN Client deployments that are behind a home router that is performing NAT/PAT.

    Creating a New Connection Entry


    After installing the Cisco VPN Software Client on your system, you need to create a connection entry that will define the properties of your VPN connection, such as the following:

    • IP address of the Easy VPN Server

    • Group name

    • Group password


    Creating a new connection entry involves the following steps on a Windows 2000 system:


    Step 1.

    Choose Start > Programs > Cisco Systems VPN Client > VPN Client . The Cisco VPN Client window is displayed.

    Step 2.

    Click New to launch the new connection wizard.

    Step 3.

    Enter a name for the new connection in the Name of the new connection entry field. Optionally, you can also provide a description for this connection in the Description of the new connection entry.

    Step 4.

    After entering the name, click Next .

    Step 5.

    Enter the IP address or DNS name for the public interface on the Easy VPN Server in the Remote Server field.

    Step 6.

    Click Next .

    Step 7.

    Select the Group Access Information radio button, and enter the following information:

    • Group name that matches a group on the Easy VPN Server

    • Group password

    • Group password confirmation


    Step 8.

    Click Next .

    Step 9.

    Click Finish .


    Modifying VPN Client Options


    Besides creating a new connection entry, you can also optionally define various characteristics of the connection entry. These options are accessible by using the Options drop-down menu on the main Cisco VPN Software Client screen (see Figure 12-8).


    Figure 12-8. Cisco VPN Software Client Options

    From the Options drop-down menu, you can configure the characteristics of the current connection entry as listed in Table 12-5.

    Table 12-5. Cisco VPN Software Client Options

    Option                         Description

    Application Launcher           Defines an application that you want to launch before establishing the VPN connection. This is used in conjunction with the Windows Login Properties option.

    Windows Login Properties       Enables the Cisco VPN Client to make a connection to the concentrator before the user logs in.

    Stateful Firewall (Always On)  Blocks all inbound traffic to the Cisco VPN Client that is not related to the outbound session when set to Always On.

    Simple Mode                    Changes the VPN Client window to a smaller compressed version. You then use the Advanced Mode option to return to the original window.

    Preferences                    Enables you to configure basic VPN Client preferences such as whether the VPN Client window automatically hides itself upon establishing a successful VPN connection.

    Note

    If you want to know the version of the Cisco VPN Software Client installed on your PC, you can right-click the Cisco VPN Dialer icon in the system tray. This will also indicate if the stateful firewall functionality is always on because Stateful Firewall (Always On) will have a check mark next to it if enabled.

    Clicking the Modify icon enables you to configure the following characteristics of the Cisco VPN Client:

    • VPN Client authentication properties

    • VPN Client transport properties

    • VPN Client backup servers

    • VPN Client dialup properties


    Although these properties vary slightly between the supported operating systems, the major general properties that you can configure are as follows:

    • Enabling transparent tunneling

    • Allowing IPSec over UDP

    • Allowing IPSec over TCP

    • Allowing local LAN access

    • Configuring peer response timeout


    Note

    Allowing IPSec over TCP (or UDP) enables you to use the VPN Client in an environment where your traffic must go through a firewall or router that is using NAT or PAT. This option must also be configured on the Easy VPN Server for it to operate correctly.

    The Authentication tab of the VPN Client Properties window enables you to configure the VPN Client to use either a group name and password or digital certificates for authentication (see Figure 12-9).


    Figure 12-9. Authentication Tab of the VPN Client Properties Window

    The Transport tab in the VPN Client Properties window enables you to configure the transparent tunneling properties for the VPN connection (see Figure 12-10). Transparent tunneling enables your VPN connection to travel across devices that are performing NAT or PAT on the traffic. Without transparent tunneling, the traffic would be considered invalid because the integrity checks on the packets would fail.


    Figure 12-10. Transport Tab of the VPN Client Properties Window

    The Backup Servers tab of the VPN Client Properties window defines backup Easy VPN Servers (see Figure 12-11), and the Dial-Up tab of the VPN Client Properties window defines whether the connection to the Internet using dialup networking is enabled (see Figure 12-12).


    Figure 12-11. Backup Servers Tab of the VPN Client Properties Window


    Figure 12-12. Dial-Up Tab of the VPN Client Properties Window

    An enterprise network may have multiple Easy VPN Servers. Backup servers for the connections enable your Cisco VPN Clients to utilize these alternate Easy VPN Servers if the primary Easy VPN Server is unavailable. When establishing a VPN connection, clients attempt to connect to the primary Easy VPN Server first. If that device is unavailable, one of the backup servers will be used.

    Note

    You also can configure the backup servers on the Easy VPN Server and have them pushed to the VPN Client after a successful connection. Then, on subsequent connections, the VPN Client can use these backup servers if the primary server is unavailable.


    PIX Easy VPN Remote Configuration


    The Easy VPN Server controls the policy enforced on the PIX Firewall Easy VPN Remote device. To establish the initial connection to the Easy VPN Server, you must complete some configuration locally on the remote client device. You can perform this configuration using the Cisco PIX Device Manager (PDM) or by using the command-line interface. These configuration tasks fall into the following categories:

    • Basic configuration

    • Client device mode

    • SUA

    • Individual User Authentication (IUA)


    Basic Configuration


    To enable the PIX Easy VPN Remote client to communicate with the Easy VPN Server, you need to identify the location of the Easy VPN Server using the vpnclient server command. The syntax for this command is as follows:


    vpnclient server { Primary_IP } [ Secondary_IPs ]

    You need to specify the IP address of the primary Easy VPN Server. In addition to the primary Easy VPN Server, you also can specify up to ten additional secondary Easy VPN Servers. If the primary server is not accessible, the client will use one of the secondary servers.

    To enable the VPN Client you need to use the vpnclient enable command. The syntax for this command is as follows:


    vpnclient enable

    If you use preshared keys, you also must specify this key value using the vpnclient vpngroup command. The syntax for this command is as follows:


    vpnclient vpngroup { groupname } password { preshared_key }

    The client needs to use the preshared key to encrypt the information being transmitted to the server.

    One other basic configuration task involves XAUTH. If you use XAUTH, you need to specify the username and password for the VPN Client using AAA or the vpnclient username command. The syntax for this command is as follows:


    vpnclient username { xauth_username } password { xauth_password }

    Client Device Mode


    The Cisco VPN Client operates in the following two modes (see the "Easy VPN Remote Modes of Operation" section earlier in the chapter for more information):

    • Client mode

    • Network extension mode


    To configure the client device mode, you use the vpnclient mode command. The syntax for this command is as follows:


    vpnclient mode { client-mode|network-extension-mode }

    Client mode applies NAT/PAT to all IP addresses of the clients connected to the higher-security (inside) interface. Network extension mode, on the other hand, does not apply NAT/PAT to any IP addresses of clients on the higher-security interface.

    Secure Unit Authentication


    Secure Unit Authentication (SUA) is a feature introduced in PIX Firewall Software Version 6.3 to improve security when using a PIX Firewall as an Easy VPN Remote device. With SUA, the Easy VPN Server can require one-time passwords, two-factor authentication, and similar authentication schemes before the establishment of a VPN tunnel to the Easy VPN Server.

    SUA is configured as part of the VPN policy on the Easy VPN Server and cannot be configured directly on the VPN Remote device. The Easy VPN Remote device downloads the VPN policy (after connecting to the Easy VPN Server), which enables or disables SUA.

    Client Operation with Secure Unit Authentication Disabled


    When SUA is disabled and the Easy VPN Remote device is operating in network extension mode, a connection is automatically initiated by the PIX VPN Remote device for the remote protected hosts. In client mode, the connection is initiated whenever traffic from the remote protected network is sent through the PIX Firewall to the network protected by the Easy VPN Server.

    Client Operation with Secure Unit Authentication Enabled


    When SUA is enabled, static credentials included in the local configuration of the Easy VPN Remote device are ignored. A connection request is initiated as soon as any Hypertext Transfer Protocol (HTTP) request is sent from the remote network to the network protected by the Easy VPN Server. All other traffic to the network protected by the Easy VPN Server is dropped until a VPN tunnel is established.

    Note

    You also can initiate a connection request from the command-line interface (CLI) of the Easy VPN Remote device.

    Before a VPN tunnel is established, any HTTP request to the network protected by the Easy VPN Server is redirected to a Uniform Resource Locator (URL) in the following format:


    https://<inside-ip-address>/vpnclient/connstatus.html

    inside-ip-address is the inside (protected) interface of the Easy VPN Remote device. For instance, if the inside interface of the Easy VPN Remote device is 10.10.10.1, the requests will be redirected to the following URL:


    https://10.10.10.1/vpnclient/connstatus.html

    You can check the status of the VPN tunnel by manually entering this URL into your browser (from one of the remote protected hosts). This URL displays a page containing a Connect link that displays an authentication page. If authentication is successful, the VPN tunnel has been established.

    Note

    You can also activate the connection by manually entering this URL into your browser (on a remote protected host).

    To enable SUA, you use the following command on the Easy VPN Server:


    vpngroup groupname secure-unit-authentication

    groupname is the alphanumeric identifier for the VPN group for which you want to enable SUA.

    After the tunnel is established, other users on the remote network (protected by the Easy VPN Remote device) can access the network protected by the Easy VPN Server without further authentication. If you want to control access by individual users, you need to implement Individual User Authentication (IUA). IUA is explained in the next section.

    Individual User Authentication


    IUA causes the hosts on the remote protected network (behind the Easy VPN Remote device) to be authenticated individually based on the IP address of the inside host. IUA supports authentication based on both static and dynamic password mechanisms.

    Similar to SUA, IUA is enabled by the VPN policy downloaded from the Easy VPN Server and cannot be configured locally. When IUA is enabled, each user on the remote protected network is prompted for a username and password when trying to initiate a connection to the network protected by the Easy VPN Server. Unlike SUA, which requires an HTTP connection to initiate the authentication request, when IUA is enabled the user will automatically be prompted for authentication (to establish the tunnel) whenever any traffic is sent across the tunnel.

    A PIX Firewall (serving as an Easy VPN Server) downloads the contact information for the AAA server to the Easy VPN Remote device. The Easy VPN Remote device then sends authentication requests directly to the AAA server.

    Note

    A Cisco 3000 Series VPN Concentrator used as an Easy VPN Server performs proxy authentication to the AAA server. The Easy VPN Remote device sends each authentication request to the Cisco 3000 Series VPN Concentrator instead of directly to the AAA server.

    To enable IUA, you use the following command on the Easy VPN Server:


    vpngroup groupname user-authentication

    groupname is the alphanumeric identifier for the VPN group for which you want to enable IUA.

    You also must use the following command on the Easy VPN Server to specify the AAA server to use for authentication:


    vpngroup groupname authentication-server server-tag

    The server-tag identifies the AAA server to use for the specified VPN group.

    To specify the length of time that the VPN tunnel will remain open without any user activity, you use the following command on the Easy VPN Server:


    vpngroup groupname user-idle-timeout seconds

    You specify the idle time for the specified VPN group in seconds.
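    The following configuration is an added example, not from the book, that ties together the Easy VPN Remote commands from the "Basic Configuration" and "Client Device Mode" sections with the server-side vpngroup and isakmp keepalive commands from this section. The addresses, group name SOHO-GROUP, AAA server tag RADIUS-SRV and all credentials are constructed placeholders; the server's isakmp policy, crypto map and address pool are assumed to be configured separately, and lines beginning with a colon are PIX comments.

```text
: ---- Easy VPN Server (PIX headend) : constructed example ----
: AAA server the remote device will contact directly for IUA
: (tag name, address and key are assumed values)
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.50 radiuskey timeout 10
: Group policy pushed to the remote; name and password must match the client
vpngroup SOHO-GROUP password groupsecret
: Require authentication before the tunnel comes up (SUA) ...
vpngroup SOHO-GROUP secure-unit-authentication
: ... and authenticate each inside host individually (IUA)
vpngroup SOHO-GROUP user-authentication
vpngroup SOHO-GROUP authentication-server RADIUS-SRV
: Tear the tunnel down after 10 minutes without user traffic
vpngroup SOHO-GROUP user-idle-timeout 600
: Dead Peer Detection: probe every 10 s, retry every 2 s when a probe gets no reply
isakmp keepalive 10 2

: ---- Easy VPN Remote (PIX at the SOHO) : constructed example ----
: Primary headend plus one secondary, tried if the primary is unreachable
vpnclient server 203.0.113.10 203.0.113.11
: network-extension-mode keeps inside hosts routable through the tunnel;
: use client-mode instead when inside hosts should be hidden behind PAT
vpnclient mode network-extension-mode
: Must match the vpngroup name and password configured on the server
vpnclient vpngroup SOHO-GROUP password groupsecret
: Static XAUTH credentials; these are ignored once the server pushes SUA enabled
vpnclient username remoteuser password remotepass
vpnclient enable

: Verification on the remote after the tunnel is up: shows the downloaded
: policy, including whether SUA and IUA were enabled by the server
show vpnclient detail
```

    Because SUA is enabled on the server above, the remote's static vpnclient username credentials are not used; the first HTTP request from an inside host is redirected to the connstatus page for authentication instead.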


    Point-to-Point Protocol over Ethernet and the PIX Firewall


    Beginning with software version 6.2, you can configure the PIX Firewall as a Point-to-Point Protocol over Ethernet (PPPoE) client. Many Internet service providers (ISPs) deploy PPPoE because it provides high-speed broadband access using their existing remote access infrastructure. PPPoE is also easy for customers to use.

    Figure 12-13 depicts a typical PPPoE network configuration that uses a PIX Firewall to secure a low-cost always-on Internet connection. The PIX Firewall can secure various broadband connections including the following:

    • Digital Subscriber Line (DSL)

    • Cable modem

    • Fixed wireless



    Figure 12-13. PIX Firewall PPPoE Client Configuration

    PPPoE (see RFC 2516) provides an authenticated method for assigning IP addresses to client systems by combining the following two widely accepted standards:

    • Point-to-Point Protocol (PPP)

    • Ethernet



    PPP


    Point-to-Point Protocol (PPP) provides a secure and reliable mechanism to transport multiprotocol datagrams over point-to-point links. It has been reliably used for many years to transmit data from dialup clients across modem-based connections.

    PPPoE is composed of the following two main phases:

    • Active discovery phase

    • PPP session phase


    PPPoE connects a network of systems over a simple bridging access device to a remote Access Concentrator (AC). In the active discovery phase, the PPPoE client locates the AC (or PPPoE server). After locating an AC, the PPPoE client establishes a PPP session.

    When establishing a session, PPP options are negotiated and authentication is performed. Once the session is completely established, the information from the client is sent across the Ethernet network by encapsulating the PPP messages in unicast Ethernet packets. The session ID enables the AC to determine to which client the PPP messages belong.

    After configuration, the PIX Firewall automatically connects to a service provider's AC without user intervention. By setting the MTU to 1492 bytes, the PIX Firewall can encapsulate PPPoE messages inside regular Ethernet frames by attaching PPPoE/PPP headers.

    The PIX Firewall PPPoE Client can operate in environments that are using other firewall features such as the following:

    • NAT to or from the outside interface (or over a VPN)

    • URL content filtering before transmission (to or from outside interface)

    • Firewall rules on traffic before transmission to or from the outside interface (or over a VPN)


    If your ISP distributes certain configuration parameters, such as DNS and WINS, the PIX Firewall's PPPoE Client can retrieve these parameters and automatically pass these parameters to its Dynamic Host Configuration Protocol (DHCP) clients. You need to use the dhcpd auto-config command on the PIX Firewall to enable your DHCP clients to receive the configuration parameters automatically from the PPPoE client.

    Note

    Although the PIX Firewall DHCP server operates with the PPPoE client, the PPPoE client and the DHCP clients are mutually exclusive. Therefore, if you configure the PPPoE client on the outside interface, the DHCP client functionality is automatically disabled on that interface. Similarly, if you enable the DHCP client on the outside interface, the PPPoE client is automatically disabled on the outside interface.

    Note

    The PIX Firewall's PPPoE Client is not interoperable with failover, Layer Two Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP).

    Configuring the PPPoE client on the PIX Firewall involves the following tasks:

    • Configuring the Virtual Private Dial-Up Networking (VPDN) group

    • Configuring VPDN group authentication

    • Assigning the VPDN group username

    • Configuring the VPDN username and password

    • Enabling the PPPoE client


    Configuring the Virtual Private Dial-Up Networking Group


    The first task in configuring the PIX Firewall PPPoE Client is to define the VPDN group using the following command:


    vpdn group group-name request dialout pppoe

    Configuring Virtual Private Dial-Up Networking Group Authentication


    Your ISP may require you to use authentication with PPPoE. The PIX Firewall PPPoE Client supports the following authentication protocols:

    • Password Authentication Protocol (PAP)

    • Challenge Handshake Authentication Protocol (CHAP)

    • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)


    To define the authentication protocol for the PPPoE client, you use the following command:


    vpdn group group-name ppp authentication pap|chap|mschap

    Note

    ISPs that use CHAP or MS-CHAP may refer to the username as the remote system name and the password as the CHAP secret.

    Assigning the Virtual Private Dial-Up Networking Group Username


    To assign the username provided by your ISP to the VPDN group you use the following command:


    vpdn group group-name localname username

    Configuring the Virtual Private Dial-Up Networking Username and Password


    The PIX Firewall uses a username and password pair to authenticate to the AC. To assign a username and password pair for PPPoE authentication, you use the following command:


    vpdn username username password password

    Note

    The username specified must be the username that has already been associated with the VPDN group specified for PPPoE (using the vpdn group command).

    Enabling the Point-to-Point over Ethernet Client


    By default the PPPoE client on the PIX Firewall is disabled. Use the following command to enable the PPPoE client:


    ip address interface-name pppoe [ setroute ]

    You also can enable PPPoE by manually entering the IP address using the following command:


    ip address interface-name ip-address netmask pppoe [ setroute ]

    This command causes the PIX Firewall to use the specified IP address instead of negotiating with the PPPoE server to assign an address dynamically.

    The parameters for the ip address command are shown in Table 12-6.

    Table 12-6. ip address Command Parameters

    Parameter       Description

    interface-name  The name of the outside interface on the PIX Firewall

    ip-address      The IP address assigned to the PIX Firewall's outside interface

    netmask         The subnet mask assigned to the PIX Firewall's outside interface

    setroute        Configures the PIX Firewall to use the default gateway parameter that the DHCP or PPPoE server returns as the default route

    The setroute keyword causes a default route to be created based on the default gateway parameter returned by either the DHCP or PPPoE server. This keyword, however, cannot override an existing default route. If you use the setroute keyword when a default route already exists, the PIX Firewall will be unable to override the existing default route with the information learned from PPPoE. Therefore, if you already have an existing default route configured on the PIX Firewall, you must delete the default route before using the setroute keyword.
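    The five PPPoE client tasks listed earlier, carried out in one configuration, as an added example that is not from the book: the VPDN group name, ISP username, password and the old default gateway are constructed placeholders, and the existing static default route is removed first so that setroute can install the one learned from the AC.

```text
: ---- PIX Firewall PPPoE client : constructed example ----
: 1. Define the VPDN group that dials out over PPPoE
vpdn group ISP-DSL request dialout pppoe
: 2. Authentication protocol required by the ISP (pap, chap or mschap);
:    with CHAP the ISP may call the username the "remote system name"
:    and the password the "CHAP secret"
vpdn group ISP-DSL ppp authentication chap
: 3. Bind the ISP-supplied username to the group
vpdn group ISP-DSL localname user@isp.example
: 4. Credentials; the username must be the one bound to the group above
vpdn username user@isp.example password ISP-PASSWORD-PLACEHOLDER
: setroute cannot override a default route that already exists, so remove
: the old static default (placeholder next hop) before enabling PPPoE
no route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: 5. Enable the client; take the address and default gateway from the AC
ip address outside pppoe setroute
: PPPoE plus PPP headers take 8 bytes, leaving 1492 bytes for the payload
mtu outside 1492
: Hand the DNS/WINS values learned over PPPoE to the inside DHCP clients
: (the PIX 6.x command reference spells the keyword auto_config)
dhcpd auto_config outside

: Verification: session state should be SESSION_UP, and the AC address in
: show vpdn pppinterface must not be 0.0.0.0 (AC not located)
show vpdn session
show vpdn pppinterface
show ip address outside pppoe
```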

    Monitoring the Point-to-Point over Ethernet Client


    The show vpdn command displays information about the PPPoE traffic on the PIX Firewall. Without any other keywords, this command displays information about the PPPoE tunnels and sessions, such as in the following:


    pix515a# show vpdn
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Tunnel id 0, 1 active sessions
    time since change 4294967 secs
    Remote MAC Address 00:02:3B:02:32:2E
    9005625 packets sent, 11376588 received, 1755681415 bytes sent, -407696198 received
    Remote MAC is 00:02:3B:02:32:2E
    Session state is SESSION_UP
    Time since event change 4294967 secs, interface outside
    PPP interface id is 1
    9005625 packets sent, 1265856 received, 1755681415 bytes sent, 865125131 received
    pix515a#

    To view the information only on your VPDN sessions, you can add the session keyword to the show vpdn command, as in the following:


    pix515a# show vpdn session
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Remote MAC is 00:02:3B:02:32:2E
    Session state is SESSION_UP
    Time since event change 4294967 secs, interface outside
    PPP interface id is 1
    9005664 packets sent, 1265894 received, 1755684373 bytes sent, 865127247 received
    pix515a#

    To view the information only on your VPDN tunnels, you can add the tunnel keyword to the show vpdn command, as in the following:


    pix515a# show vpdn tunnel
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Tunnel id 0, 1 active sessions
    time since change 4294967 secs
    Remote MAC Address 00:02:3B:02:32:2E
    9005704 packets sent, 11376666 received, 1755687225 bytes sent, -407691806 received
    pix515a#

    You can use the show vpdn pppinterface command when a PPPoE connection is established to view the address of the access concentrator (AC). If the PIX Firewall cannot locate the AC, the address displayed is 0.0.0.0. The syntax for this command is as follows:


    show vpdn pppinterface [ id interface_name ]

    The output of the show vpdn pppinterface command is similar to the following:


    pix515a# show vpdn pppinterface
    PPP virtual interface id = 1
    PPP authentication protocol is PAP
    Server ip address is 214.8.252.151
    Our ip address is 88.235.123.14
    Transmitted Pkts: 1002469, Received Pkts: 1265984, Error Pkts: 0
    MPPE key strength is None
    MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
    MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
    Rcvd_Out_Of_Seq_MPPE_Pkts: 0
    pix515a#

    To view the local usernames, you use the show vpdn username command, and the show vpdn group command displays the configured VPDN groups. The syntax for these commands is as follows:


    show vpdn username [ specific-name ]
    show vpdn group [ specific-group-name ]

    To view the IP address assigned by the PPPoE server on an established PPPoE session, you use the show ip address command, specifying the interface on which PPPoE is enabled. The syntax for this command is as follows:


    show ip address interface-name pppoe

    Finally, you can debug the PPPoE packets processed by the PIX Firewall with the debug pppoe command. The syntax for this command is as follows:


    debug pppoe { event | error | packet }
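    The show vpdn output above is what an operator reads by eye. As an added example (not code from the book or from Cisco), the following Python parses the show vpdn session and show vpdn pppinterface outputs quoted above and turns them into a pass/fail verdict of the kind you would script into a monitoring job. The field names, the severities and the unsigned32 helper are this example's own choices; the helper exists because the show vpdn output above prints a byte counter as -407696198, a 32-bit counter that wrapped and was displayed signed.

```python
"""Health check over PIX 'show vpdn' PPPoE output (added example, not from the book)."""
import re

# Sample output copied from the chapter's show commands; the prompt lines are
# kept so the parser tolerates them when fed a raw terminal capture.
SHOW_VPDN_SESSION = """\
pix515a# show vpdn session
%No active L2TP tunnels
PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
Remote MAC is 00:02:3B:02:32:2E
Session state is SESSION_UP
Time since event change 4294967 secs, interface outside
PPP interface id is 1
9005664 packets sent, 1265894 received, 1755684373 bytes sent, 865127247 received
pix515a#
"""

SHOW_VPDN_PPPINTERFACE = """\
pix515a# show vpdn pppinterface
PPP virtual interface id = 1
PPP authentication protocol is PAP
Server ip address is 214.8.252.151
Our ip address is 88.235.123.14
Transmitted Pkts: 1002469, Received Pkts: 1265984, Error Pkts: 0
MPPE key strength is None
pix515a#
"""


def _grab(pattern, text, default=None):
    """Return the first capture group of pattern, or default if it is absent."""
    m = re.search(pattern, text)
    return m.group(1) if m else default


def unsigned32(value):
    """Reinterpret a counter the CLI printed as a signed 32-bit number."""
    return value & 0xFFFFFFFF


def parse_session(text):
    """Extract the PPPoE session fields from 'show vpdn session' output."""
    counters = re.search(
        r"(-?\d+) packets sent, (-?\d+) received, (-?\d+) bytes sent, (-?\d+) received", text)
    nums = [unsigned32(int(g)) for g in counters.groups()] if counters else [0, 0, 0, 0]
    return {
        "remote_mac": _grab(r"Remote MAC is (\S+)", text),
        "state": _grab(r"Session state is (\S+)", text, "UNKNOWN"),
        "interface": _grab(r"secs, interface (\S+)", text),
        "ppp_interface_id": int(_grab(r"PPP interface id is (\d+)", text, "0")),
        "packets_sent": nums[0], "packets_received": nums[1],
        "bytes_sent": nums[2], "bytes_received": nums[3],
    }


def parse_pppinterface(text):
    """Extract AC address, our address and PPP details from 'show vpdn pppinterface'."""
    return {
        "auth": _grab(r"PPP authentication protocol is (\S+)", text),
        "ac_address": _grab(r"Server ip address is (\S+)", text, "0.0.0.0"),
        "our_address": _grab(r"Our ip address is (\S+)", text),
        "tx_pkts": int(_grab(r"Transmitted Pkts: (\d+)", text, "0")),
        "rx_pkts": int(_grab(r"Received Pkts: (\d+)", text, "0")),
        "err_pkts": int(_grab(r"Error Pkts: (\d+)", text, "0")),
    }


def assess_pppoe(session, ppp):
    """Return (severity, finding) tuples for an operator dashboard."""
    findings = []
    if ppp["ac_address"] == "0.0.0.0":
        findings.append(("critical", "PIX could not locate the access concentrator (AC)"))
    if session["state"] != "SESSION_UP":
        findings.append(("critical", f"PPPoE session state is {session['state']}"))
    if ppp["err_pkts"]:
        findings.append(("warning", f"{ppp['err_pkts']} PPP error packets"))
    if ppp["auth"] == "PAP":
        # PAP carries the PPP password in cleartext between the PIX and the AC.
        findings.append(("info", "PPP authentication is PAP (cleartext credentials on the access link)"))
    return findings


def healthy(findings):
    """True when no critical finding is present."""
    return not any(sev == "critical" for sev, _ in findings)


if __name__ == "__main__":
    s, p = parse_session(SHOW_VPDN_SESSION), parse_pppinterface(SHOW_VPDN_PPPINTERFACE)
    for sev, text in assess_pppoe(s, p):
        print(f"[{sev}] {text}")
    print("healthy" if healthy(assess_pppoe(s, p)) else "NOT healthy")
```

    Feed the functions the raw text of each show command; the PAP finding is informational only, since PPPoE to an ISP commonly uses PAP, but it records that the PPP password is not protected on the access link.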


    Dynamic Host Configuration Protocol Server Configuration


    DHCP provides automatic allocation of reusable network addresses on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. Without DHCP, IP addresses must be manually entered on each computer or device that is connected to the network. Automatic allocation dramatically reduces administration and user error.

    DHCP can also distribute other configuration parameters such as DNS and WINS server addresses and domain names. The system requesting an IP address and configuration parameters is known as the DHCP client. The system that automatically allocates the IP addresses is known as the DHCP server.

    Note

    Because the DHCP client does not know the IP address of the DHCP server, the initial DHCP requests are broadcast to every host on the network segment. Instead of deploying a DHCP server on every network segment, you can configure your IOS® router to forward the DHCP requests to a single DHCP server by using the ip helper-address command.

    Any PIX Firewall (Version 5.2 or later) provides both DHCP server and DHCP client functionality. As a DHCP server, the PIX Firewall provides hosts protected by the firewall with the network parameters necessary for them to access the enterprise or corporate network. As a DHCP client, the PIX Firewall can obtain its own IP address and network mask and optionally a default route from the DHCP server.

    DHCP Overview


    DHCP communication consists of several messages exchanged between the DHCP client and the DHCP server as broadcasts. The exchange consists of the following events:


    Step 1. The client broadcasts a DHCPDISCOVER message on its local subnet to locate available DHCP servers that can provide it an IP address.

    Step 2. Any DHCP servers that receive the DHCPDISCOVER message can respond with a DHCPOFFER message that includes an available IP address and other configuration parameters.

    Step 3. Based on the DHCPOFFER messages received, the client chooses one of the offers. It then broadcasts a DHCPREQUEST message requesting the offered parameters from the chosen DHCP server and implicitly declining all of the other offers received.

    Step 4. The DHCP server selected in the DHCPREQUEST message responds with a DHCPACK message containing the configuration parameters for the requesting client.


    Note

    If the selected DHCP server cannot satisfy the DHCPREQUEST (for instance, the requested address has already been assigned to another system), it sends a DHCPNAK message to the DHCP client.
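    As an added example (not from the book), the four steps and the DHCPNAK note above as a small Python simulation: two servers share a broadcast segment, a client picks one offer, the server that was not selected sees the broadcast DHCPREQUEST and releases its tentative reservation, and a request for an address already bound to another client draws a DHCPNAK. The Message class, the server_id field standing in for the DHCP server identifier option, and the pool addresses are this example's own constructions.

```python
"""Simulated DHCP DISCOVER/OFFER/REQUEST/ACK exchange (added example, not from the book)."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Message:
    kind: str                 # DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK
    client_mac: str
    server_id: str = ""       # which server made or was chosen for the offer (hypothetical field)
    yiaddr: str = ""          # offered or assigned client address
    options: dict = field(default_factory=dict)


class DhcpServer:
    """A minimal server holding one address pool, tentative offers and bindings."""

    def __init__(self, server_id, low, high, options=None, lease=3600):
        self.server_id = server_id
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.options = dict(options or {}, lease=lease)
        self.offers = {}      # client_mac -> address offered but not yet confirmed
        self.bindings = {}    # address -> client_mac (the lease table)
        self.stats = Counter()

    def _free_address(self):
        taken = set(self.bindings) | set(self.offers.values())
        return next((ip for ip in self.pool if ip not in taken), None)

    def _reply(self, kind, msg, yiaddr=""):
        self.stats[kind] += 1
        return Message(kind, msg.client_mac, self.server_id, yiaddr, dict(self.options))

    def receive(self, msg):
        """Handle one client broadcast; return a reply or None (stay silent)."""
        self.stats[msg.kind] += 1
        if msg.kind == "DHCPDISCOVER":
            # Step 2: offer an address and reserve it until the client decides.
            ip = self.offers.get(msg.client_mac) or self._free_address()
            if ip is None:
                return None                      # pool exhausted: no offer at all
            self.offers[msg.client_mac] = ip
            return self._reply("DHCPOFFER", msg, ip)
        if msg.kind == "DHCPREQUEST":
            if msg.server_id != self.server_id:
                # Step 3: the broadcast REQUEST names another server, which is an
                # implicit decline of our offer, so release the reservation.
                self.offers.pop(msg.client_mac, None)
                return None
            wanted = msg.options.get("requested_ip")
            bound_to = self.bindings.get(wanted)
            offered_to = next((mac for mac, ip in self.offers.items() if ip == wanted), None)
            ok = (wanted in self.pool
                  and bound_to in (None, msg.client_mac)
                  and offered_to in (None, msg.client_mac))
            if not ok:
                return self._reply("DHCPNAK", msg)   # cannot satisfy the request
            # Step 4: confirm the lease and move it from offers to bindings.
            self.offers.pop(msg.client_mac, None)
            self.bindings[wanted] = msg.client_mac
            return self._reply("DHCPACK", msg, wanted)
        return None


class DhcpClient:
    def __init__(self, mac):
        self.mac, self.address, self.config = mac, None, {}

    def discover(self):
        return Message("DHCPDISCOVER", self.mac)          # Step 1

    def choose(self, offers):
        """Step 3: pick one offer (the first received) and request it by server id."""
        best = offers[0]
        return Message("DHCPREQUEST", self.mac, best.server_id,
                       options={"requested_ip": best.yiaddr})

    def accept(self, reply):
        if reply.kind == "DHCPACK":
            self.address, self.config = reply.yiaddr, reply.options
        return reply.kind


def run_exchange(client, servers):
    """Broadcast semantics: every server on the segment sees every client message."""
    offers = [r for r in (s.receive(client.discover()) for s in servers) if r]
    if not offers:
        return None
    request = client.choose(offers)
    replies = [r for r in (s.receive(request) for s in servers) if r]
    return client.accept(replies[0]) if replies else None


if __name__ == "__main__":
    a = DhcpServer("10.10.10.1", "10.10.10.129", "10.10.10.130", {"dns": ["10.200.10.32"]})
    b = DhcpServer("10.10.10.2", "10.10.10.200", "10.10.10.200")
    c = DhcpClient("00A0.CC5C.8163")
    print(run_exchange(c, [a, b]), c.address, dict(a.stats))
```

    The stats counter on each server mirrors the categories of the show dhcpd statistics output discussed later in this section, which is a useful way to sanity-check what those counters mean before reading them off a real firewall.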

    Configuring the PIX Firewall Dynamic Host Configuration Protocol Server


    Configuring the PIX Firewall to operate as a DHCP server involves the following tasks:

    • Configuring the address pool

    • Specifying WINS, DNS, and the domain name

    • Configuring the DHCP options

    • Configuring the DHCP lease length

    • Enabling the DHCP server


    Note

    Configuring the PIX Firewall to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your PIX Firewall.

    Configuring the Address Pool


    A DHCP server needs to know which addresses it can assign to DHCP clients. It must also keep track of the IP addresses that it has already given out. The dhcpd address command specifies the range of IP addresses for the PIX DHCP server to distribute. The syntax for this command is as follows:


    dhcpd address ipaddress1 [ -ipaddress2 ] [ interface ]

    Note

    To remove an existing DHCP address pool, use the no dhcpd address command.

    Table 12-7 shows the parameters for the dhcpd address command.

    Table 12-7. dhcpd address Command Parameters

    Parameter    Description
    ipaddress1   The low IP address of the IP address pool.
    ipaddress2   The high IP address of the IP address pool.
    interface    Name of the PIX Firewall interface (the default is the inside interface).

    Note

    The DHCP address pool is limited to 32 addresses for the PIX Firewall 501 with a 10-user license. With the 50-user license, 128 addresses are supported. The maximum size of the address pool is 256 addresses for the Unlimited license and for all other PIX models.

    Specifying WINS, DNS, and the Domain Name


    Besides providing IP addresses to DHCP clients, a DHCP server can also provide other configuration parameters, such as the following:

    • WINS servers

    • DNS servers

    • Domain name


    To configure the DNS servers that the PIX DHCP server provides in its DHCPOFFER messages, you use the dhcpd dns command. The syntax for this command is as follows:


    dhcpd dns dns-server1 [ dns-server2 ]

    To configure the WINS servers that the PIX DHCP server provides in its DHCPOFFER messages, you use the dhcpd wins command. The syntax for this command is as follows:


    dhcpd wins wins-server1 [ wins-server2 ]

    Finally, you also can specify the domain name that will be provided to the DHCP clients using the dhcpd domain command. The syntax for this command is as follows:


    dhcpd domain domain_name

    Configuring Dynamic Host Configuration Protocol Options


    Because Cisco IP Phones use TFTP to load phone images, the PIX Firewall supports the dhcpd option command to define the TFTP servers that will be identified to the client by DHCP. The syntax for this command is as follows:


    dhcpd option 66 ascii { server-name | server-ip-str }
    dhcpd option 150 ip server-ip1 [ server-ip2 ]

    Note

    The difference between these two commands is that option 66 carries a single TFTP server name or address, whereas option 150 enables you to specify a list of TFTP server IP addresses to be used by the DHCP client.

    Configuring Dynamic Host Configuration Protocol Lease Length


    The dhcpd lease command specifies the amount of time (in seconds) that the DHCP clients can use the assigned IP address received from the DHCP server. The syntax for this command is as follows:


    dhcpd lease lease_length

    Note

    The default lease length is 3600 seconds. The minimum lease length that you can specify is 300 seconds, and the maximum lease length that you can specify is 2,147,483,647 seconds.

    Enabling the Dynamic Host Configuration Protocol Server


    You enable DHCP on the PIX Firewall on a per-interface basis. The command to enable the DHCP daemon on an interface is dhcpd enable. The syntax for this command is as follows:


    dhcpd enable [ interface-name ]

    For instance, to enable DHCP on the inside interface you would use the following command:


    dhcpd enable inside
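    The tasks above, collected into one added Python example (not Cisco's code and not a tool from the book) that renders the dhcpd commands in the order the chapter gives them and refuses values the chapter rules out: a pool larger than the license allows, a lease outside 300 to 2,147,483,647 seconds, or more servers than the dns, wins and option 150 commands accept. The license names, the method names and the sample addresses are assumptions made for the example.

```python
"""Build and validate a PIX DHCP server configuration (added example, not from the book)."""
import ipaddress

# Pool limits as stated in the chapter: PIX 501 10-user = 32, 50-user = 128,
# Unlimited license and all other PIX models = 256. The key names are this example's own.
POOL_LIMITS = {"501-10user": 32, "501-50user": 128, "unlimited": 256}
LEASE_MIN, LEASE_MAX, LEASE_DEFAULT = 300, 2_147_483_647, 3600


def _ip(text):
    """Reject anything that is not a valid IPv4 address."""
    return str(ipaddress.IPv4Address(text))


def rejected(action):
    """True when action() raises ValueError; used to demonstrate the limits."""
    try:
        action()
    except ValueError:
        return True
    return False


class PixDhcpServerConfig:
    """Collects the dhcpd commands from the chapter and renders them in task order."""

    def __init__(self, interface="inside", license_type="unlimited"):
        if license_type not in POOL_LIMITS:
            raise ValueError(f"unknown license {license_type!r}")
        self.interface, self.license_type = interface, license_type
        self.pool = None
        self.lines = {}          # command keyword -> rendered command line

    def address_pool(self, low, high=None):
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high)) if high else lo
        if hi < lo:
            raise ValueError("ipaddress2 must not be lower than ipaddress1")
        size = hi - lo + 1
        limit = POOL_LIMITS[self.license_type]
        if size > limit:
            raise ValueError(f"pool of {size} exceeds the {limit}-address limit "
                             f"for the {self.license_type} license")
        self.pool = (lo, hi)
        span = f"{low}-{high}" if high else low
        self.lines["address"] = f"dhcpd address {span} {self.interface}"
        return self

    def dns(self, primary, secondary=None):
        self.lines["dns"] = "dhcpd dns " + " ".join(_ip(s) for s in (primary, secondary) if s)
        return self

    def wins(self, primary, secondary=None):
        self.lines["wins"] = "dhcpd wins " + " ".join(_ip(s) for s in (primary, secondary) if s)
        return self

    def domain(self, name):
        self.lines["domain"] = f"dhcpd domain {name}"
        return self

    def tftp(self, *servers, option=150):
        """Option 66 carries one TFTP server name; option 150 one or two IP addresses."""
        if option == 66:
            if len(servers) != 1:
                raise ValueError("option 66 takes exactly one server name or address")
            self.lines["option66"] = f"dhcpd option 66 ascii {servers[0]}"
        elif option == 150:
            if not 1 <= len(servers) <= 2:
                raise ValueError("option 150 takes one or two server IP addresses")
            self.lines["option150"] = "dhcpd option 150 ip " + " ".join(_ip(s) for s in servers)
        else:
            raise ValueError("only options 66 and 150 are covered here")
        return self

    def lease(self, seconds=LEASE_DEFAULT):
        if not LEASE_MIN <= seconds <= LEASE_MAX:
            raise ValueError(f"lease must be between {LEASE_MIN} and {LEASE_MAX} seconds")
        self.lines["lease"] = f"dhcpd lease {seconds}"
        return self

    def render(self):
        """Emit the commands in the chapter's task order, ending with dhcpd enable."""
        if self.pool is None:
            raise ValueError("configure an address pool before enabling the server")
        order = ["address", "dns", "wins", "domain", "option66", "option150", "lease"]
        return [self.lines[k] for k in order if k in self.lines] + [f"dhcpd enable {self.interface}"]


if __name__ == "__main__":
    cfg = (PixDhcpServerConfig("inside", "unlimited")
           .address_pool("10.10.10.129", "10.10.10.254")
           .dns("10.200.10.32", "10.100.20.40")
           .lease(84400))
    print("\n".join(cfg.render()))
```

    The rendered lines are meant to be pasted into configuration mode; rendering the enable command last matches the chapter's task order, so the server never starts without a pool behind it.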

    Dynamic Host Configuration Protocol Server Auto Configuration


    The PIX Firewall can serve as a DHCP server, DHCP client, or a DHCP server and DHCP client simultaneously. When the PIX Firewall is operating as a DHCP client, it can pass the configuration parameters learned (such as DNS, WINS, and the domain name) automatically to the clients that its DHCP server services. To enable the PIX Firewall to pass the learned DHCP configuration parameters to its DHCP clients automatically, you use the dhcpd auto-config command. The syntax for this command is as follows:


    dhcpd auto-config [ client_interface_name ]

    Note

    The dhcpd auto-config command also enables the PIX Firewall to pass information learned from its PPPoE interface to its DHCP clients.

    The client_interface_name is the interface on which you enabled the PIX Firewall to operate as a DHCP client with the ip address interface-name dhcp command.

    Dynamic Host Configuration Protocol Debugging Commands


    To help debug the operation of your PIX DHCP server and PIX DHCP client, you can use the following two commands:


    debug dhcpd { event | packet }
    debug dhcpc { detail | error | packet }

    The debug dhcpd command displays information associated with the DHCP server running on the PIX Firewall. The event keyword displays information about the events related to the DHCP server, and the packet keyword displays information about the packets received for the DHCP server.

    The debug dhcpc command displays information about the PIX DHCP client running on the PIX Firewall. The packet keyword specifies information about the packets received for the DHCP client. The detail keyword provides detailed information on the packets received by the DHCP client. The error keyword enables you to view information on the error messages associated with the DHCP client running on the PIX Firewall.

    To show or clear the IP address bindings that the PIX DHCP server has issued, you use the following two commands:


    show dhcpd [ binding | statistics ]
    clear dhcpd [ binding | statistics ]

    Both of these commands accept the same two keywords. The binding keyword causes the command to operate only on the DHCP leases (binding of an IP address to a specific Layer 2 Ethernet address). The statistics keyword operates on the statistics that are tracked on the DHCP server. The following information illustrates the output from the show dhcpd commands:


    pix515a# show dhcpd
    dhcpd address 10.10.10.129-10.10.10.254 inside
    dhcpd lease 84400
    dhcpd ping timeout 750
    dhcpd dns 10.200.10.32 10.100.20.40
    dhcpd enable inside
    pix515a# show dhcpd statistics
    Address pools 1
    Automatic bindings 1
    Expired bindings 1
    Malformed messages 0
    Message Received
    BOOTREQUEST 0
    DHCPDISCOVER 1
    DHCPREQUEST 2
    DHCPDECLINE 0
    DHCPRELEASE 0
    DHCPINFORM 0
    Message Sent
    BOOTREPLY 0
    DHCPOFFER 1
    DHCPACK 1
    DHCPNAK 0
    pix515a(config)# show dhcpd bindings
    IP address Hardware address Lease expiration Type
    10.10.10.129 00A0.CC5C.8163 46500 seconds automatic
    10.10.10.130 00E0.B605.43B2 32503 seconds automatic
    pix515a#
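    As an added example (not from the book), the output above fed through a Python check that computes pool utilization from the configured dhcpd address range and the bindings table, and flags counters an operator should notice: DHCPNAK and DHCPDECLINE counts, malformed messages, and any binding outside the pool or with an expiration beyond the configured lease. The high_water threshold and the wording of the findings are the example's own choices.

```python
"""Lease utilization and anomaly check over 'show dhcpd' output (added example, not from the book)."""
import ipaddress
import re

# Sample output copied from the chapter's show dhcpd commands.
SHOW_DHCPD = """\
dhcpd address 10.10.10.129-10.10.10.254 inside
dhcpd lease 84400
dhcpd ping timeout 750
dhcpd dns 10.200.10.32 10.100.20.40
dhcpd enable inside
"""

SHOW_DHCPD_STATISTICS = """\
Address pools 1
Automatic bindings 1
Expired bindings 1
Malformed messages 0
Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 0
"""

SHOW_DHCPD_BINDINGS = """\
IP address Hardware address Lease expiration Type
10.10.10.129 00A0.CC5C.8163 46500 seconds automatic
10.10.10.130 00E0.B605.43B2 32503 seconds automatic
"""


def parse_config(text):
    """Pull pool range, interface and lease out of the running dhcpd configuration."""
    m = re.search(r"dhcpd address (\S+?)(?:-(\S+))? (\S+)", text)
    low, high, iface = m.group(1), m.group(2) or m.group(1), m.group(3)
    size = int(ipaddress.IPv4Address(high)) - int(ipaddress.IPv4Address(low)) + 1
    lease_match = re.search(r"dhcpd lease (\d+)", text)
    lease = int(lease_match.group(1)) if lease_match else 3600   # chapter's default
    return {"low": low, "high": high, "interface": iface, "pool_size": size, "lease": lease}


def parse_statistics(text):
    """Counters keyed by name; heading lines without a number are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_bindings(text):
    """One dict per lease row of 'show dhcpd binding' output."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+) seconds\s+(\S+)", line)
        if m:
            rows.append({"ip": m.group(1), "mac": m.group(2),
                         "expires_in": int(m.group(3)), "type": m.group(4)})
    return rows


def assess_dhcpd(config, stats, bindings, high_water=0.8):
    """Return (utilization, findings) for the DHCP server on one interface."""
    utilization = len(bindings) / config["pool_size"]
    findings = []
    if utilization >= high_water:
        findings.append(f"pool {utilization:.0%} used on {config['interface']}")
    if stats.get("DHCPNAK", 0):
        findings.append(f"{stats['DHCPNAK']} DHCPNAK sent: clients requested addresses the server could not grant")
    if stats.get("DHCPDECLINE", 0):
        findings.append(f"{stats['DHCPDECLINE']} DHCPDECLINE received: clients found an offered address already in use")
    if stats.get("Malformed messages", 0):
        findings.append(f"{stats['Malformed messages']} malformed DHCP messages received")
    lo, hi = (int(ipaddress.IPv4Address(config[k])) for k in ("low", "high"))
    for b in bindings:
        if not lo <= int(ipaddress.IPv4Address(b["ip"])) <= hi:
            findings.append(f"binding {b['ip']} lies outside the configured pool")
        if b["expires_in"] > config["lease"]:
            findings.append(f"binding {b['ip']} expires later than the configured lease allows")
    return utilization, findings


if __name__ == "__main__":
    cfg = parse_config(SHOW_DHCPD)
    util, found = assess_dhcpd(cfg, parse_statistics(SHOW_DHCPD_STATISTICS), parse_bindings(SHOW_DHCPD_BINDINGS))
    print(f"{util:.1%} of {cfg['pool_size']} addresses in use; findings: {found or 'none'}")
```

    A DHCPDECLINE count is the one worth watching from a security angle: the client sends it after detecting that the offered address is already answering on the segment, which is how a duplicate or rogue host first shows up in the server's counters.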

