CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] نسخه متنی

Foundation Summary

The "Foundation Summary" provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.

Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters. The Cisco Easy VPN centralizes management across all Cisco VPN devices, thus greatly reducing the complexity in configuring and deploying VPN configurations. It comprises the following two components:

• Easy VPN Server

• Easy VPN Remote feature

The PIX Firewall Version 6.3 VPN Server supports the following major features:

• Support for Easy VPN Remote Clients

• Ability for remote users to communicate using IPSec with supported PIX Firewall gateways

• Central management of IPSec policies that are pushed to the clients by the server

The PIX Firewall Version 6.3 VPN Server supports the following functionality:

• Mode configuration version 6

• XAUTH version 6

• IKE DPD

• Split tunneling control

• Initial Contact

• Group-based policy control

The Cisco Easy VPN Remote feature enables certain IOS® routers, Cisco PIX Firewalls, Cisco VPN 3002 Hardware Clients, and Cisco VPN Software Clients to act as remote Cisco VPN Clients. The Cisco Easy VPN Remote feature provides for automatic management of the following items:

• Negotiating tunnel parameters

• Establishing tunnels according to parameters

• Automatically creating the NAT/PAT and associated access list if necessary

• Authenticating users

• Managing security keys for encryption and decryption

• Authenticating, encrypting, and decrypting data through the tunnel

The Easy VPN Remote feature supports the following client platforms:

• Cisco VPN Software Client

• Cisco VPN 3002 Hardware Client

• Cisco PIX 501 and 506/506E VPN Clients

• Cisco Easy VPN Remote router clients

When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway, the interaction between the peers involves the following major steps:

XAUTH enables the Easy VPN Server to require username/password authentication to establish the VPN connection. This authentication is performed by a AAA server. To configure the Easy VPN Server to use XAUTH for remote VPN Clients, you need to perform the following tasks:

• Create an ISAKMP policy for remote Cisco VPN Client access

• Create an IP address pool

• Define a group policy for mode configuration push

• Create a transform set

• Create a dynamic crypto map

• Assign the dynamic crypto map to a static crypto map

• Apply the static crypto map to an interface

• Configure XAUTH

• Configure NAT and NAT 0

• Enable IKE DPD

The Easy VPN Remote feature supports the following two modes of operation:

• Client mode

• Network extension mode

The Cisco VPN Software Client is software that enables you to establish secure end-to-end encrypted tunnels to any Easy VPN Server. Some of the major benefits of the Cisco VPN Software Client are the following:

• Intelligent peer availability detection

• SCEP

• Data compression (LZS)

• Command-line options for connecting, disconnecting, and monitoring connection status

• Configuration file with option locking

• Support for Microsoft network login (all platforms)

• DNS, WINS, and IP address assignment

• Load balancing and backup server support

• Centrally controlled policies

• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)

• Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)

The Easy VPN Server controls the policy enforced on the PIX Firewall Easy VPN Remote device. To establish the initial connection to the Easy VPN Server, you must complete some configuration locally on the client end such as configuring the client device mode. You also can enable the following two features on the Easy VPN Server:

• SUA

• IUA

Beginning with software version 6.2, you can configure the PIX Firewall as a PPPoE client. Using PPPoE, the PIX Firewall can secure various broadband connections including the following:

• DSL

• Cable modem

• Fixed wireless

PPPoE is composed of the following two main phases:

• Active discovery phase

• PPP session phase

The PIX Firewall PPPoE Client can operate in environments that are using other firewall features such as the following:

• NAT to or from the outside interface (or over a VPN)

• URL content before transmission (to or from outside interface)

• Firewall rules on traffic before transmission to or from the outside interface (or over a VPN)

Configuring the PPPoE client on the PIX Firewall involves the following tasks:

• Configuring the VPDN group

• Configuring VPDN group authentication

• Assigning the VPDN group username

• Configuring the VPDN username and password

• Enabling the PPPoE client

Any PIX Firewall (Version 5.2 or later) provides both DHCP server and DHCP client functionality. As a DHCP server, the PIX Firewall provides hosts protected by the firewall with the network parameters necessary for them to access the enterprise or corporate network. As a DHCP client, the PIX Firewall can obtain its own IP address and network mask and optionally a default route from the DHCP server.

Configuring the PIX Firewall to operate as a DHCP server involves the following tasks:

• Configuring the address pool

• Specifying WINS, DNS, and the domain name

• Configuring DHCP options

• Configuring the DHCP lease length

• Enabling the DHCP server