Foundation and Supplemental Topics

Introduction to Cisco Easy VPN

Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes management across all Cisco VPN devices, greatly reducing the complexity of configuring and deploying VPNs. Cisco Easy VPN consists of the following two components (see Figure 12-1):
Figure 12-1. Cisco Easy VPN

Easy VPN Server

The Easy VPN Server enables Cisco IOS® routers, PIX Firewalls, and Cisco VPN 3000 Series Concentrators to serve as VPN headend devices when remote offices are running the Easy VPN Remote feature. The configuration works for both site-to-site and remote access deployments. With Cisco Easy VPN, security policies defined at the headend are pushed to the remote VPN device, ensuring that up-to-date policies are in place before the connection is established. Mobile workers running the VPN Client software on their PCs can initiate Internet Protocol Security (IPSec) tunnels that are terminated on the Easy VPN Server. This flexibility enables telecommuters and traveling employees to easily access critical data and applications that reside at the headquarters facilities.

Easy VPN Remote Feature

The Easy VPN Remote feature enables PIX Firewalls, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain Cisco IOS® routers to act as remote VPN clients. The Easy VPN Server can push security policies to these clients, minimizing the VPN configuration required at remote locations. This cost-effective solution is ideal for remote offices with little information technology (IT) support, as well as for large deployments where it is impractical to configure individual remote devices.

Overview of the Easy VPN Server

The Easy VPN Server serves as the headend for your VPN configuration. To utilize Cisco Easy VPN effectively, you need to understand the following characteristics of the PIX Firewall Easy VPN Server:
Major Features

The PIX Firewall Version 6.3 VPN Server includes the following major features:
Server Functions

The PIX Firewall Version 6.3 VPN Server supports the following functionality:
The Cisco Easy VPN supports the IPSec options and attributes shown in Table 12-2.
Supported Servers

The Easy VPN Remote feature requires that the destination peer be a VPN gateway or concentrator that supports the Easy VPN Server. Some of the currently supported Easy VPN Server platforms include the following:
Overview of Easy VPN Remote Feature

The Cisco Easy VPN Remote feature enables Cisco PIX Firewalls, Cisco VPN 3002 Hardware Clients, Cisco VPN Software Clients, and certain IOS routers to act as remote Cisco VPN Clients. The Cisco Easy VPN Remote feature provides for automatic management of the following items:
This section explains the following characteristics of the Easy VPN Remote feature:
Supported Clients

The Easy VPN Remote feature supports the following client platforms:
Cisco VPN Software Client

The Cisco Easy VPN Remote feature supports the Cisco VPN Client software (software version 3.x and later). Simple to deploy and operate, this client software enables customers to establish secure, end-to-end encrypted tunnels to any Easy VPN Server. The Cisco VPN Software Client is available from the Cisco.com website for any central-site remote access VPN product and is included free of charge with the Cisco VPN 3000 Concentrator. VPN access policies and configurations are downloaded to the Cisco VPN Software Client from the Easy VPN Server when the client establishes a connection. This simplifies deployment, management, and scalability. By preconfiguring the client software, the initial user login requires little user intervention, even in mass deployment scenarios. The Cisco VPN Software Client operates with the following operating systems:
Cisco VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client has the Cisco VPN Software Client software built into it, enabling it to emulate the Cisco 3000 Series VPN Concentrator Software Client. You can simply connect the remote PCs to the Hardware Client instead of loading the Cisco VPN Software Client software on the remote PCs. The Hardware Client comes in the following two versions:
Note: Both Hardware Client models have one public Ethernet interface. The difference between the two is that the 8E has eight private 10/100BaseT ports instead of only one. These eight ports use auto Medium Dependent Interface Crossover (MDIX) technology, which eliminates the need for crossover cables when connecting a device to a port.

The Hardware Client operates in one of the following two modes:
You can select the mode locally using the command-line interface (CLI) or the graphical user interface (GUI), or remotely using an IPSec tunnel or Secure Shell (SSH). The Hardware Client is powered by an external power supply and can auto-sense either 110V or 220V.

Cisco PIX 501 and 506 VPN Clients

The following two PIX Firewall models are commonly used as VPN clients:
The PIX 501 delivers enterprise-class security for small offices and telecommuters. For small offices with always-on broadband connections, the PIX 501 provides security functionality, numerous networking features, and powerful remote management capabilities in a compact single-box solution. Up to four individual systems can share a single broadband connection, using the integrated four-port auto-sensing, auto MDIX switch for the inside interface. Like the Hardware Client, this switch eliminates the need for crossover cables when connecting a device to a port. The Ethernet ports support 10/100BASE-T (100BASE-T with the 6.3 software release). The PIX 501 also provides an RS-232 console port interface (RJ-45 connector and 9600 baud).

The PIX 506/506E enables companies to use the Internet to let users work securely from home. It delivers full firewall protection in conjunction with IPSec and VPN functionality. Connecting simultaneously with up to 25 VPN peers, the PIX 506/506E provides a complete implementation of the IPSec standards. It comes with two integrated 10/100BASE-T (100BASE-T with the 6.3 software release) ports in a compact platform (8 inches by 12 inches by 1.7 inches). Updates to image files are downloaded using the Trivial File Transfer Protocol (TFTP).

Note: Before software release 6.3, the Ethernet ports on the PIX 501 and 506/506E were 10BASE-T. After upgrading to the 6.3 software release on either the PIX 501 or 506/506E, these ports become 10/100BASE-T ports. This speed enhancement is accomplished strictly by a software update (no hardware upgrades are necessary).

Cisco Easy VPN Remote Router Clients

To provide a comprehensive solution, Cisco Easy VPN also supports several router-based clients. You can use the following router platforms as Cisco Easy VPN remote clients:
Cable modems, xDSL routers, and other forms of broadband access provide Internet access, but many situations require VPN connections to secure data that traverses the Internet. Establishing a VPN connection between two VPN endpoints, however, can be complicated because it usually requires coordination between administrators to perform the tedious tasks necessary to define the connection parameters. Cisco Easy VPN Remote eliminates most of this tedious work by implementing the Cisco VPN Client protocol, which allows many of the VPN parameters to be configured on the access server. Once the access server is configured, the additional configuration on the VPN Client is minimal. When the IPSec client initiates the VPN connection, the VPN remote access server pushes the required IPSec policies to the IPSec client and creates the corresponding IPSec tunnel.

Easy VPN Remote Connection Process

When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway, the interaction between the peers involves the following major steps:
Extended Authentication Configuration

Extended Authentication (XAUTH) enables the Easy VPN Server to require username/password authentication in order to establish the VPN connection. This authentication is performed by an authentication, authorization, and accounting (AAA) server. To use XAUTH for remote VPN clients, you must set up the Easy VPN Server and configure it to perform XAUTH. The complete configuration process involves the following tasks:
Create an Internet Security Association and Key Management Protocol Policy

To create the Internet Security Association and Key Management Protocol (ISAKMP) policy, you use the standard ISAKMP configuration commands to define the following parameters:
The syntax for these commands is as follows:

    isakmp policy priority authentication { pre-share | rsa-sig }
    isakmp policy priority encryption { aes | aes-192 | aes-256 | des | 3des }
    isakmp policy priority group { 1 | 2 | 5 }
    isakmp policy priority hash { md5 | sha }
    isakmp policy priority lifetime seconds

Table 12-3 outlines the parameters for the isakmp policy command.
For instance, suppose that you want to configure an ISAKMP policy based on the following criteria:
The commands to define this ISAKMP policy are as follows:

    Pix(config)# isakmp enable outside
    Pix(config)# isakmp policy 30 authentication pre-share
    Pix(config)# isakmp policy 30 encryption aes
    Pix(config)# isakmp policy 30 hash sha
    Pix(config)# isakmp policy 30 group 5

Create an Internet Protocol Address Pool

If the remote client is using the Easy VPN Server to obtain its IP address, you must define a local address pool using the ip local pool command. The syntax for this command is as follows:

    ip local pool { pool_name low_ip_address [ - high_ip_address ]}

For instance, suppose that you want to assign the remote clients addresses in the range from 10.20.100.1 through 10.20.100.254. Using a pool name of vpn_pool, the command line would be as follows:

    Pix(config)# ip local pool vpn_pool 10.20.100.1-10.20.100.254

Define Group Policy for Mode Configuration Push

Several parameters are pushed to the VPN Client from the Easy VPN Server. These parameters are specified by the group policy assigned to a set of remote VPN Clients. The major group policy parameters are as follows:
Note: Each remote VPN user belongs to a specific VPN group. As users establish VPN tunnels to the Easy VPN Server, they identify the group to which they belong.

You configure these parameters using the vpngroup command. The syntax for these commands is as follows:

    vpngroup group_name password preshared_key
    vpngroup group_name dns-server primary-server [ secondary-server ]
    vpngroup group_name wins-server primary-server [ secondary-server ]
    vpngroup group_name default-domain domain_name
    vpngroup group_name address-pool pool_name
    vpngroup group_name idle-time seconds

Create Transform Set

A transform identifies an encryption algorithm and hash algorithm pair. A group of transforms defines a transform set. For each group policy, you can define one or more transforms to indicate which pairs of algorithms are acceptable for new IPSec connections. You specify the transform information for your group policy using the crypto ipsec transform-set command. The syntax for this command is as follows:

    crypto ipsec transform-set transform-set-name transform1 [ transform2 [ transform3 ]]

You can assign up to three different transforms to a specific transform set name. The order in which the transforms are listed is the order in which they are checked, so you must place the highest-priority (most secure) transforms first so that they are matched before less-secure transforms. A remote client, however, can end up using any of the transforms that you specify in the list.

Note: For an IPSec-manual crypto map, you can specify only a single transform. When using IPSec-ISAKMP or dynamic crypto map entries, however, you can specify up to six transform sets.

The transform sets that you can use are as follows:
Each transform defines either ah or esp (indicating either Authentication Header [AH] or Encapsulating Security Payload [ESP]). The keyword used in the transform is an algorithm abbreviation (see Table 12-4).
Create a Dynamic Crypto Map

When your VPN Clients connect to the Easy VPN Server, they negotiate the parameters of the IPSec session. Creating a dynamic crypto map enables you to define a crypto map that does not have all of its parameters configured. It acts as a policy template in which the missing parameters are filled in to match the remote peer's requirements (as part of the IPSec negotiation). By using dynamic crypto maps, your Easy VPN Servers do not have to be preconfigured for all of the requirements of your remote peers, which makes the configuration process more flexible.

Note: Dynamic crypto maps are not used to initiate IPSec security associations (SAs) with remote peers. They are used only when remote peers initiate IPSec SAs and during the evaluation of traffic coming to the server.

You create dynamic crypto maps using the crypto dynamic-map command. The syntax for this command is as follows:

    crypto dynamic-map dynamic-map-name dynamic-map-seqnum

Assign a Dynamic Crypto Map to a Static Crypto Map

After creating a dynamic crypto map, you need to assign it to a static crypto map using the crypto map command. The syntax for this command is as follows:

    crypto map map-name seq-num { ipsec-isakmp | ipsec-manual } [ dynamic dynamic-map-name ]

Apply the Static Crypto Map to an Interface

Once the static crypto map has been created, you need to identify the interface to which the map is applied by using another variation of the crypto map command. The syntax for this command is as follows:

    crypto map map-name interface interface-name

Configure Extended Authentication

Configuring XAUTH on the Easy VPN Server for your remote VPN Clients involves the following three steps:
To enable AAA login authentication, you use the aaa-server command. The syntax for this command is as follows:

    aaa-server server-tag protocol { tacacs+ | radius }

Besides enabling AAA login authentication, you need to configure the location of the AAA server by specifying its IP address. The syntax for this variation of the aaa-server command is as follows:

    aaa-server server-tag [( if_name )] host server-ip [ key ] [ timeout seconds ]

Finally, you need to enable Internet Key Exchange (IKE) XAUTH for the crypto map that you defined, using another variation of the crypto map command. The syntax for this command is as follows:

    crypto map map-name client [ token ] authentication aaa-server-name

Note: When specified, the optional keyword token informs the PIX Firewall that the AAA server uses a token-card system, so the user is prompted for a username and password during the IKE authentication.

An example configuration for XAUTH that uses Terminal Access Controller Access Control System Plus (TACACS+) is as follows:

    pix515a(config)# aaa-server MYSERVER protocol tacacs+
    pix515a(config)# aaa-server MYSERVER (inside) host 192.168.1.15 S3cr3TK3y!
    pix515a(config)# crypto map MYMAP client authentication MYSERVER

Configure Network Address Translation and NAT 0

The traffic traversing the IPSec tunnel is encrypted. Some traffic originating from the Easy VPN Server network, however, must simply be translated using Network Address Translation (NAT) and then sent without being encrypted. Figure 12-2 shows a situation in which a remote VPN Client is connecting across the Internet to the PIX VPN Server.

Figure 12-2. Configuring NAT and NAT 0

Traffic from the TACACS+ server destined for 192.168.120.120 needs to be encrypted and sent through the IPSec tunnel without translation. Traffic to the Internet (from the TACACS+ server), however, needs to be translated (by NAT) but not encrypted.
The commands to perform this configuration are as follows:

    pix515a(config)# access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.120.120 255.255.255.255
    pix515a(config)# nat (inside) 0 access-list 101
    pix515a(config)# nat (inside) 1 0.0.0.0 0.0.0.0
    pix515a(config)# global (outside) 1 interface

Traffic that matches access-list 101 is encrypted and sent through the IPSec tunnel to the remote system. Other traffic is translated (by NAT) and transmitted without encryption out the same interface.

Enable Internet Key Exchange Dead Peer Detection

Dead peer detection (DPD) allows two IPSec peers to determine that the other is still "alive" during the lifetime of the VPN connection. In many situations, one peer may reboot or the link may be unexpectedly disconnected for some other reason, and the other peer may not quickly detect that the connection has been terminated. DPD enables an IPSec peer to notify the user of the disconnection, attempt to switch to another IPSec host, or clean up valuable resources that were allocated to a peer that is no longer connected. A Cisco VPN device can be configured to send and reply to DPD messages. DPD messages are sent when no other traffic is traversing the IPSec tunnel. If a configured amount of time passes without a reply to a DPD message, a dead peer can be detected. DPD messages are unidirectional and are automatically sent by Cisco VPN Clients. DPD is configured on the server only if the server wishes to send DPD messages to VPN Clients to assess their health.

You use the isakmp keepalive command to enable the PIX Firewall gateway to send IKE DPD messages. You need to specify the number of seconds between DPD messages and the number of seconds between retries (if a DPD message does not receive a response). The syntax for this command is as follows:

    isakmp keepalive seconds [ retry_seconds ]

Easy VPN Remote Modes of Operation

The Easy VPN Remote supports the following two modes of operation:
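The server-side tasks from the preceding sections (ISAKMP policy, address pool, group policy, transform set, dynamic and static crypto maps, XAUTH, NAT 0, and DPD) assembled into one PIX Firewall 6.3 Easy VPN Server configuration. This is an added example, not a configuration from the chapter or from Cisco. It reuses the chapter's values (policy 30, vpn_pool, MYSERVER, MYMAP, access-list 101, the 10.10.10.0/24 inside network) and assumes the group name REMOTES, the transform-set name AES-SHA, the dynamic-map name DYNMAP, the DNS/WINS addresses, the domain name, the group key, and the DPD timers. Its NAT 0 access list exempts traffic to the whole client pool rather than the single client address used in the chapter's NAT example.

```cisco
! Easy VPN Server on a PIX Firewall 6.3 -- added example assembled from the
! steps in this section, not a configuration from the book or from Cisco.
! Constructed values: group REMOTES, transform set AES-SHA, dynamic map DYNMAP,
! DNS/WINS addresses, domain, group key, DPD timers. Policy 30, vpn_pool,
! MYSERVER, MYMAP and access-list 101 reuse the chapter's own values.

! 1. ISAKMP (Phase 1) policy: group pre-shared key, AES, SHA, DH group 5
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400

! 2. Address pool handed to remote clients by mode configuration
ip local pool vpn_pool 10.20.100.1-10.20.100.254

! 3. Group policy pushed to clients that identify as group REMOTES
vpngroup REMOTES password Gr0upK3y-Placeholder
vpngroup REMOTES dns-server 192.168.1.10
vpngroup REMOTES wins-server 192.168.1.11
vpngroup REMOTES default-domain example.com
vpngroup REMOTES address-pool vpn_pool
vpngroup REMOTES idle-time 1800

! 4. Transform set: the strongest acceptable pair is listed (and checked) first
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

! 5. Dynamic crypto map: a template whose peer/proxy parameters are filled in
!    during negotiation; only the transform set is fixed here
crypto dynamic-map DYNMAP 10 set transform-set AES-SHA

! 6. and 7. Attach the dynamic map to a static map, bind the map to outside
crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside

! 8. XAUTH: AAA server definition and IKE user authentication on the map
aaa-server MYSERVER protocol tacacs+
aaa-server MYSERVER (inside) host 192.168.1.15 S3cr3TK3y! timeout 10
crypto map MYMAP client authentication MYSERVER

! 9. NAT 0: inside traffic bound for the client pool is exempt from translation
!    and goes into the tunnel; everything else is PAT'd to the outside address
access-list 101 permit ip 10.10.10.0 255.255.255.0 10.20.100.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 10. DPD: probe an idle client every 10 seconds, retry every 5 seconds
isakmp keepalive 10 5

! Let decrypted tunnel traffic bypass the outside interface access list
sysopt connection permit-ipsec
```

The sysopt line is not one of the chapter's steps but is standard PIX practice: without it, decrypted client traffic is still subject to the outside interface ACL. After a client connects, show isakmp sa and show crypto ipsec sa confirm that the Phase 1 and Phase 2 SAs were negotiated with the policy and transform set configured here.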
In client mode, the Easy VPN Server automatically creates NAT/PAT (Port Address Translation) associations that allow the PCs and other hosts on the client side of the VPN connection to form a private network that does not use any IP addresses in the address space of the Easy VPN Server.

Note: The NAT/PAT translations and access control list (ACL) configurations created by the Easy VPN Remote feature are not written to either the startup configuration or the running configuration. You can view these configurations, however, using the show ip nat statistics and show access-list commands (or show vpnclient detail on the PIX Firewall) while the configuration is active.

In network extension mode, the PCs and other hosts at the client end of the IPSec tunnel are assigned fully routable IP addresses that are reachable from the server network (through the IPSec tunnel session), forming one logical network. In this mode, PAT is not used, so client systems have direct access to the PCs and hosts on the destination network.

Client Mode

Client mode enables you to deploy a VPN quickly and easily in a small office/home office (SOHO) environment. In situations where there is no need to access the devices behind the VPN client directly, and ease of use and quick installation are important, client mode is the ideal solution. In client mode, the Easy VPN Remote device uses PAT to isolate the private network from the public network. PAT causes all of the traffic from the SOHO network to appear on the private network as a single source IP address. Figure 12-3 illustrates the Easy VPN Remote client mode of operation. The remote clients are on the 192.168.10.0 network. Traffic from these clients is converted (by PAT) to a single address (10.20.10.2).

Figure 12-3. Easy VPN Remote Client Mode

Network Extension Mode

In network extension mode, all SOHO PCs connected to the Easy VPN Remote device are uniquely addressable by the VPN tunnel.
This allows devices to connect directly to PCs behind the Easy VPN Remote device. Figure 12-4 illustrates the Easy VPN Remote network extension mode. The remote client hosts are assigned IP addresses that are fully routable by the destination network through the tunnel.

Figure 12-4. Easy VPN Remote Network Extension Mode

Overview of Cisco VPN Software Client

The Cisco VPN Software Client is software that enables you to establish secure end-to-end encrypted tunnels to any Easy VPN Server. The Cisco VPN Software Client is IPSec compliant, is available from Cisco.com for customers with SMARTnet support, and is included free of charge with the concentrator. The Cisco VPN Software Client can easily be preconfigured for mass deployment situations. Initial logins require very little user intervention because VPN access policies and configurations are downloaded from the Easy VPN Server and pushed to the Cisco VPN Client when a connection is established, enabling simple deployment and management. The Cisco VPN Software Client provides support for the following operating systems:

Features

The Cisco VPN Software Client provides numerous features and benefits. Some of the major benefits of the Cisco VPN Software Client include the following:
Note: The Cisco VPN Software Client supports more features than the Easy VPN Server platforms. You should always compare the Cisco VPN Software Client specifications against the Easy VPN Server supported and unsupported feature list. For instance, although the Cisco VPN Client supports Zone Labs and BlackICE firewall features, the Easy VPN Server does not. The features supported on the Easy VPN Server determine which policies and configurations can be pushed from the Easy VPN Server to the VPN Client.

Specifications

Effectively utilizing the Cisco VPN Software Client on your network requires an understanding of its major functional specifications. The specifications for the Cisco VPN Software Client fall into the following major categories:
Tunneling Protocols

The Cisco VPN Software Client supports the following tunneling options:
Note: IPSec over TCP and IPSec over UDP refer to the VPN Client encapsulating the IPSec traffic inside either TCP or UDP packets. By encapsulating the complete IPSec packets inside another transport protocol (such as UDP), the integrity checks on the IPSec packets remain valid even when a NAT device changes the IP addresses on the outer transport protocol.

Encryption and Authentication

The Cisco VPN Software Client supports the following encryption algorithms:
It also supports the following cryptographic hash algorithms:
Key Management Techniques

The Cisco VPN Client supports the following key management techniques:
Data Compression

The only supported data compression technique is LZS. LZS provides an algorithm for compressing Point-to-Point Protocol (PPP)-encapsulated packets (see RFC 1974).

Digital Certificates

Digital certificates help to verify the identity of the peers in an IPSec session. The digital certificate functionality provided by the Cisco VPN Software Client falls into the following categories:
Enrollment mechanisms define the means by which digital certificates are securely issued. Certificate authorities (CAs) actually issue the certificates by signing them with their own private key. The Cisco VPN Software Client supports the following CAs:
Using smart cards can also help secure the login process by verifying the identity of the user. The Cisco VPN Software Client supports various smart cards through the Microsoft crypto application programming interface (API) CRYPT-NOHASHOID, including the following:
Authentication Methodologies

Authentication is crucial for providing secure remote access through VPN tunnels. The Cisco VPN Software Client supports XAUTH and Remote Authentication Dial-In User Service (RADIUS) with support for the following:
Policy and Profile Management

You can easily distribute Cisco VPN Software Clients with preconfigured Profile Configuration Files (PCFs) that regulate the operation of the client software. You can also centrally control policies such as the following:
Cisco VPN Client Manual Configuration Tasks

When using the Cisco VPN Software Client, the Easy VPN Server can push the VPN policy to help facilitate the management of the client systems. Initially, however, you still need to install the Cisco VPN Software Client on the remote system. This manual process involves the following tasks:
Installing the Cisco VPN Software Client

Installation of the Cisco VPN Software Client varies slightly between the different supported operating systems. The best source of detailed installation information is the release notes that accompany the Cisco VPN Software Client that you are installing. Installing the Cisco VPN Software Client on a Windows-based system follows the usual software installation process. The on-screen instructions ensure the installation is quick and not very complicated. After the software is installed, the following new options are added to your Programs menu (see Figure 12-5):
Figure 12-5. Cisco VPN Software Client Program Menu

If you try to launch the Cisco VPN Client when you already have a session established, it displays the same window you see when you launch the Cisco VPN Client Software (see Figure 12-6).

Figure 12-6. VPN Client Window

Either typing Ctrl-S or selecting Statistics from the Status drop-down menu displays the following information about your connection (see Figure 12-7):

Figure 12-7. VPN Client Statistics Window
Creating a New Connection Entry

After installing the Cisco VPN Software Client on your system, you need to create a connection entry that will define the properties of your VPN connection, such as the following:
Creating a new connection entry involves the following steps on a Windows 2000 system:
Modifying VPN Client Options

Besides creating a new connection entry, you can also optionally define various characteristics of the connection entry. These options are accessible using the Options drop-down menu on the main Cisco VPN Software Client screen (see Figure 12-8).

Figure 12-8. Cisco VPN Software Client Options

From the Options drop-down menu, you can configure the characteristics of the current connection entry as listed in Table 12-5.
Note: If you want to know the version of the Cisco VPN Software Client installed on your PC, you can right-click the Cisco VPN Dialer icon in the system tray. This also indicates whether the stateful firewall functionality is always on, because Stateful Firewall (Always On) has a check mark next to it if enabled.

Clicking the Modify icon enables you to configure the following characteristics of the Cisco VPN Client:
Although these properties vary slightly between the supported operating systems, the major general properties that you can configure are as follows:
Note: Allowing IPSec over TCP (or UDP) enables you to use the VPN Client in an environment where your traffic must go through a firewall or router that is using NAT or PAT. This option must also be configured on the Easy VPN Server for it to operate correctly.

The Authentication tab of the VPN Client Properties window enables you to configure the VPN Client to use either a group name and password or digital certificates for authentication (see Figure 12-9).

Figure 12-9. Authentication Tab of the VPN Client Properties Window

The Transport tab in the VPN Client Properties window enables you to configure the transparent tunneling properties for the VPN connection (see Figure 12-10). Transparent tunneling enables your VPN connection to travel across devices that are performing NAT or PAT on the traffic. Without transparent tunneling, the traffic would be considered invalid because the integrity checks on the packets would fail.

Figure 12-10. Transport Tab of the VPN Client Properties Window

The Backup Servers tab of the VPN Client Properties window defines backup Easy VPN Servers (see Figure 12-11), and the Dial-Up tab of the VPN Client Properties window defines whether the connection to the Internet using dialup networking is enabled (see Figure 12-12).

Figure 12-11. Backup Servers Tab of the VPN Client Properties Window

Figure 12-12. Dial-Up Tab of the VPN Client Properties Window

An enterprise network may have multiple Easy VPN Servers. Backup servers for the connections enable your Cisco VPN Clients to utilize these alternate Easy VPN Servers if the primary Easy VPN Server is unavailable. When establishing a VPN connection, clients attempt to connect to the primary Easy VPN Server first. If that device is unavailable, one of the backup servers is used.

Note: You can also configure the backup servers on the Easy VPN Server and have them pushed to the VPN Client after a successful connection.
Then, on subsequent connections, the VPN Client can use these backup servers if the primary server is unavailable.

PIX Easy VPN Remote Configuration

The Easy VPN Server controls the policy enforced on the PIX Firewall Easy VPN Remote device. To establish the initial connection to the Easy VPN Server, you must complete some configuration locally on the remote client device. You can perform this configuration using the Cisco PIX Device Manager (PDM) or the command-line interface. These configuration tasks fall into the following categories:
Basic Configuration

To enable the PIX Easy VPN Remote client to communicate with the Easy VPN Server, you need to identify the location of the Easy VPN Server using the vpnclient server command. The syntax for this command is as follows:

    vpnclient server { Primary_IP } [ Secondary_IPs ]

You need to specify the IP address of the primary Easy VPN Server. In addition to the primary Easy VPN Server, you can also specify up to ten additional secondary Easy VPN Servers. If the primary server is not accessible, the client uses one of the secondary servers.

To enable the VPN Client, you use the vpnclient enable command. The syntax for this command is as follows:

    vpnclient enable

If you use preshared keys, you must also specify this key value using the vpnclient vpngroup command. The syntax for this command is as follows:

    vpnclient vpngroup { groupname } password { preshared_key }

The client needs to use the preshared key to encrypt the information being transmitted to the server.

One other basic configuration task involves XAUTH. If you use XAUTH, you need to specify the username and password for the VPN Client using AAA or the vpnclient username command. The syntax for this command is as follows:

    vpnclient username { xauth_username } password { xauth_password }

Client Device Mode

The Cisco VPN Client operates in the following two modes (see the "Easy VPN Remote Modes of Operation" section earlier in the chapter for more information):
To configure the client device mode, you use the vpnclient mode command. The syntax for this command is as follows:

    vpnclient mode { client-mode | network-extension-mode }

Client mode applies NAT/PAT to all IP addresses of the clients connected to the higher-security (inside) interface. Network extension mode, on the other hand, does not apply NAT/PAT to any IP addresses of clients on the higher-security interface.

Secure Unit Authentication

Secure Unit Authentication (SUA) is a feature introduced in PIX Firewall Software Version 6.3 to improve security when using a PIX Firewall as an Easy VPN Remote device. With SUA, the Easy VPN Server can require one-time passwords, two-factor authentication, and similar authentication schemes before the establishment of a VPN tunnel to the Easy VPN Server. SUA is configured as part of the VPN policy on the Easy VPN Server and cannot be configured directly on the VPN Remote device. The Easy VPN Remote device downloads the VPN policy (after connecting to the Easy VPN Server), which enables or disables SUA.

Client Operation with Secure Unit Authentication Disabled

When SUA is disabled and the Easy VPN Remote device is operating in network extension mode, a connection is automatically initiated by the PIX VPN Remote device for the remote protected hosts. In client mode, the connection is initiated whenever traffic from the remote protected network is sent through the PIX Firewall to the network protected by the Easy VPN Server.

Client Operation with Secure Unit Authentication Enabled

When SUA is enabled, static credentials included in the local configuration of the Easy VPN Remote device are ignored. A connection request is initiated as soon as any Hypertext Transfer Protocol (HTTP) request is sent from the remote network to the network protected by the Easy VPN Server. All other traffic to the network protected by the Easy VPN Server is dropped until a VPN tunnel is established.
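The basic configuration and client device mode commands from the two preceding sections, collected into one PIX 501 Easy VPN Remote configuration. This is an added example, not a configuration from the chapter or from Cisco. It assumes the Easy VPN Server addresses 203.0.113.10 and 203.0.113.11 (documentation range), the group name REMOTES, and placeholder group and XAUTH passwords; the group name and group key must match the vpngroup defined on the Easy VPN Server.

```cisco
! PIX 501 as Easy VPN Remote -- added example, not the book's configuration.
! Assumed values: server addresses 203.0.113.10 / 203.0.113.11 (documentation
! range), group REMOTES, and placeholder group and XAUTH passwords.

! Primary Easy VPN Server followed by one secondary server (up to ten allowed);
! the secondary is tried only if the primary is unreachable
vpnclient server 203.0.113.10 203.0.113.11

! Group name and group pre-shared key; must match "vpngroup REMOTES password"
! on the server, which then pushes that group's policy to this device
vpnclient vpngroup REMOTES password Gr0upK3y-Placeholder

! Static XAUTH credentials for the device itself. These are ignored once the
! downloaded policy has SUA enabled, because SUA demands an interactive login
vpnclient username telecommuter01 password Xauth-Placeholder

! Network extension mode: inside hosts keep their routable addresses and no
! PAT is applied; use client-mode to hide them behind a single PAT address
vpnclient mode network-extension-mode

! Entered last so the first connection attempt uses the complete configuration
vpnclient enable
```

After the tunnel comes up, show vpnclient detail on the remote PIX displays the policy that was downloaded and, in client mode, the NAT/PAT translations and access list entries the feature created, none of which appear in the running configuration.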
Note: You also can initiate a connection request from the command-line interface (CLI) of the Easy VPN Remote device.
Before a VPN tunnel is established, any HTTP request to the network protected by the Easy VPN Server is redirected to a Uniform Resource Locator (URL) in the following format:
    https://<inside-ip-address>/vpnclient/connstatus.html
inside-ip-address is the address of the inside (protected) interface of the Easy VPN Remote device. For instance, if the inside interface of the Easy VPN Remote device is 10.10.10.1, requests are redirected to the following URL:
    https://10.10.10.1/vpnclient/connstatus.html
You can check the status of the VPN tunnel by entering this URL manually in your browser (from one of the remote protected hosts). The page contains a Connect link that displays an authentication page. If authentication succeeds, the VPN tunnel is established.
Note: You also can activate the connection by entering this URL manually in your browser (on a remote protected host).
To enable SUA, you use the following command on the Easy VPN Server:
    vpngroup groupname secure-unit-authentication
groupname is the alphanumeric identifier for the VPN group for which you want to enable SUA. After the tunnel is established, other users on the remote network (protected by the Easy VPN Remote device) can access the network protected by the Easy VPN Server without further authentication: SUA authenticates the remote unit, not the people behind it. If you want to control access by individual users, you need to implement Individual User Authentication (IUA), which is explained in the next section.
Individual User Authentication
IUA causes the hosts on the remote protected network (behind the Easy VPN Remote device) to be authenticated individually, with each authenticated session tracked by the IP address of the inside host. Because that state is keyed on the address rather than on the host, a machine that takes over an authenticated host's address inherits its access until the session idles out, so keep the idle timeout short on networks where addresses are easily reused. IUA supports authentication based on both static and dynamic password mechanisms. Similar to SUA, IUA is enabled by the VPN policy downloaded from the Easy VPN Server and cannot be configured locally.
When IUA is enabled, each user on the remote protected network is prompted for a username and password when trying to initiate a connection to the network protected by the Easy VPN Server. Unlike SUA, which requires an HTTP connection to initiate the authentication request, IUA prompts the user for authentication (establishing the tunnel if necessary) whenever any traffic is sent across the tunnel. A PIX Firewall serving as an Easy VPN Server downloads the contact information for the AAA server to the Easy VPN Remote device, which then sends authentication requests directly to the AAA server.
Note: A Cisco VPN 3000 Series Concentrator used as an Easy VPN Server instead performs proxy authentication to the AAA server: the Easy VPN Remote device sends each authentication request to the concentrator rather than directly to the AAA server.
To enable IUA, you use the following command on the Easy VPN Server:
    vpngroup groupname user-authentication
groupname is the alphanumeric identifier for the VPN group for which you want to enable IUA. You also must use the following command on the Easy VPN Server to specify the AAA server to use for authentication:
    vpngroup groupname authentication-server server-tag
The server-tag identifies the AAA server (defined with the aaa-server command) to use for the specified VPN group. To specify how long the VPN tunnel remains open without any user activity, you use the following command on the Easy VPN Server:
    vpngroup groupname user-idle-timeout seconds
You specify the idle time for the specified VPN group in seconds.
Point-to-Point Protocol over Ethernet and the PIX Firewall
Beginning with software version 6.2, you can configure the PIX Firewall as a Point-to-Point Protocol over Ethernet (PPPoE) client. Many Internet service providers (ISPs) deploy PPPoE because it provides high-speed broadband access using their existing remote access infrastructure. PPPoE is also easy for customers to use.
Figure 12-13 depicts a typical PPPoE network configuration that uses a PIX Firewall to secure a low-cost always-on Internet connection. The PIX Firewall can secure various broadband connections including the following:
Figure 12-13. PIX Firewall PPPoE Client Configuration
PPPoE (see RFC 2516) provides an authenticated method for assigning IP addresses to client systems by combining the following two widely accepted standards:
PPPoE is composed of the following two main phases:
PPPoE connects a network of systems over a simple bridging access device to a remote Access Concentrator (AC). In the active discovery phase, the PPPoE client locates the AC (the PPPoE server) and is assigned a session ID. After locating an AC, the PPPoE client establishes a PPP session; while the session is being established, PPP options are negotiated and authentication is performed. Once the session is established, traffic from the client is sent across the Ethernet network by encapsulating the PPP frames in unicast Ethernet frames, and the session ID in the PPPoE header tells the AC which client each PPP frame belongs to. After configuration, the PIX Firewall connects to the service provider's AC automatically without user intervention. The PPPoE header (6 bytes) and the PPP protocol field (2 bytes) take 8 bytes out of the 1500-byte Ethernet payload, so the PIX Firewall uses an MTU of 1492 bytes on the PPPoE interface; that is what lets it carry the PPPoE/PPP-encapsulated packets inside regular Ethernet frames. The PIX Firewall PPPoE Client can operate in environments that are using other firewall features such as the following:
If your ISP distributes configuration parameters such as DNS and WINS server addresses, the PIX Firewall's PPPoE Client can retrieve them and pass them automatically to its own Dynamic Host Configuration Protocol (DHCP) clients. You use the dhcpd auto-config command on the PIX Firewall to let its DHCP clients receive these parameters from the PPPoE client.
Note: Although the PIX Firewall DHCP server operates together with the PPPoE client, the PPPoE client and the DHCP client are mutually exclusive on an interface. If you configure the PPPoE client on the outside interface, DHCP client functionality is automatically disabled on that interface; similarly, if you enable the DHCP client on the outside interface, the PPPoE client is automatically disabled there.
Note: The PIX Firewall's PPPoE Client is not interoperable with failover, Layer Two Tunneling Protocol (L2TP), or Point-to-Point Tunneling Protocol (PPTP).
Configuring the PPPoE client on the PIX Firewall involves the following tasks:
Configuring the Virtual Private Dial-Up Networking Group
The first task in configuring the PIX Firewall PPPoE Client is to define the VPDN group using the following command:
    vpdn group group-name request dialout pppoe
Configuring Virtual Private Dial-Up Networking Group Authentication
Your ISP may require you to use authentication with PPPoE. The PIX Firewall PPPoE Client supports the following authentication protocols:
To define the authentication protocol for the PPPoE client, you use the following command:
    vpdn group group-name ppp authentication pap | chap | mschap
PAP sends the password to the AC in the clear, whereas CHAP and MS-CHAP prove knowledge of it through a challenge-response exchange, so prefer CHAP or MS-CHAP whenever your ISP supports them.
Note: ISPs that use CHAP or MS-CHAP may refer to the username as the remote system name and the password as the CHAP secret.
Assigning the Virtual Private Dial-Up Networking Group Username
To assign the username provided by your ISP to the VPDN group, you use the following command:
    vpdn group group-name localname username
Configuring the Virtual Private Dial-Up Networking Username and Password
The PIX Firewall uses a username and password pair to authenticate to the AC. To assign a username and password pair for PPPoE authentication, you use the following command:
    vpdn username username password password
Note: The username specified must be the one already associated with the VPDN group used for PPPoE (with the vpdn group ... localname command).
Enabling the Point-to-Point Protocol over Ethernet Client
By default the PPPoE client on the PIX Firewall is disabled. Use the following command to enable the PPPoE client and have the interface address negotiated with the AC:
    ip address interface-name pppoe [ setroute ]
You also can enable PPPoE with a manually entered IP address using the following command:
    ip address interface-name ip-address netmask pppoe [ setroute ]
This form causes the PIX Firewall to use the specified IP address instead of negotiating an address with the PPPoE server. The parameters for the ip address command are shown in Table 12-6.
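The four PPPoE configuration tasks above in one sequence, as an added example rather than configuration from the chapter. The VPDN group name, the ISP username and password, and the old static gateway 203.0.113.1 are assumptions; the dhcpd auto-config line presumes the inside DHCP server described later in this chapter is enabled.

```cisco
! PIX PPPoE client on the outside interface (software 6.2 or later).
vpdn group isp request dialout pppoe
! CHAP rather than PAP: PAP would send the ISP password to the AC in the clear.
vpdn group isp ppp authentication chap
! Username the ISP issued, tied to the group, then the matching credential.
vpdn group isp localname cust1234@isp.example
vpdn username cust1234@isp.example password S3cret-ChangeMe
! setroute cannot replace an existing default route, so remove the static
! one first if the unit had one (assumed old gateway shown).
no route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Negotiate the outside address and install the default route the AC supplies.
ip address outside pppoe setroute
! Hand the DNS/WINS/domain learned from the ISP to inside DHCP clients.
dhcpd auto-config outside
! Verification: negotiated address, AC address (0.0.0.0 means no AC found),
! and session state.
show ip address outside pppoe
show vpdn pppinterface
show vpdn session
```

If the AC address in show vpdn pppinterface stays 0.0.0.0, the discovery phase never completed; debug pppoe event on the PIX shows whether PADI frames are leaving and whether any PADO comes back before you start suspecting the credentials.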
The setroute keyword causes a default route to be created from the default gateway parameter returned by the DHCP or PPPoE server. This keyword cannot override an existing default route: if a default route already exists when you use setroute, the PIX Firewall is unable to replace it with the gateway learned from PPPoE. Therefore, if a default route is already configured on the PIX Firewall, delete it before using the setroute keyword.
Monitoring the Point-to-Point Protocol over Ethernet Client
The show vpdn command displays information about PPPoE on the PIX Firewall. Without any other keywords, it displays both the PPPoE tunnels and the sessions, as in the following (the 4294967-second timers and the negative byte count in this sample appear to be 32-bit counter wraps in the display rather than real values):
    pix515a# show vpdn
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Tunnel id 0, 1 active sessions
      time since change 4294967 secs
      Remote MAC Address 00:02:3B:02:32:2E
      9005625 packets sent, 11376588 received, 1755681415 bytes sent, -407696198 received
    Remote MAC is 00:02:3B:02:32:2E
      Session state is SESSION_UP
        Time since event change 4294967 secs, interface outside
        PPP interface id is 1
        9005625 packets sent, 1265856 received, 1755681415 bytes sent, 865125131 received
    pix515a#
To view information only on your VPDN sessions, add the session keyword to the show vpdn command, as in the following:
    pix515a# show vpdn session
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Remote MAC is 00:02:3B:02:32:2E
      Session state is SESSION_UP
        Time since event change 4294967 secs, interface outside
        PPP interface id is 1
        9005664 packets sent, 1265894 received, 1755684373 bytes sent, 865127247 received
    pix515a#
To view information only on your VPDN tunnels, add the tunnel keyword to the show vpdn command, as in the following:
    pix515a# show vpdn tunnel
    %No active L2TP tunnels
    PPPoE Tunnel and Session Information (Total tunnels=1 sessions=1)
    Tunnel id 0, 1 active sessions
      time since change 4294967 secs
      Remote MAC Address 00:02:3B:02:32:2E
      9005704 packets sent, 11376666 received, 1755687225 bytes sent, -407691806 received
    pix515a#
You can use the show vpdn pppinterface command when a PPPoE connection is established to view the address of the AC. If the PIX Firewall cannot locate the AC, the address displayed is 0.0.0.0. The syntax for this command is as follows:
    show vpdn pppinterface [ id interface_name ]
The output of the show vpdn pppinterface command is similar to the following:
    pix515a# show vpdn pppinterface
    PPP virtual interface id = 1
    PPP authentication protocol is PAP
    Server ip address is 214.8.252.151
    Our ip address is 88.235.123.14
    Transmitted Pkts: 1002469, Received Pkts: 1265984, Error Pkts: 0
    MPPE key strength is None
    MPPE_Encrypt_Pkts: 0, MPPE_Encrypt_Bytes: 0
    MPPE_Decrypt_Pkts: 0, MPPE_Decrypt_Bytes: 0
    Rcvd_Out_Of_Seq_MPPE_Pkts: 0
    pix515a#
To view the local usernames, you use the show vpdn username command, and the show vpdn group command displays the configured VPDN groups. The syntax for these commands is as follows:
    show vpdn username [ specific-name ]
    show vpdn group [ specific-group-name ]
To view the IP address assigned by the PPPoE server on an established PPPoE session, you use the show ip address command on the interface on which PPPoE is enabled. The syntax for this command is as follows:
    show ip address interface-name pppoe
Finally, you can debug the PPPoE packets processed by the PIX Firewall with the debug pppoe command. The syntax for this command is as follows:
    debug pppoe { event | error | packet }
Dynamic Host Configuration Protocol Server Configuration
DHCP provides automatic allocation of reusable network addresses on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. Without DHCP, IP addresses must be entered manually on each computer or device connected to the network.
Automatic allocation dramatically reduces administration and user error. DHCP can also distribute other configuration parameters such as DNS and WINS server addresses and domain names. The system requesting an IP address and configuration parameters is known as the DHCP client. The system that allocates the IP addresses is known as the DHCP server.
Note: Because the DHCP client does not know the IP address of the DHCP server, the initial DHCP requests are broadcast to every host on the network segment, and a client normally accepts the first offer it receives. Any host on the segment can therefore answer as a rogue DHCP server and hand clients its own default gateway and DNS servers; on segments you do not fully control, filter server replies at the switch (DHCP snooping) or at least watch for DHCPOFFER messages whose server identifier is not your server. Instead of deploying a DHCP server on every network segment, you can configure your IOS® router to forward the DHCP requests to a single DHCP server by using the ip helper-address command.
Any PIX Firewall (Version 5.2 or later) provides both DHCP server and DHCP client functionality. As a DHCP server, the PIX Firewall provides hosts protected by the firewall with the network parameters they need to access the enterprise or corporate network. As a DHCP client, the PIX Firewall can obtain its own IP address and network mask, and optionally a default route, from a DHCP server.
DHCP Overview
DHCP communications consist of several messages exchanged between the DHCP client and DHCP server by broadcast. This exchange of messages consists of the following events:
Note: If the selected DHCP server cannot satisfy the DHCPREQUEST (for instance, because the requested address has already been assigned to another system), it sends a DHCPNAK message to the DHCP client, and the client must start over with a new DHCPDISCOVER.
Configuring the PIX Firewall Dynamic Host Configuration Protocol Server
Configuring the PIX Firewall to operate as a DHCP server involves the following tasks:
Note: Configuring the PIX Firewall to serve as a DHCP server also requires you to assign a static IP address to the inside interface. This is one of the basic configuration tasks when setting up your PIX Firewall.
Configuring the Address Pool
A DHCP server needs to know which addresses it can assign to DHCP clients, and it must keep track of the IP addresses it has already given out. The dhcpd address command specifies the range of IP addresses for the PIX DHCP server to distribute. The syntax for this command is as follows:
    dhcpd address ipaddress1 [ -ipaddress2 ] [ interface ]
Note: To remove an existing DHCP address pool, use the no dhcpd address command.
Table 12-7 shows the parameters for the dhcpd address command.
Note: The DHCP address pool is limited to 32 addresses on a PIX Firewall 501 with a 10-user license and to 128 addresses with the 50-user license. The maximum size of the address pool is 256 addresses for the Unlimited license and for all other PIX models.
Specifying WINS, DNS, and the Domain Name
Besides providing IP addresses to DHCP clients, a DHCP server can also provide other configuration parameters, such as the following:
To configure the DNS servers that the PIX DHCP server provides in its DHCPOFFER messages, you use the dhcpd dns command. The syntax for this command is as follows:
    dhcpd dns dns-server1 [ dns-server2 ]
To configure the WINS servers that the PIX DHCP server provides in its DHCPOFFER messages, you use the dhcpd wins command. The syntax for this command is as follows:
    dhcpd wins wins-server1 [ wins-server2 ]
Finally, you also can specify the domain name provided to the DHCP clients using the dhcpd domain command. The syntax for this command is as follows:
    dhcpd domain domain_name
Configuring Dynamic Host Configuration Protocol Options
Because Cisco IP Phones use TFTP to load their phone images, the PIX Firewall supports the dhcpd option command to identify TFTP servers to the client through DHCP. The syntax for this command is as follows:
    dhcpd option 66 ascii { server-name | server-ip-str }
    dhcpd option 150 ip server-ip1 [ server-ip2 ]
Note: The difference between the two forms is that option 150 lets you specify a list of TFTP servers (as IP addresses) for the DHCP client, whereas option 66 carries a single server name or address as an ASCII string.
Configuring Dynamic Host Configuration Protocol Lease Length
The dhcpd lease command specifies the amount of time (in seconds) that DHCP clients can use the IP address assigned by the DHCP server. The syntax for this command is as follows:
    dhcpd lease lease_length
Note: The default lease length is 3600 seconds. The minimum lease length you can specify is 300 seconds, and the maximum is 2,147,483,647 seconds.
Enabling the Dynamic Host Configuration Protocol Server
You enable DHCP on the PIX Firewall on a per-interface basis with the dhcpd enable command. The syntax for this command is as follows:
    dhcpd enable [ interface-name ]
For instance, to enable DHCP on the inside interface you would use the following command:
    dhcpd enable inside
Dynamic Host Configuration Protocol Server Auto Configuration
The PIX Firewall can serve as a DHCP server, a DHCP client, or both simultaneously. When the PIX Firewall is operating as a DHCP client, it can pass the configuration parameters it learns (such as DNS, WINS, and the domain name) to the clients that its own DHCP server serves. To enable this, you use the dhcpd auto-config command. The syntax for this command is as follows:
    dhcpd auto-config [ client_interface_name ]
Note: The dhcpd auto-config command also enables the PIX Firewall to pass information learned on its PPPoE interface to its DHCP clients.
The client_interface_name is the interface on which you have enabled the PIX Firewall to operate as a DHCP client using the ip address interface-name dhcp command.
Dynamic Host Configuration Protocol Debugging Commands
To help debug the operation of your PIX DHCP server and PIX DHCP client, you can use the following two commands:
    debug dhcpd { event | packet }
    debug dhcpc { detail | error | packet }
The debug dhcpd command displays information associated with the DHCP server running on the PIX Firewall. The event keyword displays the events related to the DHCP server, and the packet keyword displays the packets received by the DHCP server. The debug dhcpc command displays information about the DHCP client running on the PIX Firewall: the packet keyword shows the packets received by the DHCP client, the detail keyword provides detailed information on those packets, and the error keyword shows the error messages associated with the DHCP client.
To show or clear the IP address bindings that the PIX DHCP server has issued, you use the following two commands:
    show dhcpd [ binding | statistics ]
    clear dhcpd [ binding | statistics ]
Both commands accept the same two keywords. The binding keyword causes the command to operate only on the DHCP leases (the binding of an IP address to a specific Layer 2 Ethernet address); the statistics keyword operates on the statistics tracked by the DHCP server. Without a keyword, show dhcpd displays the dhcpd configuration itself. The following output illustrates the show dhcpd commands:
    pix515a# show dhcpd
    dhcpd address 10.10.10.129-10.10.10.254 inside
    dhcpd lease 84400
    dhcpd ping timeout 750
    dhcpd dns 10.200.10.32 10.100.20.40
    dhcpd enable inside
    pix515a# show dhcpd statistics
    Address pools      1
    Automatic bindings 1
    Expired bindings   1
    Malformed messages 0

    Message       Received
    BOOTREQUEST   0
    DHCPDISCOVER  1
    DHCPREQUEST   2
    DHCPDECLINE   0
    DHCPRELEASE   0
    DHCPINFORM    0

    Message       Sent
    BOOTREPLY     0
    DHCPOFFER     1
    DHCPACK       1
    DHCPNAK       0
    pix515a(config)# show dhcpd bindings
    IP address      Hardware address   Lease expiration   Type
    10.10.10.129    00A0.CC5C.8163     46500 seconds      automatic
    10.10.10.130    00E0.B605.43B2     32503 seconds      automatic
    pix515a#
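The DHCP exchange and the dhcpd options described in this section, worked through in code: a decoder for the BOOTP/DHCP message format, and a check that compares a DHCPOFFER against what the PIX is configured to hand out (dhcpd address, dhcpd lease, dhcpd dns). This is an added example, not code from the chapter. The two offers it examines are constructed in the script, not captured; the pool, lease and DNS values mirror the show dhcpd output above and the client MAC is the first show dhcpd bindings entry, while the PIX inside address 10.10.10.1, the transaction ID and the rogue server's values are assumptions.

```python
"""Decode DHCP messages and check a DHCPOFFER against a PIX dhcpd configuration.

Added example; frames are constructed below (not captured). Assumed values:
PIX inside address 10.10.10.1, transaction ID, and the rogue server's settings.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                        # DHCP magic cookie (RFC 2132)
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # fixed 236-byte BOOTP header


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def _ips(raw):
    return [_ip(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode a BOOTP/DHCP payload (no UDP/IP headers) from (code, bytes) options."""
    head = HDR.pack(op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                    ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                    chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC + body + b"\xff"


def parse_dhcp(data):
    """Decode the header and the options a PIX dhcpd can set.

    Raises ValueError on a short frame, bad cookie or truncated option: the
    cases 'show dhcpd statistics' counts under Malformed messages.
    """
    if len(data) < HDR.size + 4 or data[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP message (short or bad magic cookie)")
    f = HDR.unpack_from(data)
    opts, i = {}, HDR.size + 4
    while i < len(data) and data[i] != 255:          # 255 = end of options
        if data[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        code, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("truncated option %d" % code)
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "xid": f[4], "chaddr": f[11][:f[2]].hex(":"), "yiaddr": _ip(f[8]),
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown"),
        "server_id": _ip(opts[54]) if 54 in opts else None,
        "lease": struct.unpack("!I", opts[51])[0] if len(opts.get(51, b"")) == 4 else None,
        "mask": _ip(opts[1]) if 1 in opts else None,
        "router": _ips(opts.get(3, b"")),
        "dns": _ips(opts.get(6, b"")),                                             # dhcpd dns
        "wins": _ips(opts.get(44, b"")),                                           # dhcpd wins
        "domain": opts[15].decode("ascii", "replace") if 15 in opts else None,     # dhcpd domain
        "tftp_name": opts[66].decode("ascii", "replace") if 66 in opts else None,  # dhcpd option 66
        "tftp_servers": _ips(opts.get(150, b"")),                                  # dhcpd option 150
    }


def check_offer(msg, server, pool_first, pool_last, lease, dns):
    """Compare an OFFER/ACK with the dhcpd configuration; return a list of findings.

    An empty list means the message matches the configured pool, lease and DNS
    servers. A server identifier other than the PIX is the basic signature of a
    rogue DHCP server answering broadcasts on the inside segment.
    """
    if msg["type"] not in ("DHCPOFFER", "DHCPACK"):
        return ["not an offer or ack: %s" % msg["type"]]
    findings = []
    if msg["server_id"] != server:
        findings.append("server identifier %s is not the PIX %s: possible rogue server"
                        % (msg["server_id"], server))
    low, high = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    if not low <= ipaddress.IPv4Address(msg["yiaddr"]) <= high:
        findings.append("offered %s is outside pool %s-%s" % (msg["yiaddr"], low, high))
    if msg["lease"] != lease:
        findings.append("lease %s differs from configured %d" % (msg["lease"], lease))
    if msg["dns"] != list(dns):
        findings.append("DNS %s differs from configured %s" % (msg["dns"], list(dns)))
    return findings


# Values from the chapter's 'show dhcpd' output, plus the assumed inside address.
PIX, POOL, LEASE = "10.10.10.1", ("10.10.10.129", "10.10.10.254"), 84400
DNS = ("10.200.10.32", "10.100.20.40")
CLIENT_MAC = bytes.fromhex("00a0cc5c8163")          # first entry in show dhcpd bindings
XID = 0x3903F326                                    # assumed transaction ID


def _server_opts(msg_type, server, lease, dns):
    return [(53, bytes([msg_type])), (54, ipaddress.IPv4Address(server).packed),
            (51, struct.pack("!I", lease)), (1, ipaddress.IPv4Address("255.255.255.0").packed),
            (3, ipaddress.IPv4Address(server).packed),
            (6, b"".join(ipaddress.IPv4Address(d).packed for d in dns))]


# Constructed frames: the client's DISCOVER, the PIX's OFFER, and a second OFFER
# for the same transaction from a LAN host pretending to be the server.
DISCOVER = build_dhcp(1, XID, CLIENT_MAC, options=[(53, b"\x01"), (55, bytes([1, 3, 6, 15, 44, 66, 150]))])
GOOD_OFFER = build_dhcp(2, XID, CLIENT_MAC, "10.10.10.129", _server_opts(2, PIX, LEASE, DNS))
ROGUE_OFFER = build_dhcp(2, XID, CLIENT_MAC, "10.10.10.50",
                         _server_opts(2, "10.10.10.200", 600, ("198.51.100.5",)))


def audit(frame):
    """Parse a frame and check it against the configured pool, lease and DNS."""
    return check_offer(parse_dhcp(frame), PIX, POOL[0], POOL[1], LEASE, DNS)


if __name__ == "__main__":
    print(parse_dhcp(DISCOVER)["type"], "from", parse_dhcp(DISCOVER)["chaddr"])
    for name, frame in (("pix", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, parse_dhcp(frame)["type"], audit(frame) or "consistent with dhcpd config")
```

Fed real traffic (for example the UDP payloads of port 67/68 packets from a capture on the inside segment), audit() flags any offer that does not come from the PIX or does not match its pool, which is the practical complement to the broadcast caveat above: the client will take whichever offer arrives first, so the only way to notice a rogue server is to look at all of them.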