Deployment Scenarios of Cisco IPSec VPN

The Cisco remote-access solution is useful in deployments where remote and home users need corporate access without being physically connected to the corporate LAN. The remote-access solution can be deployed in many ways; however, this section covers the following two design scenarios for ease of understanding:

  • IPSec hairpinning with Easy VPN and Firewalling
  • Load balancing and site-to-site integration

Note

The design scenarios discussed in this section are intended solely to reinforce learning and should be used for reference purposes only.

IPSec Hairpinning with Easy VPN and Firewalling

SecureMe has recently installed a Cisco ASA in its Brussels office to provide VPN access to its mobile users. Figure 16-13 shows SecureMe's network topology in Brussels.

Figure 16-13. SecureMe's Remote-Access Topology in Brussels

The security requirements for SecureMe are as follows:

  • Use split tunneling and encrypt only the traffic destined for the 192.168.0.0/16 network.
  • Enforce the Cisco Integrated Client Firewall and allow only HTTP and DNS traffic in clear text.
  • Use IPSec over TCP on port 9000 as the encapsulation protocol.
  • Allow one VPN client to communicate with another VPN client (hairpinning).
  • Use the local database for user authentication.
  • Log all system-generated syslog messages to a server.

Example 16-48 shows the relevant Cisco ASA configuration in Brussels.

Example 16-48. Cisco ASA Full Configuration Having Multiple Security Contexts

Brussels# show running-config
: Saved
:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
hostname Brussels
domain-name securemeinc.com
! To Allow IPSec hairpinning on the same interface
same-security-traffic permit intra-interface
! ACL to define Split-tunnel policy. This will allow the Client to send encrypted
! traffic to 192.168.0.0/16
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
! ACL to define Inbound FW policy to restrict inbound clear-text traffic
access-list Inbound_FW_ACL extended permit tcp any eq www any
access-list Inbound_FW_ACL extended permit udp any eq domain any
! ACL to define Outbound FW policy to restrict outbound clear-text traffic
access-list Outbound_FW_ACL extended permit tcp any any eq www
access-list Outbound_FW_ACL extended permit udp any any eq domain
! Enable logging to send syslog messages to 192.168.60.150
logging enable
logging timestamp
logging host inside 192.168.60.150
logging trap notifications
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.50.1-192.168.50.100 mask 255.255.255.0
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.202.130 1
route inside 192.168.60.0 255.255.255.0 192.168.40.2
route inside 0.0.0.0 0.0.0.0 192.168.40.2 tunneled
! Configuration of an internal user-group called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_ACL
 default-domain value securemeinc.com
 client-firewall req cisco-integrated acl-in Inbound_FW_ACL acl-out Outbound_FW_ACL
! Configuration of LOCAL user database
username ciscouser password aE.CsXUz4UT9JfjO encrypted
username adminuser password aE.T9JfjOCsXUz4U encrypted
username poweruser password sXUzaE.C4UT9JfjO encrypted
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! sysopt to bypass traffic filters
sysopt connection permit-ipsec
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Tunnel Encapsulation to use IPSec over TCP over port 9000
isakmp ipsec-over-tcp port 9000
! tunnel-group configuration for VPN client. The groupname is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *

Load-Balancing and Site-to-Site Integration

SecureMe's headquarters office in Chicago wants to deploy Cisco ASA for remote-access VPN tunnels that will support about 2000 users. To make sure that no single appliance is overburdened by these users, SecureMe wants to use two security appliances in load-balancing mode. Figure 16-14 shows SecureMe's network topology in Chicago.

Figure 16-14. SecureMe's Remote-Access Topology in Chicago

The security requirements for SecureMe's Chicago office are as follows:

  • Load-balance Cisco IPSec VPN connections across two Cisco ASA devices.
  • Use NAT-T if there is a NAT device between the VPN peers.
  • Use a RADIUS server as the external database for user lookup.
  • Configure a site-to-site VPN tunnel to the London ASA.
  • Assign the DNS and WINS server addresses as 192.168.20.100 and 192.168.20.101, respectively.
  • Limit the number of simultaneous sessions per user to two.
  • Display a banner warning unauthorized users.
  • Translate (NAT) clear-text traffic that originates from the inside network and is destined for the outside network.

Example 16-49 shows the complete configuration of SecureMe's Cisco ASA in Chicago.

Example 16-49. Cisco ASA Relevant Configuration Using Load-Balancing and Site-to-Site Integration

Chicago# show running-config
: Saved
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
hostname Chicago
domain-name securemeinc.com
! Access-list entries to bypass NAT for the traffic going from Chicago to London
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! Access-list entries to bypass NAT for the traffic going from Chicago to RA_clients
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
! Encryption Access-list to encrypt the traffic from Chicago to London
access-list to_London extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list to_London extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.60.1-192.168.60.100 mask 255.255.255.0
! NAT ACL is bound to NAT 0 statement to bypass address translation
nat (inside) 0 access-list inside_nat0_outbound
! Address Translation for the inside network
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
! Radius configuration to enable user authentication
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10
 key cisco123
! Configuration of an internal user group-policy called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 banner value Unauthorized Users will be prosecuted
 vpn-simultaneous-logins 2
 wins-server value 192.168.20.101
 dns-server value 192.168.20.100
 default-domain value securemeinc.com
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Crypto map configuration for London
crypto map outside_map 20 match address to_London
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration- Enabled on the outside interface
isakmp enable outside
! isakmp configuration- Enabled on the inside interface for VPN LB
isakmp enable inside
! isakmp policy configuration
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-T is enabled with a default keepalive of 20 seconds
isakmp nat-traversal 20
! tunnel-group configuration for VPN client. The group-name is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
! L2L tunnel-group configuration for London
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key *
! VPN Load-balancing. The virtual IP address is 209.165.200.227. Encryption is
! enabled using cisco123 as the key
vpn load-balancing
 cluster key cisco123
 cluster ip address 209.165.200.227
 cluster encryption
 participate
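The following Python script is an added example, not code from the book or from Cisco: it evaluates the access lists quoted in Examples 16-48 and 16-49 with the ASA's first-match, implicit-deny semantics, so that a given flow can be checked against the split-tunnel list and client-firewall ACL in Brussels, and against the NAT-exemption and London crypto ACLs in Chicago. It assumes that the Chicago pool 192.168.60.0/24 is reached over the remote-access tunnel; the ACL lines themselves are copied from the two examples.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"www": 80, "domain": 53}   # the only service names used in the two examples
def _net(t, i):  # 'any' or '<addr> <mask>' at token i -> (network, index of the next token)
    return (ANY, i + 1) if t[i] == "any" else (ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2)
def _port(t, i):  # optional 'eq <service|number>' at token i -> (port or None for any, next index)
    return (PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)
def parse_acl(lines):
    """Turn 'access-list NAME standard|extended permit ...' lines into match tuples."""
    rules = []
    for line in lines:
        t = line.split()
        if t[2] == "standard":                 # standard ACL: destination network only
            rules.append(("ip", ANY, None, _net(t, 4)[0], None)); continue
        src, i = _net(t, 5); sport, i = _port(t, i)
        dst, i = _net(t, i); dport, i = _port(t, i)
        rules.append((t[4], src, sport, dst, dport))
    return rules
def acl_permits(rules, proto, src, dst, sport=None, dport=None):
    """First match wins, as on the ASA; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in ("ip", proto) and s in sn and d in dn and sp in (None, sport)
               and dp in (None, dport) for p, sn, sp, dn, dp in rules)

# Brussels, Example 16-48: split-tunnel list and the client-firewall outbound ACL.
ST_ACL = parse_acl(["access-list ST_ACL standard permit 192.168.0.0 255.255.0.0"])
OUT_FW = parse_acl(["access-list Outbound_FW_ACL extended permit tcp any any eq www",
                    "access-list Outbound_FW_ACL extended permit udp any any eq domain"])

def brussels_client_egress(proto, src, dst, dport):
    """Fate of a Brussels VPN client's outbound packet: 'tunnel', 'clear' or 'drop'."""
    if acl_permits(ST_ACL, "ip", src, dst):
        return "tunnel"        # encrypted to the ASA; client-to-client traffic hairpins there
    return "clear" if acl_permits(OUT_FW, proto, src, dst, dport=dport) else "drop"

# Chicago, Example 16-49: NAT exemption, the London crypto ACL and the RA address pool.
NAT0 = parse_acl([f"access-list inside_nat0_outbound extended permit ip {s} 255.255.255.0 {d} 255.255.255.0"
                  for s in ("192.168.10.0", "192.168.20.0") for d in ("192.168.30.0", "192.168.60.0")])
TO_LONDON = parse_acl([f"access-list to_London extended permit ip {s} 255.255.255.0 192.168.30.0 255.255.255.0"
                       for s in ("192.168.10.0", "192.168.20.0")])
RA_POOL = ipaddress.ip_network("192.168.60.0/24")   # assumption: pool members are reached over the RA tunnel

def chicago_inside_egress(src, dst):
    """NAT decision and tunnel, if any, for a packet entering the Chicago ASA from inside."""
    nat = "no NAT" if acl_permits(NAT0, "ip", src, dst) else "PAT to 209.165.200.225"
    if acl_permits(TO_LONDON, "ip", src, dst):
        return nat, "L2L tunnel to 209.165.201.1"
    return nat, "RA tunnel" if ipaddress.ip_address(dst) in RA_POOL else "clear"
```

Note that in Brussels a client talking to another client (192.168.50.x) falls inside 192.168.0.0/16 and is therefore tunneled, which is exactly why same-security-traffic permit intra-interface is needed, while HTTPS to the Internet in clear text is dropped by the client firewall because only HTTP and DNS are permitted.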

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231