Cisco Remote-Access IPSec VPN Setup
ASDM also provides a VPN Wizard that configures remote-access IPSec VPN connections for the Cisco EasyVPN clients. This wizard guides you through the step-by-step configurations required for a successful EasyVPN client tunnel. In this section, Figure 21-21 is used as a reference topology in which a security Cisco ASA is being set up to accept VPN connections on the outside interface from multiple remote-access clients. The inside interface of Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while another inside network, 192.168.20.0/24, is behind Router1. The public interface's IP address is 209.165.200.225/27, and the default route sends all traffic to the next-hop router toward the Internet.
Figure 21-21. Remote-Access Topology
The goal of this example is to enable split tunneling such that the clients encrypt only traffic destined for the inside networks on Cisco ASA. All other traffic destined for the Internet, such as web traffic to www.cisco.com, should flow in clear text directly from the remote VPN clients.
Use the following procedure for step-by-step configuration of ASDM:
|
Step 1. |
Launch the VPN Wizard. Figure 21-22. Selecting Remote-Access Tunnel 
In this example, because VPN clients connect to Cisco ASA on the outside interface, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move forward to the Remote Access Client window. |
|
Step 2. |
Select the type of remote-access VPN tunnel. Figure 21-23. Selecting the Type of Remote-Access VPN 
|
|
Step 3. |
Set up the tunnel group name. Figure 21-24. Specifying a Tunnel Group Name 
|
|
Step 4. |
Set the user authentication method. Figure 21-25. Selecting the Local User Database 
|
|
Step 5. |
Create the user database. Figure 21-26. Creating User Accounts 
|
|
Step 6. |
Assign IP addresses. Figure 21-27. Assigning IP Addresses 
|
|
Step 7. |
Set up mode configuration attributes. Figure 21-28. Assigning Mode Configuration Attributes 
|
|
Step 8. |
Select the IKE policy. Figure 21-29. IKE Policy 
Note Cisco VPN Client supports DH groups 2 and 5, by default. You have to select one of these groups to match the client settings. |
|
Step 9. |
Set up the IPSec transform set. Figure 21-30. IPSec Transform Set 
|
|
Step 10. |
Bypass address translation. Figure 21-31. Enabling Split Tunneling and NAT Exemption 
By using split tunneling, you can enforce the remote VPN users to encrypt only the traffic destined for the inside networks of Cisco ASA. All other traffic can go to the Internet in clear text. Enable split tunneling by checking off the box shown at the bottom of Figure 21-31. Click Next to move to the last step of the VPN Wizard. |
|
Step 11. |
Verify remote-access configuration. |
If the Preview Command Before Sending to the Device option is enabled in ASDM, the entire remote-access VPN configuration is displayed to you before being sent to the security Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-2 shows the complete remote-access VPN configuration created by ASDM. ASDM does not add comments, but they are added here for ease of understanding.
Example 21-2. Complete Remote-Access Configuration Created by ASDM
!Access-list to bypass Address Translation access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.128 access-list inside_nat0_outbound permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.128 !Access-list is linked to NAT 0 nat (inside) 0 access-list inside_nat0_outbound !Access-list is identify traffic for Split tunneling access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0 access-list SecureMeTnlGrp_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0 !User Accounts for local X-Auth username ciscouser1 password ffIRPGpDSOJh9YLq encrypted privilege 0 username ciscouser2 password ffIRPGpDSOJh9YLq encrypted privilege 0 !Pool of addresses to be assigned to the VPN users ip local pool ippool 192.168.50.1-192.168.50.127 mask 255.255.255.128 !Configuration of VPN group-policy group-policy SecureMeTnlGrp internal !group-policy to send mode-config attributes group-policy SecureMeTnlGrp attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value SecureMeTnlGrp_splitTunnelAcl dns-server value 192.168.10.10 192.168.10.20 wins-server value 192.168.10.20 192.168.10.10 default-domain value securemeinc.com !Configuration of Remote Access VPN group called SecureMeTnlGrp tunnel-group SecureMeTnlGrp type ipsec-ra tunnel-group SecureMeTnlGrp general-attributes !The VPN Group is using VPN attributes from the group-policy default-group-policy SecureMeTnlGrp address-pool ippool !Configuration of preshared key for SecureMeTnlGrp tunnel-group SecureMeTnlGrp ipsec-attributes pre-shared-key cisco123 !IPSec transform-set for data encryption crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac !ISAKMP Phase 1 policy isakmp enable outside isakmp policy 30 authen pre-share isakmp policy 30 encrypt 3des isakmp policy 30 hash sha isakmp policy 30 group 2 isakmp policy 30 lifetime 86400 !Dynamic Crypto map configuration crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 !Static crypto map configuration crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside !Sysopt to bypass packet filtration sysopt connection permit-ipsec
Part I: Product Overview
Introduction to Network Security
- Introduction to Network Security
- Firewall Technologies
- Intrusion Detection and Prevention Technologies
- Network-Based Attacks
- Virtual Private Networks
- Summary
Product History
- Product History
- Cisco Firewall Products
- Cisco IDS Products
- Cisco VPN Products
- Cisco ASA All-in-One Solution
- Summary
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
- Initial Setup and System Maintenance
- Accessing the Cisco ASA Appliances
- Managing Licenses
- Initial Setup
- IP Version 6
- Setting Up the System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Network Access Control
- Network Access Control
- Packet Filtering
- Advanced ACL Features
- Content and URL Filtering
- Deployment Scenarios Using ACLs
- Monitoring Network Access Control
- Understanding Address Translation
- DNS Doctoring
- Monitoring Address Translations
- Summary
IP Routing
Authentication, Authorization, and Accounting (AAA)
- Authentication, Authorization, and Accounting (AAA)
- AAA Protocols and Services Supported by Cisco ASA
- Defining an Authentication Server
- Configuring Authentication of Administrative Sessions
- Authenticating Firewall Sessions (Cut-Through Proxy Feature)
- Configuring Authorization
- Configuring Accounting
- Deployment Scenarios
- Troubleshooting AAA
- Summary
Application Inspection
- Application Inspection
- Enabling Application Inspection Using the Modular Policy Framework
- Selective Inspection
- Computer Telephony Interface Quick Buffer Encoding Inspection
- Domain Name System
- Extended Simple Mail Transfer Protocol
- File Transfer Protocol
- General Packet Radio Service Tunneling Protocol
- H.323
- HTTP
- ICMP
- ILS
- MGCP
- NetBIOS
- PPTP
- Sun RPC
- RSH
- RTSP
- SIP
- Skinny
- SNMP
- SQL*Net
- TFTP
- XDMCP
- Deployment Scenarios
- Summary
Security Contexts
- Security Contexts
- Architectural Overview
- Configuration of Security Contexts
- Deployment Scenarios
- Monitoring and Troubleshooting the Security Contexts
- Summary
Transparent Firewalls
- Transparent Firewalls
- Architectural Overview
- Transparent Firewalls and VPNs
- Configuration of Transparent Firewall
- Deployment Scenarios
- Monitoring and Troubleshooting the Transparent Firewall
- Summary
Failover and Redundancy
- Failover and Redundancy
- Architectural Overview
- Failover Configuration
- Deployment Scenarios
- Monitoring and Troubleshooting Failovers
- Summary
Quality of Service
- Quality of Service
- Architectural Overview
- Configuring Quality of Service
- QoS Deployment Scenarios
- Monitoring QoS
- Summary
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
- Intrusion Prevention System Integration
- Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
- Directing Traffic to the AIP-SSM
- AIP-SSM Module Software Recovery
- Additional IPS Features
- Summary
Configuring and Troubleshooting Cisco IPS Software via CLI
- Configuring and Troubleshooting Cisco IPS Software via CLI
- Cisco IPS Software Architecture
- Introduction to the CIPS 5.x Command-Line Interface
- User Administration
- AIP-SSM Maintenance
- Advanced Features and Configuration
- Summary
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
- Site-to-Site IPSec VPNs
- Preconfiguration Checklist
- Configuration Steps
- Advanced Features
- Optional Commands
- Deployment Scenarios
- Monitoring and Troubleshooting Site-to-Site IPSec VPNs
- Summary
Remote Access VPN
- Remote Access VPN
- Cisco IPSec Remote Access VPN Solution
- Advanced Cisco IPSec VPN Features
- Deployment Scenarios of Cisco IPSec VPN
- Monitoring and Troubleshooting Cisco Remote Access VPN
- Cisco WebVPN Solution
- Advanced WebVPN Features
- Deployment Scenarios of WebVPN
- Monitoring and Troubleshooting WebVPN
- Summary
Public Key Infrastructure (PKI)
- Public Key Infrastructure (PKI)
- Introduction to PKI
- Enrolling the Cisco ASA to a CA Using SCEP
- Manual (Cut-and-Paste) Enrollment
- Configuring CRL Options
- Configuring IPSec Site-to-Site Tunnels Using Certificates
- Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
- Troubleshooting PKI
- Summary
Part V: Adaptive Security Device Manager
Introduction to ASDM
- Introduction to ASDM
- Setting Up ASDM
- Initial Setup
- Functional Screens
- Interface Management
- System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Firewall Management Using ASDM
- Firewall Management Using ASDM
- Access Control Lists
- Address Translation
- Routing Protocols
- AAA
- Application Inspection
- Security Contexts
- Transparent Firewalls
- Failover
- QoS
- Summary
IPS Management Using ASDM
- IPS Management Using ASDM
- Accessing the IPS Device Management Console from ASDM
- Configuring Basic AIP-SSM Settings
- Advanced IPS Configuration and Monitoring Using ASDM
- Summary
VPN Management Using ASDM
- VPN Management Using ASDM
- Site-to-Site VPN Setup Using Preshared Keys
- Site-to-Site VPN Setup Using PKI
- Cisco Remote-Access IPSec VPN Setup
- WebVPN
- VPN Monitoring
- Summary
Case Studies
EAN: 2147483647
Pages: 231
