The Cisco remote-access solution is useful in deployments where remote and home users need corporate access without being physically connected to the corporate LAN. The remote-access solution can be deployed in many ways; however, this section covers the following two design scenarios for ease of understanding:
Note
The design scenarios discussed in this section should be used solely to reinforce learning. They should be used for reference purposes only.
IPSec Hairpinning with Easy VPN and Firewalling
SecureMe has recently installed a Cisco ASA in its Brussels office to provide VPN access to its mobile users. Figure 16-13 shows SecureMe's network topology in Brussels.
Figure 16-13. SecureMe's Remote-Access Topology in Brussels
The security requirements for SecureMe are as follows:
Example 16-48 shows the relevant Cisco ASA configuration in Brussels.
Example 16-48. Cisco ASA Full Configuration Having Multiple Security Contexts
Brussels# show running-config
: Saved
:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
hostname Brussels
domain-name securemeinc.com
! To Allow IPSec hairpinning on the same interface
same-security-traffic permit intra-interface
! ACL to define Split-tunnel policy. This will allow the Client to send encrypted
! traffic to 192.168.0.0/16
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
! ACL to define Inbound FW policy to restrict inbound clear-text traffic
access-list Inbound_FW_ACL extended permit tcp any eq www any
access-list Inbound_FW_ACL extended permit udp any eq domain any
! ACL to define Outbound FW policy to restrict outbound clear-text traffic
access-list Outbound_FW_ACL extended permit tcp any any eq www
access-list Outbound_FW_ACL extended permit udp any any eq domain
! Enable logging to send syslog messages to 192.168.60.150
logging enable
logging timestamp
logging host inside 192.168.60.150
logging trap notifications
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.50.1-192.168.50.100 mask 255.255.255.0
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.202.130 1
route inside 192.168.60.0 255.255.255.0 192.168.40.2
route inside 0.0.0.0 0.0.0.0 192.168.40.2 tunneled
! Configuration of an internal user-group called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_ACL
 default-domain value securemeinc.com
 client-firewall req cisco-integrated acl-in Inbound_FW_ACL acl-out Outbound_FW_ACL
! Configuration of LOCAL user database
username ciscouser password aE.CsXUz4UT9JfjO encrypted
username adminuser password aE.T9JfjOCsXUz4U encrypted
username poweruser password sXUzaE.C4UT9JfjO encrypted
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! sysopt to bypass traffic filters
sysopt connection permit-ipsec
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Tunnel Encapsulation to use IPSec over TCP over port 9000
isakmp ipsec-over-tcp port 9000
! tunnel-group configuration for VPN client. The groupname is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
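A reviewer reading the Brussels configuration would want to check a handful of settings that the book's comments call out: the IKE policy algorithms, the ESP transform set, the ASDM access rule, the sysopt that lets decrypted VPN traffic bypass interface ACLs, the hairpinning permit, and whether syslog is being exported. The script below is an added example written for this section, not code from the book or from Cisco; it scans running-config text for those items. The sample input is a constructed excerpt of the Brussels configuration above, and the sets of algorithms it treats as weak are the reviewer's assumed policy, not anything the page states.

```python
"""Review the IKE, IPSec, and management settings in an ASA running-config.

Added example for this section, not code from the book or from Cisco: it scans
running-config text for settings a configuration review would flag.  The
constructed sample below is an excerpt of the Brussels configuration.
"""
import re
from collections import defaultdict

# Constructed sample input: the Brussels lines relevant to the checks below.
BRUSSELS_CONFIG = """\
same-security-traffic permit intra-interface
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
logging enable
logging host inside 192.168.60.150
http server enable
http 0.0.0.0 0.0.0.0 inside
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp ipsec-over-tcp port 9000
"""

# Algorithm choices that no longer meet current guidance (assumed review policy).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp_policies(config):
    """Map each 'isakmp policy N <attribute> <value>' line into {N: {attribute: value}}."""
    policies = defaultdict(dict)
    for num, attr, value in re.findall(r"^isakmp policy (\d+) (\S+) (.+)$", config, re.MULTILINE):
        policies[int(num)][attr] = value.strip()
    return dict(policies)


def audit_config(config):
    """Return the sorted list of review findings for one running-config text."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {attrs['encryption']}")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {attrs['hash']}")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {attrs['group']}")
    for name, transforms in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.MULTILINE):
        weak = sorted(set(transforms.split()) & WEAK_ESP)
        if weak:
            findings.append(f"transform-set {name}: weak transforms {' '.join(weak)}")
    # 'http 0.0.0.0 0.0.0.0 <if>' lets any source address on that interface reach ASDM.
    for iface in re.findall(r"^http 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.MULTILINE):
        findings.append(f"http: ASDM reachable from any address on interface {iface}")
    if re.search(r"^sysopt connection permit-ipsec$", config, re.MULTILINE):
        findings.append("sysopt connection permit-ipsec: decrypted VPN traffic bypasses interface ACLs")
    if re.search(r"^same-security-traffic permit intra-interface$", config, re.MULTILINE):
        findings.append("hairpinning enabled: confirm the client-firewall and split-tunnel ACLs constrain it")
    if not re.search(r"^logging host \S+ \S+", config, re.MULTILINE):
        findings.append("logging: no syslog host configured")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(BRUSSELS_CONFIG):
        print(finding)
```

Run against the Brussels excerpt it reports seven items: the 3DES/MD5/group 2 IKE policy, the 3DES transform set, the any-source ASDM rule, the sysopt bypass, and the hairpinning permit; the syslog export is present and is not flagged. The same function returns an empty list for a configuration that uses AES and SHA, a larger DH group, and a subnet-restricted http statement, which makes it usable as a regression check after the configuration is tightened.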
Load-Balancing and Site-to-Site Integration
SecureMe's headquarters office in Chicago wants to deploy Cisco ASA for remote-access VPN tunnels that will support about 2000 users. To make sure that users do not overburden a single system, SecureMe wants to use two security appliances in load-balancing mode. Figure 16-14 shows SecureMe's network topology in Chicago.
Figure 16-14. SecureMe's Remote-Access Topology in Chicago
The security requirements for SecureMe's Chicago office are as follows:
Example 16-49 shows the complete configuration of SecureMe's Cisco ASA in Chicago.
Example 16-49. Cisco ASA Relevant Configuration Using Load-Balancing and Site-to-Site Integration
Chicago# show running-config
: Saved
:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
hostname Chicago
domain-name securemeinc.com
! Access-list entries to bypass NAT for the traffic going from Chicago to London
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! Access-list entries to bypass NAT for the traffic going from Chicago to RA_clients
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
! Encryption Access-list to encrypt the traffic from Chicago to London
access-list to_London extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list to_London extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.60.1-192.168.60.100 mask 255.255.255.0
! NAT ACL is bound to NAT 0 statement to bypass address translation
nat (inside) 0 access-list inside_nat0_outbound
! Address Translation for the inside network
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
! Radius configuration to enable user authentication
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10 key cisco123
! Configuration of an internal user group-policy called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 banner value Unauthorized Users will be prosecuted
 vpn-simultaneous-logins 2
 wins-server value 192.168.20.101
 dns-server value 192.168.20.100
 default-domain value securemeinc.com
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Crypto map configuration for London
crypto map outside_map 20 match address to_London
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration- Enabled on the outside interface
isakmp enable outside
! isakmp configuration- Enabled on the inside interface for VPN LB
isakmp enable inside
! isakmp policy configuration
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-T is enabled with a default keepalive of 20 seconds
isakmp nat-traversal 20
! tunnel-group configuration for VPN client. The group-name is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
! L2L tunnel-group configuration for London
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key *
! VPN Load-balancing. The virtual IP address is 209.165.200.227. Encryption is enabled
! using cisco123 as the key
vpn load-balancing
 cluster key cisco123
 cluster ip address 209.165.200.227
 cluster encryption
 participate
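The Chicago configuration pairs two access lists that must stay in step: inside_nat0_outbound, bound to nat (inside) 0 so that traffic to London and to the remote-access pool is not translated, and to_London, which the crypto map uses to select traffic for encryption. On the ASA a packet is matched against NAT before the crypto map, so an inside network that is missing from the exemption list is translated by nat (inside) 1 and then never matches the crypto ACL, leaving for London in clear text. The script below is an added example written for this section, not code from the book or from Cisco. It parses the permit ip entries of an ASA configuration, evaluates a source/destination pair against an access list, and reports crypto-ACL network pairs that no NAT 0 entry fully contains. The sample input is constructed from the Chicago configuration above; the handling of the keyword any is an assumption about the ACL forms a reviewer might meet, since the page's lists use subnet masks only.

```python
"""Check that NAT exemption covers everything the Chicago crypto ACL encrypts.

Added example for this section, not code from the book or from Cisco.  On the
ASA, a packet is matched against NAT before the crypto map, so a network pair
that is translated by 'nat (inside) 1' never matches the crypto ACL and leaves
in clear text.  This script parses the 'permit ip' entries of the access lists,
matches address pairs against them, and reports crypto-ACL pairs that the NAT 0
exemption list does not cover.  Sample input is constructed from the Chicago
configuration.
"""
import ipaddress
import re

# Constructed sample input: the access-list, NAT 0 and crypto-map lines from the Chicago config.
CHICAGO_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list to_London extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list to_London extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address to_London
"""


def _take_network(tokens):
    """Consume 'any' or '<address> <mask>' from the front of a token list (assumed ACL forms)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts the dotted netmask form used by the ASA CLI.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ip_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'extended permit ip' entries.

    Only the protocol-ip form used by NAT-exemption and crypto ACLs is handled;
    port-based entries are skipped.
    """
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _take_network(tokens[5:])
        dst, _ = _take_network(rest)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def acl_permits(acl, src_ip, dst_ip):
    """True when some entry of the parsed ACL covers the source/destination pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def uncovered_crypto_pairs(config):
    """List (crypto_acl, src, dst) entries that no NAT 0 exemption entry fully contains."""
    acls = parse_ip_acls(config)
    exempt = []
    for name in re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.MULTILINE):
        exempt.extend(acls.get(name, []))
    missing = []
    for name in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.MULTILINE):
        for src, dst in acls.get(name, []):
            covered = any(src.subnet_of(e_src) and dst.subnet_of(e_dst) for e_src, e_dst in exempt)
            if not covered:
                missing.append((name, str(src), str(dst)))
    return missing


if __name__ == "__main__":
    acls = parse_ip_acls(CHICAGO_CONFIG)
    print("London traffic encrypted:", acl_permits(acls["to_London"], "192.168.20.5", "192.168.30.7"))
    print("Uncovered crypto pairs:", uncovered_crypto_pairs(CHICAGO_CONFIG))
```

For the configuration as written, every to_London pair has a matching exemption and the check returns an empty list; deleting one of the inside_nat0_outbound entries makes the corresponding London pair appear in the output. Traffic to the remote-access pool (192.168.60.0/24) is exempted from NAT but is deliberately absent from to_London, since those clients are handled by the dynamic crypto map rather than the static London entry.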