Network Security 2. Module 6 Configure Remote Access VPN

Transcription

1 1 1

2 Network Security 2 Module 6 Configure Remote Access VPN 2

3 Learning Objectives 6.1 Introduction to Cisco Easy VPN 6.2 Configure the Easy VPN Server 6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x 6.4 Configure Cisco Easy VPN Remote for Access Routers 6.5 Configure the PIX Security Appliance as an Easy VPN Server 6.6 Configure a PIX 501 or 506E as an Easy VPN Client 6.7 Configure the Adaptive Security Appliance to Support WebVPN 3

4 Module 6 Configure Remote Access VPN 6.1 Introduction to Cisco EasyVPN 4

5 Cisco Easy VPN Components The Cisco Easy VPN is made up of two components Easy VPN Server Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-tosite or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature Easy VPN Remote Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients 5

6 Remote Access Using Cisco Easy VPN PC with Easy Remote VPN Client 4.x Cisco 800 Router Cisco 900 Router Cisco 1700 Router Cisco IOS router 12.3(11)T (or later) Easy VPN Server Cisco PIX Security Appliance 501 Cisco VPN 3002 Hardware Client 6

7 Easy VPN Remote Connection Process Step 1 The VPN Client initiates the IKE Phase 1 process. Step 2 The VPN Client establishes an ISAKMP SA. Step 3 The Easy VPN Server accepts the SA proposal. Step 4 The Easy VPN Server initiates a username/ password challenge. Step 5 The mode configuration process is initiated. Step 6 The RRI process is initiated. Step 7 IPSec quick mode completes the connection. 7

8 Step 1 The VPN Client Initiates the IKE Phase 1 Process Remote PC with Easy Remote VPN Client 4.x Cisco IOS router 12.3(11)T Easy VPN Server Using pre-shared keys? Initiate aggressive mode (AM). Using digital certificates? Initiate main mode (MM). 8

9 Step 2 The VPN Client Establishes an ISAKMP SA Remote PC with Easy Remote VPN Client 4.x Proposal 1, proposal 2, proposal 3 Cisco IOS router 12.3(11)T Easy VPN Server The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following Encryption and hash algorithms Authentication methods Diffie-Hellman group sizes 9

10 Step 3 The Easy VPN Server Accepts the SA Proposal Remote PC with Easy Remote VPN Client 4.x The Easy VPN Server searches for a match The first proposal to match the server s list is accepted (highest-priority match). The most secure proposals are always listed at the top of the Easy VPN Server s proposal list (highest priority). ISAKMP SA is successfully established. Proposal 1 Cisco IOS router 12.3(11)T Easy VPN Server Device authentication ends and user authentication begins. Proposal checking finds proposal 1 match 10

11 Step 4 Username/Password Challenge Remote PC with Easy Remote VPN Client 4.x Username/password challenge Username/password Cisco IOS router 12.3(11)T Easy VPN Server AAA checking If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge The user enters a username/password combination. The username/password information is checked against authentication entities using AAA. All Easy VPN Servers should be configured to enforce user authentication. 11

12 Step 5 The Mode Configuration Process Is Initiated Remote PC with Easy Remote VPN Client 4.x Client Requests Parameters Cisco IOS router 12.3(11)T Easy VPN Server If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server Mode configuration starts. System Parameters via Mode Config The remaining system parameters, such as IP address, DNS, split tunneling information, are downloaded to the VPN Client. Remember that the IP address is the only required parameter in a group profile. All other parameters are optional. 12

13 Step 6 The RRI Process Is Initiated Remote PC with Easy Remote VPN Client 4.x VPN Tunnel Cisco IOS router 12.3(11)T Easy VPN Server RRI static route creation After the Easy VPN Server knows the VPN Client s assigned IP address, it must determine how to route packets through the appropriate VPN tunnel RRI creates a static route on the Easy VPN Server for each VPN Client s internal IP address. RRI must be enabled on the crypto maps supporting VPN Clients. RRI need not be enabled on a crypto map applied to a GRE tunnel that is already being used to distribute routing information. 13

14 Step 7 IPSec Quick Mode Completes the Connection Remote PC with Easy Remote VPN Client 4.x Quick mode IPSec SA establishment VPN tunnel Cisco IOS router 12.3(11)T Easy VPN Server After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete. 14

15 Module 6 Configure Remote Access VPN 6.2 Configure the EasyVPN Server 15

16 Easy VPN Server General Configuration Tasks The following general tasks are used to configure Easy VPN Server on a Cisco router Task 1 Create IP address pool. Task 2 Configure group policy lookup. Task 3 Create ISAKMP policy for remote VPN Client access. Task 4 Define group policy for mode configuration push. Task 5 Create a transform set. Task 6 Create a dynamic crypto map with RRI. Task 7 Apply mode configuration to the dynamic crypto map. Task 8 Apply the crypto map to the router interface. Task 9 Enable IKE DPD. Task 10 Configure XAUTH. Task 11 (Optional) Enable XAUTH save password feature. 16

17 Task 1 Create IP Address Pool Remote client vpngate1 Pool REMOTE-POOL to router(config)# ip local pool {default pool-name low-ip-address [high-ip-address]} vpngate1(config)# ip local pool REMOTE-POOL Creating a local address pool is optional if an external DHCP server is in use on the network. 17

18 Task 2 Configure Group Policy Lookup Remote client Group VPN-REMOTE-ACCESS vpngate1 router(config)# aaa new-model router(config)# aaa authorization network list-name local [method1 [method2 ]] vpngate1(config)# aaa new-model vpngate1(config)# aaa authorization network VPN-REMOTE-ACCESS local Creates a user group for local AAA policy lookup 18

19 Task 3 Create ISAKMP Policy for Remote VPN Client Access Remote client vpngate1 Policy 1 Authen Preshared keys Encryption 3-DES Diffie-Hellman Group 2 Other settings Default vpngate1(config)# crypto isakmp enable vpngate1(config)# crypto isakmp policy 1 vpngate1(config-isakmp)# authen pre-share vpngate1(config-isakmp)# encryption 3des vpngate1(config-isakmp)# group 2 vpngate1(config-isakmp)# exit Use standard ISAKMP configuration commands. 19

20 Task 4 Define Group Policy for Mode Configuration Push Task 4 contains the following steps Step 1 Add the group profile to be defined. Step 2 Configure the ISAKMP pre-shared key. Step 3 Specify the DNS servers. Step 4 Specify the WINS servers. Step 5 Specify the DNS domain. Step 6 Specify the local IP address pool. 20

21 Task 4-Step 1 Add the Group Profile to Be Defined Remote client Group VPN-REMOTE-ACCESS Key MYVPNKEY DNS DNS1 & DNS2 vpngate1 WINS WINS1 & WINS2 Domain cisco.com Pool name REMOTE-POOL router(config)# Pool to crypto isakmp client configuration group {group-name default} vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS vpngate1(config-isakmp-group)# 21

22 Task 4-Step 2 Configure the IKE Pre-Shared Key Group VPN-REMOTE-ACCESS Key MYVPNKEY Remote client vpngate1 DNS DNS1 & DNS2 WINS WINS1 & WINS2 Domain cisco.com Pool name REMOTE-POOL Pool to router(config-isakmp-group)# key name vpngate1(config-isakmp-group)# key MYVPNKEY 22

23 Task 4-Step 3 Specify the DNS Servers Remote client router(config-isakmp-group)# vpngate1 dns primary-server secondary-server Group VPN-REMOTE-ACCESS Key MYVPNKEY DNS DNS1 & DNS2 WINS WINS1 & WINS2 Domain cisco.com Pool name REMOTE-POOL Pool to vpngate1(config-isakmp-group)# dns DNS1 DNS2 vpngate1(config-isakmp-group)# dns

24 Task 4-Step 4 Specify the WINS Servers Remote client router(config-isakmp-group)# vpngate1 Group VPN-REMOTE-ACCESS Key MYVPNKEY DNS DNS1 & DNS2 WINS WINS1 & WINS2 Domain cisco.com wins primary-server secondary-server Pool name REMOTE-POOL Pool to vpngate1(config-isakmp-group)# wins WINS1 WINS2 vpngate1(config-isakmp-group)# wins

25 Task 4-Step 5 Specify the DNS Domain Group VPN-REMOTE-ACCESS Key MYVPNKEY Remote client DNS DNS1 & DNS2 WINS WINS1 & WINS2 Domain cisco.com vpngate1 Pool name REMOTE-POOL Pool to router(config-isakmp-group)# domain name vpngate1(config-isakmp-group)# domain cisco.com 25

26 Task 4-Step 6 Specify the Local IP Address Pool Group VPN-REMOTE-ACCESS Key MYVPNKEY Remote client vpngate1 DNS DNS1 & DNS2 WINS WINS1 & WINS2 Domain cisco.com Pool name REMOTE-POOL Pool to router(config-isakmp-group)# pool name vpngate1(config-isakmp-group)# pool REMOTE-POOL 26

27 Task 5 Create Transform Set Remote client Transform set name VPNTRANSFORM vpngate1 router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac vpngate1(cfg-crypto-trans)# exit 27

28 Task 6 Create a Dynamic Crypto Map with RRI Task 6 contains the following steps Step 1 Create a dynamic crypto map. Step 2 Assign a transform set. Step 3 Enable RRI. 28

29 Task 6-Step 1 Create a Dynamic Crypto Map Dynamic Crypto map name/sequence # Remote client DYNMAP 1 vpngate1 router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num vpngate1(config)# crypto dynamic-map DYNMAP 1 vpngate1(config-crypto-map)# 29

30 Task 6-Step 2 Assign Transform Set to Dynamic Crypto Map Transform set name Remote client VPNTRANSFORM vpngate1 router(config-crypto-map)# set transform-set transform-set-name [transform-set-name2 transform-set-name6] vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM 30

31 Task 6-Step 3 Enable RRI RRI routing announcement to inside network Remote client File server Tunnel vpngate1 router(config-crypto-map)# reverse-route vpngate1(config-crypto-map)# reverse-route vpngate1(config-crypto-map)# exit 31

32 Task 7 Apply Mode Configuration to Crypto Map Task 7 contains the following steps Step 1 Configure the router to respond to mode configuration requests. Step 2 Enable IKE querying for a group policy. Step 3 Apply the dynamic crypto map to the crypto map. 32

33 Task 7-Step 1 Configure Router to Respond to Mode Configuration Requests Remote client vpngate1 router(config)# crypto map map-name client configuration address {initiate respond} vpngate1(config)# crypto map CLIENTMAP client configuration address respond 33

34 Task 7-Step 2 Enable ISAKMP Querying for Group Policy Group Remote client VPN-REMOTE-ACCESS vpngate1 router(config)# crypto map map-name isakmp authorization list list-name vpngate1(config)# crypto map CLIENTMAP isakmp authorization list VPN-REMOTE-ACCESS 34

35 Task 7-Step 3 Apply Dynamic Crypto Map to the Crypto Map Crypto map name/sequence # Remote client CLIENTMAP vpngate1 router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name vpngate1(config)# crypto map CLIENTMAP ipsec-isakmp dynamic DYNMAP 35

36 Task 8 Apply the Crypto Map to Router Outside Interface Crypto map name Remote client CLIENTMAP e0/1 vpngate1 vpngate1(config)# interface ethernet0/1 vpngate1(config-if)# crypto map CLIENTMAP vpngate1(config-if)# exit 36

37 Task 9 Enable ISAKMP DPD Remote client 1) DPD send Are you there? 2) 2) DPD Reply reply Yes, I I am here. vpngate1 router(config)# crypto isakmp keepalive secs retries vpngate1(config)# crypto isakmp keepalive

38 Task 10 Configure XAUTH Task 10 contains the following steps Step 1 Enable AAA login authentication. Step 2 Set the XAUTH timeout value. Step 3 Enable ISAKMP XAUTH for the dynamic crypto map. 38

39 Task 10, Step 1 Enable AAA Login Authentication Remote client VPN user group VPNUSERS vpngate1 router(config)# aaa authentication login list-name method1 [method2 ] vpngate1(config)# aaa authentication login VPNUSERS local 39

40 Task 10, Step 2 Set XAUTH Timeout Value Remote client 20 seconds vpngate1 VPN user group VPNUSERS router(config)# crypto isakmp xauth timeout seconds vpngate1(config)# crypto isakmp xauth timeout 20 40

41 Task 10, Step 3 Enable ISAKMP XAUTH for Crypto Map Crypto map name CLIENTMAP VPN user group Remote client VPNUSERS vpngate1 router(config)# crypto map map-name client authentication list list-name vpngate1(config)# crypto map CLIENTMAP client authentication list VPNUSERS 41

42 Task 11 (Optional) Enable XAUTH Save Password Remote client Group VPN-REMOTE-ACCESS vpngate1 router(config-isakmp-group)# save-password vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS vpngate1(config-isakmp-group)# save-password This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command. 42

43 Easy VPN Server Configuration Example version 12.3 hostname Router1! aaa new-model aaa authentication login VPNAUTHEN local aaa authorization network VPNAUTHOR local ip domain-name cisco.com ip dhcp excluded-address ! ip dhcp pool POD1_INSIDE network default-router ! crypto isakmp policy 3 hash md5 authentication pre-share group 2! ip local pool IPPOOL crypto isakmp xauth timeout 20 43

44 Easy VPN Server Configuration Example crypto isakmp client configuration group SALES key cisco123 domain cisco.com pool IPPOOL save-password! crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac! crypto dynamic-map DYNMAP 10 set transform-set MYSET reverse-route! crypto map CLIENTMAP client authentication list VPNAUTHEN crypto map CLIENTMAP isakmp authorization list VPNAUTHOR crypto map CLIENTMAP client configuration address respond crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP! interface FastEthernet 0/1 ip address crypto map CLIENTMAP crypto isakmp keepalive

45 Task 12 Verify router# show crypto map [interface interface tag mapname] Router# show crypto map interface ethernet 0 Displays crypto map configuration. router# show run Router# show run Displays running configuration. 45

46 Module 6 Configure Remote Access VPN 6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x 46

47 Configuring Easy VPN Remote for the Cisco VPN Client 4.x General Tasks Task 1 Install Cisco VPN Client 4.x. Task 2 Create a new client connection entry. Task 3 Choose an authentication method. Task 4 Configure transparent tunneling. Task 5 Enable and add backup servers. Task 6 Configure connection to the Internet through dial-up networking. 47

48 Task 1 Install Cisco VPN Client 4.x Installation file on IP-disks 48

49 Error Message 49

50 Task 2 Create a New Client Connection Entry 50

51 Task 3 Configure Client Authentication Properties 51

52 Task 4 Configure Transparent Tunneling 52

53 Task 5 Enable and Add Backup Servers 53

54 Task 6 Configure Connection to the Internet through Dial-up Networking 54

55 Module 6 Configure Remote Access VPN 6.4 Configure Cisco Easy VPN Remote for Access Routers 55

56 Easy VPN Remote Client Mode X VPN tunnel Cisco 831 router Cisco router (Easy VPN Server) 12.3(11)T 56

57 Easy VPN Remote Network Extension Mode Cisco 831(Easy VPN Remote) VPN tunnel Cisco router (Easy VPN Server) 12.3(11)T X.X 57

58 Easy VPN Remote Configuration General Tasks for Access Routers Task 1 (Optional) Configure the DHCP server pool. Task 2 Configure and assign the Cisco Easy VPN client profile. Task 3 (Optional) Configure XAUTH password save. Task 4 Initiate the VPN tunnel. Task 5 Verify the Cisco Easy VPN configuration. 58

59 Task 1 Configure the DHCP Server Pool router(config)# ip dhcp pool pool-name router(dhcp-config)# network ip-address [ mask /prefix-length] default-router address [address2... addressn] import all lease {days [ hours][ minutes] infinite} exit router(config)# ip dhcp excluded-address lan-ip-address 59

60 Task 1 Example DHCP Server Pool VPNREMOTE1 VPNGATE1 vpnremote1(config)# ip dhcp pool CLIENT vpnremote1(dhcp-config)# network vpnremote1(dhcp-config)# default-router vpnremote1(dhcp-config)# import all vpnremote1(dhcp-config)# lease 3 vpnremote1(dhcp-config)# exit vpnremote1(config)# ip dhcp excluded-address

61 Task 2 Configure the Cisco Easy VPN Client Profile router(config)# crypto ipsec client ezvpn name router(config-crypto-ezvpn)# group group-name key group-key peer [ ip-address hostname] mode {client network-extension network-plus} exit 61

62 Task 2 Example Configure the Cisco Easy VPN Client Profile VPNGATE Group: VPN-REMOTE-ACCESS Peer: Key: MYVPNKEY Mode: Client.1.1 VPNREMOTE1.2 VPNGATE1 vpnremote1(config)# crypto ipsec client ezvpn VPNGATE1 vpnremote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY vpnremote1(config-crypto-ezvpn)# peer vpnremote1(config-crypto-ezvpn)# mode client vpnremote1(config-crypto-ezvpn)# exit vpnremote1(config)# 62

63 Task 2 Example Assign Easy VPN Remote to the Interface VPNGate VPNREMOTE1 VPNGATE1 router(config-if)# crypto ipsec client ezvpn name [inside outside] vpnremote1(config)# interface ethernet1 vpnremote1(config-if)# crypto ipsec client ezvpn VPNGATE1 vpnremote1(config-if)# exit 63

64 Task 3 (Optional) Configure XAUTH Save Password Feature router(config)# crypto ipsec client ezvpn name router(config-crypto-ezvpn)# username aaa-username password aaa-password vpnremote1(config)# crypto ipsec client ezvpn VPNGATE1 vpnremote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS vpnremote1(config-crypto-ezvpn)# exit 64

65 Task 4 (Optional) Initiate the VPN Tunnel (XAUTH) 01:34:42: EZVPN: Pending XAuth Request, Please enter the following command: 01:34:42: EZVPN: crypto ipsec client ezvpn xauth router# Cisco IOS message: Waiting for valid XAUTH username and password. crypto ipsec client ezvpn xauth vpnremote1# crypto ipsec client ezvpn xauth Enter Username and Password: vpnusers Password: ******** With XAUTH: When SA expires, username and password must be manually entered. With XAUTH Password Save enabled: When SA expires, the last valid username and password will be reused automatically. 65

66 Task 5 Verify the Cisco Easy VPN Configuration vpnremote1# show crypto ipsec client ezvpn Easy VPN Remote Phase: 2 Tunnel name : VPNGATE1 Inside interface list: Ethernet0, Outside interface: Ethernet1 Current State: IPSEC_ACTIVE Last Event: SOCKET_UP Address: Mask: DNS Primary: DNS Secondary: NBMS/WINS Primary: NBMS/WINS Secondary: Default Domain: cisco.com 66

67 Easy VPN Remote Configuration Example version 12.2 hostname VPNREMOTE1! username admin privilege 15 password 7 070E ip subnet-zero ip domain-name cisco.com ip dhcp excluded-address ! ip dhcp pool CLIENT import all network default-router lease 3! crypto ipsec client ezvpn VPNGATE1 connect auto group VPNREMOTE1 key 0 MYVPNKEY mode client peer username VPNUSER password 0 VPNPASS 67

68 Easy VPN Remote Configuration Example (Cont.) interface Ethernet0 ip address crypto ipsec client ezvpn VPNGATE1 inside! interface Ethernet1 ip address crypto ipsec client ezvpn VPNGATE1! ip classless ip route Ethernet1 ip route Ethernet1 ip http server no ip http secure-server! line con 0 no modem enable stopbits 1 line aux 0 line vty 0 4! end 68

69 Module 6 Configure Remote Access VPN 6.5 Configure the PIX Security Appliance as an Easy VPN Server 69

70 EasyVPN Server General Configuration Tasks Task 1 Create an ISAKMP policy for remote Cisco VPN Client access. Task 2 Create an IP address pool. Task 3 Define a group policy for a mode configuration push. Task 4 Create a transform set. Task 5 Create a dynamic crypto map. Task 6 Assign a dynamic crypto map to a static crypto map. Task 7 Apply a dynamic crypto map to the PIX Security Appliance interface. Task 8 Configure XAUTH. Task 9 Configure NAT and NAT 0. Task 10 Enable IKE dead peer detection (DPD). 70

71 Create ISAKMP Policy 71

72 Create IP Address Pool 72

73 Define Group Policy for Mode Configuration Push Step 1 Set the Tunnel Group Type Step 2 Configure the IKE Pre-shared Key Step 3 Specify the Local IP Address Pool Step 4 Configure the Group Policy Type Step 5 Enter the Group Policy Attributes Submode Step 6 Specify the DNS Servers Step 7 Specify the WINS Servers Step 8 Specify the DNS Domain Step 9 Specify the Idle Timeout 73

74 Set Tunnel Group Type 74

75 Configure IKE Pre-Shared Key 75

76 Specify Local IP Address Pool 76

77 Configure the Group Policy Type 77

78 Enter the Group Policy Attributes Submode 78

79 Specify DNS Servers 79

80 Specify WINS Servers 80

81 Specify DNS Domain 81

82 Specify Idle Time 82

83 Create Transform Set 83

84 Create Dynamic Crypto Map 84

85 Assign Dynamic Crypto Map to Static Crypto Map 85

86 Apply Dynamic Crypto Map 86

87 Configure XAUTH Step 1 Enable AAA login authentication. Step 2 Define AAA server IP address and encryption key. Step 3 Enable IKE XAUTH for the crypto map. 87

88 Configure NAT and NAT 0 88

89 Enable IKE DPD 89

90 Module 6 Configure Remote Access VPN 6.6 Configure a PIX 501 or 506E as an Easy VPN Client 90

91 PIX Easy VPN Remote 91

92 Easy VPN Remote Client Configuration 92

93 Easy VPN Client Device Mode 93

94 Module 6 Configure Remote Access VPN 6.7 Configure the Adaptive Security Appliance to Support WebVPN 94

95 Home Page 95

96 Website Access 96

97 Port Forwarding 97

98 Enabling WebVPN 98

99 Home Page Look and Feel Configuration 99

100 Enabling WebVPN 100

101 Servers and URL Configuration Example 101

102 Enable Port Forwarding 102

103 Port Forwarding Configuration Example 103

104 Enable Proxy 104

105 Proxy Configuration Example 105

106 HTML Content Filtering 106

107 HTML Content Filtering 107

108 WebVPN ACLs 108