Lab 7.3.6 Configure Remote Access Using Cisco Easy VPN



Similar documents
Lab a Configure Remote Access Using Cisco Easy VPN

Network Security 2. Module 6 Configure Remote Access VPN

Module 6 Configure Remote Access VPN

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

REMOTE ACCESS VPN NETWORK DIAGRAM

Configuring Remote Access IPSec VPNs

Triple DES Encryption for IPSec

Lab Configuring the PIX Firewall as a DHCP Server

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Lab Configure a PIX Firewall VPN

Configure ISDN Backup and VPN Connection

Understanding the Cisco VPN Client

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA

Scenario: IPsec Remote-Access VPN Configuration

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Scenario: Remote-Access VPN Configuration

Objectives. Background. Required Resources. CCNA Security

How To Industrial Networking

VPN Configuration Guide. Cisco ASA 5500 Series

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Configuring Internet Key Exchange Security Protocol

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Device Interface IP Address Subnet Mask Default Gateway

LAN-Cell to Cisco Tunneling

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Florida Atlantic University VPN Client Installation Guide

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

VPN SECURITY POLICIES

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

Lab Configure Cisco IOS Firewall CBAC

Industrial Classed H685 H820 Cellular Router User Manual for VPN setting

Lab Configure IOS Firewall IDS

Global VPN Client Getting Started Guide

Installation and Configuration of VPN Software

Lab Configure Basic AP Security through IOS CLI

Installing the VPN Client for Microsoft Windows OS

TABLE OF CONTENTS NETWORK SECURITY 2...1

Lab 2.5.2a Configure SSH

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

Configuring SSH Sentinel VPN client and D-Link DFL-500 Firewall

Global VPN Client Getting Started Guide

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Virtual Private Network (VPN)

ZyWALL OTPv2 Support Notes

Windows XP VPN Client Example

IPSec Network Security Commands

Using PIX Firewall in SOHO Networks

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

Tufts VPN Client User Guide for Windows

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Configuring the PIX Firewall with PDM

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Classroom Management network FAQ and troubleshooting

Pre-lab and In-class Laboratory Exercise 10 (L10)

How to configure MAC authentication on a ProCurve switch

VPNC Interoperability Profile

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Setting up Remote Desktop

How to Configure Web Authentication on a ProCurve Switch

VPN L2TP Application. Installation Guide

Accessing the Media General SSL VPN

Remote Access for Cisco Unity 8.x

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Configuring Global Protect SSL VPN with a user-defined port

V310 Support Note Version 1.0 November, 2011

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Lab Configure Local AAA on Cisco Router

How to configure VPN function on TP-LINK Routers

How To Connect To Ecs.Org From A Pc Or Mac Or Ipad (For A Laptop) With A Network Connection (For Mac) With The Ipad Or Ipa (For Pc Or Ipac) With An Ipa Or Ip

Encrypted Preshared Key

How to connect to via VPN Remote Desktop for Windows 2000, XP, & Vista-32bit

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

SingTel VPN as a Service. Quick Start Guide

Cisco ASA configuration for SMS PASSCODE SMS PASSCODE 2014

Connecting and Setting Up Your Laptop Computer

Installing Windows 95 Drivers and Utilities for the Cisco Aironet 340/350 Series Client Adapters

Cisco QuickVPN Installation Tips for Windows Operating Systems

IP Office Technical Tip

3.1 Connecting to a Router and Basic Configuration

How to configure VPN function on TP-LINK Routers

Creating a Gateway to Gateway VPN between Sidewinder G2 and Linux

NAC Guest. Lab Exercises

Case Study - Configuration between NXC2500 and LDAP Server

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

How to Logon with Domain Credentials to a Server in a Workgroup

Global VPN Client Getting Started Guide

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

VPN. VPN For BIPAC 741/743GE

Encrypted Preshared Key

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Transcription:

Lab 7.3.6 Configure Remote Access Using Cisco Easy VPN Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team In this lab, the student will learn the following objectives: Change the IP address of the client PC Create an IP address pool Enable policy lookup via authentication, authorization, and accounting (AAA) Define group policy information for mode configuration push Apply mode configuration and Xauth Verify Easy VPN Server configuration Install the Cisco VPN Client 3.5 Create a new connection entry Launch the Cisco VPN Client In this lab exercise, the team will configure a Cisco Easy VPN Server given a Cisco 2600 Series router, and a Cisco VPN Client 3.5 given a PC running Windows 2000. Upon completion of these configuration tasks, the group will test the connectivity between the VPN Client and the Easy VPN Server. 1-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

Topology This figure illustrates the lab network environment. Preparation Begin with the topology above and verify the standard router configuration on the pod routers. Access the perimeter router console port using the terminal emulator on the Windows 2000 server. If desired, save the router configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. Before beginning this lab exercise, it is imperative to change the static IP address of the laptop PC to 172.26.26.P (where P =pod number). Also, the PC must be physically connected to a switch port on VLAN 1. Tools and resources In order to complete the lab, the standard lab topology is required: Two pod routers Two student PCs One SuperServer Backbone switch and one backbone router Two console cables and HyperTerminal Cisco VPN Client 3.5 2-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

Additional materials Further information about the objectives covered in this lab can be found at the following websites: http://www.cisco.com/en/us/products/sw/iosswrel/ps1834/products_feature_guide09186a00 8007feb8.html Command list http://www.cisco.com/en/us/products/sw/iosswrel/ps1839/products_feature_guide09186a00 80087d1e.html In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed during the lab exercise. Command aaa authentication aaa new-model crypto isakmp client configuration group {group-name default} crypto map map-name client authentication list list-name crypto map map-name client configuration address [initiate respond] Description Use the aaa authorization global configuration command to set parameters that restrict a user's network access Enables AAA. Specifies which group's policy profile will be defined and enters Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. If no specific group matches and a default group is defined, users will automatically be given the default group's policy. Enforces Xauth. The list-name argument is used to determine the appropriate username and password storage location (local or RADIUS) as defined in the aaa authentication login command. Configures the router to initiate or reply to Mode Configuration requests. Note that the Cisco clients require the respond keyword to be used. However, if the Cisco Secure VPN Client 1.x is used, the initiate keyword must be used. The initiate and respond keywords may be used simultaneously. crypto map map-name isakmp authorization list list-name ip local pool key name Enables IKE querying for group policy when requested by the client. The list-name argument is used by AAA to determine which storage source is used to find the policy (local or RADIUS) as defined in the aaa authorization network command. Configures a group of local IP address pools Specifies the IKE pre-shared key for group policy attribute definition. Note that this command must be enabled if the client 3-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

Command pool name username name password encryption-type encrypted-password Description identifies itself with a pre-shared key. Defines a local pool address. Although a user must define at least one pool name, a separate pool may be defined for each group policy. Note that this command must be defined and refer to a valid IP local pool address or the client connection will fail. Defines local users for Xauth if RADIUS or TACACS+ is not used. Use this command only if no external validation repository will be used. Step 1 Change the IP Address of the Client PC a. Before beginning this lab exercise, it is imperative to change the static IP address of the laptop PC to 172.26.26.P (where P =pod number). Also, the PC must be physically connected to a switch port on VLAN 1. Step 2 Create an IP Address Pool Complete the following step to create an IP address pool for the remote clients on the perimeter router beginning in the global configuration mode. a. Configure a local pool of IP addresses to be used when a remote peer connects to a point-topoint interface. The syntax for the ip local pool is: ip local pool {default pool-name low-ip-address [high-ip-address]} i. Use the following IP address pool: RouterP(config)#ip local pool IPPOOL 10.0.P.20 10.0.P.30 (where P = pod number) Step 3 Enable Policy Lookup via AAA To enable policy lookup via AAA, complete the following commands for the perimeter router beginning in global configuration mode: a. Enable AAA: RouterP(config)#aaa new-model b. Set AAA authentication at login. Note that this command must be enabled to enforce Xauth. RouterP(config)#aaa authentication login VPNAUTHEN local c. Set AAA authorization at login. RouterP(config)# aaa authorization network VPNAUTHOR local d. Define local users: RouterP(config)#username vpnstudent password cisco 4-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

Step 4 Define Group Policy Information for Mode Configuration Push Define the policy attributes that are pushed to the VPN Client via mode configuration. Use the following commands beginning in global configuration mode: a. Create the ISAKMP policy: RouterP(config)# crypto isakmp policy 3 RouterP(config-isakmp)# encryption des RouterP(config-isakmp)# authentication pre-share RouterP(config-isakmp)# group 2 RouterP(config-isakmp)# exit RouterP(config)# b. Specify which group policy profile will be defined and enter ISAKMP group configuration mode. If no specific group matches and a default group is defined, users will automatically be given the default group policy. For this exercise, use a group name of SALES. RouterP(config)#crypto isakmp client configuration group SALES c. Specify the IKE pre-shared key for group policy attribute definition. Note that this command must be enabled if the VPN Client identifies itself with a pre-shared key. For this exercise, use a key name of cisco. RouterP(isakmp-group)#key cisco123 d. Select a local IP address pool. Note that this command must refer to a valid local IP local address pool or the VPN Client connection will fail. Use the rempool pool name. RouterP(isakmp-group)#pool IPPOOL e. Define a domain name: RouterP(isakmp-group)#domain cisco.com RouterP(isakmp-group)#exit Step 5 Create the IPSec Transforms a. Create the transform set to be used with the dynamic crypto map. Name the transform set MYSET. Specify triple-des for encryptions in the ESP and SHA HMAC authentication in the ESP. RouterP(config)# crypto ipsec transform-set MYSET esp-3des esp-sha-hmac RouterP(cfg-crypto-trans)# exit Step 6 Create Crypto Maps a. Create the dynamic crypto map: RouterP(config)# crypto dynamic-map DYNMAP 10 RouterP(config-crypto-map)# set transform-set MYSET RouterP(config-crypto-map)# reverse-route RouterP(config-crypto-map)# exit b. Configure the router to initiate or reply to mode configuration requests. Note that VPN Clients require the respond keyword to be used. The initiate keyword was used with older VPN Clients and is no longer used with the 3.x version VPN Clients. RouterP(config)#crypto map CLIENTMAP client configuration address respond 5-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

c. Enable IKE querying for group policy when requested by the VPN Client. The list-name argument is used by AAA to determine which storage is used to find the policy, local or RADIUS, as defined in the aaa authorization network command. RouterP(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR d. Enforce Xauth. The list-name argument is used to determine the appropriate username and password storage location, local or RADIUS, as defined in the aaa authentication login command. RouterP(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN e. Assign the dynamic crypto map to CLIENTMAP: RouterP(config)# crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP f. Assign the crypto map to the outside interface: RouterP(config)# interface fa0/1 RouterP(config-if)# crypto map CLIENTMAP RouterP(config-if)# exit Step 7 Verify Easy VPN Server Configuration a. To verify the configurations for this feature, use the following command in EXEC mode: RouterP#show crypto map {interface interface tag map-name} This command displays the crypto map configuration. Step 8 Install the Cisco VPN Client 3.5 Complete the following steps to install the Cisco VPN Client version 3.5 on the Windows 2000 Server PC: a. Open the VPN Client desktop folder. b. Locate and run the Cisco VPN Client setup.exe executable. If this is the first time the VPN Client is installed, a window opens and displays the following message: Do you want the installer to disable the IPSec Policy Agent? c. Click Yes to disable the IPSec policy agent. The Welcome window opens. d. Read the Welcome window and click Next. The License Agreement window opens. e. Read the license agreement and click Yes. The Choose Destination Location window opens. f. Click Next. The Select Program Folder window opens. g. Accept the defaults by clicking Next. The Start Copying Files window opens. The files are copied to the hard disk drive of the PC and the InstallShield Wizard Complete window opens. h. Select Yes, I want to restart my computer now and click Finish. The PC restarts. This completes the installation of the Cisco VPN Client (Software Client). Step 9 Create a New Connection Entry Complete the following steps to create a new VPN connection entry: a. Choose Start > Programs > Cisco Systems VPN Client > VPN Dialer. The Cisco Systems VPN Client window opens. b. Click New. The New Connection Entry wizard opens. 6-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

c. Enter Boston Sales in the connection entry field. d. Click Next. e. Enter a public interface IP address of 172.30.P.2 in the remote server field. (where P = pod number) f. Click Next. g. Select Group Access Information and complete the following substeps. The following entries are always case sensitive. Enter a group name, SALES. Enter the group password, cisco123. Confirm the password, cisco123. h. Click Next. i. Click Finish and leave the Cisco Systems VPN Client window open. The network parameters for the VPN Client have been configured and a new VPN private networking connection entry has been created successfully. Step 10 Launch the Cisco VPN Client Complete the following steps to launch the Cisco VPN client on the PC: a. Choose Start > Programs > Cisco Systems VPN Client > VPN Dialer. b. Verify that the connection entry is Boston Sales. c. Verify that the IP address of remote server is set to the perimeter router public interface IP address of 172.30.P.2. (where P = pod number) d. Click Connect. The Connection History window opens and several messages flash by quickly. Complete the following substeps: i. When prompted for a username, enter vpnstudent. ii. When prompted to enter a password, enter cisco. iii. Click OK. The following messages flash by quickly: Initializing the connection Contacting the security gateway at Authenticating user The window disappears and a VPN lock icon appears in the system tray. The VPN Client has been successfully launched. 7-7 Fundamentals of Network Security v 1.0 - Lab 7.3.6 Copyright 2003, Cisco Systems, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information