Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA



Similar documents
REMOTE ACCESS VPN NETWORK DIAGRAM

VPN Configuration Guide. Cisco ASA 5500 Series

Configuring Remote Access IPSec VPNs

SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011

Cisco ASA configuration for SMS PASSCODE SMS PASSCODE 2014

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Lab a Configure Remote Access Using Cisco Easy VPN

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Network Security 2. Module 6 Configure Remote Access VPN

Lab Configure Remote Access Using Cisco Easy VPN

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Scenario: Remote-Access VPN Configuration

VPN SECURITY POLICIES

Triple DES Encryption for IPSec

C H A P T E R Management Cisco SAFE Reference Guide OL

Using PIX Firewall in SOHO Networks

BONUS TUTORIAL CISCO ASA 5505 CONFIGURATION WRITTEN BY: HARRIS ANDREA ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET

Configuring L2TP over IPsec

Cisco EXAM Implementing Cisco Secure Mobility Solutions (SIMOS) Buy Full Product.

Module 6 Configure Remote Access VPN

IPSec tunnel APLICATION GUIDE

Scenario: IPsec Remote-Access VPN Configuration

LAN-Cell to Cisco Tunneling

Understanding the Cisco VPN Client

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1

Industrial Classed H685 H820 Cellular Router User Manual for VPN setting

ASA and Native L2TP IPSec Android Client Configuration Example

Lab Configure a PIX Firewall VPN

Virtual Private Network (VPN)

VPN. VPN For BIPAC 741/743GE

Configuring L2TP over IPSec

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

Interoperability Guide

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

LAN-Cell 3 to Cisco ASA 5500 VPN Example

GregSowell.com. Mikrotik VPN

Application Notes SL1000/SL500 VPN with Cisco PIX 501

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

TABLE OF CONTENTS NETWORK SECURITY 2...1

Configure ISDN Backup and VPN Connection

- The PIX OS Command-Line Interface -

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Lab Configuring the PIX Firewall as a DHCP Server

Configure ISE Version 1.4 Posture with Microsoft WSUS

Configuring Tunnel Default Gateway on Cisco IOS EasyVPN/DMVPN Server to Route Tunneled Traffic

IPSec. User Guide Rev 2.2

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Configuring GTA Firewalls for Remote Access

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Chapter 5 Virtual Private Networking Using IPsec

Packet Tracer Configuring VPNs (Optional)

How to configure VPN function on TP-LINK Routers

Configuring Easy VPN Services on the ASA 5505

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Cisco ASA Multi-tier VPN access with Active Directory Group Authentication

Amazon Virtual Private Cloud. Network Administrator Guide API Version

This section provides a summary of using network location profiles to identify network connection types. Details include:

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

IP Office Technical Tip

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

IP Office Technical Tip

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Abstract. SZ; Reviewed: WCH 6/18/2003. Solution & Interoperability Test Lab Application Notes 2003 Avaya Inc. All Rights Reserved.

How to configure VPN function on TP-LINK Routers

Windows XP VPN Client Example

IPSec interoperability between Palo Alto firewalls and Cisco ASA. Tech Note PAN-OS 4.1. Revision A 2011, Palo Alto Networks, Inc.

2.0 HOW-TO GUIDELINES

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

GoldKey and Cisco AnyConnect

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Vodafone MachineLink 3G. IPSec VPN Configuration Guide

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Nokia Mobile VPN How to configure Nokia Mobile VPN for Cisco ASA with PSK/xAuth authentication

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Cisco 1841 MyDigitalShield BYOG Integration Guide

Clientless SSL VPN Users

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

SingTel VPN as a Service. Quick Start Guide

VPN L2TP Application. Installation Guide

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Implementing Cisco IOS Network Security v2.0 (IINS)

Amazon Virtual Private Cloud. Network Administrator Guide API Version

Configuring a VPN between a Sidewinder G2 and a NetScreen

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

How To Industrial Networking

Cisco Virtual Office Express

IPSec Network Security Commands

Transcription:

Expert Reference Series of White Papers Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA 1-800-COURSES www.globalknowledge.com

Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA Chris Olsen, Global Knowledge Cisco, Microsoft, and VMware Instructor Introduction As our methods of doing business becomes more global and mobile, businesses large and small continue to have greater needs for traveling employees to access internal company information, securely and reliably. Cisco s widely implemented Adaptive Security Appliance (ASA) offers the functionality of secure Virtual Private Network (VPN) connectivity for remote users. While user credentials for authentication can be configured in the ASA, this creates a redundant user database for organizations that already have Microsoft Active Directory (AD) in place. This white paper will show you how to configure an ASA to leverage AD for remote connectivity. I have done this integration several times for my clients, and they all appreciate the benefit of having only one username and password to access their internal organizational programs or data whether they are in the office or connecting remotely. While this white paper will show you how to configure the integration between a Cisco ASA and Microsoft AD, these configuration steps will be relatively similar if you are still using the ASA predecessor, Private Internet Exchange (PIX) firewall. Microsoft has offered AD in their Windows server product versions 2000, 2003, and 2008, and this integration will work with all three versions. you will need to instal LDAP in Windows 2008 or the Internet Authentication Service (IAS) on a Windows server in your domain to accept the ASA configurations in this document. Protocols in Use The first underlying protocol for this integration is Lightweight Directory Access Protocol (LDAP). LDAP allows an access device, like our ASA, to borrow authentication from a user database such as AD. LDAP is a low-overhead protocol that runs between the ASA and AD server(s) and is not exposed to the public Internet. The next protocol required is Authentication Authorization and Accounting (AAA). Authentication actually takes the username and password entered by the remote VPN user and verifies that it is authentic according to AD. Authorization establishes what the users can or cannot do inside the network once they are authorized. Accounting acts like a logging feature documenting the remote user s actions. The configuration in this paper only focuses on the Authentication portion, but does not interfere with Authorization and Accounting if those features are also desired. Copyright 2010 Global Knowledge Training LLC. All rights reserved. 2

Remote Access Dial in User Service (RADIUS) is used to authenticate users from the ASA to AD. RADIUS initially became popular many years ago with ISPs that had modem pools for external users to connect to their internal organizations or the public Internet with asynchronous modems. RADIUS is used in this implementation without any reference to or usage of modems. Configuration This example does not include all configuration commands on your ASA, just those relevant to the LDAP integration with AD. Of course, you would replace the example names and IP addressed in this document with those used in your production environment. Once you connect into your ASA device, you will need to start your configuration in Global Config mode as follows. For this example, the hostname of your ASA device is YourASADevice. YourASADevice#configure terminal The following named access list called acl-vpn-nonat refers to a virtual internal private address space used for remote VPN users. YourASADevice(config)# access-list acl-vpn-nonat extended permit ip any 192.168.2.0 255.255.255.0 The pool named remote-vpn-pool provides the range of IP addresses assigned to remote VPN users. YourASADevice(config)#ip local pool remote-vpnpool 192.168.2.10-192-.168.2.20 mask 255.255.255.0 Global and NAT commands allow outside users to connect in, and inside users to connect out to the public Internet. The 192.168.1.0 address would be your internal private address space. YourASADevice(config)#global (outside) 1 interface YourASADevice(config)#nat (inside) 0 access-list acl-vpn-nonat YourASADevice(config)#nat (inside) 1 192.168.1.0 255.255.255.0 RADIUS is enabled on the ASA to the LDAP AD server with the IP address 192.168.10.40 with a password of ASA123. YourASADevice(config)#aaa-server RADIUS protocol radius YourASADevice(config)#aaa-server partnerauth protocol radius aaa-server partnerauth (inside) host 192.168.10.40 timeout 5 key ASA123 Copyright 2010 Global Knowledge Training LLC. All rights reserved. 3

The following Crypto commands establish the preference of security protocols for remote VPN access. When you view the running configuration on your ASA device, you will notice that some of these are the default commands: YourASADevice(config)#crypto ipsec transform-set myset esp-aes espsha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-3DES-SHA esp- 3des esp-sha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac YourASADevice(config)#crypto ipsec transform-set ESP-DES-SHA espdes esp-sha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-DES-MD5 espdes esp-md5-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac YourASADevice(config)#crypto ipsec transform-set ESP-3DES-MD5 esp- 3des esp-md5-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac YourASADevice(config)#crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac YourASADevice(config)#crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5 YourASADevice(config)#crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES- 192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES- SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 Copyright 2010 Global Knowledge Training LLC. All rights reserved. 4

YourASADevice(config)#crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP YourASADevice(config)#crypto map outside_map interface outside YourASADevice(config)#crypto isakmp identity address YourASADevice(config)#crypto isakmp enable outside crypto isakmp policy 30 authentication pre-share encryption aes hash sha group 5 lifetime 86400 YourASADevice(config)#crypto isakmp policy 200 authentication pre-share encryption aes hash sha group 2 lifetime 86400 Your internal users can benefit from the DHCP services of the ASA device as shown here. DHCP on the ASA device for internal users is not required for remote VPN users. YourASADevice(config)# dhcpd address 192.168.1.5-192.168.1.36 inside dhcpd enable inside These commands demonstrate an internal WINS and DNS server or 192.168.1.90 with a domain name of YourCompany.com. YourASADevice(config)# group-policy remote attributes wins-server value 192.168.1.90 dns-server value 192.168.1.90 vpn-tunnel-protocol IPSec password-storage disable ip-comp disable pfs enable default-domain value YourCompany.com Copyright 2010 Global Knowledge Training LLC. All rights reserved. 5

Tunnel groups are used to establish the settings for remote VPN users. YourASADevice(config)# tunnel-group remote type remote-access YourASADevice(config)# tunnel-group remote general-attributes address-pool remote-vpnpool authentication-server-group partnerauth default-group-policy remote YourASADevice(config)# tunnel-group remote ipsec-attributes pre-shared-key * YourASADevice(config)# class-map global-class match default-inspection-traffic Conclusion Your users will appreciate the ability to connect in to your internal network to access programs and data with the same user name and password credentials as they do when they are in the office. VPN access via the public Internet is very secure and reliable. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge course(s): VPN Deploying Cisco ASA VPN Solutions SNAA Securing Networks with ASA Advanced ASACAMP ASA Lab Camp For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs and exercises offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 1,200 courses, delivered through Classrooms, e-learning, and On-site sessions, to meet your IT and business training needs. About the Author Chris Olsen has been an IT trainer since 1993 and an independent consultant and technical writer since 1996. He has taught over 60 different IT and telephony classes to over 15,000 students. He is a technical editor for Global Knowledge s lab manuals, and he has published two books with Cisco Press, CIPT Part 2 and CCNA Voice Flash Cards. He is an author and technical editor on both Microsoft OCS 2007 and 2007 R2 certification exams. He is a technical author for Cisco certified courses and is currently working on another book. Copyright 2010 Global Knowledge Training LLC. All rights reserved. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information