Cisco VPN 3000 Concentrator

The Cisco VPN 3000 Series Concentrators are purpose-built, remote access virtual private network (VPN) platforms that incorporate high availability, high performance, and scalability with the most advanced encryption and authentication techniques available today. The VPN 3000 supports a number of secure protocols:

■ Point-to-Point Tunneling Protocol (PPTP)

■ Layer 2 Tunneling Protocol (L2TP) over IPSec

The Cisco VPN 3000 Series Concentrator supports the widest range of connectivity options, including WebVPN (clientless using a web browser), the Cisco Secure VPN Client, Microsoft L2TP/IPSec, and Microsoft PPTP.

Figure 5-5 displays a VPN 3000 Concentrator, front view.

Figure 5-5 VPN 3000 Concentrator, Front View


The VPN Concentrator is designed to terminate IPSec connections over a public domain such as the Internet. The placement of the VPN Concentrator is crucial for any network security engineer. Cisco makes a number of recommendations in its SAFE Blueprint, but in general requires that the VPN Concentrator be located behind a Cisco PIX Firewall on the inside interface where the DMZ is located. The Cisco SAFE Blueprint has a number of recommendations based on network size and appliances, though. See http://www.cisco.com/safe for the latest details.

There are currently six different VPN Concentrator models that you can purchase from Cisco. The following list details the hardware specifications of the models (reprinted from http://cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html):

■ Cisco VPN 3005 Concentrator—The Cisco VPN 3005 Concentrator is a VPN platform designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) with support for up to 200 simultaneous IPSec sessions or 50 simultaneous clientless sessions. Encryption processing is performed in software. The Cisco VPN 3005 does not have built-in upgrade capability.

■ Cisco VPN 3015 Concentrator—The Cisco VPN 3015 Concentrator is a VPN platform designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous IPSec sessions or 75 simultaneous clientless sessions. Like the Cisco VPN 3005, encryption processing is performed in software, but the Cisco VPN 3015 is also field-upgradeable to the Cisco VPN 3030 and 3060 models.

■ Cisco VPN 3020 Concentrator—The Cisco VPN 3020 Concentrator is a VPN platform designed for medium to large organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps maximum performance) with support for up to 750 simultaneous IPSec sessions or 200 simultaneous clientless sessions. Specialized SEP modules (SEP-E) perform hardware-based acceleration. The Cisco VPN 3020 cannot be upgraded to other products in the family. Redundant and nonredundant configurations are available.

■ Cisco VPN 3030 Concentrator—The Cisco VPN 3030 Concentrator is a VPN platform designed for medium to large organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps maximum performance) with support for up to 1,500 simultaneous IPSec sessions or 500 simultaneous clientless sessions. Specialized SEP modules perform hardware-based acceleration. The Cisco VPN 3030 can be upgraded to the Cisco VPN 3060 in the field. Redundant and nonredundant configurations are available.

■ Cisco VPN 3060 Concentrator—The Cisco VPN 3060 is a VPN platform designed for large organizations demanding the highest level of performance and reliability, with high-bandwidth requirements from fractional T3 through full T3/E3 or greater (100 Mbps maximum performance) with support for up to 5,000 simultaneous IPSec sessions or 500 simultaneous clientless sessions. Specialized SEP modules perform hardware-based acceleration. Redundant and nonredundant configurations are available.

■ Cisco VPN 3080 Concentrator—The Cisco VPN 3080 Concentrator is optimized to support large enterprise organizations that demand the highest level of performance combined with support for up to 10,000 simultaneous IPSec sessions or 500 simultaneous clientless sessions. Specialized SEP modules perform hardware-based acceleration. The VPN 3080 is available in a fully redundant configuration only.

Figure 5-6 displays a complex network whereby users from many different locations, such as Internet cafes, remote branch offices, and telecommuters using wireless networks, need to gain access to the campus network.

To configure the VPN Concentrator, you have two methods: via the CLI or via the web. The web is the preferred management option. This section shows how to configure a VPN 3000 Concentrator for typical settings to allow telecommuters access to the corporate network.

Figure 5-6 Placement of a VPN Concentrator

(Figure labels: Protected Network; Marketing; HR; Finance)

NOTE The lab exam will not have any preconfiguration on any security appliances, including VPN 3000. This means candidates need to be aware of how to configure a VPN 3000 out of the box. Use the CLI (console) to initialize (bootstrap). Review Chapter 8 for VPN 3000 configuration and ensure that you also have CLI console experience for the lab. The written exam does not require a candidate to be an expert with the CLI.

Figure 5-7 displays an HTML session to a VPN Concentrator.

Figure 5-7 VPN Concentrator Configuration Login Page

(Figure callouts: URL of VPN Concentrator; VPN 3000; Default username/password is "admin")

After you log in with the default username/password pair (admin/admin), the configuration screen is displayed. Figure 5-8 displays the home configuration page for a VPN 3000.

Figure 5-8 displays Configuration, Administration, and Monitoring navigation text in the upper-left corner. The VPN 3000 Concentrator is a favorite topic of the lab exam. There are numerous examples and screen shots on how the VPN 3000 is configured at Cisco.com to help you study for the lab exam.

Figure 5-8 VPN Concentrator Configuration Home Page

Consider an example of a typical VPN 3000 Concentrator configuration that allows remote telecommuters access to the campus network. The telecommuter in Figure 5-6 is attempting to connect to the corporate backbone via a Cisco Secure VPN Client on a PC. To connect, the telecommuter user must install the Cisco Secure VPN Client. (You can use other clients—for example the Windows IPSec client—but for the exam, the only tested mechanism is the Cisco Secure VPN Client. The next section covers the Cisco Secure VPN Client and configuration.) The Windows IPSec client is only supported using L2TP over IPSec.

Prior to allowing VPN terminations, the VPN Concentrator must be configured for IP addressing and policies. Figure 5-9 displays the first configuration step, in which the interfaces are assigned an IP address.

Figure 5-9 Concentrator Interface Screen

(Figure callout: Public Routable Address)

Figure 5-9 shows how to assign the static public IP address 131.108.1.2. You can also set the speed and the mode of the interface on that screen. The other remaining options are left at their default settings for this example.

Now you have to perform the same steps for the private interface.

Once the interfaces are configured, you have to add a group and a user to the Concentrator. To do this, choose Configuration > User Management. Choose Groups, because you have to define a group before you can add users to that group. Figure 5-10 displays this configuration step. When you configure the VPN Client in the next section, it will be a lot clearer why Groups are important.

The dialog box in Figure 5-10 has several tabs. You will configure the first three tabs, Identity, General, and IPSec.

Figure 5-10 Concentrator Group Screen

The Group Password option in Figure 5-10 is also the shared key that the client uses to log in to the Concentrator. You also have to define the type of authentication that is used for this group. Users can be authenticated via the following four methods:

■ RADIUS servers

■ Windows NT domain controllers

■ Concentrator internal server

In this example, you use the internal VPN 3000 server authentication database, so the next step is to add a user to the Concentrator on the internal server.

Figure 5-11 displays the network administrator selecting the General tab.

Figure 5-11 Concentrator Group Screen, General Tab

Figure 5-11 displays a number of configurable options:

■ Access Hours—Selected from the drop-down menu, this attribute determines when the Concentrator is open for business for this group. It is currently set to No Restrictions, but you could also select Never, Business Hours (9 a.m. to 5 p.m., Monday through Friday), or a named access hour range that you created elsewhere in the VPN Manager.

■ Simultaneous Logins—The default is 3, and the minimum is 0. There is no upper limit, but security and prudence would suggest that you limit this value to 1.

■ Minimum Password Length—The allowable range is 1 to 32 characters. A value of 8 provides a good level of security for most applications.

■ Allow Alphabetic-Only Passwords—Notice that the box has been unchecked. The default is to allow alphabetic-only passwords, which is a security risk. This value has been modified.

■ Idle Timeout—30 minutes is a good value here. The minimum allowable value is 1, and the maximum is a value that equates to more than 4,000 years. Zero disables idle timeout.

■ Maximum Connect Time—Zero disables maximum connect time. The range here is again 1 minute to more than 4,000 years.

■ Filter—A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter.

■ Primary/Secondary DNS/WINS—These have been modified from the base group's default settings.

■ Tunneling Protocols—IPSec has been selected, but you could allow the group to use PPTP, L2TP, and L2TP over IPSec as well.

■ Strip Realm—The default operation of the VPN Concentrator verifies users against the internal database using a combination of the username and realm qualifier, as in username@group. The @group portion is called the realm.

Once these options are configured, the final page you need to configure covers the IPSec parameters. Figure 5-12 displays a sample configuration.

Figure 5-12 Concentrator Group Screen, IPSec Tab

Figure 5-12 has a number of configurable options:

■ IPSec SA—For remote-access clients, you must select an IPSec Security Association (SA) from this list of available combinations. The client and server negotiate an SA that governs authentication, encryption, encapsulation, key management, and so on based on your selection here. These are the default selections supplied by the VPN Concentrator:

— ESP-DES-MD5—This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic.

— Other options include ESP/MD5/HMAC-128, MD5/HMAC-128, ESP-3DES-MD5, ESP/IKE-3DES-MD5, ESP/MD5/HMAC-128, ESP-3DES-NONE, ESP-L2TP-TRANSPORT, ESP/MD5/HMAC-128, and ESP-3DES-MD5-DH7. DH refers to the Diffie-Hellman algorithm.

■ IKE Peer Identity Validation—This option applies only to VPN tunnel negotiation based on certificates. This field enables you to hold clients to tighter security requirements.

■ IKE Keepalives—This option monitors the continued presence of a remote peer and notifies the remote peer that the Concentrator is still active. If a peer no longer responds to the keepalives, the Concentrator drops the connection, preventing hung connections that could clutter up the Concentrator.

■ Tunnel Type—You can select either LAN-to-LAN or Remote Access as the tunnel type.

■ Group Lock—Checking this field forces the user to be a member of this group when authenticating to the Concentrator.

■ Authentication—This field selects the method of user authentication to use. The available options are as follows:

— None—No user authentication occurs. Use this with L2TP over IPSec.

— RADIUS—Uses an external RADIUS server for authentication.

— RADIUS with Expiry—Uses an external RADIUS server for authentication. Select this to have Microsoft treated as the Client-Vendor, which enables support for the Microsoft Vendor-Specific Attributes (VSAs).

— NT Domain—Uses an external Windows NT Domain system for user authentication.

— SDI—Uses an external RSA Security, Inc. SecurID system for user authentication.

— Internal (option selected)—Uses the internal VPN Concentrator authentication server for user authentication.

■ IPComp—Permits the use of the LZS compression algorithm for IP traffic.
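The Strip Realm option on the General tab and the Group Lock option on the IPSec tab interact at login time. The following added example (not Cisco code, and not from this book) models that interaction against a constructed internal user database: only the user "gschauwe" in group "vpngroup12" comes from the page; the other users, passwords and per-group settings are assumptions.

```python
import hmac

# Constructed internal user database (only "gschauwe"/"vpngroup12" comes
# from the page). A realm-qualified key models the default lookup form
# "username@group" that applies when Strip Realm is off.
USERS = {
    "gschauwe": {"password": "S3cret!pw", "group": "vpngroup12"},
    "tsmith": {"password": "Th1rd!pw", "group": "contractors"},
    "jdoe@contractors": {"password": "An0ther!pw", "group": "contractors"},
}

# Hypothetical per-group settings: Strip Realm (General tab), Group Lock (IPSec tab).
GROUPS = {
    "vpngroup12": {"strip_realm": True, "group_lock": True},
    "contractors": {"strip_realm": False, "group_lock": False},
}


def split_realm(login):
    """Split 'username@realm' into (username, realm); realm is None if absent.
    Only the last '@' separates the realm, so a username containing '@'
    survives intact, and a trailing '@' yields no realm."""
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, None
    return user, (realm or None)


def authenticate(login, password, client_group):
    """Return True if the login passes the internal server for the group the
    client connected with (the group password/IKE stage is not modelled)."""
    policy = GROUPS.get(client_group)
    if policy is None:
        return False
    # Strip Realm on: discard the realm before lookup; off: the whole
    # 'username@realm' string is the database key.
    key = split_realm(login)[0] if policy["strip_realm"] else login
    record = USERS.get(key)
    if record is None:
        return False
    if not hmac.compare_digest(record["password"].encode(), password.encode()):
        return False
    # Group Lock: the user must belong to the group used to connect.
    if policy["group_lock"] and record["group"] != client_group:
        return False
    return True
```

With Group Lock off on "contractors", a user who belongs to "vpngroup12" can still authenticate through the "contractors" group, which is why the text suggests enabling Group Lock when group membership is meant to be enforced.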

Finally, to permit users to authenticate to the VPN Concentrator, you must create users. Figure 5-13 displays the user configuration page.

In Figure 5-13, the user "gschauwe" and a password (hidden) are configured. The user is then assigned to the group you previously made (vpngroup12). You must then click the Apply button to make the changes take effect. Now that the VPN Concentrator is ready to terminate VPN IPSec tunnels, you simply need to enable the clients on the end workstations, namely by configuring the VPN Client. The next section covers the end-station client configuration using the Cisco Secure VPN Client.

NOTE To be a real expert, rather than just pass the written exam, you are encouraged to research more details on the Cisco VPN Concentrator at http://www.cisco.com/security/ and in Chapter 8 of this book.
