A

Access Rights screen (VPN 3000 Series Concentrator), administration, 316-322 Action options, applying to filter rules, 273 adding filter rules to VPN Client, 272 addressing assignment method, configuring on VPN 3000 Series Concentrator, 147 admin password, configuring on VPN 3000 Series Concentrator, 150 Administer Sessions screen (VPN 3000 Series Concentrator), administration, 310 administering VPN 3000 Series Concentrators, 307 Access Rights screen, 316-322 Administer Session screen, 310...

Access Control List

The Administration Access Rights Access Control List screen allows for adding, modifying, and prioritizing access lists. These access lists are used to determine those IP addresses that may access the concentrator for management functions. It is important to note that this access is not limited to HTTP and Telnet access. The access lists are also used to define those IP addresses that may be used for SNMP, FTP, and TFTP purposes. If the list is empty, as shown in Figure 7-16, then all stations...

Access Settings

The Administration Access Rights Access Settings screen, shown in Figure 7-17, sets the session idle timeout, sets the session limit, and enables configuration file encryption. Figure 7-17 Administration Access Rights Access Settings The Session Idle Timeout is entered in seconds. This specifies the amount of time that a connection is maintained without any activity on that session. After the timeout period without any activity, the...

Acknowledgments

Writing this book has provided me with an opportunity to work with some very fine individuals. I want to thank Brett Bartow from Cisco Press for believing in the project and for getting the ball rolling. I would also like to thank him for turning this project over to Michelle Grandin, Cisco Press, for editorial support. Michelle helped me in many ways during this project and was always there to lend an encouraging word or a guiding hand. Dayna Isley, Cisco Press, provided developmental guidance...

Administering the Cisco VPN 3000 Series Concentrator

To administer the Cisco VPN Concentrator, set the URL of your web browser to the IP address of your concentrator. Alternatively, if your DNS server will resolve the host name, you may enter the host name of the concentrator. You will see a screen similar to that shown in Figure 7-2. Once this screen is shown, enter a username and password. Later in this chapter you learn how to administer users and passwords. Click the Login button to...

Administration

The Administration screen is shown in Figure 3-11. Figure 3-11 VPN Concentrator Manager Administration This section of the Manager lets you control VPN 3000 Concentrator administrative functions. In the left frame, or in the list of links below, click the function you want: Administer Sessions -- statistics and logout for all sessions. Software Update -- update concentrator and client software. System Reboot -- system reboot options. Ping -- use ICMP ping to determine connectivity. Monitoring Refresh...

Administrators

The Administration Access Rights Administrators screen, shown in Figure 7-13, is used to add those users who are allowed to access the concentrator's Configuration, Administration, and Monitoring functions. Up to five users may be allowed this type of access. To add a user, click the Modify button next to a username that is blank. Modifying a user is accomplished by clicking the Modify button next to a username that is not blank. Enabling the Administrator option gives the user full rights to...

Allow Secured Communications

Once the IPSec SAs have been established in Step 3, secured traffic can be exchanged over the connection. IP packets across this IPSec tunnel are authenticated and/or encrypted, depending on the transform set selected. Figure 2-13 shows the use of a secure IPSec tunnel between peers.

Authenticating IPSec Peers and Forming Security Associations

The protocol that brings all the previously mentioned protocols together is the Internet Key Exchange (IKE) Protocol. IKE operates in two separate phases when establishing IPSec VPNs. In IKE Phase 1, it is IKE's responsibility to authenticate the IPSec peers, negotiate an IKE security association between peers, and initiate a secure tunnel for IPSec using the Internet Security Association and Key Management Protocol (ISAKMP). In IKE Phase 2, the peers use the authenticated, secure tunnel from...

Authentication

The Administration AAA Servers Authentication screen is used to add, modify, and test TACACS+ servers. A sample screen is shown in Figure 7-19. Figure 7-19 Administration AAA Servers Authentication As with other screens of this type, choosing Add will allow you to add a new item, while Modify will allow changes to a chosen item. You may also move the order of the server entries and delete server entries, as well as test a connection to a...

Authentication Process

As part of the process of establishing the IPSec connection between Alpha and Theta, they each need to authenticate the identity of the other. Alpha sends its identity certificate to Theta. Theta performs a hashing algorithm on the certificate and calculates a hash value. Alpha's certificate says that Omega signed the certificate, so Theta then takes the CA's public key from the root certificate that Theta received from Omega and uses that public key to decrypt the signature of Alpha's identity...

B

VPN 3002 configuration, 412-413 branch office VPN routers, 28 browser-based manager, performing Quick Configuration for Cisco VPN 3000 Concentrator, 141, 144 address assignment method, 147 admin password, 150 interface settings, 144-146 internal authentication, 148 IPSec tunnel group, 149 system information, 146 tunneling protocol, 147 user authentication method, 148 business VPN applications, 21 business-to-business extranet VPNs, 25 remote access, 22-23 caveats of implementing, 23...

Backup Servers

There are nine items you need to remember regarding backup servers: A backup server list can only be downloaded from a primary VPN concentrator. A backup concentrator is contacted ONLY if the list already exists. The VPN 3002 Hardware Client must be connected to a primary VPN concentrator to know of changes. On a VPN 3002 Hardware Client, set the backup servers through Configuration > System > Tunneling Protocols > IPSec. On the VPN concentrator, set them through Configuration > User Management > Base Group...

Between two networks connected through a nontrusted network

4 When setting up network lists, how should the lists at each side of the LAN-to-LAN connection relate to each other? They must be reflective of each other. The network lists reflect the networks that are coming into the concentrator, therefore referencing the network on the opposite side of where the network list is configured. 5 You attempted to configure a LAN-to-LAN connection, but cannot see a specific network on one side of the connection. What is the most likely problem? Most likely, the...

Business-to-Business Extranet VPNs

Business-to-business extranet VPNs are the VPNs that give corporate network access to customers, suppliers, business partners, or other interested communities who are not employees of the corporation. Extranet VPNs use a combination of the same infrastructures that are used by remote access and intranet VPNs. The difference is found in the privileges that are extended to the extranet users. Security policies can limit access by protocol, ports, user identity, time of day, source or destination...

C

CAs (Certificate Authorities), 50, 53 authentication process, 225 configuring on Cisco VPN 3000 Series manual SCEP authentication, 228-230 preshared key SCEP authentication, 230 via PKCS 10, 233-235 via SCEP, 228, 236 454-455 hierarchies, 225 Internet-based, 247 PKCS 10 certificate requests, 222-224 services, 221-222 vendors, 231 CBC (Cipher Block Chaining), 47 central CA structure, 225 central hub VPN routers, 28 certificate management, 454 Certificate Management screen, Cisco VPN 3000 Series...

CA Hierarchies

There are two basic types of CA structures: central and hierarchical. When the root CA creates and issues the identity certificate directly from PKCS 10 requests, as shown in Figure 5-2, that is called a central CA structure. The root CA generates all identity certificates in a central CA structure. Hierarchical CA structures occur when subordinate CAs are involved in the process of issuing certificates. The subordinate CAs enroll with the root CA and receive identity and root certificates. The...

CA Vendors and Products that Support Cisco VPN Products

The Cisco VPN 3000 Concentrator Series works with the following Internet-based CAs: Entrust Technologies (www.entrust.com), VeriSign, Inc. (www.verisign.com), and Baltimore Technologies (www.baltimoretechnologies.com). These vendors provide digital certificates and all the associated management and maintenance support, for a fee. Well-established and reliable, these services can fill the needs of small- to mid-sized businesses without the need to set up internal CA support. As your business grows, you...

CCSP Self Study

CCSP Cisco Secure VPN Exam Certification Guide Copyright 2003 Cisco Systems, Inc. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 First Printing April 2003 Library...

Certificate Authorities

Another method of handling keys that does not take a lot of administrative support is to use Certificate Authorities (CAs) as a trusted entity for issuing and revoking digital certificates and for providing a means to verify the authenticity of those certificates. CAs are usually third-party agents such as VeriSign or Entrust, but for cost savings, you could also set up your own CA using Windows 2000 Certificate Services. The following list describes how CAs work: 1 A client that wants to use...

Certificate Generation and Enrollment

CAs do not create public/private key pairs for hosts. CAs only provide a means to share public keys (digital certificates) and attest to the authenticity of the keys. The responsibility for generating the key pairs resides with the host, so the host software must be capable of generating the key pairs and storing the private key, root certificate, and identity certificate. Cisco VPN Concentrators and the Cisco VPN Client have that capability. Normally, the process of generating the keys and then...

Certificate Manager

The Administration Certificate Manager screen allows you to...

Monitoring the Cisco VPN 3000 Series Concentrator

Figure 7-49 shows the Monitoring screen. Figure 7-49 Monitoring Screen Table 7-5 describes the Monitoring screen menu options. Table 7-5 Monitoring Menu System Main screen for monitoring the VPN 3000 Concentrator. Enables all of...

Certificate Requests

When two hosts want to use digital certificates to secure communications between them, each host must contact the same CA and enroll its identity and public key with the CA. Enrollment is a multistep process on many systems. First, a host that wants to use digital certificates creates a pair of keys, one public and one private. Next, the host prepares a Public Key Cryptography Standards (PKCS) 10 certificate request. Finally, this PKCS 10 certificate request and the host's public key are then...

Certificate Revocation

Whenever a VPN concentrator receives an identity certificate from a peer during IKE Phase 1, the concentrator performs three tests on the certificate before going through the authentication process shown in Figure 5-3. Those three tests are as follows: Did a trusted CA sign the certificate? The concentrator must hold a root certificate from the CA before it can accept identity certificates that were created by that CA. Has the certificate expired? The concentrator checks the Valid From date and...

Certificate Revocation Lists

The Administration Certificate Management screen, shown in Figure 5-16, is a starting point for many certificate functions. As you study the screen, you can see that it is separated into four different sections, one for each of the three certificate types and one for pending certificates in the enrollment process. This screen provides a quick overview of the certificates, including the certificate expiration date. The Certificate Management screen is the starting point for configuring CRL...

Certificate Validation

Once the CA returns the identity certificate to the concentrator, the certificate must be validated before it can be installed. The concentrator does this for you by performing the authentication steps shown in Figure 5-3. To restate those steps, the concentrator calculates a hash of the certificate while decrypting the signature using the CA's public key to discover the hash created by the CA. If the two hash values match, the certificate has been authenticated as to origin. Before performing...

Certificate Validation and Authentication Process

The following list outlines the certificate validation and authentication process: Step 1 Certificate signed by trusted CA? Has a CA certificate been installed on the concentrator for this CA? Step 2 Certificate still valid? Does the current date fall within the start and end dates of the certificate? Step 3 Certificate revoked? Does the certificate's serial number exist on the CA's CRL? Step 4 Certificate authenticated? Reasonable assurance that the certificate has not been altered. (a) Calculate hash...

Scenarios 47S

Site Descriptions 474 Detroit 474 Portland 474 Seattle 474 Memphis 474 Richmond 475 Terry and Carol 475 Scenario 11-1 The Basics 475 IKE Policy 475 IPSec Policy 476 Scenario 11-1 Answers 478 IKE Policy 478 IPSec Policy 479 Detroit VPN 3030 Concentrator and Router (Generic for All) 479 Detroit VPN 3030 Concentrator for Portland 480 Portland VPN 3002 Hardware Client 481 Detroit VPN 3030 Concentrator for Seattle 482 Seattle VPN 3002 Hardware Client 482 Detroit VPN 3030 Concentrator for Memphis 483...

Overview of VPN and IPSec Technologies

How to Best Use This Chapter 15 Do I Know This Already Quiz 16 Cisco VPN Product Line 21 Enabling VPN Applications Through Cisco Products 21 Typical VPN Applications 21 Using Cisco VPN Products 26 An Overview of IPSec Protocols 36 The IPSec Protocols 39 Security Associations 46 Existing Protocols Used in the IPSec Process 47 Authenticating IPSec Peers and Forming Security Associations 54 Combining Protocols into Transform Sets 54 Step 1 Interesting Traffic Triggers IPSec Process 59 Step 2...

Chapter 2 Q&A

1 What are the Cisco hardware product families that support IPSec VPN technology? Cisco IOS Software routers, PIX Firewalls, and VPN 3000 Series Concentrators, including the VPN 3002 Hardware Client, support IPSec VPN technology. 2 What are the two IPSec protocols? The two IPSec protocols are Authentication Header (AH) and Encapsulating Security Payload (ESP). 3 What are the three major VPN categories? The three major VPN categories are remote access, intranet (site-to-site), and extranet...

Cisco VPN 3000 Concentrator Series Hardware Overview

Do I Know This Already Quiz 80 Major Advantages of Cisco VPN 3000 Series Concentrators 85 Ease of Deployment and Use 87 Performance and Scalability 87 Security 90 Fault Tolerance 94 Management Interface 94 Ease of Upgrades 99 Cisco Secure VPN Concentrators Comparison and Features 100 Cisco VPN 3005 Concentrator 101 Cisco VPN 3015 Concentrator 102 Cisco VPN 3030 Concentrator 103 Cisco VPN 3060 Concentrator 104 Cisco VPN 3080 Concentrator 104 Cisco VPN 3000 Concentrator Series LED Indicators 105...

Chapter 3 Do I Know This Already?

1 What models are available in the Cisco VPN 3000 Concentrator Series? Five models are available in the Cisco VPN 3000 Concentrator Series: VPN 3005, VPN 3015, VPN 3030, VPN 3060, and VPN 3080. 2 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3015 Concentrator? The Cisco VPN 3015 Concentrator supports up to 100 simultaneous sessions. 3 What is the maximum number of simultaneous sessions that can be supported on the Cisco VPN 3080 Concentrator? The Cisco...

Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys 125

Do I Know This Already Quiz 126 Using VPNs for Remote Access with Preshared Keys 132 Unique Preshared Keys 132 Group Preshared Keys 133 Wildcard Preshared Keys 133 Cisco VPN 3000 Concentrator Configuration Requirements 135 Cisco VPN 3000 Concentrator Initial Configuration 136 Configuring IPSec with Preshared Keys Through the VPN 3000 Concentrator Series Manager 152 Advanced Configuration of the VPN Concentrator 169 Installing and Configuring the VPN Client 174 Overview of the VPN Client 174 VPN...

Chapter 4 Do I Know This Already?

1 What methods can you use for user authentication on the Cisco VPN 3000 Series Concentrators? You can configure the VPN concentrators to use RADIUS, NT Domain, Security Dynamics International (SDI), and internal user authentication. 2 What methods can you use for device authentication between VPN peers? You can accomplish device authentication between VPN peers by using either preshared keys or digital certificates. 3 What are the three types of preshared keys? Preshared keys can be unique,...

Chapter 4 Q&A

1 Where would you normally use unique preshared keys? You would normally use unique preshared keys in site-to-site VPNs. 2 To use a web browser to access the VPN Manager application on VPN concentrators, what features must you enable on the browser? You must enable both JavaScript and cookies on the browser to access the VPN Manager. 3 What information is required to configure a LAN interface on the VPN concentrator? You must supply the IP address, subnet mask, speed, and duplex mode to configure...

Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates 215

Do I Know This Already Quiz 217 Digital Certificates and Certificate Authorities 221 The CA Architecture 221 Simple Certificate Enrollment Process Authentication Methods 228 CA Vendors and Products that Support Cisco VPN Products 231 Digital Certificate Support Through the VPN 3000 Concentrator Series Manager 232 Certificate Generation and Enrollment 232 Certificate Validation 237 Certificate Revocation Lists 237 IKE Configuration 239 Configuring the VPN Client for CA Support 241 PKCS 10...

Chapter 5 Q&A

1 What must be in place on a client's PC before you can configure the VPN Client for certificate support? Before you can configure the VPN Client for certificate support, you must install a root certificate and an identity certificate in the browser. 2 What two methods are available on the VPN concentrator for installing certificates obtained through manual enrollment? To install certificates on the VPN concentrator that were obtained through manual enrollment, you can either cut and paste the...

Configuring the Cisco VPN Client Firewall Feature 259

Do I Know This Already Quiz 260 Cisco VPN Client Firewall Feature Overview 265 The Stateful Firewall (Always On) Feature 267 The Are You There Feature 269 Configuring Firewall Filter Rules 269 Name, Direction, and Action 273 Protocol and TCP Connection 273 Source Address and Destination Address 274 TCP/UDP Source and Destination Ports 274 ICMP Packet Type 276 Configuring the Stateful Firewall 276 Configuring the VPN Concentrator for Firewall Usage 277 Firewall Setting 278 Firewall 279 Custom...

Monitoring and Administering the VPN 3000 Series Concentrator 303

Do I Know This Already Quiz 304 Administering the Cisco VPN 3000 Series Concentrator 307 Administer Sessions 310 Software Update 310 System Reboot 313 Ping 315 Monitoring Refresh 315 Access Rights 316 File Management 322 Certificate Manager 323 Monitoring the Cisco VPN 3000 Series Concentrator 324 Routing Table 326 Event Log Screen 326 System Status 327 Administering the Cisco VPN 3000 Series Concentrator 338 Software Update 341 Concentrator 342 Clients 342 Monitoring Refresh 344 Access Rights...

Configuring Cisco 3002 Hardware Client for Remote Access 359

Do I Know This Already Quiz 361 Verify IKE and IPSec Configuration 368 Setting debug Levels 369 Configuring VPN 3002 Hardware Client and LAN Extension Modes 371 Split Tunneling 374 Unit and User Authentication for the VPN 3002 Hardware Client 375 Configuring the Head-End VPN Concentrator 376 Configuring Unit and User Authentication 380 Interactive Hardware Client and Individual User Authentication 381 Configuring Individual User Authentication on the VPN 3000 Concentrator 388

Chapter 8 Do I Know This Already?

1 What screen is used on the head-end concentrator to demand the use of preshared keys? The Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN > Modify screen is used to demand preshared keys from a VPN 3000 Series Concentrator. 2 You need to allow the main office to use PC Anywhere to connect to three separate machines at the remote office over the VPN. What mode must you use? You must use Network Extension mode because all the machines at the remote office will appear as a single IP...

Chapter 8 Q&A

1 What screen is used on the head-end concentrator to demand the use of preshared keys? The Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN > Modify screen is used to demand preshared keys from the VPN 3002 Hardware Client. 2 Name five items to check when you are unable to connect a VPN tunnel and you are receiving IKE failures on Phase 1. The five items to check when receiving Phase 1 errors are: Xauth is required, but the proposal does not support Xauth. Check the priorities of IKE...

Configuring Scalability Features of the VPN 3002 Hardware Client 399

Do I Know This Already Quiz 400 VPN 3002 Hardware Client Reverse Route Injection 407 Setting Up the VPN Concentrator Using RIPv2 407 Setting Up the VPN Concentrator Using OSPF 408 Configuring VPN 3002 Hardware Client Reverse Route Injection 409 VPN 3002 Hardware Client Backup Servers 412 VPN 3002 Hardware Client Load Balancing 414 Overview of Port Address Translation 416 IPSec on the VPN 3002 Hardware Client 418 IPSec Over TCP/IP 418 UDP NAT Transparent IPSec (IPSec Over UDP) 419...

Chapter Glossary

The following terms were introduced in this chapter or have special significance to the topics within this chapter: Are You There (AYT): A process where the VPN Client enforces firewall policy defined on the local firewall by monitoring that firewall to make sure it is running. The client sends periodic "Are you there" messages to the firewall. If no response is received, the VPN Client terminates the connection to the VPN concentrator. classless interdomain routing (CIDR): Technique supported by...

Cisco Internet Mobile Office

The Cisco Internet Mobile Office is a program that aims to bring secure, flexible, manageable, and scalable VPN support to users on the road, at home, and at work. In fact, the three phases of Cisco Mobile Office are called On The Road, At Home, and At Work. Cisco Mobile Office On The Road is a global collaborative effort designed to provide secure, high-speed Internet and intranet access from public facilities such as airports and hotels. Using wireless LANs and many of the routers, firewalls,...

Cisco PIX Firewalls

The next set of major hardware components that support VPNs are the series of Cisco PIX Firewalls. The PIX Firewalls feature a hardened, purpose-built operating system and provide a wide range of security and networking services. Along with IPSec VPN support, the PIX Firewalls also support PPTP and L2TP VPNs from Microsoft Windows clients. Network Address Translation (NAT), Port Address Translation (PAT), content and URL filtering, Remote Authentication Dial-In User Service (RADIUS) and...

Cisco Secure VPN Client Features

Cisco VPN 3000 Concentrator Series client support: Cisco now offers two types of clients that can be used to negotiate and maintain IPSec VPN tunnels with Cisco VPN 3000 Series Concentrators, as well as equipment from other hardware vendors that support the full standards-based implementation of IPSec. The Cisco VPN Client is shipped with every VPN concentrator that Cisco sells. The Cisco VPN Client is supplied at no extra charge, is licensed for an unlimited number of installations, and can...

Cisco VPN 3000 Concentrator Configuration Requirements

Figure 4-2 shows a typical VPN concentrator configuration using a Cisco VPN 3005 Concentrator. The Public interface connects to the Internet through a security device such as a firewall or border router (not shown in this diagram). The Private interface connects to the local network, in this case supporting Domain Name System (DNS), Windows Internet Naming Service (WINS), and DHCP servers. On those models that have a third interface, you can establish a demilitarized zone (DMZ), which could...

Cisco VPN 3000 Concentrator Initial Configuration

When the Cisco VPN 3000 Concentrator is powered on for the first time, it boots up the factory default configuration, which offers a Quick Configuration option. The data requested by the Quick Configuration mode are enough to make the concentrator operational. Once you have the basic configuration entered through this mode, you can fine-tune the configuration through normal menu options. The Quick Configuration can be accomplished from the CLI, but the HTML version of the concentrator manager...

Cisco VPN 3000 Concentrators

Cisco identified the need for a purpose-built, remote access VPN device and developed the Cisco VPN 3000 Series Concentrator family of products. While much of the rest of this book deals with these devices, this section introduces them along with the other VPN products. The Cisco VPN 3000 Series Concentrator was designed to be a high-performance, scalable solution offering high availability and state-of-the-art encryption and authentication techniques. Scalable Encryption Processor (SEP)...

Cisco VPN 3000 LAN-to-LAN with Preshared Keys

One of the great benefits to using a VPN Concentrator is the ability to connect disparate LANs in a secure manner. For example, having your LAN in New York appear to be directly connected to the LAN in London makes administration of domains and user rights much easier for the systems administrator. You accomplish this by creating a secure VPN from your concentrator to another concentrator, router, or PIX firewall at the remote site. Although it is certainly permissible and sometimes advisable...

Cisco VPN 3002 Hardware Client

The Cisco VPN 3002 Hardware Client was designed for remote office environments that normally have little direct IT support. These facilities need an easy-to-install, scalable, reliable, stable platform that can support any attached TCP/IP device, regardless of the operating system. The VPN 3002 is just such a device. Figure 3-18 shows the Cisco VPN 3002 Hardware Client equipped with the optional 8-port Ethernet switch. Figure 3-18 Cisco VPN 3002 Hardware Client The Cisco VPN 3002 Hardware Client...

Cisco VPN 3005 Concentrator

Designed for small- to medium-sized organizations, the Cisco VPN 3005 Concentrator can deliver up to full-duplex T1/E1, 4 Mbps of encryption throughput, and support for up to 100 simultaneous sessions. Figure 3-14 shows front and rear views of the 3005 chassis. Figure 3-14 Cisco VPN 3005 Concentrator Table 3-3 shows the major features of the Cisco VPN 3005 Concentrator. Notice that encryption is performed in software on this system and that the system is not upgradeable. Table 3-3 Cisco VPN 3005...

Cisco VPN 3015 Concentrator

Also designed for small- to medium-sized organizations, the Cisco VPN 3015 Concentrator can deliver up to full-duplex T1/E1, 4 Mbps of encryption throughput, and support for up to 100 simultaneous sessions. The biggest difference between the 3005 and 3015 concentrators is the fact that the 3015 is upgradeable, whereas the 3005 is not. Figure 3-15 shows front and rear views of the 3015, 3030, 3060, and 3080 chassis. These models all share the same case. Figure 3-15 Cisco VPN 3015 Concentrator...

Cisco VPN 3060 Concentrator

Designed for large organizations requiring high performance and reliability, the Cisco VPN 3060 Concentrator can deliver from fractional T3 through T3/E3 or greater, 100 Mbps of encryption throughput, and support for up to 5000 simultaneous sessions. Table 3-6 shows the major features of the Cisco VPN 3060 Concentrator. The 3060 VPN Concentrator uses SEPs to perform hardware encryption and can be purchased in either redundant or nonredundant configurations. This system is field-upgradeable to...

Cisco VPN 3080 Concentrator

Designed for large organizations demanding the highest level of performance and reliability, the Cisco VPN 3080 Concentrator delivers 100 Mbps of encryption throughput and support for up to 10,000 simultaneous sessions. Table 3-7 shows the major features of the Cisco VPN 3080 Concentrator. The 3080 VPN Concentrator uses SEPs to perform hardware encryption and is available only in a fully redundant configuration. The 3080 is the top of the line and is not upgradeable. Table 3-7 Cisco VPN 3080...

Cisco VPN Client

Sometimes called the Unity Client, the Cisco VPN Client is the current iteration of the Cisco VPN 3000 Client. This software comes bundled as a no-cost extra with Cisco VPN 3000 Series Concentrators and allows end stations to establish IPSec VPNs to any Cisco remote access VPN product at a central site. Although relatively easy to configure, the client can be preconfigured for mass deployments, making the initial configuration even easier. This method of installation is performed by pushing the...

Cisco VPN Client Firewall Feature Overview

Table 6-9 highlights the abilities of the VPN Client. Table 6-9 VPN Client Abilities Tunneling protocols supported are as follows: IP Security-Encapsulating Security Payload (IPSec-ESP). Encryption and authentication protocols: Encryption and authentication methods supported include the following: IPSec (ESP) with Data Encryption Standard (DES)/3DES (56/168 bits) or AES (128/256-bit) with Message Digest 5 (MD5) or SHA. Key...

Cisco VPN Routers

Cisco VPN routers are the best choice for constructing intranet or extranet site-to-site VPNs. These routers use Cisco IOS Software and can be used to deliver multicast, routing, and multiprotocol across the VPN. You can enable quality of service (QoS) on these devices, and the firewall feature option can turn these routers into robust firewalls. Some routers also have integrated DSL and cable modems to provide VPN access to small offices home offices (SOHOs). Some VPN routers can be equipped...

Client and LAN Extension Modes

Table 8-3 compares Client mode and LAN Extension mode. Table 8-3 Client Versus LAN Extension Mode All devices appear at the head-end as one device with the IP address of the outside interface of the VPN 3002 Hardware Client. Each device is seen at the head-end with its individual IP address. This is the default on the head-end concentrator. This must be configured at the head-end and on the VPN...

Clients

The Administration Software Update Clients screen is used to update hardware and software clients when they become connected to the concentrator. This screen is shown in Figure 7-8. The Group pull-down menu allows you to update all groups or any one group. The process for updating the client is the same as on the concentrator. You choose a file using a Browse function. The requirement to update the client is controlled through the Configuration User Management Groups screen. This is discussed...

Combining Protocols into Transform Sets

Configuring IPSec in Cisco devices is fairly simple. You need to identify the five parameters that IKE uses in Phase 1 to authenticate peers and establish the secure tunnel. Those five parameters and their default settings for the VPN 3000 Concentrator Series are as follows: Encryption algorithm: 56-bit DES (default) or the stronger 168-bit 3DES. Hash algorithm: MD5 (default) or the stronger SHA-1. Authentication method: Preshared keys, RSA encrypted nonces, or the most secure, RSA digital...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Vertical bars (|) separate alternative, mutually exclusive elements. Square brackets ([ ]) indicate optional elements. Braces ({ }) indicate a required choice. Braces within brackets ([{ }]) indicate a required choice within an optional element. Boldface indicates commands and keywords that are entered literally as shown. In actual...

Complete Configuration Table of Contents

Table 4-5 shows the complete configuration table of contents (TOC). Table 4-5 Complete Expansion of the Configuration TOC...

Complete Monitoring Table of Contents

Table 4-7 shows the complete monitoring table of contents (TOC). Table 4-7 Complete Expansion of the Monitoring TOC

Concentrator

The Administration Software Update Concentrator screen is shown in Figure 7-7. This screen shows the current version of the software and allows you to upload a new version to the concentrator. Figure 7-7 Administration Software Update Concentrator. The Browse button is used to find the file you wish to upload on the workstation being used for configuration or from the network. After uploading the file, you will be prompted to move to the...

Configuration

Figure 3-9 shows the Configuration menu that appears when you click that option from the main menu. This menu identifies the four subheadings under the Configuration portion of the manager: Interfaces, System, User Management, and Policy Management. Figure 3-9 VPN Concentrator Manager Configuration (screen text: This section of the Manager lets you configure all VPN 3000 Concentrator features. In the left frame, or in the list of links below, click the feature you want to configure. Interfaces -- Ethernet...

Configuration Policy Management

Policies control the actions of users as they connect to the VPN concentrator. User management determines which users are allowed to use the device. Policy management determines when users can connect, from where they can connect, and what kind of data is permitted in the tunnels. This section of the VPN Manager establishes filters that determine whether to forward or drop packets and whether to pass the traffic through a tunnel or to send it in the clear. Filters are applied to interfaces,...

Configuration System

The functions that fall under the Configuration System section have to do with configuring parameters for system-wide functions in the VPN concentrator. The following subcategories under System let you control the VPN concentrator (Configuration System ... through Configuration System Load Balancing Cisco VPN Clients). The following sections describe each subcategory in more detail.

Configuration System Client Update

You can configure the Cisco VPN 3000 Concentrators to manage client updates for VPN Client and VPN 3002 Hardware Clients. In the case of the software clients, the concentrator notifies the clients of the acceptable client versions and provides the location where the appropriate versions can be obtained. For VPN 3002 Hardware Clients, the concentrator pushes the correct version to the client via TFTP. This section of the VPN 3000 Concentrator Manager lets you configure the client update feature,...

Configuration System Events

Significant occurrences within or that could affect a VPN 3000 Concentrator are classified as events. Typical events include alarms, traps, error conditions, network problems, task completions, breaches of threshold levels, and status changes. Events are stored in an event log in nonvolatile memory. Events can also be sent to a backup server via FTP or to Syslog servers. Events can be identified to trigger console messages, send e-mail messages, or send SNMP system traps. Event attributes...

Configuration System IP Routing

Cisco VPN 3000 Concentrators have the ability to act as routers for IP traffic. This allows the concentrator to communicate with other routers in the network to determine the best path for traffic to take. This section of the VPN Manager allows you to configure the following: Static Routes: manually configured routing tables. Default Gateways: routes for traffic for which routes cannot be determined. OSPF: Open Shortest Path First routing protocol. OSPF Areas: subnet areas within the OSPF domain. DHCP...

Configuration System Load Balancing Cisco VPN Clients

When you have two or more VPN 3000 Concentrators on the same subnet handling remote access VPN services, you can group those devices together to perform load balancing across the devices. The private and public subnets are grouped into a virtual cluster. One of the concentrators acts as the cluster master and directs incoming calls to the device that has the smallest load, including itself. If, for any reason, the master fails, one of the other concentrators in the cluster takes over the role....

Configuration System Management Protocols

The Configuration System Management Protocols portion of the VPN Manager allows you to control various management protocols and servers. These utilities can be an asset to you in managing your total network. Those management protocols are as follows: FTP: File Transfer Protocol. HTTP/HTTPS: Hypertext Transfer Protocol and HTTP over SSL (Secure Sockets Layer). TFTP: Trivial File Transfer Protocol. Telnet: terminal emulation protocol, and Telnet over SSL. SNMP: Simple Network Management Protocol...

Configuration System Servers

The Configuration System Servers section of the VPN Manager allows you to configure the various types of servers that communicate with the concentrator. Those servers include the following: Authentication Servers: used for user authentication. Accounting Servers: used for RADIUS user accounting. DNS Servers: Domain Name System address lookup functions. DHCP Servers: Dynamic Host Configuration Protocol to assign IP addresses for client connections. Firewall Servers: firewall enforcement by means of the...

Configuration User Management

Configuration User Management is the section that you used in the Configuring IPSec with Preshared Keys Through the VPN 3000 Concentrator Series Manager section of this chapter to configure the group for remote access with preshared keys. In addition to working with specific groups, this section is used to configure the Base Group and to manage user accounts for the internal authentication database. With the default settings, new groups inherit the attributes of the Base Group. Those attributes...

Configure Preshared Keys

To configure preshared keys, follow these steps. Step 1: On the concentrator, go to the Configuration System Tunneling Protocols IPSec LAN-to-LAN Modify screen. Step 2: Set the IP address of the peer. Step 4: On the VPN 3002 Hardware Client, go to the Configuration System Tunneling Protocols IPSec screen. Step 5: Make sure that the Use Certificate box is not checked. Step 6: Enter the group and password. Step 7: Enter the user, username, and password.

Configuring Address Assignment Method

After you have selected the protocol to use, you must select the method the VPN concentrator is to use to assign an address to clients as they establish tunnels with the concentrator. The method of address assignment selected in Figure 4-11 is to use a DHCP server. You could select multiple methods; the concentrator tries each method in order until it succeeds in assigning an address to the client. Figure 4-11 Configuration Quick Address Assignment...

Configuring Cisco 3002 Hardware Client for Remote Access

This chapter deals with configuring the VPN 3002 Hardware Client for remote access. These configuration tasks include using preshared keys, setting the VPN 3002 Hardware Client to use client and LAN Extension modes, and setting up individual authentication. Chapter 3, Cisco VPN 3000 Concentrator Series Hardware Overview, gave a brief overview of Cisco's VPN 3002 Hardware Client. From that discussion, you might remember that the VPN 3002 Hardware Client is a full-featured VPN client designed for...

Configuring Cisco VPN 3000 for Remote Access Using Digital Certificates

Chapter 4, Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys, discussed the opportunity of using preshared keys for device authentication between VPN peers, specifically between a remote access client and the VPN 3000 Concentrator. An IPSec group was defined on the VPN concentrator, and that group and its associated password were used as the preshared key for the VPN Client application. While the process of using preshared keys is simple when using the Cisco VPN Concentrator and...

Configuring Cisco VPN 3000 for Remote Access Using Preshared Keys

From a procedural perspective, it is easier to configure the Cisco VPN 3000 Concentrator Series for remote access using preshared keys. While the alternative method is to use the services of a Certificate Authority (CA), that method entails additional steps. Using preshared keys, the client only needs to know the address of the VPN concentrator and the shared secret key. While VPN configuration is relatively easy with preshared keys, this manual process does not scale well for large...

Configuring Client RRI

Client RRI, where the client injects its routes into the VPN concentrator, is configured through the Configuration System IP Routing Reverse Route Injection screen on the VPN concentrator (see Figure 9-6). Select the Client Reverse Route Injection checkbox to enable this feature. Figure 9-6 Configuration System IP Routing Reverse Route Injection

Configuring Firewall Filter Rules

Guidelines for configuring firewall filtering rules are as follows: Do not use the default rules in a real network. For the default rules, the source and destination addresses are 0.0.0.0 255.255.255.255. VRRP uses 224.0.0.18 0.0.0.0. Rules for the client are written from the client's point of view. The filter is read from the top down until a rule is found that matches the data and other conditions, or until the end of the filter is reached. Rules are configured on the Configuration Policy Management Traffic Management...

Configuring Hold Down Routes

Hold-down routes are used to make remote VPN connections appear active even when no VPN tunnel is up. This enhances the stability and speed of network topology calculations by the routing protocols: because the networks appear to be available at all times, the routing protocols do not have to recalculate the topology every time a VPN connection is established or dropped. Hold-down routes are entered on the Configuration System IP Routing Reverse Route Injection...

Configuring Individual User Authentication on the VPN 3000 Concentrator

Follow these steps to configure individual user authentication on the VPN 3000 Series. Step 1: Use the Configuration User Management Groups Modify screen and choose the appropriate group. Step 2: Choose the General tab and set the WINS and DNS. Step 3: Choose the IPSec tab, set the tunnel type to Remote Access, and choose your authentication type. Step 4: Click the Mode Config tab and select what to tunnel. Step 5: Click the HW Client tab and check Require Individual User Authentication. Step 6: Go to...

Configuring IPSec with Preshared Keys Through the VPN 3000 Concentrator Series Manager

The Quick Configuration allows you to configure the basic operational settings of the concentrator, but the IPSec settings have not been established yet. Those settings are made using features in the Configuration portion of the Cisco VPN 3000 Concentrator Manager. Figure 4-18 shows the Main screen that appears after you log in to the concentrator through VPN Manager. Normally the root Configuration, Administration, and Monitoring levels are the only options displayed in the table of contents....

Configuring LANtoLAN with Autodiscovery

The only configuration change necessary to enable Autodiscovery is made through the Configuration System Tunneling Protocols IPSec LAN-to-LAN Modify screen. Here, you choose Autodiscovery instead of Network Lists. Remember that RIP is the only protocol available for use with Autodiscovery. Figure 9-4 Configuration System Tunneling Protocols IPSec LAN-to-LAN Modify

Configuring Remaining Interface Settings

When you click to start Quick Configuration, the VPN Manager displays the IP Interfaces screen. If your system is a 3005 series with only two fixed interfaces, the screen looks like that shown in Figure 4-6. Notice that the screen's title bar shows the complete path to this screen (Configuration Quick IP Interfaces), as it would be shown if you had worked down to this screen through the table of contents. This 3005 display shows that the Private interface is configured and operational and that...

Configuring Scalability Features of the VPN 3002 Hardware Client

A major issue on any network design is planning for the ability of the network to grow as the needs of the company grow. This chapter deals with some of the issues you will face when planning and implementing networks using the Cisco VPN 3002 Hardware Client. By combining hardware and software, the VPN 3002 Hardware Client provides for the scalability of software while the hardware provides stability and reliability. This combination makes the VPN 3002 Hardware Client an ideal solution that...

Configuring the Admin Password

The final setting that you should configure during the Quick Configuration is the password for the admin user. Figure 4-15 shows the Quick Configuration screen for completing this task and displays the message that strongly recommends changing the admin password. For maximum password security, select a password containing at least eight characters that are a mixture of uppercase and lowercase letters, numbers, and special characters. Figure 4-15 Configuration Quick Admin Password...

Configuring the Cisco VPN Client Firewall Feature

This chapter deals with configuring the Cisco VPN Client firewall feature set. You learn about the Cisco VPN Client's basic configuration, how to create filters on the concentrator, and how to configure firewall features. The VPN Client has an integrated Stateful Firewall feature as part of the client package. This feature can be enabled to block all traffic coming into the user's system that does not originate from the head-end concentrator's network. This provides a good measure of security...

Configuring the IPSec Tunnel Group

When you select IPSec as the tunneling protocol from the screen shown in Figure 4-10, the concentrator prompts you to define a group during the Quick Configuration phase. This group is used by every user unless you change the association later from the standard configuration section of the VPN Manager. Figure 4-14 shows the configuration information for the IPSec group. The password for this group becomes the preshared key for remote access users. Figure 4-14 Configuration Quick IPSec Group...

Configuring the Private LAN Interface

The next phase of the CLI Quick Configuration steps is to configure the Private LAN interface. This is simply a matter of setting the IP address and subnet mask information and then specifying the speed and duplex mode to use for the interface. Those steps are shown in the output in Example 4-3, which is displayed as soon as you enter your preference for daylight-savings support. Example 4-3 Configuring the Private Interface This table shows current IP addresses. Intf Status IP Address Subnet...

Configuring the Stateful Firewall

The Stateful Firewall feature is easily configured on the Cisco VPN Client. Open the client, as shown in Figure 6-4. Choose the Options pull-down menu, as shown in Figure 6-5. If the Stateful Firewall (Always On) option does not have a check mark in front of it, click it once. Because the Options pull-down menu disappears, choose it again, and make sure that there is a check mark in front of the Stateful Firewall (Always On) option, as shown in...

Configuring the Tunneling Protocol

Clicking the Continue button takes you to the Protocols screen, as shown in Figure 4-10. You can select all protocols, if you like. The configuration described in this chapter works with IPSec only, so that is the only protocol selected on this screen. Figure 4-10 Configuration Quick Protocols (screen text: Select the tunneling protocols and encryption options that you want to enable. Require Encryption (Clients without...

Configuring the VPN Client for CA Support

Because you will now be using digital certificates for authentication on the VPN concentrator, you must modify the configuration of your users' VPN Client connection entries from using a preshared key to using a digital certificate. All your clients must have a root certificate and an identity certificate installed in the browser application of their VPN client system. As the system administrator, you can manually enroll each...

Configuring the VPN Concentrator for Firewall Usage

Configuration of the firewall for the VPN Client is done on the Configuration User Management Groups Modify screen under the Client FW tab (see Figure 6-6). This screen is used for configuring all firewall options other than the Stateful (Always On) option, which is configured on the VPN Client itself. The following sections describe each of the options that are shown in the Client FW tab.

Configuring User Authentication Method

Next, you determine how users connecting over the VPN tunnel are to be authenticated. Figure 4-12 shows the selection screen. Users can be authenticated from RADIUS servers, NT Domain controllers, external SDI servers, and the concentrator's internal server. The option you select brings up the appropriate next screen so that you can continue configuring user authentication. Figure 4-12 Configuration Quick Authentication (screen text: Specify how to authenticate users...

Configuring Users for Internal Authentication

The example shown in Figure 4-12 has selected the Internal Server option and brings up the User Database screen, shown in Figure 4-13, so that you can enter the usernames and passwords. This screen also requests an IP address and subnet mask because, in this case, the concentrator's administrator selected Per User address assignment on the screen displayed in Figure 4-11. Figure 4-13 Configuration Quick User Database. There is a maximum combined...

Custom Firewall

Should you choose to use the Custom Firewall option when it becomes available, Table 6-7 provides you with the necessary codes to be input into the Vendor ID and Product ID fields. Table 6-7 Vendor and Product ID Codes. Should you wish to combine, for example, Zone Alarm, Zone AlarmPro, and Integrity into a single firewall option, you would enter 2 into the Vendor ID field and 1,2,3 into the Product ID field. You cannot use multiple vendors. You can enter an...