© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—16-1
Lesson 16
Easy VPN Remote—Small Office/Home Office
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the two Easy VPN modes of operation.
• Configure the PIX Firewall as an Easy VPN Remote client.
• Explain the PIX Firewall’s Secure Unit Authentication and Individual User Authentication feature.
• Configure the PIX Firewall for Secure Unit Authentication and Individual User Authentication.
• Describe the PIX Firewall’s DHCP server feature.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall’s PPPoE client.
PIX Firewall Easy VPN Remote Feature Overview
Implementing PIX Firewall Easy VPN Remote
[Diagram: Easy VPN Servers (Cisco IOS > 12.2(8)T router, PIX Firewall > 6.2, VPN 3000 > 3.11 (> 3.5.1 recommended)) push policy to PIX Easy VPN Remote devices (Cisco PIX Firewall 501/506E).]
Easy VPN Remote Configuration
Easy VPN Remote Client Configuration
[Diagram: PIX1 (inside interface 10.1.1.1, hosts 10.1.1.2 and 10.1.1.3; outside address 209.165.201.5) connecting to the Easy VPN server at 192.168.1.2; central site network 10.0.0.0/24.]
pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training
pix1(config)# vpnclient server 192.168.1.2
pixfirewall(config)#
vpnclient vpngroup group_name password preshared_key
vpnclient username {xauth_username} password {xauth_password}
vpnclient server {ip_primary} [ip_secondary_n]
• Group name and pre-shared key
• VPN client extended authentication (XAUTH) username and password
• Easy VPN server IP address
Easy VPN Client Device Mode
[Diagram, client mode: PIX Firewall 501/506E (Easy VPN Remote) to PIX Firewall 525 (Easy VPN Server) over the VPN tunnel. The remote inside hosts 10.1.1.2 and 10.1.1.3 use hidden addresses, translated by PAT to the visible outside address 209.165.201.5; central site network 10.0.0.0/24.]
[Diagram, network extension mode: same topology (remote inside 10.1.1.1 with hosts 10.1.1.2 and 10.1.1.3, outside 209.165.201.5), but the inside addresses remain visible across the VPN tunnel.]
Easy VPN Client Device Mode Configuration
[Diagram: PIX1 (inside 10.1.1.1, hosts 10.1.1.2 and 10.1.1.3; outside 209.165.201.5), Easy VPN server 192.168.1.2, central site network 10.0.0.0/24.]
pix1(config)# vpnclient mode network-extension-mode
pixfirewall(config)#
vpnclient mode {client-mode | network-extension-mode}
• Sets the Easy VPN Remote device mode: client mode or network extension mode.
Network extension mode—address visible from central site
Enable Easy VPN Remote Device
pix1(config)# vpnclient enable
pixfirewall(config)#
vpnclient enable
• Enables the Easy VPN Remote device.
[Diagram: PIX1 with inside hosts 10.1.1.2 and 10.1.1.3, VPN tunnel to the central site network 10.0.0.0/24.]
Secure Unit Authentication
[Diagram: PIX1 (Easy VPN Remote, inside hosts 10.1.1.2 and 10.1.1.3) and PIX2 (Easy VPN Server at the central site, network 10.0.0.0/24, with an ACS authentication server). The secure-unit-authentication policy is pushed to the Easy VPN client, which must then authenticate before the tunnel comes up.]
pix2(config)# vpngroup training secure-unit-authentication
pixfirewall(config)#
vpngroup groupname secure-unit-authentication
• Enables the secure-unit-authentication policy at the central site.
Individual User Authentication
pix2(config)# vpngroup training user-authentication
pixfirewall(config)#
vpngroup groupname user-authentication
• Enables the individual user authentication policy at the central site.
vpngroup groupname user-idle-timeout
vpngroup groupname authentication-server server_tag
[Diagram: PIX1 (inside hosts 10.1.1.2 and 10.1.1.3) and PIX2 (central site network 10.0.0.0/24, ACS) joined by the VPN tunnel. The individual authentication policy is pushed to the Easy VPN client; each remote user must authenticate before using the tunnel.]
PPPoE and the PIX Firewall
The PIX Firewall as a PPPoE Client
[Diagram: the PIX Firewall acts as a PPPoE client behind a DSL modem, connecting to the ISP’s PPPoE access concentrator; the inside network is 10.0.0.0/24 and IPSec runs over the PPPoE connection.]
Configure a Virtual Private Dial-Up Networking Group
[Diagram: PIX1 (inside network 10.0.0.0/24) behind a DSL modem, connected to the ISP’s PPPoE access concentrator.]
pix1(config)# vpdn group PPPOEGROUP request dialout pppoe
pix1(config)# vpdn group PPPOEGROUP ppp authentication pap
pix1(config)# vpdn group PPPOEGROUP localname MYUSERNAME
pixfirewall(config)#
vpdn group group_name request dialout pppoe
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
vpdn group group_name localname username
• Defines a VPDN group to be used for PPPoE.
• Selects an authentication method.
• Associates the username assigned by your ISP with the VPDN group.
Create VPDN Username and Password
pix1(config)# vpdn username student1 password training
pixfirewall(config)#
vpdn username name password pass
• Creates a username and password pair for the PPPoE connection.
[Diagram: PIX1 (inside network 10.0.0.0/24) behind a DSL modem, connected to the ISP’s PPPoE access concentrator.]
Enable PPPoE Client
pix1(config)# ip address outside pppoe
pixfirewall(config)#
ip address if_name pppoe [setroute]
• Enables the PPPoE client.
[Diagram: PIX1 (inside network 10.0.0.0/24) behind a DSL modem, connected to the ISP’s PPPoE access concentrator.]
Monitoring the PPPoE Client
pixfirewall(config)#
show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
• Displays session information.
pixfirewall(config)#
show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
• Displays tunnel information.
pixfirewall(config)#
show vpdn
• Displays tunnel and session information.
Monitoring the PPPoE Client (Cont.)
pixfirewall(config)#
show ip address if_name pppoe
• Displays detailed information about a PPPoE connection.
pixfirewall(config)#
show vpdn pppinterface [id intf_id]
• Displays the interface identification value.
pixfirewall(config)#
show vpdn username [name]
• Displays local usernames.
pixfirewall(config)#
show vpdn group [groupname]
• Displays configured groups.
Debugging the PPPoE Client
pixfirewall(config)#
debug pppoe event | error | packet
• Enables debugging for the PPPoE client.
DHCP Server Configuration
DHCP
The PIX Firewall’s DHCP server can be used to dynamically assign:
• An IP address and subnet mask
• The IP address of a DNS server
• The IP address of a WINS server
• A domain name
• The IP address of a TFTP server
• A lease length
DHCP Server
[Diagram: the PIX Firewall DHCP server, with DHCP pool 10.1.1.2–10.1.1.20, serving an inside client; the Internet is on the outside. Messages 1–4 below are exchanged between the client and the server.]
1. DHCPDISCOVER—The client seeks an address.
2. DHCPOFFER—The server offers 10.1.1.2.
3. DHCPREQUEST—The client requests 10.1.1.2.
4. DHCPACK—The server acknowledges the assignment of 10.1.1.2.
Configuring the PIX Firewall as a DHCP Server
• Step 1—Assign a static IP address to the inside interface.
• Step 2—Specify a range of addresses for the DHCP server to distribute.
• Step 3—(Optional.) Specify the IP address of the DNS server.
• Step 4—(Optional.) Specify the IP address of the WINS server.
• Step 5—(Optional.) Configure the domain name.
• Step 6—(Optional.) Specify the IP address of the TFTP server.
• Step 7—Specify the lease length (default = 3,600 seconds).
• Step 8—Enable DHCP.
Configure DHCP Address Pool
pix1(config)# dhcpd address 10.1.1.2-10.1.1.15 inside
pixfirewall(config)#
dhcpd address ip1[-ip2] [if_name]
• Specifies a range of addresses for DHCP to assign.
[Diagram: the PIX Firewall as DHCP server with address pool 10.1.1.2-10.1.1.15, inside hosts 10.1.1.2 and 10.1.1.3, and the 10.0.0.0/24 network with an ACS server.]
Specify WINS, DNS, and Domain Name
pix1(config)# dhcpd wins 10.0.0.21
pix1(config)# dhcpd dns 10.0.0.14
pix1(config)# dhcpd domain cisco.com
pixfirewall(config)#
dhcpd wins wins1 [wins2]
dhcpd dns dns1 [dns2]
dhcpd domain domain_name
• Specifies the IP address of the WINS server (a second WINS server is optional).
• Specifies the IP address of the DNS server (a second DNS server is optional).
• Configures the domain name.
[Diagram: the PIX Firewall DHCP server hands inside hosts 10.0.0.2 and 10.0.0.3 on 10.0.0.0/24 the values WINS 10.0.0.21, DNS 10.0.0.14 and domain cisco.com; the WINS and DNS servers sit on the other side of the firewall.]
DHCP Option 66 and 150
pix1(config)# dhcpd option 150 ip 10.0.0.11
pix1(config)# dhcpd option 66 ip 10.0.0.11
pixfirewall(config)#
dhcpd option 150 ip server_ip1 [server_ip2]
dhcpd option 66 ascii {server_name | server_ip_str}
• Option 150 distributes a list of TFTP servers for IP Phone connections.
• Option 66 distributes a single TFTP server for IP Phone connections.
[Diagram: the PIX Firewall DHCP server hands the inside host 10.1.1.2 option 150 = 10.0.0.11 and option 66 = 10.0.0.11; the TFTP server 10.0.0.11 sits on the 10.0.0.0/24 network.]
Setting DHCP Lease Length
pix1(config)# dhcpd lease 3000
pixfirewall(config)#
dhcpd lease lease_length
• Specifies the DHCP lease length.
[Diagram: the PIX Firewall DHCP server assigns leases of the configured length to inside hosts 10.1.1.2 and 10.1.1.3; the 10.0.0.0/24 network with an ACS server is on the other side.]
Enable DHCP
pix1(config)# dhcpd enable inside
pixfirewall(config)#
dhcpd enable [if_name]
• Enables the DHCP server.
[Diagram: the PIX Firewall DHCP server enabled on the inside interface, serving hosts 10.1.1.2 and 10.1.1.3; the 10.0.0.0/24 network with an ACS server is on the other side.]
DHCP Server Auto Configuration
pix1(config)# ip address outside dhcp
pix1(config)# dhcpd address 10.1.1.2-10.1.1.20 inside
pix1(config)# dhcpd auto_config
pix1(config)# dhcpd enable inside
pixfirewall(config)#
dhcpd auto_config [client_ifx_name]
• Enables the PIX Firewall to automatically pass the DNS, WINS, and domain name values learned by its DHCP client (outside interface) to its DHCP server for distribution to inside clients.
[Diagram: the PIX Firewall’s DHCP client on the outside receives WINS 10.0.0.21, DNS 10.0.0.15 and domain cisco.com; its DHCP server on the inside assigns IP address 10.1.1.2 together with the same WINS, DNS and domain values.]
debug dhcpd and clear dhcpd Commands
pixfirewall(config)#
debug dhcpd event | packet
• Displays information associated with the DHCP server.
pixfirewall(config)#
clear dhcpd
• Removes all dhcpd command statements from the configuration.
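To show what the four-message DHCP exchange on the earlier slide and the dhcpd dns, wins, domain and lease settings and options 66/150 on these slides actually put on the wire, here is an added Python model (not from the course or from PIX software) that encodes and decodes the RFC 2132 option field and walks DISCOVER/OFFER/REQUEST/ACK against a pool like the one in "dhcpd address 10.1.1.2-10.1.1.20 inside". The PixDhcpServer class, the SLIDE_CFG sample (built from the slide values) and the client MAC strings are constructed for illustration; nothing here sends real packets.

```python
import ipaddress
# Option codes (RFC 2132) for the values the dhcpd commands on these slides distribute.
OPT_DNS, OPT_DOMAIN, OPT_WINS, OPT_LEASE = 6, 15, 44, 51
OPT_MSG_TYPE, OPT_TFTP_NAME, OPT_TFTP_IPS, END = 53, 66, 150, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
# Constructed sample using the slide values (dhcpd dns/wins/domain/lease and options 66/150).
SLIDE_CFG = {"dns": ["10.0.0.14"], "wins": ["10.0.0.21"], "domain": "cisco.com", "lease": 3000, "tftp": "10.0.0.11"}

def _ips(addrs):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)

def encode_options(msg_type, cfg):
    # Option field of a server reply: code/length/value triples terminated by 0xFF.
    tlvs = [
        (OPT_MSG_TYPE, bytes([msg_type])),
        (OPT_DNS, _ips(cfg["dns"])),                    # dhcpd dns dns1 [dns2]
        (OPT_WINS, _ips(cfg["wins"])),                  # dhcpd wins wins1 [wins2]
        (OPT_DOMAIN, cfg["domain"].encode()),           # dhcpd domain domain_name
        (OPT_LEASE, cfg["lease"].to_bytes(4, "big")),   # dhcpd lease lease_length (seconds)
        (OPT_TFTP_NAME, cfg["tftp"].encode()),          # option 66: ASCII string
        (OPT_TFTP_IPS, _ips([cfg["tftp"]])),            # option 150: list of 4-byte IPs
    ]
    return b"".join(bytes([c, len(v)]) + v for c, v in tlvs) + bytes([END])

def decode_options(raw):
    # Walk the TLVs; IP-typed options come back as lists of dotted strings.
    out, i = {}, 0
    while i < len(raw) and raw[i] != END:
        code, ln = raw[i], raw[i + 1]
        val = raw[i + 2:i + 2 + ln]
        if len(val) != ln:  # a malformed reply must not be trusted as a short value
            raise ValueError("truncated option %d" % code)
        if code in (OPT_DNS, OPT_WINS, OPT_TFTP_IPS):
            out[code] = [str(ipaddress.IPv4Address(val[j:j + 4])) for j in range(0, ln, 4)]
        elif code in (OPT_LEASE, OPT_MSG_TYPE):
            out[code] = int.from_bytes(val, "big")
        else:
            out[code] = val.decode()
        i += 2 + ln
    return out

class PixDhcpServer:
    def __init__(self, first, last, cfg):  # pool bounds as in 'dhcpd address ip1-ip2 inside'
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.offers, self.leases, self.cfg = {}, {}, cfg
    def handle(self, msg_type, mac, requested=None):
        """Return (reply type, assigned address, option bytes); None when the pool is empty."""
        if msg_type == DISCOVER:
            used = set(self.offers.values()) | set(self.leases.values())
            free = [a for a in self.pool if a not in used]
            if not free:
                return None  # exhausted pool: the server stays silent
            self.offers[mac] = free[0]
            return OFFER, free[0], encode_options(OFFER, self.cfg)
        if msg_type == REQUEST:
            if requested is None or self.offers.get(mac) != requested:  # not what was offered
                return NAK, "0.0.0.0", bytes([OPT_MSG_TYPE, 1, NAK, END])
            self.leases[mac] = self.offers.pop(mac)
            return ACK, self.leases[mac], encode_options(ACK, self.cfg)
        raise ValueError("unsupported message type %d" % msg_type)
```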
Summary
• Easy VPN Remote can operate in client or network extension mode.
• With Secure Unit Authentication, the remote PIX Firewall must authenticate before the VPN tunnel comes up.
• With Individual User Authentication, the remote user must authenticate before the user gains access to the VPN tunnel.
• The PIX Firewall can function as a DHCP client and DHCP server.
• Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.