© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—16-1 Lesson 16 Easy VPN Remote—Small Office/Home Office


Page 1

Lesson 16

Easy VPN Remote—Small Office/Home Office

Page 2

Objectives

Page 3

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the two Easy VPN modes of operation.
• Configure the PIX Firewall as an Easy VPN Remote client.
• Explain the PIX Firewall’s Secure Unit Authentication and Individual User Authentication feature.
• Configure the PIX Firewall for Secure Unit Authentication and Individual User Authentication.
• Describe the PIX Firewall’s DHCP server feature.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall’s PPPoE client.

Page 4

PIX Firewall Easy VPN Remote Feature Overview

Page 5

Implementing PIX Firewall Easy VPN Remote

Figure: Easy VPN Servers (Cisco IOS > 12.2(8)T router; PIX Firewall > 6.2; VPN 3000 > 3.11, > 3.5.1 recommended) push policy to several PIX Easy VPN Remote devices (Cisco PIX Firewall 501/506E).

Page 6

Easy VPN Remote Configuration

Page 7

Easy VPN Remote Client Configuration

Figure: PIX1 (Easy VPN Remote) with inside interface 10.1.1.1, inside hosts 10.1.1.2 and 10.1.1.3 and outside address 209.165.201.5; the Easy VPN server at 192.168.1.2 fronts the central 10.0.0.0/24 network.

pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training
pix1(config)# vpnclient server 192.168.1.2

pixfirewall(config)#
vpnclient vpngroup group_name password preshared_key
vpnclient username {xauth_username} password {xauth_password}
vpnclient server {ip_primary} [ip_secondary_n]

• Group name and pre-shared key
• VPN client extended authentication username and password
• Easy VPN server IP address

Page 8

Easy VPN Client Device Mode

Figure (client mode): a PIX Firewall 501/506E (Easy VPN Remote) with inside hosts 10.1.1.2 and 10.1.1.3 connects over a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of the 10.0.0.0/24 network; the inside addresses are hidden, with PAT presenting the single visible address 209.165.201.5.

Figure (network extension mode): the same topology, with inside interface 10.1.1.1 and outside address 209.165.201.5; the inside addresses are visible across the tunnel.

Page 9

Easy VPN Client Device Mode Configuration

Figure: PIX1 (inside 10.1.1.1, hosts 10.1.1.2 and 10.1.1.3, outside 209.165.201.5) tunnels to the Easy VPN server 192.168.1.2 in front of the 10.0.0.0/24 network.

pix1(config)# vpnclient mode network-extension-mode

pixfirewall(config)#
vpnclient mode {client-mode | network-extension-mode}

• Sets the Easy VPN Remote device mode: client mode or network extension mode.

Network extension mode—address visible from central site
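The hidden-versus-visible address behaviour of the two device modes, as an added model written for this page. It is not code from the course or from the PIX software: the translation table, the port range starting at 1024 and the packet tuples are constructed assumptions; the addresses are the slides' own (remote hosts 10.1.1.2 and 10.1.1.3, visible address 209.165.201.5). What it shows is that in client mode the central site only ever sees 209.165.201.5 and cannot initiate a connection to a remote host, while in network extension mode the remote addresses cross the tunnel unchanged in both directions.

```python
"""Client mode vs network extension mode as seen from the central site.
Constructed model for this page; not Cisco course or PIX code."""

VISIBLE = "209.165.201.5"   # the remote PIX's outside address on the slides


class EasyVpnRemote:
    """Models what the central site sees in each vpnclient mode.

    client-mode: inside hosts are hidden behind PAT to one visible address.
    network-extension-mode: inside addresses cross the tunnel unchanged.
    """

    def __init__(self, mode, visible=VISIBLE, first_port=1024):
        if mode not in ("client-mode", "network-extension-mode"):
            raise ValueError(f"unknown vpnclient mode: {mode}")
        self.mode, self.visible = mode, visible
        self.next_port = first_port      # assumed PAT port range start
        self.table = {}                  # (inside_ip, inside_port) -> visible_port
        self.reverse = {}                # visible_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate a remote host's packet entering the tunnel.
        Returns the source (ip, port) the central site sees."""
        if self.mode == "network-extension-mode":
            return src_ip, src_port      # address visible from the central site
        key = (src_ip, src_port)
        if key not in self.table:        # allocate a new PAT translation
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return self.visible, self.table[key]

    def inbound(self, dst_ip, dst_port):
        """Deliver a packet arriving from the central site.
        Returns the inside (ip, port) it reaches, or None if it is dropped."""
        if self.mode == "network-extension-mode":
            return dst_ip, dst_port      # central site can reach the host directly
        if dst_ip != self.visible:
            return None                  # hidden addresses are not reachable
        return self.reverse.get(dst_port)  # only replies to an existing translation pass


if __name__ == "__main__":
    pat = EasyVpnRemote("client-mode")
    print(pat.outbound("10.1.1.2", 40000))   # ('209.165.201.5', 1024)
    print(pat.inbound("10.1.1.2", 80))       # None: hidden in client mode
    nem = EasyVpnRemote("network-extension-mode")
    print(nem.inbound("10.1.1.2", 80))       # ('10.1.1.2', 80): visible in NEM
```

The practical consequence is the one the Secure Unit Authentication and Individual User Authentication slides build on: in network extension mode the remote LAN is an addressable part of the central network, so the central site's policy decisions apply to it directly, whereas in client mode only return traffic for established translations ever reaches a remote host.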

Page 10

Enable Easy VPN Remote Device

Figure: PIX1 with inside hosts 10.1.1.2 and 10.1.1.3 brings up the VPN tunnel to the central 10.0.0.0/24 site.

pix1(config)# vpnclient enable

pixfirewall(config)#
vpnclient enable

• Enables the Easy VPN Remote device.

Page 11

Secure Unit Authentication

Figure: PIX1 (Easy VPN Remote, inside hosts 10.1.1.2 and 10.1.1.3) and PIX2 (Easy VPN Server at the 10.0.0.0/24 site, with an ACS server). The secure-unit-authentication policy is pushed to the Easy VPN Client, which must then authenticate.

pix2(config)# vpngroup training secure-unit-authentication

pixfirewall(config)#
vpngroup groupname secure-unit-authentication

• Enables the secure-unit-authentication policy at the central site.

Page 12

Individual User Authentication

Figure: PIX1 (inside hosts 10.1.1.2 and 10.1.1.3) and PIX2 (central 10.0.0.0/24 site with an ACS server) joined by the VPN tunnel. The individual authentication policy is pushed to the Easy VPN Client, and the remote user must authenticate.

pix2(config)# vpngroup training user-authentication

pixfirewall(config)#
vpngroup groupname user-authentication
vpngroup groupname user-idle-timeout
vpngroup groupname authentication-server server_tag

• Enables the individual user authentication policy at the central site.

Page 13

PPPoE and the PIX Firewall

Page 14

The PIX Firewall as a PPPoE Client

Figure: the PIX Firewall, acting as PPPoE client for the 10.0.0.0/24 network, connects through a DSL modem to the ISP's PPPoE access concentrator; IPSec is carried over the PPPoE session.

Page 15

Configure a Virtual Private Dial-Up Networking Group

Figure: PIX1 (10.0.0.0/24 network) connects through a DSL modem to the ISP's PPPoE access concentrator.

pix1(config)# vpdn group PPPOEGROUP request dialout pppoe
pix1(config)# vpdn group PPPOEGROUP ppp authentication pap
pix1(config)# vpdn group PPPOEGROUP localname MYUSERNAME

pixfirewall(config)#
vpdn group group_name request dialout pppoe
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
vpdn group group_name localname username

• Defines a VPDN group to be used for PPPoE.
• Selects an authentication method.
• Associates the username assigned by your ISP with the VPDN group.

Page 16

Create VPDN Username and Password

Figure: PIX1 (10.0.0.0/24 network) connects through a DSL modem to the ISP's PPPoE access concentrator.

pix1(config)# vpdn username student1 password training

pixfirewall(config)#
vpdn username name password pass

• Creates a username and password pair for the PPPoE connection.

Page 17

Enable PPPoE Client

Figure: PIX1 (10.0.0.0/24 network) connects through a DSL modem to the ISP's PPPoE access concentrator.

pix1(config)# ip address outside pppoe

pixfirewall(config)#
ip address if_name pppoe [setroute]

• Enables the PPPoE client.

Page 18

Monitoring the PPPoE Client

pixfirewall(config)#
show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
• Displays session information.

pixfirewall(config)#
show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
• Displays tunnel information.

pixfirewall(config)#
show vpdn
• Displays tunnel and session information.

Page 19

Monitoring the PPPoE Client (Cont.)

pixfirewall(config)#
show ip address if_name pppoe
• Displays detailed information about a PPPoE connection.

pixfirewall(config)#
show vpdn pppinterface [id intf_id]
• Displays the interface identification value.

pixfirewall(config)#
show vpdn username [name]
• Displays local usernames.

pixfirewall(config)#
show vpdn group [groupname]
• Displays configured groups.

Page 20

Debugging the PPPoE Client

pixfirewall(config)#
debug pppoe event | error | packet
• Enables debugging for the PPPoE client.

Page 21

DHCP Server Configuration

Page 22

DHCP

The PIX Firewall’s DHCP server can be used to dynamically assign:
• An IP address and subnet mask
• The IP address of a DNS server
• The IP address of a WINS server
• A domain name
• The IP address of a TFTP server
• A lease length

Page 23

DHCP Server

Figure: the PIX Firewall (DHCP pool 10.1.1.2–10.1.1.20) sits between an inside client and the Internet; the four steps of the exchange are numbered on the diagram.

1. DHCPDISCOVER—The client seeks an address.
2. DHCPOFFER—The server offers 10.1.1.2.
3. DHCPREQUEST—The client requests 10.1.1.2.
4. DHCPACK—The server acknowledges the assignment of 10.1.1.2.

Page 24

Configuring the PIX Firewall as a DHCP Server

• Step 1—Assign a static IP address to the inside interface.
• Step 2—Specify a range of addresses for the DHCP server to distribute.
• Step 3—(Optional.) Specify the IP address of the DNS server.
• Step 4—(Optional.) Specify the IP address of the WINS server.
• Step 5—(Optional.) Configure the domain name.
• Step 6—(Optional.) Specify the IP address of the TFTP server.
• Step 7—Specify the lease length (default = 3,600 seconds).
• Step 8—Enable DHCP.

Page 25

Configure DHCP Address Pool

Figure: the PIX Firewall as DHCP server for inside hosts 10.1.1.2 and 10.1.1.3, with DHCP address pool 10.1.1.2-10.1.1.15; the diagram also shows the 10.0.0.0/24 network and an ACS server.

pix1(config)# dhcpd address 10.1.1.2-10.1.1.15 inside

pixfirewall(config)#
dhcpd address ip1[-ip2] [if_name]

• Specifies a range of addresses for DHCP to assign.

Page 26

Specify WINS, DNS, and Domain Name

Figure: the DHCP server serving hosts 10.0.0.2 and 10.0.0.3 on 10.0.0.0/24, with a WINS server and a DNS server; values handed out: WINS 10.0.0.21, DNS 10.0.0.14, domain cisco.com.

pix1(config)# dhcpd wins 10.0.0.21
pix1(config)# dhcpd dns 10.0.0.14
pix1(config)# dhcpd domain cisco.com

pixfirewall(config)#
dhcpd wins wins1 [wins2]
dhcpd dns dns1 [dns2]
dhcpd domain domain_name

• Specifies the WINS server (and an optional second WINS server) handed to DHCP clients.
• Specifies the DNS server (and an optional second DNS server) handed to DHCP clients.
• Specifies the domain name handed to DHCP clients.

Page 27

DHCP Option 66 and 150

Figure: the DHCP server on 10.0.0.0/24 serving client 10.1.1.2, with a TFTP server at 10.0.0.11; values handed out: Option 150: 10.0.0.11, Option 66: 10.0.0.11.

pix1(config)# dhcpd option 150 ip 10.0.0.11
pix1(config)# dhcpd option 66 ascii 10.0.0.11

pixfirewall(config)#
dhcpd option 150 ip server_ip1 [server_ip2]
dhcpd option 66 ascii {server_name | server_ip_str}

• Option 150 distributes a list of TFTP servers for IP Phone connections.
• Option 66 distributes a single TFTP server for IP Phone connections.

Page 28

Setting DHCP Lease Length

Figure: the DHCP server for inside hosts 10.1.1.2 and 10.1.1.3 (with the 10.0.0.0/24 network and an ACS server) hands out the configured lease length.

pix1(config)# dhcpd lease 3000

pixfirewall(config)#
dhcpd lease lease_length

• Specifies the DHCP lease length.

Page 29

Enable DHCP

Figure: the DHCP server for inside hosts 10.1.1.2 and 10.1.1.3 (with the 10.0.0.0/24 network and an ACS server).

pix1(config)# dhcpd enable inside

pixfirewall(config)#
dhcpd enable [if_name]

• Enables the DHCP server.
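A worked model of the DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK exchange from the DHCP Server slide, carrying the values that the dhcpd commands of Steps 1 through 8 set (address pool, DNS, WINS, domain, TFTP options 66 and 150, lease length). This is an added example written for this page, not code from the course or from the PIX software: the class and method names are assumptions, the DHCP option codes are the standard RFC 2132 and RFC 5859 values, the client MAC addresses are constructed, and the addresses are the ones on the slides. It also covers two cases the slides do not draw: a pool that does not lie in the inside interface's subnet is rejected, a request for an address that was not offered is answered with DHCPNAK, and an exhausted pool produces no offer.

```python
"""Model of the PIX Firewall DHCP server exchange and option encoding.
Constructed example for this page; not Cisco course or PIX code."""
import ipaddress
import struct

# Standard DHCP option codes (RFC 2132; option 150 per RFC 5859).
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_WINS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 44, 51, 53, 54
OPT_TFTP_NAME, OPT_TFTP_ADDRS, OPT_END = 66, 150, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6


def encode_options(opts):
    """Serialise {code: bytes} as DHCP TLV options, terminated by the end option."""
    out = bytearray()
    for code, value in opts.items():
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse DHCP TLV option bytes back into {code: bytes}."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def packed(*addrs):
    """Concatenate the 4-byte big-endian forms of IPv4 addresses."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


class PixDhcpServer:
    """Pool and option handling mirroring the dhcpd commands on the slides:
    dhcpd address ip1-ip2 if_name, dhcpd dns/wins/domain, option 66/150, lease."""

    def __init__(self, interface, pool_first, pool_last, dns=(), wins=(),
                 domain=None, tftp=(), lease=3600):   # 3600 s is the dhcpd default
        self.iface = ipaddress.IPv4Interface(interface)   # Step 1: static inside address
        first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
        net = self.iface.network
        if not (first in net and last in net and first <= last):
            raise ValueError("pool must lie inside the interface's subnet")
        self.free = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
        self.offered, self.leased = {}, {}           # client MAC -> address
        self.dns, self.wins, self.domain, self.tftp, self.lease = dns, wins, domain, tftp, lease

    def _options(self, msg_type):
        opts = {OPT_MSG_TYPE: bytes([msg_type]), OPT_SERVER_ID: packed(self.iface.ip)}
        if msg_type in (OFFER, ACK):                 # NAK carries only type and server id
            opts[OPT_SUBNET_MASK] = self.iface.netmask.packed
            opts[OPT_ROUTER] = packed(self.iface.ip)
            opts[OPT_LEASE] = struct.pack("!I", self.lease)
            if self.dns:
                opts[OPT_DNS] = packed(*self.dns)
            if self.wins:
                opts[OPT_WINS] = packed(*self.wins)
            if self.domain:
                opts[OPT_DOMAIN] = self.domain.encode()
            if self.tftp:        # option 150 carries addresses, option 66 a string
                opts[OPT_TFTP_ADDRS] = packed(*self.tftp)
                opts[OPT_TFTP_NAME] = self.tftp[0].encode()
        return encode_options(opts)

    def discover(self, mac):
        """1. DHCPDISCOVER -> 2. DHCPOFFER. Returns (address, options) or None if exhausted."""
        addr = self.offered.get(mac) or self.leased.get(mac)
        if addr is None:
            if not self.free:
                return None              # pool exhausted: no offer is made
            addr = self.free.pop(0)
            self.offered[mac] = addr
        return str(addr), self._options(OFFER)

    def request(self, mac, requested):
        """3. DHCPREQUEST -> 4. DHCPACK, or DHCPNAK if the client asks for something else."""
        addr = self.offered.get(mac) or self.leased.get(mac)
        if addr is None or str(addr) != requested:
            return "NAK", self._options(NAK)
        self.leased[mac] = self.offered.pop(mac, addr)
        return "ACK", self._options(ACK)

    def release(self, mac):
        """Return a client's address to the pool (lease expiry or DHCPRELEASE)."""
        addr = self.leased.pop(mac, None) or self.offered.pop(mac, None)
        if addr is not None:
            self.free.append(addr)


def demo():
    """Run the slides' values through the exchange; constructed client MAC."""
    srv = PixDhcpServer("10.1.1.1/24", "10.1.1.2", "10.1.1.15", dns=("10.0.0.14",),
                        wins=("10.0.0.21",), domain="cisco.com", tftp=("10.0.0.11",), lease=3000)
    offered, _ = srv.discover("00:00:00:00:00:01")
    result, ack = srv.request("00:00:00:00:00:01", offered)
    opts = decode_options(ack)
    return offered, result, int.from_bytes(opts[OPT_LEASE], "big"), opts[OPT_DOMAIN].decode()


if __name__ == "__main__":
    print(demo())   # ('10.1.1.2', 'ACK', 3000, 'cisco.com')
```

The option bytes returned by discover and request are what a packet capture on the inside interface would show after the fixed DHCP header, which is a convenient way to confirm that the dhcpd dns, wins, domain and option 66/150 settings actually reach clients.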

Page 30

DHCP Server Auto Configuration

pix1(config)# ip address outside dhcp
pix1(config)# dhcpd address 10.1.1.2-10.1.1.20 inside
pix1(config)# dhcpd auto_config
pix1(config)# dhcpd enable inside

pixfirewall(config)#
dhcpd auto_config [client_ifx_name]

• Enables the PIX Firewall to pass the DNS, WINS, and domain name values learned by its DHCP client (on the outside interface) to its DHCP server, which hands them to inside clients.

Figure: the DHCP client side learns WINS 10.0.0.21, DNS 10.0.0.15, domain cisco.com; the DHCP server side assigns IP address 10.1.1.2 together with the same WINS, DNS and domain values.

Page 31

debug dhcpd and clear dhcpd Commands

pixfirewall(config)#
debug dhcpd event | packet
• Displays information associated with the DHCP server.

pixfirewall(config)#
clear dhcpd
• Removes all dhcpd command statements from the configuration.

Page 32

Summary

Page 33

Summary

• Easy VPN Remote can operate in client or network extension mode.

• With Secure Unit Authentication, the remote PIX Firewall must authenticate before the VPN tunnel comes up.

• With Individual User Authentication, the remote user must authenticate before the user gains access to the VPN tunnel.

• The PIX Firewall can function as a DHCP client and DHCP server.

• Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.