Cisco Router and Security Device Manager Cisco Easy VPN Server

Similar documents
CONFIGURING EPOLICY ORCHESTRATOR 3.0 AND MCAFEE 8.0i WITH CISCO CALLMANAGER

NEW METHOD FOR ORDERING CISCO 1700 SERIES MODULAR ACCESS ROUTERS AND CISCO 1800 SERIES INTEGRATED SERVICES ROUTERS SOFTWARE SPARE IMAGES

CISCO FAX SERVER. Figure 1. Example Deployment Scenario. The Cisco Fax Server solution consists of the following components:

USING MCAFEE VIRUSSCAN ENTERPRISE 8.0I WITH CISCO CALLMANAGER

CISCO SFP OPTICS FOR PACKET-OVER-SONET/SDH AND ATM APPLICATIONS

ANNOUNCING NEW PRODUCT OFFERINGS FOR THE CISCO CATALYST 6500 SERIES

Cisco MDS 9000 Family and EMC ECC Integration

END-OF-SALE AND END-OF-LIFE ANNOUNCEMENT FOR THE CISCO FLEXWAN MODULE FOR USE WITH THE CISCO 7600 SERIES ROUTERS AND CATALYST 6500 SERIES SWITCHES

USING TREND SERVERPROTECT5 WITH CISCO CALLMANAGER

Using TAPS with +E.164 Directory Numbers

Cisco Router and Security Device Manager Intrusion Prevention System

Cisco CallManager Server Upgrade Program

CISCO NETWORK CONNECTIVITY CENTER BUSINESS DASHBOARD

Cisco Unified CallConnector for Microsoft Office Quick Reference Guide 1

CISCO CENTRALIZED WIRELESS LAN SOFTWARE RELEASE 3.0

CISCO IOS SOFTWARE RELEASE 12.3(11)YK

NEW CISCO IOS SOFTWARE RELEASE 12.2(25)FY FOR CISCO CATALYST EXPRESS 500 SERIES SWITCHES

CISCO WDM SERIES OF CWDM PASSIVE DEVICES

END-OF-SALE AND END-OF-LIFE ANNOUNCEMENT FOR THE CISCO CATALYST 6500 SERIES OC-12 ATM MODULE

Cisco Unity 4.0(4) with Cisco Unified CallManager 4.1(2) Configured as Message Center PINX using Cisco WS-X6608-T1 using Q.SIG as MGCP Gateway

Third party information provided to you courtesy of Dell

Quick Start Guide Cisco CTE 1400 and Design Studio

CISCO 10GBASE XENPAK MODULES

Cisco Unified Wireless IP Phone 7920 Multi-Charger

Cisco Unified CallManager Licensing Pricing Model

Cisco Unified Wireless Network Software Release 3.1

Cisco 7304 Shared Port Adapter Modular Services Card

CISCO CATALYST 6500 SERIES WITH CISCO IOS SOFTWARE MODULARITY

CISCO GIGABIT INTERFACE CONVERTER

CISCO AIRONET 1230AG SERIES ACCESS POINT

Innovation in Accessibility

Cisco MCS 7815-I2-UC1 Media Convergence Server

C ISCO INTELLIGENCE ENGINE 2100 SERIES M OUNTING AND CABLING

Cisco CallManager 4.0-PBX Interoperability: Lucent/Avaya Definity G3 MV1.3 PBX using 6608-T1 PRI NI2 with MGCP

Avaya Definity CM 2.0 to a Cisco IAD243X using PRI T1 5ESS ISDN with SIP

END-OF-SALE AND END-OF-LIFE ANNOUNCEMENT FOR THE CISCO MEDIA CONVERGENCE SERVER 7845H-2400

Cisco Extensible Provisioning and Operations Manager 4.5

Cisco 7200VXR Series NPE-G2 Network Processing Engine

Cisco Persistent Storage Device

A New Services Aggregation Benchmark for the WAN and MAN The Cisco 7200VXR Series Router

End-of-Sale and End-of-Life Announcement for Select Cisco Catalyst 2950G and Catalyst 2950T Series Switches

Cisco 2651XM Gateway - PBX Interoperability: Avaya Definity G3 PBX using Analog FXO Interfaces to an H.323 Gateway

CISCO IPCC EXPRESS EDITION FEATURES AND PRODUCT SPECIFICATIONS

Cisco Voice Services Provisioning Tool 2.6(1)

ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL STUB ROUTER FUNCTIONALITY

Cisco 3745 Gateway - PBX Interoperability: Avaya Definity G3 PBX using Q.931 PRI Network Side Interfaces to an H.323 Gateway

CISCO IP PHONE 7970G NEW! CISCO IP PHONE 7905G AND 7912G XML

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default)

Cisco Unified IP Phone 7971G-GE

NEW CISCO IOS SOFTWARE RELEASE 12.2(25)EY FOR CISCO CATALYST 3750 METRO SERIES SWITCHES

CISCO UNIFIED IP PHONE 7912G

Announcing the Cisco Wireless IP Phone 7920

Mitel 3300 ICP Release 4.1 using T1 QSIG to Cisco Unified CallManager 4.0

Cisco Unified MeetingPlace for Microsoft Office Communicator

THE POWER OF A STRONG PARTNERSHIP.

CISCO 7304 SERIES ROUTER PORT ADAPTER CARRIER CARD

Cisco Catalyst 2950 Series Software Feature Comparison Standard Image (SI) and Enhanced Image (EI) Feature Comparison

CISCO CWDM GBIC AND SFP SOLUTION

Cisco Unified Mobile Communicator 3.0 User Portal Guide

Traffic Offload. Cisco 7200/Cisco 7500 APPLICATION NOTE

MULTI-VRF AND IP MULTICAST

Cisco ONS SDH 12-Port STM-1 Electrical Interface Card

NEW JERSEY S HIGHER EDUCATION NETWORK (NJEDGE.NET), AN IP-VPN CASE STUDY

Generic Routing Encapsulation Tunnel IP Source and Destination VRF Membership

CISCO IP CONTACT CENTER EXPRESS EDITION ENHANCED

High-Availability Solutions for SIP Enabled Voice-over-IP Networks

Microsoft Live Communication Server 2005 Enterprise Edition with SP1 to Cisco Unified Presence 1.0(3) and Cisco Unified CallManager 5.

The Cisco Unified Communications Planning and Design Service Bundle

CISCO IP PHONE 7941G. Figure 1. Cisco IP Phone 7941G DATA SHEET

Cisco Media Convergence Server 7845I-2400

Cisco AS5300 Gateway - PBX Interoperability: NEC NEAX 2400 PBX using T1 PRI Interfaces to an H.323 Gateway

Cisco Smart Business Communications System Teleworker Set Up

Portable Product Sheets Cat 4500 Supervisors last updated July 22, 2009

Microsoft Live Communication Server 2005 Enterprise Edition with SP1 to Cisco Unified Presence 6.0(1) and Cisco Unified Communications Manager 5.

Cisco Aironet In-Building Wireless Solutions International Power Compliance Chart

E-Seminar. Voice over IP. Internet Technical Solution Seminar

Cisco Unified CallManager 4.0-PBX Interoperability: Mitel 3300 ICP Release 4.1 PBX to a Cisco 6608 Gateway using T1 QSIG with MGCP

THE CISCO SUCCESS BUILDER PROGRAM THE CISCO SMALL OFFICE COMMUNICATIONS CENTER: AFFORDABLE, PROVEN COMMUNICATIONS SOLUTIONS FOR SMALL ORGANIZATIONS

IP Communications for Small Offices Using Cisco CallManager Express and Cisco Unity Express

CISCO IP PHONE 7940G. Figure 1. Cisco IP Phone 7940G

CISCO GATEWAY GPRS SUPPORT NODE RELEASE 5.0

Cisco Value Incentive Program Advanced Technologies: Period 7

CISCO UNITY CONNECTION 1.1

BGP Enforce the First Autonomous System Path

Microsoft Office Communications Server 2007 Enterprise Edition to Cisco Unified Presence 6.0(1) and Cisco Unified Communication Manager 6.

Cisco EtherChannel Technology

MPLS MTU Command Changes

Cisco Router and Security Device Manager Public Key Infrastructure Management

Cisco Systems Intelligent Storage Networking

Cisco Unified Wireless Network Software Release 3.2

CISCO 5-PORT, 8-PORT, AND 10-PORT GIGABIT ETHERNET SHARED PORT ADAPTERS

Cisco 2651XM Gateway - PBX Interoperability: Ericsson MD-110 PBX using Q.931 BRI User Side Interfaces to an H.323 Gateway

Belgian fire department wields pioneering wireless solution in the fight to save lives

CISCO 7304 SERIES ROUTER PORT ADAPTER CARRIER CARD

Cisco Series TDM Line Cards

CISCO TRAFFIC ANOMALY DETECTOR MODULE AND CISCO ANOMALY GUARD MODULE

Взято с сайта

CISCO 800 SERIES INTEGRATED SERVICES ROUTERS

RADIUS NAS-IP-Address Attribute Configurability

Cisco Unity Express Voic System User s Guide

Transcription:

Application Note Cisco Router and Security Device Manager Cisco Easy VPN Server Introduction This document explains how to configure a Cisco Easy VPN server. Cisco Easy VPN Introduction Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworker. The Cisco Easy VPN solution centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments. Cisco Easy VPN consists of two components: Cisco Easy VPN Remote and Cisco Easy VPN Server. The Cisco Easy VPN Remote feature allows Cisco IOS routers to receive security policies upon a VPN tunnel connection from a Cisco Easy VPN Server, minimizing configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support. The Cisco Easy VPN Server allows Cisco IOS routers to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature. This feature pushes security policies defined at the central site to the remote VPN device, helping to ensure that those connections have up-to-date policies in place before the connection is established. A Cisco Easy VPN Server-enabled device can terminate VPN tunnels initiated by Cisco Easy VPN Remote-enabled routers. The Cisco Easy VPN Remote feature allows the VPN parameters, such as internal IP addresses, internal subnet masks, Domain Name System (DNS) server addresses, Windows Internet Naming Service (WINS) server addresses, and Split Tunneling flags, to be pushed to the remote device. The centrally stored configurations allow dynamic configuration of end-user policy and require less manual configuration by end users and field technicians. This reduces errors and further service calls. The Cisco Easy VPN provides centralized security policy management and helps enable large-scale deployment with rapid user provisioning. Cisco Easy VPN provides automatic management for negotiating tunnel parameters and establishing IP Security (IPSec) tunnels. Extended authentication (Xauth) adds another level of authentication that identifies the user who requests the IPSec connection. Split Tunneling enables the remote router to route the Internet-destined traffic directly without forwarding it over the encrypted tunnel. It is easier than ever to deploy VPNs as part of small and medium businesses or large enterprise networks with Cisco Router and Security Device Manager (SDM). Deployment Scenario This document demonstrates how to configure a Cisco Easy VPN Server based on the Cisco IOS Easy VPN Remote feature and the Cisco IOS Easy VPN Server. The sample configuration is based on the following assumptions: Static IP address is at the Cisco Easy VPN Server. Static or Dynamic IP address is at the Cisco Easy VPN Remote. Page 1 of 16

The Cisco Easy VPN Remote encrypts only traffic that is forwarded to the Cisco Easy VPN Server. Traffic destined for the Internet is forwarded directly and unencrypted from the remote site. Traffic from the remote site is forwarded after applying Network Address Translation/Port Address Translation (NAT/PAT). User level authentication is used for authorizing VPN access (Xauth 1 ) Figure 1 illustrates the network for the sample configuration. Figure 1. Network Diagram Sample Configuration In our example, a preshared key is used to authenticate devices 2. Xauth provides an additional level of authentication for identifying the user requesting the IPSec connection. The remote waits for a username/password challenge after the Internet Key Exchange (IKE) Security Association has been established. Split Tunneling is configured on the Cisco Easy VPN Server, and is dynamically loaded on the Cisco Easy VPN Remote. Split Tunneling enables the remote router to route the Internet-destined traffic directly without forwarding it over the encrypted tunnel. Prerequisite The device started with a cleared default SDM configuration with LAN and WAN interfaces configured. Cisco SDM Cisco Easy VPN Server Although the Cisco Easy VPN feature allows dynamic configuration of end-user policy and requires less manual configuration by end-users and field technicians, it requires users to fully understand how to configure an authentication, authorization, and accounting (AAA) server, the group policy, and the dynamic crypto map on the Cisco Easy VPN Server side. Cisco Router and SDM allows users to easily configure the Cisco Easy Server with limited knowledge and information. The following steps are used to configure the deployment scenario using Cisco SDM: 1 Xauth allows authenticating a user after authenticating the gateway (for instance, the Cisco Easy VPN Remote/Client), provides good authentication where certificates cannot be used, and solves the issue of not knowing the IP address in advance. 2 IPSec main mode device authentication is based on IP address and preshared key or digital certificate. Page 2 of 16

Create a Cisco Easy VPN Server To create a Cisco Easy VPN Server, at Configure Mode, select the VPN/Easy VPN Server and then click Create Easy VPN Server tab to launch Create an Easy VPN server wizard. In our example, the AAA is not enabled; the Launch the selected task button is grayed out (Figure 2). To enable AAA, click Enable AAA; the Launch the selected task button will be available when AAA is enabled. Figure 2. Cisco Easy VPN Server Wizard Page 3 of 16

Select the outside interface on which the Cisco Easy VPN server should be configured; in this scenario the Cisco Easy VPN Server router uses FastEthernet1/0 (Figure 3), click Next. Figure 3. Select an Interface Page 4 of 16

For the IKE proposal, in this scenario the SDM default is used (Figure 4); click Next. Figure 4. IKE Proposal Page 5 of 16

For Transform Set, in this scenario the SDM default is used (Figure 5); click Next Figure 5. Transform Set Page 6 of 16

For Group Authorization/Group Policy lookup, select Local Only (Figure 6); click Next. Figure 6. Group Authorization/Group Policy Lookup Page 7 of 16

To configure the Extended Authentication (Figure 7), take the following steps: 1. Check Enable Extended Authentication 2. Select Local Only 3. Click Add User Account to add new users Figure 7. Extended Authentication (Xauth) In the User Accounts screen, click Add, then Cisco SDM prompts for the following information: Username: sdmuser1 Password: cisco123 (the password is displayed encrypted on screen) Encrypt password using Message Digest Algorithm 5 (MD5) hash algorithm: check Privilege Level: 15 Page 8 of 16

Click OK In the User Accounts screen, click OK In the Extended Authentication screen, click Next In the Group Authentication/User Group Policies, click Add, then Cisco SDM prompts for the following information: Click General (Figure 8) tab: Name of this group: EZVPNgroup New pre-shares key: cisco123 Pool Information/Create a new pool: 30.30.30.100 30.30.30.120 Figure 8. Add Group Policy General Tab Click DNS/WINS tab: Check DNS Page 9 of 16

Primary DNS Server: 30.30.30.5 Secondary DNS Server: 30.30.30.6 Domain Name: cisco.com Check WIN Primary WIN Server: 30.30.30.7 Secondary WIN Server: 30.30.30.8 Click Split Tunneling (Figure 9) tab: Check Enable Split Tunneling Enter the protected subnets: 30.30.30.0/0.0.0.255 Figure 9. Add Group Policy Split Tunneling Tab Page 10 of 16

Click XAuth Option (Figure 10) tab: Check Enable save password Maximum Login Allowed Per User: 5 Click OK Figure 10. Add Group Policy XAuth Options Tab Page 11 of 16

To return to the User Group Policy (Figure 11), click Next. Figure 11. User Group Policy Click Finish Click Deliver Page 12 of 16

Monitoring Users can go to Monitor Mode, and then select VPN Status to view and verify the tunnel status. Figure 12 shows the Groups and the Client Connections in this Group. Figure 12. Cisco Easy VPN Servers Page 13 of 16

Cisco IOS Software Command-Line Interface The following command-line interfaces (CLIs) are used to configure the same deployment scenario as above as opposed to the SDM. The Cisco Easy VPN Server Configuration! aaa new-model aaa authentication login ezvpnxauth local aaa authorization network ezvpnnetwork local username sdmuser1 privilege 15 secret 0 cisco123! enable AAA! use local user database for Xauth! use local user database for IKE queries! define local user database for Xauth! crypto isakmp policy 1! IKE Policy authentication pre-share encr 3des hash sha group 2 lifetime 86400! crypto isakmp policy 3 authentication rsa-sig encr 3des hash sah group 2 lifetime 86400 crypto isakmp xauth timeout 60! ip local pool ezvpnpool 30.30.30.100 30.30.30.120! define local IP address pool access-list 100 permit ip 30.30.30.0 0.0.0.255 any! split tunneling access control list (ACL)! Group policy pushed to Cisco Easy VPN Remote/Client crypto isakmp client configuration group EZVPNgroup key cisco123 pool ezvpnpool acl 100! define preshare key! specify IP address pool! split tunneling dns 30.30.30.5 30.30.30.6 Page 14 of 16

wins 30.30.30.7 30.30.30.8 domain cisco.com save-password! domain name for DNS! Xauth: allow password save max-logins 5! Transform set crypto ipsec transform-set my-transform esp-sha-hmac esp-3des mode tunnel! crypto dynamic-map ezvpn-dymap 1 set transform-set my-transform! create a dynamic crypto map entry! specify transform sets set security-association lifetime seconds 3600 set security-association lifetime kilobytes 4608000 reverse-route! set source proxy! crypto map MYCMAP 65535 ipsec-isakmp dynamic ezvpn-dymap! add the dynamic map to a static map! crypto map MYCMAP isakmp authorization list ezvpnnetwork! enable IKE queries crypto map MYCMAP client authentication list ezvpnxauth crypto map MYCMAP client configuration address respond! enforce Xauth! easy server responds to requests! interface FastEthernet0/1! apply the cryto map to the outside interface crypto map MYCMAP In summary, by using the Cisco Security Device Manager Easy VPN Wizards, users can generate complex Cisco Easy VPN Server configuration easily and quickly with minimum knowledge of Cisco IOS Software commands and client-server IPSec VPN. Page 15 of 16

References Cisco Easy VPN Solution: http://www.cisco.com/en/us/partner/netsol/ns340/ns394/ns171/ns27/networking_solutions_sub_solution_home.html Cisco Easy VPN White Paper: http://www.cisco.com/en/us/partner/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_papers_list.html Cisco Easy VPN Remote: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/ftezvpnr.pdf Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-7660 Fax: 408 527-0883 Asia Pacific Headquarters Cisco Systems, Inc. Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 www.cisco.com Tel: +65 317 7777 Fax: +65 317 7799 Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe Copyright 2004 Cisco Systems, Inc. All rights reserved. CCSP, the Cisco Square Bridge logo, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iquick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0406R) Printed in the USA Page 16 of 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback