8/8/2019 VPN Conc Core Sample
1/17
CCIE Security: VPN Concentrator 3000 Series
WRITTEN BY:
ASHWIN KOHLI
CCIE #8877
SUNIL SETHI
CISCO QUALIFIED SPECIALIST (SECURITY)
CCSP
CCIE Practice Lab: VPN Concentrator 3000 Series
Ashwin Kohli, CCIE #8877
Copyright 2005 Netcg, Inc.
Published by:
Network Learning Inc.
1997 Whitney Mesa Dr.
Henderson, NV 89014 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or by any information storage and retrieval system, without
written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
Warning and Disclaimer
This book contains a practice lab and step-by-step instructions on how to complete the practice lab. Every effort has
been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an as is basis. The author, Netcg, Inc. shall have neither liability nor responsibility
to any person or entity with respect to any loss or damages arising from the information contained in this book.
The opinions expressed in this book belong to the authors and are not necessarily those of Network Learning Inc.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Netcg, Inc. and Network Learning, Inc. cannot attest to the accuracy of this information. Use of a term
in this book should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Network Learning Inc., our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members
from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at
[email protected]. Please make sure to include the book title in your message.
We greatly appreciate the assistance.
ABOUT THE AUTHOR
ASHWIN KOHLI
Ashwin Kohli is a dual CCIE #8877 (Routing/Switching and Security). He is currently a Global Architect for one of
the top three financial companies, and is responsible for architecting enterprise solutions. He has worked at many of
the top financial companies over the last 10 years. Ashwin also holds the CCNP, CCDP and a BSc in Computer
Science & Accounting from Manchester University, United Kingdom. He has more than 10 years' experience in Cisco
networking and security, including planning, designing, implementing, and troubleshooting enterprise multi-protocol
networks. Ashwin also writes Cisco training material for Network Learning, Inc.
SUNIL SETHI
Sunil Sethi is a Cisco Qualified Specialist in Cisco Security and is currently working on his CCIE Security lab exam.
He works as a Sr. Network Security Consultant in the Washington DC area, and is responsible for designing,
implementing and monitoring Cisco security products and for training field engineers on them. Sunil also holds the
CCNP and CCDP and has passed the CCIE Security written exam. He has more than 8 years' experience in Cisco
networking and security.
TABLE OF CONTENTS
VPN CONCENTRATOR SERIES 3000 HANDS-ON
LAB 1 - SETUP
LAB 2 - ROUTING ON VPN 3000: STATIC ROUTING
LAB 3 - CONFIGURE RIP AND OSPF ON VPN CONCENTRATOR: DYNAMIC ROUTING
LAB 4 - ACCESSING VPN 3000 FROM THE INTERNET USING HTTP, HTTPS, SSH
LAB 5 - CONFIGURE VPN 3000 FOR REMOTE ACCESS USING PRESHARED KEYS
LAB 6 - CONFIGURING IPSEC OVER TCP ON A CISCO VPN 3000 CONCENTRATOR
LAB 7 - CONFIGURING SPLIT DNS
LAB 8 - CONFIGURING CISCO VPN CLIENT AND THE CISCO INTEGRATED CLIENT TO SECURE NONENCRYPTED TRAFFIC WHILE USING SPLIT TUNNELING
LAB 9 - PPTP CLIENT CONFIGURATION TO VPN 3000: LOCAL AUTHENTICATION
LAB 10 - ROUTER TO VPN 3000 TUNNEL
LAB 11 - CONFIGURING NAT TRANSPARENT MODE FOR IPSEC ON THE VPN 3000 CONCENTRATOR
LAB 12 - CONFIGURING LAN-TO-LAN TUNNELS ON A VPN 3000 CONCENTRATOR WITH A CISCO IOS ROUTER CONFIGURED FOR DHCP
LAB 13 - CONCENTRATOR TO CISCO VPN 3000 CONCENTRATOR TO THE PIX FIREWALL
LAB 14 - RADIUS AUTHENTICATION FOR IPSEC CLIENT VERSION 4.X
LAB 15 - CONFIGURING THE CISCO VPN 3000 CONCENTRATOR 4.1 TO GET A DIGITAL CERTIFICATE USING SCEP FROM MICROSOFT CERTIFICATE SERVER: NETWORK BASED ENROLLMENT (AUTOMATED)
LAB 16 - CONFIGURING THE VPN CLIENT 4.X TO GET A DIGITAL CERTIFICATE
LAB 17 - CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE
LAB 18 - CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE: ROUTER USING NAT
VPN Concentrator 3000 Series: Sample Document
CLICK ADD TO DEFINE NEW USER
CLICK ON GENERAL TAB TO DEFINE USER SETTINGS
CLICK ON IPSEC SETTINGS TO DEFINE THE USER'S IPSEC SA
IF USERS WILL BE USING PPTP CLICK ON PPTP/L2TP TAB
LAB 2 - ROUTING ON VPN 3000: STATIC ROUTING
Click Add to insert another static route.
Add a route to network 192.168.1.0/24 with the perimeter router as the next hop (Destination: Router Address). If the
VPN Concentrator is itself the gateway for that network, select the Interface option below Router Address instead of
entering a next-hop router.
Configure a Default Route
LAB 3 - CONFIGURE RIP AND OSPF ON VPN CONCENTRATOR: DYNAMIC ROUTING
The VPN Concentrator 3000 Series supports RIP and OSPF.
RIP ROUTING ON THE CONCENTRATOR
Routing configuration is interface-based. To configure RIP or OSPF, open the interface configuration under the
CONFIGURATION menu and click on the Private Interface.
Click on the RIP tab.
The capture above shows the interface sending RIPv2 outbound and accepting RIPv1/v2 inbound. Note that RIPv1 carries
no authentication, so any host on that segment can inject routes the interface will accept.
ROUTER R1
interface Loopback1
 ip address 11.11.11.11 255.255.255.0
!
interface Loopback2
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ! segment shared with the VPN Concentrator private interface (10.0.1.100)
 ip address 10.0.1.10 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
!
router rip
 version 2
 network 10.0.0.0
 network 11.0.0.0
 no auto-summary
!
r1#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.100        0   FULL/DROTHER    00:00:38    10.0.1.100      Ethernet0/0
r1#
Step 5. Define the IP allocation method.
Step 6. Define the server type to be used once the user is authenticated.
LAB 11 - CONFIGURING NAT TRANSPARENT MODE FOR IPSEC ON THE VPN 3000 CONCENTRATOR
Many-to-one NAT, the most commonly implemented NAT solution, maps several private addresses to a single
routable (public) address; this is also known as Port Address Translation (PAT). The association is
implemented at the port level. PAT therefore creates a problem for IPSec traffic, which does not use any
ports.
ENCAPSULATING SECURITY PAYLOAD
Protocol 50 (Encapsulating Security Payload [ESP]) carries the encrypted/encapsulated packets of IPSec.
Most PAT devices do not work with ESP because they are built to translate only Transmission Control
Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition,
PAT devices are unable to map multiple Security Parameter Indexes (SPIs), so two clients behind the same
PAT device cannot be told apart.
The NAT transparent mode of the VPN 3000 Client solves this problem by encapsulating ESP within UDP
and sending it to a negotiated port. The attribute to activate on the VPN 3000 Concentrator is named
IPSec through NAT. A newer protocol, NAT-T, which is an IETF standard (still in the draft stage as of the
writing of this book; since published as RFC 3947 and RFC 3948), also encapsulates IPSec packets in UDP,
but it uses port 4500, and that port is not configurable.
HOW DOES NAT TRANSPARENT MODE WORK?
Activating IPSec transparent mode on the VPN Concentrator creates non-visible filter rules and applies
them to the public filter. The configured port number is then passed to the VPN Client transparently when
the VPN Client connects. On the inbound side, UDP traffic arriving on that port passes directly to IPSec
for processing: it is decrypted and decapsulated, then routed normally. On the outbound side, IPSec
encrypts, encapsulates, and then applies a UDP header (if so configured). The runtime filter rules are
deactivated and deleted from the appropriate filter under three conditions: when IPSec over UDP is
disabled for a group, when the group is deleted, or when the last active IPSec over UDP SA on that port is
deleted. Keepalives are sent to prevent a NAT device from closing the port mapping due to inactivity.
If IPSec over NAT-T is enabled on the VPN Concentrator, the VPN Concentrator and VPN Client use the
NAT-T mode of UDP encapsulation. NAT-T works by auto-detecting any NAT device between the VPN
Client and the VPN Concentrator during IKE negotiation. You must ensure that UDP port 4500 is not blocked
between the VPN Concentrator and the VPN Client for NAT-T to work. Also, if an earlier IPSec/UDP
configuration already uses that port, you must reconfigure it to use a different UDP port. Because NAT-T is
an IETF standard rather than a Cisco-proprietary mechanism, it is the mode to use with multivendor devices,
provided the other vendor implements it.
NAT-T works with both VPN Client connections and LAN-to-LAN connections, unlike IPSec over
UDP/TCP. Cisco IOS routers and PIX Firewalls also support NAT-T. IPSec over UDP does not need to be
enabled for NAT-T to work.
Use the following procedure to configure NAT transparent mode on the VPN Concentrator.
Note: IPSec over UDP is configured on a per-group basis, while IPSec over TCP and NAT-T are configured globally.
1. Configure IPSec over UDP: On the VPN Concentrator, select Configuration > User Management > Groups.
a. To add a group, select Add. To modify an existing group, select it and click Modify.
b. Click the IPSec tab, check IPSec through NAT, and configure the IPSec through NAT UDP Port.
c. The default port for IPSec through NAT is 10000 (source and destination), but this setting may be changed.
2. Configure IPSec over NAT-T and/or IPSec over TCP:
a. On the VPN Concentrator, select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.
b. Check the IPSec over NAT-T and/or IPSec over TCP check box.
If everything is enabled, the following precedence applies:
1. IPSec over TCP
2. IPSec over NAT-T
3. IPSec over UDP
CISCO VPN CLIENT CONFIGURATION TO USE NAT TRANSPARENCY
To use IPSec over UDP or NAT-T, you need to enable IPSec over UDP on Cisco VPN Client 3.6 and later.
The UDP port is assigned by the VPN Concentrator in the case of IPSec over UDP, while for NAT-T it is fixed
at UDP port 4500.
To use IPSec over TCP, you need to enable it on the VPN Client and configure the port to be used
manually.
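The PAT problem and the UDP encapsulation that this lab describes, worked through as an added Python example that is not part of the original lab or of any Cisco code. The framing on port 4500 (SPI directly after the UDP header, a four-zero-byte Non-ESP marker in front of IKE, a one-byte 0xFF keepalive) follows RFC 3948, the published form of the NAT-T draft; the addresses, SPIs and "ciphertext" are constructed, the PatDevice class is a deliberately minimal model of a port-based translator, and the Cisco-proprietary IPSec-over-UDP mode is represented only by its default port 10000, since the page does not describe its on-the-wire framing.

```python
"""UDP encapsulation of ESP for NAT traversal, modelled on RFC 3948 framing.

Constructed example: every packet, address and SPI below is made up; nothing
here is captured traffic, a real key, or Cisco's implementation.
"""
import struct

PROTO_UDP = 17
PROTO_ESP = 50                        # ESP is an IP protocol, it has no ports
NAT_T_PORT = 4500                     # fixed by NAT-T (RFC 3947/3948)
IPSEC_THROUGH_NAT_DEFAULT = 10000     # VPN 3000 "IPSec through NAT" default, per group
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE sharing port 4500 is prefixed with this
NAT_KEEPALIVE = b"\xff"               # one-octet keepalive that refreshes the PAT mapping


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP = SPI (4 bytes) + sequence number (4 bytes) + encrypted payload.
    The SPI is never zero, which is what lets port 4500 carry both ESP and IKE."""
    if not 0 < spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be a non-zero 32-bit value")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(esp: bytes, port: int) -> bytes:
    """Prepend a UDP header so a PAT device has ports to translate. Checksum is
    zero: RFC 3948 lets the sender omit it and tells the receiver to ignore it."""
    return struct.pack("!HHHH", port, port, 8 + len(esp), 0) + esp


def udp_ports(l4: bytes) -> tuple:
    """Return (source port, destination port) of a UDP segment."""
    return struct.unpack("!HH", l4[:4])


def classify_nat_t(udp_payload: bytes) -> dict:
    """Demultiplex what arrives on UDP/4500 the way a NAT-T peer does."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(udp_payload) < 8:
        raise ValueError("too short to be ESP or IKE")
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "data": udp_payload[4:]}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "data": udp_payload[8:]}


class PatDevice:
    """Minimal many-to-one NAT keyed on (proto, src, dst, sport, dport)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def outbound(self, proto: int, src: str, dst: str, l4: bytes):
        if proto not in (6, PROTO_UDP):
            # Plain ESP: no port fields, and one (src, dst) pair may carry several
            # SPIs, so the translator has nothing to key a mapping on.
            raise ValueError(f"protocol {proto} has no ports; PAT cannot translate it")
        sport, dport = udp_ports(l4)
        key = (proto, src, dst, sport, dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        translated = struct.pack("!HH", self.table[key], dport) + l4[4:]
        return self.public_ip, dst, translated


def demo() -> dict:
    """Two clients behind one PAT device reaching a concentrator on the public side."""
    pat = PatDevice("203.0.113.1")
    concentrator = "198.51.100.9"
    esp_a = build_esp(0x1234ABCD, 1, b"client-a-ciphertext")
    esp_b = build_esp(0x0000FEED, 1, b"client-b-ciphertext")

    # 1. Plain ESP (protocol 50) is refused by the port-based PAT device.
    try:
        pat.outbound(PROTO_ESP, "10.0.1.5", concentrator, esp_a)
        plain_esp_passed = True
    except ValueError:
        plain_esp_passed = False

    # 2. UDP-encapsulated ESP gets a distinct public source port per client,
    #    so the concentrator's replies map back to the right host.
    _, _, seg_a = pat.outbound(PROTO_UDP, "10.0.1.5", concentrator, udp_encapsulate(esp_a, NAT_T_PORT))
    _, _, seg_b = pat.outbound(PROTO_UDP, "10.0.1.6", concentrator, udp_encapsulate(esp_b, NAT_T_PORT))

    # 3. The concentrator demultiplexes ESP, IKE and keepalives on the same port.
    return {
        "plain_esp_passed": plain_esp_passed,
        "public_ports": (udp_ports(seg_a)[0], udp_ports(seg_b)[0]),
        "spis_seen": [classify_nat_t(seg_a[8:])["spi"], classify_nat_t(seg_b[8:])["spi"]],
        "ike_kind": classify_nat_t(NON_ESP_MARKER + b"\x00" * 28)["kind"],
        "keepalive_kind": classify_nat_t(NAT_KEEPALIVE)["kind"],
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the two behaviours the lab relies on: the translator raises on protocol 50 but hands the UDP-wrapped copies of the same ESP packets public ports 40000 and 40001, and the receiver can still tell ESP, IKE and keepalives apart on a single port because an SPI is never zero. The keepalive is what the lab means by "keepalives are sent to prevent a NAT device from closing the port mapping".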
LAB 16 - CONFIGURING THE VPN CLIENT 4.X TO GET A DIGITAL CERTIFICATE
VPN 3000 CONFIGURATION
Step 1. Check the active IKE proposal list. For client-to-LAN with a digital certificate to work, the
Concentrator requires an active IKE proposal that uses RSA (digital certificate) authentication.
Step 2. Check the IKE proposal.
Step 3. Modify or add an SA.
Step 4. Configure Cisco VPN Client version 4.x.
LAB 18 - CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE: ROUTER USING NAT
The VPN 3000 configuration is the same as in the previous lab, with one more step: enable NAT-T.