VPN Conc Core Sample


Posted on 10-Apr-2018


8/8/2019 VPN Conc Core Sample

CCIE Security: VPN Concentrator 3000 Series

Written by:

Ashwin Kohli, CCIE #8877

Sunil Sethi, Cisco Qualified Specialist (Security), CCSP


CCIE Practice Lab: VPN Concentrator 3000 Series
Ashwin Kohli, CCIE #8877

Copyright 2005 Netcg, Inc.

Published by:
Network Learning Inc.
1997 Whitney Mesa Dr.
Henderson, NV 89014 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

Warning and Disclaimer

This book contains a practice lab and step-by-step instructions on how to complete the practice lab. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as-is basis. The author, Netcg, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book. The opinions expressed in this book belong to the authors and are not necessarily those of Network Learning Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Netcg, Inc. and Network Learning, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Network Learning Inc., our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title in your message.

We greatly appreciate the assistance.


ABOUT THE AUTHORS

ASHWIN KOHLI is a dual CCIE #8877 (Routing/Switching and Security). He is currently a Global Architect for one of the top three financial companies, and is responsible for architecting enterprise solutions. He has worked at many of the top financial companies over the last 10 years. Ashwin also holds the CCNP and CCDP and a BSc in Computer Science & Accounting from Manchester University, United Kingdom. He has more than 10 years' experience in Cisco networking and security, including planning, designing, implementing, and troubleshooting enterprise multi-protocol networks. Ashwin also writes Cisco training material for Network Learning, Inc.

SUNIL SETHI is a Cisco Qualified Specialist in Cisco Security and is currently working on his CCIE Security lab exam. He is working as a Sr. Network Security Consultant, and is responsible for designing, implementing, monitoring and training field engineers on Cisco security products in the Washington DC area. Sunil also holds the CCNP and CCDP and has passed the CCIE Security written exam. He has more than 8 years' experience in Cisco networking and security.


TABLE OF CONTENTS

VPN Concentrator Series 3000 Hands-On

Lab 1 - Setup

Lab 2 - Routing on VPN 3000: Static Routing

Lab 3 - Configure RIP and OSPF on VPN Concentrator: Dynamic Routing

Lab 4 - Accessing VPN 3000 from the Internet using HTTP, HTTPS, SSH

Lab 5 - Configure VPN 3000 for Remote Access using Preshared Keys

Lab 6 - Configuring IPSec over TCP on a Cisco VPN 3000 Concentrator

Lab 7 - Configuring Split DNS

Lab 8 - Configuring Cisco VPN Client and the Cisco Integrated Client to Secure Nonencrypted Traffic while using Split Tunneling

Lab 9 - PPTP Client Configuration to VPN 3000: Local Authentication

Lab 10 - Router to VPN 3000 Tunnel

Lab 11 - Configuring NAT Transparent Mode for IPSec on the VPN 3000 Concentrator

Lab 12 - Configuring LAN-to-LAN Tunnels on a VPN 3000 Concentrator with a Cisco IOS Router Configured for DHCP

Lab 13 - Concentrator to Cisco VPN 3000 Concentrator to the PIX Firewall

Lab 14 - RADIUS Authentication for IPSec Client Version 4.x

Lab 15 - Configuring the Cisco VPN 3000 Concentrator 4.1 to Get a Digital Certificate using SCEP from Microsoft Certificate Server: Network Based Enrollment (Automated)

Lab 16 - Configuring the VPN Client 4.x to Get a Digital Certificate

Lab 17 - Configuring the LAN-to-LAN VPN with Digital Certificate

Lab 18 - Configuring the LAN-to-LAN VPN with Digital Certificate: Router using NAT


    VPN Concentrator 3000 Series: Sample Document

[Screenshot] Click Add to define a new user.

[Screenshot] Click on the General tab to define the user settings.


[Screenshot] Click on IPSec settings to define the user's IPSec SA.

[Screenshot] If users will be using PPTP, click on the PPTP/L2TP tab.


LAB 2 ROUTING ON VPN 3000: STATIC ROUTING

Click Add to insert another static route.

The example adds a route to network 192.168.1.0/24 whose next hop is the perimeter router. If your VPN Concentrator is itself the gateway for that network, select the interface option below "Router" instead of entering a next-hop router address.


    Configure a Default Route


LAB 3 CONFIGURE RIP AND OSPF ON VPN CONCENTRATOR: DYNAMIC ROUTING

The VPN Concentrator 3000 series supports RIP and OSPF.

RIP ROUTING ON CONCENTRATOR

Routing configuration is interface based. To configure routing using RIP or OSPF, open the interface configuration under the Configuration option and click on Private Interface.

Click on the RIP tab.


The capture above shows RIPv2 being sent out of the interface and both RIPv1 and RIPv2 being accepted inbound. Accepting unauthenticated RIP updates means any host on that segment can inject routes into the concentrator's routing table, so enable inbound RIP only on the trusted private interface and never on the public one.


ROUTER R1

interface Loopback1
 ip address 11.11.11.11 255.255.255.0
!
interface Loopback2
 ip address 1.1.1.1 255.255.255.0
!
! Ethernet0/0 is the segment shared with the concentrator's private interface
interface Ethernet0/0
 ip address 10.0.1.10 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
! OSPF process 1: Loopback2 and the 10.0.1.0/24 segment are in area 0
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
!
! RIPv2 with auto-summary disabled: advertises Loopback1 (11.0.0.0) and 10.0.0.0
router rip
 version 2
 network 10.0.0.0
 network 11.0.0.0
 no auto-summary
!

r1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.100        0   FULL/DROTHER    00:00:38    10.0.1.100      Ethernet0/0
r1#

The concentrator (10.0.1.100) appears as an OSPF neighbor in FULL state. Its priority of 0 means it is never eligible to become DR or BDR on the segment, so R1 holds that role.


Step 5. Define the IP allocation method.

Step 6. Define the server type to use once the user is authenticated.


LAB 11 CONFIGURING NAT TRANSPARENT MODE FOR IPSEC ON THE VPN 3000 CONCENTRATOR

Many-to-one NAT, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level, which creates a problem for IPSec traffic, because ESP does not use ports.

ENCAPSULATING SECURITY PAYLOAD

IP protocol 50 (Encapsulating Security Payload [ESP]) carries the encrypted/encapsulated packets of IPSec. Most PAT devices do not work with ESP, since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs), so a second host behind the same public address cannot bring up its own tunnel.

The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is IPSec through NAT. NAT-T, an IETF standard (still in the draft stage as of the writing of this article; it has since been published as RFC 3947 and RFC 3948), also encapsulates IPSec packets in UDP, but it works on UDP port 4500. That port is not configurable.

HOW DOES NAT TRANSPARENT MODE WORK?

Activating IPSec transparent mode on the VPN Concentrator creates non-visible filter rules and applies them to the public filter. The configured port number is then passed to the VPN Client transparently when the VPN Client connects. On the inbound side, UDP traffic arriving on that port passes directly to IPSec for processing; it is decrypted and decapsulated, and then routed normally. On the outbound side, IPSec encrypts and encapsulates the packet and then applies a UDP header (if so configured). The runtime filter rules are deactivated and deleted from the appropriate filter under three conditions: when IPSec over UDP is disabled for a group, when the group is deleted, or when the last active IPSec over UDP SA on that port is deleted. Keepalives are sent to prevent a NAT device from closing the port mapping due to inactivity.


If IPSec over NAT-T is enabled on the VPN Concentrator, the VPN Concentrator and VPN Client use the NAT-T mode of UDP encapsulation. NAT-T works by auto-detecting any NAT device between the VPN Client and the VPN Concentrator during IKE negotiation. You must ensure that UDP port 4500 is not blocked between the VPN Concentrator and the VPN Client for NAT-T to work. Also, if you have an earlier IPSec/UDP configuration that already uses that port, you must reconfigure it to use a different UDP port. Because NAT-T is the IETF mechanism, it is the mode to choose with multivendor devices, provided the other vendor implements it.

NAT-T works with both VPN Client connections and LAN-to-LAN connections, unlike IPSec over UDP/TCP. Cisco IOS routers and PIX Firewall devices also support NAT-T. You do not need IPSec over UDP to be enabled for NAT-T to work.
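The ESP/PAT problem and the NAT-T framing described above, shown as an added Python example (this is not code from the lab or from Cisco). It builds the three payload kinds that share UDP port 4500 under RFC 3948 (an IKE message behind the four-byte non-ESP marker, bare ESP, and the one-byte keepalive), classifies them the way a receiving peer must before handing them to IKE or ESP, and uses a constructed toy PAT model with made-up addresses and SPIs to show why bare ESP from two inside hosts cannot share one public address while ESP-in-UDP can. The Cisco-proprietary IPSec over UDP mode (default port 10000) is not modelled here.

```python
"""ESP-in-UDP (NAT-T, RFC 3948) framing on UDP/4500 and why bare ESP breaks PAT.

Added example; not code from the lab text or from Cisco. ToyPat is a
constructed model of a many-to-one NAT, not a real implementation, and the
addresses, ports and SPIs below are made up for the demonstration.
"""
import struct
from typing import Optional, Tuple

# RFC 3948: on UDP/4500 an IKE message is prefixed with four zero bytes (the
# "non-ESP marker"); ESP is sent bare, so its first four bytes are the SPI.
# The two are distinguishable because SPI 0 is reserved (RFC 4303) and never
# appears on the wire. A NAT keepalive is the single byte 0xFF.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
NAT_T_PORT = 4500

ESP_PROTO = 50   # IP protocol number of ESP: no port field at all
UDP_PROTO = 17


def encap_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """UDP payload carrying one ESP packet (SPI, sequence number, body)."""
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI 0 is reserved; it would look like the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def encap_ike(ike_message: bytes) -> bytes:
    """UDP payload carrying one IKE message on port 4500."""
    return NON_ESP_MARKER + ike_message


def classify(udp_payload: bytes) -> str:
    """What a NAT-T peer does on receipt: route to IKE, to ESP, or drop a keepalive."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(udp_payload) < 8:
        raise ValueError("shorter than an ESP header")
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def esp_spi(udp_payload: bytes) -> int:
    """Extract the SPI from an ESP-in-UDP payload (the key used to find the SA)."""
    if classify(udp_payload) != "esp":
        raise ValueError("not an ESP payload")
    return struct.unpack("!I", udp_payload[:4])[0]


class ToyPat:
    """Many-to-one NAT keyed on (protocol, translated source port).

    Return traffic can only be matched on what the NAT rewrote on the way out.
    UDP and TCP carry a port, so every inside flow gets its own translated port.
    ESP has no port: the only field the NAT could key on is the inbound SPI,
    which the remote peer chooses and the NAT cannot predict, so a second
    inside host cannot be told apart from the first.
    """

    def __init__(self, public_ip: str = "203.0.113.1") -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # (proto, public_port or None) -> (inside_ip, inside_port or None)
        self.table = {}

    def outbound(self, proto: int, inside_ip: str,
                 inside_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
        if proto == ESP_PROTO:
            owner = self.table.get((ESP_PROTO, None))
            if owner is not None and owner[0] != inside_ip:
                raise RuntimeError(
                    f"ESP from {inside_ip} cannot be mapped: {owner[0]} already "
                    f"owns the single ESP mapping on {self.public_ip}")
            self.table[(ESP_PROTO, None)] = (inside_ip, None)
            return self.public_ip, None
        for (p, pub_port), who in self.table.items():
            if p == proto and who == (inside_ip, inside_port):
                return self.public_ip, pub_port          # existing mapping
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, pub_port)] = (inside_ip, inside_port)
        return self.public_ip, pub_port


def two_hosts_behind_pat() -> dict:
    """Two inside hosts (constructed addresses) open IPsec tunnels through one PAT address."""
    pat = ToyPat()
    result = {}
    pat.outbound(ESP_PROTO, "10.0.1.10")           # first bare-ESP tunnel is fine
    try:
        pat.outbound(ESP_PROTO, "10.0.1.11")       # second one collides
        result["raw_esp_ok"] = True
    except RuntimeError:
        result["raw_esp_ok"] = False
    a = pat.outbound(UDP_PROTO, "10.0.1.10", NAT_T_PORT)
    b = pat.outbound(UDP_PROTO, "10.0.1.11", NAT_T_PORT)
    result["nat_t_ok"] = a[1] != b[1]              # distinct translated ports
    return result


if __name__ == "__main__":
    print(two_hosts_behind_pat())
    print(classify(encap_ike(b"\x00" * 28)), classify(encap_esp(0x1A2B3, 1, b"\x11" * 24)))
```

The same four-byte check is what a firewall or IDS rule on UDP/4500 should use to separate IKE from data traffic; matching on port alone cannot tell them apart.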

Use the following procedure to configure NAT transparent mode on the VPN Concentrator.

Note: IPSec over UDP is configured on a per-group basis, while IPSec over TCP and NAT-T are configured globally.

1. Configure IPSec over UDP. On the VPN Concentrator, select Configuration > User Management > Groups.

   a. To add a group, select Add. To modify an existing group, select it and click Modify.

   b. Click the IPSec tab, check IPSec through NAT and configure the IPSec through NAT UDP Port.

   c. The default port for IPSec through NAT is 10000 (source and destination), but this setting may be changed.

2. Configure IPSec over NAT-T and/or IPSec over TCP.

   a. On the VPN Concentrator, select Configuration > System > Tunneling Protocols > IPSec > NAT Transparency.

   b. Check the IPSec over NAT-T and/or IPSec over TCP check box.

If everything is enabled, the following precedence applies:

1. IPSec over TCP

2. IPSec over NAT-T

3. IPSec over UDP

CISCO VPN CLIENT CONFIGURATION TO USE NAT TRANSPARENCY

To use IPSec over UDP or NAT-T, you need to enable IPSec over UDP on Cisco VPN Client 3.6 and later. The UDP port is assigned by the VPN Concentrator in the case of IPSec over UDP, while for NAT-T it is fixed at UDP port 4500.

To use IPSec over TCP, you need to enable it on the VPN Client and configure the port that should be used manually.


LAB 16 CONFIGURING THE VPN CLIENT 4.X TO GET A DIGITAL CERTIFICATE

VPN 3000 CONFIGURATION

Step 1. Check the active IKE proposal list. For client-to-LAN with digital certificates to work, the concentrator requires an active IKE proposal that uses RSA digital-certificate authentication.

Step 2. Check the IKE proposal.

Step 3. Modify or add an SA.

Step 4. Configure Cisco VPN Client version 4.x.


LAB 18 CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE: ROUTER USING NAT

The VPN 3000 configuration is the same as in the previous lab, with one more step: enable NAT-T (Configuration > System > Tunneling Protocols > IPSec > NAT Transparency), because the router peer sits behind NAT and bare ESP would not pass its PAT device.