
Network Security 2. Module 6 Configure Remote Access VPN


Academic year: 2021

(2)

Network Security 2

Module 6 – Configure Remote Access VPN

(3)

Learning Objectives

6.1 Introduction to Cisco Easy VPN

6.2 Configure the Easy VPN Server

6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

6.4 Configure Cisco Easy VPN Remote for Access Routers

6.5 Configure the PIX Security Appliance as an Easy VPN Server

6.6 Configure a PIX 501 or 506E as an Easy VPN Client

6.7 Configure the Adaptive Security Appliance to Support WebVPN

(4)

Module 6 – Configure Remote Access VPN

6.1 Introduction to Cisco EasyVPN

(5)

Cisco Easy VPN Components

• The Cisco Easy VPN is made up of two components:

Easy VPN Server – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Series Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.

Easy VPN Remote – Enables Cisco IOS routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Hardware Clients or Software Clients to act as remote VPN Clients.

(6)

Remote Access Using Cisco Easy VPN

PC with Easy Remote VPN Client 4.x

Cisco 800 Router

Cisco 900 Router

Cisco 1700 Router

Cisco IOS router 12.3(11)T (or later) Easy VPN Server

(7)

Easy VPN Remote Connection Process

Step 1 – The VPN Client initiates the IKE Phase 1 process.

Step 2 – The VPN Client establishes an ISAKMP SA.

Step 3 – The Easy VPN Server accepts the SA proposal.

Step 4 – The Easy VPN Server initiates a username/password challenge.

Step 5 – The mode configuration process is initiated.

Step 6 – The RRI process is initiated.

Step 7 – IPSec quick mode completes the connection.

(8)

Step 1 – The VPN Client Initiates the IKE Phase 1 Process

[Figure: Remote PC with Easy Remote VPN Client 4.x and Cisco IOS router 12.3(11)T Easy VPN Server]

Using pre-shared keys? Initiate aggressive mode (AM).

Using digital certificates? Initiate main mode (MM).

(9)

Step 2 – The VPN Client Establishes an ISAKMP SA

[Figure: the Remote PC with Easy Remote VPN Client 4.x sends proposal 1, proposal 2, proposal 3 to the Cisco IOS router 12.3(11)T Easy VPN Server]

The VPN Client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server.

To reduce manual configuration on the VPN Client, these ISAKMP proposals include several combinations of the following:

Encryption and hash algorithms

Authentication methods

Diffie-Hellman group sizes

(10)

Step 3 – The Easy VPN Server Accepts the SA Proposal

The Easy VPN Server searches for a match –

The first proposal to match the server’s list is accepted (highest-priority match).

The most secure proposals are always listed at the top of the Easy VPN Server’s proposal list (highest priority).

ISAKMP SA is successfully established.

Device authentication ends and user authentication begins.

[Figure: the Remote PC with Easy Remote VPN Client 4.x sends Proposal 1; proposal checking on the Cisco IOS router 12.3(11)T Easy VPN Server finds a proposal 1 match]
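The selection rule from Steps 2 and 3, as an added Python example that is not part of the course material: the server walks its own policies in priority order and accepts the first one the client also offered, so a weak policy placed above a strong one wins even when the client offers both. The proposal values, the strength ranking and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encryption: str       # "des", "3des", "aes", "aes256", ...
    hash_alg: str         # "md5" or "sha"
    authentication: str   # "pre-share" or "rsa-sig"
    dh_group: int         # Diffie-Hellman group number

def select_proposal(server_policies, client_proposals):
    """Walk the server's list from highest priority (lowest number) down and
    accept the first policy that the client also offered (Step 3).
    Returns (priority, Proposal), or None when nothing matches."""
    offered = set(client_proposals)
    for priority in sorted(server_policies):
        if server_policies[priority] in offered:
            return priority, server_policies[priority]
    return None

# Illustrative strength ranking used only by this example (assumption).
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes192": 3, "aes256": 4}
HASH_RANK = {"md5": 0, "sha": 1}

def strength(p):
    return (ENC_RANK[p.encryption], HASH_RANK[p.hash_alg], p.dh_group)

def ordering_issues(server_policies):
    """Return (earlier, later) priority pairs where the policy listed first is
    weaker than one listed after it, i.e. the list is not ordered
    most-secure-first as the slide requires."""
    order = sorted(server_policies)
    return [(a, b) for i, a in enumerate(order) for b in order[i + 1:]
            if strength(server_policies[a]) < strength(server_policies[b])]

# Constructed sample data: what a client might offer in Step 2.
STRONG = Proposal("aes256", "sha", "pre-share", 5)
LEGACY = Proposal("3des", "md5", "pre-share", 2)
CLIENT_OFFER = [STRONG, Proposal("aes", "sha", "pre-share", 2), LEGACY]

WELL_ORDERED = {1: STRONG, 10: LEGACY}   # most secure policy first
MISORDERED = {1: LEGACY, 10: STRONG}     # weak policy outranks the strong one

if __name__ == "__main__":
    for name, policies in (("well-ordered", WELL_ORDERED),
                           ("misordered", MISORDERED)):
        print(name, select_proposal(policies, CLIENT_OFFER),
              ordering_issues(policies))
```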

(11)

Step 4 – Username/Password Challenge

[Figure: the Cisco IOS router 12.3(11)T Easy VPN Server sends a username/password challenge to the Remote PC with Easy Remote VPN Client 4.x; the returned username/password goes through AAA checking]

If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge –

The user enters a username/password combination.

The username/password information is checked against authentication entities using AAA.

All Easy VPN Servers should be configured to enforce user authentication.

(12)

Step 5 – The Mode Configuration Process Is Initiated

If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server –

Mode configuration starts.

The remaining system parameters, such as IP address, DNS, split tunneling information, are downloaded to the VPN Client.

Remember that the IP address is the only required parameter in a group profile. All other parameters are optional.

[Figure: the Remote PC with Easy Remote VPN Client 4.x requests parameters; the Cisco IOS router 12.3(11)T Easy VPN Server returns system parameters via mode config]

(13)

Step 6 – The RRI Process Is Initiated

[Figure: VPN tunnel between the Remote PC with Easy Remote VPN Client 4.x and the Cisco IOS router 12.3(11)T Easy VPN Server; RRI static route creation]

After the Easy VPN Server knows the VPN Client’s assigned IP address, it must determine how to route packets through the appropriate VPN tunnel –

RRI creates a static route on the Easy VPN Server for each VPN Client’s internal IP address.

RRI must be enabled on the crypto maps supporting VPN Clients.

RRI need not be enabled on a crypto map applied to a GRE tunnel that is already being used to distribute routing information.

(14)

Step 7 – IPSec Quick Mode Completes the Connection

[Figure: quick mode and IPSec SA establishment between the Remote PC with Easy Remote VPN Client 4.x and the Cisco IOS router 12.3(11)T Easy VPN Server; VPN tunnel]

After the configuration parameters have been successfully received by the VPN Client, ISAKMP quick mode is initiated to negotiate IPSec SA establishment.

After IPSec SA establishment, the VPN connection is complete.

(15)

Module 6 – Configure Remote Access VPN

6.2 Configure the EasyVPN Server

(16)

Easy VPN Server General Configuration Tasks

• The following general tasks are used to configure Easy VPN Server on a Cisco router –

Task 1 – Create IP address pool.

Task 2 – Configure group policy lookup.

Task 3 – Create ISAKMP policy for remote VPN Client access.

Task 4 – Define group policy for mode configuration push.

Task 5 – Create a transform set.

Task 6 – Create a dynamic crypto map with RRI.

Task 7 – Apply mode configuration to the dynamic crypto map.

Task 8 – Apply the crypto map to the router interface.

Task 9 – Enable IKE DPD.

Task 10 – Configure XAUTH.

Task 11 – (Optional) Enable XAUTH save password feature.

(17)

Task 1 – Create IP Address Pool

[Figure: vpngate1 and remote client; pool REMOTE-POOL, 10.0.1.100 to 10.0.1.150]

router(config)#

ip local pool {default | pool-name low-ip-address [high-ip-address]}

vpngate1(config)# ip local pool REMOTE-POOL 10.0.1.100 10.0.1.150

Creating a local address pool is optional if an external DHCP server is in use on the network.

(18)

Task 2 – Configure Group Policy Lookup

[Figure: vpngate1 and remote client; group VPN-REMOTE-ACCESS]

router(config)#
aaa new-model

router(config)#
aaa authorization network list-name local [method1 [method2…]]

vpngate1(config)# aaa new-model

vpngate1(config)# aaa authorization network

(19)

Task 3 – Create ISAKMP Policy for Remote VPN Client Access

[Figure: vpngate1 and remote client; Policy 1]

Authen – Preshared keys
Encryption – 3-DES
Diffie-Hellman – Group 2
Other settings – Default

vpngate1(config)# crypto isakmp enable
vpngate1(config)# crypto isakmp policy 1
vpngate1(config-isakmp)# authen pre-share
vpngate1(config-isakmp)# encryption 3des
vpngate1(config-isakmp)# group 2
vpngate1(config-isakmp)# exit

(20)

Task 4 – Define Group Policy for Mode Configuration Push

• Task 4 contains the following steps –

Step 1 – Add the group profile to be defined.

Step 2 – Configure the ISAKMP pre-shared key.

Step 3 – Specify the DNS servers.

Step 4 – Specify the WINS servers.

Step 5 – Specify the DNS domain.

Step 6 – Specify the local IP address pool.

(21)

Task 4-Step 1 – Add the Group Profile to Be Defined

[Figure: vpngate1 and remote client; Group – VPN-REMOTE-ACCESS, Key – MYVPNKEY, DNS – DNS1 & DNS2, WINS – WINS1 & WINS2, Domain – cisco.com, Pool name – REMOTE-POOL, Pool – 10.0.1.100 to 10.0.1.150]

router(config)#
crypto isakmp client configuration group {group-name | default}

vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

(22)

Task 4-Step 2 – Configure the IKE Pre-Shared Key


router(config-isakmp-group)#

key name

(23)

Task 4-Step 3 – Specify the DNS Servers

router(config-isakmp-group)#
dns primary-server secondary-server

vpngate1(config-isakmp-group)# dns DNS1 DNS2
vpngate1(config-isakmp-group)# dns

(24)

Task 4-Step 4 – Specify the WINS Servers


router(config-isakmp-group)#

wins primary-server secondary-server

vpngate1(config-isakmp-group)# wins WINS1 WINS2

(25)

Task 4-Step 5 – Specify the DNS Domain


router(config-isakmp-group)#

domain name

vpngate1(config-isakmp-group)# domain cisco.com

(26)

Task 4-Step 6 – Specify the Local IP Address Pool


router(config-isakmp-group)#

pool name

vpngate1(config-isakmp-group)# pool REMOTE-POOL

(27)

Task 5 – Create Transform Set

[Figure: vpngate1 and remote client; transform set name VPNTRANSFORM]

router(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

vpngate1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
vpngate1(cfg-crypto-trans)# exit

(28)

Task 6 – Create a Dynamic Crypto Map with RRI

• Task 6 contains the following steps –

Step 1 – Create a dynamic crypto map.

Step 2 – Assign a transform set.

Step 3 – Enable RRI.

(29)

Task 6-Step 1 – Create a Dynamic Crypto Map

[Figure: vpngate1 and remote client; dynamic crypto map name/sequence # – DYNMAP 1]

router(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num

vpngate1(config)# crypto dynamic-map DYNMAP 1
vpngate1(config-crypto-map)#

(30)

Task 6-Step 2 – Assign Transform Set to Dynamic Crypto Map

[Figure: vpngate1 and remote client; transform set name VPNTRANSFORM]

router(config-crypto-map)#
set transform-set transform-set-name [transform-set-name2…transform-set-name6]

vpngate1(config-crypto-map)# set transform-set VPNTRANSFORM

(31)

Task 6-Step 3 – Enable RRI

[Figure: tunnel between vpngate1 and the remote client at 10.0.1.100; file server; RRI routing announcement to inside network]

router(config-crypto-map)#

reverse-route

vpngate1(config-crypto-map)# reverse-route

(32)

Task 7 – Apply Mode Configuration to Crypto Map

• Task 7 contains the following steps –

Step 1 – Configure the router to respond to mode configuration requests.

Step 2 – Enable IKE querying for a group policy.

Step 3 – Apply the dynamic crypto map to the crypto map.

(33)

Task 7-Step 1 – Configure Router to Respond to Mode Configuration Requests

[Figure: vpngate1 and remote client]

router(config)#

crypto map map-name client configuration address {initiate | respond}

vpngate1(config)# crypto map CLIENTMAP client configuration address respond

(34)

Task 7-Step 2 – Enable ISAKMP Querying for Group Policy

[Figure: vpngate1 and remote client; group VPN-REMOTE-ACCESS]

router(config)#

crypto map map-name isakmp authorization list list-name

vpngate1(config)# crypto map CLIENTMAP isakmp

(35)

Task 7-Step 3 – Apply Dynamic Crypto Map to the Crypto Map

[Figure: vpngate1 and remote client; crypto map name/sequence # – CLIENTMAP 65535]

router(config)#

crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

vpngate1(config)# crypto map CLIENTMAP 65535

(36)

Task 8 – Apply the Crypto Map to Router Outside Interface

[Figure: vpngate1 interface e0/1 and remote client; crypto map name CLIENTMAP]

vpngate1(config)# interface ethernet0/1
vpngate1(config-if)# crypto map CLIENTMAP
vpngate1(config-if)# exit

(37)

Task 9 – Enable ISAKMP DPD

[Figure: DPD exchange between vpngate1 and the remote client]

1) DPD send – Are you there?

2) DPD reply – Yes, I am here.

router(config)#

crypto isakmp keepalive secs retries

vpngate1(config)# crypto isakmp keepalive 20 10

(38)

Task 10 – Configure XAUTH

• Task 10 contains the following steps –

Step 1 – Enable AAA login authentication.

Step 2 – Set the XAUTH timeout value.

Step 3 – Enable ISAKMP XAUTH for the dynamic crypto map.

(39)

Task 10, Step 1 – Enable AAA Login Authentication

[Figure: vpngate1 and remote client; VPN user group VPNUSERS]

router(config)#

aaa authentication login list-name method1 [method2…]

vpngate1(config)# aaa authentication login VPNUSERS local

(40)

Task 10, Step 2 – Set XAUTH Timeout Value

[Figure: vpngate1 and remote client; VPN user group VPNUSERS; 20 seconds]

router(config)#

crypto isakmp xauth timeout seconds

vpngate1(config)# crypto isakmp xauth timeout 20

(41)

Task 10, Step 3 – Enable ISAKMP XAUTH for Crypto Map

[Figure: vpngate1 and remote client; VPN user group VPNUSERS; crypto map name CLIENTMAP]

router(config)#

crypto map map-name client authentication list list-name

vpngate1(config)# crypto map CLIENTMAP client

(42)

Task 11 – (Optional) Enable XAUTH Save Password

[Figure: vpngate1 and remote client; group VPN-REMOTE-ACCESS]

router(config-isakmp-group)#

save-password

vpngate1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS

vpngate1(config-isakmp-group)# save-password

This step could have been completed in Step 1 of Task 4

(43)

Easy VPN Server Configuration Example

version 12.3
hostname Router1
!
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
ip domain-name cisco.com
ip dhcp excluded-address 10.0.1.1 10.0.1.12
!
ip dhcp pool POD1_INSIDE
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
ip local pool IPPOOL 11.0.1.20 11.0.1.30

(44)

Easy VPN Server Configuration Example

crypto isakmp client configuration group SALES
 key cisco123
 domain cisco.com
 pool IPPOOL
 save-password
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet 0/1
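An added example, not part of the course material: a small Python audit of the Easy VPN Server configuration example above. It fills in the values IOS 12.x uses for ISAKMP parameters that are not configured (an assumption stated in the code) and reports settings that weaken the setup; the WEAK thresholds and the function names are this example's own.

```python
import re

# The server example from the slides, one command per line (indentation added).
PAGE_CONFIG = """\
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SALES
 key cisco123
 domain cisco.com
 pool IPPOOL
 save-password
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
"""

# Assumption: IOS 12.x values for ISAKMP policy parameters left unconfigured.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
# Assumption: what this example treats as weak; adjust to local policy.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    blocks, findings = parse_blocks(config), []
    for head, subs in blocks.items():
        m = re.fullmatch(r"crypto isakmp policy (\d+)", head)
        if m:
            policy, explicit = dict(ISAKMP_DEFAULTS), set()
            for sub in subs:
                word, _, value = sub.partition(" ")
                # IOS accepts unambiguous abbreviations such as "authen".
                key = next((k for k in policy if k.startswith(word)), None)
                if key:
                    policy[key] = value
                    explicit.add(key)
            for key in ("encryption", "hash", "group"):
                if policy[key] in WEAK[key]:
                    note = "" if key in explicit else " (default, not configured)"
                    findings.append(f"policy {m.group(1)}: weak {key} {policy[key]}{note}")
            if policy["authentication"] == "pre-share":
                findings.append(f"policy {m.group(1)}: pre-shared key, so clients use aggressive mode")
        m = re.fullmatch(r"crypto isakmp client configuration group (\S+)", head)
        if m and "save-password" in subs:
            findings.append(f"group {m.group(1)}: save-password lets clients store XAUTH credentials")
    if not any(re.fullmatch(r"crypto map \S+ client authentication list \S+", h) for h in blocks):
        findings.append("no crypto map enforces XAUTH user authentication")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print(finding)
```

The first finding comes from a line that is absent: policy 3 sets no encryption command, so the default applies.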

(45)

Task 12 – Verify

router#

show crypto map [interface interface | tag map-name]

Router# show crypto map interface ethernet 0

• Displays crypto map configuration.

router#

show run

Router# show run

• Displays running configuration.

(46)

Module 6 – Configure Remote Access VPN

6.3 Configure Easy VPN Remote for the Cisco VPN Client 4.x

(47)

Configuring Easy VPN Remote for the Cisco VPN Client 4.x – General Tasks

Task 1 – Install Cisco VPN Client 4.x.

Task 2 – Create a new client connection entry.

Task 3 – Choose an authentication method.

Task 4 – Configure transparent tunneling.

Task 5 – Enable and add backup servers.

Task 6 – Configure connection to the Internet through dial-up networking.

(48)

Task 1 – Install Cisco VPN Client 4.x

(49)

Error Message

(50)

Task 2 – Create a New Client Connection Entry

(51)

Task 3 – Configure Client Authentication Properties

(52)

Task 4 – Configure Transparent Tunneling

(53)

Task 5 – Enable and Add Backup Servers

(54)

Task 6 – Configure Connection to the Internet through Dial-up Networking

(55)

Module 6 – Configure Remote Access VPN

6.4 Configure Cisco Easy VPN Remote for Access Routers

(56)

Easy VPN Remote Client Mode

[Figure: Cisco 831 router, Cisco router (Easy VPN Server) 12.3(11)T and VPN tunnel; addresses 10.0.0.2, 10.0.0.3, 10.0.0.4 and 192.168.100.X]

(57)

Easy VPN Remote Network Extension Mode

[Figure: Cisco 831 (Easy VPN Remote), Cisco router (Easy VPN Server) 12.3(11)T and VPN tunnel; addresses 172.16.10.5, 172.16.10.6, .4 and 172.16.X.X]

(58)

Easy VPN Remote Configuration General Tasks for Access Routers

Task 1 – (Optional) Configure the DHCP server pool.

Task 2 – Configure and assign the Cisco Easy VPN client profile.

Task 3 – (Optional) Configure XAUTH password save.

Task 4 – Initiate the VPN tunnel.

Task 5 – Verify the Cisco Easy VPN configuration.

(59)

Task 1 – Configure the DHCP Server Pool

router(config)#
ip dhcp pool pool-name

router(dhcp-config)#
network ip-address [mask | /prefix-length]
default-router address [address2 ... addressN]
import all
lease {days [hours][minutes] | infinite}
exit

router(config)#

(60)

Task 1 Example – DHCP Server Pool

[Figure: VPNREMOTE1 and VPNGATE1; networks 10.10.10.0, 20.20.20.0 and 30.30.30.0]

vpnRemote1(config)# ip dhcp pool CLIENT
vpnRemote1(dhcp-config)# network 10.10.10.0 255.255.255.0
vpnRemote1(dhcp-config)# default-router 10.10.10.1
vpnRemote1(dhcp-config)# import all
vpnRemote1(dhcp-config)# lease 3

(61)

Task 2 – Configure the Cisco Easy VPN Client Profile

router(config)#
crypto ipsec client ezvpn name

router(config-crypto-ezvpn)#
group group-name key group-key
peer [ip-address | hostname]
mode {client | network-extension | network-plus}
exit

(62)

Task 2 Example – Configure the Cisco Easy VPN Client Profile

[Figure: VPNREMOTE1 and VPNGATE1; networks 10.10.10.0, 20.20.20.0 and 30.30.30.0; Group: VPN-REMOTE-ACCESS, Peer: 20.20.20.2, Key: MYVPNKEY, Mode: Client]

vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# group VPNREMOTE1 key MYVPNKEY
vpnRemote1(config-crypto-ezvpn)# peer 20.20.20.2
vpnRemote1(config-crypto-ezvpn)# mode client
vpnRemote1(config-crypto-ezvpn)# exit

(63)

Task 2 Example – Assign Easy VPN Remote to the Interface

[Figure: VPNREMOTE1 and VPNGATE1; networks 10.10.10.0, 20.20.20.0 and 30.30.30.0]

router(config-if)#
crypto ipsec client ezvpn name [inside | outside]

vpnRemote1(config)# interface ethernet1
vpnRemote1(config-if)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-if)# exit

(64)

Task 3 – (Optional) Configure XAUTH Save Password Feature

router(config)#
crypto ipsec client ezvpn name

router(config-crypto-ezvpn)#
username aaa-username password aaa-password

vpnRemote1(config)# crypto ipsec client ezvpn VPNGATE1
vpnRemote1(config-crypto-ezvpn)# username VPNUSER password VPNPASS
vpnRemote1(config-crypto-ezvpn)# exit

(65)

Task 4 – (Optional) Initiate the VPN Tunnel (XAUTH)

Cisco IOS message: Waiting for valid XAUTH username and password.

01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:

01:34:42: EZVPN: crypto ipsec client ezvpn xauth

router#

crypto ipsec client ezvpn xauth

vpnRemote1# crypto ipsec client ezvpn xauth

Enter Username and Password: vpnusers

Password: ********

• With XAUTH: When SA expires, username and password must be manually entered.

• With XAUTH Password Save enabled: When SA expires, the last valid username and

(66)

Task 5 – Verify the Cisco Easy VPN Configuration

vpnRemote1# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : VPNGATE1
Inside interface list: Ethernet0,
Outside interface: Ethernet1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.24
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12

(67)

Easy VPN Remote Configuration Example

version 12.2
hostname VPNREMOTE1
!
username admin privilege 15 password 7 070E25414707485744
ip subnet-zero
ip domain-name cisco.com
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 3
!
crypto ipsec client ezvpn VPNGATE1
 connect auto
 group VPNREMOTE1 key 0 MYVPNKEY
 mode client
 peer 20.20.20.2

(68)

Easy VPN Remote Configuration Example (Cont.)

interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1 inside
!
interface Ethernet1
 ip address 20.20.20.1 255.255.255.0
 crypto ipsec client ezvpn VPNGATE1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 30.30.30.0 255.255.255.0 Ethernet1
ip http server
no ip http secure-server
!
line con 0
 no modem enable
 stopbits 1
line aux 0

(69)

Module 6 – Configure Remote Access VPN

6.5 Configure the PIX Security Appliance as an Easy VPN Server

(70)

EasyVPN Server General Configuration Tasks

• Task 1 – Create an ISAKMP policy for remote Cisco VPN Client access.

• Task 2 – Create an IP address pool.

• Task 3 – Define a group policy for a mode configuration push.

• Task 4 – Create a transform set.

• Task 5 – Create a dynamic crypto map.

• Task 6 – Assign a dynamic crypto map to a static crypto map.

• Task 7 – Apply a dynamic crypto map to the PIX Security Appliance interface.

• Task 8 – Configure XAUTH.

• Task 9 – Configure NAT and NAT 0.

• Task 10 – Enable IKE dead peer detection (DPD).

(71)

Create ISAKMP Policy

(72)

Create IP Address Pool

(73)

Define Group Policy for Mode Configuration Push

• Step 1 Set the Tunnel Group Type

• Step 2 Configure the IKE Pre-shared Key

• Step 3 Specify the Local IP Address Pool

• Step 4 Configure the Group Policy Type

• Step 5 Enter the Group Policy Attributes Submode

• Step 6 Specify the DNS Servers

• Step 7 Specify the WINS Servers

• Step 8 Specify the DNS Domain

• Step 9 Specify the Idle Timeout

(74)

Set Tunnel Group Type

(75)

Configure IKE Pre-Shared Key

(76)

Specify Local IP Address Pool

(77)

Configure the Group Policy Type

(78)

Enter the Group Policy Attributes Submode

(79)

Specify DNS Servers

(80)

Specify WINS Servers

(81)

Specify DNS Domain

(82)

Specify Idle Time

(83)

Create Transform Set

(84)

Create Dynamic Crypto Map

(85)

Assign Dynamic Crypto Map to Static Crypto Map

(86)

Apply Dynamic Crypto Map

(87)

Configure XAUTH

• Step 1 Enable AAA login authentication.

• Step 2 Define AAA server IP address and encryption key.

• Step 3 Enable IKE XAUTH for the crypto map.

(88)

Configure NAT and NAT 0

(89)

Enable IKE DPD

(90)

Module 6 – Configure Remote Access VPN

6.6 Configure a PIX 501 or 506E as an Easy VPN Client

(91)

PIX Easy VPN Remote

(92)

Easy VPN Remote Client Configuration

(93)

Easy VPN Client Device Mode

(94)

Module 6 – Configure Remote Access VPN

6.7 Configure the Adaptive Security Appliance to Support WebVPN

(95)

Home Page

(96)

Website Access

(97)

Port Forwarding

(98)

Enabling WebVPN

(99)

Home Page Look and Feel Configuration

(100)

Enabling WebVPN

(101)

Servers and URL Configuration Example

(102)

Enable Port Forwarding

(103)

Port Forwarding Configuration Example

(104)

Enable Email Proxy

(105)

Email Proxy Configuration Example

(106)

HTML Content Filtering

(107)

HTML Content Filtering

(108)

WebVPN ACLs
