
Configuring Remote-Access VPNs via ASDM
Created by Bob Eckhoff

This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of
operation, and how it works. This document also gives an overview of the Cisco VPN Client and
explains how it is configured for Cisco Easy VPN. In addition, this white paper explains how to
configure remote-access VPNs via the Cisco Adaptive Security Device Manager (ASDM).

Introduction to Cisco Easy VPN
This topic discusses Cisco Easy VPN, its two components, and its modes of operation.

Figure: Cisco Easy VPN components
Cisco Easy VPN clients: Cisco VPN Client Release 3.x or later.
Cisco Easy VPN servers: Cisco 800 and uBR900 Series, Cisco 1700 and 1800 Series, and Cisco 2800 and 3800 Series routers running Cisco IOS Release 12.2(8)T or later; Cisco PIX 501 and 506E Security Appliances running Cisco PIX Firewall Software Version 6.2 or later; Cisco ASA 5500 Series, including the Cisco ASA 5505 Security Appliance.

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and
teleworkers. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes VPN
management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments.
Cisco Easy VPN consists of two components: the Cisco Easy VPN server and the Cisco Easy VPN
client.
The Cisco Easy VPN Server feature enables Cisco IOS routers and security appliances to act as
VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are
using the Cisco Easy VPN Remote feature. In addition, a Cisco IOS router or security appliance
with the Cisco Easy VPN Server feature can terminate IP Security (IPsec) tunnels initiated by mobile
remote workers who are running Cisco VPN Client software on PCs. This flexibility makes it
possible for mobile and remote workers, such as salespeople on the road or teleworkers, to access
the company intranet, where critical data and applications exist. Centrally managed IPsec policies
are pushed to the clients by the server, minimizing configuration by the end users and ensuring
that those connections have up-to-date policies set before the connection is established.

The Cisco Easy VPN Remote feature enables Cisco security appliances and Cisco IOS routers to
act as Cisco Easy VPN clients. As such, these devices can receive security policies from a Cisco
Easy VPN server, minimizing VPN configuration requirements at the remote location. This
cost-effective solution is ideal for remote offices with little IT support or large customer premises
equipment (CPE) deployments where it is impractical to individually configure multiple remote
devices. This feature makes VPN configuration as easy as entering a password, which increases
productivity and lowers costs as the need for local IT support is minimized.

Cisco Easy VPN Connection Process

The Cisco Easy VPN connection process consists of the following steps:

Step 1  The Cisco Easy VPN client initiates the Internet Key Exchange (IKE) Phase 1 process.
Step 2  The Cisco Easy VPN client proposes IKE security associations (SAs).
Step 3  The Cisco Easy VPN server accepts the SA proposal, and device (group level) authentication is complete.
Step 4  If user authentication using IKE Extended Authentication (XAUTH) is configured, the Cisco Easy VPN server initiates a username and password challenge.
Step 5  The IKE Mode Configuration process, which enables a VPN gateway to download an IP address and other network configuration parameters to the client, is initiated.
Step 6  An IPsec SA is created, and IKE quick mode completes the connection.

Step 1: Cisco Easy VPN Client Initiates IKE Phase 1 Process

Figure: A remote PC running the Cisco VPN Client (Easy VPN client) starts IKE Phase 1 with the Cisco ASA (Easy VPN server). Using pre-shared keys (PSKs): initiate aggressive mode. Using digital certificates: initiate main mode.

The Cisco Easy VPN Remote feature supports a two-stage process for authenticating to the Cisco
Easy VPN Server. The first step is Group Level Authentication and is part of the control channel
creation. In this first stage, two types of authentication credentials can be used: either preshared
keys (PSK) or digital certificates.
The second authentication step is called Extended Authentication or XAUTH. In this step, the
remote side (in this case, the Cisco VPN software client) submits a username and password to the
Cisco Easy VPN Server.
Because there are two ways to perform the group level authentication, the Cisco Easy VPN client
must consider the following when initiating this phase:
- If a PSK is to be used for authentication, the Cisco Easy VPN client initiates aggressive mode.
- If digital certificates are to be used for authentication, the Cisco Easy VPN client initiates main mode.


Step 2: Cisco Easy VPN Client Proposes
IKE SAs
Remote PC with
Cisco VPN Client
(Easy VPN client)

Cisco ASA
(Easy VPN server)

Proposal 1, Proposal 2, Proposal 3

ƒ The Cisco Easy VPN client attempts to establish an SA between
peer IP addresses by sending multiple IKE proposals to the Cisco
Easy VPN server.
ƒ To reduce manual configuration on the Cisco Easy VPN client,
these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
© 2008 Cisco Systems, Inc. All rights reserved.


4

To reduce the amount of manual configuration on the Cisco Easy VPN client, a fixed combination
of encryption, hash algorithms, authentication methods (preshared key or digital certificate), and
Diffie-Hellman (DH) group sizes is proposed by the Cisco Easy VPN client.

4

Configuring Remote-Access VPNs via ASDM

© 2008 Cisco Systems, Inc.


Step 3: Cisco Easy VPN Server Accepts
SA Proposal
Remote PC with
Cisco VPN Client
(Easy VPN client)

Cisco ASA
(Easy VPN server)

Proposal 1

Proposal
checking
finds
proposal 1
match.


ƒ The Cisco Easy VPN server searches for a match:
– Starting with its highest priority policy and continuing in order
of priority, the server compares its own policies to the policies
received from the client until a match is found.
– The first proposal to match the server list is accepted.
ƒ The IKE SA is successfully established.
ƒ Device authentication ends and user authentication begins.
© 2008 Cisco Systems, Inc. All rights reserved.

5

IKE policy is global for the Cisco Easy VPN server and can consist of several proposals. Starting
with its highest priority policy and continuing in order of priority, the server compares its own
policies to the policies received from the client until it finds a match. The server accepts the first
proposal that matches one of its own. After an IKE proposal is accepted, the IKE SA is established.
At that point, device (group level) authentication ends and user authentication begins.
Note: Because the Cisco Easy VPN server uses the first match, you should always assign the
highest priorities to your most secure IKE policies.
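The following Python script is an added illustration of this first-match rule; it is not part of the Cisco white paper and not Cisco code. It models the server's IKE policy list with constructed sample policies (the cipher and hash names, DH group numbers, and priority values are assumed for the example, with a lower priority number evaluated first as on the server) and shows that, for the same client proposals, placing a weaker policy at a higher priority changes what the tunnel negotiates. A small ordering check flags that situation so it can be caught before deployment.

```python
"""Simulate the Cisco Easy VPN server's first-match IKE policy selection.

Added illustration, not code from the white paper or from Cisco. The policy
fields and priority numbers are constructed sample values; a lower priority
number means the policy is evaluated earlier, as the white paper describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = evaluated earlier (higher priority)
    encryption: str
    hash_alg: str
    authentication: str    # "pre-share" or "rsa-sig"
    dh_group: int

    def matches(self, proposal: "IkePolicy") -> bool:
        # Priority only orders the server's list; it is not part of the match.
        return (self.encryption == proposal.encryption
                and self.hash_alg == proposal.hash_alg
                and self.authentication == proposal.authentication
                and self.dh_group == proposal.dh_group)


def select_policy(server_policies, client_proposals):
    """Return (server_policy, client_proposal) for the first server policy, in
    priority order, that matches any proposal the client sent; None otherwise."""
    for policy in sorted(server_policies, key=lambda p: p.priority):
        for proposal in client_proposals:
            if policy.matches(proposal):
                return policy, proposal
    return None


# Constructed client proposal list: a strong and a weak combination are both
# offered so that the client interoperates with many servers.
CLIENT_PROPOSALS = [
    IkePolicy(0, "aes-256", "sha", "pre-share", 5),
    IkePolicy(0, "3des", "md5", "pre-share", 2),
]

# The same two policies on the server; only the priority numbers differ.
WELL_ORDERED = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 5),
    IkePolicy(65535, "3des", "md5", "pre-share", 2),
]
MISORDERED = [
    IkePolicy(10, "3des", "md5", "pre-share", 2),
    IkePolicy(65535, "aes-256", "sha", "pre-share", 5),
]


def negotiated_encryption(server_policies, client_proposals=CLIENT_PROPOSALS):
    """Which cipher the IKE SA ends up with for a given server policy order."""
    result = select_policy(server_policies, client_proposals)
    return None if result is None else result[0].encryption


def check_ordering(server_policies, strength):
    """Audit helper: list (weak_priority, strong_priority) pairs where a weaker
    policy is evaluated before a stronger one.

    `strength` maps an encryption name to a rank (higher = stronger); the
    ranking is an assumption of this example, not a Cisco table.
    """
    ordered = sorted(server_policies, key=lambda p: p.priority)
    findings = []
    for i, weak in enumerate(ordered):
        for strong in ordered[i + 1:]:
            if strength[strong.encryption] > strength[weak.encryption]:
                findings.append((weak.priority, strong.priority))
    return findings


if __name__ == "__main__":
    print("well ordered ->", negotiated_encryption(WELL_ORDERED))   # aes-256
    print("misordered  ->", negotiated_encryption(MISORDERED))      # 3des
    print("audit:", check_ordering(MISORDERED, {"aes-256": 3, "3des": 1}))
```

Running the script shows the same client, against the same two server policies, negotiating AES-256 in one ordering and 3DES in the other; only the priority numbers changed, which is exactly why the note above asks for the most secure policies at the highest priority.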



Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge

Figure: The Cisco ASA (Easy VPN server) sends a username/password challenge to the remote PC running the Cisco VPN Client (Easy VPN client), which answers with the username/password.
- If the Cisco Easy VPN server is configured for XAUTH, the Easy VPN client waits for a username/password challenge:
  – The user enters a username/password combination.
  – The username/password information is checked against authentication entities.
- All Cisco Easy VPN servers should be configured to enforce user authentication.

After the IKE SA is successfully established, and if the Cisco Easy VPN server is configured for
XAUTH, the client waits for a username and password challenge. When prompted, the user must
enter a valid username and password pair. The Cisco Easy VPN server checks the username and
password pair against authentication entities using authentication, authorization, and accounting
(AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.
Note: VPN devices that are configured to handle remote Cisco VPN Clients should always be
configured to enforce user authentication.


Step 5: Mode Configuration Process Is Initiated

Figure: The remote PC running the Cisco VPN Client (Easy VPN client) requests parameters from the Cisco ASA (Easy VPN server), which returns the system parameters via mode configuration.
- If the Cisco Easy VPN server indicates successful authentication, the Cisco Easy VPN client requests the remaining configuration parameters from the Cisco Easy VPN server:
  – Mode configuration starts.
  – The remaining system parameters, such as IP address, DNS, and split tunneling information, are downloaded to the Cisco Easy VPN client.
- The IP address is the only parameter that must be downloaded to the Cisco Easy VPN client from the Cisco Easy VPN server; all other parameters are optional.

If the Cisco Easy VPN server indicates that authentication was successful, the client requests
further configuration parameters from the Cisco Easy VPN server. The remaining system
parameters, such as IP address, Domain Name System (DNS), and split tunnel attributes, are
pushed to the client at this time using mode configuration. The IP address is the only required
parameter; all other parameters are optional.



Step 6: IKE Quick Mode Completes Connection

Figure: IKE quick mode establishes the IPsec SA between the remote PC running the Cisco VPN Client (Easy VPN client) and the Cisco ASA (Easy VPN server), and the VPN tunnel is up.
- After the configuration parameters have been successfully received by the Cisco Easy VPN client, IKE quick mode is initiated to negotiate IPsec SA establishment.
- After IPsec SA establishment, the VPN connection is complete.

After IPsec SAs are created, the connection is complete.



Overview of Cisco VPN Client
This topic introduces you to Cisco VPN Client, software that enables customers to establish
secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin client design, which
is an IPsec-compliant implementation, is available at Cisco.com.

Figure: Cisco VPN Software Client for Windows (the Cisco VPN Client window)

This figure displays the Cisco VPN Client window. You can preconfigure the connection entry
(name of connection) and hostname or IP address of remote Cisco VPN device such as the Cisco
ASA Adaptive Security Appliance. Clicking Connect initiates IKE Phase 1.
The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require very
little user intervention. VPN access policies and configurations are downloaded from the Cisco
Easy VPN Server and pushed to the Cisco VPN Client when a connection is established, allowing
simple deployment and management.
The Cisco VPN Client provides support for the following operating systems:
- Microsoft Windows 2000, XP, and Vista (x86/32-bit only)
- Linux (Intel)
- Solaris UltraSPARC 32-bit and 64-bit
- Mac OS X 10.4

The Cisco VPN Client is compatible with the following Cisco products:
- Cisco IOS software-based platforms Release 12.2(8)T and later releases
- Cisco ASA 5500 Series Adaptive Security Appliance Version 7.0 and later versions
- Cisco PIX Security Appliance Software Version 6.0 and later versions
- Cisco 7600/6500 IPsec VPN Services Module and VPN Shared Port Adapter (SPA) with Cisco IOS Software Release 12.2SX and later releases


Cisco VPN Client as Cisco Easy VPN Client

Complete the following tasks to install and configure the Cisco VPN Client as a Cisco Easy VPN client:

Task 1  Install Cisco VPN Client.
Task 2  Create a new connection entry.
Task 3  (Optional) Configure Cisco VPN Client transport properties.
Task 4  (Optional) Configure properties of Cisco VPN Client backup servers.
Task 5  (Optional) Configure dialup properties.


Task 1: Install Cisco VPN Client

Installation of the Cisco VPN Client varies slightly based on the type of operating system. Always
review the installation instructions that come with the Cisco VPN Client before attempting any
installation. Generally, installation of the Cisco VPN Client involves the following steps. (This
example is based on using the Microsoft Installer [MSI] to install the Cisco VPN Client on a
Windows 2000 PC.)

Step 1  Double-click the vpnclient_setup.msi file. The Welcome window opens.
Step 2  Read the Welcome window and click Next. The License Agreement page is displayed.
Step 3  Read the license agreement, click the I Accept the License Agreement radio button, and click Next. The Destination Folder page is displayed.
Step 4  Click Next to accept the default destination folder. The Ready to Install the Application page is displayed.
Step 5  Click Next. After the files are copied to the hard disk drive of the PC, a new page displays the message "Cisco Systems VPN Client 5.0 has been successfully installed."
Step 6  Click Finish.


Task 2: Create New Connection Entry

Figure: The VPN Client | Create New VPN Connection Entry window, showing the Connection Entry, Host, and Authentication fields.

The Cisco VPN Client enables users to configure multiple connection entries. Multiple connection
entries enable the user to build a list of possible network connection points. For example, a
corporate telecommuter may want to connect to the sales office in Boston for sales data (the first
connection entry), and then the telecommuter and the sales office may want to connect to the
Austin factory for inventory data (a second connection entry). Each connection contains a specific
entry name and remote server hostname or IP address.
Generally, creating a new connection entry involves the following steps. (This example is based on
creating new connection entries on a Windows 2000 PC.)

Step 1  Choose Start > Programs > Cisco Systems VPN Client > VPN Client. The VPN Client window opens (not shown).
Step 2  Click New. The VPN Client | Create New VPN Connection Entry window opens.
Step 3  Enter a name for the new connection entry in the Connection Entry field. In the figure, CorpNet is entered.
Step 4  (Optional) Enter a description for the new connection entry in the Description field. In the figure, Corporate Network is entered.
Step 5  Enter the public interface IP address or hostname of the remote Cisco Easy VPN server in the Host field. In the figure, 192.168.1.2 is entered.


Step 6  In the Authentication tab, click the radio button for the authentication method you want to use. You can connect as part of a group (which must be configured on the Cisco Easy VPN server) or by supplying an identity digital certificate. For this example, group authentication is used. Complete the following substeps to configure group authentication:
  - In the Name field, enter a group name that matches a group on the Cisco Easy VPN server. The group name and its password must match what is configured within the Cisco Easy VPN server. Entries are case sensitive. In the figure, TRAINING is entered.
  - In the Password field, enter the group password that matches the group password (key) on the Cisco Easy VPN server. Entries are case sensitive. In the figure, cisco123 is entered; however, only asterisks are displayed.
  - Enter the password again in the Confirm Password field. In the figure, cisco123 is entered again.
Step 7  Click Save.


Task 3: (Optional) Configure Cisco VPN Client Transport Properties

Figure: The connection entry's Transport tab (Connection Entry, Host, Transport).

From the Transport tab, you can configure the following Cisco VPN Client options:
- Transparent tunneling
- Local LAN access
- Peer response timeout
Transparent Tunneling
Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure
gateway through a router serving as a firewall, which may also be performing NAT or PAT.
Transparent tunneling encapsulates Protocol 50 (which is ESP) traffic within UDP packets and can
allow for both IKE (which uses UDP 500) and Protocol 50 traffic to be encapsulated in TCP
packets before it is sent through the NAT or PAT devices or firewalls. The most common
application for transparent tunneling is behind a home router performing PAT. To use transparent
tunneling, the central-site group in the Cisco Easy VPN server must also be configured to support
it. This parameter is enabled by default. To disable this parameter, deselect the Enable
Transparent Tunneling check box under the Transport tab. It is recommended that you leave this
parameter enabled.
Note: Not all devices support multiple simultaneous connections behind them. Some cannot map
additional sessions to unique source ports. Be sure to check with the vendor of your device
to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPsec
pass-through), which might let you operate without enabling transparent tunneling.

You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use
must match that used by the secure gateway to which you are connecting. Either mode operates
properly through a PAT device. Multiple simultaneous connections might work better with TCP. If
you are in an extranet environment, then in general, TCP mode is preferable. UDP does not
operate with stateful firewalls, so in that case, you should use TCP.


The following transport tunneling options are available:
- IPsec over UDP (NAT/PAT): Select this radio button to enable IPsec over UDP (using NAT or PAT). With UDP, the port number is negotiated. UDP is the default mode.
- IPsec over TCP: Select this radio button to enable IPsec over TCP. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.

Allowing Local LAN Access
In a multiple-network-interface-card (NIC) configuration, local LAN access pertains only to network
traffic on the interface on which the tunnel was established. Allow Local LAN Access gives you
access to the resources on your local LAN (printer, fax, shared files, and other systems) when you
are connected through a secure gateway to a central-site VPN device. When this parameter is
enabled and your central site is configured to permit it, you can access local resources while
connected. When this parameter is disabled, all traffic from your Cisco VPN Client system goes
through the IPsec connection to the secure gateway.
To enable this feature, select the Allow Local LAN Access check box; to disable it, deselect the
check box. If the local LAN you are using is not secure, you should disable this feature. For
example, you would disable this feature when you are using a local LAN in a hotel or airport.
A network administrator at the central site configures a list of networks at the Cisco VPN Client
side that you can access. You can access up to ten networks when this feature is enabled. When
local LAN access is allowed and you are connected to a central site, all traffic from your system
goes through the IPsec tunnel except traffic to the networks excluded from doing so (in the network
list).
When this feature is enabled and configured on the Cisco VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking at the Routes table.
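The per-packet decision described above, as an added example that is not the Cisco VPN Client's own code: the administrator's network list (limited to ten networks, as stated in this section), the sample home LAN, and the sample destinations are constructed values. The `local_lan_allowed` flag stands for the combination of the client's Allow Local LAN Access check box and the central site permitting it; when either is off, every packet takes the tunnel, which is the behaviour you want on an untrusted hotel or airport LAN.

```python
"""Decide whether a packet from the VPN Client host uses the IPsec tunnel or
stays on the local LAN, following the local LAN access rule in this section.

Added example, not Cisco's client code. The network list and the sample
destinations are constructed here.
"""
import ipaddress

MAX_LOCAL_LAN_NETWORKS = 10   # limit stated in the section above


def build_local_lan_list(networks):
    """Validate the administrator-configured list of local LAN networks."""
    if len(networks) > MAX_LOCAL_LAN_NETWORKS:
        raise ValueError(f"at most {MAX_LOCAL_LAN_NETWORKS} local LAN networks allowed")
    return [ipaddress.ip_network(n, strict=True) for n in networks]


def route_for(destination, local_lan_allowed, local_networks):
    """Return "local" or "tunnel" for one destination address.

    With local LAN access disabled (on the client or by the central site),
    every packet goes through the tunnel. With it enabled, only destinations
    inside the excluded network list stay off the tunnel.
    """
    dst = ipaddress.ip_address(destination)
    if local_lan_allowed:
        for net in local_networks:
            if dst in net:
                return "local"
    return "tunnel"


def routes_table(destinations, local_lan_allowed, local_networks):
    """What the client's Routes view would show for each destination."""
    return {d: route_for(d, local_lan_allowed, local_networks) for d in destinations}


# Constructed sample: a home LAN in the pushed network list; the corporate
# 10.0.1.0/24 network and the public Internet are reached through the tunnel.
HOME_LAN = build_local_lan_list(["192.168.0.0/24"])
SAMPLE_DESTINATIONS = ["192.168.0.10", "10.0.1.10", "8.8.8.8"]

if __name__ == "__main__":
    print("local LAN access enabled :", routes_table(SAMPLE_DESTINATIONS, True, HOME_LAN))
    print("local LAN access disabled:", routes_table(SAMPLE_DESTINATIONS, False, HOME_LAN))
```

With the flag enabled only the 192.168.0.10 printer stays local; with it disabled, the same packet is tunneled, so nothing on the untrusted LAN is reachable from, or can reach, the client in the clear.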

Adjusting the Peer Response Timeout Value
The Cisco VPN Client uses a keepalive mechanism, dead peer detect (DPD), to check the
availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy
or unreliable, you might need to increase the number of seconds to wait before the Cisco VPN
Client decides that the peer is no longer active. The default number of seconds to wait before
terminating a connection is 90 seconds. The minimum number you can configure is 30 seconds,
and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer
Response Timeout (Seconds) field. The Cisco VPN Client continues to send DPD requests every 5
seconds until it reaches the number of seconds specified by the peer response timeout value.
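The DPD timing in the paragraph above, modelled as an added example (not the Cisco VPN Client's implementation): probes every 5 seconds, a 90-second default peer response timeout with the 30 to 480 second limits, and a constructed list of reply timestamps standing in for the peer's answers. A reply restarts the silence window; once the silence reaches the configured timeout, the client declares the peer dead.

```python
"""Model the Cisco VPN Client's dead peer detection (DPD) timing described above.

Added example, not the client's own code. It uses the numbers the section
gives: DPD requests every 5 seconds, a peer response timeout of 90 seconds by
default, configurable between 30 and 480 seconds. Reply times are constructed.
"""
DPD_INTERVAL = 5          # seconds between DPD requests
DEFAULT_TIMEOUT = 90      # default Peer Response Timeout (Seconds)
MIN_TIMEOUT, MAX_TIMEOUT = 30, 480


def validate_timeout(seconds):
    """Accept only values the Peer Response Timeout field allows."""
    if not isinstance(seconds, int) or not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise ValueError(f"peer response timeout must be {MIN_TIMEOUT}-{MAX_TIMEOUT} s")
    return seconds


def peer_declared_dead_at(reply_times, timeout=DEFAULT_TIMEOUT, until=600):
    """Simulate DPD from t=0 and return the second at which the client gives up
    on the peer, or None if the peer kept answering through `until` seconds.

    `reply_times` lists the seconds at which a DPD reply arrived (constructed
    input). A reply restarts the silence window; a probe is sent every
    DPD_INTERVAL seconds until the silence reaches `timeout`.
    """
    timeout = validate_timeout(timeout)
    replies = sorted(reply_times)
    last_heard = 0                      # the tunnel came up at t=0
    for t in range(0, until + 1, DPD_INTERVAL):
        # consume every reply received at or before this probe time
        while replies and replies[0] <= t:
            last_heard = replies.pop(0)
        if t - last_heard >= timeout:
            return t
    return None


def probes_before_giving_up(timeout=DEFAULT_TIMEOUT):
    """Unanswered DPD requests sent before the peer is declared dead."""
    return validate_timeout(timeout) // DPD_INTERVAL


if __name__ == "__main__":
    print("replies at 10 s and 40 s, default timeout ->",
          peer_declared_dead_at([10, 40]))             # 130
    print("peer silent, 30 s timeout ->", peer_declared_dead_at([], timeout=30))
    print("peer answers every probe ->", peer_declared_dead_at(range(0, 601, 5)))
    print("probes before giving up at default ->", probes_before_giving_up())
```

The simulation makes the trade-off in the paragraph concrete: raising the timeout on a congested link avoids tearing down a healthy tunnel, but it also lengthens the window in which a peer that is really gone still looks connected.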




Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

Figure: The connection entry's Backup Servers tab (Connection Entry, Host, Backup Servers).

The private network may include one or more backup servers to use if the primary VPN server is
not available. Information on backup servers can download automatically from a VPN server, or
you can manually enter this information.
To enable backup servers from the VPN Client, complete the following steps:
Step 1  Check the Enable Backup Servers check box in the Backup Servers tab.
Step 2  Click Add. The VPN Client | Enter Backup Server window opens.
Step 3  Enter the host name or IP address of a backup server in the Enter Backup Server Hostname or IP Address field (not shown). You can use a maximum of 255 characters.
Step 4  Click OK. The hostname or IP address is displayed in the Enable Backup Servers list.
Step 5  Click Save.

You can add more backup servers by repeating Steps 2, 3, 4, and 5. To remove a server from the
backup list, select the server in the list, click Remove, and then click Save.
When necessary, the Cisco VPN Client tries the backup servers in the order in which they appear
in the backup servers list, starting at the top. To reorder the servers in the list, select a server and
click the up arrow to increase the server's priority or the down arrow to decrease the server's
priority.




Cisco VPN Client Statistics

Figure: The Cisco VPN Client Statistics window.

The Statistics window provides information about the VPN connection, routing information, and
firewall parameters information in three tabs. To access the Statistics window, click Status in the
menu bar and choose Statistics (not shown). The Tunnel Details tab displays the following
statistics for the VPN tunnel:
- Address Information
  – Client IP address: The IP address assigned to the VPN Client for the current session.
  – Server IP address: The IP address of the VPN device to which the VPN Client is connected.
- Connection Information
  – Entry: The name of the profile you are using to establish the connection.
  – Time: The length of time the connection has been up.
- Bytes
  – Received: The total amount of data received after a secure packet has been successfully decrypted.
  – Sent: The total amount of encrypted data transmitted through the tunnel.
- Crypto
  – Encryption: The data encryption method for traffic through this tunnel. Encryption makes data unreadable if intercepted.
  – Authentication: The data, or packet, authentication method used for traffic through this tunnel. Authentication verifies that no one has tampered with data.
- Packets
  – Encrypted: The total number of secured data packets transmitted out the port.
  – Decrypted: The total number of data packets received on the port.
  – Discarded: The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.
  – Bypassed: The total number of data packets that the VPN Client did not process because they did not need to be encrypted. Local ARPs and DHCP fall into this category.
- Transport
  – Transparent Tunneling: The status of tunnel transparent mode in the VPN Client, either active or inactive.
  – Local LAN: Whether access to your local area network while the tunnel is active is enabled or disabled.
  – Compression: Whether data compression is in effect as well as the type of compression in use. Currently, LZS is the only type of compression that the VPN Client supports.

The next tab is the Route Details tab, which displays routing information. This tab enables you to
view the network addresses of the networks you can access on your local LAN while you are
connected to your organization's private network through an IPsec tunnel. A network administrator
at the central site must configure the networks you can access from the client side.
The last tab is the Firewall tab. The Firewall tab displays information about the firewall
configuration of the Cisco VPN Client.



Configuring Remote-Access VPNs
This topic explains how to use the Cisco Adaptive Security Device Manager (ASDM) IPsec VPN
Wizard to configure remote-access VPNs.

Company XYZ Need: Secure Connectivity for Remote Workers

Figure: A home office connects across the Internet to the Company XYZ headquarters Cisco ASA. Behind it sit the corporate DMZ (Web and FTP servers) and the headquarters network 10.0.1.0/24.

Company XYZ employs remote workers in various locations who need access to resources at
corporate headquarters. The network security administrator for Company XYZ configures the
corporate Cisco ASA security appliance to accept remote-access VPN connections to give these
remote workers secure connectivity to headquarters.




Specifying the Tunnel Type

Figure: IPsec VPN Wizard, VPN Tunnel Type page: Remote Access is selected as the VPN Tunnel Type, together with the VPN Tunnel Interface drop-down list.

Use the IPsec VPN Wizard to create a remote-access VPN for the Cisco VPN Client. On this wizard
page, configure the VPN tunnel type:

Step 1  Click Wizards in the Cisco ASDM menu bar (not shown).
Step 2  Choose IPsec VPN Wizard. The VPN Wizard window opens.
Step 3  Choose the Remote Access radio button from the VPN Tunnel Type options.
Step 4  Verify that outside is displayed in the VPN Tunnel Interface drop-down list.
Step 5  Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
Step 6  Click Next. The Remote Access Client page is displayed.


Specifying the Remote Access Client Type

Figure: IPsec VPN Wizard, Remote Access Client page: VPN Client Type is Cisco VPN Client, Release 3.x or Higher.

On this VPN Wizard page, configure the Cisco VPN client type.

Step 7  From the Cisco VPN Client Type radio buttons, choose Cisco VPN Client, Release 3.x or Higher, or Other Easy VPN Remote Product.
Step 8  Click Next. The Cisco VPN Client Authentication Method and Tunnel Group Name page is displayed.


Specifying the VPN Client Authentication Method and Tunnel Group Name

Figure: IPsec VPN Wizard, VPN Client Authentication Method and Tunnel Group Name page: Authentication Method is Pre-Shared Key, the pre-shared key is cisco123, and the Tunnel Group Name is TRAINING.

On this VPN Wizard page, configure the VPN tunnel authentication type and tunnel group.

Step 9  From the Authentication Method options, choose the Pre-Shared Key radio button.
Step 10  Enter the preshared key in the Pre-Shared Key field. In the figure, cisco123 is entered.
Step 11  Enter a name for the tunnel group in the Tunnel Group Name field. In the figure, the name TRAINING is entered. A tunnel group (connection profile) consists of a small number of attributes applicable to creating the tunnel itself, for example, the AAA server to contact for authentication and authorization. Tunnel groups include a pointer to a group policy that defines further connection parameters. A group policy is a set of user-oriented attribute-value pairs for the IPsec connection. The tunnel group refers to a group policy to set terms for users' connections once the tunnel is established. An example of a group policy is a split tunnel policy for remote-access users or groups.
Step 12  Click Next. The Client Authentication page is displayed.


Configuring Client Authentication

Figure: IPsec VPN Wizard, Client Authentication (XAUTH) page: the AAA server group MYRADIUS, backed by the AAA server 10.0.1.10, is selected.

On this VPN Wizard page, configure the remote user authentication (XAUTH) method.

Step 13  Choose one of the following radio buttons to configure client authentication (XAUTH):
  - Authenticate Using the Local User Database: If you choose this option, the security appliance authenticates remote users using the local user database.
  - Authenticate Using a AAA Server Group: If you choose the Authenticate Using a AAA Server Group radio button, specify the name of the AAA server group in the AAA Server Group Name field. You can specify the name by selecting a previously configured AAA server group from the drop-down list, or you can create a new group by clicking the New button and completing the fields in the window it opens. In the figure, the AAA Server Group name MYRADIUS is entered.
Step 14  Click Next. The Address Pool page is displayed.


Configuring an Address Pool

Figure: IPsec VPN Wizard, Address Pool page (Name, Starting IP Address, Ending IP Address, Subnet Mask); the Cisco VPN Client in the figure receives the address 10.0.21.1.

On this VPN Wizard page, configure a pool of addresses that will be dynamically assigned to
remote users.

Step 15  Specify a pool of local IP addresses to be assigned dynamically to remote VPN clients. You can choose a previously configured pool from the Pool Name drop-down list, or you can create a new pool by clicking the New button and completing the fields in the window it opens. In the figure, a new IP address pool is created. To create a new pool, complete the following substeps:
  1. Enter a name for the IP address pool in the Name field.
  2. In the Starting IP Address field, enter the first IP address in the range of addresses for the pool.
  3. In the Ending IP Address field, enter the last IP address in the range of addresses for the pool.
  4. From the Subnet Mask drop-down list, choose the subnet mask that applies to the range of addresses.
Step 16  Click Next. The (Mode Configuration) Attributes Pushed to Clients page is displayed.
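The four pool fields of Step 15 lend themselves to a pre-commit sanity check. The following Python is an added example, not ASDM or Cisco code: the pool name and range are constructed (the white paper's figure shows only the assigned client address 10.0.21.1), and the overlap test against existing internal networks is an extra defensive check this example adds, not something the wizard page performs.

```python
"""Check an IPsec VPN address pool before it is committed, mirroring the
Name / Starting IP Address / Ending IP Address / Subnet Mask fields of the
wizard page.

Added example, not ASDM code. Pool values are constructed; the figure in the
white paper only shows a client receiving 10.0.21.1.
"""
import ipaddress


def validate_pool(name, start, end, mask):
    """Return a dict describing the pool, or raise ValueError for a bad one.

    Checks: start and end are valid IPv4 addresses, start <= end, both fall
    in the subnet defined by `mask` (dotted or prefix-length form), and
    neither the network nor the broadcast address would be handed to a client.
    """
    if not name or " " in name:
        raise ValueError("pool name must be a single non-empty token")
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("starting address is after ending address")
    subnet = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
    if last not in subnet:
        raise ValueError("starting and ending addresses are in different subnets")
    for addr in (first, last):
        if addr in (subnet.network_address, subnet.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address of {subnet}")
    return {
        "name": name,
        "start": str(first),
        "end": str(last),
        "subnet": str(subnet),
        "size": int(last) - int(first) + 1,   # simultaneous clients the pool can serve
    }


def pool_overlaps(pool, corporate_networks):
    """True if the pool's subnet collides with an existing internal network.
    This is an added check for this example, not part of the wizard."""
    pool_net = ipaddress.IPv4Network(pool["subnet"])
    return any(pool_net.overlaps(ipaddress.IPv4Network(n)) for n in corporate_networks)


def pool_problem(name, start, end, mask):
    """Return the validation error text for a pool definition, or None if valid."""
    try:
        validate_pool(name, start, end, mask)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample consistent with the figure's client address 10.0.21.1
SAMPLE_POOL = validate_pool("REMOTE-POOL", "10.0.21.1", "10.0.21.254", "255.255.255.0")

if __name__ == "__main__":
    print(SAMPLE_POOL)
    print("overlaps headquarters LAN 10.0.1.0/24?", pool_overlaps(SAMPLE_POOL, ["10.0.1.0/24"]))
    print(pool_problem("BAD", "10.0.21.200", "10.0.21.100", "255.255.255.0"))
```

Keeping the pool on its own subnet, separate from the headquarters 10.0.1.0/24 network, is what lets interface access lists and NAT rules distinguish VPN clients from internal hosts later in the configuration.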



Specifying Optional Attributes to Be Pushed to Client

Figure: IPsec VPN Wizard, Attributes Pushed to Client (Optional) page: Primary DNS Server, Secondary DNS Server, Primary WINS Server, Secondary WINS Server, and Default Domain Name. The figure shows DNS servers 10.0.1.15 and 172.30.1.15, WINS servers 10.0.1.16 and 172.30.1.16, and the domain training.com being pushed to the Cisco VPN Client, alongside the AAA server.

On this VPN Wizard page, configure the optional attributes that will be pushed down to remote
users (mode configuration).

Step 17  (Optional) In the Primary DNS Server field, enter the IP address of the DNS server that you want to use for host name resolution. In the figure, 10.0.1.15 is entered.
Step 18  (Optional) In the Secondary DNS Server field, enter the IP address of a backup DNS server. In the figure, 10.0.1.16 is entered.
Step 19  (Optional) In the Primary WINS Server field, enter the IP address of the Microsoft Windows Internet Name Service (WINS) server that you want to use for NetBIOS name resolution. In the figure, 10.0.1.17 is entered.
Step 20  (Optional) In the Secondary WINS Server field, enter the IP address of a backup WINS server. In the figure, 10.0.1.18 is entered.
Step 21  (Optional) In the Default Domain Name field, enter the name of the DNS domain to which the tunnel group specified at the top of this page belongs. The security appliance passes the default domain name to the IPsec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there is no default domain name, users inherit the default domain name in the default group policy. In the figure, training.com is entered.
Step 22  Click Next. The IKE Policy page is displayed.