
Page 1: Configuring Remote Access VPN via ASDM_Posted_1!15!09

1 Configuring Remote-Access VPNs via ASDM © 2008 Cisco Systems, Inc.

Configuring Remote-Access VPNs via ASDM Created by Bob Eckhoff

This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of operation, and how it works. This document also gives an overview of the Cisco VPN Client and explains how it is configured for Cisco Easy VPN. In addition, this white paper explains how to configure remote-access VPNs via the Cisco Adaptive Security Device Manager (ASDM).

Introduction to Cisco Easy VPN

This topic discusses Cisco Easy VPN, its two components, and its modes of operation.

© 2008 Cisco Systems, Inc. All rights reserved. 1

Cisco Easy VPN

Cisco Easy VPN Servers:

Cisco IOS Release 12.2(8)T and later routers

Cisco PIX Firewall Software Version 6.2 and later

Cisco ASA 5500 Series

Cisco Easy VPN Clients:

Cisco VPN Client 3.x and later

Cisco 800 and uBR900 Series Routers

Cisco 1700 and 1800 Series Routers

Cisco 2800 and 3800 Series Routers

Cisco ASA 5505 Security Appliance

Cisco PIX 501 and 506E Security Appliance

Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Cisco Easy VPN consists of two components: the Cisco Easy VPN server and the Cisco Easy VPN client.

The Cisco Easy VPN Server feature enables Cisco IOS routers and security appliances to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature. In addition, a Cisco IOS router or security appliance with Cisco Easy VPN Server feature can terminate IP Security (IPsec) tunnels initiated by mobile remote workers who are running Cisco VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as salespeople on the road or teleworkers, to access the company intranet, where critical data and applications exist. Centrally managed IPsec policies are pushed to the clients by the server, minimizing configuration by the end users and ensuring that those connections have up-to-date policies set before the connection is established.


The Cisco Easy VPN Remote feature enables Cisco security appliances and Cisco IOS routers to act as Cisco Easy VPN clients. As such, these devices can receive security policies from a Cisco Easy VPN server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which increases productivity and lowers costs as the need for local IT support is minimized.


Cisco Easy VPN Connection Process


The Cisco Easy VPN connection process consists of the following steps:

Step 1 The Cisco Easy VPN client initiates the Internet Key Exchange (IKE) Phase 1 process.

Step 2 The Cisco Easy VPN client proposes IKE security associations (SAs).

Step 3 The Cisco Easy VPN server accepts the SA proposal, and device (group level) authentication is complete.

Step 4 If user authentication using IKE Extended Authentication (XAUTH) is configured, the Cisco Easy VPN Server initiates a username and password challenge.

Step 5 The IKE Mode Configuration process, which enables a VPN gateway to download an IP address and other network configuration parameters to the client, is initiated.

Step 6 An IPsec SA is created, and IKE quick mode completes the connection.


Step 1: Cisco Easy VPN Client Initiates IKE Phase 1 Process

Figure: The remote PC with Cisco VPN Client (Easy VPN client) initiates IKE Phase 1 toward the Cisco ASA (Easy VPN server). Using preshared keys (PSKs)? Initiate aggressive mode. Using digital certificates? Initiate main mode.

The Cisco Easy VPN Remote feature supports a two-stage process for authenticating to the Cisco Easy VPN Server. The first step is Group Level Authentication and is part of the control channel creation. In this first stage, two types of authentication credentials can be used: either preshared keys (PSK) or digital certificates.

The second authentication step is called Extended Authentication or XAUTH. In this step, the remote side (in this case, the Cisco VPN software client) submits a username and password to the Cisco Easy VPN Server.

Because there are two ways to perform the group level authentication, the Cisco Easy VPN client must consider the following when initiating this phase:

If a PSK is to be used for authentication, the Cisco Easy VPN client initiates aggressive mode.

If digital certificates are to be used for authentication, the Cisco Easy VPN client initiates main mode.


Step 2: Cisco Easy VPN Client Proposes IKE SAs

The Cisco Easy VPN client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Cisco Easy VPN server. To reduce manual configuration on the Cisco Easy VPN client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes

Figure: The remote PC with Cisco VPN Client (Easy VPN client) sends Proposal 1, Proposal 2, and Proposal 3 to the Cisco ASA (Easy VPN server).

To reduce the amount of manual configuration on the Cisco Easy VPN client, a fixed combination of encryption, hash algorithms, authentication methods (preshared key or digital certificate), and Diffie-Hellman (DH) group sizes is proposed by the Cisco Easy VPN client.


Step 3: Cisco Easy VPN Server Accepts SA Proposal

The Cisco Easy VPN server searches for a match:
– Starting with its highest priority policy and continuing in order of priority, the server compares its own policies to the policies received from the client until a match is found.
– The first proposal to match the server list is accepted.
The IKE SA is successfully established. Device authentication ends and user authentication begins.

Figure: The Cisco ASA (Easy VPN server) checks the proposals sent by the remote PC with Cisco VPN Client (Easy VPN client) and finds that proposal 1 matches.

IKE policy is global for the Cisco Easy VPN server and can consist of several proposals. Starting with its highest priority policy and continuing in order of priority, the server compares its own policies to the policies received from the client until it finds a match. The server accepts the first proposal that matches one of its own. After an IKE proposal is accepted, the IKE SA is established. At that point, device (group level) authentication ends and user authentication begins.

Note Because the Cisco Easy VPN server uses the first match, you should always assign the highest priorities to your most secure IKE policies.
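As an added illustration (not part of the Cisco paper), the following Python models the first-match behaviour just described and shows why priority ordering matters: the same two server policies, first misordered and then corrected, lead to different accepted proposals. The algorithm names, priority numbers and the coarse strength ranking are constructed for this example.

```python
from dataclasses import dataclass

# Added example, not from the Cisco paper: models the server-side
# first-match IKE policy selection described in Step 3.


@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # e.g. "des", "3des", "aes-128", "aes-256"
    hash_alg: str     # "md5" or "sha"
    auth: str         # "pre-share" or "rsa-sig"
    dh_group: int     # 1, 2, 5, ...


# Constructed, coarse relative strength rankings (higher index = stronger).
ENC_RANK = ["des", "3des", "aes-128", "aes-256"]
HASH_RANK = ["md5", "sha"]
DH_RANK = [1, 2, 5]


def strength(p: IkeProposal) -> tuple:
    """Comparable score used only to audit priority ordering."""
    return (ENC_RANK.index(p.encryption),
            DH_RANK.index(p.dh_group),
            HASH_RANK.index(p.hash_alg))


def select_proposal(server_policies: dict, client_proposals: list):
    """Walk the server's policies from highest priority (lowest number)
    downward and accept the first one that the client also proposed.
    Returns (priority, policy), or None when nothing matches (IKE fails)."""
    for priority in sorted(server_policies):
        policy = server_policies[priority]
        if policy in client_proposals:
            return priority, policy
    return None


def audit_priority_order(server_policies: dict) -> list:
    """Return (weaker_priority, stronger_priority) pairs where a weaker
    policy outranks a stronger one and would therefore win a first match."""
    findings = []
    ordered = sorted(server_policies)
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            if strength(server_policies[hi]) < strength(server_policies[lo]):
                findings.append((hi, lo))
    return findings


# Constructed client proposal list: the Cisco VPN Client sends several
# fixed combinations; these three stand in for them.
CLIENT_PROPOSALS = [
    IkeProposal("aes-256", "sha", "pre-share", 2),
    IkeProposal("3des", "sha", "pre-share", 2),
    IkeProposal("des", "md5", "pre-share", 1),
]

# Misordered server policy set: the weakest policy holds the best priority.
MISORDERED = {
    10: IkeProposal("des", "md5", "pre-share", 1),
    20: IkeProposal("aes-256", "sha", "pre-share", 2),
}

# Same policies with the strongest given the highest priority, as the Note advises.
CORRECTED = {
    10: IkeProposal("aes-256", "sha", "pre-share", 2),
    20: IkeProposal("des", "md5", "pre-share", 1),
}

if __name__ == "__main__":
    print("misordered picks:", select_proposal(MISORDERED, CLIENT_PROPOSALS))
    print("audit findings:  ", audit_priority_order(MISORDERED))
    print("corrected picks: ", select_proposal(CORRECTED, CLIENT_PROPOSALS))
```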


Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge

If the Cisco Easy VPN server is configured for XAUTH, the Easy VPN client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
All Cisco Easy VPN servers should be configured to enforce user authentication.

Figure: The Cisco ASA (Easy VPN server) sends a username/password challenge to the remote PC with Cisco VPN Client (Easy VPN client), which returns the username/password.

After the IKE SA is successfully established, and if the Cisco Easy VPN server is configured for XAUTH, the client waits for a username and password challenge. When prompted, the user must enter a valid username and password pair. The Cisco Easy VPN server checks the username and password pair against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.

Note VPN devices that are configured to handle remote Cisco VPN Clients should always be configured to enforce user authentication.


Step 5: Mode Configuration Process Is Initiated

If the Cisco Easy VPN server indicates successful authentication, the Cisco Easy VPN client requests the remaining configuration parameters from the Cisco Easy VPN server:
– Mode configuration starts.
– The remaining system parameters, such as IP address, DNS, and split tunneling information, are downloaded to the Cisco Easy VPN client.

The IP address is the only parameter that must be downloaded to the Cisco Easy VPN client from the Cisco Easy VPN server; all other parameters are optional.

Figure: The remote PC with Cisco VPN Client (Easy VPN client) requests parameters, and the Cisco ASA (Easy VPN server) returns the system parameters via mode configuration.

If the Cisco Easy VPN server indicates that authentication was successful, the client requests further configuration parameters from the Cisco Easy VPN server. The remaining system parameters, such as IP address, Domain Name System (DNS), and split tunnel attributes, are pushed to the client at this time using mode configuration. The IP address is the only required parameter; all other parameters are optional.


Step 6: IKE Quick Mode Completes Connection

After the configuration parameters have been successfully received by the Cisco Easy VPN client, IKE quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.

Figure: Quick mode between the remote PC with Cisco VPN Client (Easy VPN client) and the Cisco ASA (Easy VPN server) establishes the IPsec SAs and brings up the VPN tunnel.

After IPsec SAs are created, the connection is complete.


Overview of Cisco VPN Client

This topic introduces you to Cisco VPN Client, software that enables customers to establish secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin client design, which is an IPsec-compliant implementation, is available at Cisco.com.


Cisco VPN Software Client for Windows

This figure displays the Cisco VPN Client window. You can preconfigure the connection entry (the name of the connection) and the hostname or IP address of the remote Cisco VPN device, such as the Cisco ASA Adaptive Security Appliance. Clicking Connect initiates IKE Phase 1.

The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require very little user intervention. VPN access policies and configurations are downloaded from the Cisco Easy VPN Server and pushed to the Cisco VPN Client when a connection is established, allowing simple deployment and management.

The Cisco VPN Client provides support for the following operating systems:

Microsoft Windows 2000, XP, and Vista (x86/32-bit only)

Linux (Intel)

Solaris UltraSPARC 32-bit and 64-bit

Mac OS X 10.4

The Cisco VPN Client is compatible with the following Cisco products:

Cisco IOS software-based platforms Release 12.2(8)T and later releases

Cisco ASA 5500 Series Adaptive Security Appliance Version 7.0 and later versions

Cisco PIX Security Appliance Software Version 6.0 and later versions

Cisco 7600/6500 IPsec VPN Services Module and VPN Shared Port Adapter (SPA) with Cisco IOS Software Release 12.2SX and later releases


Cisco VPN Client as Cisco Easy VPN Client


Complete the following tasks to install and configure the Cisco VPN Client:

Task 1 Install Cisco VPN Client.

Task 2 Create a new connection entry.

Task 3 (Optional) Configure Cisco VPN Client transport properties.

Task 4 (Optional) Configure properties of Cisco VPN Client backup servers.

Task 5 (Optional) Configure dialup properties.


Task 1: Install Cisco VPN Client

Installation of the Cisco VPN Client varies slightly based on the type of operating system. Always review the installation instructions that come with the Cisco VPN Client before attempting any installation. Generally, installation of the Cisco VPN Client involves the following steps. (This example is based on using the Microsoft Installer [MSI] to install the Cisco VPN Client on a Windows 2000 PC.)

Step 1 Double-click the vpnclient_setup.msi file. The Welcome window opens.

Step 2 Read the Welcome window and click Next. The License Agreement page is displayed.

Step 3 Read the license agreement, click the I Accept the License Agreement radio button, and click Next. The Destination Folder page is displayed.

Step 4 Click Next to accept the default destination folder. The Ready to Install the Application page is displayed.

Step 5 Click Next. After the files are copied to the hard disk drive of the PC, a new page displays the message "Cisco Systems VPN Client 5.0 has been successfully installed."

Step 6 Click Finish.


Task 2: Create New Connection Entry

Figure: The VPN Client | Create New VPN Connection Entry window, showing the Connection Entry, Host, and Authentication fields.

The Cisco VPN Client enables users to configure multiple connection entries. Multiple connection entries enable the user to build a list of possible network connection points. For example, a corporate telecommuter may want to connect to the sales office in Boston for sales data (the first connection entry), and then the telecommuter and the sales office may want to connect to the Austin factory for inventory data (a second connection entry). Each connection contains a specific entry name and remote server hostname or IP address.

Generally, creating a new connection entry involves the following steps. (This example is based on creating new connection entries on a Windows 2000 PC.)

Step 1 Choose Start > Programs > Cisco Systems VPN Client > VPN Client. The VPN Client window opens (not shown).

Step 2 Click New. The VPN Client | Create New VPN Connection Entry window opens.

Step 3 Enter a name for the new connection entry in the Connection Entry field. In the figure, CorpNet is entered.

Step 4 (Optional) Enter a description for the new connection entry in the Description field. In the figure, Corporate Network is entered.

Step 5 Enter the public interface IP address or hostname of the remote Cisco Easy VPN server in the Host field. In the figure, 192.168.1.2 is entered.


Step 6 In the Authentication tab, click the radio button for the authentication method you want to use. You can connect as part of a group (which must be configured on the Cisco Easy VPN server) or by supplying an identity digital certificate. For this example, group authentication is used. Complete the following substeps to configure group authentication:

In the Name field, enter a group name that matches a group on the Cisco Easy VPN server. The group name and its password must match what is configured within the Cisco Easy VPN server. Entries are case sensitive. In the figure, TRAINING is entered.

In the Password field, enter the group password that matches the group password (key) on the Cisco Easy VPN server. Entries are case sensitive. In the figure, cisco123 is entered; however, only asterisks are displayed.

Enter the password again in the Confirm Password field. In the figure, cisco123 is entered again.

Step 7 Click Save.


Task 3: (Optional) Configure Cisco VPN Client Transport Properties

Figure: The connection entry properties window, showing the Connection Entry, Host, and Transport tab.

From the Transport tab, you can configure the following Cisco VPN Client options:

Transparent tunneling

Local LAN access

Peer response timeout

Transparent Tunneling

Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT. Transparent tunneling encapsulates Protocol 50 (which is ESP) traffic within UDP packets and can allow for both IKE (which uses UDP 500) and Protocol 50 traffic to be encapsulated in TCP packets before it is sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT. To use transparent tunneling, the central-site group in the Cisco Easy VPN server must also be configured to support it. This parameter is enabled by default. To disable this parameter, deselect the Enable Transparent Tunneling check box under the Transport tab. It is recommended that you leave this parameter enabled.

Note Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with the vendor of your device to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPsec pass-through), which might let you operate without enabling transparent tunneling.

You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP. If you are in an extranet environment, then in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in that case, you should use TCP.


The following transport tunneling options are available:

IPsec over UDP (NAT/PAT): Select this radio button to enable IPsec over UDP (using NAT or PAT). With UDP, the port number is negotiated. UDP is the default mode.

IPsec over TCP: Select this radio button to enable IPsec over TCP. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.

Allowing Local LAN Access

In a multiple-network-interface-card (NIC) configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. Allow Local LAN Access gives you access to the resources on your local LAN (printer, fax, shared files, and other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your Cisco VPN Client system goes through the IPsec connection to the secure gateway.

To enable this feature, select the Allow Local LAN Access check box; to disable it, deselect the check box. If the local LAN you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport.

A network administrator at the central site configures a list of networks at the Cisco VPN Client side that you can access. You can access up to ten networks when this feature is enabled. When local LAN access is allowed and you are connected to a central site, all traffic from your system goes through the IPsec tunnel except traffic to the networks excluded from doing so (in the network list).

When this feature is enabled and configured on the Cisco VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking at the Routes table.
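The following Python, added here and not taken from the Cisco paper, models the local LAN access decision described above: a destination bypasses the tunnel only when the client option is enabled, the central site permits it, and the address falls in the administrator's network list, which holds at most ten networks. The network addresses are constructed for the example.

```python
import ipaddress

# Added example, not from the Cisco paper: models which traffic stays on
# the local LAN and which enters the IPsec tunnel when Allow Local LAN
# Access is in play.

MAX_LOCAL_LAN_NETWORKS = 10   # limit stated in the paper


def parse_local_lan_list(networks):
    """Central-site administrator's list of client-side networks that may
    bypass the tunnel. Enforces the ten-network maximum."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if len(nets) > MAX_LOCAL_LAN_NETWORKS:
        raise ValueError(f"local LAN list holds {len(nets)} networks; "
                         f"maximum is {MAX_LOCAL_LAN_NETWORKS}")
    return nets


def local_lan_effective(client_enabled, central_site_permits):
    """Local LAN access is in effect only when the check box is selected on
    the client AND the central-site VPN device permits it."""
    return bool(client_enabled and central_site_permits)


def route_for(dst, client_enabled, central_site_permits, local_lan_nets):
    """Decide whether a packet to dst stays on the local LAN ("local") or is
    sent through the IPsec tunnel ("tunnel")."""
    addr = ipaddress.ip_address(dst)
    if (local_lan_effective(client_enabled, central_site_permits)
            and any(addr in net for net in local_lan_nets)):
        return "local"
    return "tunnel"


def routes_table(client_enabled, central_site_permits, local_lan_nets):
    """What the client's Routes table would list as reachable local LANs."""
    if not local_lan_effective(client_enabled, central_site_permits):
        return []
    return [str(net) for net in local_lan_nets]


if __name__ == "__main__":
    # Constructed home-office networks excluded from the tunnel.
    local = parse_local_lan_list(["192.168.0.0/24", "192.168.1.0/24"])
    print(route_for("192.168.0.20", True, True, local))    # local printer
    print(route_for("10.0.1.10", True, True, local))       # corporate server
    print(route_for("192.168.0.20", False, True, local))   # disabled in a hotel
    print(routes_table(True, True, local))
```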

Adjusting the Peer Response Timeout Value

The Cisco VPN Client uses a keepalive mechanism, dead peer detection (DPD), to check the availability of the VPN device on the other side of an IPsec tunnel. If the network is unusually busy or unreliable, you might need to increase the number of seconds to wait before the Cisco VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number you can configure is 30 seconds, and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer Response Timeout (Seconds) field. The Cisco VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the peer response timeout value.


Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

Figure: The connection entry properties window, showing the Connection Entry, Host, and Backup Servers tab.

The private network may include one or more backup servers to use if the primary VPN server is not available. Information on backup servers can download automatically from a VPN server, or you can manually enter this information.

To enable backup servers from the VPN Client, complete the following steps:

Step 1 Check the Enable Backup Servers check box in the Backup Servers tab.

Step 2 Click Add. The VPN Client | Enter Backup Server window opens.

Step 3 Enter the host name or IP address of a backup server in the Enter Backup Server Hostname or IP Address field (not shown). You can use a maximum of 255 characters.

Step 4 Click OK. The hostname or IP address is displayed in the Enable Backup Servers list.

Step 5 Click Save.

You can add more backup servers by repeating Steps 2, 3, 4, and 5. To remove a server from the backup list, select the server in the list, click Remove, and then click Save.

When necessary, the Cisco VPN Client tries the backup servers in the order in which they appear in the backup servers list, starting at the top. To reorder the servers in the list, select a server and click the up arrow to increase the server's priority or the down arrow to decrease the server's priority.


Cisco VPN Client Statistics

The Statistics window provides information about the VPN connection, routing information, and firewall parameters information in three tabs. To access the Statistics window, click Status in the menu bar and choose Statistics (not shown). The Tunnel Details tab displays the following statistics for the VPN tunnel:

Address Information

— Client IP address: The IP address assigned to the VPN Client for the current session.

— Server IP address: The IP address of the VPN device to which the VPN Client is connected.

Connection Information

— Entry: The name of the profile you are using to establish the connection.

— Time: The length of time the connection has been up.

Bytes

— Received: The total amount of data received after a secure packet has been successfully decrypted.

— Sent: The total amount of encrypted data transmitted through the tunnel.

Crypto

— Encryption: The data encryption method for traffic through this tunnel. Encryption makes data unreadable if intercepted.

— Authentication: The data, or packet, authentication method used for traffic through this tunnel. Authentication verifies that no one has tampered with data.


Packets

— Encrypted: The total number of secured data packets transmitted out the port.

— Decrypted: The total number of data packets received on the port.

— Discarded: The total number of data packets that the VPN Client rejected because they did not come from the secure VPN device gateway.

— Bypassed: The total number of data packets that the VPN Client did not process because they did not need to be encrypted. Local ARPs and DHCP fall into this category.

Transport

— Transparent Tunneling: The status of transparent tunneling mode in the VPN Client, either active or inactive.

— Local LAN: Whether access to your local area network while the tunnel is active is enabled or disabled.

— Compression: Whether data compression is in effect as well as the type of compression in use. Currently, LZS is the only type of compression that the VPN Client supports.

The next tab is the Route Details tab, which displays routing information. This tab enables you to view the network addresses of the networks you can access on your local LAN while you are connected to your organization's private network through an IPsec tunnel. A network administrator at the central site must configure the networks you can access from the client side.

The last tab is the Firewall tab. The Firewall tab displays information about the firewall configuration of the Cisco VPN Client.


Configuring Remote-Access VPNs

This topic explains how to use the Cisco Adaptive Security Device Manager (ASDM) IPsec VPN Wizard to configure remote-access VPNs.


Company XYZ Need: Secure Connectivity for Remote Workers

Figure: Company XYZ topology. A home office connects across the Internet to the Cisco ASA at headquarters; the corporate DMZ hosts Web and FTP servers, and the internal headquarters network is 10.0.1.0/24.

Company XYZ employs remote workers in various locations who need access to resources at corporate headquarters. The network security administrator for Company XYZ configures the corporate Cisco ASA security appliance to accept remote-access VPN connections to give these remote workers secure connectivity to headquarters.


Specifying the Tunnel Type

Figure: The IPsec VPN Wizard page showing the VPN Tunnel Type options (Remote Access selected, for a remote-access IPsec VPN) and the VPN Tunnel Interface drop-down list.

Use the IPsec VPN Wizard to create a remote-access VPN for the Cisco VPN Client. On this wizard page, configure the VPN tunnel type:

Step 1 Click Wizards in the Cisco ASDM menu bar (not shown).

Step 2 Choose IPsec VPN Wizard. The VPN Wizard window opens.

Step 3 Choose the Remote Access radio button from the VPN Tunnel Type options.

Step 4 Verify that outside is displayed in the VPN Tunnel Interface drop-down list.

Step 5 Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.

Step 6 Click Next. The Remote Access Client page is displayed.


Specifying the Remote Access Client Type

Figure: The Remote Access Client page, with VPN Client Type set to Cisco VPN Client, Release 3.x or Higher.

On this VPN Wizard page, configure the Cisco VPN client type.

Step 7 From the Cisco VPN Client Type radio buttons, choose Cisco VPN Client, Release 3.x or Higher, or Other Easy VPN Remote Product.

Step 8 Click Next. The Cisco VPN Client Authentication Method and Tunnel Group Name page is displayed.


Specifying the VPN Client Authentication Method and Tunnel Group Name

Figure: VPN Client Authentication Method and Tunnel Group Name page. Authentication Method: Pre-Shared Key (cisco123); Tunnel Group Name: TRAINING.

On this VPN Wizard page, configure the VPN tunnel authentication type and tunnel group.

Step 9 From the Authentication Method options, choose the Pre-Shared Key radio button.

Step 10 Enter the preshared key in the Pre-Shared Key field. In the figure, cisco123 is entered; that is a lab value. One key is shared by every user of the tunnel group and is distributed in the client connection profile, so it is a group credential rather than a per-user secret. Use a long random key, and rely on the XAUTH user authentication configured in Step 13 to identify individual users.

Step 11 Enter a name for the tunnel group in the Tunnel Group Name field. In the figure, the name TRAINING is entered. A tunnel group (connection profile) consists of a small number of attributes that apply to creating the tunnel itself, for example the AAA server to contact for authentication and authorization. Each tunnel group includes a pointer to a group policy that defines further connection parameters. A group policy is a set of user-oriented attribute-value pairs for the IPsec connection; the tunnel group refers to it to set the terms of users' connections once the tunnel is established. An example of a group policy attribute is the split-tunnel policy for remote-access users or groups.

Step 12 Click Next. The Client Authentication page is displayed.


Configuring Client Authentication

Figure: Client Authentication page. The Cisco VPN Client is authenticated (XAUTH) against AAA server 10.0.1.10 in the server group MYRADIUS.

On this VPN Wizard page, configure the remote user authentication (XAUTH) method.

Step 13 Choose one of the following radio buttons to configure client authentication (XAUTH):

Authenticate Using the Local User Database If you choose this option, the security appliance authenticates remote users using the local user database.

Authenticate Using a AAA Server Group If you choose the Authenticate Using a AAA Server Group radio button, specify the name of the AAA server group in the AAA Server Group Name field. You can specify the name by selecting a previously configured AAA server group from the drop-down list, or you can create a new group by clicking the New button and completing the fields in the window it opens. In the figure, the AAA Server Group name MYRADIUS is entered.

Step 14 Click Next. The Address Pool page is displayed.


Configuring an Address Pool

Figure: Address Pool page with the Name, Starting IP Address, Ending IP Address and Subnet Mask fields; the Cisco VPN Client in the figure is assigned 10.0.21.1.

On this VPN Wizard page, configure a pool of addresses that will be dynamically assigned to remote users.

Step 15 Specify a pool of local IP addresses to be assigned dynamically to remote VPN clients. Choose a range that does not overlap any internal network, and make sure the internal routers route that range back to the security appliance; the pool is also the destination network of the NAT exemption configured later in the wizard. You can choose a previously configured pool from the Pool Name drop-down list, or you can create a new pool by clicking the New button and completing the fields in the window it opens. In the figure, a new IP address pool is created. To create a new pool, complete the following substeps:

1. Enter a name for the IP address pool in the Name field.

2. In the Starting IP Address field, enter the first IP address in the range of addresses for the pool.

3. In the Ending IP Address field, enter the last IP address in the range of addresses for the pool.

4. From the Subnet Mask drop-down list, choose the subnet mask that applies to the range of addresses.

Step 16 Click Next. The (Mode Configuration) Attributes Pushed to Clients page is displayed.


Specifying Optional Attributes to Be Pushed to Client

Figure: Attributes Pushed to Client (Optional) page: Primary and Secondary DNS Server, Primary and Secondary WINS Server, Default Domain Name. The figure labels show DNS 10.0.1.15 and 172.30.1.15, WINS 10.0.1.16 and 172.30.1.16, and the domain training.com.

On this VPN Wizard page, configure the optional attributes which will be pushed down to remote users (mode configuration).

Step 17 (Optional) In the Primary DNS Server field, enter the IP address of the DNS server that you want to use for host name resolution. In the figure, 10.0.1.15 is entered.

Step 18 (Optional) In the Secondary DNS Server field, enter the IP address of a backup DNS server. In the figure, 10.0.1.16 is entered.

Step 19 (Optional) In the Primary WINS Server field, enter the IP address of the Microsoft Windows Internet Name Service (WINS) server that you want to use for NetBIOS name resolution. In the figure, 10.0.1.17 is entered.

Step 20 (Optional) In the Secondary WINS Server field, enter the IP address of a backup WINS server. In the figure, 10.0.1.18 is entered.

Step 21 (Optional) In the Default Domain Name field, enter the name of the DNS domain to which the tunnel group specified at the top of this page belongs. The security appliance passes the default domain name to the IPsec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there is no default domain name, users inherit the default domain name in the default group policy. In the figure, training.com is entered.

Step 22 Click Next. The IKE Policy page is displayed.


Configuring the IKE Policy

Figure: IKE Policy page. Encryption: 3DES; Authentication: SHA; DH Group: Group 2.

On this VPN Wizard page, configure the IKE (phase 1) encryption, authentication, and DH group parameters. The figure shows the defaults of this release: 3DES, SHA and DH group 2. 3DES and the 1024-bit group 2 are now regarded as legacy choices; the appliance also offers AES and DH group 5, which are preferable when the client software supports them.

Step 23 From the Encryption drop-down list, choose the encryption algorithm that the VPN devices will use to negotiate an IKE SA. The encryption algorithm must match the encryption algorithm that you configure on the other end of the connection.

Step 24 From the Authentication drop-down list, choose the authentication algorithm that the VPN devices will use to negotiate an IKE SA. The authentication algorithm must match the authentication algorithm that you configure on the other end of the connection.

Step 25 From the DH Group drop-down list, choose the Diffie-Hellman group that the VPN devices will use to negotiate an IKE SA. The DH group must match the DH group that you configure on the other end of the connection.

Step 26 Click Next. The IPsec Encryption and Authentication page is displayed.


Configuring IPsec Encryption and Authentication

Figure: IPsec Encryption and Authentication page. Encryption: 3DES; Authentication: SHA.

On this VPN Wizard page, configure the IPsec encryption and authentication parameters.

Step 27 From the Encryption drop-down list, choose the encryption algorithm for this IPsec VPN tunnel. The encryption algorithm must match the encryption algorithm that you configure on the other end of the connection.

Step 28 From the Authentication drop-down list, choose the authentication algorithm for the IPsec VPN tunnel. The authentication algorithm must match the authentication algorithm that you configure on the other end of the connection.

Step 29 Click Next. The Address Translation Exemption and Split Tunneling page is displayed.


Configuring Address Translation Exemption and Split Tunneling

Figure: Address Translation Exemption and Split Tunneling page. Host/Network 10.0.1.0/24 on the inside interface is exempt from translation; traffic between it and the client (10.0.21.1) is encrypted and not translated. The Enable Split Tunneling check box is shown unchecked.

On this VPN Wizard page, configure the address translation exemption and, optionally, split tunneling.

Step 30 From the Interface drop-down list, choose the interface where hosts or networks that do not require address translation reside. In the figure, inside is chosen.

Step 31 In the Address field, enter the IP address for the host or network that does not require address translation. In the figure, 10.0.1.0/24 is entered. With this configuration, traffic sent through the VPN tunnel between network 10.0.1.0/24 and the client address pool bypasses address translation. The wizard implements this as an identity NAT rule (nat 0 with an access list) from the inside network to the pool; without it, replies to VPN clients would be translated before encryption and would not match the tunnel.

Step 32 Click Add to move the IP address to the Selected Hosts/Networks list.

Note If you want all hosts and networks to be exempt from NAT, configure nothing on this panel. If you create even one entry, all other hosts and networks are subject to NAT.

Step 33 (Optional) If you want to allow remote-access clients to send unencrypted traffic to the Internet, check the Enable Split Tunneling to Let Remote Users Have Simultaneous Encrypted Access to the Resources Defined Above, and Unencrypted Access to the Internet check box. With split tunneling enabled, packets bound for hosts on the other side of the IPsec tunnel are encrypted, sent across the tunnel, decrypted, and then routed to their final destination; packets bound for other destinations travel unencrypted directly to their destination. Split tunneling is primarily a traffic management feature, not a security feature: a split-tunneling PC has a direct path to the Internet and an encrypted path into the corporate network at the same time, so a compromise of that PC bridges the two. For optimum security, it is recommended that you not enable split tunneling. In the figure, split tunneling is not enabled.

Step 34 Click Next. The Summary page is displayed.


Reviewing the Remote Access VPN Configuration

Figure: Summary page, with the topology Home Office, Internet, Corporate DMZ and Headquarters (10.0.1.0/24).

Review your configuration. The Summary panel displays all of the attributes of your remote-access VPN as configured. If you need to make changes, click the Back button until you reach the page on which the change needs to be made.

Step 35 When you are satisfied with the configuration, click Finish. After you click Finish, you can no longer use the VPN wizard to make changes to this configuration. Use the Remote Access VPN menu items to edit and configure advanced features.
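The wizard writes the same configuration that you would otherwise enter at the CLI. The following Python script is an added example, not part of the white paper or of Cisco's own tooling: it renders the ASA 8.0-style CLI equivalent of the wizard inputs used in the figures (tunnel group TRAINING, pool 10.0.21.1 to 10.0.21.254, 3DES/SHA/group 2, NAT exemption for 10.0.1.0/24, split tunneling off) and then audits those choices the way a reviewer would. The object names VPNPOOL, outside_dyn_map, outside_map, inside_nat0_outbound and TRAINING_splitTunnelAcl, and the audit's thresholds, are assumptions of the example.

```python
"""ASA 8.0-style CLI equivalent of the IPsec VPN Wizard choices, plus an audit of
those choices. Added example, not Cisco code: the object names (VPNPOOL,
outside_dyn_map, outside_map, inside_nat0_outbound, <group>_splitTunnelAcl) and
the audit thresholds are assumptions made here."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class WizardInput:
    tunnel_group: str
    pre_shared_key: str
    pool_start: str
    pool_end: str
    pool_mask: str
    pool_name: str = "VPNPOOL"
    aaa_server_group: Optional[str] = None          # None: local user database
    dns: List[str] = field(default_factory=list)
    wins: List[str] = field(default_factory=list)
    default_domain: Optional[str] = None
    ike_encryption: str = "3des"                    # des | 3des | aes | aes-192 | aes-256
    ike_hash: str = "sha"                           # md5 | sha
    ike_dh_group: int = 2                           # 1 | 2 | 5 | 7
    ipsec_encryption: str = "esp-3des"
    ipsec_auth: str = "esp-sha-hmac"
    nat_exempt: List[str] = field(default_factory=list)  # inside networks (CIDR)
    split_tunnel: bool = False
    bypass_interface_acl: bool = True               # wizard Step 5 check box


def render_cli(w: WizardInput) -> List[str]:
    """Running-config lines equivalent to clicking Finish with these choices."""
    pool = ipaddress.ip_network(f"{w.pool_start}/{w.pool_mask}", strict=False)
    ts = "ESP-" + w.ipsec_encryption.split("-", 1)[1].upper()
    ts += "-SHA" if "sha" in w.ipsec_auth else "-MD5"
    gp = w.tunnel_group
    lines = ["crypto isakmp policy 10", " authentication pre-share",
             f" encryption {w.ike_encryption}", f" hash {w.ike_hash}",
             f" group {w.ike_dh_group}", " lifetime 86400",
             "crypto isakmp enable outside",
             f"crypto ipsec transform-set {ts} {w.ipsec_encryption} {w.ipsec_auth}",
             f"crypto dynamic-map outside_dyn_map 20 set transform-set {ts}",
             "crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map",
             "crypto map outside_map interface outside",
             f"ip local pool {w.pool_name} {w.pool_start}-{w.pool_end} mask {w.pool_mask}"]
    # NAT exemption (Steps 30-32): inside network <-> client pool is not translated.
    for cidr in w.nat_exempt:
        n = ipaddress.ip_network(cidr)
        lines.append(f"access-list inside_nat0_outbound extended permit ip "
                     f"{n.network_address} {n.netmask} {pool.network_address} {pool.netmask}")
        if w.split_tunnel:   # the same networks are the ones tunnelled (Step 33)
            lines.append(f"access-list {gp}_splitTunnelAcl standard permit "
                         f"{n.network_address} {n.netmask}")
    if w.nat_exempt:
        lines.append("nat (inside) 0 access-list inside_nat0_outbound")
    lines += [f"group-policy {gp} internal", f"group-policy {gp} attributes",
              " vpn-tunnel-protocol IPSec"]
    if w.dns:
        lines.append(" dns-server value " + " ".join(w.dns))
    if w.wins:
        lines.append(" wins-server value " + " ".join(w.wins))
    if w.default_domain:
        lines.append(f" default-domain value {w.default_domain}")
    if w.split_tunnel:
        lines += [" split-tunnel-policy tunnelspecified",
                  f" split-tunnel-network-list value {gp}_splitTunnelAcl"]
    else:
        lines.append(" split-tunnel-policy tunnelall")
    lines += [f"tunnel-group {gp} type remote-access",
              f"tunnel-group {gp} general-attributes",
              f" address-pool {w.pool_name}",
              f" authentication-server-group {w.aaa_server_group or 'LOCAL'}",
              f" default-group-policy {gp}",
              f"tunnel-group {gp} ipsec-attributes",
              f" pre-shared-key {w.pre_shared_key}"]
    if w.bypass_interface_acl:
        lines.append("sysopt connection permit-vpn")
    return lines


def audit(w: WizardInput) -> List[str]:
    """'code: reason' findings on the wizard choices; the codes and the
    20-character key threshold are this example's own conventions."""
    out = []
    if len(w.pre_shared_key) < 20:
        out.append("short-psk: one key is shared by every user of the tunnel group and "
                   "travels in the client profile; use a long random value")
    if "des" in (w.ike_encryption, w.ipsec_encryption[4:]):
        out.append("des: 56-bit DES offers no real protection")
    elif "3des" in (w.ike_encryption, w.ipsec_encryption[4:]):
        out.append("legacy-3des: prefer AES (encryption aes-256 / esp-aes-256)")
    if w.ike_hash == "md5" or w.ipsec_auth == "esp-md5-hmac":
        out.append("md5: use SHA for the IKE hash and ESP integrity")
    if w.ike_dh_group == 1:
        out.append("dh1: 768-bit Diffie-Hellman group")
    elif w.ike_dh_group == 2:
        out.append("legacy-dh2: 1024-bit modulus; prefer group 5 or stronger")
    if w.split_tunnel:
        out.append("split-tunnel: the PC is on the Internet and the corporate network at once")
    if w.bypass_interface_acl:
        out.append("bypass-acl: decrypted traffic skips the outside ACL; pair it with a vpn-filter")
    return out


# The values entered in the white paper's figures (tunnel group TRAINING).
TRAINING = WizardInput(
    tunnel_group="TRAINING", pre_shared_key="cisco123",
    pool_start="10.0.21.1", pool_end="10.0.21.254", pool_mask="255.255.255.0",
    aaa_server_group="MYRADIUS", dns=["10.0.1.15", "10.0.1.16"],
    wins=["10.0.1.17", "10.0.1.18"], default_domain="training.com",
    nat_exempt=["10.0.1.0/24"])
```

Calling audit(TRAINING) flags the short lab key, 3DES, DH group 2 and the interface-ACL bypass. The bypass is not wrong in itself, but it means the group-policy ACL or a per-user vpn-filter is the only filter applied to remote users, which is why the audit pairs the two.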

Configuring Users and Groups

This topic provides an overview of configuring users and groups.

Figure: Three group policies (Engineering, Marketing and Training) on the central-site security appliance; each is pushed to the matching Cisco VPN Client (Eng, Mktg, Training) across the Internet. Internal networks shown: 10.0.0.0/24 and 10.0.1.0/24.

Within a corporation, not everyone has the same access requirements: customer service engineers may require 7-day, 24-hour access; sales entry personnel need 5-day, 8-hour access, and contractors might need access from 9 a.m. to 5 p.m., with restricted server access. The security appliance can accommodate different access and usage requirements. By using group policies, you can define different rights and privileges on a group basis. A customer service engineer, sales entry person, and contractor can be assigned to different groups. Within each group, you can configure different access hours, access protocols, idle timeouts, and server restrictions.

A group policy is a set of user-oriented attribute and value pairs for IPsec connections that are stored either internally on the security appliance or externally on a RADIUS server. The connection profile (tunnel-group) refers to a group policy that sets terms for user connections after the tunnel is established. Group policies enable you to apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user. Each remote VPN user belongs to a specific VPN group. As users establish VPN tunnels to the Cisco Easy VPN Server, they identify the group to which they belong. The Cisco Easy VPN Server responds by pushing the appropriate VPN group policy to the remote user.

If you decide to grant identical rights to all VPN users, you do not need to configure specific group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and a management information systems (MIS) group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Group policies provide the flexibility to do so securely.


The security appliance includes a default group policy named DfltGrpPolicy. This group policy always exists on the security appliance, but it does not take effect unless you configure the security appliance to use it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. You cannot delete the default group policy, but you can modify it. You can also create one or more group policies specific to your environment. You can configure internal and external group policies. Internal groups are configured on the security appliance's internal database. External groups are configured on an external authentication server, such as RADIUS.

Group policies include the following attributes:

Identity

Server definitions

Client firewall settings

Tunneling protocols

IPsec settings

Hardware client settings

Filters

Client configuration settings

Connection settings

In the figure, there are three VPN group policies configured: Engineering, Marketing, and Training. Each Cisco VPN Client belongs to one group. As they establish VPN tunnels, they identify which VPN group they belong to. The central site security appliance pushes a specific policy to each remote user.


Groups and Users

Figure: DfltGrpPolicy applies to the Corporate group; the departmental groups Customer Service, MIS and Finance each inherit from DfltGrpPolicy; individual users (Customer Support Engineer, UNIX Systems Administrator, Comptroller) belong to those groups.

By default, users inherit all user attributes from the assigned group policy. The security appliance also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. For example, you can specify a group policy giving all users access during business hours, but give a specific user 24-hour access.

To assign attributes to an individual user, the user account must already exist on the security appliance. For an existing user account, you can use the username attributes command to enter the configuration mode for username attributes and configure the attributes. Any attributes that you do not specify are inherited from the group policy. User-specific attributes always take precedence over group-specific attributes. By default, VPN users that you add with the username command have no user-specific attributes and no explicit group-policy association; any value that is to differ from the group policy must be configured explicitly. You can use the CLI to configure the following attributes for a specific user:

group-lock: Names an existing connection profile with which the user is required to connect

password-storage: Enables or disables storage of the login password on the client system

vpn-access-hours: Specifies the name of a configured time-range policy

vpn-filter: Specifies the name of a user-specific ACL

vpn-framed-ip-address: Specifies the IP address and the net mask to be assigned to the client

vpn-group-policy: Specifies the name of a group policy from which to inherit attributes

vpn-idle-timeout: Specifies the idle timeout period in minutes, or none to disable

vpn-session-timeout: Specifies the maximum user connection time in minutes, or none for unlimited time

vpn-simultaneous-logins: Specifies the maximum number of simultaneous logins allowed

vpn-tunnel-protocol: Specifies permitted tunneling protocols


Configuring Group Policies

Figure: Configuration > Remote Access VPN > Network (Client) Access > Group Policies.

To modify the default group policy or create a new internal group policy, complete the following steps:

Step 1 Click the Configuration button in the Cisco ASDM toolbar.

Step 2 Choose Remote Access VPN from the navigation pane.

Step 3 Expand the Network (Client) Access menu.

Step 4 Choose Group Policies. The Group Policies panel is displayed.

Step 5 To modify the default group policy, select it in the table in the Group Policies panel and click Edit. To create a new group policy, click Add and choose Internal Group Policy from the drop-down list. The Edit Internal Group Policy: DfltGrpPolicy window opens if you are editing the default group policy. The Add Internal Group Policy window opens if you are adding a new policy.

Note The default group policy is always internal. You cannot change it to external.


Configuring Internal Group Policies

Figure: Add Internal Group Policy window with the General, Servers and Advanced entries in the navigation pane.

Step 6 Verify that General is selected in the navigation pane.

Step 7 Enter a name for the group policy in the Name field. In the figure, the name MYGROUP is entered.

Step 8 Deselect the Inherit check boxes for the attributes you do not want the group to inherit from the default group policy. You can use the fields and buttons that become active to configure the attributes. In the figure, the Inherit check box for Access Hours is deselected, so the corresponding field and the Manage button are active. For this example, click the Manage button. This opens a separate window for configuring a time range for the group policy, as shown in the next figure.

Step 9 If you want to specify DNS servers, WINS servers, or a default domain for the group policy, click Servers in the navigation pane. Then deselect the Inherit check boxes for the attributes you do not want the group policy to inherit from the default group policy, and use the fields and buttons that become active to configure the attributes.

Step 10 If you want to configure Advanced options such as split tunneling for the group policy, expand the Advanced menu in the navigation pane. Make your selection from the Advanced menu, and configure the settings as described in Steps 8 and 9 above.


Configuring Internal Group Policies (Cont.)

Figure: Browse Time Range window and its Add button.

Step 11 When you have completed your configuration, click OK until you return to the Group Policies panel.

Step 12 Click Apply in the Group Policies panel.

This figure shows the Browse Time Range window that opens as a result of clicking the Manage button for the Access Hours attribute. In this example, the Browse Time Range window and the Add Time Range and Recurring Time Range windows, which are accessible from it, are used to specify a time range that starts immediately and never ends. The time range is named OFFICE_HOURS and allows access only Monday through Friday from 7:00 a.m. to 6:00 p.m. (0700 to 1800).


Applying a Group Policy to a User Account

Figure: Configuration > Remote Access VPN > AAA Setup > Local Users, then Edit.

To apply a new group policy to a specific user, complete the following steps:

Step 1 Click Configuration in the Cisco ASDM toolbar.

Step 2 Click Remote Access VPN in the navigation pane.

Step 3 Expand the AAA Setup menu.

Step 4 Click Local Users. The Local Users panel is displayed.

Step 5 Select the user account to which you want to apply the group policy.

Step 6 Click Edit. The Edit User Account window opens.


Applying a Group Policy to a User Account (Cont.)

Figure: Edit User Account window, VPN Policy page: Group Policy, Tunneling Protocols, Filter, Tunnel Group Lock, Store Password on Client System, Connection Settings, Dedicated IP Address.

Step 7 Click VPN Policy.

Step 8 Deselect the Group Policy: Inherit check box.

Step 9 Select the new group policy from the Group Policy drop-down list.

Step 10 Click OK.

Step 11 Click Apply in the Local Users panel.

If the other check boxes in this window remain checked, the corresponding settings take their values from the group policy. To specify a different value for any setting, deselect the check box for the setting and use the activated fields, drop-down lists, check boxes, or radio buttons to specify the value. You can configure the following VPN policy settings for the user:

Tunneling protocols: Specify one or more tunneling protocols that this user can use. The choices are IPsec, clientless SSL VPN, SSL VPN client, and L2TP over IPsec.

Filter: Specify a filter to use for the policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol.

Tunnel group lock: Specify whether the user is restricted to a specific tunnel group for remote-access VPN connections.

Store password on client system: Specify whether the login password is stored on the client system. If you select the No radio button, the user is required to enter the password with each connection. For maximum security, it is recommended that you accept this default setting to prohibit password storage. This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.


In the Connection Settings area, you can configure the following settings:

Access hours: If the Inherit check box is not selected, you can select the name of an existing access hours policy, if any, or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is Unrestricted.

Simultaneous logins: If the Inherit check box is not selected, this parameter specifies the maximum number of simultaneous logins allowed for the user. The default value is 3. The minimum value is 0, which disables login and prevents user access.

Maximum connect time: If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).

Idle timeout: If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. This value does not apply to users of clientless SSL VPN connections.

You can also specify an IP address for the user. To do so, enter the IP address in the IP address field, and choose the corresponding subnet mask from the Subnet Mask drop-down list.
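To see what a given user actually receives from the three layers described in this topic (DfltGrpPolicy, the group policy named by the user's vpn-group-policy or by the connection profile's default-group-policy, and the username attributes), the following Python script, an added example and not Cisco code, parses the relevant blocks of a running configuration and resolves the effective attributes with user values taking precedence. It also applies the two hard denials those attributes encode: vpn-simultaneous-logins 0 and a group-lock that names a different connection profile. SAMPLE_CONFIG is constructed for the example; the policy MYGROUP, the ACL ENG_ACL, the time range OFFICE_HOURS and the usernames are made up.

```python
"""Resolve the attributes a VPN user actually gets: DfltGrpPolicy, overlaid by the
group policy (from the user's vpn-group-policy or, failing that, the connection
profile's default-group-policy), overlaid by the username attributes.
Added example, not Cisco code; SAMPLE_CONFIG and all names in it are made up."""
import re
from typing import Dict, List, Tuple

Block = Tuple[str, str]   # (kind, name), e.g. ("username", "jdoe")

SAMPLE_CONFIG = """\
time-range OFFICE_HOURS
 periodic weekdays 7:00 to 18:00
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
group-policy MYGROUP internal
group-policy MYGROUP attributes
 vpn-access-hours value OFFICE_HOURS
 vpn-idle-timeout 15
tunnel-group TRAINING type remote-access
tunnel-group TRAINING general-attributes
 default-group-policy MYGROUP
username jdoe password ***** encrypted
username jdoe attributes
 vpn-group-policy MYGROUP
 vpn-access-hours none
 vpn-simultaneous-logins 1
 vpn-filter value ENG_ACL
username contractor attributes
 vpn-simultaneous-logins 0
username vendor attributes
 group-lock value VENDORS
"""

HEADER = re.compile(r"^(group-policy|username) (\S+) attributes$|"
                    r"^(tunnel-group) (\S+) general-attributes$|"
                    r"^(time-range) (\S+)$")


def parse_blocks(config: str) -> Dict[Block, Dict[str, str]]:
    """Collect the indented attribute lines under each header of interest."""
    blocks: Dict[Block, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # a new top-level command
            m = HEADER.match(line)
            current = tuple(g for g in m.groups() if g) if m else None
            if current:
                blocks.setdefault(current, {})
            continue
        if current:                            # indented: attribute of current block
            key, _, value = line.strip().partition(" ")
            blocks[current][key] = value
    return blocks


def effective_attrs(blocks: Dict[Block, Dict[str, str]], user: str,
                    tunnel_group: str) -> Dict[str, str]:
    """User-specific values win, then the group policy, then DfltGrpPolicy."""
    user_attrs = blocks.get(("username", user), {})
    tg = blocks.get(("tunnel-group", tunnel_group), {})
    gp = user_attrs.get("vpn-group-policy") or tg.get("default-group-policy", "DfltGrpPolicy")
    eff = dict(blocks.get(("group-policy", "DfltGrpPolicy"), {}))
    eff.update(blocks.get(("group-policy", gp), {}))
    eff.update({k: v for k, v in user_attrs.items() if k != "vpn-group-policy"})
    eff["group-policy"] = gp
    return eff


def login_allowed(eff: Dict[str, str], tunnel_group: str) -> Tuple[bool, str]:
    """Hard denials encoded in the attributes: zero logins, or a group-lock
    that names a different connection profile than the one being used."""
    if eff.get("vpn-simultaneous-logins") == "0":
        return False, "vpn-simultaneous-logins 0 disables VPN access for the account"
    lock = eff.get("group-lock", "")
    if lock.startswith("value ") and lock[6:] != tunnel_group:
        return False, f"group-lock restricts the user to connection profile {lock[6:]}"
    return True, "ok"


def dangling_time_ranges(blocks: Dict[Block, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """vpn-access-hours values that name a time-range the config never defines."""
    defined = {name for kind, name in blocks if kind == "time-range"}
    out = []
    for (kind, name), attrs in blocks.items():
        v = attrs.get("vpn-access-hours", "")
        if v.startswith("value ") and v[6:] not in defined:
            out.append((kind, name, v[6:]))
    return out
```

For jdoe the result shows the override behaviour from the text: access hours come from the user (none, that is, unrestricted), the idle timeout from MYGROUP (15) and the session timeout from DfltGrpPolicy (none). A user with no username attributes block gets MYGROUP through the TRAINING connection profile's default-group-policy.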


Configuring External Group Policies

Figure: Add External Group Policy window with the Name, Server Group and Password fields.

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group.

Note External group names on the security appliance refer to user names on the RADIUS server. In other words, if you configure external group X on the security appliance, the RADIUS server sees the query as an authentication request for user X. Therefore, external groups are really just user accounts on the RADIUS server that have special meaning to the security appliance. If your external group attributes exist in the same RADIUS server as the users that you plan to authenticate, there must be no name duplication between them.

To configure an external group policy, complete the following steps:

Step 1 Click Add in the Group Policies panel (not shown).

Step 2 Choose External Group Policy from the drop-down list. The Add External Group Policy window opens.

Step 3 Enter a name for the group policy in the Name field.

Step 4 Choose a server group from the Server Group drop-down list, or click New to create a new server group. The new external group policy will get its attributes from the external server group you specify. If you click New to create a new server group, choose New RADIUS Server Group from the drop-down list. For an external group policy, RADIUS is the only supported AAA server type.


Step 5 In the Password field, enter the password to use when retrieving the attributes.

Step 6 Click OK.

Step 7 Click Apply in the Group Policies panel.

Monitoring and Verifying Remote-Access VPN

This topic provides an overview of monitoring and verifying your remote-access VPN.

Using ASDM to Monitor the VPN

Figure: Monitoring > VPN, with the VPN Connection Graphs (IPsec Tunnels) and VPN Statistics (Crypto Statistics, Encryption Statistics, Global IKE/IPsec Statistics, Protocol Statistics, Sessions) submenus.

To verify and monitor your remote-access VPN, click the Monitoring button in the Cisco ASDM toolbar and choose VPN from the navigation pane. Three submenus are displayed. The following two can be used for monitoring your IPsec remote-access VPN:

VPN Connection Graphs: Contains the IPsec Tunnels option, which enables you to display IPsec VPN connection data in graphical or tabular form.

VPN Statistics: Contains the following options that are useful for monitoring your remote-access VPN:

— Crypto Statistics: Crypto statistics for IPsec and IKE

— Encryption Statistics: Encryption statistics for tunnel groups

— Global IKE/IPsec Statistics: Global IKE and IPsec statistics

— Protocol Statistics: Protocol statistics for tunnel groups

— Sessions: Total number of remote-access VPN sessions and details on each session


VPN Statistics: Encryption Statistics

Figure: VPN Statistics > Encryption Statistics panel; Show Statistics For: TRAINING; Refresh button.

The figure shows the Encryption Statistics panel displaying encryption statistics for tunnel group TRAINING.


VPN Statistics: Sessions

Figure: VPN Statistics > Sessions panel, with the Filter, Details, Logout, Ping, Refresh and Logout Sessions buttons.

The Sessions panel lists the number of currently active remote-access sessions. In the figure, there is one active remote-access VPN session.

The Sessions panel also contains a table that displays information about currently active sessions. You can use the Filter By drop-down list to specify the type of session that the statistics in the table represent. The column headings in the table vary depending upon the type of session you choose from the Filter By drop-down list. You can also use the Filter button along with the unlabeled drop-down lists to the right of the Filter By drop-down list to filter on encryption, IP address, or protocol. In the figure, Remote Access is selected from the Filter By drop-down list; therefore, the table contains the following columns:

Username: Shows the username for the session.

Group Policy Connection: Shows the group policy being used for the session.

Assigned IP Address: Shows both the private IP address assigned by the Cisco Easy VPN server to the remote client for this session and the public IP address of the remote client.

Protocol/Encryption: Shows the protocol and the data encryption algorithm this session is using, if any.

Login Time/Duration: Shows the date and time that the session logged in and the length of the session. Time is displayed in 24-hour notation.

You can view details for a session by selecting it in the Session table and clicking the Details button. The session details are displayed in a separate window.

To terminate a specific session, select it in the Session table and click the Logout button. If you want to terminate all sessions or groups of sessions, use the Logout By drop-down lists and fields to specify the sessions you want to terminate, and then click the Logout Sessions button.

The Ping button in the Sessions panel opens a window that enables you to send an ICMP ping packet to test network connectivity. The Refresh button updates the screen and its data.


Using the CLI to Test and Verify Remote Access VPN Configuration

Verify ACLs and interesting traffic: show run access-list

Verify correct IKE configuration: show run isakmp, show run tunnel-group

Verify IPsec and ISAKMP SAs: show crypto ipsec sa, show crypto isakmp sa

You can also use the CLI as follows to test and verify that you have correctly configured the VPN on the security appliance:

Verify ACLs that designate interesting traffic with the show run access-list command.

Verify correct IKE configuration with the show run isakmp and show run tunnel-group commands.

Verify that IPsec and ISAKMP SAs have been established with the show crypto ipsec sa and show crypto isakmp sa commands.


Test and Verify VPN Configuration (Cont.)

Verify correct crypto map configuration: show run crypto map

Clear IPsec SAs: clear crypto ipsec sa

Clear IKE SAs: clear crypto isakmp sa

Debug IKE and IPsec traffic through the security appliance: debug crypto ipsec, debug crypto isakmp

Verify the correct crypto map configuration with the show run crypto map command.

Clear IPsec SAs with the clear crypto ipsec sa command.

Clear IKE SAs with the clear crypto isakmp sa command.

Debug IKE and IPsec traffic through the security appliance with the debug crypto ipsec and debug crypto isakmp commands. Debug output can be heavy on a busy appliance; turn it off with undebug all when you have finished.
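The show crypto isakmp sa output is the quickest way to see whether phase 1 completed for a client. The following Python parser, an added example rather than Cisco tooling, reads that output, cross-checks the entry count against the Total IKE SA header, separates remote-access clients (Type user) from site-to-site peers (Type L2L), and lists the SAs that never reached an ACTIVE state. SAMPLE_OUTPUT is constructed in the layout the ASA 7.x and 8.x software prints; the peer addresses are documentation addresses.

```python
"""Parse 'show crypto isakmp sa' from an ASA and flag IKE SAs that have not
reached the ACTIVE state. Added example, not Cisco code. SAMPLE_OUTPUT is
constructed in the ASA 7.x/8.x layout; peers are documentation addresses."""
import re
from typing import Dict, List

SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.5
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 198.51.100.77
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

PEER = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")   # "1   IKE Peer: a.b.c.d"
PAIR = re.compile(r"(\w+)\s*:\s*(\S+)")             # "Type    : user   Role : responder"


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """One dict per IKE SA with lower-case keys: peer, type, role, rekey, state."""
    sas: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = PEER.match(line)
        if m:
            sas.append({"peer": m.group(1)})
        elif sas and line.startswith(" ") and ":" in line:
            # indented detail lines belong to the most recent peer
            for key, value in PAIR.findall(line):
                sas[-1][key.lower()] = value
    return sas


def total_reported(text: str) -> int:
    """The count the appliance prints in its 'Total IKE SA:' header."""
    m = re.search(r"Total IKE SA:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def not_established(sas: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """SAs whose phase 1 state is not *_ACTIVE: still negotiating or stuck.
    A remote-access client that authenticates with a preshared key uses
    aggressive mode (AM_*); main mode (MM_*) is the site-to-site case."""
    return [sa for sa in sas if not sa.get("state", "").endswith("_ACTIVE")]


def remote_access_peers(sas: List[Dict[str, str]]) -> List[str]:
    """Type 'user' is a remote-access client; 'L2L' is a site-to-site peer."""
    return [sa["peer"] for sa in sas if sa.get("type") == "user"]


def consistent(text: str) -> bool:
    """True when the parsed entries match the appliance's own total."""
    return len(parse_isakmp_sa(text)) == total_reported(text)
```

A client that is prompted for a password but never gets an address will usually show up here as an AM_* state short of AM_ACTIVE, or not at all; in the first case the preshared key negotiated, and the problem is in XAUTH or mode configuration, so the next step is the AAA server rather than the IKE policy.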