© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—15-1
Lesson 15
Configuring PIX Firewall Remote Access Using Cisco Easy VPN
Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
• Describe the Easy VPN Server.
• Describe the Easy VPN Remote.
• Configure the Easy VPN Server.
• Configure the Easy VPN Remote using the Cisco VPN Client Release 3.6.
Introduction to the Cisco Easy VPN
The Cisco Easy VPN
[Figure: Easy VPN Servers: Cisco IOS > 12.2(8)T router, PIX Firewall > 6.2, Cisco VPN 3000 > 3.11 (> 3.5.1 recommended). Easy VPN Remote: Cisco VPN Client 3.x, Cisco 800 Series Router, Cisco 900 Series Router, Cisco 1700 Series Router, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall.]
Overview of the Easy VPN Server
Cisco Easy VPN Server Features
• The Cisco PIX Firewall Software Version 6.2 Easy VPN Server introduces server support for the Cisco Easy VPN Remote Clients.
• It allows remote end users to communicate using IPSec with supported PIX Firewall VPN gateways.
• Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.
PIX Firewall Version 6.3 Easy VPN Server Functions
• User-level authentication
• Updated VPN 3000 support
• Certificate support
• Diffie-Hellman group 5 support
• AES encryption support
Supported Easy VPN Servers
[Figure: the same topology as above with the Easy VPN Servers highlighted: Cisco IOS > 12.2(8)T router, PIX Firewall > 6.2, Cisco VPN 3000 > 3.11 (> 3.5.1 recommended). Easy VPN Remote devices shown: Cisco VPN Client 3.x, Cisco 800/900/1700 Series Routers, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall.]
Overview of the Easy VPN Remote Feature
Implementing Easy VPN Remote
[Figure: Easy VPN Remote devices (PC with Easy Remote VPN Client 3.x, Cisco 800 Series Router, Cisco 900 Series Router, Cisco 1700 Series Router, Cisco VPN 3002 Hardware Client, Cisco PIX 501/506 Firewall) connecting to a PIX Firewall version 6.2 acting as the Easy VPN Server.]
Supported Easy VPN Remote Clients
• Cisco VPN Client (software version) > 3.x
• Cisco VPN 3002 Hardware Client > 3.x
• Cisco PIX Firewall 501/506 VPN client > 6.2
• Cisco Easy VPN Remote router clients
– Cisco 800 Series
– Cisco 900 Series
– Cisco 1700 Series
Cisco VPN Client Software Version > 3.x
• Software-based Cisco VPN Client
• Supports several operating systems
• Comes standard with the Cisco VPN 3000 Series Concentrator
• Available for download from Cisco.com
• Supports Cisco VPN Client protocol
Cisco VPN 3002 Hardware Client > 3.x
[Figure: front panels of the Cisco VPN 3002 Hardware Client and the Cisco VPN 3002-8E Hardware Client, showing the Private and Public ports, Console port, Hardware reset and Power.]
Supports Cisco VPN Client protocol
Cisco PIX Firewall 501 and 506 VPN Client
[Figure: PIX Firewall 501 and PIX Firewall 506/506E.]
Cisco Easy VPN Remote Router Clients
• All models support the Cisco VPN Client protocol.
• Always check Cisco.com for the latest listing of supported Cisco Easy VPN Remote router clients.
800 Series: 806, 826, 827, 828
900 Series: uBR905, uBR925
1700 Series: 1710, 1720, 1721, 1750, 1751, 1760
Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
• Client mode
– Specifies that NAT/PAT be used.
– Client automatically configures the NAT/PAT translation and ACLs needed to implement the VPN tunnel.
– Supports split tunneling.
• Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
– PAT is not used.
– Supports split tunneling.
Easy VPN Remote Client Mode
[Figure: client mode. A PIX Firewall 501/506 (Easy VPN Remote) with hosts 192.168.1.2 and 192.168.1.3 behind 192.168.1.1 builds a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24; the remote applies PAT (10.0.1.2 shown on the tunnel side).]
Easy VPN Remote Network Extension Mode
[Figure: network extension mode. A Cisco 1710 router (Easy VPN Remote, IOS 12.2(8)YJ) with hosts 172.16.10.4, 172.16.10.5 and 172.16.10.6, and a PIX Firewall 501 (Easy VPN Remote) with hosts 172.16.20.5 and 172.16.20.6, each build a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24; the remote hosts keep their routable addresses.]
Overview of the Cisco VPN 3.6 Client
Cisco VPN Client Release 3.6
[Screenshot: Cisco VPN Client Release 3.6 window showing 192.168.1.5.]
Cisco VPN Client 3.6 Features and Benefits
The Cisco VPN Client provides the following features and benefits:
• Intelligent peer availability detection
• SCEP
• Data compression (LZS)
• Command-line options for connecting, disconnecting, and connection status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• DNS, WINS, and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies
• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
• Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)
Cisco VPN Client 3.6 Specifications
• Supported tunneling protocols
• Supported encryption/authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management
How the Cisco Easy VPN Works
The Easy VPN Remote Connection Process
• Step 1—The VPN Client initiates the IKE Phase 1 process.
• Step 2—The VPN Client negotiates an IKE SA.
• Step 3—The Easy VPN Server accepts the SA proposal.
• Step 4—The Easy VPN Server initiates a username/password challenge.
• Step 5—The mode configuration process is initiated.
• Step 6—IKE quick mode completes the connection.
Step 1—Cisco VPN Client Initiates IKE Phase 1 Process
• Using preshared keys? Initiate aggressive mode (AM).
• Using digital certificates? Initiate main mode (MM).
[Figure: the Remote PC with Easy Remote VPN Client 3.x initiates IKE Phase 1 with the PIX Firewall 6.2 Easy VPN Server.]
Step 2—Cisco VPN Client Negotiates an IKE SA
• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server.
• To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
[Figure: the Remote PC with Easy Remote VPN Client 3.x sends proposal 1, proposal 2 and proposal 3 to the PIX Firewall 6.2 Easy VPN Server.]
Step 3—The Easy VPN Server Accepts SA Proposal
• The Easy VPN Server searches for a match:
– The first proposal to match the server's list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.
[Figure: proposal checking on the PIX Firewall 6.2 Easy VPN Server finds a match for proposal 1 sent by the Remote PC with Easy Remote VPN Client 3.x.]
Step 4—The Easy VPN Server Initiates a Username/Password Challenge
• If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities using AAA.
• All Easy VPN Servers should be configured to enforce user authentication.
[Figure: the PIX Firewall 6.2 Easy VPN Server sends a username/password challenge to the Remote PC with Easy Remote VPN Client 3.x; the returned username/password is checked by AAA.]
Step 5—The Mode Configuration Process is Initiated
• If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
[Figure: the Remote PC with Easy Remote VPN Client 3.x requests parameters; the PIX Firewall 6.2 Easy VPN Server returns the system parameters via mode config.]
Step 6—IKE Quick Mode Completes the Connection
• After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment.
• After IPSec SA establishment, the VPN connection is complete.
[Figure: quick mode between the Remote PC with Easy Remote VPN Client 3.x and the PIX Firewall 6.2 Easy VPN Server establishes the IPSec SA and the VPN tunnel.]
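The proposal selection of Steps 2 and 3, modeled as an added Python example. This is not Cisco code: the server policy table and the client proposal list are constructed samples, and the strength ranking is this script's own simplification. It shows the rule the slides state, that the server walks its ISAKMP policies lowest number first and takes the first one the client also offered, and the consequence a defender cares about: a weak policy anywhere in the list remains reachable by a client that offers only that policy, whatever sits at the top.

```python
"""Added model of the IKE Phase 1 proposal selection from Steps 2 and 3 of the
Easy VPN connection process (not Cisco code).  The VPN Client offers several
proposals; the Easy VPN Server walks its own ISAKMP policies in priority order
(lowest policy number first, as on the PIX) and accepts the first policy that
one of the client proposals matches."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    encryption: str   # "des", "3des" or "aes"
    hash_alg: str     # "md5" or "sha"
    auth: str         # "pre-share" or "rsa-sig"
    group: int        # Diffie-Hellman group: 1, 2 or 5


# Constructed sample: the server's ISAKMP policies keyed by priority number.
# Policy 30 is the Task 1 example policy; the stronger ones sit above it.
SERVER_POLICIES = {
    10: Policy("aes", "sha", "pre-share", 5),
    20: Policy("3des", "sha", "pre-share", 2),
    30: Policy("des", "sha", "pre-share", 2),
}

# Constructed sample of the proposal list a VPN Client sends in Step 2.
CLIENT_PROPOSALS = [
    Policy("des", "md5", "pre-share", 2),
    Policy("des", "sha", "pre-share", 2),
    Policy("3des", "sha", "pre-share", 2),
]


def select_policy(server_policies, client_proposals):
    """Step 3: return (priority, policy) for the highest-priority server policy
    that the client also proposed, or None when nothing matches (IKE fails)."""
    offered = set(client_proposals)
    for priority in sorted(server_policies):
        if server_policies[priority] in offered:
            return priority, server_policies[priority]
    return None


# Simplified strength ordering used only by the checks below (this script's own).
_ENC_RANK = {"des": 0, "3des": 1, "aes": 2}
_HASH_RANK = {"md5": 0, "sha": 1}


def strength(policy):
    return (_ENC_RANK[policy.encryption], policy.group, _HASH_RANK[policy.hash_alg])


def weakest_acceptable(server_policies):
    """The weakest policy the server will ever agree to.  Priority order does
    not protect against it: a client that offers only this policy gets it."""
    return min(server_policies.values(), key=strength)


def misordered_priorities(server_policies):
    """Priority numbers whose policy is weaker than a policy with a larger
    (lower-priority) number, i.e. where 'most secure at the top' is violated."""
    prios = sorted(server_policies)
    ordered = [server_policies[p] for p in prios]
    bad = []
    for i, prio in enumerate(prios):
        if any(strength(later) > strength(ordered[i]) for later in ordered[i + 1:]):
            bad.append(prio)
    return bad


if __name__ == "__main__":
    print("accepted:", select_policy(SERVER_POLICIES, CLIENT_PROPOSALS))
    print("weakest acceptable:", weakest_acceptable(SERVER_POLICIES))
    print("misordered priorities:", misordered_priorities(SERVER_POLICIES))
```

With the sample data the client lands on policy 20 (3DES) because it never offered AES, and weakest_acceptable() reports the DES policy 30: the only way to stop a client from negotiating DES is to not have a DES policy on the server at all, not to list it last.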
Configuring the Easy VPN Server for Extended Authentication
Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Easy VPN Server on a PIX Firewall:
• Task 1—Create ISAKMP policy for remote VPN Client access.
• Task 2—Create IP address pool.
• Task 3—Define group policy for mode configuration push.
• Task 4—Create transform set.
• Task 5—Create dynamic crypto map.
• Task 6—Assign dynamic crypto map to static crypto map.
• Task 7—Apply crypto map to PIX Firewall interface.
• Task 8—Configure XAUTH.
• Task 9—Configure NAT and NAT 0.
• Task 10—Enable IKE DPD.
Task 1—Create ISAKMP Policy for Remote VPN Client Access
pix1(config)# isakmp enable outside
pix1(config)# isakmp policy 20 authentication pre-share
pix1(config)# isakmp policy 20 encryption des
pix1(config)# isakmp policy 20 hash sha
pix1(config)# isakmp policy 20 group 2
[Figure: the remote client 192.168.1.5 reaches the PIX outside interface 172.26.26.1 across the Internet; the server 10.0.0.15 is on the inside. ISAKMP policy: pre-share, DES, SHA, group 2.]
Task 2—Create IP Address Pool
pixfirewall(config)#ip local pool pool_name address-pool
pix1(config)# ip local pool vpnpool 10.0.11.1-10.0.11.254
• Creates a local address pool. The pool is optional; it is used when the remote client obtains its address from the Easy VPN Server, which then acts as the client's external DHCP server.
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1, server 10.0.0.15); pool vpnpool, 10.0.11.1-10.0.11.254.]
Group Policy
[Figure: the Engineering, Marketing and Training groups connect across the Internet; each group's policy (EngineeringPolicy, MarketingPolicy, TrainingPolicy) is pushed to its clients, giving access to the internal networks 10.0.0.0/24 and 10.0.1.0/24 labeled Mktg and Eng.]
Task 3—Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
• Step 1—Configure the IKE pre-shared key.
• Step 2—Specify the DNS servers.
• Step 3—Specify the WINS servers.
• Step 4—Specify the DNS domain.
• Step 5—Specify the local IP address pool.
• Step 6—Specify idle timeout.
Step 1—Configure IKE Pre-Shared Key
pixfirewall(config)#vpngroup group_name password preshared_key
pix1(config)# vpngroup rmt_user_1 password cisco123
[Figure: topology as above (server 10.0.0.15, outside 172.26.26.1); the VPN group parameters pushed to the client are the pre-shared key, DNS server, WINS server, DNS domain, address pool and idle time. This step sets the pre-shared key.]
Step 2—Specify DNS Servers
pixfirewall(config)#vpngroup group_name dns-server dns_ip_prim [dns_ip_sec]
pix1(config)# vpngroup rmt_user_1 dns-server 10.0.0.15
[Figure: same topology and pushed VPN group parameters; this step sets the DNS server.]
Step 3—Specify WINS Servers
pixfirewall(config)#vpngroup group_name wins-server wins_ip_prim [wins_ip_sec]
pix1(config)# vpngroup rmt_user_1 wins-server 10.0.0.15
[Figure: same topology and pushed VPN group parameters; this step sets the WINS server.]
Step 4—Specify DNS Domain
pixfirewall(config)#vpngroup group_name default-domain domain_name
pix1(config)# vpngroup rmt_user_1 default-domain cisco.com
[Figure: same topology and pushed VPN group parameters; this step sets the DNS domain (cisco.com shown beside the server 10.0.0.15).]
Step 5—Specify Local IP Address Pool
pixfirewall(config)#vpngroup group_name address-pool pool_name
pix1(config)# vpngroup rmt_user_1 address-pool vpnpool
[Figure: same topology and pushed VPN group parameters; this step sets the address pool.]
Step 6—Specify Idle Time
pixfirewall(config)#vpngroup group_name idle-time idle_seconds
pix1(config)# vpngroup rmt_user_1 idle-time 600
[Figure: same topology and pushed VPN group parameters; this step sets the idle time.]
Task 4—Create Transform Set
pix1(config)#crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
pix1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1, server 10.0.0.15); transform set DES, SHA-HMAC.]
Task 5—Create Dynamic Crypto Map
pixfirewall(config)#crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1
pix1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1, server 10.0.0.15).]
Task 6—Assign Dynamic Crypto Map to Static Crypto Map
pixfirewall(config)#crypto map map-name seq-num ipsec-isakmp | ipsec-manual [dynamic dynamic-map-name]
pix1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1, server 10.0.0.15).]
Task 7—Apply Dynamic Crypto Map to PIX Firewall Outside Interface
pixfirewall(config)#crypto map map-name interface interface-name
pix1(config)# crypto map rmt-user-map interface outside
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1, server 10.0.0.15); the crypto map is applied to the outside interface.]
Task 8—Configure XAUTH
Task 8 contains the following steps:
• Step 1—Enable AAA login authentication.
• Step 2—Define AAA server IP address and encryption key.
• Step 3—Enable IKE XAUTH for the dynamic crypto map.
Step 1—Enable AAA Login Authentication
pixfirewall(config)#aaa-server server_tag protocol auth_protocol
pix1(config)# aaa-server mytacacs protocol tacacs+
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1) with the TACACS+ server 10.0.0.15 on the inside.]
Step 2—Define AAA Server IP Address and Encryption Key
pixfirewall(config)#aaa-server server_tag [(if_name)] host server_ip [key][timeout seconds]
pix1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
[Figure: topology as above (remote client 192.168.1.5, outside 172.26.26.1) with the TACACS+ server 10.0.0.15 on the inside.]
Step 3—Enable IKE XAUTH for Crypto Map
pixfirewall(config)#crypto map map-name client [token] authentication aaa-server-name
pix1(config)# crypto map rmt-user-map client authentication mytacacs
[Figure: XAUTH between the remote client 192.168.1.5 and the PIX (outside 172.26.26.1), with the TACACS+ server 10.0.0.15 on the inside.]
Task 9—Configure NAT and NAT 0
pix1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
pix1(config)# nat (inside) 0 access-list 101
pix1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pix1(config)# global (outside) 1 interface
[Figure: remote client 192.168.1.5 and TACACS+ server 10.0.0.15; traffic between the inside network 10.0.0.0 and the VPN pool 10.0.11.0 is encrypted with no translation, all other traffic leaves in clear text with translation.]
• Matches ACL—Encrypted data and no translation (NAT 0)
• Does not match ACL—Clear text and translation (PAT)
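The NAT decision of Task 9, as an added Python example (not PIX code): it parses the lesson's access-list line into networks and then classifies inside-originated flows the way the two bullets above describe. The addresses are the ones on this slide; the outside interface address 172.26.26.1 is taken from the earlier server diagrams.

```python
"""Added illustration of the Task 9 NAT decision (not PIX code).  A flow from
the inside network that matches the 'nonat' access list is exempt from
translation (nat 0) and enters the IPSec tunnel as-is; any other inside flow is
translated, here PATed to the outside interface."""

import ipaddress

# Values from the Task 9 slide; 172.26.26.1 is the outside interface address
# shown on the earlier server diagrams.
OUTSIDE_IF = ipaddress.ip_address("172.26.26.1")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")

NONAT_ACL_LINES = [
    "access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0",
]


def parse_permit_ip(line):
    """Parse a PIX 'access-list NAME permit ip SRC SMASK DST DMASK' line into
    (source network, destination network).  Only this one form is handled."""
    parts = line.split()
    if parts[:1] != ["access-list"] or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")
    dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}")
    return src, dst


NONAT_ACL = [parse_permit_ip(l) for l in NONAT_ACL_LINES]


def nat_decision(src, dst, nonat_acl=NONAT_ACL):
    """Classify an inside-originated flow as the slide does.  Returns
    (treatment, source address the far end sees)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in INSIDE_NET:
        raise ValueError(f"{src} is not on the inside network")
    if any(src in s and dst in d for s, d in nonat_acl):
        # Matches ACL: encrypted into the tunnel, no translation (nat 0)
        return "encrypted-no-translation", str(src)
    # Does not match ACL: clear text, PAT to the outside interface address
    return "clear-text-translation", str(OUTSIDE_IF)


if __name__ == "__main__":
    for dst in ("10.0.11.7", "198.51.100.9", "10.0.12.7"):
        print("10.0.0.15 ->", dst, nat_decision("10.0.0.15", dst))
```

The last case in the usage block is the failure mode to remember: if the address pool is later moved (here to 10.0.12.0/24) without updating access-list 101, replies from inside hosts to the VPN clients no longer match the exemption and are PATed out in the clear instead of entering the tunnel, so the tunnel comes up but inside hosts cannot be reached.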
Task 10—Enable IKE DPD
pixfirewall(config)#isakmp keepalive seconds [retry_seconds]
pix1(config)# isakmp keepalive 30 10
• seconds—Number of seconds between DPD messages
• retry_seconds—Number of seconds between retries
[Figure: DPD exchange across the tunnel: 1) DPD send: Are you there? 2) DPD reply: Yes, I am here. Topology as above (TACACS+ server 10.0.0.15, inside 10.0.0.0, VPN pool 10.0.11.0).]
Easy VPN Server Configuration Summary
version 6.3(2)
hostname pix1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Configure IPSec transform set and dynamic crypto map
!--- (the dynamic map must reference the transform set defined above).
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside
Easy VPN Server Configuration Summary (Cont.)
!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure vpngroup parameters to be sent down to the client.
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 dns-server 10.0.0.15
vpngroup rmt_user_1 wins-server 10.0.0.15
vpngroup rmt_user_1 default-domain cisco.com
vpngroup rmt_user_1 idle-time 600
vpngroup rmt_user_1 password ********
!--- Configure AAA server and XAUTH parameters.
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
crypto map rmt-user-map client authentication mytacacs
Easy VPN Server Configuration Summary (Cont.)
!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- and NAT exemption (nat 0) for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
!--- Enable IKE keepalives on the PIX gateway.
isakmp keepalive 30 10
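An added Python example, not Cisco tooling, that audits a PIX 6.x Easy VPN Server configuration against the ten server tasks of this lesson: it checks that every referenced object (transform set, dynamic map, AAA server, address pool, access list) is defined, that the crypto map is applied, and that XAUTH and DPD are present, and it flags DES, MD5 and DH group 1. The embedded configuration is a constructed sample modeled on the summary above, with the dynamic map deliberately pointing at an undefined transform set so the audit has something to report; only the command forms shown in this lesson are parsed.

```python
"""Added configuration audit for a PIX 6.x Easy VPN Server (not Cisco tooling).
Checks the lesson's ten server tasks for referential consistency and weak
settings; only the command forms shown in the lesson are parsed."""

import re

# Constructed sample modeled on the lesson's configuration summary.  The dynamic
# map deliberately references a transform set that is never defined; secrets are masked.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set remoteuser1 esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 10.0.11.1-10.0.11.254
vpngroup rmt_user_1 address-pool ippool
vpngroup rmt_user_1 password ********
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (inside) host 10.0.0.15 ******** timeout 5
crypto map rmt-user-map client authentication mytacacs
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
isakmp keepalive 30 10
"""

WEAK_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}


def _matches(lines, pattern):
    """Regex matches of pattern anchored at the start of each config line."""
    rx = re.compile(pattern)
    return [m for m in map(rx.match, lines) if m]


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    f = []
    # Task 1: ISAKMP enabled; policy should not use DES, MD5 or DH group 1
    if not _matches(lines, r"isakmp enable \S+"):
        f.append("isakmp is not enabled on any interface")
    for m in _matches(lines, r"isakmp policy (\d+) (encryption|hash|group) (\S+)"):
        if m.group(3) in WEAK_ISAKMP[m.group(2)]:
            f.append(f"isakmp policy {m.group(1)} uses weak {m.group(2)} {m.group(3)}")
    # Task 4: transform sets, flagging weak transforms
    tsets = set()
    for m in _matches(lines, r"crypto ipsec transform-set (\S+) (.+)"):
        tsets.add(m.group(1))
        for t in m.group(2).split():
            if t in WEAK_TRANSFORMS:
                f.append(f"transform-set {m.group(1)} uses weak transform {t}")
    # Task 5: dynamic maps must reference a defined transform set
    dyn = set()
    for m in _matches(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (\S+)"):
        dyn.add(m.group(1))
        if m.group(2) not in tsets:
            f.append(f"dynamic-map {m.group(1)} references undefined transform-set {m.group(2)}")
    # Task 6: static maps must reference a defined dynamic map
    maps = set()
    for m in _matches(lines, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        maps.add(m.group(1))
        if m.group(2) not in dyn:
            f.append(f"crypto map {m.group(1)} references undefined dynamic-map {m.group(2)}")
    # Task 7: each static map must be applied to an interface
    applied = {m.group(1) for m in _matches(lines, r"crypto map (\S+) interface \S+")}
    f += [f"crypto map {n} is not applied to any interface" for n in sorted(maps - applied)]
    # Task 8: XAUTH on every map, pointing at a defined AAA server
    aaa = {m.group(1) for m in _matches(lines, r"aaa-server (\S+) protocol \S+")}
    xauth = {m.group(1): m.group(2) for m in
             _matches(lines, r"crypto map (\S+) client (?:token )?authentication (\S+)")}
    for n in sorted(maps):
        if n not in xauth:
            f.append(f"crypto map {n} has no XAUTH (client authentication)")
        elif xauth[n] not in aaa:
            f.append(f"crypto map {n} XAUTH references undefined aaa-server {xauth[n]}")
    # Tasks 2 and 3: the vpngroup address pool must exist
    pools = {m.group(1) for m in _matches(lines, r"ip local pool (\S+) \S+")}
    for m in _matches(lines, r"vpngroup (\S+) address-pool (\S+)"):
        if m.group(2) not in pools:
            f.append(f"vpngroup {m.group(1)} references undefined pool {m.group(2)}")
    # Task 9: nat 0 must exist and reference a defined access list
    acls = {m.group(1) for m in _matches(lines, r"access-list (\S+) permit ")}
    nat0 = _matches(lines, r"nat \(\S+\) 0 access-list (\S+)")
    if not nat0:
        f.append("no 'nat 0 access-list' exemption for VPN traffic")
    f += [f"nat 0 references undefined access-list {m.group(1)}" for m in nat0
          if m.group(1) not in acls]
    # Task 10: DPD keepalives
    if not _matches(lines, r"isakmp keepalive \d+"):
        f.append("isakmp keepalive (DPD) not configured")
    return f


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG) or ["no findings"]))
```

Run it over a captured running configuration; on the sample it reports the MD5 hash in the ISAKMP policy, the esp-md5-hmac transform and the undefined transform set myset, and an empty list is the goal. The checks are deliberately simple string matches, so a policy configured through commands this lesson does not show (for example certificate authentication) would need its own pattern.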
Cisco VPN Client 3.6 Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client 3.6:
• Task 1—Install Cisco VPN Client 3.X.
• Task 2—Create a New Connection Entry.
• Task 3—(Optional) Modify VPN Client Options.
• Task 4—Configure VPN Client General Properties.
• Task 5—Configure VPN Client Authentication Properties.
• Task 6—Configure VPN Client Connection Properties.
Task 1—Install Cisco VPN Client 3.x
Task 2—Create New Connection Entry
[Screenshot: the new connection entry dialog, showing rmt_user_1 and 192.168.1.5.]
Task 3—(Optional) Modify Cisco VPN Client Options
Task 4—Configure Cisco VPN Client General Properties
[Screenshots: the General properties dialog on Windows 95/98/ME and on Windows NT 4/2000/XP.]
Task 5—Configure Cisco VPN Client Authentication Properties
[Screenshot: the Authentication properties dialog. The end user never sees this after the initial configuration.]
Task 6—Configure Cisco VPN Client Connection Properties
Working with the Cisco VPN 3.6 Client
Cisco VPN Client Program Menu
Cisco VPN Client Log Viewer
[Screenshot: the Log Viewer window, showing the tool bar and the log display.]
Setting MTU Size
Cisco VPN Client Connection Status—General Tab
Cisco VPN Client Connection Status—Statistics Tab
Summary
• Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
• The Easy VPN Server adds several new commands to PIX Firewall version 6.3.
• The Cisco VPN Client release 3.6 can be configured manually by users or automatically using preconfiguration files.
Lab Exercise
Lab Visual Objective
[Figure: lab topology. Labels shown: Student PC with VPN Client; 172.26.26.P; backbone 172.26.26.0 (RBB); 192.168.P.0 (.1); PIX Firewall (.2 outside, .1 inside); 10.0.P.0; Web/FTP server .10; host .150.]