VPN Client Configuration Examples

Table Of Contents

VPN Client Configuration Examples

Configuring Interoperability with a Cisco Secure VPN Client

VPN Client Access with Extended Authentication, IKE Mode Config, and Wildcard Pre-Shared Key

Configuring the PIX Firewall

Configuring the Cisco Secure VPN Client

Configuring Interoperability with a Cisco VPN 3000 Client

VPN Client Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

VPN Client Access with Extended Authentication, IKE Mode Config, and Digital Certificates

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client


VPN Client Configuration Examples


This chapter gives examples that show how to configure interoperability between a PIX Firewall and PIX Firewall-supported VPN clients. The following VPN clients are supported within version 5.2 or later of the PIX Firewall:

Cisco Secure VPN Client, version 1.1 or later

Cisco VPN 3000 Client, version 2.5 or later

This chapter includes the following sections:

Configuring Interoperability with a Cisco Secure VPN Client

Configuring Interoperability with a Cisco VPN 3000 Client

Configuring Interoperability with a Cisco Secure VPN Client

This section shows one example of how to configure the PIX Firewall and the Cisco Secure VPN Client for interoperability. The example shows use of the following supported features:

Extended Authentication (Xauth) for user authentication

IKE Mode Config for VPN Client IP address assignment

Wildcard Pre-shared key for IKE authentication (most commonly used method for IKE authentication among VPN users)

For more information about Xauth, see "Configuring Extended Authentication (Xauth)" within "Advanced Configurations." For more information about IKE Mode Config, see "Configuring IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" within "Advanced Configurations."


Note An example of certificate use for IKE authentication is not covered in this chapter.


VPN Client Access with Extended Authentication, IKE Mode Config, and Wildcard Pre-Shared Key

The example in this section shows use of Extended Authentication (Xauth), IKE Mode Config and a wildcard, pre-shared key for IKE authentication between a PIX Firewall and a Cisco Secure VPN Client.

This section includes the following topics:

Configuring the PIX Firewall

Configuring the Cisco Secure VPN Client

Figure 10-1 illustrates the example network.

Figure 10-1 VPN Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the VPN Client:


Step 1 Define AAA related parameters:

aaa-server TACACS+ protocol tacacs+
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share

Step 3 Configure a wildcard, pre-shared key:

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Step 4 Create access lists that define the virtual IP addresses for VPN Clients:

access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
access-list 80 permit ip host 10.0.0.14 host 192.168.15.2
access-list 80 permit ip host 10.0.0.14 host 192.168.15.3
access-list 80 permit ip host 10.0.0.14 host 192.168.15.4
access-list 80 permit ip host 10.0.0.14 host 192.168.15.5

Step 5 Configure NAT 0:

nat 0 access-list 80

Step 6 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 7 Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set strong-des

Step 8 Add the dynamic crypto map set into a static crypto map set:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 9 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 10 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 11 Configure IKE Mode Config related parameters:

ip local pool dealer 192.168.15.1-192.168.15.5
isakmp client configuration address-pool local dealer outside
crypto map partner-map client configuration address initiate

Step 12 Tell PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec


Table 10-1 provides the complete PIX Firewall configuration.

Table 10-1 PIX Firewall with VPN Client and Manual IP Address 

Configuration
Description
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

PIX Firewall provides nameif command statements for the inside and outside interfaces in the default configuration. This example shows the default name for the perimeter interface "dmz."

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Default values for the privileged mode password and the Telnet password.

hostname SanJose

Define a host name for the PIX Firewall.

domain-name example.com

Set the domain name.

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

Default fixup protocol values that define port usage.

names
pager lines 24
no logging on

Default values that let you use names instead of IP addresses, display 24 lines of text before you are prompted to continue, and disable syslog output.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

Default interface definitions indicating that each Ethernet interface has automatic sensing capabilities to determine line speed and duplex.

mtu outside 1500
mtu inside 1500
mtu dmz 1500

Set the maximum transmission unit values for the Ethernet interfaces.

ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0

The IP addresses for each PIX Firewall interface.

no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0

Default values to disable failover.

arp timeout 14400

Default value specifying that the ARP cache be reinitialized every four hours.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Let users on the inside interface start connections on an interface with a lower security level.

access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
access-list 80 permit ip host 10.0.0.14 host 192.168.15.2
access-list 80 permit ip host 10.0.0.14 host 192.168.15.3
access-list 80 permit ip host 10.0.0.14 host 192.168.15.4
access-list 80 permit ip host 10.0.0.14 host 192.168.15.5

Create access lists that define the virtual IP addresses for the VPN Clients.

nat 0 access-list 80

Configure NAT 0.

global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224

Establish a pool of global addresses on the outside interface for translated addresses to use when users on the inside start connections to the outside.

route outside 0.0.0.0 0.0.0.0 209.165.200.227 1

Set the default route to be the router on the outside.

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute

Default timeout values.

ip local pool dealer 192.168.15.1-192.168.15.5

Create a pool of IP addresses that remote users access after they are authenticated by the AAA server.

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Establish the AAA parameters. The first two command statements enable access to the TACACS+ and RADIUS protocols. The next command statement associates the partnerauth protocol to TACACS+.

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

Default values to disable SNMP.

crypto map partner-map client configuration address initiate

Specify the IKE Mode Configuration parameters.

isakmp client configuration address-pool local dealer outside

Establish association to local pool of IP addresses.

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Create a transform set for Triple DES, ESP, SHA, and HMAC.

crypto dynamic-map cisco 4 set transform-set strong-des

Create a dynamic crypto map that associates the access list and the transform set.

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Define a crypto map that enables the ISAKMP policy.

crypto map partner-map client authentication partnerauth

Enable Xauth. Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

crypto map partner-map interface outside

Apply the crypto map to the outside interface.

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Create a wildcard, pre-shared key.

isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5

Create the ISAKMP policy on the outside interface, to handle pre-shared keys, to have Triple DES encryption, and to provide an MD5 hash for additional security.

sysopt connection permit-ipsec

Implicitly permit IPSec connections through the PIX Firewall.

telnet timeout 5
terminal width 80

Default values for how long a Telnet console session can be idle and that a console session should display up to 80 characters wide on the console computer.


Configuring the Cisco Secure VPN Client

This section describes how to configure the Cisco Secure VPN Client for use with the PIX Firewall. Refer to the Release Notes for the Cisco Secure VPN Client Version 1.1 or later for the most current information. Before performing the steps in this section, install the VPN Client as described in the Cisco Secure VPN Client release notes. You can find the Cisco Secure VPN Client release notes online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/index.htm

Follow these steps to configure the Cisco Secure VPN Client:


Step 1 Click Start>Programs>Cisco Secure VPN Client>Security Policy Editor.

Step 2 Click Options>Secure>Specified Connections.

Step 3 In the Network Security Policy window, click Other Connection and click Non-Secure from the panel on the right.

Step 4 Click File>New Connection. Rename New Connection. For example, ToSanJose.

Step 5 Under Connection Security, click Secure.

Step 6 Under Remote Party Identity and Addressing, set the following preferences in the panel on the right:

a. ID Type—Click IP address.

b. Enter the IP address of the internal host within the PIX Firewall unit's internal network to which the VPN Client will have access. Enter 10.0.0.14.

c. Click Connect using Secure Gateway Tunnel.

d. ID Type—Click IP address.

e. Enter the IP address of the outside interface of the PIX Firewall. Enter 209.165.200.229.

Step 7 In the Network Security Policy window, click the plus sign beside the ToSanJose entry to expand the selection, and click My Identity. Set the following preferences in the panel on the right:

a. Select Certificate—Click None.

b. ID Type—Click IP address.

c. Port—Click All.

d. Local Network Interface—Click Any.

e. Click Pre-Shared Key. When the Pre-Shared Key dialog box appears, click Enter Key to make the key field editable. Enter cisco1234 and click OK.

Step 8 In the Network Security Policy window, expand Security Policy and set the following preferences in the panel on the right:

a. Under Select Phase 1 Negotiation Mode, click Main Mode.

b. Select the Enable Replay Detection check box.

Leave any other values as they were in the panel.

Step 9 Click Security Policy>Authentication (Phase 1)>Proposal 1 and set the following preferences in the panel on the right:

a. Authentication Method—Click Pre-shared Key.

b. Encrypt Alg—Click Triple DES.

c. Hash Alg—Click MD5.

d. SA Life—Click Unspecified to accept the default values.

e. Key Group—Click Diffie-Hellman Group 1.

Step 10 Click Security Policy>Key Exchange (Phase 2)>Proposal 1 and enter the following values in the panel on the right:

a. Select the Encapsulation Protocol (ESP) check box.

b. Encryption Alg—Click Triple DES.

c. Hash Alg—Click SHA-1.

d. Encapsulation—Click Tunnel.

Step 11 Click File>Save Changes.

The VPN Client is now activated.


You can view the connection process by right-clicking the SafeNet/Soft-PK icon in the Windows taskbar. Unless the taskbar has been moved, this icon appears in the lower right of the screen. Click Log Viewer to display the View Log feature.

An example of a typical View Log session follows:

time_stamp ToSanJose - Deleting IKE SA
time_stamp ToSanJose - SENDING>>>>ISAKMP OAK QM *(HASH, SA, NON, ID, ID)
time_stamp ToSanJose - RECEIVED<<<ISAKMP OAK TRANS *(HASH. ATTR)
time_stamp ToSanJose - Received Private IP Address = 192.168.15.3
time_stamp ToSanJose - SENDING>>>>ISAKMP OAK TRANS *(HASH, ATTR)
time_stamp ToSanJose - RECEIVED<<<ISAKMP OAK QM *(HASH, SA, NON, ID, ID, 
NOTIFY:STATUS_RESP_LIFETIME)
time_stamp ToSanJose - SENDING>>>> ISAKMP OAK QM *(HASH)
time_stamp ToSanJose - Loading IPSec SA keys...
time_stamp
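The Phase 1 and Phase 2 proposals entered in Steps 9 and 10 only succeed because they agree with the isakmp policy from Step 2 and the transform set from Step 6, including a value the policy never sets (Diffie-Hellman group 1 comes from the PIX default). The following Python checker is an added example, not Cisco code or part of this chapter; it assumes the isakmp policy defaults (encryption des, hash sha, authentication rsa-sig, group 1) and the label-to-keyword mapping in its GUI_TO_PIX table.

```python
"""Check the Cisco Secure VPN Client proposals from Steps 9 and 10 against the
PIX isakmp policy and transform set.  Added example, not Cisco code."""
import re

# isakmp policy defaults assumed here (the PIX fills in any field a policy
# does not set): encryption des, hash sha, authentication rsa-sig, group 1.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
FIELD_ALIASES = {"encr": "encryption"}   # both spellings appear in the chapter
ESP_ENCRYPTION = {"esp-des": "des", "esp-3des": "3des"}
ESP_INTEGRITY = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha"}
# Security Policy Editor labels -> PIX keywords (assumed mapping)
GUI_TO_PIX = {"Pre-shared Key": "pre-share", "Triple DES": "3des", "DES": "des",
              "MD5": "md5", "SHA-1": "sha", "Diffie-Hellman Group 1": "1",
              "Diffie-Hellman Group 2": "2", "Tunnel": "tunnel",
              "Transport": "transport"}


def parse_pix(config):
    """Return ({priority: policy}, {name: transform}) from PIX config text."""
    policies, transforms = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            prio, field, value = m.groups()
            pol = policies.setdefault(prio, dict(ISAKMP_DEFAULTS))
            pol[FIELD_ALIASES.get(field, field)] = value
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) mode (\S+)$", line)
        if m:
            if m.group(1) in transforms:
                transforms[m.group(1)]["mode"] = m.group(2)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            ts = {"encryption": None, "integrity": None, "mode": "tunnel"}
            for word in m.group(2).split():
                if word in ESP_ENCRYPTION:
                    ts["encryption"] = ESP_ENCRYPTION[word]
                elif word in ESP_INTEGRITY:
                    ts["integrity"] = ESP_INTEGRITY[word]
            transforms[m.group(1)] = ts
    return policies, transforms


def phase1_diff(policy, client):
    """Fields on which a PIX isakmp policy and the client's Phase 1 proposal
    disagree, as {field: (pix_value, client_value)}; empty means they agree."""
    want = {"authentication": GUI_TO_PIX[client["auth"]],
            "encryption": GUI_TO_PIX[client["encr"]],
            "hash": GUI_TO_PIX[client["hash"]],
            "group": GUI_TO_PIX[client["group"]]}
    return {k: (policy[k], v) for k, v in want.items() if policy[k] != v}


def phase1_match(policies, client):
    """Priority of the first policy (the PIX tries the lowest number first)
    that accepts the client's Phase 1 proposal, or None if none does."""
    for prio in sorted(policies, key=int):
        if not phase1_diff(policies[prio], client):
            return prio
    return None


def phase2_match(transforms, client):
    """Names of the transform sets that accept the client's Phase 2 proposal."""
    return [name for name, ts in transforms.items()
            if ts["encryption"] == GUI_TO_PIX[client["encr"]]
            and ts["integrity"] == GUI_TO_PIX[client["hash"]]
            and ts["mode"] == GUI_TO_PIX[client["encap"]]]


# Constructed from Step 2 and Step 6 of the PIX procedure above.
PIX_CONFIG = """
isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
"""
# Client values from Steps 9 and 10 of the Security Policy Editor procedure.
CLIENT_PHASE1 = {"auth": "Pre-shared Key", "encr": "Triple DES",
                 "hash": "MD5", "group": "Diffie-Hellman Group 1"}
CLIENT_PHASE2 = {"encr": "Triple DES", "hash": "SHA-1", "encap": "Tunnel"}

if __name__ == "__main__":
    pols, tsets = parse_pix(PIX_CONFIG)
    print("phase 1 policy:", phase1_match(pols, CLIENT_PHASE1))   # 8
    print("phase 2 sets:", phase2_match(tsets, CLIENT_PHASE2))    # ['strong-des']
    # A client left at DH Group 2 would fail Phase 1 against this policy:
    print(phase1_diff(pols["8"], dict(CLIENT_PHASE1, group="Diffie-Hellman Group 2")))
```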

Configuring Interoperability with a Cisco VPN 3000 Client

Remote access VPN users employing the Cisco VPN 3000 Client, version 2.5 or later, can now securely access their private enterprise network through the PIX Firewall.

Unlike the Cisco Secure VPN Client, the Cisco VPN 3000 Client requires the gateway to push policy information to the Cisco VPN 3000 Client. To support the Cisco VPN 3000 Client, the IKE Mode Config feature within the PIX Firewall has been extended to include the downloading of DNS, WINS, default domain, and split tunnel mode attributes to the Cisco VPN 3000 Client. The split tunnel mode allows the PIX Firewall to direct packets to a network interface in clear text form or over an IPSec tunnel in encrypted form.

The vpngroup command set allows you to configure Cisco VPN 3000 Client policy attributes to be associated with a VPN group name and downloaded to the Cisco VPN 3000 Client(s) that are part of the given group. The purpose of these new commands is to configure the Cisco VPN 3000 Client policy groups. See the vpngroup command page within Chapter 12, "Command Reference," for more information about these commands.

This section shows two examples of how to configure the PIX Firewall and the Cisco VPN 3000 Client for interoperability. The first example shows use of the following supported features:

Extended Authentication (Xauth) for user authentication

RADIUS Authorization for user services authorization

IKE Mode Config for VPN IP address assignment

Wildcard Pre-shared key for IKE authentication

The second example shows use of the following supported features:

Extended Authentication (Xauth) for user authentication

IKE Mode Config for VPN IP address assignment

Digital Certificate for IKE authentication

For more information about Xauth, see "Configuring Extended Authentication (Xauth)" within "Advanced Configurations." For more information about IKE Mode Config, see "Configuring IKE Mode Config (Dynamic IP Address Assignment for VPN Client)" within "Advanced Configurations." For more information about RADIUS authorization, see "RADIUS Authorization Feature" within the aaa command page of Chapter 5, "Command Reference" in the Configuration Guide for the Cisco Secure PIX Firewall Version 5.2.


Note If you have the Cisco Secure VPN Client installed on the computer, uninstall it from your computer and ensure all directories containing this VPN Client application are cleared of it before you install the Cisco VPN 3000 Client.


This section includes the following topics:

VPN Client Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key

VPN Client Access with Extended Authentication, IKE Mode Config, and Digital Certificates

VPN Client Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key

The example in this section shows use of Extended Authentication (Xauth), RADIUS authorization, IKE Mode Config, and a wildcard, pre-shared key for IKE authentication between a PIX Firewall and a Cisco VPN 3000 Client.

With the vpngroup command set, you configure the PIX Firewall for a specified group of Cisco VPN 3000 Client users with the following parameters:

group name for a given group of Cisco VPN 3000 Client users.

pre-shared key or group password (used to authenticate your VPN access to the remote server, the PIX Firewall).


Note This pre-shared key is equivalent to the password that you enter within the Group Password field of the Cisco VPN 3000 Client while configuring your group access information for a connection entry.


a pool of local addresses to be assigned to the VPN group.

an IP address of a DNS server to download to the Cisco VPN 3000 Client. (optional)

an IP address of a WINS server to download to the Cisco VPN 3000 Client. (optional)

a default domain name to download to the Cisco VPN 3000 Client. (optional)

enable split tunneling on the PIX Firewall allowing both encrypted and clear traffic between the Cisco VPN 3000 Client and the PIX Firewall. (optional)


Note If split tunneling is not enabled, all traffic between the Cisco VPN 3000 Client and the PIX Firewall will be encrypted.


the inactivity timeout for the Cisco VPN 3000 Client. The default is 30 minutes. (optional)

On the Cisco VPN 3000 Client, you would configure the vpngroup name and group password to match that which you configured on the PIX Firewall.

When the Cisco VPN 3000 Client initiates ISAKMP with the PIX Firewall, the VPN group name and pre-shared key are sent to the PIX Firewall. The PIX Firewall then uses the group name to look up the configured client policy attributes for the given Cisco VPN 3000 Client and downloads the matching policy attributes to the client during the IKE negotiation.

This section includes the following topics:

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

Figure 10-2 illustrates the example network.

Figure 10-2 Cisco VPN 3000 Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Cisco VPN 3000 Client using Xauth, IKE Mode Config, AAA Authorization with RADIUS, and Wildcard Pre-Shared Key:


Step 1 Define AAA related parameters:

aaa-server radius protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication pre-share

Step 3 Configure a wildcard, pre-shared key:

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Step 4 Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection:

access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 5 Create access lists that define the services the VPN Clients are authorized to use with the RADIUS server:

access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http

Note Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. Your entry in the authentication server would then be acl=100.


Step 6 Configure NAT 0:

nat (inside) 0 access-list 80

Step 7 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 8 Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set strong-des

Step 9 Add the dynamic crypto map set into a static crypto map set:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 10 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 11 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 12 Configure IKE Mode Config related parameters:

ip local pool dealer 10.1.1.1-10.1.1.254
crypto map partner-map client configuration address initiate

Step 13 Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN 3000 Client:

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800 

The keyword "superteam" is the name of a VPN group. You will enter this VPN group name within the Cisco VPN 3000 Client as part of the Group access information. See Step 9 within "Configuring the Cisco VPN 3000 Client."

Step 14 Tell PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec
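The note under Step 5 says the authentication server returns "acl=100" as a vendor-specific attribute. As an added example (not Cisco code, not part of this chapter), the following Python encodes and decodes that RADIUS Vendor-Specific attribute in the RFC 2865 layout; it assumes the string travels in the Cisco cisco-avpair VSA (vendor ID 9, vendor type 1) and that a malformed attribute list should be rejected rather than partially trusted.

```python
"""Encode and decode the RADIUS vendor-specific attribute carrying the
PIX 'acl=acl_ID' authorization string.  Added example, not Cisco code.
Assumes the Cisco cisco-avpair VSA (vendor 9, vendor type 1); the wire
layout is RFC 2865 section 5.26."""
import struct

ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def encode_cisco_avpair(value):
    """Build one Vendor-Specific attribute (type 26) wrapping a cisco-avpair string."""
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor-type + vendor-length + string
    attr_len = 2 + 4 + vendor_len       # type + length + vendor-id + vendor data
    if attr_len > 255:
        raise ValueError("avpair too long for a single RADIUS attribute")
    return (struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR, vendor_len) + data)


def iter_attributes(blob):
    """Yield (type, value_bytes) for each attribute in a RADIUS attribute list,
    refusing truncated or self-inconsistent lengths."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(blob):
    """Return every cisco-avpair string found among the attributes; VSAs from
    other vendors and other Cisco sub-attribute types are ignored."""
    pairs = []
    for atype, val in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub, pos = val[4:], 0
        while pos + 2 <= len(sub):
            vtype, vlen = sub[pos], sub[pos + 1]
            if vlen < 2 or pos + vlen > len(sub):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[pos + 2:pos + vlen].decode("ascii", "replace"))
            pos += vlen
    return pairs


def authorized_acl(blob):
    """Return the access-list ID named by an acl= avpair, or None if absent.
    The PIX applies that access list to the authenticated user's traffic."""
    for pair in cisco_avpairs(blob):
        key, _, value = pair.partition("=")
        if key.strip() == "acl" and value.strip():
            return value.strip()
    return None


# Constructed Access-Accept attribute list: a Reply-Message (type 18)
# followed by the VSA that grants access list 100 from Step 5.
SAMPLE_ACCEPT_ATTRS = (bytes([18, 2 + len(b"welcome")]) + b"welcome"
                       + encode_cisco_avpair("acl=100"))

if __name__ == "__main__":
    print(encode_cisco_avpair("acl=100").hex())   # 1a0f00000009010961636c3d313030
    print(authorized_acl(SAMPLE_ACCEPT_ATTRS))    # 100
```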


Table 10-2 provides the complete PIX Firewall configuration.

Table 10-2 VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Wildcard Pre-Shared Key 

Configuration
Description
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

PIX Firewall provides nameif command statements for the inside and outside interfaces in the default configuration. This example shows the default name for the perimeter interface "dmz."

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Default values for the privileged mode password and the Telnet password.

hostname SanJose

Define a host name for the PIX Firewall.

domain-name example.com

Set the domain name.

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

Default fixup protocol values that define port usage.

names
pager lines 24
no logging on

Default values that let you use names instead of IP addresses, display 24 lines of text before you are prompted to continue, and disable syslog output.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

Default interface definitions indicating that each Ethernet interface has automatic sensing capabilities to determine line speed and duplex.

mtu outside 1500
mtu inside 1500
mtu dmz 1500

Set the maximum transmission unit values for the Ethernet interfaces.

ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0

The IP addresses for each PIX Firewall interface.

no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0

Default values to disable failover.

arp timeout 14400

Default value specifying that the ARP cache be reinitialized every four hours.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Let users on the inside interface start connections on an interface with a lower security level.

access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection. This access list is also used for split tunneling.

access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http

Create access lists that define the services the VPN Clients are authorized to use with the RADIUS server.

nat (inside) 0 access-list 80

Configure NAT 0.

global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224

Establish a pool of global addresses on the outside interface for translated addresses to use when users on the inside start connections to the outside.

route outside 0.0.0.0 0.0.0.0 209.165.200.227 1

Set the default route to be the router on the outside.

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute

Default timeout values.

ip local pool dealer 10.1.1.1-10.1.1.254

Create a pool of IP addresses that remote users access after they are authenticated by the AAA server.

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Establish the AAA parameters. The first two command statements enable access to the TACACS+ and RADIUS protocols. The next command statement associates the partnerauth server name with RADIUS, as in Step 1; the RADIUS authorization used in this example requires the Xauth server to be a RADIUS server.

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

Default values to disable SNMP.

crypto map partner-map client configuration address initiate

Specify the IKE Mode Configuration parameters.

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Create a transform set for Triple DES, ESP, SHA, and HMAC.

crypto dynamic-map cisco 4 set transform-set strong-des

Create a dynamic crypto map that associates the access list and the transform set.

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Define a crypto map that enables the ISAKMP policy.

crypto map partner-map client authentication partnerauth

Enable the Extended Authentication feature. Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

crypto map partner-map interface outside

Apply the crypto map to the outside interface.

isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0

Create a wildcard, pre-shared key.

isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5

Create the ISAKMP policy on the outside interface, to handle pre-shared keys, to have Triple DES encryption, and to provide an MD5 hash for additional security.

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800 

Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN 3000 Client.

sysopt connection permit-ipsec

Implicitly permit IPSec connections through the PIX Firewall.

telnet timeout 5
terminal width 80

Default values for how long a Telnet console session can be idle and that a console session should display up to 80 characters wide on the console computer.
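Both Table 10-1 and Table 10-2 tie their command statements together by name (the aaa-server name in crypto map client authentication, the pool in isakmp client configuration and vpngroup address-pool, the access list in nat 0 and vpngroup split-tunnel, the transform set and dynamic map in the crypto map), and a mismatch in any of them silently breaks the VPN. The following Python lint is an added example, not Cisco code: it runs over a constructed excerpt of those tables, reports references whose target was never defined, and checks that every address in the local pool is a destination of the nat 0 access list.

```python
"""Reference lint for the PIX configurations in Tables 10-1 and 10-2.  Added
example, not Cisco code: it reports names that are referenced but never
defined, and pool addresses that the nat 0 access list does not exempt."""
import ipaddress
import re

# (pattern matched against one config line, kind of name defined by group 1)
DEFINITIONS = [
    (r"aaa-server (\S+) protocol ", "aaa-server"),
    (r"ip local pool (\S+) ", "pool"),
    (r"access-list (\S+) ", "acl"),
    (r"crypto ipsec transform-set (\S+) ", "transform-set"),
    (r"crypto dynamic-map (\S+) \d+ ", "dynamic-map"),
    (r"crypto map (\S+) \d+ ipsec-isakmp ", "crypto-map"),
]
# (pattern, kind of name referenced by group 1)
REFERENCES = [
    (r"crypto map \S+ client authentication (\S+)", "aaa-server"),
    (r"crypto map (\S+) (?:client|interface) ", "crypto-map"),
    (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", "transform-set"),
    (r"nat (?:\(\S+\) )?0 access-list (\S+)", "acl"),
    (r"vpngroup \S+ split-tunnel (\S+)", "acl"),
    (r"vpngroup \S+ address-pool (\S+)", "pool"),
    (r"isakmp client configuration address-pool local (\S+) ", "pool"),
]
# Destination of an 'access-list N permit ip ...' line: a host or network/mask.
ACL_IP = re.compile(r"access-list (\S+) permit ip (?:host \S+|\S+ \S+) "
                    r"(?:host (\S+)|(\S+) (\S+))$")


def lint(config):
    """One message per reference whose target name is never defined."""
    defined, refs = {}, []
    for line in (l.strip() for l in config.splitlines()):
        for pattern, kind in DEFINITIONS:
            m = re.match(pattern, line)
            if m:
                defined.setdefault(kind, set()).add(m.group(1))
        for pattern, kind in REFERENCES:
            m = re.match(pattern, line)
            if m:
                refs.append((kind, m.group(1), line))
    return [f"{kind} '{name}' is referenced but never defined: {line}"
            for kind, name, line in refs if name not in defined.get(kind, ())]


def pool_coverage(config):
    """Pool addresses that a 'nat 0' access list never names as a destination.
    Inside traffic to such a client address would be translated instead of
    exempted, so it would not match the client's IPSec SA."""
    pools, acl_dsts, nat0 = {}, {}, set()
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line)
        if m:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
            pools[m.group(1)] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        m = ACL_IP.match(line)
        if m:
            acl, host, net, mask = m.groups()
            dst = ipaddress.ip_network(f"{host}/32" if host else f"{net}/{mask}")
            acl_dsts.setdefault(acl, []).append(dst)
        m = re.match(r"nat (?:\(\S+\) )?0 access-list (\S+)", line)
        if m:
            nat0.add(m.group(1))
    gaps = {}
    for acl in sorted(nat0):
        for pool, addrs in pools.items():
            missing = [str(a) for a in addrs
                       if not any(a in d for d in acl_dsts.get(acl, []))]
            if missing:
                gaps[(acl, pool)] = missing
    return gaps


# Constructed excerpt: the Table 10-1 access list and pool together with the
# Table 10-2 vpngroup lines, so both reference styles are exercised.
SAMPLE = """\
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
access-list 80 permit ip host 10.0.0.14 host 192.168.15.2
access-list 80 permit ip host 10.0.0.14 host 192.168.15.3
nat 0 access-list 80
ip local pool dealer 192.168.15.1-192.168.15.3
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp client configuration address-pool local dealer outside
vpngroup superteam address-pool dealer
vpngroup superteam split-tunnel 80
"""
# Two mistakes on purpose: a misspelled AAA server name (the caveat in the
# table) and a pool widened beyond what access list 80 exempts.
BROKEN = (SAMPLE.replace("authentication partnerauth", "authentication partnerath")
          .replace("192.168.15.1-192.168.15.3", "192.168.15.1-192.168.15.4"))
```

Running `lint(BROKEN)` names the undefined aaa-server 'partnerath', and `pool_coverage(BROKEN)` reports 192.168.15.4 as a pool address that access list 80 does not exempt.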


Configuring the Cisco VPN 3000 Client

This section describes how to configure the Cisco VPN 3000 Client to match the configurations within "Configuring the PIX Firewall," in the previous section. It is assumed the Cisco VPN 3000 Client is already installed on your system and is configured for general use. You can find the Cisco VPN 3000 Client documentation online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

For the Cisco VPN 3000 Client to gain VPN access to the PIX Firewall using a pre-shared key, you must create one connection entry for the Cisco VPN 3000 Client to use that identifies the following:

the host name or IP address of the remote server you want to access, which in this case is a PIX Firewall

name of the VPN group you belong to

pre-shared key or password of the VPN group you belong to

Refer to the chapter "Configuring the VPN Client" in the VPN 3000 Client User Guide for the detailed steps to follow when configuring the Cisco VPN 3000 Client.

Follow these steps to configure the Cisco VPN 3000 Client to interoperate with the PIX Firewall:


Step 1 Click Start>Programs>Cisco Systems VPN 3000 Client>VPN Dialer.

Step 2 At the VPN Client main dialog box, click New.

The first New Connection Entry Wizard dialog box appears.

Step 3 Enter a unique name for the connection.

Step 4 (Optional) Enter a description of this connection.

Step 5 Click Next.

The second New Connection Entry Wizard dialog box appears.

Step 6 Enter the host name or IP address of the remote PIX Firewall you want to access.

Step 7 Click Next.

The third New Connection Entry Wizard dialog box appears.

Step 8 Click Group Access Information.

Step 9 Enter the name of the VPN group to which you belong and the password for your VPN group.

The password displays in asterisks.

Step 10 Click Next.

The fourth New Connection Entry Wizard dialog box appears.

Step 11 Review the connection entry name.

Step 12 Click Finish.


VPN Client Access with Extended Authentication, IKE Mode Config, and Digital Certificates

This example shows use of Xauth, IKE Mode Config, and digital certificates for IKE authentication between a PIX Firewall and a Cisco VPN 3000 Client. For example purposes, the PIX Firewall is shown to interoperate with the Entrust CA server. The specific CA-related commands you enter depend on the CA you are using.


Note Both the PIX Firewall and the Cisco VPN 3000 Client are required to obtain digital certificates from the same CA server so that both are certified by the same root CA server. The PIX Firewall only supports use of one root CA server per VPN peer.



Note The PIX Firewall supports CA servers developed by VeriSign, Entrust, Baltimore Technologies, and Microsoft. See Chapter 11, "CA Configuration Examples," for examples on how to interoperate with each of the PIX Firewall-supported CA servers.


On the PIX Firewall, configure the unit to interoperate with the CA server to obtain a digital certificate. With the vpngroup command set, configure the following for a specified group of Cisco VPN 3000 Client users:

a pool of local addresses to be assigned to the VPN group

an IP address of a DNS server to download to the Cisco VPN 3000 Client (optional)

an IP address of a WINS server to download to the Cisco VPN 3000 Client (optional)

a default domain name to download to the Cisco VPN 3000 Client (optional)

enable split tunneling on the PIX Firewall allowing both encrypted and clear traffic between the Cisco VPN 3000 Client and the PIX Firewall. (optional)


Note If split tunneling is not enabled, all traffic between the Cisco VPN 3000 Client and the PIX Firewall will be encrypted.


the inactivity timeout for the Cisco VPN 3000 Client. The default is 30 minutes. (optional)

On the Cisco VPN 3000 Client, configure the client to obtain a digital certificate. After obtaining the certificate, set up your Cisco VPN 3000 Client connection entry to use the digital certificate.

When the Cisco VPN 3000 Client initiates ISAKMP with the PIX Firewall, the digital certificate is sent to the PIX Firewall. The PIX Firewall uses the digital certificate to look up the configured client policy attributes for the given Cisco VPN 3000 Client and downloads the matching policy attributes to the client during the IKE negotiation.

This section includes the following topics:

Configuring the PIX Firewall

Configuring the Cisco VPN 3000 Client

Figure 10-3 illustrates the example network.

Figure 10-3 Cisco VPN 3000 Client Access

Configuring the PIX Firewall

Follow these steps to configure the PIX Firewall to interoperate with the Cisco VPN 3000 Client:


Step 1 Define AAA related parameters:

aaa-server TACACS+ protocol tacacs+
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Step 2 Define a host name:

hostname SanJose

Step 3 Define the domain name:

domain-name example.com

Step 4 Generate the PIX Firewall RSA key pair:

ca generate rsa key 512

This command is entered at the command line and does not get stored in the configuration.

Step 5 Declare a CA:

ca identity abcd 209.165.200.228 209.165.200.228

This command is stored in the configuration.

Step 6 Configure the parameters of communication between the PIX Firewall and the CA:

ca configure abcd ra 1 20 crloptional

This command is stored in the configuration. 1 is the retry period, 20 is the retry count, and the crloptional option disables CRL checking.

Step 7 Authenticate the CA by obtaining its public key and its certificate:

ca authenticate abcd

This command is entered at the command line and does not get stored in the configuration.

Step 8 Request signed certificates from your CA for your PIX Firewall's RSA key pair. Before entering this command, contact your CA administrator because they will have to authenticate your PIX Firewall manually before granting its certificate(s):

ca enroll abcd cisco

"cisco" is a challenge password. This can be anything. This command is entered at the command line and does not get stored in the configuration.

Step 9 Verify that the enrollment process was successful using the show ca certificate command:

show ca certificate

Step 10 Save keys and certificates, and the CA commands (except those indicated) in Flash memory:

ca save all
write memory


Note Use the ca save all command any time you add, change, or delete ca commands in the configuration. This command is not stored in the configuration.


Step 11 Configure the IKE policy:

isakmp enable outside
isakmp policy 8 encr 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication rsa-sig

Step 12 Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection:

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 13 Configure NAT 0:

nat (inside) 0 access-list 90

Step 14 Configure a transform set that defines how the traffic will be protected:

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Step 15 Create a dynamic crypto map. Specify which transform sets are allowed for this dynamic crypto map entry:

crypto dynamic-map cisco 4 set transform-set strong-des

Step 16 Add the dynamic crypto map set into a static crypto map set:

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Step 17 Apply the crypto map to the outside interface:

crypto map partner-map interface outside

Step 18 Tell PIX Firewall to implicitly permit IPSec traffic:

sysopt connection permit-ipsec

Step 19 Enable Xauth:

crypto map partner-map client authentication partnerauth

Step 20 Configure IKE Mode Config related parameters:

ip local pool dealer 10.1.1.1-10.1.1.254
crypto map partner-map client configuration address initiate

Step 21 Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN 3000 Client:

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 90
vpngroup superteam idle-time 1800 
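
Added consistency check (not part of the Cisco documentation): the Python script below cross-references the statements from Steps 1 through 21, which must agree with each other by name. It checks that the AAA server named in the Xauth command matches an aaa-server statement, that the address pool and split-tunnel access list named in the vpngroup commands exist, that the dynamic map's transform set and the static map's dynamic map are defined, that ISAKMP is enabled on the interface the crypto map is applied to, and that sysopt connection permit-ipsec is present. The sample configuration is constructed from the steps above, assumes one statement per line, and contains one deliberate error.

```python
import re

# Constructed sample from Steps 1-21 above; the Xauth line deliberately names an undefined AAA server.
SAMPLE_CONFIG = """\
aaa-server partnerauth protocol tacacs+
isakmp enable outside
access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 90
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
sysopt connection permit-ipsec
crypto map partner-map client authentication partnerauth2
ip local pool dealer 10.1.1.1-10.1.1.254
crypto map partner-map client configuration address initiate
vpngroup superteam address-pool dealer
vpngroup superteam split-tunnel 90
"""
# Objects that other statements refer to, and the statement that defines each (group 1 = name).
DEFINITIONS = [
    ("aaa-server", r"aaa-server (\S+) protocol"),
    ("access-list", r"access-list (\S+) permit"),
    ("ip local pool", r"ip local pool (\S+) "),
    ("transform-set", r"crypto ipsec transform-set (\S+) "),
    ("dynamic-map", r"crypto dynamic-map (\S+) \d+ "),
    ("isakmp-enabled interface", r"isakmp enable (\S+)"),
]
# Statements that reference those objects (group 1 = referenced name) and what each must resolve to.
REFERENCES = [
    (r"crypto map \S+ client authentication (\S+)", "aaa-server"),
    (r"nat \(\S+\) 0 access-list (\S+)", "access-list"),
    (r"vpngroup \S+ split-tunnel (\S+)", "access-list"),
    (r"vpngroup \S+ address-pool (\S+)", "ip local pool"),
    (r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", "transform-set"),
    (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"crypto map \S+ interface (\S+)", "isakmp-enabled interface"),
]

def check_pix_vpn_config(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    defined = {kind: {m.group(1) for l in lines if (m := re.match(pat, l))}
               for kind, pat in DEFINITIONS}
    findings = [] if "sysopt connection permit-ipsec" in lines else [
        "missing 'sysopt connection permit-ipsec' (Step 18)"]
    for line in lines:
        for pat, kind in REFERENCES:
            if (m := re.match(pat, line)) and m.group(1) not in defined[kind]:
                findings.append(f"{line!r}: {kind} {m.group(1)!r} is not defined")
    return findings
```

Running check_pix_vpn_config(SAMPLE_CONFIG) reports the dangling partnerauth2 reference; once the Xauth line names partnerauth, the list of findings is empty.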

Table 10-3 provides the complete PIX Firewall configuration.

Table 10-3 VPN Access with Extended Authentication, RADIUS Authorization, IKE Mode Config, and Digital Certificates 

Configuration
Description
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10

PIX Firewall provides nameif command statements for the inside and outside interfaces in the default configuration. This example shows the default name for the perimeter interface "dmz."

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Default values for the privileged mode password and the Telnet password.

hostname SanJose

Define a host name for the PIX Firewall.

domain-name example.com

Set the domain name.

fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521

Default fixup protocol values that define port usage.

names
pager lines 24
no logging on

Default values that let you use names instead of IP addresses, display 24 lines of text before you are prompted to continue, and disable syslog output.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

Default interface definitions indicating that each Ethernet interface has automatic sensing capabilities to determine line speed and duplex.

mtu outside 1500
mtu inside 1500
mtu dmz 1500

Set the maximum transmission unit values for the Ethernet interfaces.

ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0

The IP addresses for each PIX Firewall interface.

no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0

Default values to disable failover.

arp timeout 14400

Default value specifying that the ARP cache be reinitialized every four hours.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Let users on the inside interface start connections on an interface with a lower security level.

access-list 90 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Create an access list that defines the PIX Firewall local network(s) requiring IPSec protection. This access list is also used for split tunneling.

access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http

Create access lists that define the services the VPN Clients are authorized to use with the RADIUS server.

nat (inside) 0 access-list 90

Configure NAT 0.

global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224

Establish a pool of global addresses on the outside interface for translated addresses to use when users on the inside start connections to the outside.

route outside 0.0.0.0 0.0.0.0 209.165.200.227 1

Set the default route to be the router on the outside.

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute

Default timeout values.

ip local pool dealer 10.1.1.1-10.1.1.254

Create a pool of IP addresses that remote users access after they are authenticated by the AAA server.

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5

Establish the AAA parameters. The first two command statements enable access to the TACACS+ and RADIUS protocols. The third associates the partnerauth server group with TACACS+, and the fourth specifies the TACACS+ server host on the dmz interface, its shared key, and a 5-second timeout.

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps

Default values to disable SNMP.

crypto map partner-map client configuration address initiate

Specify the IKE Mode Configuration parameters.

crypto ipsec transform-set strong-des esp-3des esp-sha-hmac

Create a transform set that uses ESP with Triple DES encryption and SHA-HMAC authentication.

crypto dynamic-map cisco 4 set transform-set strong-des

Create a dynamic crypto map that associates the access list and the transform set.

crypto map partner-map 20 ipsec-isakmp dynamic cisco

Define a crypto map that enables the ISAKMP policy.

crypto map partner-map client authentication partnerauth

Enable Xauth. Be sure to specify the same AAA server name within the crypto map client authentication command statement as was specified in the aaa-server command statement.

crypto map partner-map interface outside

Apply the crypto map to the outside interface.

isakmp enable outside
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 authentication rsa-sig

Enable ISAKMP on the outside interface and create an ISAKMP policy that authenticates peers with RSA signatures (digital certificates), uses Triple DES encryption, and uses MD5 as the hash algorithm.

vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 90
vpngroup superteam idle-time 1800 

Configure Cisco VPN 3000 Client policy attributes to download to the Cisco VPN 3000 Client.

ca identity abcd 209.165.200.228 209.165.200.228
ca configure abcd ra 1 100 crloptional

Define CA-related enrollment commands.

sysopt connection permit-ipsec

Implicitly permit IPSec connections through the PIX Firewall.

telnet timeout 5
terminal width 80

Default values specifying how long a Telnet console session can remain idle and that console output is displayed up to 80 characters wide.


Configuring the Cisco VPN 3000 Client

This section describes how to configure the Cisco VPN 3000 Client to match the configurations within "Configuring the PIX Firewall," in the previous section. It is assumed the Cisco VPN 3000 Client is already installed on your system and is configured for general use. You can find the Cisco VPN 3000 Client documentation online at the following site:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/index.htm

For the Cisco VPN 3000 Client to gain VPN access to the PIX Firewall using a digital certificate, obtain a digital certificate from a CA server. Once you have this certificate, create a VPN Client connection entry that identifies the following:

the host name or IP address of the remote server you want to access, which in this case is a PIX Firewall.

the certificate name (the certificate should already be installed on your Cisco VPN 3000 Client).


Note When configuring the VPN 3000 Client certificate, be sure to match the VPN group name you specified within the associated vpngroup commands in your PIX Firewall configuration. To specify a VPN group name within the VPN 3000 Client certificate, enter the name of the VPN group in the "Organization Unit" (OU) field. The PIX Firewall will use this VPN group name to match a given VPN Client's policy. For example, if the name of your VPN group is "superteam", you would enter "superteam" in the OU field. You would use "superteam" as the VPN group name to configure on the PIX Firewall using the vpngroup commands.


This section does not cover how to obtain a digital certificate for the Cisco VPN 3000 Client. For information about obtaining a certificate on the Cisco VPN 3000 Client, refer to the chapter "Obtaining a Certificate" within the VPN 3000 Client User Guide.

To obtain the detailed steps to follow when configuring the Cisco VPN 3000 Client, refer to the chapter "Configuring the VPN Client" in the VPN 3000 Client User Guide.

Follow these steps to configure the Cisco VPN 3000 Client:


Step 1 Click Start>Programs>Cisco Systems VPN 3000 Client>VPN Dialer.

Step 2 At the Cisco VPN 3000 Client main dialog box, click New.

The first New Connection Entry Wizard dialog box appears.

Step 3 Enter a unique name for the connection.

Step 4 (Optional) Enter a description of this connection.

Step 5 Click Next.

The second New Connection Entry Wizard dialog box appears.

Step 6 Enter the host name or IP address of the remote PIX Firewall you want to access.

Step 7 Click Next.

The third New Connection Entry Wizard dialog box appears.

Step 8 Click the Certificate button.

Step 9 Click the name of the certificate you are using.

Step 10 Click Next.

The fourth New Connection Entry Wizard dialog box appears.

Step 11 Review the connection entry name.

Step 12 Click Finish.