Lesson 16
Easy VPN Remote—Small Office/Home Office
© 2004, Cisco Systems, Inc. All rights reserved.
CSPFA 3.2—16-1
Objectives
Upon completion of this lesson, you will be able to
perform the following tasks:
• Describe the two Easy VPN modes of operation.
• Configure the PIX Firewall as an Easy VPN Remote client.
• Explain the PIX Firewall’s Secure Unit Authentication and Individual User Authentication features.
• Configure the PIX Firewall for Secure Unit Authentication and Individual User Authentication.
• Describe the PIX Firewall’s DHCP server feature.
• Configure the PIX Firewall as a DHCP server.
• Configure the PIX Firewall’s PPPoE client.
PIX Firewall Easy VPN Remote
Feature Overview
Implementing PIX Firewall Easy VPN Remote
Figure: PIX Firewall 501/506E units acting as Easy VPN Remote clients receive pushed policy from an Easy VPN Server, which can be a Cisco IOS router (release 12.2(8)T or later), a PIX Firewall (6.2 or later), or a VPN 3000 Concentrator (3.11 or later; 3.5.1 or later recommended).
Easy VPN Remote
Configuration
Easy VPN Remote Client Configuration
Figure: Remote-site PIX1 (inside hosts 10.1.1.2 and 10.1.1.3, address 10.1.1.1, outside address 209.165.201.5) tunnels to the Easy VPN server 192.168.1.2 in front of the central network 10.0.0.0/24.
pixfirewall(config)#
vpnclient vpngroup group_name password preshared_key
• Group name and pre-shared key
vpnclient username {xauth_username} password {xauth_password}
• VPN client extended authentication (Xauth) username and password
vpnclient server {ip_primary} [ip_secondary_n]
• Easy VPN server IP address (primary, optionally followed by secondary servers)
pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training
pix1(config)# vpnclient server 192.168.1.2
Easy VPN Client Device Mode
Figure: Two ways a PIX Firewall 501/506E (Easy VPN Remote) can tunnel to a PIX Firewall 525 (Easy VPN Server) in front of 10.0.0.0/24:
• Client mode: the inside hosts 10.1.1.2 and 10.1.1.3 are hidden behind the PIX Firewall’s outside address 209.165.201.5 by PAT.
• Network extension mode: the inside addresses 10.1.1.2 and 10.1.1.3 remain visible across the tunnel to the central site.
Easy VPN Client Device Mode Configuration
Figure: PIX1 in network extension mode; the inside addresses 10.1.1.2 and 10.1.1.3 are visible from the central site 10.0.0.0/24 through the tunnel to 192.168.1.2.
pixfirewall(config)#
vpnclient mode {client-mode | network-extension-mode}
• Sets the Easy VPN Remote device mode: client mode or network extension mode.
pix1(config)# vpnclient mode network-extension-mode
Enable Easy VPN Remote Device
Figure: PIX1 brings up the VPN tunnel for inside hosts 10.1.1.2 and 10.1.1.3 toward the central site 10.0.0.0/24.
pixfirewall(config)#
vpnclient enable
• Enables the Easy VPN Remote device.
pix1(config)# vpnclient enable
Secure Unit Authentication
Figure: The Easy VPN server PIX2 pushes the secure-unit-authentication policy to the Easy VPN client PIX1 (inside hosts 10.1.1.2 and 10.1.1.3); PIX1 must authenticate, with credentials checked by the ACS server on the central network 10.0.0.0/24, before the tunnel comes up.
pixfirewall(config)#
vpngroup groupname secure-unit-authentication
• Enables secure-unit-authentication policy at central site.
pix2(config)# vpngroup training secure-unit-authentication
Individual User Authentication
Figure: PIX2 pushes the individual user authentication policy to the Easy VPN client PIX1 over the VPN tunnel; each remote user behind PIX1 (10.1.1.2, 10.1.1.3) must authenticate, with credentials checked by the ACS server on 10.0.0.0/24, before gaining access to the tunnel.
pixfirewall(config)#
vpngroup groupname user-authentication
vpngroup groupname user-idle-timeout hh:mm:ss
vpngroup groupname authentication-server server_tag
• Enables the individual user authentication policy at the central site, sets the idle timeout after which a user must authenticate again, and names the AAA server group (server_tag) that authenticates the users.
pix2(config)# vpngroup training user-authentication
PPPoE and the PIX Firewall
The PIX Firewall as a PPPoE Client
Figure: The PIX Firewall (PPPoE client) in front of 10.0.0.0/24 connects through a DSL modem to the ISP’s PPPoE access concentrator; IPSec runs over the PPPoE link.
Configure a Virtual Private Dial-Up Networking Group
Figure: PIX1 (10.0.0.0/24) reaches the ISP’s PPPoE access concentrator through a DSL modem.
pixfirewall(config)#
vpdn group group_name request dialout pppoe
• Defines a VPDN group to be used for PPPoE.
vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
• Selects an authentication method.
vpdn group group_name localname username
• Associates the username assigned by your ISP with the VPDN group.
pix1(config)# vpdn group PPPOEGROUP request dialout pppoe
pix1(config)# vpdn group PPPOEGROUP ppp authentication pap
pix1(config)# vpdn group PPPOEGROUP localname MYUSERNAME
Create VPDN Username and Password
Figure: PIX1 (10.0.0.0/24) reaches the ISP’s PPPoE access concentrator through a DSL modem.
pixfirewall(config)#
vpdn username name password pass
• Creates a username and password pair for the PPPoE connection.
pix1(config)# vpdn username student1 password training
Enable PPPoE Client
Figure: PIX1 (10.0.0.0/24) reaches the ISP’s PPPoE access concentrator through a DSL modem.
pixfirewall(config)#
ip address if_name pppoe [setroute]
• Enables the PPPoE client on the interface; the optional setroute keyword installs a default route using the gateway returned by the access concentrator.
pix1(config)# ip address outside pppoe
Monitoring the PPPoE Client
pixfirewall(config)#
show vpdn
• Displays tunnel and session information.
pixfirewall(config)#
show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
• Displays session information.
pixfirewall(config)#
show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
• Displays tunnel information.
Monitoring the PPPoE Client (Cont.)
pixfirewall(config)#
show vpdn pppinterface [id intf_id]
• Displays the interface identification value.
pixfirewall(config)#
show vpdn username [name]
• Displays local usernames.
pixfirewall(config)#
show vpdn group [groupname]
• Displays configured groups.
pixfirewall(config)#
show ip address if_name pppoe
• Displays detailed information about a PPPoE connection.
Debugging the PPPoE Client
pixfirewall(config)#
debug pppoe event | error | packet
• Enables debugging for the PPPoE client.
DHCP Server Configuration
DHCP
The PIX Firewall’s DHCP server can be used
to dynamically assign:
• An IP address and subnet mask
• The IP address of a DNS server
• The IP address of a WINS server
• A domain name
• The IP address of a TFTP server
• A lease length
DHCP Server
Figure: A client on the inside network obtains an address from the PIX Firewall’s DHCP pool (10.1.1.2–10.1.1.20); the PIX Firewall’s outside interface faces the Internet.
1. DHCPDISCOVER—The client seeks an address.
2. DHCPOFFER—The server offers 10.1.1.2.
3. DHCPREQUEST—The client requests 10.1.1.2.
4. DHCPACK—The server acknowledges the assignment of 10.1.1.2.
Configuring the PIX Firewall as a DHCP Server
• Step 1—Assign a static IP address to the inside interface.
• Step 2—Specify a range of addresses for the DHCP server to distribute.
• Step 3—(Optional.) Specify the IP address of the DNS server.
• Step 4—(Optional.) Specify the IP address of the WINS server.
• Step 5—(Optional.) Configure the domain name.
• Step 6—(Optional.) Specify the IP address of the TFTP server.
• Step 7—Specify the lease length (default = 3,600 seconds).
• Step 8—Enable DHCP.
Configure DHCP Address Pool
Figure: PIX1 acts as DHCP server for the inside network, assigning addresses from the pool 10.1.1.2–10.1.1.15 (hosts 10.1.1.2 and 10.1.1.3 shown); an ACS server resides on 10.0.0.0/24.
pixfirewall(config)#
dhcpd address ip1[-ip2] [if_name]
• Specifies a range of addresses for DHCP to assign.
pix1(config)# dhcpd address 10.1.1.2-10.1.1.15 inside
Specify WINS, DNS, and Domain Name
Figure: The PIX Firewall (DHCP server) hands inside clients the WINS server 10.0.0.21, the DNS server 10.0.0.14, and the domain cisco.com; both servers reside on the central network 10.0.0.0/24.
pixfirewall(config)#
dhcpd wins wins1 [wins2]
• Specifies the IP address of the WINS server (optionally a second one) handed to DHCP clients.
dhcpd dns dns1 [dns2]
• Specifies the IP address of the DNS server (optionally a second one) handed to DHCP clients.
dhcpd domain domain_name
• Specifies the domain name handed to DHCP clients.
pix1(config)# dhcpd wins 10.0.0.21
pix1(config)# dhcpd dns 10.0.0.14
pix1(config)# dhcpd domain cisco.com
DHCP Option 66 and 150
Figure: The PIX Firewall (DHCP server) gives inside client 10.1.1.2 the TFTP server 10.0.0.11 on 10.0.0.0/24, as Option 150 (10.0.0.11) and Option 66 (10.0.0.11).
pixfirewall(config)#
dhcpd option 66 ascii {server_name | server_ip_str}
• Distributes a single TFTP server, given as a name or an IP address string, for IP Phone connections.
dhcpd option 150 ip server_ip1 [server_ip2]
• Distributes a list of TFTP servers for IP Phone connections.
pix1(config)# dhcpd option 150 ip 10.0.0.11
pix1(config)# dhcpd option 66 ascii 10.0.0.11
Setting DHCP Lease Length
Figure: The PIX Firewall (DHCP server) assigns leases of the configured length to inside hosts 10.1.1.2 and 10.1.1.3; an ACS server resides on 10.0.0.0/24.
pixfirewall(config)#
dhcpd lease lease_length
• Specifies the DHCP lease length in seconds.
pix1(config)# dhcpd lease 3000
Enable DHCP
Figure: The PIX Firewall serves DHCP to inside hosts 10.1.1.2 and 10.1.1.3; an ACS server resides on 10.0.0.0/24.
pixfirewall(config)#
dhcpd enable [if_name]
• Enables DHCP server.
pix1(config)# dhcpd enable inside
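Putting the lesson together, here is an added example (not from the course materials) of one PIX Firewall 501/506E configuration for the small-office scenario: the PPPoE client on the outside interface, Easy VPN Remote in network extension mode, and the DHCP server on the inside. Assumed, because the slides do not state them: the inside interface address 10.1.1.1 with a /24 mask (taken from the figures), an ISP account called MYUSERNAME with password ISP_PASSWORD, and comment lines beginning with ':' as in a saved PIX configuration.

```text
: Added example, not from the course. Addresses and names follow the slides;
: MYUSERNAME and ISP_PASSWORD are placeholders for the ISP account.
:
: --- PPPoE client on the outside interface ---
vpdn group PPPOEGROUP request dialout pppoe
vpdn group PPPOEGROUP ppp authentication pap
vpdn group PPPOEGROUP localname MYUSERNAME
: the vpdn username must be the same name given as localname above
vpdn username MYUSERNAME password ISP_PASSWORD
: setroute installs the default route handed out by the access concentrator
ip address outside pppoe setroute
:
: --- Inside interface: a static address is required before DHCP can serve it ---
: (10.1.1.1/24 is assumed from the figures)
ip address inside 10.1.1.1 255.255.255.0
:
: --- Easy VPN Remote toward the central-site server ---
vpnclient server 192.168.1.2
: network extension mode keeps 10.1.1.0/24 visible from the central site
vpnclient mode network-extension-mode
vpnclient vpngroup training password cisco123
: Xauth credentials; if the server pushes the secure unit authentication
: policy, these stored credentials are not used and the unit is
: authenticated interactively before the tunnel comes up
vpnclient username student1 password training
vpnclient enable
:
: --- DHCP server for the inside hosts ---
dhcpd address 10.1.1.2-10.1.1.15 inside
dhcpd dns 10.0.0.14
dhcpd wins 10.0.0.21
dhcpd domain cisco.com
dhcpd option 150 ip 10.0.0.11
dhcpd lease 3000
dhcpd enable inside
```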
DHCP Server Auto Configuration
Figure: The PIX Firewall learns WINS 10.0.0.21, DNS 10.0.0.15, and domain cisco.com as a DHCP client on its outside interface, and passes the same values, together with the assigned IP address 10.1.1.2, to a DHCP client on its inside interface.
pixfirewall(config)#
dhcpd auto_config [client_ifx_name]
• Enables the PIX Firewall to pass the DNS, WINS, and domain name values it receives as a DHCP client on to the clients of its own DHCP server.
pix1(config)# ip address outside dhcp
pix1(config)# dhcpd address 10.1.1.2-10.1.1.20 inside
pix1(config)# dhcpd auto_config
pix1(config)# dhcpd enable inside
debug dhcpd and clear dhcpd Commands
pixfirewall(config)#
debug dhcpd event | packet
• Displays information associated with the DHCP server.
pixfirewall(config)#
clear dhcpd
• Removes all dhcpd command statements from the configuration.
Summary
• Easy VPN Remote can operate in client or network extension mode.
• With Secure Unit Authentication, the remote PIX Firewall must authenticate before the VPN tunnel comes up.
• With Individual User Authentication, the remote user must authenticate before the user gains access to the VPN tunnel.
• The PIX Firewall can function as a DHCP client and DHCP server.
• Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.