The “Foundation Summary” provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this summary provides a convenient way to review the day before the exam.
There are four different VPN types:
■ Access
■ Intranet
■ Extranet
■ WebVPN
Access VPNs are used for remote users and normally require client software. Intranet and extranet VPNs are configured as site-to-site VPNs. WebVPNs are used for remote users, but they do not require client software.
VPN peers need to authenticate each other and negotiate the IPSec SA. The negotiation is completed automatically using IKE. The authentication is completed using preshared keys, RSA signatures (certificates), or RSA nonces. The Security Appliance does not support RSA nonces. To configure IKE on the PIX, you use the following commands:
■ isakmp policy
— Configures the authentication type
— Configures the message encryption algorithm
— Configures the message integrity algorithm
— Configures the key exchange parameters
— Defines the SA lifetime (reinitiates the Diffie-Hellman key exchange)
■ isakmp enable—Applies the ISAKMP policy to an interface, allowing that interface to receive UDP 500 traffic
■ isakmp identity—Identifies the local peer by IP address or host name
■ isakmp key—If you are using a preshared key, defines the key and the peer (by IP address)
After you configure IKE, you are ready to configure IPSec. Follow these steps:
Step 1 Use the access-list command to configure the access list so that the PIX knows which traffic should be encrypted.
Step 2 Use the transform-set command to create transform sets to define the encryption and integrity to be used for the session.
Step 3 Use the ipsec security-association lifetime command (optional) to define the SA lifetime to reduce the opportunity of others to crack your encryption.
Step 4 Configure the crypto map:
• Define the SA negotiation (manual or IKE)
• Apply the access list to the crypto map
• Apply the transform set to the crypto map
• Identify the SA peer by IP address or host name
• Apply the crypto map to an interface
Three commands (and many options for each) are available to troubleshoot VPN connectivity:
■ show—Displays the current configuration or current SA status
■ clear—Removes the current configuration or setting (usually used to regenerate the connection)
■ debug—Allows you to see ongoing sessions and key negotiations
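The following PIX configuration is an added example, not taken from the book, that walks through the IKE commands and the four IPSec steps above in order and ends with the show commands used to verify the result. The interface name (outside), the peer and protected subnets (RFC 5737 documentation addresses), the ACL and crypto map names, and the preshared key placeholder are all assumptions.

```cisco
! --- IKE phase 1 (isakmp commands) ---
! Allow this interface to accept IKE (UDP 500) negotiations
isakmp enable outside
! Policy 10: preshared-key authentication, AES-256, SHA, DH group 2, 1-day lifetime
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Identify the local peer by IP address rather than host name
isakmp identity address
! Preshared key for the single remote peer 192.0.2.1 (placeholder key; assumed peer)
isakmp key REPLACE-WITH-STRONG-SECRET address 192.0.2.1 netmask 255.255.255.255
!
! --- IPSec step 1: select the traffic to encrypt (assumed subnets) ---
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! --- IPSec step 2: encryption and integrity for the session ---
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
!
! --- IPSec step 3 (optional): shorten the IPSec SA lifetime to 8 hours ---
crypto ipsec security-association lifetime seconds 28800
!
! --- IPSec step 4: build the crypto map and bind it to the interface ---
! ipsec-isakmp = SA negotiated by IKE (not manual keying)
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn-traffic
crypto map mymap 10 set transform-set strong
crypto map mymap 10 set peer 192.0.2.1
crypto map mymap interface outside
!
! --- Verification (show commands from the troubleshooting list) ---
! show isakmp sa          -> phase 1 SA state with the peer
! show crypto ipsec sa    -> phase 2 SAs, including encrypted/decrypted packet counters
```

If the IKE SA never forms, the preshared key, the policy parameters, and the isakmp identity setting must match on both peers exactly.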
WebVPNs are a flexible way for end users to access resources on an enterprise network from anywhere in the world. WebVPN uses a front-end portal interface to authenticate end users and give them access through a web browser, using an HTTPS connection. Services supported by WebVPN are as follows:
■ E-mail proxy—Support for POP3S, IMAP3S, SMTPS, and MAPI through e-mail proxies.
■ File sharing and browsing—Support for SMB/CIFS file servers, as well as file access and distribution.
■ Website URL access—Access to internal and external websites.
■ Port forwarding—Support for TCP-based port-forwarding through a Java applet.
Security administrators might need to control the web content that end users reach through WebVPN. This can be done through two means: content filtering and ACLs. Content filtering enables a security administrator to strip unwanted images, scripts, and cookies from unapproved websites. Access restrictions through ACLs can also be applied to WebVPN connections.
Cisco VPN Client is used to connect remote users to internal resources by an encrypted tunnel. The package handles all the negotiation and encryption and can operate using any connection to the Internet.
To develop a scalable VPN solution, you must implement a dynamic means of authentication. The most effective and scalable method today is the use of IKE and certification authorities.