Create an IP Address Pool
If the remote client obtains its IP address from the Easy VPN Server, you must define a
local address pool using the ip local pool command. The syntax for this command is as
follows:
ip local pool pool_name low_ip_address[-high_ip_address]
For instance, suppose that you want to assign the remote clients addresses in the range from
10.20.100.1 through 10.20.100.254, using a pool name of vpn-pool. The command line would
be as follows:
Pix(config)# ip local pool vpn-pool 10.20.100.1-10.20.100.254
The pool addresses are assigned to the remote clients themselves, so choose a range that does
not overlap any network behind the inside interface and that your inside routing and NAT
exemption (nat 0) configuration accounts for.

isakmp policy Parameters

Table 14-3 isakmp policy Parameters

Parameter    Description
aes          Specifies AES with a 128-bit key as the encryption algorithm used by the IKE policy.
aes-192      Specifies AES with a 192-bit key as the encryption algorithm used by the IKE policy.
aes-256      Specifies AES with a 256-bit key as the encryption algorithm used by the IKE policy.
des          Specifies DES with a 56-bit key as the encryption algorithm used by the IKE policy.
3des         Specifies 3DES as the encryption algorithm used by the IKE policy.
encryption   Keyword indicating that the next parameter specifies the encryption algorithm for the IKE policy.
group        Keyword indicating that the next parameter is a Diffie-Hellman group. You can specify 1, 2, or 5 (1 is the default).
hash         Keyword indicating that the next parameter specifies the hash algorithm to be used by the IKE policy.
lifetime     Keyword indicating that the next parameter specifies the lifetime (in seconds) for the IKE policy.
md5          Specifies that the MD5 hash algorithm will be used by the IKE policy.
pre-share    Specifies that the IKE policy will use preshared keys for initial authentication.
priority     An integer (1 to 65,534) uniquely identifying the IKE policy and assigning it a priority (1 is the highest priority, and 65,534 is the lowest priority).
rsa-sig      Specifies that the IKE policy will use RSA signatures for initial authentication.
sha          Specifies that the SHA-1 hash algorithm will be used by the IKE policy. This is the default hash algorithm.

For instance, suppose that you want to configure an ISAKMP policy based on the following
criteria:
■ Preshared key initial authentication
■ AES encryption algorithm (128-bit)
■ SHA-1 hash algorithm
■ Diffie-Hellman group 5
The commands to define this ISAKMP policy are as follows:
Pix(config)# isakmp enable outside
Pix(config)# isakmp policy 30 authentication pre-share
Pix(config)# isakmp policy 30 encryption aes
Pix(config)# isakmp policy 30 hash sha
Pix(config)# isakmp policy 30 group 5
No lifetime is set here, so policy 30 keeps the default SA lifetime. The isakmp enable outside
command turns IKE on for the interface that the remote clients reach; without it, no policy is
ever negotiated.

Create an ISAKMP Policy
To create the ISAKMP policy, you must use the standard ISAKMP configuration commands
to define the following parameters:
■ Authentication type
■ Encryption algorithm
■ Hash algorithm
■ Diffie-Hellman group ID
■ SA lifetime
The syntax for these commands is as follows:
isakmp policy priority authentication {pre-share | rsa-sig}
isakmp policy priority encryption {aes | aes-192 | aes-256 | des | 3des}
isakmp policy priority group {1 | 2 | 5}
isakmp policy priority hash {md5 | sha}
isakmp policy priority lifetime seconds
Table 14-3 outlines the parameters for the isakmp policy command.

Extended Authentication Configuration
XAUTH enables the Easy VPN Server to require username/password authentication in order
to establish the VPN connection. This authentication is performed by an AAA server.
Configuring the Easy VPN Server to use XAUTH for remote VPN clients is one step of the
complete Easy VPN Server configuration, which involves the following tasks:
■ Create an Internet Security Association and Key Management Protocol (ISAKMP) policy
for remote Cisco VPN Client access
■ Create an IP address pool
■ Define a group policy for mode configuration push
■ Create a transform set
■ Create a dynamic crypto map
■ Assign the dynamic crypto map to a static crypto map
■ Apply the static crypto map to an interface
■ Configure XAUTH
■ Configure NAT and NAT 0
■ Enable IKE DPD

IKE Quick Mode Completes the Connection
After the VPN Client receives the various configuration parameters from the Easy VPN
Server, IKE quick mode is initiated to negotiate the IPSec SA establishment.

Mode Configuration Process Is Initiated
After successfully authenticating with the Easy VPN Server, the VPN Client requests the
remaining configuration parameters from the Easy VPN Server such as the following:
■ IP address
■ Domain Name System (DNS) information
■ Split tunneling configuration
NOTE VPN devices that handle remote Cisco VPN Clients should always be configured
to enforce user authentication.
NOTE The IP address is the only required parameter in the group profile. All other
parameters are optional.

Easy VPN Server Initiates a Username/Password Challenge
If the Easy VPN Server is configured for XAUTH, the VPN Client waits for a username/
password challenge once the proposal is accepted. The username and password entered by
the user are checked against the data stored in an authentication, authorization, and
accounting (AAA) server.

Easy VPN Server Accepts the SA Proposal
After receiving the proposals from the VPN Client, the Easy VPN Server searches its configured
ISAKMP policies, in ascending priority number, for a valid match and accepts the first policy
that matches. To ensure that the most secure proposal is always accepted, store the policies on
the server in order from the most secure option to the least secure option, that is, give the
strongest policy the lowest priority number. A weak policy with a lower number than a
stronger one is matched first whenever the client also offers that weak combination.
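The following is an added example, not code from the chapter, that applies the rule above to a set of isakmp policy commands of the form shown in the Create an ISAKMP Policy section: it parses the policies, flags DES, MD5 and group 1, and reports a weaker policy that has a lower priority number than a stronger one. The sample configuration is constructed for this example, the strength ranking is this example's own judgement, and the des, rsa-sig and 86400 defaults for omitted parameters are assumed PIX defaults (the page itself states only the sha and group 1 defaults).

```python
import re
from collections import defaultdict

# Relative strength ranks (higher is stronger). The ranking is this example's
# judgement; the page only lists which values the command accepts.
ENC_RANK = {"des": 1, "3des": 2, "aes": 3, "aes-192": 4, "aes-256": 5}
HASH_RANK = {"md5": 1, "sha": 2}
GROUP_RANK = {"1": 1, "2": 2, "5": 3}

# Values used when a policy omits a parameter. The page states the sha and
# group 1 defaults; rsa-sig, des and 86400 are assumed here as the PIX
# defaults for the remaining parameters.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}

POLICY_RE = re.compile(
    r"^\s*isakmp\s+policy\s+(\d+)\s+"
    r"(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$")

# Constructed sample configuration: a weak policy 10 and a stronger policy 30.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
""".strip().splitlines()


def parse_isakmp_policies(lines):
    """Return {priority: {parameter: value}} with defaults filled in,
    ordered by ascending priority number (the order the PIX tries them)."""
    policies = defaultdict(dict)
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3).lower()
    return {p: {**DEFAULTS, **attrs} for p, attrs in sorted(policies.items())}


def strength(policy):
    """Coarse score used only to compare policies with each other."""
    return (ENC_RANK.get(policy["encryption"], 0)
            + HASH_RANK.get(policy["hash"], 0)
            + GROUP_RANK.get(policy["group"], 0))


def audit(lines):
    """Flag weak parameters and weak policies that precede stronger ones."""
    policies = parse_isakmp_policies(lines)
    findings = []
    for prio, pol in policies.items():
        if pol["encryption"] == "des":
            findings.append(f"policy {prio}: single DES encryption")
        if pol["hash"] == "md5":
            findings.append(f"policy {prio}: MD5 hash")
        if pol["group"] == "1":
            findings.append(f"policy {prio}: Diffie-Hellman group 1")
    # Policies are evaluated in ascending priority number and the first match
    # wins, so a weak policy with a lower number than a stronger one is chosen
    # whenever the client also proposes that weak combination.
    prios = list(policies)
    for earlier, later in zip(prios, prios[1:]):
        if strength(policies[earlier]) < strength(policies[later]):
            findings.append(
                f"ordering: policy {earlier} is tried before stronger policy "
                f"{later}; give the stronger policy the lower priority number")
    return findings


def suggested_order(lines):
    """Priorities listed strongest first, i.e. the order in which they
    should receive the lowest priority numbers."""
    policies = parse_isakmp_policies(lines)
    return sorted(policies, key=lambda p: strength(policies[p]), reverse=True)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("suggested order:", suggested_order(SAMPLE_CONFIG))
```

Run against the sample, audit() reports the three weak parameters of policy 10 and the ordering problem, and suggested_order() returns [30, 10], meaning policy 30 should be renumbered below policy 10 (or policy 10 removed) so that a client offering both combinations is given AES/SHA-1/group 5.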

VPN Client Negotiates an IKE Security Association
The client attempts to establish an SA between the client and server peer Internet Protocol
(IP) addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual
configuration on the VPN Client, these IKE proposals include several combinations of the
following parameters:
■ Encryption and hash algorithms
■ Authentication methods
■ Diffie-Hellman (DH) group sizes
Proposing multiple IKE proposals with various parameters means that one combination is
likely to match one of the options configured on the server.

VPN Client Initiates IKE Phase 1 Process
When initiating the VPN connection, the client can use one of the following two IKE
authentication mechanisms:
■ Preshared keys
■ Digital certificates
When using preshared keys, the client initiates IKE aggressive mode negotiation. The group
name entered in the configuration GUI (ID-KEY-ID) is used to identify the group profile
associated with the VPN Client.
Using digital certificates requires the client to initiate IKE main mode negotiation. The
Organizational Unit (OU) field of the distinguished name (DN) is used to identify the group
profile associated with the VPN Client.

Easy VPN Remote Connection Process
When the Easy VPN Remote Client initiates a connection with the Easy VPN Server gateway,
the interaction between the peers involves the following major steps:
Step 1 VPN Client initiates the IKE phase 1 process.
Step 2 VPN Client negotiates an IKE SA.
Step 3 Easy VPN Server accepts the SA proposal.
Step 4 Easy VPN Server initiates a username/password challenge.
Step 5 Mode configuration process is initiated.
Step 6 IKE quick mode completes the connection.

Cisco Easy VPN Remote Router Clients
To provide a comprehensive solution, Cisco Easy VPN also supports several router-based
clients. You can use the following router platforms as Cisco Easy VPN remote clients:
■ Cisco 800 Series routers (806, 826, 827,828)
■ Cisco 900 Series routers (uBR905, uBR925)
■ Cisco 1700 Series routers (1710, 1720, 1721, 1750, 1751, 1760)
Cable modems, xDSL routers, and other forms of broadband access provide Internet access,
but many situations require VPN connections to secure data that traverses the Internet.
Establishing a VPN connection between two VPN endpoints, however, can be complicated
because it usually requires coordination between administrators to perform the tedious tasks
necessary to define the connection parameters.
Cisco Easy VPN Remote eliminates most of the tedious work by implementing the Cisco
VPN Client protocol. This protocol allows many of the VPN parameters to be configured on
the access server. Once the access server is configured, the additional configuration on the
VPN Client is minimal. When the IPSec client initiates the VPN connection, the VPN remote
access server pushes the required IPSec policies to the IPSec client and creates the
corresponding IPSec tunnel.

Cisco PIX 501 and 506 VPN Clients
The following two PIX Firewall models are commonly used as VPN clients:
■ PIX 501
■ PIX 506/506E
The PIX 501 delivers enterprise-class security for small offices and telecommuters. For small
offices with always-on broadband connections, the PIX 501 provides security functionality,
numerous networking features, and powerful remote management capabilities in a compact
single-box solution.
Up to four individual systems can share a single broadband connection, using the integrated
four-port auto-sensing, auto MDIX switch for the inside interface. Like the Hardware Client,
this switch eliminates the need for crossover cables when connecting a device to a port. The
Ethernet ports support 10/100BASE-T (100BASE-T with the 6.3 software release). The PIX
501 also provides a RS-232 console port interface (RJ-45 connector and 9600 baud).
The PIX 506/506E enables companies to utilize the power of the Internet to enable users to
work remotely from home securely. It delivers full firewall protection in conjunction with
IPSec and VPN functionality. Connecting simultaneously with up to 25 VPN peers, the PIX
506/506E provides a complete implementation of IPSec standards. It comes with two
integrated 10/100BASE-T (100BASE-T with the 6.3 software release) ports in a compact
platform (8 inches by 12 inches by 1.7 inches). Updates to image files are downloaded using
the Trivial File Transfer Protocol (TFTP).
NOTE Both Hardware Client models have one public Ethernet interface. The difference
between the two Hardware Clients is that the 8E has eight private 10/100BASE-T ports
instead of only one. These eight ports utilize auto Medium Dependent Interface Crossover
(MDIX) technology that eliminates the need for crossover cables when connecting a device
to a port.
NOTE Before software release 6.3, the Ethernet ports on the PIX 501 and 506/506E were
10BASE-T. After upgrading to the 6.3 software release on either the PIX 501 or 506/506E,
these ports become 10/100BASE-T ports. This speed enhancement is accomplished strictly
by a software update (no hardware upgrades are necessary).

Cisco VPN 3002 Hardware Client
The Cisco VPN Hardware Client has the Cisco VPN Software Client software built into it,
enabling it to emulate the Cisco 3000 Series VPN Concentrator Software Client. You can
simply connect the remote PCs to the Hardware Client instead of loading the Cisco VPN
Software Client software on each remote PC.
The Hardware Client comes in the following two versions:
■ Hardware Client
■ Hardware Client 8E
The Hardware Client operates in one of the following two modes:
■ Client mode
■ Network extension mode
You can select the modes locally using the command-line interface (CLI) or the graphical user
interface (GUI) or remotely using an IPSec tunnel or Secure Shell (SSH).
The Hardware Client is powered by an external power supply and can auto sense either
110V or 220V.

Cisco VPN Software Client
The Cisco Easy VPN Remote feature supports the Cisco VPN Client software (software
version 3.x and later). Simple to deploy and operate, this client software enables customers
to establish secure, end-to-end encrypted tunnels to any Easy VPN Server. The Cisco VPN
Software Client is available from the Cisco.com website for any central-site remote access
VPN product and is included free of charge with the Cisco VPN 3000 Concentrator.
VPN access policies and configurations are downloaded to the Cisco VPN Software Client
from the Easy VPN Server when the client establishes a connection. This configuration
simplifies deployment, management, and scalability. By preconfiguring the client software,
the initial user login requires little user intervention even in mass deployment scenarios.
The Cisco VPN Software Client operates with the following operating systems:
■ Microsoft Windows 95, 98, Me, NT 4.0, 2000, and XP
■ Linux
■ Solaris (UltraSPARC 32- and 64-bit)
■ MAC OS X 10.1

Supported Clients
The Easy VPN Remote feature supports the following client platforms:
■ Cisco VPN Software Client
■ Cisco VPN 3002 Hardware Client
■ Cisco PIX 501 and 506/506E VPN Clients
■ Cisco Easy VPN Remote router clients

Overview of Easy VPN Remote Feature
The Cisco Easy VPN Remote feature enables Cisco Security Appliance, Cisco VPN 3002
Hardware Clients, Cisco VPN Software Clients, and certain IOS routers to act as remote
Cisco VPN Clients. The Cisco Easy VPN Remote feature provides for automatic
management of the following items:
■ Negotiating tunnel parameters
■ Establishing tunnels according to parameters
■ Automatically creating the Network Address Translation (NAT)/Port Address
Translation (PAT) and associated access list if necessary
■ Authenticating users
■ Managing security keys for encryption and decryption
■ Authenticating, encrypting, and decrypting data through the VPN tunnel
This section explains the following characteristics of the Easy VPN Remote feature:
■ Supported clients
■ Easy VPN remote connection process
■ XAUTH configuration

Supported Servers
The Easy VPN Remote feature requires that the destination peer be a VPN gateway or
concentrator that supports the Easy VPN Server. Some of the currently supported Easy VPN
Server platforms include the following:
■ Cisco 806, 826, 827, and 828 routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 1700 Series routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 2600 Series routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 3620, 3640, and 3660 routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 7100 Series VPN routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 7200 Series routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco 7500 Series routers (Cisco IOS Software Release 12.2[8]T or later)
■ Cisco uBR905 and uBR925 cable access routers (Cisco IOS Software Release 12.2[8]T
or later)
■ Cisco VPN 3000 Series (Software Release 3.11 or later)
■ Cisco PIX 500 Series (Software Release 6.2 or later)

IPSec Options and Attributes

The Cisco Easy VPN supports the IPSec options and attributes shown in Table 14-2.
Table 14-2 IPSec Options and Attributes

IPSec Option                  Attributes
Authentication Algorithms     • HMAC-MD5 (Keyed-Hash Message Authentication Code with Message Digest 5)
                              • HMAC-SHA-1 (HMAC with Secure Hash Algorithm 1)
Authentication Types          • Preshared keys
                              • Rivest-Shamir-Adleman (RSA) digital signatures (not supported by Cisco Easy VPN Remote phase II)
Diffie-Hellman (DH) Groups    • Group 1
                              • Group 2
                              • Group 5
IKE Encryption Algorithms     • Data Encryption Standard (DES)
                              • Triple Data Encryption Standard (3DES)
                              • Advanced Encryption Standard (AES)
IPSec Encryption Algorithms   • DES
                              • 3DES
                              • AES
                              • NULL
IPSec Protocol Identifiers    • Encapsulating Security Payload (ESP)
                              • IP Payload Compression Protocol (IPComp)
                              • STAC-Lempel-Ziv Compression (LZS)
IPSec Protocol Mode           • Tunnel Mode

Initial Contact
If a Cisco VPN Client is suddenly disconnected, the gateway might not immediately detect
this, so the current connection information (IKE and IPSec security associations [SA]) will
still be valid. Then, if the VPN Client attempts to reestablish a connection, the new
connection will be refused because the gateway still has the previous connection marked
as valid. To avoid this scenario, Initial Contact has been implemented in all Cisco VPN
products. Initial Contact enables the VPN Client to send an initial message that instructs
the gateway to ignore and delete any existing connections from that client, thus preventing
connection problems caused by SA synchronization issues.

Dead Peer Detection
Dead peer detection (DPD) enables two IPSec peers to determine whether the other is still
“alive” during the lifetime of the VPN connection. This functionality is useful for reclaiming
valuable VPN resources that are allocated to a peer that no longer exists.
A Cisco VPN device can be configured to send and reply to DPD messages. DPD messages
are sent only when no other traffic is traversing the IPSec tunnel. If the configured amount of
time passes without a DPD message from the peer, the peer is considered dead and its SAs can
be cleaned up. DPD messages are unidirectional and are sent automatically by Cisco VPN
Clients. DPD is configured on the server only if the server wishes to send DPD messages to
VPN Clients to assess their health.

Server Functions
The Security Appliance version 6.3 VPN Server supports the following functionality:
■ Mode Configuration version 6
■ Extended Authentication (XAUTH) version 6
■ Internet Key Exchange (IKE) dead peer detection (DPD)
■ Split tunneling control
■ Initial contact
■ Group-based policy control

Major Features
The Security Appliance VPN Server includes the following major features:
■ Support for Easy VPN Remote clients
■ Ability for remote users to communicate using IPSec with supported Security Appliance
gateways
■ Central management of IPSec policies that are pushed to the clients by the server

Overview of the Easy VPN Server
The Easy VPN Server serves as the headend for your VPN configuration. To utilize Cisco
Easy VPN effectively, you need to understand the following characteristics of the Security
Appliance Easy VPN Server:
■ Major features
■ Server functions
■ Supported servers

Cisco Easy VPN

Easy VPN Remote Feature
The Easy VPN Remote feature enables Security Appliances, Cisco VPN 3002 Hardware
Clients, Cisco VPN Software Clients, and certain Cisco IOS routers to act as remote VPN
clients. The Easy VPN Server can push security policies to these clients, thus minimizing VPN
configuration requirements at remote locations. This cost-effective solution is ideal for
remote offices with little information technology (IT) support as well as large deployments
where it is impractical to configure individual remote devices.

Easy VPN Server
The Easy VPN Server enables Cisco IOS routers, Security Appliances, and Cisco VPN 3000
Series concentrators to serve as VPN headend devices when remote offices are running the
Easy VPN Remote feature. The configuration works for both site-to-site and remote access
configurations. With Cisco Easy VPN, security policies defined at the headend are pushed to
the remote VPN device, ensuring that the connection has up-to-date policies in place before
the connection is established.
Mobile workers running the VPN Client software on their PCs can initiate Internet Protocol
Security (IPSec) tunnels that are terminated on the Easy VPN Server. This flexibility enables
telecommuters and traveling employees to access critical data and applications easily that
reside at the headquarter facilities.

Introduction to Cisco Easy VPN
Cisco Easy VPN greatly simplifies VPN deployment for remote offices and telecommuters.
Based on a Cisco Unified Client Framework, Cisco Easy VPN centralizes management across
all Cisco VPN devices, thus greatly reducing the complexity in configuring and deploying
VPN configurations. The Cisco Easy VPN consists of the following two components (see
Figure 14-1):
■ Easy VPN Server
■ Easy VPN Remote feature

Configuring Access VPNs
The Cisco Easy VPN, a software enhancement for Cisco routers and security appliances,
greatly simplifies virtual private network (VPN) deployment for remote offices and
telecommuters. By centralizing VPN management across all Cisco VPN devices, Cisco Easy
VPN reduces the complexity of VPN deployments. Cisco Easy VPN enables you to integrate
various remote VPN solutions (Cisco IOS routers, Cisco PIX Firewalls, Cisco ASA 55X0
series firewalls, Cisco VPN 3002 Hardware Clients, and Cisco VPN Software Clients) within
a single deployment using a consistent VPN policy and key management method that
greatly simplifies administration of the remote clients.

LA Configuration with Comments

Figure 13-11 LA Configuration with Comments (the annotated Los Angeles configuration
figure could not be recovered from this page)
How the Configuration Lines Interact
Figure 13-11 shows the completed configuration for Los Angeles, with a brief explanation
for each entry. Note that each entry is connected to one or more other entries on the right.
This diagram depicts how the lines of the configuration are dependent on each other. Keep
this in mind when trying to troubleshoot a VPN configuration. It might help you to find
which line is missing or incorrectly configured.

Completed Configuration for Atlanta
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Atlanta
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.3.10
17. access-list inbound permit tcp any host 192.168.3.10 eq www
18. access-list inbound permit tcp any host 192.168.3.10 eq 443
19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
21. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
Example 13-19 Completed Configuration for Boston (Continued)
continues
22. access-list LosAngeles permit ip 10.10.3.0 255.255.255.0 10.10.10.0
255.255.255.0
23. access-list Boston permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.3.1 255.255.255.0
33. ip address inside 10.10.3.1 255.255.255.0
34. ip address DMZ 172.16.3.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.3.20-192.168.3.200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
40. static (DMZ outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. crypto map Chapter11 10 set peer 192.168.1.1
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Boston
63. crypto map Chapter11 20 set peer 192.168.2.1
64. crypto map Chapter11 20 set transform-set Chapter11
65. crypto map Chapter11 interface outside
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

Completed Configuration for Boston
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Boston
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.2.10
17. access-list inbound permit tcp any host 192.168.2.10 eq www
18. access-list inbound permit tcp any host 192.168.2.10 eq 443
19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
20. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
21. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
22. access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0
255.255.255.0
23. access-list Atlanta permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.2.1 255.255.255.0
33. ip address inside 10.10.2.1 255.255.255.0
34. ip address DMZ 172.16.2.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.2.20-192.168.2.200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
40. static (DMZ outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. crypto map Chapter11 10 set peer 192.168.1.1
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Atlanta
63. crypto map Chapter11 20 set peer 192.168.3.1
64. crypto map Chapter11 20 set transform-set Chapter11
65. crypto map Chapter11 interface outside
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

Completed Configuration for Los Angeles
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password HtmvK15kjhtlyfvcl encrypted
8. passwd Kkjhlkf1568Hke encrypted
9. hostname LosAngeles
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol h323 1720
14. fixup protocol rsh 514
15. fixup protocol smtp 25
16. fixup protocol sqlnet 1521
17. fixup protocol sip 5060
18. fixup protocol skinny 2000
19. names
20. access-list inbound permit icmp any host 192.168.1.10
21. access-list inbound permit tcp any host 192.168.1.10 eq www
22. access-list inbound permit tcp any host 192.168.1.10 eq 443
23. access-list inbound permit tcp any host 192.168.1.11 eq www
24. access-list inbound permit tcp any host 192.168.1.11 eq 443
25. access-list inbound permit tcp any host 192.168.1.12 eq www
26. access-list inbound permit tcp any host 192.168.1.12 eq 443
27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
28. access-list inbound permit tcp any host 192.168.1.10 eq 443
29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
31. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
32. access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
33. access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
34. pager lines 24
35. logging on
36. logging timestamp
37. interface ethernet0 auto
38. interface ethernet1 auto
39. interface ethernet2 auto
40. mtu outside 1500
41. mtu inside 1500
42. ip address outside 192.168.1.1 255.255.255.0
43. ip address inside 10.10.10.1 255.255.255.0
44. ip address DMZ 172.16.1.1 255.255.255.0
45. failover
46. failover timeout 0:00:00
47. failover poll 15
48. failover ip address outside 192.168.1.2
49. failover ip address inside 10.10.10.2
50. failover ip address DMZ 172.16.1.2
51. arp timeout 14400
52. global (outside) 1 192.168.1.20-192.168.1.250
53. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
54. nat (inside) 0 access-list VPN
55. static (inside DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
56. static (DMZ outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
57. static (DMZ outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
58. static (DMZ outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
59. static (DMZ outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
60. access-group inbound in interface outside
61. access-group DMZ in interface DMZ
62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
63. timeout xlate 3:00:00
64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
65. timeout uauth 0:05:00 absolute
66. aaa-server TACACS+ protocol tacacs+
67. aaa-server RADIUS protocol radius
68. no snmp-server location
69. no snmp-server contact
70. snmp-server community public
71. no snmp-server enable traps
72. floodguard enable
73. sysopt connection permit-ipsec
74. no sysopt route dnat
75. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
77. crypto map Chapter11 10 ipsec-isakmp
78. crypto map Chapter11 10 match address Boston
79. crypto map Chapter11 10 set peer 192.168.2.1
80. crypto map Chapter11 10 set transform-set Chapter11
81. crypto map Chapter11 20 ipsec-isakmp
82. crypto map Chapter11 20 match address Atlanta
83. crypto map Chapter11 20 set peer 192.168.3.1
84. crypto map Chapter11 20 set transform-set Chapter11
85. crypto map Chapter11 interface outside
86. isakmp enable outside
87. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
88. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
89. isakmp identity address
90. isakmp policy 20 authentication pre-share
91. isakmp policy 20 encryption 3des
92. isakmp policy 20 hash md5
93. isakmp policy 20 group 2
94. isakmp policy 20 lifetime 86400
95. terminal width 80
96. Cryptochecksum:e0clmj3546549637cbsFds54132d5

Completed PIX Configurations
To reduce confusion, it is a good idea to use a common naming convention when creating
access lists, transforms, and crypto maps. Example 13-18 shows the completed configuration
for the Los Angeles headquarters.

Atlanta Configuration
Fill in the missing lines in Example 13-17:
Line 20: ______________________________________________________________________
Line 21: ______________________________________________________________________
Line 22: ______________________________________________________________________
Line 23: ______________________________________________________________________
Line 55: ______________________________________________________________________
Line 58: ______________________________________________________________________
Line 59: ______________________________________________________________________
Line 61: ______________________________________________________________________
Line 62: ______________________________________________________________________
Line 63: ______________________________________________________________________
Line 65: ______________________________________________________________________
Line 66: ______________________________________________________________________
Line 67: ______________________________________________________________________
Line 68: ______________________________________________________________________
Line 70: ______________________________________________________________________

Boston Configuration
Fill in the missing lines in Example 13-16:
Line 20: ______________________________________________________________________
Line 21: ______________________________________________________________________
Line 22: ______________________________________________________________________
Line 23: ______________________________________________________________________
Line 54: ______________________________________________________________________
Line 55: ______________________________________________________________________
Line 56: ______________________________________________________________________
Line 59: ______________________________________________________________________
Line 64: ______________________________________________________________________
Line 65: ______________________________________________________________________
Line 71: ______________________________________________________________________
Line 72: ______________________________________________________________________
Line 73: ______________________________________________________________________
Line 74: ______________________________________________________________________

Los Angeles Configuration
Fill in the missing lines in Example 13-15:
Line 31: ______________________________________________________________________
Line 32: ______________________________________________________________________
Line 33: ______________________________________________________________________
Line 77: ______________________________________________________________________
Line 78: ______________________________________________________________________
Line 79: ______________________________________________________________________
Line 82: ______________________________________________________________________
Line 83: ______________________________________________________________________
Line 84: ______________________________________________________________________
Line 86: ______________________________________________________________________
Line 87: ______________________________________________________________________
Line 88: ______________________________________________________________________
Line 89: ______________________________________________________________________
Line 90: ______________________________________________________________________
Line 91: ______________________________________________________________________
Line 92: ______________________________________________________________________
Line 93: ______________________________________________________________________
Line 94: ______________________________________________________________________

PIX Configuration for Atlanta
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Atlanta
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.3.10
17. access-list inbound permit tcp any host 192.168.3.10 eq www
18. access-list inbound permit tcp any host 192.168.3.10 eq 443
19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20. access-list________________________________________________________________
21. access-list________________________________________________________________
22. access-list________________________________________________________________
23. access-list________________________________________________________________
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.3.1 255.255.255.0
33. ip address inside 10.10.3.1 255.255.255.0
34. ip address DMZ 172.16.3.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.3.20-200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
40. static (DMZ outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. sysopt connection permit-ipsec
55. crypto ipsec transform-set_____________________________________________________
56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map_____________________________________________________________________
59. crypto map_____________________________________________________________________
60. crypto map Chapter11 10 set transform-set Chapter11____________________________
61. crypto map_____________________________________________________________________
62. crypto map_____________________________________________________________________
63. crypto map_____________________________________________________________________
64. crypto map Chapter11 20 set transform-set Chapter11____________________________
65. crypto map_____________________________________________________________________
66. isakmp_________________________________________________________________________
67. isakmp key ********____________________________________________________________
68. isakmp key_____________________________________________________________________
69. isakmp identity address________________________________________________________
70. isakmp policy 20_______________________________________________________________
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
74. isakmp policy 20 lifetime 86400
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

Each line of the configuration is numbered, and certain lines have not been completed. Your
job is to complete the lines and verify each configuration against the configuration of the
VPN peer. The following sections give the blank lines for each configuration. The completed
configurations are listed at the end of the chapter, along with a full description of each
element from the configuration in Los Angeles. You will not find all the information needed
to complete the configuration on a single firewall. Remember that the configurations must
match on each end of the VPN.

PIX Configuration for Boston
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password ksjfglkasglc encrypted
8. passwd kjngczftglkacytiur encrypted
9. hostname Boston
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol smtp 25
14. fixup protocol skinny 2000
15. names
16. access-list inbound permit icmp any host 192.168.2.10
17. access-list inbound permit tcp any host 192.168.2.10 eq www
18. access-list inbound permit tcp any host 192.168.2.10 eq 443
19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
20. access-list___________________________________________________________________
21. access-list___________________________________________________________________
22. access-list___________________________________________________________________
23. access-list___________________________________________________________________
24. pager lines 24
25. logging on
26. logging timestamp
27. interface ethernet0 auto
28. interface ethernet1 auto
29. interface ethernet2 auto
30. mtu outside 1500
31. mtu inside 1500
32. ip address outside 192.168.2.1 255.255.255.0
33. ip address inside 10.10.2.1 255.255.255.0
34. ip address DMZ 172.16.2.1 255.255.255.0
35. arp timeout 14400
36. global (outside) 1 192.168.2.20-200
37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38. nat (inside) 0 access-list VPN
39. static (inside DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
40. static (DMZ outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
41. access-group inbound in interface outside
42. access-group DMZ in interface DMZ
43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
44. timeout xlate 3:00:00
45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
46. timeout uauth 0:05:00 absolute
47. aaa-server TACACS+ protocol tacacs+
48. aaa-server RADIUS protocol radius
49. no snmp-server location
50. no snmp-server contact
51. snmp-server community public
52. no snmp-server enable traps
53. floodguard enable
54. ___________________________________________________________
55. ___________________________________________________________
56. ___________________________________________________________
57. crypto map Chapter11 10 ipsec-isakmp
58. crypto map Chapter11 10 match address LosAngeles
59. _____________________________________________
60. crypto map Chapter11 10 set transform-set Chapter11
61. crypto map Chapter11 20 ipsec-isakmp
62. crypto map Chapter11 20 match address Atlanta
63. crypto map Chapter11 20 set peer 192.168.3.1
64. _____________________________________________
65. _____________________________________________
66. isakmp enable outside
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
69. isakmp identity address
70. isakmp policy 20 authentication pre-share
71. _____________________________________________
72. _____________________________________________
73. _____________________________________________
74. _____________________________________________
75. terminal width 80
76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

PIX Configuration for Los Angeles
1. : Saved
2. :
3. PIX Version 6.3(3)
4. nameif ethernet0 outside security0
5. nameif ethernet1 inside security100
6. nameif ethernet2 DMZ security70
7. enable password HtmvK15kjhtlyfvcl encrypted
8. passwd Kkjhlkf1568Hke encrypted
9. hostname LosAngeles
10. domain-name www.Chapter11.com
11. fixup protocol ftp 21
12. fixup protocol http 80
13. fixup protocol h323 1720
14. fixup protocol rsh 514
15. fixup protocol smtp 25
16. fixup protocol sqlnet 1521
17. fixup protocol sip 5060
18. fixup protocol skinny 2000
19. names
20. access-list inbound permit icmp any host 192.168.1.10
21. access-list inbound permit tcp any host 192.168.1.10 eq www
22. access-list inbound permit tcp any host 192.168.1.10 eq 443
23. access-list inbound permit tcp any host 192.168.1.11 eq www
24. access-list inbound permit tcp any host 192.168.1.11 eq 443
25. access-list inbound permit tcp any host 192.168.1.12 eq www
26. access-list inbound permit tcp any host 192.168.1.12 eq 443
27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
28. access-list inbound permit tcp any host 192.168.1.13 eq 443
29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
31. _____________________________________________________________________________
32. _____________________________________________________________________________
33. _____________________________________________________________________________
34. pager lines 24
35. logging on
36. logging timestamp
37. interface ethernet0 auto
38. interface ethernet1 auto
39. interface ethernet2 auto
40. mtu outside 1500
41. mtu inside 1500
42. ip address outside 192.168.1.1 255.255.255.0
43. ip address inside 10.10.10.1 255.255.255.0
44. ip address DMZ 172.16.1.1 255.255.255.0
45. failover
46. failover timeout 0:00:00
47. failover poll 15
48. failover ip address outside 192.168.1.2
49. failover ip address inside 10.10.10.2
50. failover ip address DMZ 172.16.1.2
51. arp timeout 14400
52. global (outside) 1 192.168.1.20-250
53. nat (inside) 1 0.0.0.0 0.0.0.0
54. nat (inside) 0 access-list VPN
55. static (inside DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
56. static (DMZ outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
57. static (DMZ outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
58. static (DMZ outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
59. static (DMZ outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
60. access-group inbound in interface outside
61. access-group DMZ in interface DMZ
62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
63. timeout xlate 3:00:00
64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
65. timeout uauth 0:05:00 absolute
66. aaa-server TACACS+ protocol tacacs+
67. aaa-server RADIUS protocol radius
68. no snmp-server location
69. no snmp-server contact
70. snmp-server community public
71. no snmp-server enable traps
72. floodguard enable
73. sysopt connection permit-ipsec
74. no sysopt route dnat
75. crypto ipsec transform-set
76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
77. ____________________________________________________________________
78. ____________________________________________________________________
79. ____________________________________________________________________
80. crypto map Chapter11 10 set transform-set Chapter11
81. crypto map Chapter11 20 ipsec-isakmp
82. _____________________________________________________________________
83. _____________________________________________________________________
84. _____________________________________________________________________
85. crypto map Chapter11 interface outside
86. _____________________________________________________________________
87. _____________________________________________________________________
88. _____________________________________________________________________
89. _____________________________________________________________________
90. _____________________________________________________________________
91. _____________________________________________________________________
92. _____________________________________________________________________
93. _____________________________________________________________________
94. _____________________________________________________________________
95. terminal width 80
96. Cryptochecksum:e0clmj3546549637cbsFds54132d5

VPN Network Layout
(The network diagram, Figure 13-10, is not reproduced in this text.)
The three locations have all provided their current PIX configurations, but each has a
significant amount of information missing. It is your responsibility to complete each of the
configurations and ensure that they are correct. Example 13-15 shows the configuration for
the corporate headquarters in Los Angeles.

VPN Configurations
Clearly, the most detail-oriented and time-consuming portion of configuring VPNs is
ensuring that both peers have matching configurations. This task usually becomes more
complicated because you might have access to only one peer and are relying on someone else
to configure the other end. A single discrepancy between the configurations can prevent the
key exchange from completing or prevent encryption from occurring. It is best to compare
the configurations on both peers before attempting the connection rather than trying to
troubleshoot the VPN after an unsuccessful connection.
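One way to do the peer-against-peer comparison recommended here and in the scenario instructions, as an added example that is not from the book: a Python script that parses two PIX configurations (plain, or pasted in the chapter's numbered-line form) and reports every place where the crypto ACLs, transform sets, preshared keys and ISAKMP policies of the two ends fail to mirror each other. The two sample configurations are constructed from the chapter's Los Angeles and Boston values, trimmed to the VPN lines; the class and function names are my own.

```python
"""Cross-check two PIX peers' VPN configuration before bringing up the tunnel (added example, not from the book)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, built from the chapter's values: the Los Angeles side of the LA <-> Boston tunnel.
LOS_ANGELES = """\
hostname LosAngeles
ip address outside 192.168.1.1 255.255.255.0
access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
crypto map Chapter11 10 match address Boston
crypto map Chapter11 10 set peer 192.168.2.1
crypto map Chapter11 10 set transform-set Chapter11
isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
# Constructed sample: the Boston side, pasted in the chapter's numbered-line form.
BOSTON = """\
9. hostname Boston
32. ip address outside 192.168.2.1 255.255.255.0
22. access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
58. crypto map Chapter11 10 match address LosAngeles
59. crypto map Chapter11 10 set peer 192.168.1.1
60. crypto map Chapter11 10 set transform-set Chapter11
67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
70. isakmp policy 20 authentication pre-share
71. isakmp policy 20 encryption 3des
72. isakmp policy 20 hash md5
73. isakmp policy 20 group 2
"""

@dataclass
class PixConfig:
    hostname: str = ""
    outside_ip: str = ""
    acls: dict = field(default_factory=lambda: defaultdict(list))  # acl name -> [(src, dst)]
    transform_sets: dict = field(default_factory=dict)  # set name -> frozenset of algorithms
    crypto_map: dict = field(default_factory=lambda: defaultdict(dict))  # seq -> {keyword: value}
    isakmp_peers: set = field(default_factory=set)  # peer addresses that have a preshared key
    isakmp_policies: dict = field(default_factory=lambda: defaultdict(dict))  # priority -> attrs

def parse_pix(text):
    """Pull the VPN-relevant statements out of a PIX 6.x configuration."""
    cfg = PixConfig()
    for raw in text.splitlines():
        line = re.sub(r"^\d+\.\s*", "", raw.strip())  # drop the chapter's "NN. " line numbers
        if m := re.match(r"hostname (\S+)$", line):
            cfg.hostname = m.group(1)
        elif m := re.match(r"ip address outside (\S+) \S+$", line):
            cfg.outside_ip = m.group(1)
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, src, smask, dst, dmask = m.groups()
            cfg.acls[name].append(((src, smask), (dst, dmask)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg.transform_sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)$", line):
            seq, keyword, value = m.groups()
            cfg.crypto_map[int(seq)][keyword] = value
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg.isakmp_peers.add(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg.isakmp_policies[int(m.group(1))][m.group(2)] = m.group(3)
    return cfg

def _peer_entry(cfg, peer_ip):
    return next((e for e in cfg.crypto_map.values() if e.get("set peer") == peer_ip), None)

def check_peers(a, b):
    """List every way the two ends of the a <-> b tunnel fail to mirror each other (empty = consistent)."""
    problems = []
    ea, eb = _peer_entry(a, b.outside_ip), _peer_entry(b, a.outside_ip)
    for cfg, entry, peer in ((a, ea, b), (b, eb, a)):
        if entry is None:
            problems.append(f"{cfg.hostname}: no crypto map entry with 'set peer {peer.outside_ip}'")
        if peer.outside_ip not in cfg.isakmp_peers:
            problems.append(f"{cfg.hostname}: no isakmp key for peer {peer.outside_ip}")
    if ea and eb:
        # Crypto ACLs must be mirror images: every (src, dst) on one side is (dst, src) on the other.
        aces_a = set(a.acls.get(ea.get("match address"), []))
        aces_b = {(dst, src) for src, dst in b.acls.get(eb.get("match address"), [])}
        for src, dst in aces_a ^ aces_b:
            problems.append(f"crypto ACL entry {src[0]} -> {dst[0]} is not mirrored on both peers")
        # Transform-set names may differ between peers; the algorithms may not.
        ts_a = a.transform_sets.get(ea.get("set transform-set"), frozenset())
        ts_b = b.transform_sets.get(eb.get("set transform-set"), frozenset())
        if ts_a != ts_b:
            problems.append(f"transform-set mismatch: {sorted(ts_a)} vs {sorted(ts_b)}")
    # IKE phase 1 completes only if some policy on each side agrees on all four of these attributes.
    sig = lambda p: tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
    if not {sig(p) for p in a.isakmp_policies.values()} & {sig(p) for p in b.isakmp_policies.values()}:
        problems.append("no isakmp policy common to both peers (authentication/encryption/hash/group)")
    return problems

if __name__ == "__main__":
    print(check_peers(parse_pix(LOS_ANGELES), parse_pix(BOSTON)) or "peers mirror each other")
```

Run it against the completed configurations at the end of the chapter, one peer pair at a time, to confirm each leg of the full mesh before testing the tunnels.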
In this scenario, you are working as a consultant and have been assigned the task of
configuring a full-mesh VPN between corporate headquarters and two branch offices. Figure
13-10 shows the layout of each network and how the VPNs are to connect.

Scenario
This scenario gives you the opportunity to configure three locations (New York, Los Angeles,
and Atlanta) for a site-to-site fully meshed VPN. The configurations for the three locations
are listed with specific items missing. By reviewing the network layout and each firewall
configuration, you will find the items that are missing from the individual firewall
configurations.

The “Foundation Summary” provides a convenient review of many key concepts in this
chapter. If you are already comfortable with the topics in this chapter, this summary can help
you recall a few details. If you just read this chapter, this review should help solidify some
key facts. If you are doing your final preparation before the exam, this summary provides a
convenient way to review the day before the exam.
There are four different VPN types:
■ Access
■ Intranet
■ Extranet
■ WebVPN
Access VPNs are used for remote users and normally require client software. Intranet and
extranet VPNs are configured as site-to-site VPNs. WebVPNs are used for remote users, but
they do not require client software.
VPN peers need to authenticate each other and negotiate the IPSec SA. The negotiation is
completed automatically using IKE. The authentication is completed using preshared keys,
RSA signatures (certificates), or RSA nonces. The Security Appliance does not support RSA
nonces. To configure IKE on the PIX, you use the following commands:
■ isakmp policy
— Configures the authentication type
— Configures the message encryption algorithm
— Configures the message integrity algorithm
— Configures the key exchange parameters
— Defines the SA lifetime (reinitiates the Diffie-Hellman key exchange)
■ isakmp enable—Applies the ISAKMP policy to an interface, allowing that interface to
receive UDP 500 traffic
■ isakmp identity—Identifies the local peer by IP address or host name
■ isakmp key—If you are using a preshared key, defines the key and the peer
(by IP address)

After you configure IKE, you are ready to configure IPSec. Follow these steps:
Step 1 Use the access-list command to configure the access list so that the PIX knows
which traffic should be encrypted.
Step 2 Use the transform-set command to create transform sets to define the encryption
and integrity to be used for the session.
Step 3 Use the ipsec security-association lifetime command (optional) to define the SA
lifetime to reduce the opportunity of others to crack your encryption.
Step 4 Configure the crypto map:
• Define the SA negotiation (manual or IKE)
• Apply the access list to the crypto map
• Apply the transform set to the crypto map
• Identify the SA peer by IP address or host name
• Apply the crypto map to an interface
Three commands (and many options for each) are available to troubleshoot VPN
connectivity:
■ show—Displays the current configuration or current SA status
■ clear—Removes the current configuration or setting (usually used to regenerate the
connection)
■ debug—Allows you to see ongoing sessions and key negotiations
WebVPNs are a flexible way for end users to access resources on an enterprise network
anywhere in the world. WebVPN uses a front-end portal interface to authenticate and give
access to end users through a web browser, using an https connection. Services supported by
WebVPN are as follows:
■ E-mail proxy—Support for POP3S, IMAP3S, SMTPS, and MAPI through e-mail
proxies.
■ File sharing and browsing—Support for SMB/CIFS file servers, as well as file access and
distribution.
■ Website URL access—Access to internal and external websites.
■ Port forwarding—Support for TCP-based port-forwarding through a Java applet.
Security administrators might require content filtering of websites by an end user using
WebVPN. This can be done through two means: content filtering and ACLs. Content filtering
enables a security administrator to strip unwanted images, scripts, and cookies from

unapproved websites. Access restrictions through ACLs can also be applied to WebVPN
connections.
Cisco VPN Client is used to connect remote users to internal resources by an encrypted
tunnel. The package handles all the negotiation and encryption and can operate using any
connection to the Internet.
To develop a scalable VPN solution, you must implement a dynamic means of
authentication. The most effective and scalable method today is the use of IKE and
certification authorities.

Configuring Security Appliances for Scalable VPNs
Earlier in this chapter, you learned about the different methods of negotiating an IPSec
connection:
■ Manual IPSec, which requires you to configure each peer manually. This method is not
recommended by Cisco because it does not allow for key exchanges and, therefore,
would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec
is not a scalable solution.
■ IKE, which dynamically negotiates your SA using preshared keys or digital certificates.
Preshared keys still require you to enter a preshared key manually into each IPSec peer.
■ IKE with digital certificates, which is the most dynamic solution that lets IKE negotiate
your IPSec SA and a CA server authenticating each peer. This system is completely
dynamic, very secure, and very scalable.

Setting Up Filters and ACLs
WebVPNs support content filtering and ACL filters. Content filtering is supported only by
group-policies. WebVPN content filtering allows the security administrator to block parts of
websites that contain malicious or unauthorized content.
Table 13-15 Authentication Types
Command Description
AAA Provides a username and password that the ASA checks against a previously configured AAA server.
certificate Provides a certificate during SSL negotiations.
mailhost Authenticates via the remote mail server. POP3S and IMAP4S configure this by default; it will not be displayed as a configuration option for those types.
piggyback Requires that an https WebVPN session already exists.
Example 13-14 Proxy E-Mail Configuration Example
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# pop3s
tgasa(config-group-pop3s)# enable outside
tgasa(config-group-pop3s)# enable inside
tgasa(config-group-pop3s)# server 10.2.2.38
tgasa(config-group-pop3s)# authentication-server-group REMOTEGROUP
tgasa(config-group-pop3s)# authentication piggyback
tgasa(config-group-pop3s)# exit
tgasa(config-group)# smtps
tgasa(config-group-smtps)# enable outside
tgasa(config-group-smtps)# enable inside
tgasa(config-group-smtps)# authentication-server-group REMOTEGROUP
tgasa(config-group-pop3s)# authentication mailhost
tgasa(config-group-pop3s)# port 998
372 Chapter 13: Virtual Private Networks
The html-content-filter command is used to configure these options:
html-content-filter {cookies | images | java | none | scripts}
The command options are described as follows:
■ cookies—Removes cookies from images.
■ images—Removes image tags from a website.
■ java—Removes references to Java and ActiveX.
■ none—Disables filtering.
■ scripts—Removes references to scripting.
You can string multiple attributes onto one html-content-filter command. The ASA 55X0 Security Appliance defaults to no content filtering.
You can assign an ACL to a username or group-policy by using the following command:
filter {value ACLname | none}
The ACL must be created with the access-list web-type commands to be supported.

Example 13-14 Proxy E-Mail Configuration Example
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# pop3s
tgasa(config-group-pop3s)# enable outside
tgasa(config-group-pop3s)# enable inside
tgasa(config-group-pop3s)# server 10.2.2.38
tgasa(config-group-pop3s)# authentication-server-group REMOTEGROUP
tgasa(config-group-pop3s)# authentication piggyback
tgasa(config-group-pop3s)# exit
tgasa(config-group-policy)# smtps
tgasa(config-group-smtps)# enable outside
tgasa(config-group-smtps)# enable inside
tgasa(config-group-smtps)# authentication-server-group REMOTEGROUP
tgasa(config-group-smtps)# authentication mailhost
tgasa(config-group-smtps)# port 998

Table 13-15 Authentication Types
Type   Description
AAA   Provides a username and password that the ASA checks against a previously configured AAA server.
certificate   Provides a certificate during SSL negotiations.
mailhost   Authenticates via the remote mail server. POP3S and IMAP4S configure this by default; it will not be displayed as a configuration option for those types.
piggyback   Requires that an https WebVPN session already exists.

Assign an Authentication Server
To assign a preconfigured authentication server group to a proxy e-mail service, use the
following command:
authentication-server-group group tag
The ASA defaults to not having an authentication-group assigned to the proxy e-mail service.
You must set an authentication type for a proxy e-mail service. The ASA 55X0 supports four
authentication types (see Table 13-15). The default type used is AAA. Use the authentication
command to assign the authentication type to the proxy e-mail service:
authentication {AAA | certificate | mailhost | piggyback}

There are two steps to configure an e-mail proxy:
Step 1 Assign a proxy mail server.
Step 2 Assign an authentication server.
These steps work for POP3S, IMAP4S, and SMTPS. These commands are used in the proxy’s
subcommand mode.

Assign a Proxy Mail Server
To assign an e-mail server, use the following command:
server {ipaddr | hostname}
This command specifies a default e-mail proxy server to use if an end user does not
specify one.

Table 13-14 Proxy Subcommands
Subcommand   Description
accounting-server-group   Assigns a preconfigured accounting server group to use with the proxy. None are initially configured.
authentication   Assigns an authentication mode for proxy users. The user must always authenticate with the mail host.
authentication-server-group   Assigns a preconfigured authentication server group to use with the proxy. None are initially configured.
authorization-server-group   Assigns a preconfigured authorization server group to use with the proxy. None are initially configured.
default-group-policy   Assigns the name of the group-policy to use when AAA does not return a CLASSID attribute. If this is not assigned, and no CLASSID has been used with the AAA, the session will be rejected.
port   Assigns the port that the proxy listens to. This defaults to 995.
server address   Assigns the default mail server to be used when the user connects to the mail proxy service and does not specify a mail server.
outstanding number   Sets the number of outstanding, nonauthenticated sessions that are allowed. If the number of connections exceeds this setting, the oldest connection is terminated to help reduce DoS attacks. The default setting is 20; the range is from 1 to 100.
name-separator symbol   This is the separator between the e-mail and VPN usernames and passwords. Choices are “@”, “|”, “:”, “#”, “,” and “;”. The default is “:”.
server-separator symbol   This is the separator between the e-mail and server names. Choices are “@”, “|”, “:”, “#”, “,” and “;”. The default is “:”.

Configuring E-Mail Proxies
The WebVPN service supports four types of e-mail proxies:
■ POP3S
■ IMAP4S
■ SMTPS
■ MAPI
Of the four types of e-mail proxies, only MAPI is handled through the functions command:
tgasa(config-group-webvpn)# functions mapi
The other three are handled in a subcommand mode similar to WebVPN mode, as described previously. Each proxy’s subcommand mode can use the commands listed in Table 13-14.
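The proxy subcommand settings from Table 13-14 and the two-step proxy procedure above, modelled in Python as an added example (this is not the book's or Cisco's code; the split of a username field at the first name-separator, and of a server field at the server-separator, is an assumption of the example): it validates the separator, port and outstanding values, falls back to the configured default server, and shows how the outstanding limit terminates the oldest unauthenticated session.

```python
"""Added example, not ASA code: a model of one e-mail proxy's subcommand settings
(Table 13-14) used to check values offline. Nothing here talks to a real ASA."""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Characters the name-separator and server-separator subcommands accept.
SEPARATORS = frozenset("@|:#,;")


@dataclass
class MailProxyConfig:
    """Settings of one proxy subcommand mode, with the defaults Table 13-14 gives."""
    server: Optional[str] = None   # default mail server; None means none configured
    port: int = 995                # port the proxy listens on
    outstanding: int = 20          # allowed unauthenticated sessions, 1 to 100
    name_separator: str = ":"      # between e-mail and VPN usernames/passwords
    server_separator: str = ":"    # between the e-mail name and the server name

    def __post_init__(self) -> None:
        if not 1 <= self.outstanding <= 100:
            raise ValueError("outstanding must be between 1 and 100")
        if not 1 <= self.port <= 65535:
            raise ValueError("port must be a valid TCP port")
        for sep in (self.name_separator, self.server_separator):
            if sep not in SEPARATORS:
                raise ValueError(f"separator {sep!r} must be one of @ | : # , ;")


def split_credentials(cfg: MailProxyConfig, value: str) -> tuple[str, str]:
    """Split a username or password field into (e-mail part, VPN part).
    Assumption of this example: the e-mail part comes first and the split is
    made at the first occurrence of the name-separator."""
    email_part, sep, vpn_part = value.partition(cfg.name_separator)
    if not (sep and email_part and vpn_part):
        raise ValueError("field must hold an e-mail part and a VPN part")
    return email_part, vpn_part


def resolve_server(cfg: MailProxyConfig, value: str) -> tuple[str, str]:
    """Return (e-mail name, mail server). Without the server-separator the user
    named no server, so the configured default is used; with no default either,
    the session cannot be served."""
    email_name, sep, server = value.partition(cfg.server_separator)
    if sep and server:
        return email_name, server
    if cfg.server is None:
        raise ValueError("no server given and no default server configured")
    return email_name, cfg.server


class PendingSessions:
    """Tracks sessions that have not authenticated yet. When a new connection
    would exceed the outstanding limit, the oldest pending one is terminated,
    which bounds what a flood of unauthenticated connections can hold open."""

    def __init__(self, cfg: MailProxyConfig) -> None:
        self.limit = cfg.outstanding
        self._pending: "OrderedDict[str, None]" = OrderedDict()

    def connect(self, conn_id: str) -> Optional[str]:
        """Admit a new unauthenticated connection; return the id evicted, if any."""
        evicted = None
        if len(self._pending) >= self.limit:
            evicted, _ = self._pending.popitem(last=False)   # oldest first
        self._pending[conn_id] = None
        return evicted

    def authenticate(self, conn_id: str) -> bool:
        """Remove a session from the pending set once its user authenticates."""
        if conn_id not in self._pending:
            return False            # already evicted, or never admitted
        del self._pending[conn_id]
        return True

    def pending_count(self) -> int:
        return len(self._pending)
```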

Example 13-13 Assigning an Application List
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# webvpn
tgasa(config-group-webvpn)# functions port-forwarding
tgasa(config-group-webvpn)# port-forwarding value HRApps
tgasa(config-group-webvpn)# exit

Assign a Port Forward Application List to a User or Group-Policy
Once you create the application list, you must assign it to a username or group-policy in a fashion similar to URL lists. To assign an application list to a username or group-policy, enter WebVPN mode within either configuration mode. The functions command is then used to enable port forwarding for the username or group-policy:
tgasa(config-group-webvpn)# functions port-forwarding
Once you have enabled port forwarding, you can assign an application list. Use the port-forwarding command while in the WebVPN mode of a username or group-policy configuration mode to accomplish this task:
port-forwarding {value listname | none}
Example 13-13 shows the configuration of an application list on an ASA 5520 Security Appliance.

Table 13-13 port-forward Command Arguments
Argument   Description
listname   Groups the set of applications WebVPN users can access. Maximum 64 characters.
localport   Sets the local port that listens for TCP traffic for an application. This port number must be unique per listname. Recommended TCP ports are from 1024 to 65,535.
remoteserver   Sets the DNS name or IP address of the remote server for an application.
remoteport   Sets the port to connect to for this application on the remote server.
description   Provides the application name or description that displays on the end user port forwarding Java applet. Maximum 64 characters.

Create Port Forwarding Application Maps
You must create a port forwarding application map for each application the ASA 55x0 will
need to port forward. This mapping information will be used by the ASA 55x0 to modify the
host file on the end user’s PC with mapping information. An application entry uses a
hostname or IP address as a unique identifier for port forwarding. This identifier must be
constant; otherwise the end user will be required to modify how these applications are
accessed each time the WebVPN service is used. The use of hostnames is recommended, as it
streamlines access to the application for the end user.
For the WebVPN service, a hostname can be configured with the IP address of the server the application resides on, as well as the port number on the end user’s computer that is required to access the application. This gives the end user a simpler way to access the application. For example, if the end user needs to telnet to server 10.2.2.12 port 2222, which has been assigned the hostname “Shell” in the Security Appliance, one of the following can be done:
■ IP address—The end user must use telnet 10.2.2.12 2222 to access the specific server on that port.
■ Hostname—The end user must use telnet Shell to access the server located at 10.2.2.12 on port 2222.
NOTE The Java applet used for modifying the hosts file is sometimes seen as a malicious attack by antivirus and antispyware applications. Disabling checking of the hosts file might be necessary.
Each application must be entered separately, using the port-forward command in global-configuration mode:
port-forward {listname localport remoteserver remoteport description}
For example:
tgasa(config)# port-forward HRApps 2222 10.2.2.12 20351 HR APP
To configure multiple applications within a single list group, the same listname is required. Table 13-13 describes the arguments for the port-forward command.
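An added example, not from the book or from Cisco: a Python checker that parses port-forward entries and applies the limits Table 13-13 states (64-character names, a unique local port per list, the recommended local port range), then builds the per-list application map the applet's local listeners correspond to. The sample entries other than the book's HR APP line are constructed.

```python
"""Added example, not ASA code: offline checks for port-forward application
entries against the limits in Table 13-13, and the per-list application map
that port forwarding relies on. Sample entries are constructed for illustration."""
from dataclasses import dataclass

MAX_NAME = 64                              # listname and description limit
RECOMMENDED_PORTS = range(1024, 65536)     # recommended local TCP ports


@dataclass(frozen=True)
class PortForward:
    listname: str
    localport: int
    remoteserver: str
    remoteport: int
    description: str


def parse_port_forward(line: str) -> PortForward:
    """Parse 'port-forward listname localport remoteserver remoteport description'.
    The description is everything after the fourth argument, so it may contain
    spaces, as in the book's 'HR APP'."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "port-forward":
        raise ValueError(f"not a complete port-forward entry: {line!r}")
    listname, localport, remoteserver, remoteport = parts[1:5]
    return PortForward(listname, int(localport), remoteserver, int(remoteport),
                       " ".join(parts[5:]))


def check_port_forwards(entries: list[PortForward]) -> list[str]:
    """Return every problem found; an empty list means the entries pass all checks."""
    problems: list[str] = []
    seen: dict[tuple[str, int], str] = {}   # (listname, localport) -> description
    for e in entries:
        if len(e.listname) > MAX_NAME:
            problems.append(f"listname {e.listname!r} exceeds {MAX_NAME} characters")
        if len(e.description) > MAX_NAME:
            problems.append(f"{e.listname}: description {e.description!r} exceeds "
                            f"{MAX_NAME} characters")
        if e.localport not in RECOMMENDED_PORTS:
            problems.append(f"{e.listname}: local port {e.localport} is outside the "
                            f"recommended range 1024-65535")
        if not 1 <= e.remoteport <= 65535:
            problems.append(f"{e.listname}: remote port {e.remoteport} is not a valid TCP port")
        key = (e.listname, e.localport)
        if key in seen:
            problems.append(f"{e.listname}: local port {e.localport} is used by both "
                            f"{seen[key]!r} and {e.description!r}")
        seen.setdefault(key, e.description)
    return problems


def application_map(entries: list[PortForward], listname: str) -> dict[str, tuple[int, str, int]]:
    """For one list, map each application's description to (localport, remoteserver,
    remoteport): the local listener the applet opens and where the ASA relays it."""
    return {e.description: (e.localport, e.remoteserver, e.remoteport)
            for e in entries if e.listname == listname}


# Constructed sample: the book's HR APP entry plus three more on the same list,
# one of which reuses a local port and one of which uses a privileged local port.
SAMPLE_LINES = [
    "port-forward HRApps 2222 10.2.2.12 20351 HR APP",
    "port-forward HRApps 2223 hrmail.example.internal 143 HR Mail",
    "port-forward HRApps 2222 10.2.2.40 3389 HR Desktop",
    "port-forward HRApps 23 10.2.2.12 23 Shell",
]


def check_sample() -> list[str]:
    """Run the checks over the constructed sample and return the problems found."""
    return check_port_forwards([parse_port_forward(line) for line in SAMPLE_LINES])


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```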

Configuring Port Forwarding
Some end users will require access to applications outside of e-mail and file access. In a
traditional IPSec VPN, this can be done easily, since the end user is directly connected to the
enterprise network through the VPN. When using a WebVPN service, the end user has no
direct connection to the network, and must redirect all application use through the WebVPN
https service. This is done through port forwarding using a Java applet. A security
administrator enables port forwarding in two steps:
Step 1 Create port forwarding application maps.
Step 2 Assign a port forward application list to a user or group policy.

Example 13-12 Assigning a URL List
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# webvpn
tgasa(config-group-webvpn)# url-list value URLS
tgasa(config-group-webvpn)# exit

url-list Global Command Arguments
Argument   Description
listname   Provides the text that will be displayed on the WebVPN home page to identify the URL. Maximum 64 characters.
displayname   Groups the set of URLs that the WebVPN end user can access. Maximum 64 characters. Semicolons (;), ampersands (&), and less-than (<) characters are not allowed.
url   Specifies the URL link. Supports URL types http, https, and cifs.
A URL list can have one or more URL links listed by assigning the URL list a listname. Every
list entry for that list must have the same listname:
tgasa(config)# url-list URLS “HR Server” http://192.168.1.22
tgasa(config)# url-list URLS “Shared” cifs://192.168.1.210
Once the URL lists are created, they must be assigned to a user or group-policy. The url-list
command can be used in WebVPN mode to assign a URL list to a username or group-policy:
url-list {none | value name}
The syntax for the url-list command differs from the syntax used in global-configuration
mode in the following ways:
■ value name—The name of a preconfigured URL list configured using the url-list
command in global-configuration mode.
■ none—Sets a null value for URL lists. This prevents inheriting a list from a default group-policy configuration.

file-browsing-file-access

A username or group-policy must have file access enabled to access file servers and allow file
browsing. The file-access command enables the list of file servers to display on the WebVPN
home page. The file-browsing command is required to allow an end user to access a file server
from the displayed list. With these two commands, an end user should have access to any
server in the server list. To enable the ability of an end user to connect with a server that is
not listed in the application access window, the file-entry command must be used. This
command enables an end user to fill the network path field on the WebVPN home page and
attempt to access a server not on the server list. In Example 13-11, an ASA 5520 is configured
to support file browsing access for a group-policy.

Example 13-10 Assigning WebVPN Access to Users and Groups
tgasa(config)# group-policy REMOTE1 attributes
tgasa(config-group-policy)# webvpn
tgasa(config-group-webvpn)#
tgasa(config)# username jsmith attributes
tgasa(config-username)# webvpn
tgasa(config-username-webvpn)#
Like the WebVPN mode that is used in the global-configuration mode, WebVPN mode in
username-configuration or policy-configuration mode supports commands to define access
to files, MAPI proxy, URLs, and TCP applications over WebVPN. Content and ACL filters
are also supported in this mode. The commands affect only the user or group in which they
are configured, and all globally affecting commands must be done in global-configuration
mode.
The ASA 55X0 Security Appliance uses one command to enable access to MAPI Proxy, files,
file browsing, and URL entry over WebVPN. The functions command can be used in any
WebVPN mode to assign file and URL access. These commands can also be combined in one
functions statement, granting multiple accesses in one line. The full syntax for the functions
command is as follows:
functions {file-access | file-browsing | file-entry | filter | url-entry | mapi | port-forwarding | none}
Table 13-11 describes the options for the functions command.

Table 13-11 functions Command Options
Option   Description
file-access   Enables or disables file access.
file-browsing   Enables or disables browsing for file servers and shares.
file-entry   Enables or disables user entry of a file server path that is not in the server list.
filter   Applies a web-type ACL. When enabled, the Security Appliance applies the web-type ACL defined with the WebVPN filter command.
url-entry   Enables or disables user entry of URLs.
mapi   Enables or disables Microsoft Outlook/Exchange port forwarding.
port-forwarding   Enables port forwarding.
none   Sets a null value for all WebVPN functions.

Configuring URLs and File Servers
Using the WebVPN home page is useful only if the end user can access resources. Internal
websites and Active Directory file servers are some of the more frequently accessed resources
in an enterprise network. A security administrator might not want end users to have equal
access to internal websites or file servers, especially to confidential documents and information.
WebVPN resolves this with the ability to configure access to internal websites and
file servers on a per-user or per-group basis. To enable access to the WebVPN service, the user
configuration or group-policy configuration mode is entered. The webvpn command is then
used in either of these modes to enable the WebVPN service for that specific username or
group-policy, as demonstrated in Example 13-10.

Table 13-10 nbns-server Command Parameters
Parameter   Description
hostname   Specifies the hostname for the NBNS server.
ipaddr   Specifies the IP address for the NBNS server.
master   Sets the NBNS server as a master browser, instead of a WINS server.
timeout   Indicates that a timeout value follows.
timeout (value)   Sets the amount of time the ASA 55X0 waits before retrying a query. The default timeout is 2 seconds; the range is 1 to 30 seconds.
retry   Indicates that a retry value follows.
retries   Sets the number of times to retry queries to an NBNS server. The default value is 2; the range is 1 to 10.

Assign a NetBIOS Name Server
Microsoft’s Common Internet File System (SMB/CIFS) requires a NetBIOS Name Server
(NBNS) for queries to map a NetBIOS name to IP addresses. WebVPN will use NetBIOS to
access or allow file sharing through a WebVPN connection. The initial NBNS server
configured will be the primary server, and all subsequent servers will be considered
redundant backups. The ASA 55X0 supports three NBNS server entries.
NBNS entries are assigned in WebVPN mode nested in global-configuration mode. To assign
an NBNS entry, use the following command:
nbns-server {ipaddr or hostname} [master] [timeout timeout] [retry retries]
Table 13-10 describes the parameters for the nbns-server command.

Assign Authentication for WebVPN
Assignment of an authentication server group to WebVPN is the final step to enable basic
WebVPN functionality. You must configure at least one authentication server group on the
ASA 55X0 Security Appliance before an authentication group to the WebVPN service can be
assigned. The authentication-server-group group tag command is used while in WebVPN
mode to assign one or more authentication server groups to the WebVPN service. This
command can also be used within the pop3s, imap4s, and smtps subcommand modes to
assign authentication for specific e-mail proxies.

Assign an Interface to WebVPN
With the HTTPS server enabled, WebVPN must be assigned an interface. WebVPN must be
enabled on all interfaces from which the end user will access the WebVPN service. This can
be accomplished by using the enable command while in the WebVPN mode:
enable if-name
tgasa(config)# webvpn
tgasa(config-webvpn)# enable outside
NOTE Because both WebVPN and ASDM use HTTPS, they cannot be assigned the same
interface. If this is done, an error message will display, informing the end user of the
problem.

WebVPN Global Commands
Command   Description
accounting-server-group   Assigns a preconfigured accounting server group to use with WebVPN.
authentication   Assigns an authentication mode for WebVPN users.
authentication-server-group   Assigns a preconfigured authentication server group to use with WebVPN.
authorization-server-group   Assigns a preconfigured authorization server group to use with WebVPN.
authorization-required   Requires users to successfully authorize to connect.
authorization-dn-attributes   Identifies the DN of the peer certificate to use as a username for authorization.
default-group-policy   Assigns the name of the group policy.
default-idle-timeout   Sets the default idle timeout.
enable   Assigns WebVPN to a specific interface.
http-proxy   Sets the proxy server for HTTP requests.
https-proxy   Sets the proxy server for HTTPS requests.
login-message   Sets the HTML text that prompts a user to log in.
logo   Sets the logo image displayed on the WebVPN login and home page.
logout-message   Sets the HTML text that prompts a user logging out.
nbns-server   Sets a NetBIOS server for CIFS resolution.
username-prompt   Sets the prompt for a username at the login page for WebVPN.
password-prompt   Sets the prompt for a password at the login page for WebVPN.
title   Sets the title HTML string for the WebVPN home page.
title-color   Sets the color of the title bars on the login, home, and file access pages.
text-color   Sets the color of the text bars on the login, home, and file access pages.
secondary-colors   Sets the color of the secondary title bars on the login, home, and file access pages.
secondary-text-colors   Sets the color of the secondary text bars on the login, home, and file access pages.