Configuring for the Cisco Software VPN Client
You have built a static VPN connection between your global offices. Now let's enable IPsec-based remote access for traveling and telecommuting employees. For speed and simplicity, we will use the VPN Wizard again. After this exercise, we will consider manual VPN configuration; you will notice a dramatic difference between the two techniques in terms of ease of VPN creation.
From the PDM menu, click Wizards and select VPN Wizard. The VPN Wizard window appears. This time, select the Remote Access VPN radio button and click Next. You will be prompted to select a type of VPN from the many PIX remote access VPN capabilities, as shown in Figure 9.69.
www.syngress.com
Figure 9.69 The Remote Access Client Window
526 Chapter 9 • PIX Device Manager
The PIX firewall supports IPsec tunneling from the Cisco software VPN client as well as the Microsoft PPTP and L2TP protocols. Each type of VPN has inherent strengths and weaknesses, and each type has a VPN Wizard process unique to its requirements.
Since you are building a Cisco VPN client VPN, click the Cisco VPN Client, Release 3.x or higher radio button and click Next. The next wizard window is the VPN Client Group window, which allows you to create custom groups for multiple remote VPN access. These groups use a preshared IKE key or certificates to connect and receive group attributes. The VPN Client Group window is shown in Figure 9.70.
From the VPN Client Group window, enter a group name in the Group Name field and establish a preshared key by clicking the Pre-shared Key radio button and typing a password for the group in the Group Password field. The group password is a secret shared by every client in the group, so choose a long, random value and handle it as a credential rather than a convenience. Alternatively, you can use certificates for authentication by clicking the Certificate radio button. Click Next to view the Extended Client Authentication window, as shown in Figure 9.71.
Figure 9.70 The VPN Client Group Window
If you have an AAA server for authentication, click the Enable Extended Client Authentication check box and select a server group from the AAA Server Group pull-down list. This option configures the PIX firewall to consult the AAA server(s) in the specified server group for verification of user credentials as users request VPN access. From this window, you can also create a new AAA server group by clicking the New button. If your AAA server supports one-time passwords, click the check box beside AAA server uses one-time password.
For the purposes of this exercise, let's assume that we have no AAA server and will not use extended (per-user) authentication for VPN connections. Therefore, uncheck Enable Extended Client Authentication and click Next. Keep in mind that without extended authentication the group preshared key is the only credential a client presents, so anyone who obtains it can connect; in a production deployment, enable extended authentication against an AAA server.
After specifying authentication variables as shown previously, you will be prompted to select or create a VPN client address pool from the Address Pool window, as shown in Figure 9.72.
Figure 9.71 VPN Wizard: Extended Client Authentication Window
When clients connect via VPN, they are given an IP address to be used over the tunnel for the duration of the connection. These addresses are established from the Address Pool window. If you have already manually established an address pool, simply select the pool from the Pool Name pull-down menu. If you have not established an address pool, create a pool called SecureCorpPool. To create this pool, type SecureCorpPool in the Pool Name field and create an IP address range for the VPN clients in the Range Start Address and Range End Address fields. Use 172.20.200.0 as the Range Start Address and 172.20.200.30 as the Range End Address. Be careful not to create an address pool that conflicts with one already in use or that is being offered via an internal DHCP server. When finished, click Next to proceed.
The screen shown in Figure 9.73, the Client Attributes window, is where you can specify optional attributes to send to the VPN client upon connection. From the Client Attributes window, you can specify DNS and WINS servers as well as the default domain name.
In our example, use 172.20.1.53 and 172.20.2.53 as the Primary DNS Server and Secondary DNS Server, respectively. Leave the WINS Server fields blank, but type vpn.securecorp.com in the Default Domain Name field and click Next.
Figure 9.72 The Address Pool Window
The next two wizard windows are the IKE Policy and the Transform Set windows, which are identical to the windows displayed in the site-to-site VPN Wizard. Like the site-to-site VPN, these windows establish some of the crypto parameters required for VPN setup. Several options will work with most VPN configurations, but it is important that the VPN client and server be configured identically; a mismatched IKE policy or transform set is the most common reason a client fails to negotiate a tunnel. Choose the default options on these screens and click Next until you reach the NAT Exemption window shown in Figure 9.74.
In most instances, VPN clients connecting to the firewall are connecting for internal services. Therefore, it might be beneficial to permit VPN clients access to the actual IP addresses of internal servers without NAT applied. To do so, you must configure specific networks (or all networks) to be exempt from NAT with regard to VPN clients. Additionally, you can configure split tunneling from this screen. Split tunneling allows VPN clients access to internal resources when necessary yet permits the client direct access to external resources when appropriate. This configuration is advantageous because it conserves corporate bandwidth; clients are not required to route all traffic to the internal network for external resources. In some instances, administrators might want to disable split tunneling to increase security and better track VPN client network activity: with split tunneling enabled, the client host is reachable from the Internet and connected to the internal network at the same time, so a compromised client can become a path around the corporate perimeter.
Figure 9.73 The Client Attributes Window
In our example, let's make the internal network exempt from NAT and permit split tunneling. To do so, click the Browse button and select the internal network address of 172.20.0.0. Then, click the -> button to move the network into the Selected field. Finally, click the check box to enable split tunneling, and click the Finish button to return to the VPN tab.
Figure 9.74 The NAT Exemption Window
Figure 9.75 The Preview CLI Commands Window
In eight easy steps, you have created remote VPN access for remote clients. If you have preview commands enabled within PDM, you can see the relative simplicity of the VPN Wizard compared with manually creating a VPN via the CLI. Remember, you can configure preview commands from the Options | Preferences PDM main menu. Figure 9.75 shows the CLI commands the PIX configured for you in our example.
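The following is an added example, not the contents of Figure 9.75 and not configuration taken from the book, of the PIX 6.x CLI commands that correspond to the wizard steps above. The pool name, address range, DNS servers, domain name, and NAT-exempt network are the values used in the walkthrough; the group name SecureCorp, the access-list, transform-set, and crypto-map names, and the 3DES/SHA/Diffie-Hellman group 2 crypto parameters are assumptions (the wizard's own defaults may differ), and lines beginning with ! are annotations rather than commands.

```text
! Address pool handed to VPN clients (values from the wizard walkthrough)
ip local pool SecureCorpPool 172.20.200.0-172.20.200.30

! NAT exemption: traffic from the internal network to the client pool
! is matched by an access list and bound to nat 0 so it is never translated
access-list inside_outbound_nat0_acl permit ip 172.20.0.0 255.255.0.0 172.20.200.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl

! Split tunneling: only traffic to 172.20.0.0/16 is sent through the tunnel;
! everything else leaves the client directly (names assumed)
access-list SecureCorp_splitTunnelAcl permit ip 172.20.0.0 255.255.0.0 any

! VPN System Options default: IPsec sessions bypass the interface access lists
sysopt connection permit-ipsec

! Phase 2: transform set and a dynamic crypto map, because client source
! addresses are not known in advance (assumed algorithms)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

! Phase 1: IKE policy the Cisco VPN Client must match exactly (assumed values)
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! The VPN client group: pool, DNS, default domain, split tunnel, preshared key
! (group name assumed; the password is the Group Password typed in the wizard)
vpngroup SecureCorp address-pool SecureCorpPool
vpngroup SecureCorp dns-server 172.20.1.53 172.20.2.53
vpngroup SecureCorp default-domain vpn.securecorp.com
vpngroup SecureCorp split-tunnel SecureCorp_splitTunnelAcl
vpngroup SecureCorp idle-time 1800
vpngroup SecureCorp password ********
```

Had you enabled extended client authentication, the wizard would also have added an aaa-server group and bound it to the crypto map with crypto map outside_map client authentication followed by the group name, so that each user must present credentials in addition to the group key. After running the wizard, compare the preview window against a block like this to confirm that the NAT-exemption and split-tunnel lists reference exactly the networks you intended and nothing broader.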
Now that you have configured site-to-site and Cisco software VPN client VPNs with the VPN Wizard, let's return to the VPN tab to discuss other specific categories.
From the VPN tab, you can now see the two VPN configurations present by clicking the IPSec Rules subcategory under the IPSec category. Note the difference in the two rules as created by the VPN Wizard. From here, you can add, modify, and delete IPsec rules using the Rules main menu bar, the edit buttons, or by right-clicking in the rules screen. Under the IPSec category are two other subcategories called Tunnel Policy and Transform Sets. From these subcategories, you can configure new and more granular policies, such as setting the Security Association Lifetime in terms of kilobytes or seconds. From the Tunnel Policy subcategory, you may also configure Perfect Forward Secrecy. The Transform Sets subcategory allows you to create new encryption and authentication groups as well as determine whether a VPN operates in transport or tunnel mode.
The second category available from the VPN tab is IKE. From this category, you can configure SA and IKE management policies. The Policies subcategory is shown in Figure 9.76.
The IKE category also facilitates advanced configuration of authentication and preshared key information. A great deal of advanced authentication management is available from the Authentication subcategory. For instance, from the Certificate subcategory, you can generate requests to a certificate authority and manage existing certificates on the PIX firewall.
A third category on the VPN tab is Remote Access. From this category, you can add, modify, and delete the various remote access VPNs supported on the PIX firewall, such as Cisco VPN client, L2TP, and PPTP VPNs. From the Remote Access category, you can also configure IP pools for use with remote clients. All the functions and features from these and nearly all other VPN tab categories are available via the VPN Wizard through an intuitive interface.
The final two categories on the VPN tab are VPN System Options and Easy VPN Remote. From the VPN System Options category, you can determine whether the various VPN protocols are allowed to bypass security to establish connections to the PIX firewall. This permits VPN access without specific permit rule statements in the PIX firewall rule sets (the sysopt connection permit-ipsec, permit-pptp, and permit-l2tp commands in the CLI) and is enabled by default when you use the VPN Wizard to build VPN configurations. Because decrypted VPN traffic then skips the interface access lists entirely, review this setting once the wizard has finished: either leave it on and rely on the split-tunnel and NAT-exemption lists to scope what clients can reach, or turn it off and write explicit permit rules for the client pool.
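As an added example, not from the book, here are the CLI equivalents of the manual adjustments discussed under the Tunnel Policy subcategory above (security association lifetimes and Perfect Forward Secrecy) and under VPN System Options (turning off the bypass and admitting VPN traffic with explicit rules instead). It assumes the dynamic-map name outside_dyn_map, the 172.20.200.0/27 client pool, the 172.20.0.0/16 internal network, an outside interface address of 203.0.113.1, and an outside access list named outside_access_in; lines beginning with ! are annotations rather than commands.

```text
! Tunnel Policy: a global SA lifetime in seconds and kilobytes, then PFS and
! a shorter lifetime on the dynamic-map entry that serves the VPN clients
crypto ipsec security-association lifetime seconds 28800 kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group2
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 3600 kilobytes 1024000

! VPN System Options: stop IPsec sessions from bypassing the interface rule set
no sysopt connection permit-ipsec

! With the bypass off, permit tunnel setup to the outside interface itself
! (IKE on UDP 500 and ESP), then only the decrypted client-to-internal traffic;
! anything else from the client pool is dropped like any other denied packet
access-list outside_access_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_access_in permit esp any host 203.0.113.1
access-list outside_access_in permit ip 172.20.200.0 255.255.255.224 172.20.0.0 255.255.0.0
access-group outside_access_in in interface outside
```

The trade-off is that every client flow is now subject to outside_access_in, so a service you forgot to list (a DMZ host, for example) stops working until a rule is added, but in exchange the firewall's ordinary rule set, logging, and hit counters apply to VPN users, which is the visibility the text means when it mentions tracking VPN client activity.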
From the Easy VPN Remote category, you can configure the PIX firewall as an IPsec client to another PIX firewall, Cisco VPN Concentrator, or IOS device.