Configuring for the Cisco Software VPN Client

You have built a static VPN connection between your global offices. Now let's enable IPsec-based remote access for traveling and telecommuting employees. For speed and simplicity, we will use the VPN Wizard again. After this exercise, we will consider manual VPN configuration; you will notice a dramatic difference between the two techniques in terms of ease of VPN creation.

From the PDM menu, click Wizards and select VPN Wizard. The VPN Wizard window appears. This time, select the Remote Access VPN radio button and click Next. You will be prompted to select a type of VPN from the many PIX remote access VPN capabilities, as shown in Figure 9.69.

www.syngress.com

Figure 9.69 The Remote Access Client Window

526 Chapter 9 • PIX Device Manager

The PIX firewall supports IPsec tunneling from the Cisco software VPN client as well as the Microsoft PPTP and L2TP protocols. Each type of VPN has inherent strengths and weaknesses, and each type has a VPN Wizard process unique to its requirements.

Since you are building a Cisco VPN client VPN, click the Cisco VPN Client, Release 3.x or higher radio button and click Next. The next wizard window is the VPN Client Group window, which allows you to create custom groups for shared remote VPN access. These groups use a preshared IKE key or certificates to connect and receive group attributes. The VPN Client Group window is shown in Figure 9.70.

From the VPN Client Group window, enter a group name in the Group Name field and establish a preshared key by clicking the Pre-shared Key radio button and typing a password for the group in the Group Password field. Alternatively, you can use certificates for authentication by clicking the Certificate radio button. Click Next to display the Extended Client Authentication window, as shown in Figure 9.71.


Figure 9.70 The VPN Client Group Window


If you have an AAA server for authentication, click the Enable Extended Client Authentication check box and select a server group from the AAA Server Group pull-down list. This action configures the PIX firewall to consult the AAA server(s) in the specified server group for verification of user credentials as users request VPN access. From this window, you can also create a new AAA server group by clicking the New button. If your AAA server supports one-time passwords, click the check box beside AAA server uses one-time password.

For the purposes of this exercise, let's assume that we have no AAA server and will not use extended authentication for VPN connections. Therefore, uncheck the Enable Extended Client Authentication check box and click Next.

After specifying the authentication settings as shown previously, you will be prompted to select or create a VPN client address pool from the Address Pool window, as shown in Figure 9.72.


Figure 9.71 VPN Wizard: Extended Client Authentication Window


When clients connect via VPN, they are assigned an IP address to be used over the tunnel for the duration of the connection. These addresses are established from the Address Pool window. If you have already manually established an address pool, simply select the pool from the Pool Name pull-down menu. If you have not established an address pool, create a pool called SecureCorpPool. To create this pool, type SecureCorpPool in the Pool Name field and create an IP address range for the VPN clients in the Range Start Address and Range End Address fields. Use 172.20.200.0 as the Range Start Address and 172.20.200.30 as the Range End Address. Be careful not to create an address pool that conflicts with one already in use or that is being offered via an internal DHCP server. When finished, click Next to proceed.

The screen shown in Figure 9.73, the Client Attributes window, is where you can specify optional attributes to send to the VPN client upon connection. From the Client Attributes window, you can specify DNS and WINS servers as well as the default domain name.

In our example, use 172.20.1.53 and 172.20.2.53 as the Primary DNS Server and Secondary DNS Server, respectively. Leave the WINS Server fields blank, but type vpn.securecorp.com in the Default Domain Name field and click Next.


Figure 9.72 The Address Pool Window


The next two wizard windows are the IKE Policy and Transform Set windows, which are identical to the windows displayed in the site-to-site VPN Wizard. Like the site-to-site VPN, these windows establish some of the crypto parameters required for VPN setup. Several options will work with most VPN configurations, but it is important that the VPN client and server be configured identically. Choose the default options on these screens and click Next until you reach the NAT Exemption window shown in Figure 9.74.

In most instances, VPN clients connected to the firewall are connecting for internal services. Therefore, it might be beneficial to permit VPN clients access to the actual IP addresses of internal servers without NAT being applied. To do so, you must configure specific networks (or all networks) to be exempt from NAT with regard to VPN clients. Additionally, you can configure split tunneling from this screen. Split tunneling allows VPN clients access to internal resources when necessary yet permits the client direct access to external resources when appropriate. This configuration is useful because it conserves corporate bandwidth; clients are not required to route all traffic to the internal network for external resources. In some instances, administrators might want to disable split tunneling to increase security and better track VPN client network activity.


Figure 9.73 The Client Attributes Window


In our example, let's make the internal network exempt from NAT and permit split tunneling. To do so, click the Browse button and select the internal network address of 172.20.0.0. Then, click the -> button to move the network into the Selected field. Finally, click the check box to enable split tunneling, and click the Finish button to return to the VPN tab.

Figure 9.74 The NAT Exception Window

Figure 9.75 The Preview CLI Commands Window

In eight easy steps, you have created remote VPN access for remote clients. If you have preview commands enabled within PDM, you can see the relative simplicity of the VPN Wizard compared with manually creating a VPN via the CLI. Remember, you can configure preview commands from the Options | Preferences PDM main menu. Figure 9.75 shows the CLI commands the PIX configured for you in our example.
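As an added example (not the contents of Figure 9.75 and not code from this book), the following is a reconstruction, in PIX 6.x CLI syntax, of the kind of configuration the wizard choices in this exercise produce. The pool name and range, the DNS servers, the default domain, and the internal network 172.20.0.0 come from the exercise; the group name SecureCorpGroup, the 255.255.0.0 mask on the internal network, the 255.255.255.224 mask used to cover the pool, the access-list, transform-set and crypto-map names, the ISAKMP policy number and algorithms, and the idle timeout are assumptions.

```text
! Added example, not the wizard's actual output. Group name SecureCorpGroup,
! masks, object names and policy numbers are assumptions; IP values come
! from the exercise text.

! Address pool handed to connecting clients. It must not overlap any range
! already in use on the inside network or offered by an internal DHCP server.
ip local pool SecureCorpPool 172.20.200.0-172.20.200.30

! NAT exemption: inside hosts reach VPN clients by their real addresses.
! 255.255.0.0 (inside) and 255.255.255.224 (covers the pool) are assumed masks.
access-list inside_outbound_nat0_acl permit ip 172.20.0.0 255.255.0.0 172.20.200.0 255.255.255.224
nat (inside) 0 access-list inside_outbound_nat0_acl

! Split tunneling: only traffic destined for the inside network enters the
! tunnel; everything else leaves the client directly. Omitting the
! split-tunnel line from the vpngroup below forces all client traffic
! through the PIX, which is the stricter, more auditable setting.
access-list SecureCorpGroup_splitTunnelAcl permit ip 172.20.0.0 255.255.0.0 any

! Let IPsec traffic bypass the interface access lists (the VPN System
! Options default that the wizard enables).
sysopt connection permit-ipsec

! IKE phase 1: preshared-key authentication, 3DES, SHA-1, DH group 2.
! Policy number 20 and the algorithm choices are assumed wizard defaults.
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! IPsec phase 2: the transform set is bound through a dynamic crypto map
! because remote clients arrive from addresses that are not known in advance.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! Client group: pool, attributes pushed to the client, split-tunnel ACL,
! idle timeout (assumed) and the group's preshared key (placeholder).
vpngroup SecureCorpGroup address-pool SecureCorpPool
vpngroup SecureCorpGroup dns-server 172.20.1.53 172.20.2.53
vpngroup SecureCorpGroup default-domain vpn.securecorp.com
vpngroup SecureCorpGroup split-tunnel SecureCorpGroup_splitTunnelAcl
vpngroup SecureCorpGroup idle-time 1800
vpngroup SecureCorpGroup password GROUP-PASSWORD-PLACEHOLDER
```

Because sysopt connection permit-ipsec exempts decrypted traffic from the interface access lists, the nat0 access list and the split-tunnel access list are the only lines above that bound what a connected client can reach, so review them with the same care as a permit rule. Had Extended Client Authentication been enabled, the wizard would also add a crypto map outside_map client authentication line naming the AAA server group; it is absent here because the exercise disabled that option.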

Now that you have configured site-to-site and Cisco software VPN client VPNs with the VPN Wizard, let's return to the VPN tab to discuss other specific categories.

From the VPN tab, you can now see the two VPN configurations present by clicking the IPSec Rules subcategory under the IPSec category. Note the difference in the two rules as created by the VPN Wizard. From here, you can add, modify, and delete IPsec rules using the Rules main menu bar, the edit buttons, or by right-clicking in the rules screen. Under the IPSec category are two other subcategories called Tunnel Policy and Transform Sets. From these subcategories, you can configure new and more granular policies, such as determining the Security Association Lifetime in terms of bytes or seconds. From the Tunnel Policy subcategory, you may also configure Perfect Forward Secrecy. The Transform Sets subcategory allows you to create new encryption and authentication groups as well as determine whether a VPN operates in transport or tunnel mode.

The second category available from the VPN tab is IKE. From this category, you can configure SA and IKE management policies. The Policies subcategory is shown in Figure 9.76.

The IKE category also facilitates advanced configuration of authentication and preshared key information. A great deal of advanced certificate management is available from the Certificate subcategory. For instance, from the Certificate subcategory, you can generate requests to a certificate authority and manage existing certificates on the PIX firewall.

A third category on the VPN tab is Remote Access. From this category, you can add, modify, and delete the various remote access VPNs supported on the PIX firewall, such as Cisco VPN client, L2TP, and PPTP VPNs. From the Remote Access category, you can also configure IP pools for use with remote clients. All the functions and features from these and almost all other VPN tab categories are available via the VPN Wizard through an intuitive interface.

The final two categories on the VPN tab are VPN System Options and Easy VPN Remote. From the VPN System Options category, you can determine whether the various VPN protocols are allowed to bypass security to establish connections to the PIX firewall. This permits VPN access without specific permit rule statements in the PIX firewall rule sets and is enabled by default when you use the VPN Wizard to build VPN configurations.

From the Easy VPN Remote category, you can configure the PIX firewall as an IPsec client to another PIX firewall, Cisco VPN Concentrator, or IOS device.