NOTICE: ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Arguments for which you supply values are in italics.
Elements in square brackets are optional.
[ x | y | z ]
Optional alternative keywords are grouped in brackets and separated by vertical bars.
Screen examples use these conventions:
Terminal sessions and information in the displays are in screen font.
boldface screen font
Information you must enter is in boldface screen font.
italic screen font
Nonprinting characters, such as passwords, are in angle brackets.
Default responses to system prompts are in square brackets.
An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Cisco NGEW Architecture Overview
Figure 1. Enterprise Network Architecture
Enterprise networks must adapt to meet new and evolving business requirements. The introduction of cloud services (private, public, or hybrid) poses new challenges to current enterprise network designs. A more distributed workforce, the proliferation of bandwidth-intensive video-enabled endpoints, and the consolidation of servers into a few centralized locations require networks to carry more traffic, with increased efficiencies, while demanding the same or a high level of performance and availability.
® Next Generation Enterprise WAN (NGEW) is an end-to-end architecture that provides foundation building blocks for next-generation enterprise networks. The hierarchical design provides the scalability required by large enterprises, which can be extended and replicated throughout multiple regions and theaters. This consistency leads to ease of deployment, maintenance, and troubleshooting.
Internet Edge Topology
Figure 2. Internet Edge (Detailed Topology)
The enterprise edge is the interface between the controlled enterprise network and users or resources that are outside of the enterprise's control or visibility. Users can be employees, partners, or customers. Resources can be Internet access, business-to-business connectivity and collaboration, hosted services, or hosted applications. The enterprise resource edge is also a place where services such as security, collaboration acceleration, etc. can reside.
The enterprise edge presents a diverse set of requirements because of the variety of user types accessing a variety of resources. This situation is compounded further because either may be located inside or outside of the enterprise network, meaning the enterprise edge can exist in many locations, but every location may not have the same set of requirements. In this phase of NGEW, we focus only on the Internet edge, also known as the web edge.
In the enterprise edge module a pair of Cisco ASR 1000 Aggregation Services Routers act as the edge routers facing the Internet. Cicso Adaptive Security Appliance (ASA) firewallls sit behind the Internet edge routers to provide firewall and Network Address Translation (NAT) funtions. The Dynamic Multipoint VPN (DMVPN) and Easy VPN servers are behind firewalls. Two Cisco ASR 1000 Routers are used as DMVPN hubs and two as Easy VPN servers for redundancy with scaling. The DMVPN details are covered in the regional WAN (RWAN) deployment guide.
Internet Edge Deployment
The Internet edge is the part of the network where the enterprise connects to the Internet service provider. It is also sometimes called the web edge. The web edge provides the company a web presence, provides access to the Internet for the company's users (employees and guests), and terminates some of the VPNs. In this architecture the Internet edge terminates Easy VPN Remote and Cisco AnyConnect
™ clients connecting from the Internet. The Internet edge is also the gateway for enterprise users to access the Internet securely. It also enables the enterprise IPv6 users to access the IPv4 Internet. Following are the details for implementing the Internet edge.
The devices used in this design are listed in Table 1.
Table 1. Design Devices
Cisco ASR 1002
Based on RP and ESP
Cisco ASR 1000 Series Embedded Services Processor (ESP)
Up to 4-Gbps cryptography
Cisco ASR 1000 Series Route Processor (RP)
Sub-second convergence/100 terabytes per second (TBps)
The Cisco Easy VPN with Dynamic Virtual Tunnel Interface (DVTI) configuration provides a routable interface to selectively send traffic to different destinations, such as an Easy VPN concentrator, a different site-to-site peer, or the Internet. IP Security (IPsec) DVTI configuration does not require a static mapping of IPsec sessions to a physical interface, allowing for the flexibility of sending and receiving encrypted traffic on any physical interface, such as in the case of multiple paths. Traffic is encrypted when it is forwarded from or to the tunnel interface.
The traffic is forwarded to or from the tunnel interface by virtue of the IP routing table. Routes are dynamically learned during Internet Key Exchange (IKE) mode configuration and inserted into the routing table pointing to the DVTI. Dynamic IP routing can be used to propagate routes across the VPN. Using IP routing to forward the traffic to encryption simplifies the IPsec VPN configuration when compared with using access control lists (ACLs) with the cryptography map in native IPsec configuration.
In this design Easy VPN is deployed with two Cisco ASR 1000 Routers acting as Easy VPN servers. The Easy VPN remote clients are Cisco Integrated Services Routers (ISRs). All clients are configured with the two server addresses for redundancy. The Easy VPN servers are placed behind the firewall in this design. The Easy VPN clients are remote workers or home-office users who do not require much configuration on the client side.
The easiest way to define the users is the local user configuration. The more scalable way, however, is to define users on a RADIUS server. Both configurations follow:
no aaa new-model
username abc123 password 0 abc123
username ca-user2 password 0 ca-user2
If the users are defined on a RADIUS server, the following is the configuration:
Define the Phase 1 IKE Policy
crypto isakmp policy 1
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp xauth timeout 5
Define Client Configuration Group
crypto isakmp client configuration group CA_GROUP2001
The client needs connectivity to the Easy VPN server. In most deployments just a default route to the Internet gateway is needed on the remote device.
Cisco AnyConnect Security
Cisco AnyConnect security is part of the edge design. Cisco AnyConnect security is implemented on the Cisco ASA Router firewall to allow remote users to connect to the corporate network. The Cisco ASA 5510 is used in this setup. Cisco Adaptive Security Device manager (ASDM) version 6.4 is used to deploy and manage the Cisco AnyConnect clients.
To configure Cisco AnyConnect security on the Cisco ASA Router, use the Cisco AnyConnect VPN wizard. The following screen shots are steps to follow on the wizard.
1. Select the Cisco AnyConnect wizard from the VPN Wizards menu (Figure 3).
Figure 3. VPN Wizards
2. Click Next on the first screen (Figure 4).
Figure 4. Introduction Screen
3. Give a profile name and select the inside interface (Figure 5).
Figure 5. Profile Name and Inside Interface
4. Cisco AnyConnect security can use Secure Sockets Layer (SSL) or IPsec for security. Select SSL (Figure 6).
Figure 6. SSL Security
5. The Cisco ASA Router can directly upload the selected image to the client (Figure 7).
Figure 7. Uploading Image
6. Users can be specified locally or on the RADIUS or TACACS server. Select LOCAL and add a user (Figure 8).
Figure 8. Adding Users
7. Create a pool of addresses to be used by clients (Figure 9).
Figure 9. Creating Pool of Addresses
8. Specify server names and domains (Figure 10).
Figure 10. Specifying Server Names and Domains
9. VPN traffic should be exempt from translations (Figure 11).
Figure 11. Exempting VPN Traffic from Translations
10. Verify the configured parameters and finish (Figure 12).
Figure 12. Verification and Finishing
In NAT44 the Cisco ASA Router is used as the NAT device for IPv4 traffic getting out to the Internet. Other than some of the static NAT that is needed for different servers, the rest of the internal network goes through the NAT process dynamically. Following is the configuration for NAT on the Cisco ASA:
In this phase of NGEW, Stateless NAT64 provides address family translation services from IPv6 to IPv4. NAT64 is a mechanism that addresses scenarios where native IPv6 communication is not possible; for example, when a device on the network does not support dual stack. This technology is one of several IPv4-to-IPv6 migration and coexistence technologies available from Cisco. Stateless NAT64 is the mapping algorithm between IPv4 and IPv6 addresses. It is expected that service providers' IPv4 addresses will be mapped into IPv6 and used by physical IPv6 hosts. The original IPv4 forms of these blocks of service providers' IPv4 addresses are used to represent the physical IPv6 hosts in IPv4. This type of algorithm supports both IPv6- and IPv4-initiated communications. Stateless NAT64 does not maintain the bindings or session state like NAT44.
Following is the NAT64 configuration:
description Towards Internet and IPv4 address
ip address 126.96.36.199 255.255.255.252
description Towards Internal network and IPv6 address