User Guide for CiscoView Device Manager for the Cisco IPSec VPN Acceleration Services Module (CVDM-VPNSM)
Remote Access VPN Configuration

Table Of Contents

Remote Access Configuration

Viewing Remote Access Settings

Configuring Crypto Connections

Adding Crypto Connections

Editing Crypto Connections

Configuring Global Settings

Adding Xauth Users

Editing Xauth User Information

Adding Address Pools

Editing Address Pools

Configuring Group Policies

Adding Group Policies

Editing Group Policies


Remote Access Configuration


With CVDM-VPNSM, you can configure the parameters for the Easy VPN Server feature on this device. This feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are "pushed" to the client by the server, helping to ensure that the connection has up-to-date policies in place before the connection is established.

This chapter contains the following sections:

Viewing Remote Access Settings

Configuring Crypto Connections

Configuring Global Settings

Configuring Group Policies

Viewing Remote Access Settings

From the Remote Access main page, you can view the remote access settings that are currently configured on the module. To access this page, click Setup at the top of the window and then click Remote Access (see Figure 4-1).

Figure 4-1 Remote Access Main Page

Configuring Crypto Connections

Click Setup at the top of the window, click Remote Access from the left-most pane, and select Crypto Connections from the selector to display the main Crypto Connections page.

The upper portion of the Crypto Connections page contains a graphical display of the crypto connection configured on the device. The lower portion of the page shows the following information:

GUI Element
Description
VPN Crypto Connections table

Inside column

Contains the following subcolumns:

VLAN ID—VLAN on the inside port; the inside port handles all the traffic going to and coming from the switch inside port.

IP Address/Mask—IP address and subnet mask configured on the inside VLAN.

Crypto Map—Name of crypto map configured on the inside VLAN.

Status—Administrative status of the inside VLAN.

Outside column

Contains the following subcolumns:

Routed Port—The routed port attached to the VLAN.

VLAN ID—VLAN ID of the outside VLAN.

Access ports—Access ports attached to the VLAN.

Trunk ports—Trunk ports attached to the VLAN.

Add button

Click to launch the Add Crypto Connection dialog box.

See Adding Crypto Connections for more information.

Edit button

With a connection selected, click to launch the Edit Crypto Connection dialog box.

See Editing Crypto Connections for more information.

Delete button

Click to delete the selected crypto connection.


Adding Crypto Connections

You can create crypto connections between the inside VLAN and the outside port on a remote access connection.


Step 1 Click Setup at the top of the window, click Remote Access from the left-most pane, and select Crypto Connections from the selector.

Step 2 Click Add.... The Add Crypto Connection dialog box appears.

Step 3 Enter the appropriate values.

GUI Element
Description
Crypto Connection tab: VPN Inside Interface pane

Interface VLAN field

Specify the interface VLAN, which is the Layer 3 VLAN that contains only the VPN module inside port.

Before a router can forward packets using the correct routing table entries, it needs to know which interface a packet was received on. For each port VLAN, you need to create another VLAN so that the packets from every switch outside port are presented to the router with the corresponding VLAN number.

Note The interface VLAN is removed from all trunk ports on the switch.

You can create a VLAN or select from an available VLAN.

Click and do one of the following:

Select Select VLAN to open the VLAN Selector dialog box. See VLAN Selector for more information.

Select Create VLAN to open the Create VLAN dialog box. See Create VLAN Dialog Box for more information.

You can select Clear VLAN to clear the VLAN that is specified in this field.

IP Address field

Enter the IP address of the interface VLAN.

Mask list

Select the subnet mask of the interface VLAN from the list or enter it in the field.

Crypto Map field

Specify the crypto map attached to the interface VLAN. Click and select Select Crypto Map to open the Select Crypto Map dialog box. See Select Crypto Map Dialog Box for more information.

You can also clear the crypto map entry by clicking and selecting Clear Selection.

Crypto Connection tab: VPN Outside Interface pane

Connection Mode radio button

Specify if you want the outside VLAN attached to an access or trunk port or to a VLAN. You can select the Access/Trunk or Routed Port radio button.

If you select the Access/Trunk radio button, do the following:

Specify an outside VLAN. You can create a VLAN or choose an available VLAN. From the Outside VLAN field, click and do one of the following:

Select Select VLAN to open the VLAN Selector dialog box. See VLAN Selector for more information.

Select Create VLAN to open the Create VLAN dialog box. See Create VLAN Dialog Box for more information.

You can select Clear VLAN to clear the VLAN that is specified in this field.

Optionally, specify or edit access ports assigned to the VLAN. From the Access Ports field, click to open the Port Selector dialog box. For more information, see Port Selector.

Optionally specify or edit the trunk ports assigned to the VLAN. From the Trunk Ports field, click to open the Port Selector dialog box. For more information, see Port Selector.

If you select the Routed Port radio button, you must select a routed port. From the Routed Port field, click to open the Select Routed Ports dialog box. For more information, see Select Routed Ports Dialog Box.

HSRP tab

Standby Group Name field

Specify the Hot Standby Routing Protocol (HSRP) standby group name. Click and select Select Standby Group to display the Select HSRP dialog box. For more information, see Select HSRP Dialog Box.

An HSRP group is a set of routers that work together as a single virtual router to the hosts on the network.

Standby IP Address field

Specify the IP address of the standby device in the HSRP group. The standby device assumes the packet-forwarding duties of the active router if the active router fails.

Priority field

Enter the HSRP priority value. The default value is 100. The range of values you can use is 0 to 255.

The router with the highest priority immediately becomes the active router. Priority is determined first by the configured priority value, and then by the IP address. In each case, a higher value is of greater priority.

Preempt pane

Preempt check box

Select this check box to enable HSRP preemption; this allows the device with highest priority to immediately become the active router. Priority is determined first by the HSRP priority value, then by IP address.

Next, do the following:

In the Delay (Sec) field, enter the minimum amount of time, in seconds, for which HSRP preemption is delayed. The range of values you can use is 0 to 3600.

In the Synch Delay (Sec) field, enter the maximum amount of time, in seconds, for which an HSRP group waits to synchronize with IP redundancy clients. The range of values you can use is 0 to 3600.

Standby Delay pane

Minimum (Sec) field

Enter the time, in seconds, to postpone the local router from taking over the active role.

The default value is 1. The range of values you can use is 0 to 10000.

Reload (Sec) field

Enter the time, in seconds, to postpone the local router from taking over the active role after the router has reloaded. This delay value applies to the first interface-up event after the router has reloaded.

The default value is 5. The range of values you can use is 0 to 10000.

Standby Timers pane

Hello Interval (Sec) field

Enter the time, in seconds, between hello packets before other devices declare the active router to be down.

The default value is 3. The range of values you can use is 1 to 254.

You can select the Millisecond check box to enter the hello interval in milliseconds. The range of values you can use is 15 to 254000.

Hold Time (Sec) field

Enter the hold time, in seconds, before other devices declare the active router to be down.

The default value is 10. The range of values you can use is 1 to 256.

You can select the Millisecond check box to enter the hold time in milliseconds. The range of values you can use is 50 to 256000.

Track Interfaces table

You can add interfaces and VLANs to track. Interface tracking allows you to specify another interface on the device for the HSRP process to monitor and to alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority of this device is reduced, allowing another HSRP device with higher priority to become active.

You can do the following:

To add an interface to track, click Add..., then select Interfaces.... The Select Interfaces to Track dialog box appears. See Select Interfaces to Track Dialog Box for more information.

To add a VLAN to track, click Add..., then select VLANs.

To remove an interface, select the entry from the table and click Remove.


Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.
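The HSRP tab above documents value ranges, defaults, and the election rule (priority first, then IP address, preemption only when enabled, priority reduced when a tracked interface goes down) but gives no way to try them out. The following is an added example, not code from CVDM-VPNSM or Cisco: a small model of one standby group that validates the documented ranges and runs the election. Two things are assumptions rather than statements of the dialog: the size of the tracking decrement (TRACK_DECREMENT; the dialog only says the priority "is reduced") and the rule that the hold time must exceed the hello interval.

```python
"""HSRP parameter checks and active-router election, modelled on the HSRP tab
of the Add Crypto Connection dialog.

Added example; this is not CVDM-VPNSM code. The value ranges and defaults are
the ones the dialog documents. TRACK_DECREMENT and the hold-exceeds-hello rule
are assumptions, not statements of the dialog.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List

# Ranges documented on the HSRP tab (seconds unless noted).
PRIORITY_RANGE = (0, 255)
PREEMPT_DELAY_RANGE = (0, 3600)      # Preempt: Delay (Sec) and Synch Delay (Sec)
STANDBY_DELAY_RANGE = (0, 10000)     # Standby Delay: Minimum (Sec) and Reload (Sec)
HELLO_RANGE_SEC, HELLO_RANGE_MSEC = (1, 254), (15, 254000)
HOLD_RANGE_SEC, HOLD_RANGE_MSEC = (1, 256), (50, 256000)

TRACK_DECREMENT = 10  # assumption: priority drop per tracked interface that is down


def _check(name, value, rng):
    lo, hi = rng
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # interface address, used as the election tie-breaker
    priority: int = 100          # dialog default
    preempt: bool = False        # Preempt check box
    preempt_delay: int = 0       # Delay (Sec)
    sync_delay: int = 0          # Synch Delay (Sec)
    delay_minimum: int = 1       # Standby Delay: Minimum (Sec), dialog default
    delay_reload: int = 5        # Standby Delay: Reload (Sec), dialog default
    hello: int = 3               # Hello Interval, dialog default
    hold: int = 10               # Hold Time, dialog default
    msec: bool = False           # Millisecond check box: hello and hold are in ms
    tracked_down: List[str] = field(default_factory=list)  # tracked interfaces whose line protocol is down

    def validate(self):
        """Raise ValueError if any field is outside the range the dialog allows."""
        _check("priority", self.priority, PRIORITY_RANGE)
        _check("preempt delay", self.preempt_delay, PREEMPT_DELAY_RANGE)
        _check("synch delay", self.sync_delay, PREEMPT_DELAY_RANGE)
        _check("standby delay minimum", self.delay_minimum, STANDBY_DELAY_RANGE)
        _check("standby delay reload", self.delay_reload, STANDBY_DELAY_RANGE)
        _check("hello", self.hello, HELLO_RANGE_MSEC if self.msec else HELLO_RANGE_SEC)
        _check("hold", self.hold, HOLD_RANGE_MSEC if self.msec else HOLD_RANGE_SEC)
        if self.hold <= self.hello:  # assumption: IOS rejects a hold time not greater than hello
            raise ValueError("hold time must exceed the hello interval")
        return True

    def effective_priority(self):
        """Interface tracking: each tracked interface that is down lowers the priority."""
        return max(PRIORITY_RANGE[0], self.priority - TRACK_DECREMENT * len(self.tracked_down))

    def rank(self):
        """Election key: priority first, then IP address; the higher value wins in both."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect_active(routers):
    """Name of the router that becomes active when the group converges."""
    for r in routers:
        r.validate()
    return max(routers, key=HsrpRouter.rank).name


def preempts(active, candidate):
    """Can candidate take over from a healthy active router? Only with preemption on."""
    return candidate.preempt and candidate.rank() > active.rank()


if __name__ == "__main__":
    # Constructed demo: two VPN modules in one standby group; vpn-a has lost its tracked uplink.
    primary = HsrpRouter("vpn-a", "10.1.1.2", priority=110, preempt=True,
                         tracked_down=["GigabitEthernet1/1"])
    secondary = HsrpRouter("vpn-b", "10.1.1.3")
    print("active:", elect_active([primary, secondary]))
```

In the constructed demo the tracked uplink drops vpn-a from 110 to 100, so it ties with vpn-b and the higher address (10.1.1.3) becomes active; once the uplink returns, vpn-a only takes the role back because Preempt is selected.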


VLAN Selector

For more information, see VLAN Selector.

Create VLAN Dialog Box

For more information, see Create VLAN Dialog Box.

Port Selector

For more information, see Port Selector.

Select Crypto Map Dialog Box

For more information, see Select Crypto Map Dialog Box.

Select Routed Ports Dialog Box

For more information, see Select Routed Port Dialog Box.

Select HSRP Dialog Box

For more information, see Select HSRP Group Dialog Box.

Select Interfaces to Track Dialog Box

For more information, see Select Interfaces to Track Dialog Box.

Editing Crypto Connections

You can edit crypto connections between the inside VLAN and the outside port on a remote access connection.


Step 1 Click Setup at the top of the window, click Remote Access from the left-most pane, and select Crypto Connections from the selector.

Step 2 Click Edit. The Edit Crypto Connection dialog box appears.

Step 3 Modify the appropriate values.

GUI Element
Description
VPN Inside Interface pane

Interface VLAN field

Interface VLAN ID. You cannot modify this field.

IP Address field

Enter the IP address of the interface VLAN.

Mask list

Select the subnet mask of the interface VLAN from the list or enter it in the field.

Crypto Map field

Specify the crypto map attached to the interface VLAN. Click and select Select Crypto Map to open the Select Crypto Map dialog box. See Select Crypto Map Dialog Box for more information.

You can also clear the crypto map entry by clicking and selecting Clear Selection.

VPN Outside Interface pane

Connection Mode radio button

Specify if you want the outside VLAN attached to an access or trunk port or to a VLAN. You can select the Access/Trunk or Routed Port radio button.

If you select the Access/Trunk radio button, do the following:

Specify an outside VLAN. You can create a VLAN or choose an available VLAN. From the Outside VLAN field, click and do one of the following:

Select Select VLAN to open the VLAN Selector dialog box. See VLAN Selector for more information.

Select Create VLAN to open the Create VLAN dialog box. See Create VLAN Dialog Box for more information.

You can select Clear VLAN to clear the VLAN that is specified in this field.

Optionally, specify or edit access ports assigned to the VLAN. From the Access Ports field, click to open the Port Selector dialog box. For more information, see Port Selector.

Optionally, specify or edit the trunk ports assigned to the VLAN. From the Trunk Ports field, click to open the Port Selector dialog box. For more information, see Port Selector.

If you select the Routed Port radio button, you must select a routed port. From the Routed Port field, click to open the Select Routed Ports dialog box. For more information, see Select Routed Ports Dialog Box.

HSRP tab

Standby Group Name field

Specify the Hot Standby Routing Protocol (HSRP) standby group name. Click and select Select Standby Group to display the Select HSRP dialog box. For more information, see the "Select HSRP Dialog Box" section.

An HSRP group is a set of routers that work together as a single virtual router to the hosts on the network.

Standby IP Address field

Specify the IP address of the standby device in the HSRP group. The standby device assumes the packet-forwarding duties of the active router if the active router fails.

Priority field

Enter the HSRP priority value. The default value is 100. The range of values you can use is 0 to 255.

The router with the highest priority immediately becomes the active router. Priority is determined first by the configured priority value, and then by the IP address. In each case, a higher value is of greater priority.

Preempt pane

Preempt check box

Select this check box to enable HSRP preemption; this allows the device with highest priority to immediately become the active router. Priority is determined first by the HSRP priority value, then by IP address.

Next, do the following:

In the Delay (Sec) field, enter the minimum amount of time, in seconds, for which HSRP preemption is delayed. The range of values you can use is 0 to 3600.

In the Synch Delay (Sec) field, enter the maximum amount of time, in seconds, for which an HSRP group waits to synchronize with IP redundancy clients. The range of values you can use is 0 to 3600.

Standby Delay pane

Minimum (Sec) field

Enter the time, in seconds, to postpone the local router from taking over the active role.

The default value is 1. The range of values you can use is 0 to 10000.

Reload (Sec) field

Enter the time, in seconds, to postpone the local router from taking over the active role after the router has reloaded. This delay value applies to the first interface-up event after the router has reloaded.

The default value is 5. The range of values you can use is 0 to 10000.

Standby Timers pane

Hello Interval (Sec) field

Enter the time, in seconds, between hello packets before other devices declare the active router to be down.

The default value is 3. The range of values you can use is 1 to 254.

You can select the Millisecond check box to enter the hello interval in milliseconds. The range of values you can use is 15 to 254000.

Hold Time (Sec) field

Enter the hold time, in seconds, before other devices declare the active router to be down.

The default value is 10. The range of values you can use is 1 to 256.

You can select the Millisecond check box to enter the hold time in milliseconds. The range of values you can use is 50 to 256000.

Track Interfaces table

You can add interfaces and VLANs to track. Interface tracking allows you to specify another interface on the device for the HSRP process to monitor and alter the HSRP priority for a given group. If the line protocol of the specified interface goes down, the HSRP priority of this device is reduced, allowing another HSRP device with higher priority to become active.

You can do the following:

To add an interface to track, click Add..., then select Interfaces.... The Select Interfaces to Track dialog box appears. See Select Interfaces to Track Dialog Box for more information.

To add a VLAN to track, click Add..., then select VLANs.

To remove an interface, select the entry from the table and click Remove.


Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Configuring Global Settings

To access the Global Settings overview page, click Setup at the top of the window, click Remote Access from the left-most pane, and then click Global Settings from the selector.

From the Global Settings overview page, you can view detail information for both Extended Authentication (Xauth) users and address pools configured on the device.

The following table describes the information provided on the Global Settings overview page.

GUI Element
Action/Description
Xauth Users pane

Username column

Name of an Xauth user.

Password column

Password configured for an Xauth user.

Privilege Level column

Privilege level set for a user.

Privilege levels range from 0 to 15, where 15 is the highest level.

Add button

Click to launch the Add Xauth User dialog box.

See Adding Xauth Users for more information.

Edit button

With a user selected, click to launch the Edit Xauth User dialog box.

See Editing Xauth User Information for more information.

Delete button

Click to delete the selected Xauth user.

Address Pools pane

Pool Name column

Name of an address pool.

Address Range column

IP address range configured for an address pool.

Note Multiple address ranges can be configured.

Cache Size column

Number of IP addresses that the address pool's cache contains.

Group Name column

Name of the group the address pool belongs to.

Add button

Click to launch the Add Address Pool dialog box.

See Adding Address Pools for more information.

Edit button

With a pool selected, click to launch the Edit Address Pool dialog box.

See Editing Address Pools for more information.

Delete button

Click to delete the selected address pool.


Adding Xauth Users

From this dialog box, you can configure the settings for a new Extended Authentication (Xauth) user.


Step 1 From the Xauth Users pane of the Global Settings overview page, click Add. The Add Xauth User dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description

Username field

Enter the username for a new Extended Authentication (Xauth) user.

Privilege Level list

Assign the appropriate privilege level to the new Xauth user.

Privilege levels range from 0 to 15, where 15 is the highest level.

Password field

Enter the password for the new Xauth user.

Confirm Password field

Re-enter the password for the new Xauth user.

Encrypt Password check box

Select to encrypt the password configured for the Xauth user.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Editing Xauth User Information

From this dialog box, you can edit the settings for an existing Extended Authentication (Xauth) user.


Step 1 From the Xauth Users pane of the Global Settings overview page, select a user and click Edit. The Edit Xauth User dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description

Username field

Username of the selected Extended Authentication (Xauth) user.

This field cannot be edited.

Privilege Level list

Edit the privilege level assigned to the selected Xauth user.

Privilege levels range from 0 to 15, where 15 is the highest level.

Password field

Edit the password for the selected Xauth user.

Confirm Password field

Re-enter the password for the selected Xauth user.

Encrypt Password check box

Select to encrypt the password configured for the Xauth user.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Adding Address Pools

From this dialog box, you can configure the settings for a new address pool.


Step 1 From the Address Pools pane of the Global Settings overview page, click Add. The Add Address Pool dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description

Use pool name as "default" check box

Select to create a new address pool named default.

Note the following:

This pool is used when no other address pools are configured.

This pool cannot be assigned to a pool group.

Pool Name field

Enter the name of the new address pool.

Note This field is disabled if the Use pool name as "default" check box is selected.

Group Name field

Enter the name of the group the new address pool belongs to.

Note This field is disabled if the Use pool name as "default" check box is selected.

Cache Size (0-100) field

Enter the number of IP addresses that the new address pool's cache contains.

Note the following:

The cache can contain a maximum of 100 addresses.

The default cache size is 20.

IP Address Range table

Lists the ranges of IP addresses configured for the address pool.

Multiple address ranges can be configured for an address pool, provided that the range you want to specify does not contain addresses that overlap with a range that has already been configured for this address pool or another pool that belongs to the same group.

Note Overlapping address ranges can be configured for two pools that do not belong to the same group.

Add button

Click to open the Add Address Pool Range dialog box.

See Adding an Address Pool Range for more information.

Edit button

Click to open the Edit Address Pool Range dialog box.

See Editing an Address Pool Range for more information.

Delete button

Click to delete the selected IP address range.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Editing Address Pools

From this dialog box, you can edit the settings for an existing address pool.


Step 1 From the Address Pools pane of the Global Settings overview page, select an address pool and click Edit. The Edit Address Pool dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description

Pool Name field

Name of the selected address pool.

This field cannot be edited.

Group Name field

Name of the group the selected address pool belongs to.

This field cannot be edited.

Cache Size (0-100) field

Edit the number of IP addresses that the cache for the selected address pool contains.

Note the following:

The cache can contain a maximum of 100 addresses.

The default cache size is 20.

IP Address Range table

Lists the ranges of IP addresses configured for the address pool.

Multiple address ranges can be configured for an address pool, provided that the range you want to specify does not contain addresses that overlap with a range that has already been configured for this address pool or another pool that belongs to the same group.

Note Overlapping address ranges can be configured for two pools that do not belong to the same group.

Add button

Click to open the Add Address Pool Range dialog box.

See Adding an Address Pool Range for more information.

Edit button

Click to open the Edit Address Pool Range dialog box.

See Editing an Address Pool Range for more information.

Delete button

Click to delete the selected IP address range.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Adding an Address Pool Range

From this dialog box, you can configure the settings for a new address pool range.


Step 1 From the Address Pools pane of the Global Settings overview page, do one of the following:

Click Add. The Add Address Pool dialog box appears.

Select an address pool and click Edit. The Edit Address Pool dialog box appears.

Step 2 Click Add. The Add IP Address Pool Range dialog box appears.

Step 3 Define the following.

GUI Element
Action/Description

Pool Name field

Name of the address pool the new IP address range belongs to.

This field cannot be edited.

Start IP Address field

Enter the lowest IP address in the new IP address range.

End IP Address field

Enter the highest IP address in the new IP address range.


Step 4 Click OK.

Step 5 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.
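The Add Address Pool and Add IP Address Pool Range dialogs above state several rules without showing how they interact: a pool holds one or more ranges, a range may not overlap another range in the same pool or in another pool of the same group, overlap is allowed across groups, the cache holds 0 to 100 addresses (default 20), and the "default" pool cannot be assigned to a group. The following is an added example, not CVDM-VPNSM or Cisco code, that models those rules so you can check a planned pool layout before delivering it. One assumption is made beyond the dialogs: pools that have no group name are treated as sharing a single unnamed scope, so their ranges are also checked against each other. Pool and group names and addresses are constructed.

```python
"""Address pool model with the rules the Add Address Pool and Add IP Address
Pool Range dialogs document.

Added example; this is not CVDM-VPNSM code. Assumption: pools without a group
share one unnamed scope and are overlap-checked against each other.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

CACHE_MIN, CACHE_MAX, CACHE_DEFAULT = 0, 100, 20   # Cache Size (0-100), default 20


@dataclass(frozen=True)
class AddressRange:
    start: str   # Start IP Address field
    end: str     # End IP Address field

    def __post_init__(self):
        if int(IPv4Address(self.start)) > int(IPv4Address(self.end)):
            raise ValueError(f"start {self.start} is above end {self.end}")

    def overlaps(self, other):
        a0, a1 = int(IPv4Address(self.start)), int(IPv4Address(self.end))
        b0, b1 = int(IPv4Address(other.start)), int(IPv4Address(other.end))
        return a0 <= b1 and b0 <= a1

    def size(self):
        return int(IPv4Address(self.end)) - int(IPv4Address(self.start)) + 1


@dataclass
class AddressPool:
    name: str
    group: Optional[str] = None          # Group Name field; None = ungrouped
    cache_size: int = CACHE_DEFAULT
    ranges: List[AddressRange] = field(default_factory=list)

    def __post_init__(self):
        if self.name == "default" and self.group is not None:
            raise ValueError('the "default" pool cannot be assigned to a group')
        if not CACHE_MIN <= self.cache_size <= CACHE_MAX:
            raise ValueError(f"cache size {self.cache_size} is outside {CACHE_MIN}..{CACHE_MAX}")


class PoolTable:
    """All address pools on the device, enforcing the overlap rules on every add."""

    def __init__(self):
        self.pools = {}

    def add_pool(self, pool):
        if pool.name in self.pools:
            raise ValueError(f"pool {pool.name} already exists")
        self.pools[pool.name] = pool
        return pool

    def _conflict(self, pool, rng):
        # A new range is checked against this pool and every pool in the same group
        # (assumption: ungrouped pools all share the unnamed group None).
        for other in self.pools.values():
            if other is not pool and other.group != pool.group:
                continue  # different group: overlap is permitted
            for existing in other.ranges:
                if rng.overlaps(existing):
                    return other.name, existing
        return None

    def add_range(self, pool_name, start, end):
        """Add a range to a pool, rejecting it if it overlaps within the pool's scope."""
        pool = self.pools[pool_name]
        rng = AddressRange(start, end)
        clash = self._conflict(pool, rng)
        if clash:
            raise ValueError(f"{start}-{end} overlaps {clash[1].start}-{clash[1].end} "
                             f"in pool {clash[0]}")
        pool.ranges.append(rng)
        return rng

    def capacity(self, pool_name):
        """Total number of addresses the pool can hand out."""
        return sum(r.size() for r in self.pools[pool_name].ranges)


if __name__ == "__main__":
    # Constructed demo: two pools in group "corp" and one in group "lab".
    table = PoolTable()
    table.add_pool(AddressPool("sales", group="corp"))
    table.add_range("sales", "10.10.1.1", "10.10.1.100")
    table.add_pool(AddressPool("lab", group="lab", cache_size=50))
    table.add_range("lab", "10.10.1.1", "10.10.1.100")   # same range, other group: allowed
    print("sales capacity:", table.capacity("sales"))
```

Running add_range against a pool in the same group with an overlapping range raises ValueError with the conflicting pool and range named, which is the check a reviewer wants before two groups of remote clients end up sharing addresses.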


Editing an Address Pool Range

From this dialog box, you can edit the settings for an existing address pool range.


Step 1 From the Address Pools pane of the Global Settings overview page, select an address pool and click Edit. The Edit Address Pool dialog box appears.

Step 2 Click Edit. The Edit IP Address Pool Range dialog box appears.

Step 3 Define the following.

GUI Element
Action/Description

Pool Name field

Name of the address pool that the edited IP address range belongs to.

This field cannot be edited.

Start IP Address field

Edit the lowest IP address in the new IP address range.

End IP Address field

Edit the highest IP address in the new IP address range.


Step 4 Click OK.

Step 5 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Configuring Group Policies

To access the Group Policies overview page, click Setup at the top of the window, click Remote Access from the left-most pane, and then click Group Policies from the selector.

From the Group Policies overview page, you can view detail information for the group policies configured on the device. Group policies are used to identify resources for Easy VPN Remote clients.

The following table describes the information provided on this page.

GUI Element
Action/Description
Group Policies pane

Name column

Name of a group policy.

Address Pool column

Name of the address pool associated with a group policy.

Key column

Preshared key used for group policy attribute definition.

Domain Name column

Name of the domain to which a group policy belongs.

Split Tunnel ACL column

IPSec rule to be applied for traffic protection.

DNS column

DNS servers associated with a group policy.

Note You can specify up to two DNS servers.

Add button

Click to open the Add Group Policy dialog box.

See Adding Group Policies for more information.

Edit button

Click to open the Edit Group Policy dialog box.

See Editing Group Policies for more information.

Delete button

Click to delete the selected group policy.

Details: X pane

Access Restrict field

Indicates the interfaces that clients in the group policy are restricted from accessing.

Group Lock field

Indicates whether the group lock feature is enabled.

By default, the feature is disabled.

WINS field

IP address of the group policy's WINS server.

Max. Users per Group field

Maximum number of users in a group.

Max. Logins per User field

Maximum number of logins for users in a group.

Split DNS field

Indicates the IPSec rule to be applied for traffic protection.

Backup Server(s) field

IP address of the group's backup gateway.

Firewall, Are You There? field

Indicates whether the Firewall Are-You-There attribute, which restricts VPN connections to clients running Black Ice or Zone Alarm personal firewalls, is enabled.

By default, the feature is disabled.

Save Password field

Indicates whether extended authentication usernames and passwords are saved locally on the Easy VPN client.

By default, the feature is disabled.

Include Local LAN field

Indicates whether the Include-Local-LAN attribute, which allows a non-split tunneling connection to access the local subnetwork at the same time as the client, is enabled.

By default, the feature is disabled.

Perfect Forwarding Secrecy (PFS) field

Indicates whether Perfect Forwarding Secrecy (PFS) is enabled.

Note By default, the feature is disabled.

PFS is a property of some asymmetric key agreement protocols that allows for the use of different keys at different times during a session, to ensure that the compromising of any single key will not compromise the session as a whole.

Address Pool field

Pool of IP addresses from which remote clients connecting to the device are assigned an IP address.

Cache Size field

Number of IP addresses that an address pool's cache contains.

Start IP Address column

Lowest IP address in an address range configured for an address pool.

End IP Address column

Highest IP address in an address range configured for an address pool.


Adding Group Policies

From this dialog box, you can configure the settings for a new group policy.


Step 1 From the Group Policies pane of the Group Policies overview page, click Add. The Add Group Policy dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description
General tab—Group Information section

Group Name field

Enter the name of the new group policy.

Key field

Enter the preshared key used for group policy attribute definition.

Confirm Key field

Re-enter the preshared key used for group policy attribute definition.

General tab—Pool Information section

Create a new pool radio button

Select to create a new IP address pool.

In the IP Address Range fields, enter the lowest and highest IP addresses in an address range.

Select from an existing pool radio button

Select this radio button to select an IP address pool that has already been configured on the device.

See Selecting an IP Pool for more information.

DNS/WINS tab

Domain Name field

Enter the name of the domain the group policy belongs to.

DNS check box

Select to configure the primary and secondary DNS servers.

Primary DNS Server field

Enter the IP address of the primary DNS server.

This field is enabled when the DNS check box is selected.

Secondary DNS Server field

Enter the IP address of the secondary DNS server.

This field is enabled when the DNS check box is selected.

WINS check box

Select to configure the primary and secondary WINS servers.

Primary WINS Server field

Enter the IP address of the primary WINS server.

This field is enabled when the WINS check box is selected.

Secondary WINS Server field

Enter the IP address of the secondary WINS server.

This field is enabled when the WINS check box is selected.

Split DNS button

Click to launch the Configure Group Split DNS dialog box.

See Configuring Group Split DNS for more information.

Backup Server button

Click to launch the Backup Server dialog box.

See Configuring Group Backup Servers for more information.

Split Tunneling tab

Enable Split Tunneling check box

Select to enable split tunneling.

Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. In other words, only traffic sourced from the client and destined for the protected subnets is sent through the VPN tunnel.

Enter the protected subnets radio button

Select to specify the subnets on which split tunneling is enabled. This radio button is enabled when the Enable Split Tunneling check box is selected.

See Adding a Network for more information.

Select the split tunneling ACL radio button

Select this radio button to specify an IPSec rule to be applied for traffic protection. The radio button is enabled when the Enable Split Tunneling check box is selected.

Click and do one of the following:

Select Select an existing rule (ACL)... to select from available IPSec rules. The Select a Rule dialog box appears. Select a rule from the table and click OK.

Select Create a new rule (ACL) and select... to create a new IPSec rule and apply it to this VPN. The Add IPSec rule dialog box appears. For more information, see Adding IPSec Rules.

Select None (clear rule association) to clear the entry in this field.

Advanced Options tab

Enable Group Lock check box

Select to restrict users to establishing connections to the Easy VPN server from the specified user group only.

By default, the feature is disabled.

Max. Users per Group field

Enter the maximum number of users a group can have.

Valid values range from 1 to 5000.

Max. Logins per User field

Enter the maximum number of connections a user can establish simultaneously.

Valid values range from 1 to 10.

Firewall, Are You There? check box

Select to restrict VPN connections to clients running Black Ice or Zone Alarm personal firewalls.

By default, the feature is disabled.

Save Password check box

Select to save extended authentication usernames and passwords locally on your Easy VPN client.

By default, the feature is disabled.

Include Local LAN check box

Select to allow a client on a non-split-tunneling connection to access its local subnetwork at the same time as the VPN connection.

By default, the feature is disabled.

Perfect Forwarding Secrecy (PFS) check box

Select to enable Perfect Forwarding Secrecy (PFS).

Note By default, the feature is disabled.

PFS is a property of some asymmetric key agreement protocols under which different keys are derived at different times during a session, so that the compromise of any single key does not compromise the session as a whole.

Access-Restricted Interfaces button

Click to launch the Configure Group Access Restricted Interface(s) dialog box.

See Configuring Restricted Interfaces for more information.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Editing Group Policies

From this dialog box, you can edit the settings for an existing group policy.


Step 1 From the Group Policies pane of the Group Policies overview page, select a group policy and then click Edit. The Edit Group Policy dialog box appears.

Step 2 Define the following.

GUI Element
Action/Description
General tab—Group Information section

Group Name field

Name of the selected group policy.

This field cannot be edited.

Key field

Modify the preshared key used for group policy attribute definition.

Confirm Key field

Re-enter the preshared key used for group policy attribute definition.

General tab—Pool Information section

Create a new pool radio button

Select to create a new IP address pool.

In the IP Address Range fields, enter the lowest and highest IP addresses in an address range.

Select from an existing pool radio button

Select this radio button to select an IP address pool that has already been configured on the device.

See Selecting an IP Pool for more information.

DNS/WINS tab

Domain Name field

Edit the name of the domain the group policy belongs to.

DNS check box

Select to configure the primary and secondary DNS servers.

Primary DNS Server field

Edit the IP address of the primary DNS server.

This field is enabled when the DNS check box is selected.

Secondary DNS Server field

Edit the IP address of the secondary DNS server.

This field is enabled when the DNS check box is selected.

WINS check box

Select to configure the primary and secondary WINS servers.

Primary WINS Server field

Edit the IP address of the primary WINS server.

This field is enabled when the WINS check box is selected.

Secondary WINS Server field

Edit the IP address of the secondary WINS server.

This field is enabled when the WINS check box is selected.

Split DNS button

Click to launch the Configure Group Split DNS dialog box.

See Configuring Group Split DNS for more information.

Backup Server button

Click to launch the Backup Server dialog box.

See Configuring Group Backup Servers for more information.

Split Tunneling tab

Enable Split Tunneling check box

Select to enable split tunneling.

Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. In other words, only traffic sourced from the client and destined for the protected subnets is sent through the VPN tunnel; all other client traffic goes directly to the Internet in clear text.

Enter the protected subnets radio button

Select to specify the subnets on which split tunneling is enabled. This radio button is enabled when the Enable Split Tunneling check box is selected.

See Adding a Network for more information.

Select the split tunneling ACL radio button

Select this radio button to specify an IPSec rule to be applied for traffic protection. The radio button is enabled when the Enable Split Tunneling check box is selected.

Click and do one of the following:

Select Select an existing rule (ACL)... to select from available IPSec rules. The Select a Rule dialog box appears. Select a rule from the table and click OK.

Select Create a new rule (ACL) and select... to create a new IPSec rule and apply it to this VPN. The Add IPSec rule dialog box appears. For more information, see Adding IPSec Rules.

Select None (clear rule association) to clear the entry in this field.

Advanced Options tab

Enable Group Lock check box

Select to restrict users so that they can establish connections to the Easy VPN server only through the specified user group.

By default, the feature is disabled.

Max. Users per Group field

Edit the maximum number of users a group can have.

Valid values range from 1 to 5000.

Max. Logins per User field

Edit the maximum number of connections a user can establish simultaneously.

Valid values range from 1 to 10.

Firewall, Are You There? check box

Select to restrict VPN connections to clients running Black Ice or Zone Alarm personal firewalls.

By default, the feature is disabled.

Save Password check box

Select to save extended authentication usernames and passwords locally on your Easy VPN client.

By default, the feature is disabled.

Include Local LAN check box

Select to allow a client on a non-split-tunneling connection to access its local subnetwork at the same time as the VPN connection.

By default, the feature is disabled.

Perfect Forwarding Secrecy (PFS) check box

Select to enable Perfect Forwarding Secrecy (PFS).

Note By default, the feature is disabled.

PFS is a property of some asymmetric key agreement protocols under which different keys are derived at different times during a session, so that the compromise of any single key does not compromise the session as a whole.

Access-Restricted Interfaces button

Click to launch the Configure Group Access Restricted Interface(s) dialog box.

See Configuring Restricted Interfaces for more information.


Step 3 Click OK.

Step 4 Click Deliver at the top of the window. For more information on delivering accumulated CLI commands, see Delivering CLI Commands to the Device.


Configuring Group Split DNS

Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. In other words, only traffic sourced from the client and destined for the protected subnets is sent through the VPN tunnel; all other client traffic goes directly to the Internet in clear text.

In the Configure Group Split DNS dialog box, you can configure the domains on which split tunneling is enabled.


Step 1 Do one of the following:

To add a domain to the Split DNS List, enter its name in the Split DNS Name field and then click Add>>.


Note You can specify up to ten split DNS entries.


To remove a domain from the Split DNS List, select it and then click Remove.

Step 2 Click OK.


Configuring Group Backup Servers

In the Backup Server dialog box, you can configure backup servers for a group policy.


Step 1 Do one of the following:

To add a server to the Backup Server List, enter its name in the Backup Server field and then click Add>>.


Note You can specify up to ten backup servers. The device will attempt to access the first server in the list and, if necessary, proceed to subsequent servers until a connection has been established.


To remove a server from the Backup Server List, select it and then click Remove.

Step 2 Click OK.


Adding a Network

From this dialog box, you can specify the subnets on which split tunneling is enabled.


Step 1 In the Split Tunneling tab of either the Add Group Policy or Edit Group Policy dialog box, select the Enable Split Tunneling check box.

Step 2 Select the Enter the protected subnets radio button.

Step 3 Do one of the following:

To add a subnet to the protected subnets list:

Click Add. The Add a Network dialog box appears.

Enter the appropriate IP address and mask and then click OK.

To remove a subnet from the protected subnets list, select it and then click Delete.
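The following added example (not CVDM-VPNSM code) models the group policy settings described in the Advanced Options and Split Tunneling tabs and in the Adding a Network procedure: it checks the value limits the guide states and decides, for a given destination, whether client traffic crosses the VPN tunnel or is sent in clear text. The policy dictionary layout, the key names and the sample addresses are assumptions made for the example.

```python
import ipaddress

# Limits stated in the CVDM-VPNSM guide
MAX_USERS_PER_GROUP = (1, 5000)
MAX_LOGINS_PER_USER = (1, 10)
MAX_LIST_ENTRIES = 10  # split DNS entries, backup servers, restricted interfaces


def validate_group_policy(policy):
    """Return the list of limit violations for a policy dict (hypothetical layout)."""
    errors = []
    for key, (lo, hi) in (("max_users", MAX_USERS_PER_GROUP),
                          ("max_logins", MAX_LOGINS_PER_USER)):
        if not lo <= policy.get(key, lo) <= hi:
            errors.append(f"{key} must be between {lo} and {hi}")
    for key in ("split_dns", "backup_servers", "restricted_interfaces"):
        if len(policy.get(key, [])) > MAX_LIST_ENTRIES:
            errors.append(f"{key}: at most {MAX_LIST_ENTRIES} entries allowed")
    if "pool" in policy:  # (lowest, highest) as entered in the IP Address Range fields
        first, last = (ipaddress.ip_address(a) for a in policy["pool"])
        if first > last:
            errors.append("pool: lowest address is above highest address")
    if policy.get("split_tunneling") and not policy.get("protected_subnets"):
        errors.append("split tunneling enabled but no protected subnets given")
    return errors


def goes_through_tunnel(policy, destination, client_lan=None):
    """Decide whether client traffic to `destination` traverses the VPN tunnel.

    Split tunneling: only the protected subnets are tunnelled, everything else
    is sent in clear text. Without split tunneling everything is tunnelled,
    except the client's own LAN when Include Local LAN is enabled.
    """
    dst = ipaddress.ip_address(destination)
    if policy.get("split_tunneling"):
        return any(dst in ipaddress.ip_network(s) for s in policy["protected_subnets"])
    if policy.get("include_local_lan") and client_lan is not None:
        return dst not in ipaddress.ip_network(client_lan)
    return True


# Constructed sample policy (illustrative values, not taken from a real device)
SAMPLE_POLICY = {
    "max_users": 100, "max_logins": 2,
    "pool": ("10.10.1.1", "10.10.1.254"),
    "split_tunneling": True,
    "protected_subnets": ["10.0.0.0/8", "192.168.50.0/24"],
    "include_local_lan": False,
    "split_dns": ["corp.example"], "backup_servers": ["vpn2.example"],
}
```

Running `validate_group_policy` before delivering a policy catches out-of-range values that the dialog boxes would otherwise reject, and `goes_through_tunnel` makes the effect of the protected subnets list explicit for any destination.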


Configuring Restricted Interfaces

From this dialog box, you can specify the interfaces that clients in the group policy are restricted from accessing.


Step 1 In the Advanced Options tab of either the Add Group Policy or Edit Group Policy dialog box, click Access Restricted Interfaces... to launch the Configure Group Access Restricted Interface(s) dialog box.

Step 2 Do one of the following:

To add an interface:

Select an interface that clients in the group policy are restricted from accessing.


Note You can select a maximum of ten interfaces.


Click Add>> and then click OK.

To remove an interface from the Restricted Interfaces list, select it and then click Remove.