Table Of Contents
Scenario: IPsec Remote-Access VPN Configuration
Example IPsec Remote-Access VPN Network Topology
Implementing the IPsec Remote-Access VPN Scenario
Information to Have Available
Configuring an IPsec Remote-Access VPN
Selecting VPN Client Types
Specifying the VPN Tunnel Group Name and Authentication Method
Specifying a User Authentication Method
(Optional) Configuring User Accounts
Configuring Address Pools
Configuring Client Attributes
Configuring the IKE Policy
Specifying Address Translation Exception and Split Tunneling
Verifying the Remote-Access VPN Configuration
What to Do Next
Scenario: IPsec Remote-Access VPN Configuration
This chapter describes how to use the adaptive security appliance to accept remote-access IPsec VPN connections. A remote-access VPN allows you to create secure connections, or tunnels, across the Internet, which provides secure access to off-site users. In this type of VPN configuration, remote users must be running the Cisco VPN client to connect to the adaptive security appliance.
If you are implementing an Easy VPN solution, this chapter describes how to configure the Easy VPN server (sometimes called a headend device).
This chapter includes the following sections:
• Example IPsec Remote-Access VPN Network Topology
• Implementing the IPsec Remote-Access VPN Scenario
• What to Do Next
Example IPsec Remote-Access VPN Network Topology
Figure 9-1 shows an adaptive security appliance configured to accept requests from, and establish IPsec connections with, VPN clients such as Cisco Easy VPN software or hardware clients, over the Internet.
Figure 9-1 Network Layout for Remote Access VPN Scenario
Implementing the IPsec Remote-Access VPN Scenario
This section describes how to configure the adaptive security appliance to accept IPsec VPN connections from remote clients and devices. If you are implementing an Easy VPN solution, this section describes how to configure an Easy VPN server (also known as a headend device).
Values for example configuration settings are taken from the remote-access scenario illustrated in Figure 9-1.
This section includes the following topics:
• Information to Have Available
• Configuring an IPsec Remote-Access VPN
• Selecting VPN Client Types
• Specifying the VPN Tunnel Group Name and Authentication Method
• Specifying a User Authentication Method
• (Optional) Configuring User Accounts
• Configuring Address Pools
• Configuring Client Attributes
• Configuring the IKE Policy
• Specifying Address Translation Exception and Split Tunneling
• Verifying the Remote-Access VPN Configuration
Information to Have Available
Before you begin configuring the adaptive security appliance to accept remote access IPsec VPN connections, make sure that you have the following information available:
• Range of IP addresses to be used in an IP pool. These addresses are assigned to remote VPN clients as they are successfully connected.
• List of users to be used in creating a local authentication database, unless you are using a AAA server for authentication.
• Networking information to be used by remote clients when connecting to the VPN, including the following:
  – IP addresses for the primary and secondary DNS servers
  – IP addresses for the primary and secondary WINS servers
  – Default domain name
  – List of IP addresses for local hosts, groups, and networks that should be made accessible to authenticated remote clients
Configuring an IPsec Remote-Access VPN
To configure a remote-access VPN, perform the following steps:
Step 1
In the main ASDM window, choose IPsec VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.
Step 2
In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Remote Access radio button.
b. From the drop-down list, choose Outside as the enabled interface for the incoming VPN tunnels.
c. Click Next to continue.
Selecting VPN Client Types
In Step 2 of the VPN Wizard, perform the following steps:
Step 1
Specify the type of VPN client that will enable remote users to connect to this adaptive security appliance. For this scenario, click the Cisco VPN Client radio button.
You can also use any other Cisco Easy VPN remote product.
Step 2
Click Next to continue.
Specifying the VPN Tunnel Group Name and Authentication Method
In Step 3 of the VPN Wizard, perform the following steps:
Step 1
Specify the type of authentication that you want to use by performing one of the following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPsec negotiations.
• To use digital certificates for authentication, click the Certificate radio button, choose the Certificate Signing Algorithm from the drop-down list, and then choose a preconfigured trustpoint name from the drop-down list.
If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM windows.
• To use Challenge/Response Authentication (CRACK), click the Challenge/Response Authentication (CRACK) radio button.
Step 2
Enter a Tunnel Group Name (such as "Cisco") for the set of users that use common connection parameters and client attributes to connect to this adaptive security appliance.
Step 3
Click Next to continue.
Specifying a User Authentication Method
Users can be authenticated either by a local authentication database or by using external authentication, authorization, and accounting (AAA) servers (RADIUS, TACACS+, SDI, NT, Kerberos, and LDAP).
In Step 4 of the VPN Wizard, perform the following steps:
Step 1
If you want to authenticate users by creating a user database on the adaptive security appliance, click the Authenticate Using the Local User Database radio button.
Step 2
If you want to authenticate users with an external AAA server group:
a. Click the Authenticate Using an AAA Server Group radio button.
b. Choose a preconfigured server group from the Authenticate using a AAA server group drop-down list, or click New to add a new AAA server group.
Step 3
Click Next to continue.
(Optional) Configuring User Accounts
If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.
In Step 5 of the VPN Wizard, perform the following steps:
Step 1
To add a new user, enter a username and password, and then click Add.
Step 2
When you have finished adding new users, click Next to continue.
Configuring Address Pools
For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1-209.166.201.20.
In Step 6 of the VPN Wizard, perform the following steps:
Step 1
Enter a pool name or choose a preconfigured pool from the Pool Name drop-down list. Alternatively, click New to create a new address pool; the Add IP Pool dialog box appears.
Step 2
In the Add IP Pool dialog box, do the following:
a. Enter the Starting IP address and Ending IP address of the range.
b. (Optional) Enter a subnet mask, or choose a subnet mask for the range of IP addresses from the Subnet Mask drop-down list.
c. Click OK to return to Step 6 of the VPN Wizard.
Step 3
Click Next to continue.
Configuring Client Attributes
To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Instead of configuring each remote client individually, you can provide the client information to ASDM. The adaptive security appliance pushes this information to the remote client or Easy VPN hardware client when a connection is established.
Make sure that you specify the correct values, or remote clients will not be able to use DNS names for resolution or use Windows networking.
In Step 7 of the VPN Wizard, perform the following steps:
Step 1
Enter the network configuration information to be pushed to remote clients.
Step 2
Click Next to continue.
Configuring the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to verify the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels.
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps:
Step 1
Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) that the adaptive security appliance uses when negotiating an IKE security association.
Step 2
Click Next to continue.
Specifying Address Translation Exception and Split Tunneling
Split tunneling enables remote-access IPsec clients to send packets conditionally, either over an IPsec tunnel in encrypted form or out a network interface in cleartext.
The adaptive security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally. You can make exceptions to this network protection by identifying local hosts and networks that should be made accessible to authenticated remote users.
In Step 9 of the VPN Wizard, perform the following steps:
Step 1
Specify hosts, groups, and networks that should be in the list of internal resources made accessible to authenticated remote users.
To add or remove hosts, groups, and networks dynamically from the Selected Hosts/Networks area, click Add or Delete, respectively.
Step 2
To enable split tunneling, check the Enable Split Tunneling check box. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.
Step 3
To enable perfect forward secrecy (PFS), check the Enable Perfect Forwarding Secrecy check box. When PFS is enabled, the Diffie-Hellman group that you select in Step 4 sets the size of the numbers used to generate Phase 2 IPsec keys.
PFS is a cryptographic property in which each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys, which ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future.
Note: PFS must be enabled on both sides of the connection.
Step 4
Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC).
Step 5
Click Next to continue.
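The wizard writes its IKE policy, PFS, and split-tunneling choices (Steps 8 and 9 above) into the appliance configuration. The following added example, which is not part of this guide or of ASDM, audits such a configuration for the weakest options the wizard offers (DES, MD5, DH group 1) and checks that PFS is set; the sample configuration, the CLI keyword forms (`crypto isakmp policy`, `crypto dynamic-map ... set pfs`, which vary by software version), and the pool range are constructed assumptions.

```python
import re

# Constructed sample approximating the CLI the wizard generates for tunnel
# group "Cisco" with PFS and split tunneling. Keyword syntax is assumed and
# differs by ASA version; this is not configuration taken from the guide.
SAMPLE_CONFIG = """\
ip local pool vpnpool 209.165.201.1-209.165.201.20 mask 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
crypto dynamic-map outside_dyn_map 20 set pfs group2
group-policy Cisco attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Cisco_splitTunnelAcl
tunnel-group Cisco type remote-access
tunnel-group Cisco general-attributes
 address-pool vpnpool
"""

# The weakest of the options the wizard offers for each IKE parameter.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its indented attributes."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                current[parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the block
    return policies


def audit_ike_policies(config):
    """Return one finding per weak setting, e.g. 'policy 10: weak hash md5'."""
    findings = []
    for prio, attrs in sorted(parse_isakmp_policies(config).items()):
        for key, weak_values in WEAK.items():
            if attrs.get(key) in weak_values:
                findings.append(f"policy {prio}: weak {key} {attrs[key]}")
    return findings


def pfs_enabled(config):
    """True when a dynamic crypto-map entry carries 'set pfs' (needed on both peers)."""
    return re.search(r"^crypto dynamic-map \S+ \d+ set pfs\b", config, re.M) is not None
```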
Verifying the Remote-Access VPN Configuration
In Step 10 of the VPN Wizard, review the configuration attributes for the new VPN tunnel. The displayed configuration should be similar to the following:
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
What to Do Next
To establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers, obtain the Cisco VPN client software.
For more information about the Cisco Systems VPN client, see the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html.
If you are deploying the adaptive security appliance solely in a remote-access VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps.
To Do This... | See...
Refine configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI
Learn about daily operations | Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.