Table Of Contents
Policy Management
Configuration | Policy Management
Access Hours
Screen Elements
Access Hours | Add or Modify
Screen Elements
Traffic Management
Traffic Management | Network Lists
Screen Elements
Traffic Management | Network Lists | Add, Modify, or Copy
Screen Elements
Traffic Management | Rules
Screen Elements
Traffic Management | Rules | Add, Modify, or Copy
Creating Rules for a Firewall Filter
Screen Elements
Traffic Management | Rules | Delete
Screen Elements
Traffic Management | Security Associations
Screen Elements
Traffic Management | Security Associations | Add or Modify
About IPSec Parameters
About IKE Parameters
Screen Elements
Traffic Management | Security Associations | Delete
Screen Elements
Traffic Management | Filters
Upgrading Affects HTTPS Filters
Filters Screen
Screen Elements
Traffic Management | Filters | Add, Modify, or Copy
Screen Elements
Traffic Management | Assign Rules to Filter
Screen Elements
Traffic Management | Assign Rules to Filter | Add SA to Rule
Screen Elements
Traffic Management | Assign Rules to Filter | Change SA on Rule
Screen Elements
Traffic Management | NAT
Traffic Management | NAT | Enable
Screen Elements
Traffic Management | NAT | Interface Rules
Screen Elements
Traffic Management | NAT | Rules | No Public Interfaces
Traffic Management | NAT | Interface Rules | Add or Modify
Screen Elements
Traffic Management | NAT | LAN-to-LAN Rules
About LAN-to-LAN NAT
Screen Elements
Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify
Guideline for Defining NAT Rules and Types
Screen Elements
Traffic Management | Bandwidth Policies
Screen Elements
Traffic Management | Bandwidth Policies | Add or Modify
Overview of Bandwidth Management
Bandwidth Reservation
Bandwidth Policing
Configuring Bandwidth Management
Screen Elements
Certificate Group Matching
Screen Elements
Certificate Group Matching | Rules
Screen Elements
Certificate Group Matching | Rules | Add or Modify
Distinguished Name Component Options
Screen Elements
Certificate Group Matching | Policy
Screen Elements
Network Admission Control (NAC)
Screen Elements
Network Admission Control | Global Parameters
Screen Elements
Network Admission Control | Exception List
Screen Elements
Network Admission Control | Exception List | Add, Modify, or Copy
Screen Elements
Policy Management
Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with "who can use it"; see "User Management" for that discussion. Policy management deals with "when" and "what data traffic can flow through it"; this section covers those topics.
You configure when remote users can access the VPN under Access Hours.
You configure "what data traffic can flow through it" under Traffic Management. The Cisco VPN 3000 Concentrator hierarchy is straightforward: you use filters that consist of rules; and for IPSec rules, you apply Security Associations (SAs). Therefore, you first configure rules and SAs, then use them to construct filters.
A filter determines whether to forward or drop a data packet traversing the system. It examines the data packet in accordance with one or more rules—direction, source address, destination address, ports, and protocol—which determine whether to forward, apply IPSec and forward, or drop. And it examines the rules in the order they are arranged on the filter.
You apply filters to Ethernet interfaces, and thus govern all traffic through an interface. You also apply filters to groups and users, and thus govern tunneled traffic through an interface.
If you are applying different filters to a large number of groups or users, you might find it more convenient to configure filters on an external RADIUS server. For more information on configuring the VPN Concentrator to use external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.
With IPSec, the VPN Concentrator negotiates Security Associations during tunnel establishment that govern authentication, key management, encryption, encapsulation, etc. Thus IPSec also determines how to transform a data packet before forwarding it. You apply Security Associations to IPSec rules when you include those rules in a filter, and you apply SAs to groups and users.
The VPN Concentrator also lets you create network lists, which are lists of network addresses that are treated as a single object. These lists simplify the configuration of rules for complex networks. You can also use them to configure split tunneling for groups and users, and to configure IPSec LAN-to-LAN connections.
To fully configure the VPN Concentrator, you should first develop policies (network lists, rules, SAs, and filters), since they affect Ethernet interfaces, groups, and users. And once you have developed policies, we recommend that you configure and apply filters to interfaces before you configure groups and users.
Traffic management on the VPN Concentrator also includes NAT (Network Address Translation) functions that translate private network addresses into legitimate public network addresses. Again, you develop rules to configure and use NAT.
Configuration | Policy Management
This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces.
Policies govern:
• Access Hours: when remote users can access the VPN Concentrator.
• Traffic Management: what data traffic can flow through the VPN Concentrator, as governed by:
  – Network Lists: lists of networks grouped as single objects.
  – Rules: detailed parameters that govern the handling of data packets.
  – SAs: IPSec Security Associations.
  – Filters: structures for applying aggregated rules.
  – NAT: Network Address Translation.
  – Bandwidth Policies: policies prioritizing network traffic.
• Certificate Group Matching: which fields in a distinguished name to use for matching a user's certificate to a permission group.
• Network Admission Control (NAC): settings for how the VPN Concentrator functions as a NAC authenticator and ACS client.
Figure 14-1 Configuration | Policy Management Screen
Access Hours
This section of the Manager lets you configure access times, to control when remote-access groups and users can access the VPN Concentrator. You assign access hours to groups and users under Configuration | User Management. Access hours do not apply to LAN-to-LAN connections.
Figure 14-2 Configuration | Policy Management | Access Hours Screen
Screen Elements
• Current Access Hours — This list shows the names of configured access times. The Cisco-supplied default access times are:
  – Never = No access at any time.
  – Business Hours = Monday through Friday, 9 a.m. to 5 p.m.
  Additional access times that you configure appear in the list.
• Add — Click to configure and add a new access time to the list. The Manager opens the Access Hours | Add or Modify screen.
• Modify — To modify a configured access time, select the entry from the list and click Modify. The Manager opens the Access Hours | Add or Modify screen.
• Delete — To remove a configured access time, select the entry from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Current Access Hours list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Access Hours | Add or Modify
These Manager screens let you:
• Add: Configure and add a new access time to the list of configured access times.
• Modify: Modify a configured access time. Changing an access time has no effect on connected users, since the parameter is checked only when the tunnel is established. The change affects subsequent connections, however.
Figure 14-3 Configuration | Policy Management | Access Hours | Add or Modify Screens
Screen Elements
• Name — Enter a unique name for this set of access hours. Maximum is 48 characters.
• Sunday - Saturday — For each day of the week, click the Sunday - Saturday drop-down menu button and choose:
  – during = Allow access during the hours in the range (default).
  – except = Allow access at times except the hours in the range.
  Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS and use 24-hour notation, for example: enter 5:30 p.m. as 17:30. By default, all ranges are 00:00:00 to 23:59:59.
• Add / Apply — To add this access time to the list, click Add. To apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Access Hours screen. Any new entry appears in the Current Access Times list.
• Cancel — To discard your settings, click Cancel. The Manager returns to the Access Hours screen, and the Current Access Times list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
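The during/except semantics of the Add or Modify screen, worked through as an added example. This is not Cisco's code and does not reflect how the Concentrator stores access hours; it assumes one (mode, start, end) triple per weekday with inclusive HH:MM:SS ranges as described above, and it models "no access on a day" as except over the whole day, which is an assumption about how such a day would be entered. The schedule is evaluated only at tunnel-establishment time, matching the note that changes do not affect already connected users.

```python
"""Access Hours checker (added example, not Cisco's code).

Assumed representation: one (mode, start, end) triple per weekday, mode is
"during" or "except", times are HH:MM:SS in 24-hour notation, ranges are
inclusive. "No access on a day" is modelled as 'except' over the whole day
(an assumption, not something the screen states).
"""
from datetime import datetime, time
from typing import Dict, Tuple

DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
DayRange = Tuple[str, str, str]
ALL_DAY: DayRange = ("during", "00:00:00", "23:59:59")    # the screen default for every day
NO_ACCESS: DayRange = ("except", "00:00:00", "23:59:59")  # assumption, see module docstring


def parse_hms(text: str) -> time:
    """Strict HH:MM:SS in 24-hour notation (5:30 p.m. is entered as 17:30:00)."""
    return datetime.strptime(text, "%H:%M:%S").time()


def access_hours(**per_day: DayRange) -> Dict[str, DayRange]:
    """Build a 7-day schedule; days not given keep the default 00:00:00 to 23:59:59."""
    schedule = {day: ALL_DAY for day in DAYS}
    for day, spec in per_day.items():
        if day not in schedule:
            raise ValueError(f"unknown day {day!r}")
        mode, start, end = spec
        if mode not in ("during", "except") or parse_hms(start) > parse_hms(end):
            raise ValueError(f"bad range for {day}: {spec}")
        schedule[day] = spec
    return schedule


def access_allowed(schedule: Dict[str, DayRange], when: datetime) -> bool:
    """Evaluate at tunnel-establishment time only, as the device does; a later
    change to the schedule never disconnects an already connected user."""
    day = DAYS[(when.weekday() + 1) % 7]   # datetime.weekday(): Monday=0 ... Sunday=6
    mode, start, end = schedule[day]
    now = when.time().replace(microsecond=0)
    in_range = parse_hms(start) <= now <= parse_hms(end)   # inclusive at both ends
    return in_range if mode == "during" else not in_range


# The Cisco-supplied "Business Hours" (Monday through Friday, 9 a.m. to 5 p.m.)
# expressed in this model; weekend days use the NO_ACCESS assumption above.
BUSINESS_HOURS = access_hours(
    Sunday=NO_ACCESS, Saturday=NO_ACCESS,
    **{day: ("during", "09:00:00", "17:00:00") for day in DAYS[1:6]},
)

# Constructed schedule: always allowed except a Sunday 02:00 to 04:00 maintenance window.
MAINTENANCE_WINDOW = access_hours(Sunday=("except", "02:00:00", "04:00:00"))


if __name__ == "__main__":
    for stamp in ("2024-01-10 10:00:00", "2024-01-10 18:00:00", "2024-01-13 10:00:00"):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        print(stamp, "allowed under Business Hours:", access_allowed(BUSINESS_HOURS, when))
```

The inclusive comparison is the detail worth checking when writing a schedule: a range ending at 17:00:00 still admits a connection at exactly 17:00:00, and the first second after it is refused.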
Traffic Management
This section of the Manager lets you configure network lists, rules, filters, and security associations, as well as network address translation and bandwidth policies. These features let you control the data traffic through the VPN Concentrator.
• Network lists let you treat lists of network addresses as a single object, thus simplifying the configuration of rules for complex networks.
• Filters consist of rules; and IPSec rules (rules in which you configure an Apply IPSec action) also have security associations. Therefore you first configure any network lists, then rules and SAs, and finally filters.
  A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the default action specified in the filter.
  You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they apply to all traffic. You also apply filters to groups and users under Configuration | User Management; these filters apply to tunneled traffic only.
• Network address translation (NAT) translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between networks that have overlapping private network addresses.
• Bandwidth policies let you set minimum and maximum amounts of bandwidth per group.
Figure 14-4 Configuration | Policy Management | Traffic Management Screen
Traffic Management | Network Lists
This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.
You can use network lists in configuring filter rules (see Traffic Management | Rules). You can also use them to configure split tunneling for groups and users (see Configuration | User Management), and to configure IPSec LAN-to-LAN connections (see IPSec | LAN-to-LAN).
The Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.
A single network list can contain a maximum of 200 network entries. The Manager does not limit the number of network lists you can configure.
Figure 14-5 Configuration | Policy Management | Traffic Management | Network Lists Screen
Screen Elements
• Network List — This field shows the names of the network lists you have configured. If no lists have been configured, the field shows --Empty--.
• Add — To configure and add a new network list, click Add. The Manager opens the Traffic Management | Network Lists | Add, Modify, or Copy screen.
• Modify — To modify a configured network list, select the list and click Modify. The Manager opens the Traffic Management | Network Lists | Add, Modify, or Copy screen.
• Copy — To copy a configured network list, modify it, and save it with a new name, select the list and click Copy. See the Traffic Management | Network Lists | Add, Modify, or Copy screen.
• Delete — To delete a configured network list, select the list and click Delete. If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists.
Traffic Management | Network Lists | Add, Modify, or Copy
These screens let you:
• Add: Configure and add a new network list.
• Modify: Modify a previously configured network list.
• Copy: Copy a configured network list, modify its parameters, save it with a new name, and add it to the configured network lists.
On the Add and Modify screens, the Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.
Figure 14-6 Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy Screens
Screen Elements
• List Name — Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed.
  If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list.
• Network List — Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is a network IP address and w.w.w.w is a wildcard mask.
Note
Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.
If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and the default wildcard mask is 0.0.0.255.
You can include a maximum of 200 network/wildcard entries in a single network list.
• Generate Local List — On the Add or Modify screen, click this button to have the Manager automatically generate a network list containing the first 200 private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table (see Monitoring | Routing Table), and Inbound RIP must be enabled on that interface (see Configuration | Interfaces). The Manager refreshes the screen after it generates the list, and you can then edit the Network List and enter a List Name.
Note
If you click Apply, the generated list replaces any existing entries in the Network List.
• Add / Apply — To add this network list to the configured network lists, click Add. Or to apply your changes to this network list, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Traffic Management | Network Lists screen. Any new entry appears at the bottom of the Network List field.
• Cancel — To discard your settings, click Cancel. The Manager returns to the Traffic Management | Network Lists screen, and the Network Lists field is unchanged.
Traffic Management | Rules
This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters.
Caution
The Cisco-supplied default rules are intended as templates that you should examine and modify to fit your network and security needs. Unmodified, or incorrectly applied, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter. For example, the default Incoming HTTP rules are intended to allow an administrator outside the private network to manage the VPN Concentrator with a browser. Unmodified, they could allow browser connections to any system on the private network. If you apply these rules to a filter, you should at least change the Source and Destination Address to limit the connections.
Cisco supplies several default rules that you can modify and use. See Table 14-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters.
For all the default rules except VRRP In and Out, these parameters are identical:
• Action = Forward
• Source Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address
• Destination Address = Use IP Address/Wildcard-Mask = 0.0.0.0/255.255.255.255 = any address
For maximum security and control, we recommend that you change the Source Address and Destination Address to fit your network addressing and security scheme.
Table 14-1 Cisco-Supplied Default Filter Rules
Filter Rule Name | Direction | Protocol | TCP Connection | TCP/UDP Source Port | TCP/UDP Destination Port | ICMP Packet Type
Any In | Inbound | Any | Don't Care | Range 0-65535 | Range 0-65535 | 0-255
Any Out | Outbound | Any | Don't Care | Range 0-65535 | Range 0-65535 | 0-255
CRL over LDAP In | Inbound | TCP | Don't Care | LDAP (389) | Range 0-65535 | —
CRL over LDAP Out | Outbound | TCP | Don't Care | Range 0-65535 | LDAP (389) | —
EAPoUDP In | Inbound | UDP | Don't Care | 21862 | Range 0-65535 | —
EAPoUDP Out | Outbound | UDP | Don't Care | Range 0-65535 | 21862 | —
GRE In | Inbound | GRE | — | — | — | —
GRE Out | Outbound | GRE | — | — | — | —
ICMP In | Inbound | ICMP | — | — | — | 0-18
ICMP Out | Outbound | ICMP | — | — | — | 0-18
IKE In | Inbound | UDP | — | Range 0-65535 | IKE (500) | —
IKE Out | Outbound | UDP | — | IKE (500) | Range 0-65535 | —
Incoming HTTP In | Inbound | TCP | Don't Care | Range 0-65535 | HTTP (80) | —
Incoming HTTP Out | Outbound | TCP | Don't Care | HTTP (80) | Range 0-65535 | —
Incoming HTTPS In | Inbound | TCP | Don't Care | Range 0-65535 | HTTPS (443) | —
Incoming HTTPS Out | Outbound | TCP | Don't Care | HTTPS (443) | Range 0-65535 | —
IPSec-ESP In | Inbound | ESP | — | — | — | —
L2TP In | Inbound | UDP | — | Range 0-65535 | L2TP (1701) | —
L2TP Out | Outbound | UDP | — | L2TP (1701) | Range 0-65535 | —
LDAP In | Inbound | TCP | Don't Care | Range 0-65535 | LDAP (389) | —
LDAP Out | Outbound | TCP | Don't Care | LDAP (389) | Range 0-65535 | —
OSPF In | Inbound | OSPF | — | — | — | —
OSPF Out | Outbound | OSPF | — | — | — | —
Outgoing HTTP In | Inbound | TCP | Don't Care | HTTP (80) | Range 0-65535 | —
Outgoing HTTP Out | Outbound | TCP | Don't Care | Range 0-65535 | HTTP (80) | —
Outgoing HTTPS In | Inbound | TCP | Don't Care | HTTPS (443) | Range 0-65535 | —
Outgoing HTTPS Out | Outbound | TCP | Don't Care | Range 0-65535 | HTTPS (443) | —
PPTP In | Inbound | TCP | Don't Care | Range 0-65535 | PPTP (1723) | —
PPTP Out | Outbound | TCP | Don't Care | PPTP (1723) | Range 0-65535 | —
RIP In | Inbound | UDP | — | RIP (520) | RIP (520) | —
RIP Out | Outbound | UDP | — | RIP (520) | RIP (520) | —
SSH In | Inbound | TCP | Don't Care | Range 0-65535 | SSH (22) | —
SSH Out | Outbound | TCP | Don't Care | SSH (22) | Range 0-65535 | —
Telnet/SSL In | Inbound | TCP | Don't Care | Range 0-65535 | Telnet/SSL (992) | —
Telnet/SSL Out | Outbound | TCP | Don't Care | Telnet/SSL (992) | Range 0-65535 | —
VCA In | Inbound | UDP | — | Range 0-65535 | 9023 | —
VCA Out | Outbound | UDP | — | 9023 | Range 0-65535 | —
VRRP In¹ | Inbound | Other 112 | — | — | — | —
VRRP Out¹ | Outbound | Other 112 | — | — | — | —
Figure 14-7 Configuration | Policy Management | Traffic Management | Rules Screen
Screen Elements
• Filter Rules — This list shows the configured rules that are available to apply to filters. The list shows the rule name and the action/direction in parentheses. The rules are listed in the order they are configured.
• Add — Click to configure a new rule. The Manager opens the Traffic Management | Rules | Add, Modify, or Copy screen.
• Modify — To modify a rule that has been configured, select the rule from the list and click Modify. The Manager opens the Traffic Management | Rules | Add, Modify, or Copy screen.
• Copy — To copy a configured rule, modify it, and save it with a new name, select the rule from the list and click Copy. See the Traffic Management | Rules | Add, Modify, or Copy screen.
• Delete — To delete a configured rule, select the rule from the list and click Delete.
  – If the rule is not being used in a filter, the Manager deletes the rule, refreshes the screen, and shows the remaining rules in the list. There is no confirmation or undo.
  – If the rule is being used in a filter, the Manager asks you to confirm the deletion. See the Traffic Management | Rules | Delete screen.
  – You cannot delete a rule that is configured as part of a LAN-to-LAN connection. See the IPSec | LAN-to-LAN | Add | Done screen.
Note
Deleting a rule deletes it from every filter that uses it and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Traffic Management | Assign Rules to Filter screen.
Traffic Management | Rules | Add, Modify, or Copy
These Manager screens let you:
• Add: Configure and add a new filter rule to the list of filter rules.
• Modify: Modify a previously configured filter rule.
• Copy: Copy a configured rule, modify its parameters, save it with a new name, and add it to the list of filter rules.
The VPN Concentrator applies rule parameters to data traffic (packets) in the order presented on this screen (from Protocol down) to see if they match. If all parameters match, the system takes the specified Action. If at least one parameter does not match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth.
Note
On the Modify screen, any changes take effect as soon as you click Apply. Changes affect all filters that use this rule. If this rule is being used by an active filter, changes might affect tunnel traffic.
Creating Rules for a Firewall Filter
If you are creating rules for a VPN Client firewall filter:
• Keep in mind that the VPN Concentrator pushes these rules down to the VPN Client, so you should create and define these rules relative to the VPN Client, not the VPN Concentrator. In this type of configuration, "in" and "out" refer to traffic inbound to and outbound from the VPN Client.
• When configuring firewall rules, be aware that the VPN Client integrated firewall is stateful only for TCP, UDP, and ICMP protocols. For all other protocols, it uses packet filtering.
• Two of the parameters on this screen are not relevant: TCP Connection and ICMP Packet Type. The VPN Client ignores these parameters.
• Choose either Drop or Forward from the Action drop-down menu. The other choices are not relevant to firewall configuration and the VPN Client ignores them.
For more information on configuring rules for VPN Client firewall filters, refer to the VPN Client Administrator Guide.
Figure 14-8 Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy Screen
Screen Elements
• Rule Name — Enter a unique name for this rule. Maximum is 48 characters.
• Direction — Click this drop-down menu button and choose the data direction to which this rule applies:
  – Inbound = Into the VPN Concentrator interface; or into the VPN tunnel from the remote client or host. (This is the default selection.)
  – Outbound = Out of the VPN Concentrator interface; or out of the VPN tunnel to the remote client or host.
Note
If you are configuring this rule to use for a VPN Client firewall filter, the direction is relative to the VPN Client, not the VPN Concentrator. For example, "Inbound" in a VPN Client firewall filter means into the VPN Client interface.
• Action — Click this drop-down menu button and choose the action to take if the data traffic (packet) matches all parameters that follow.
Note
If you are configuring this rule to use for a VPN Client firewall filter, you must choose either Drop or Forward.
  The choices are:
  – Drop = Discard the packet (the default choice).
  – Forward = Allow the packet to pass.
  – Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See Configuration | System | Events and see the following note.
  – Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See the following note.
  – Apply IPSec = Apply IPSec to the packet. Apply packet authentication, encryption, etc., in accordance with parameters that are specified in a Security Association. You must configure a Security Association if you choose this action. Also, you can assign an SA to this rule only if you choose this (or the following) action; see Configuration | Policy Management | Traffic Management | Security Associations. See the following note.
  – Apply IPSec and Log = Apply IPSec to the packet and log a filter debugging event (FILTERDBG event class). See the following notes.
Note
The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and might seriously degrade performance.
Note
The Apply IPSec actions are for LAN-to-LAN traffic only, not for remote-access traffic. Remote-access IPSec traffic is authenticated and encrypted in accordance with the SAs negotiated with the remote client (tunnel group) and user. In LAN-to-LAN connections, individual hosts on the LANs do not negotiate SAs. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN.
• Protocol or Other — This parameter refers to the IANA (Internet Assigned Numbers Authority) assigned protocol number in an IP packet. The descriptions include the IANA number, in brackets, for reference.
  Click the Protocol or Other drop-down menu button and choose the protocol to which this rule applies.
  – Any = Any protocol [255] (the default choice).
  – ICMP = Internet Control Message Protocol [1] (used by ping, for example). If you choose this protocol, you should also configure ICMP Packet Type.
  – TCP = Transmission Control Protocol [6] (connection-oriented, for example: FTP, HTTP, SMTP, and Telnet). If you choose this protocol, you should configure TCP Connection and TCP/UDP Source Port or Destination Port.
  – EGP = Exterior Gateway Protocol [8] (used for routing to exterior networks).
  – IGP = Interior Gateway Protocol [9] (used for routing within a domain).
  – UDP = User Datagram Protocol [17] (connectionless, for example: SNMP). If you choose this protocol, you should also configure TCP/UDP Source Port or Destination Port.
  – ESP = Encapsulation Security Payload [50] (applies to IPSec).
  – AH = Authentication Header [51] (applies to IPSec).
  – GRE = Generic Routing Encapsulation [47] (used by PPTP).
  – RSVP = Resource Reservation Protocol [46] (reserves bandwidth on routers).
  – IGMP = Internet Group Management Protocol [2] (used in multicasting).
  – OSPF = Open Shortest Path First [89] (interior routing protocol).
  – Other = Other protocol not listed here. If you choose Other here, you must enter the IANA-assigned protocol number in the Other field.
• TCP Connection — Click this drop-down menu button to choose whether this rule applies to packets from established TCP connections. For example, you might want a rule to forward only those TCP packets that originate from established connections on the public network interface, to provide maximum protection against "spoofing."
Note
Do not configure this field if you are using this rule for a client firewall filter.
  The choices are:
  – Established = Apply rule to packets from established TCP connections only.
  – Don't Care = Apply rule to any TCP packets, whether from established connections or new connections (the default choice).
• Source Address — Specify the packet source address that this rule checks (the address of the sender).
• Source Address Network List — Click this drop-down menu button and choose the configured network list that specifies the source addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose Use IP Address/Wildcard-mask, which lets you enter a network address.
  If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.
Note
An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
  0.0.0.0/255.255.255.255 = any address
  10.10.1.35/0.0.0.0 = only 10.10.1.35
  10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
• Source Address IP Address — Enter the source IP address. Default is 0.0.0.0.
• Source Address Wildcard-mask — Enter the source address wildcard mask. Default is 255.255.255.255.
• Destination Address — Specify the packet destination address that this rule checks (the address of the recipient).
• Destination Address Network List — Click this drop-down menu button and choose the configured network list that specifies the destination addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose Use IP Address/Wildcard-mask, which lets you enter a network address.
  If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the preceding wildcard mask note.
• Destination Address IP Address — Enter the destination IP address. The default value is 0.0.0.0.
• Destination Address Wildcard-mask — Enter the destination address wildcard mask. The default value is 255.255.255.255.
•
TCP/UDP Source Port — If you chose TCP or UDP under Protocol, choose the source port number that this rule checks.
Many different protocols or processes run in TCP or UDP environments, and each TCP or UDP process running on a network host is assigned a port number. Thus an IP address plus a port number uniquely identifies a process on a network host. Only TCP and UDP protocols use port numbers. The Internet Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Registered Ports are those from 1024 through 49151; and the Dynamic ports are those from 49152 through 65535.
Click this drop-down menu button and choose the process (port number):
–
ECHO (7) = Used by ping for network testing.
–
DISCARD (9) = Used for network debugging and measurement.
–
FTP-DATA (20) = File Transfer Protocol, data port.
–
FTP (21) = File Transfer Protocol, control port.
–
SSH (22) = Secure Shell Protocol.
–
TELNET (23) = Terminal emulation.
–
SMTP (25) = Simple Mail Transfer Protocol.
–
DNS (53) = Domain Name System.
–
TFTP (69) = Trivial File Transfer Protocol.
–
FINGER (79) = Network user inquiry.
–
HTTP (80) = Hypertext Transfer Protocol.
–
POP3 (110) = Post Office Protocol, version 3.
–
NNTP (119) = Network News Transfer Protocol.
–
NTP (123) = Network Time Protocol.
–
NetBIOS Name Service (137) = Network Basic Input Output System, host name assignment.
–
NetBIOS (138) = NetBIOS datagram service.
–
NetBIOS Session (139) = NetBIOS session management.
–
IMAP (143) = Internet Mail Access Protocol.
–
SNMP (161) = Simple Network Management Protocol.
–
SNMP-TRAP (162) = SNMP event or trap handling.
–
BGP (179) = Border Gateway Protocol.
–
LDAP (389) = Lightweight Directory Access Protocol.
–
HTTPS (443) = HTTP over a secure session (TLS/SSL).
–
SMTPS (465) = SMTP over a secure session (TLS/SSL).
–
IKE (500) = Internet Key Exchange Protocol (was ISAKMP/Oakley).
–
SYSLOG (514) = UNIX syslog server (UDP only).
–
RIP (520) = Routing Information Protocol (UDP only).
–
NNTPS (563) = NNTP over a secure session (TLS/SSL).
–
LDAP/SSL (636) = LDAP over a secure session (TLS/SSL).
–
Telnet/SSL (992) = Telnet over a secure session (TLS/SSL).
–
LapLink (1547) = Remote file management and mail.
–
L2TP (1701) = Layer 2 Tunneling Protocol.
–
PPTP (1723) = Point-to-Point Tunneling Protocol.
–
NAT-T (4500) = NAT Traversal.
•
TCP/UDP Source Port Range — To specify a range of port numbers, or to specify a port not on the Cisco-supplied list, select Range (the default selection) in the drop-down list box and enter—in the Range [start] to [end] fields—the inclusive range of port numbers to which this rule applies. To specify a single port number, enter the same number in both fields. Defaults are 0 to 65535 (all ports). The Range fields are ignored if you choose a specific port from the drop-down list.
•
TCP/UDP Destination Port — If you chose TCP or UDP under Protocol, choose the destination port number that this rule checks. See the preceding explanation of port numbers under TCP/UDP Source Port.
•
TCP/UDP Destination Range — Specify a range of port numbers as described for TCP/UDP Source Port Range.
•
ICMP Packet Type — If you selected ICMP under Protocol, enter the range of ICMP packet type numbers to which this rule applies. To specify a single packet type, enter the same number in both fields. Defaults are 0 to 255 (all packet types). For example, to specify the Timestamp and Timestamp Reply types only, enter 13 to 14.
Note
Do not configure this field if you are using this rule for a client firewall filter.
The ICMP protocol has many messages that are identified by a type number. For example:
–
0 = Echo Reply
–
8 = Echo
–
13 = Timestamp
–
14 = Timestamp Reply
–
17 = Address Mask Request
–
18 = Address Mask Reply
The IANA manages these ICMP type numbers.
•
Add / Apply — To add this rule to the list of configured filter rules, click Add. Or to apply your changes to this rule, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If the rule is being used by an active filter, changes might affect tunnel traffic. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen. Any new rule appears in the Filter Rules list.
•
Cancel — Click to discard your entries. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.
Traffic Management | Rules | Delete
This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.
Figure 14-9 Configuration | Policy Management | Traffic Management | Rules | Delete Screen
Note
The Manager deletes the rule from the filter as soon as you click Yes. If this rule is being used by an active filter, deletion might affect data traffic.
Screen Elements
•
Yes — Click to delete this rule from all filters that use it, and delete it from the active configuration. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen and shows the remaining rules in the Filter Rules list.
•
No — Click to not delete this rule. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.
Traffic Management | Security Associations
This section of the Manager lets you add, configure, modify, and delete Security Associations (SAs). SAs apply only to IPSec tunnels. During tunnel establishment the two parties negotiate Security Associations that govern authentication, encryption, encapsulation, key management, etc. In other words, while rules and filters specify what traffic to manage, SAs tell how to do it.
IPSec configurations actually involve two SA negotiation phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA). You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals, or click the IKE Proposals link on this screen.
You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN. You also apply SAs to groups and users, for remote-access traffic, under the IPSec Parameters section on the appropriate Configuration | User Management screens.
You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways"). The instructions in this section, however, assume peer VPN Concentrators.
The Cisco VPN Client supports these IPSec attributes:
•
Main mode for negotiating phase one ISAKMP SAs when using digital certificates for authentication
•
Aggressive mode for negotiating phase one ISAKMP SAs when using preshared keys for authentication
•
Authentication Algorithms:
–
ESP-MD5-HMAC-128
–
ESP-SHA1-HMAC-160
•
Authentication Modes:
–
Preshared Keys
–
X.509 Digital Certificates
•
Diffie-Hellman Groups 1, 2, and 5
•
Encryption Algorithms:
–
DES-56
–
3DES-168
–
AES-128
–
AES-192
–
AES-256
–
ESP-NULL
Note
AES encryption algorithms work only with VPN Concentrator software versions 3.6 and later.
•
Extended Authentication (XAuth)
•
Mode Configuration (also known as ISAKMP Configuration Method)
•
Tunnel Encapsulation Mode
•
IP compression (IPComp) using LZS
Figure 14-10 Configuration | Policy Management | Traffic Management | Security Associations Screen
Screen Elements
•
IPSec SAs — This list shows the configured SAs that are available. The SAs are listed in alphabetical order.
Cisco supplies default SAs that you can use or modify; see Table 14-2 and Table 14-3. See the Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify section for explanations of the parameters.
Table 14-2 Cisco-Supplied Default Security Associations, Part 1
Parameter \ SA Name | ESP-DES-MD5 | ESP-3DES-MD5 | ESP/IKE-3DES-MD5 | ESP-3DES-NONE
Inheritance | From Rule | From Rule | From Rule | From Rule
IPSec Parameters: | | | |
Authentication Algorithm | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | None
Encryption Algorithm | DES-56 | 3DES-168 | 3DES-168 | 3DES-168
Encapsulation Mode | Tunnel | Tunnel | Tunnel | Tunnel
Perfect Forward Secrecy | Disabled | Disabled | Disabled | Disabled
Lifetime Measurement | Time | Time | Time | Time
Data Lifetime | 10000 KB | 10000 KB | 10000 KB | 10000 KB
Time Lifetime | 28800 sec | 28800 sec | 28800 sec | 28800 sec
IKE Parameters: | | | |
IKE Peer | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0
Negotiation Mode | Main | Main | Main | Main
Digital Certificate | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys)
IKE Proposal | IKE-DES-MD5 | IKE-DES-MD5 | IKE-3DES-MD5 | IKE-3DES-MD5
Table 14-3 Cisco-Supplied Default Security Associations, Part 2
Parameter \ SA Name | ESP-L2TP-TRANSPORT | ESP-3DES-MD5-DH7 | ESP-3DES-MD5-DH5 | ESP-AES-128-SHA
Inheritance | From Rule | From Rule | Rule | Rule
IPSec Parameters: | | | |
Authentication Algorithm | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/MD5/HMAC-128 | ESP/SHA1/HMAC-160
Encryption Algorithm | DES-56 | 3DES-168 | 3DES-168 | AES-128
Encapsulation Mode | Transport | Tunnel | Tunnel | Tunnel
Perfect Forward Secrecy | Disabled | Disabled | Disabled | Disabled
Lifetime Measurement | Time | Time | Time | Time
Data Lifetime | 10000 KB | 10000 KB | 10000 KB | 10000 KB
Time Lifetime | 3600 sec | 28800 sec | 28800 sec | 28800 sec
IKE Parameters: | | | |
IKE Peer | 0.0.0.0 | 0.0.0.0 | 0.0.0.0 | 0.0.0.0
Negotiation Mode | Main | Aggressive | Aggressive | Aggressive
Digital Certificate | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys) | None (Use Preshared Keys)
IKE Proposal | IKE-3DES-MD5 | IKE-3DES-MD5-DH7 | CiscoVPNClient-3DES-MD5-DH5 | CiscoVPNClient-AES128-SHA
•
Add — To configure a new SA, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify screen.
•
Modify — To modify an SA that has been configured, select the SA from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify screen.
•
Delete — To delete a configured SA, select the SA from the list and click Delete.
–
If the SA has not been assigned to a filter rule—even if it has been assigned to a group or user—the Manager deletes the SA, refreshes the screen, and shows the remaining SAs in the list. There is no confirmation or undo.
–
If the SA has been assigned to a filter rule, the Manager asks you to confirm the deletion. See the Configuration | Policy Management | Traffic Management | Security Associations | Delete screen.
–
You cannot delete an SA that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Done screen.
Traffic Management | Security Associations | Add or Modify
These screens let you:
•
Add: Configure and add a new Security Association to the list of configured SAs.
•
Modify: Modify a configured Security Association.
Note
On the Modify screen, any changes take effect as soon as you click Apply. If the SA is being used by an active filter rule or group, changes might affect tunnel traffic.
Figure 14-11 Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify Screen
About IPSec Parameters
These parameters apply to IPSec SAs, which are Phase 2 SAs negotiated under IPSec, where the two parties establish conditions for use of the tunnel.
About IKE Parameters
These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information under the IKE (Internet Key Exchange) protocol (formerly called ISAKMP/Oakley).
All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA parameters must be the same on all SAs.
For best performance and interoperability, we strongly recommend that you use the default parameters where appropriate.
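The peer-consistency rules just stated (IKE parameters identical on both parties, IKE Peer entries mirroring each other, and one set of IKE SA parameters for all IPSec SAs between the same two peers) are easy to get wrong when two concentrators are administered separately. The following is an added example, not code from the Cisco manual or the VPN Concentrator, that checks a local/remote SA pair and a list of SAs against those rules, plus the SA Name and lifetime ranges this screen enforces. The dictionary field names and the sample records (built from the ESP-3DES-MD5 column of Table 14-2, with two deliberate errors on the remote side) are this example's own constructions.

```python
"""Consistency checks for LAN-to-LAN Security Associations.

Added example, not part of the Cisco manual. It encodes the rules this
section states: the IKE parameters of an SA must be configured identically
on both peers, except IKE Peer, whose entries must mirror each other
(each side enters the other's public interface address); every IPSec SA
used between the same two IKE peers must carry the same IKE SA parameters;
and a Time Lifetime below 60 seconds or a Data Lifetime below 100 KB is
out of range (maximum 2147483647 for both). The SA dictionaries are
constructed sample data modelled on the ESP-3DES-MD5 column of Table 14-2,
not a configuration export; the field names are this example's own.
"""

IKE_PARAMS = ("negotiation_mode", "digital_certificate", "ike_proposal")
# The Phase 2 transform must also agree or the IPSec SA cannot be negotiated.
IPSEC_PARAMS = ("authentication_algorithm", "encryption_algorithm",
                "encapsulation_mode", "pfs")
MAX_LIFETIME = 2147483647


def validate_sa(sa: dict) -> list:
    """Range checks on one SA; returns a list of problem strings."""
    problems = []
    if not 1 <= len(sa["name"]) <= 48:
        problems.append(f"{sa['name']!r}: SA Name must be 1 to 48 characters")
    measure = sa["lifetime_measurement"]
    if measure in ("Data", "Both") and not 100 <= sa["data_lifetime_kb"] <= MAX_LIFETIME:
        problems.append(f"{sa['name']}: Data Lifetime must be 100..{MAX_LIFETIME} KB")
    if measure in ("Time", "Both") and not 60 <= sa["time_lifetime_sec"] <= MAX_LIFETIME:
        problems.append(f"{sa['name']}: Time Lifetime must be 60..{MAX_LIFETIME} seconds")
    return problems


def check_peer_pair(local: dict, remote: dict, local_ip: str, remote_ip: str) -> list:
    """Compare the SA on this concentrator with its counterpart on the peer."""
    problems = validate_sa(local) + validate_sa(remote)
    for key in IKE_PARAMS + IPSEC_PARAMS:
        if local[key] != remote[key]:
            problems.append(f"{key}: local={local[key]!r} remote={remote[key]!r}")
    # IKE Peer must mirror: each side names the other's public interface.
    if local["ike_peer"] != remote_ip or remote["ike_peer"] != local_ip:
        problems.append("IKE Peer entries do not mirror each other")
    return problems


def check_same_peer_ike(sas: list) -> list:
    """All IPSec SAs pointing at one IKE Peer must share their IKE SA parameters."""
    problems, first_seen = [], {}
    for sa in sas:
        ike = tuple(sa[k] for k in IKE_PARAMS)
        ref_name, ref_ike = first_seen.setdefault(sa["ike_peer"], (sa["name"], ike))
        if ike != ref_ike:
            problems.append(f"{sa['name']} and {ref_name} both target "
                            f"{sa['ike_peer']} with different IKE parameters")
    return problems


def default_sa(name: str, peer: str) -> dict:
    """ESP-3DES-MD5 values from Table 14-2 (constructed sample record)."""
    return {"name": name, "inheritance": "From Rule",
            "authentication_algorithm": "ESP/MD5/HMAC-128",
            "encryption_algorithm": "3DES-168", "encapsulation_mode": "Tunnel",
            "pfs": "Disabled", "lifetime_measurement": "Time",
            "data_lifetime_kb": 10000, "time_lifetime_sec": 28800,
            "ike_peer": peer, "negotiation_mode": "Main",
            "digital_certificate": "None (Use Preshared Keys)",
            "ike_proposal": "IKE-DES-MD5"}


LOCAL_IP, REMOTE_IP = "198.51.100.1", "203.0.113.1"   # constructed (RFC 5737 ranges)


def demo() -> list:
    """Two deliberate errors on the remote side: a mode mismatch and a lifetime below the minimum."""
    local = default_sa("L2L-to-branch", REMOTE_IP)
    remote = default_sa("L2L-to-hq", LOCAL_IP)
    remote["negotiation_mode"] = "Aggressive"
    remote["time_lifetime_sec"] = 30
    return check_peer_pair(local, remote, LOCAL_IP, REMOTE_IP)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against exported settings from both concentrators, demo() reports exactly the two planted faults; check_same_peer_ike() is the check to run over the whole IPSec SAs list whenever more than one SA is built toward the same peer.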
Screen Elements
•
SA Name — Enter a unique name for this Security Association. Maximum is 48 characters.
•
Inheritance — Click this drop-down menu button to specify the granularity, or how many tunnels to build for this connection. Each tunnel uses a unique key.
–
From Rule = One tunnel for each rule in the connection. A rule can specify multiple networks, thus many hosts can use the same tunnel. This is the default—and recommended—selection.
–
From Data = One tunnel for every address pair within the address ranges specified in the rule. Each host uses a separate tunnel, and hence, separate keys. This selection is more secure but requires more processing overhead.
•
Authentication Algorithm — This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that data comes from whom you think it comes from; it is often referred to as "data integrity" in VPN literature. The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication.
Click this drop-down menu button and choose the algorithm:
–
None = No data authentication.
–
ESP/MD5/HMAC-128 = ESP protocol using HMAC (Hashed Message Authentication Coding) with the MD5 hash function using a 128-bit key. This is the default selection.
–
ESP/SHA/HMAC-160 = ESP protocol using HMAC with the SHA-1 hash function using a 160-bit key. This selection is more secure but requires more processing overhead.
•
Encryption Algorithm — This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.
Click this drop-down menu button and choose the algorithm:
–
Null = No packet encryption.
–
DES-56 = Use DES encryption with a 56-bit key.
–
3DES-168 = Use Triple-DES encryption with a 168-bit key. This algorithm is the default.
–
AES-128 = Use AES encryption with a 128-bit key.
–
AES-192 = Use AES encryption with a 192-bit key.
–
AES-256 = Use AES encryption with a 256-bit key. This algorithm is the most secure.
•
Encapsulation Mode — This parameter specifies the mode for applying ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied.
Click this drop-down menu button and choose the mode:
–
Tunnel = Apply ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses. This is the default selection, and it is the most secure.
–
Transport = Apply ESP encryption and authentication only to the transport layer segment (data only) of the original IP packet. This mode protects packet contents but not the ultimate source and destination addresses. Use this mode for Windows 2000 client compatibility.
•
Perfect Forward Secrecy — This parameter specifies whether to use Perfect Forward Secrecy, and the size of the numbers to use, in generating Phase 2 IPSec keys. Perfect Forward Secrecy is a cryptographic concept where each new key is unrelated to any previous key. In IPSec negotiations, Phase 2 keys are based on Phase 1 keys unless Perfect Forward Secrecy is specified. Perfect Forward Secrecy uses Diffie-Hellman techniques to generate the keys.
Click this drop-down menu button and choose the Perfect Forward Secrecy option:
–
Disabled = Do not use Perfect Forward Secrecy. IPSec session keys are based on Phase 1 keys. This is the default choice.
–
Group 1 (768-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 1 to generate IPSec session keys, where the prime and generator numbers are 768 bits. This option is more secure but requires more processing overhead.
–
Group 2 (1024-bits) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 2 to generate IPSec session keys, where the prime and generator numbers are 1024 bits. This option is more secure than Group 1 but requires more processing overhead.
–
Group 7 (ECC) = Use Perfect Forward Secrecy, and use Diffie-Hellman Group 7 (ECC) to generate IPSec session keys, where the elliptic curve field size is 163 bits. This option is the fastest and requires the least overhead. It is intended for use with the movianVPN client, but you can use it with any peers that support Group 7 (ECC).
•
Lifetime Measurement — This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.
Note
If the peer proposes a shorter lifetime measurement, the VPN Concentrator uses that lifetime measurement instead.
Click this drop-down menu button and choose the measurement method:
–
Time = Use time (seconds) to measure the lifetime of the SA (the default). Configure the Time Lifetime parameter.
–
Data = Use data (number of kilobytes) to measure the lifetime of the SA. Configure the Data Lifetime parameter.
–
Both = Use both time and data, whichever occurs first, to measure the lifetime. Configure both Time Lifetime and Data Lifetime parameters.
–
None = No lifetime measurement. The SA lasts until terminated for other reasons. It lasts a maximum of 86400 seconds (24 hours).
•
Data Lifetime — If you chose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.
•
Time Lifetime — If you chose Time or Both under Lifetime Measurement, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is 2147483647 seconds (about 68 years).
•
Connection Type — (This field appears only when this SA is used in a LAN-to-LAN connection, and it appears only on the Security Associations | Modify page, not on the Security Associations | Add page.) View this field to determine the role of this VPN Concentrator in establishing the IKE tunnel of the LAN-to-LAN connection that uses this SA. This field is read-only.
–
Bi-Directional: This VPN Concentrator can either initiate or accept IKE tunnels.
–
Answer-Only: This VPN Concentrator only accepts IKE tunnels. It does not initiate them.
–
Originate-Only: This VPN Concentrator only initiates IKE tunnels. It does not accept them.
To configure the Connection Type, see Connection Type on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify screen.
•
IKE Peer(s) — This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN configurations.
On the Configuration | Policy Management | Traffic Management | Security Associations | Modify page, this field is read-only.
Enter the IP address of the remote peer VPN Concentrator. This must be the IP address of the public interface on the peer VPN Concentrator.
This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify screen, the Manager automatically creates a group with the Peer IP address as the Group Name. See Configuration | User Management for information on groups.
When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator. The entries must mirror each other.
•
Negotiation Mode — This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates.
Click this drop-down menu button and choose the mode:
–
Aggressive = A faster mode using fewer packets and fewer exchanges, but which does not protect the identity of the communicating parties.
–
Main = A slower mode using more packets and more exchanges, but which protects the identities of the communicating parties. This mode is more secure and it is the default selection.
•
Digital Certificate — This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management.
Click this drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus None (Use Preshared Keys), which authenticates the peer with preshared keys during Phase 1 IKE negotiations. None (Use Preshared Keys) is the default selection.
•
Certificate Transmission — If you configured authentication using digital certificates, choose the type of certificate transmission.
–
Entire certificate chain = Send the peer the identity certificate and all issuing certificates. Issuing certificates include the root certificate and any subordinate CA certificates.
–
Identity certificate only = Send the peer only the identity certificate.
•
IKE Proposal — This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates. As an IPSec responder, the VPN Concentrator checks all active IKE proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA. You must configure, activate, and prioritize IKE proposals before configuring SAs.
Click this drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are listed in the table below. The DH column refers to the Diffie-Hellman group used for SA key generation.
Note
The IKE-3DES-MD5-DH7 proposal is intended for use with the movianVPN client; it can also be used with any peer that supports ECC groups for Diffie-Hellman key generation.
Table 14-4 Default IKE Proposals
Proposal | Encryption | Authentication (algorithm) | Authentication (mode) | DH
Cisco VPN Client-3DES-MD5 [1] | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys (XAUTH) [2] | 2
IKE-3DES-MD5 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 2
IKE-3DES-MD5-DH1 [3] | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 1
IKE-DES-MD5 [3] | DES 56-bit | MD5/HMAC-128 | pre-shared keys | 1
IKE-3DES-MD5-DH7 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys | 7
IKE-3DES-MD5-RSA | 3DES 168-bit | MD5/HMAC-128 | RSA signatures | 2
Cisco VPN Client-3DES-MD5-DH5 | 3DES 168-bit | MD5/HMAC-128 | pre-shared keys (XAUTH) [2] | 5
Cisco VPN Client-AES128-SHA | AES 128-bit | SHA/HMAC-160 | pre-shared keys (XAUTH) [2] | 2
IKE-AES128-SHA | AES 128-bit | SHA/HMAC-160 | pre-shared keys | 2
•
Add / Apply — To add this Security Association to the list of configured SAs, click Add. Or to apply your changes to this Security Association, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If this SA is being used by an active filter rule or group, changes might affect tunnel traffic. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen. Any new SA appears at the bottom of the IPSec SAs list.
•
Cancel — To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.
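The Perfect Forward Secrecy parameter above says that Phase 2 keys are based on Phase 1 keys unless PFS is enabled. The following added example (not Cisco's code and not the concentrator's implementation) shows concretely what that means, using the IKEv1 Quick Mode key derivation from RFC 2409 section 5.5: without PFS, KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), so anyone holding the Phase 1 secret SKEYID_d can recompute every Phase 2 key from values visible on the wire; with PFS a fresh Diffie-Hellman secret g(qm)^xy is prepended to the prf input, and the Phase 1 secret alone no longer determines the key. The prf is HMAC-SHA1 (as for a SHA proposal), and the Diffie-Hellman group is a constructed toy group so the block runs instantly; the concentrator's Group 1 and Group 2 use 768-bit and 1024-bit MODP primes and Group 7 a 163-bit elliptic curve.

```python
"""Phase 2 (IPsec SA) keying with and without Perfect Forward Secrecy.

Added example, not Cisco's code. It follows the IKEv1 Quick Mode key
derivation in RFC 2409 section 5.5. The Diffie-Hellman group below is a
constructed toy group (the Mersenne prime 2^127-1, generator 5) standing in
for the real Oakley groups the concentrator offers.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1            # constructed toy modulus (prime), NOT an Oakley group
G = 5
PROTO_IPSEC_ESP = b"\x03"  # protocol identifier for ESP (RFC 2407)


def dh_keypair() -> tuple:
    """Fresh private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> bytes:
    """g^xy mod p as a fixed-width byte string."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA proposal: HMAC-SHA1 keyed with SKEYID_d."""
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy: bytes = None) -> bytes:
    """First KEYMAT block per RFC 2409 5.5 (longer keys chain further prf calls).
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)."""
    data = (gxy if gxy is not None else b"") + PROTO_IPSEC_ESP + spi + ni + nr
    return prf(skeyid_d, data)


def quick_mode(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, pfs: bool) -> tuple:
    """One Quick Mode keying; returns (initiator_keymat, responder_keymat)."""
    if not pfs:
        k = keymat(skeyid_d, spi, ni, nr)
        return k, k
    xi, gi = dh_keypair()          # initiator's fresh exponent and KE payload
    xr, gr = dh_keypair()          # responder's fresh exponent and KE payload
    return (keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr)),
            keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gi)))


def phase1_secret_determines_keymat(pfs: bool) -> bool:
    """Replay the same Phase 1 secret and the same visible Quick Mode values twice.

    Without PFS the Phase 2 key is a pure function of SKEYID_d and the
    on-the-wire SPI and nonces, so a compromised Phase 1 secret yields every
    Phase 2 key. With PFS each run draws new DH exponents, and the keys differ
    even though SKEYID_d, SPI and nonces are identical."""
    skeyid_d = secrets.token_bytes(20)     # constructed Phase 1 secret
    spi = b"\x12\x34\x56\x78"              # constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    first = quick_mode(skeyid_d, spi, ni, nr, pfs)
    second = quick_mode(skeyid_d, spi, ni, nr, pfs)
    assert first[0] == first[1] and second[0] == second[1]   # peers always agree
    return first[0] == second[0]


if __name__ == "__main__":
    print("PFS disabled: Phase 1 secret determines Phase 2 key:",
          phase1_secret_determines_keymat(False))
    print("PFS enabled:  Phase 1 secret determines Phase 2 key:",
          phase1_secret_determines_keymat(True))
```

The function phase1_secret_determines_keymat() is the whole point: it returns True with PFS disabled (the default in Tables 14-2 and 14-3) and False with any PFS group selected, which is the property that justifies the extra Diffie-Hellman exchange and its processing overhead on every IPSec SA rekey.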
Traffic Management | Security Associations | Delete
This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, deletes the SA from all rules that use it, and removes those rules from filters.
Figure 14-12 Configuration | Policy Management | Traffic Management | Security Associations | Delete Screen
Note
The Manager deletes the SA as soon as you click Yes. If this SA is being used by an active filter, deletion might affect tunnel traffic.
Screen Elements
•
Yes — Click to delete this SA from all rules that use it, and delete it from the active configuration. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen and shows the remaining SAs in the IPSec SAs list.
•
No — Click to cancel deleting this SA. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | Filters
This section of the Manager lets you add, configure, modify, copy, and delete filters, and assign rules to filters.
Filters consist of rules. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.
Configuring a filter involves two steps:
Step 1
Configure the basic filter parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter.
Step 2
Assign rules to a filter by clicking Assign Rules to Filter.
You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they govern all traffic through an interface. You also apply filters to groups and users under Configuration | User Management, and thus govern tunneled traffic through an interface.
Caution 
The Cisco-supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs. If left in their default configuration or if incorrectly configured, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter, which allows only tunneled and ICMP traffic.
Upgrading Affects HTTPS Filters
You must make important changes when upgrading from Release 4.0 to ensure the security of HTTPS filters.
The 4.0 VPN Concentrator enforces filter rules as follows:
•
Rule 1. Allow HTTPS In/Out for PC 1.
•
Rule 2. Drop all other HTTPS traffic (the default action).
When you upgrade to Release 4.7 (or Release 4.1) from Release 4.0 and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:
•
Rule 1. Allow HTTPS in/out for PC 1.
•
Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
•
Rule 3. Drop all other HTTPS traffic (the default action).
Rule 2 prevents Rule 3 from ever being enforced. Any PC on the public network can HTTPS in or out of the VPN Concentrator.
With Release 4.1 and later you must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:
•
Rule 1. Allow HTTPS In/Out for PC 1.
•
Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).
•
Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.
•
Rule 4. Drop all other HTTPS traffic (the default action).
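The ordering problem described in this section is a property of how a filter evaluates its rules (first full match wins, then the Default Action), combined with the rule parameters described under Rules | Add, Modify, or Copy: wildcard-masked addresses, inclusive port ranges and ICMP type ranges. The following is an added example, not code from Cisco or the VPN Concentrator, that models those semantics and replays the three configurations above: the Release 4.0 filter, the same filter after the upgrade, and the corrected filter with the explicit "Disallow every other PC" rule. Cisco wildcard masks are interpreted as 0 bits must match and 1 bits are ignored, so 0.0.0.0/255.255.255.255 matches every address. The implicit Release 4.1+ "Allow Management HTTPS sessions" rule is modelled as an assumed flag consulted after the configured rules and before the default action; the IP addresses are constructed sample values.

```python
"""Model of how a VPN 3000 filter evaluates its rules (added example, not
Cisco's code). Rules are checked in filter order; the first rule whose
parameters all match decides the packet, otherwise the filter's Default
Action applies. The implicit Release 4.1+ "Allow Management HTTPS sessions"
rule is modelled as an assumed flag consulted after the configured rules."""
from dataclasses import dataclass
from ipaddress import IPv4Address

FORWARD, DROP = "Forward", "Drop"


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)


@dataclass
class Packet:
    protocol: str        # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: int = 0       # TCP/UDP only
    dport: int = 0
    icmp_type: int = 0   # ICMP only


@dataclass
class Rule:
    name: str
    action: str
    protocol: str = "Any"
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    sport: tuple = (0, 65535)   # inclusive, like the Range [start] to [end] fields
    dport: tuple = (0, 65535)
    icmp: tuple = (0, 255)      # ICMP Packet Type range

    def matches(self, p: Packet) -> bool:
        """True only if every configured parameter matches the packet."""
        if self.protocol != "Any" and self.protocol != p.protocol:
            return False
        if not (wildcard_match(p.src, self.src, self.src_wild)
                and wildcard_match(p.dst, self.dst, self.dst_wild)):
            return False
        if p.protocol in ("TCP", "UDP"):
            return (self.sport[0] <= p.sport <= self.sport[1]
                    and self.dport[0] <= p.dport <= self.dport[1])
        if p.protocol == "ICMP":
            return self.icmp[0] <= p.icmp_type <= self.icmp[1]
        return True


@dataclass
class Filter:
    rules: list
    default_action: str = DROP
    allow_mgmt_https: bool = False   # assumption: models the implicit 4.1+ rule

    def evaluate(self, p: Packet) -> tuple:
        """Return (action, name of the rule that decided it)."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.name
        if self.allow_mgmt_https and p.protocol == "TCP" and p.dport == 443:
            return FORWARD, "Allow Management HTTPS sessions (implicit)"
        return self.default_action, "default action"


# Constructed sample addresses (RFC 5737 documentation ranges).
PC1, OTHER_PC, CONCENTRATOR = "192.0.2.10", "192.0.2.77", "198.51.100.1"

ALLOW_PC1 = Rule("Rule 1: Allow HTTPS In for PC 1", FORWARD, "TCP",
                 src=PC1, src_wild="0.0.0.0", dport=(443, 443))
DENY_REST = Rule("Rule 2: Disallow every other PC", DROP, "TCP",
                 dport=(443, 443))          # source 0.0.0.0/255.255.255.255


def https_in(src: str) -> Packet:
    """An inbound HTTPS connection attempt to the concentrator's public interface."""
    return Packet("TCP", src, CONCENTRATOR, sport=51000, dport=443)


def release_40_filter() -> Filter:
    return Filter([ALLOW_PC1])                          # default Drop catches the rest


def release_41_unchanged_filter() -> Filter:
    return Filter([ALLOW_PC1], allow_mgmt_https=True)   # the exposure after upgrading


def release_41_fixed_filter() -> Filter:
    return Filter([ALLOW_PC1, DENY_REST], allow_mgmt_https=True)


if __name__ == "__main__":
    for label, f in (("4.0", release_40_filter()),
                     ("4.1+ unchanged", release_41_unchanged_filter()),
                     ("4.1+ with explicit deny", release_41_fixed_filter())):
        print(f"{label}: PC1 -> {f.evaluate(https_in(PC1))[0]}, "
              f"other PC -> {f.evaluate(https_in(OTHER_PC))[0]}")
```

The middle case is the one the section warns about: with only Rule 1 configured, a connection from any other public address falls through to the implicit management rule and is forwarded, and the Default Action never runs. Adding the explicit deny restores the 4.0 behaviour because it is evaluated before the implicit rule.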
Filters Screen
On this screen you configure only the filters stored on the VPN Concentrator itself. You can also configure filters on an external RADIUS server for use on the VPN Concentrator. For more information on configuring external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.
Figure 14-13 Configuration | Policy Management | Traffic Management | Filters Screen
Screen Elements
•
Filter List — The Filter List shows configured filters, listed in alphabetical order.
Cisco supplies default filters that you can use and modify; see Table 14-5 for a list of the default settings for the Cisco-supplied filters.
Table 14-5 Cisco-Supplied Default Filters
Filter Name | Default Action | Source Routing | Fragments | Current Forwarding Rules in Filter (In) | Current Forwarding Rules in Filter (Out)
Private (Default) | Drop | No | Yes | Any In | Any Out
Public (Default) | Drop | No | Yes | GRE In, IPSEC-ESP In, IKE In, PPTP In, L2TP In, ICMP In, VRRP In | GRE Out, IKE Out, PPTP Out, L2TP Out, ICMP Out, VRRP Out
External (Default) | Drop | No | Yes | - Empty - |
Firewall Filter for VPN Clients (Default) | Drop | N/A | N/A | | Any Out
•
Add Filter — Click to configure and add a new filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy screen. The Manager then automatically lets you assign rules to the filter.
•
Assign Rules to Filter — To assign or change rules in a configured filter, select the filter from the list and click Assign Rules to Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.
•
Modify Filter — Click to modify the basic parameters—but not the rules—for a filter that has been configured. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy screen.
•
Copy Filter — Click to create a new filter by copying the basic parameters and rules from a filter that has been configured. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy screen.
•
Delete Filter — To delete a configured filter, select the filter from the list and click Delete Filter. See the following note. The Manager refreshes the screen and shows the remaining entries in the Filter List.
Note
You cannot delete a filter that has been applied to an interface. If you try to do so, the Manager displays an error message.
You can delete a filter that has been applied to a group or user, and there is no confirmation or undo. Doing so might affect their use of the VPN.
Traffic Management | Filters | Add, Modify, or Copy
These screens let you:
•
Add: Configure the basic parameters for a new filter and add it to the list.
•
Modify: Modify the basic parameters for a configured filter.
•
Copy: Create a new filter that is a copy of a configured filter, and configure its basic parameters. The copy also includes all the rules and SAs of the original filter except rules with an Apply IPSec action.
You configure the rules in a filter on the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.
Note
On the Modify screen, any changes take effect as soon as you click Apply. If this filter is being used by an interface or group, changes might affect data traffic.
Figure 14-14 Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy Screen
Screen Elements
•
Filter Name — Enter a unique name for this filter. Maximum is 48 characters.
•
Default Action — Click this drop-down menu button and choose the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:
–
Drop = Discard the packet (the default choice).
–
Forward = Allow the packet to pass.
–
Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See Configuration | System | Events and see the following note.
–
Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See the following note.
Note
The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and might seriously degrade performance.
•
Source Routing — Check this box to allow IP source routed packets to pass. A source routed packet specifies its own route through the network and does not rely on the system to control forwarding. This box is unchecked by default, because source-routed packets can present a security risk.
•
Fragments — Check this box to allow fragmented IP packets to pass. Large data packets might be fragmented on their journey through networks, and the destination system reassembles them. While you would normally allow fragmented packets to pass, you might disallow them if you suspect a security problem. This box is checked by default.
•
Description — Enter a description of this filter. This optional field is a convenience for you or other administrators; use it to describe the purpose or use of the filter. Maximum is 255 characters.
•
Add (Add screen) — Click to add this filter to the list of filters. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.
•
Apply (Modify screen) — To apply your changes to this filter, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the modified filter appears in same location in the Filter List. Any changes take effect as soon as you click Apply. If this filter is being used by an active interface or group, changes might affect data traffic.
•
Apply (Copy screen) — To apply your settings and add this filter to the list of filters, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the new filter appears in the Filter List. To assign or change rules on the filter, select the filter from the list and click Assign Rules to Filter.
•
Cancel — To discard your changes, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the Filter List is unchanged.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | Assign Rules to Filter
This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign security associations to rules that are configured with an Apply IPSec action.
A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a rule matches, the system takes the Action specified in the rule. If not, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.
The Manager groups applied rules by direction (inbound or outbound), with inbound rules first. You can prioritize rules only within a direction.
You configure rules on the Configuration | Policy Management | Traffic Management | Rules screens.
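As an added illustration of the rule ordering and first-match evaluation described above (example code written for this page, not Cisco's software; the rule fields, packet fields and the SA name "SA-example" are simplified, constructed stand-ins):

```python
"""Model of how a filter orders and applies its rules.

Added example, not Cisco's code. Rule and packet fields are a simplified
stand-in for what the Rules screens configure (name, direction, protocol,
source network). The Filter class keeps the behaviour the page describes:
inbound rules precede outbound rules, an Apply IPSec rule goes to the top
of its direction group and needs an SA, Move Up / Move Down cannot cross a
direction group, the first matching rule decides, and the Default Action
applies when nothing matches. The SA name "SA-example" is constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACTIONS = ("Drop", "Forward", "Drop and Log", "Forward and Log", "Apply IPSec")

@dataclass
class Rule:
    name: str
    direction: str             # "Inbound" or "Outbound"
    action: str                # one of ACTIONS
    protocol: str = "Any"      # "Any", "TCP", "UDP", "ICMP", ...
    source: str = "0.0.0.0/0"  # source network the rule matches
    sa: Optional[str] = None   # SA name, set only on Apply IPSec rules

    def matches(self, pkt: dict) -> bool:
        return (pkt["direction"] == self.direction
                and self.protocol in ("Any", pkt["protocol"])
                and ip_address(pkt["src"]) in ip_network(self.source))

@dataclass
class Filter:
    name: str
    default_action: str = "Drop"                     # the default choice on the Add screen
    rules: List[Rule] = field(default_factory=list)
    events: List[str] = field(default_factory=list)  # FILTERDBG events

    def assign(self, rule: Rule, sa: Optional[str] = None) -> None:
        """Add a rule the way the Assign Rules to Filter screen's Add button does."""
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        if rule.action == "Apply IPSec":
            if sa is None:
                raise ValueError("an Apply IPSec rule needs an SA (Add SA to Rule)")
            rule.sa = sa
        same = [i for i, r in enumerate(self.rules) if r.direction == rule.direction]
        # Inbound rules precede outbound rules, so an empty inbound group starts at
        # index 0 and an empty outbound group starts after all the inbound rules.
        group_start = 0 if rule.direction == "Inbound" else len(self.rules)
        if rule.action == "Apply IPSec":
            pos = same[0] if same else group_start        # top of the direction group
        else:
            pos = same[-1] + 1 if same else group_start   # bottom of the direction group
        self.rules.insert(pos, rule)

    def move(self, name: str, up: bool) -> None:
        """Move Up / Move Down: a rule may only change place within its direction group."""
        i = [r.name for r in self.rules].index(name)
        j = i - 1 if up else i + 1
        if not 0 <= j < len(self.rules) or self.rules[j].direction != self.rules[i].direction:
            raise ValueError("cannot move a rule out of its direction group")
        self.rules[i], self.rules[j] = self.rules[j], self.rules[i]

    def apply(self, pkt: dict) -> str:
        """Return the action taken for pkt: the first matching rule, else Default Action."""
        for rule in self.rules:
            if rule.matches(pkt):
                return self._take(rule.action, rule.name, pkt)
        return self._take(self.default_action, "<default>", pkt)

    def _take(self, action: str, rule_name: str, pkt: dict) -> str:
        if action.endswith("and Log"):
            # One event per matched packet: the reason Log actions are debugging-only.
            self.events.append(f"FILTERDBG {rule_name}: {action} {pkt['protocol']} from {pkt['src']}")
        return action

def demo_filter() -> Filter:
    """Build a filter in the order an administrator might click Add (constructed sample)."""
    f = Filter("Example Private Filter", default_action="Drop")
    f.assign(Rule("Out Web", "Outbound", "Forward", "TCP"))
    f.assign(Rule("In Ping", "Inbound", "Forward", "ICMP"))
    f.assign(Rule("In Log 10/8 TCP", "Inbound", "Drop and Log", "TCP", "10.0.0.0/8"))
    f.assign(Rule("In Branch IPSec", "Inbound", "Apply IPSec", source="192.168.5.0/24"),
             sa="SA-example")
    return f
```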
Note
Rules affect the operation of the filter as soon as you add, remove, or prioritize them. If the filter is being used by an active interface or group, changes might affect data traffic.
Note
Be careful about adding or changing rules on the Public (Default) filter. You could compromise security.
Figure 14-15 Configuration | Policy Management | Traffic Management | Assign Rules to Filter Screen
Screen Elements
•
Filter Name — The name of the filter for which you are configuring the rules. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy.)
•
Current Rules in Filter — This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Empty--. Each entry shows the rule name and the action/direction in parentheses; IPSec rules include their SA.
•
Available Rules — This list shows all the rules currently configured on the system (all the rules in the active configuration) that have not been assigned to this filter. Use the scroll controls (if present) to see all the rules in the list. Each entry shows the rule name and the action/direction in parentheses. (Since Security Associations are added to Apply IPSec rules only when those rules are assigned to a filter, this list does not show SAs.)
•
Add — To add a rule to the filter, select the rule from the Available Rules list and click Add. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and by default orders the current rules with all inbound rules preceding all outbound rules.
If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a security association to the rule. The Manager also, by default, adds Apply IPSec rules to the top of the group of rules with the same direction (inbound or outbound).
•
Insert Above — To add an available rule above a current rule, select the rule from the Available Rules list, then select a target rule in the Current Rules in Filter list, and click Insert Above. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and orders the new rule above the current rule. Both selected rules must have the same direction (inbound or outbound).
If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a security association to the rule.
•
Remove — To remove a rule from the filter, select the rule from the Current Rules in Filter list and click Remove. The Manager moves the rule to the Available Rules list, modifies the active configuration, refreshes the screen, and shows the remaining current rules in the filter.
You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add | Done screen.
•
Move Up / Move Down — To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes the screen, and shows the reordered list. If you try to move a rule out of its direction group (inbound or outbound), the Manager displays an error message.
•
Assign SA to Rule — To modify the security association applied to a current rule that has an Apply IPSec action configured, select the rule from the Current Rules in Filter list and click Assign SA to Rule. The Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen.
•
Done — When you are finished configuring the rules in this filter, click Done. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen and refreshes the Filter List.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | Assign Rules to Filter | Add SA to Rule
This screen lets you add a configured Security Association to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.
You configure Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.
Figure 14-16 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule Screen
Screen Elements
•
Add SA to Rule on Filter — The Manager shows the name of the filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Policy Management | Traffic Management | Filters | Add, Modify, or Copy.
•
IPSec SAs — This list shows the configured SAs that are available, that is, all the SAs in the active configuration.
•
Apply — To add an SA to the rule, select the SA from the list and click Apply. The Manager returns to the Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its SA.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | Assign Rules to Filter | Change SA on Rule
This screen lets you change the configured Security Association that is applied to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.
On this screen, you change which SA is applied. You configure SAs themselves on the Configuration | Policy Management | Traffic Management | Security Associations screens.
Note
The change takes effect as soon as you click Apply. If this filter is being used by an interface or group, the change might affect tunnel traffic.
Figure 14-17 Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule Screen
Screen Elements
•
Change SA to Rule on Filter — The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name here. See Policy Management | Traffic Management | Filters | Add, Modify, or Copy.
•
IPSec SAs — This list shows the configured SAs that are available, that is, all the SAs in the active configuration. By default, the SA that is currently applied to the rule is selected.
•
Apply — To apply a different SA to this rule, select the SA from the list and click Apply. The Manager returns to the Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its new SA. The change takes effect as soon as you click Apply. If this filter is being used by an active interface or group, the change might affect tunnel traffic.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | NAT
This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between the networks.
A NAT session is a translation instance. When a packet passing through the VPN Concentrator matches a NAT rule and is translated, a NAT session begins. The NAT session records details of the translation, including the source IP address and port, the destination IP address and port, and the translated, or mapped, address and port.
A NAT rule defines the criteria that a packet must meet to be translated. For interface NAT rules, criteria include the protocol: portless, UDP, or TCP. For LAN-to-LAN connections, the criteria are the source, translated, and destination IP addresses.
To use NAT, we recommend that you first configure NAT rules, then enable the function.
You can change NAT rules while NAT is enabled. Doing so affects subsequent sessions, but not current sessions, as long as the changed rule still allows the current session; if it doesn't, traffic will stop.
For inbound packets, the destination address and port are mapped. For outbound traffic, the source address and port are mapped.
As packets pass through the VPN Concentrator, NAT sessions are searched for a match prior to applying NAT rules. If a match exists, the packet is translated in the same way as the packet that caused the session to initiate, and the session continues, allowing the VPN Concentrator to maintain address and port continuity within a session. NAT sessions expire and are deleted if they are unused for a certain time period, which varies depending on the protocol. Therefore, unless the NAT rule is a static rule, NAT sessions between the same clients may have different translated addresses for different NAT sessions.
For a detailed explanation of NAT and PAT, see http://www.cisco.com/warp/public/556/nat-cisco.shtml.
Figure 14-18 Configuration | Policy Management | Traffic Management | NAT Screen
Traffic Management | NAT | Enable
This screen lets you enable NAT operation for Interfaces, which applies NAT to all non-tunneled traffic flowing through the public interface, and for LAN-to-LAN tunnels. We recommend that you configure NAT rules before you enable the function.
Figure 14-19 Configuration | Policy Management | Traffic Management | NAT | Enable Screen
Screen Elements
•
Interface NAT Rules Enabled — Check this box to enable NAT rules for interfaces, or uncheck it to disable these NAT rules. By default, the box is unchecked.
•
LAN-to-LAN Tunnel NAT Rule Enabled — Check this box to enable NAT rules for LAN-to-LAN connections, or uncheck it to disable these NAT rules. By default, the box is unchecked.
•
Apply — Click to enable or disable NAT rules and include your setting in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.
•
Cancel — Click to discard your entry and leave the active configuration unchanged. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | NAT | Interface Rules
This section of the Manager lets you add, configure, modify, and delete Interface NAT rules. We recommend that you first configure and add rules, then enable the function. To configure Interface NAT rules, you must first configure a VPN Concentrator public interface; see Configuration | Interfaces.
You need at least one rule for each private network that the VPN Concentrator connects to, and that uses NAT.
Figure 14-20 Configuration | Policy Management | Traffic Management | NAT | Interface Rules Screen
Screen Elements
•
Interface NAT Rules — The Interface NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list shows --Empty--. The format of each rule is: Private Address/Subnet Mask on Interface (Action); for example, 10.0.0.0/8 on Ethernet 2 (Public) (TCP).
•
Add — To configure and add a new Interface NAT rule to the list of configured rules, click Add. The Manager opens the Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify screen. If you have not configured a public interface, the Manager displays the Policy Management | Traffic Management | NAT | Rules | No Public Interfaces screen.
•
Modify — To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify screen.
•
Delete — To delete a configured NAT rule, select the rule from the NAT Rules list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining rules in the list.
Traffic Management | NAT | Rules | No Public Interfaces
The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.
You should designate only one VPN Concentrator interface as a public interface.
Figure 14-21 Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces Screen
Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.
Traffic Management | NAT | Interface Rules | Add or Modify
These screens let you:
•
Add: Configure and add new Interface NAT rules.
•
Modify: Modify a previously configured Interface NAT rule.
You must configure a public interface on the VPN Concentrator before you can add an Interface NAT rule. See the Configuration | Interfaces screens.
Figure 14-22 Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify Screen
Screen Elements
•
Interface (Add screen) — Click the drop-down menu button and select the configured public interface for this Interface NAT rule. The list shows all interfaces that have the Public Interface parameter enabled. See Configuration | Interfaces.
(Modify screen) — The screen shows the configured public interface for this Interface NAT rule. You cannot change the interface. To move the rule to another interface, you must delete this rule and add a new one for the other interface.
•
Private IP Address — Specify the private network (subnet) addresses that NAT translates to and from the public address. Enter the private IP address, for example: 10.0.0.1.
•
Private Address Subnet Mask — Enter the subnet mask appropriate for the private IP address range. The default is 255.255.255.255. For example, to translate all private addresses in class A network 10, enter 255.0.0.0.
In the NAT Rules list, the subnet mask is shown as the number of ones; for example, 255.255.0.0 is shown as /16.
•
Map Portless Protocols — Check to translate addresses for packets with protocols that do not use ports and thus do not involve port mapping (default). For example, this action supports ping, which uses ICMP.
•
Map UDP — Check to map ports within outbound UDP packets to dynamic ports (49152 to 65535) on the public IP address, and vice versa.
•
Map TCP — Check to map ports within outbound TCP packets to dynamic ports (49152 to 65535) on the public IP address, and vice versa.
•
FTP Proxy — Check to provide FTP proxy server functions and map outbound ports to dynamic ports (49152 to 65535) on the public IP address. FTP requires specialized NAT behavior; this action allows outgoing FTP transactions to function properly.
•
Add / Apply — To add this rule to the list of configured Interface NAT rules, click Add. Or to apply your changes to this Interface NAT rule, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Interface Rules screen. Any new rule appears at the bottom of the Interface NAT Rules list.
•
Cancel — To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Interface Rules screen, and the Interface NAT Rules list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
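As an added illustration of the Interface NAT behaviour described in this section and in the NAT overview (sessions searched before rules, source mapping outbound and destination mapping inbound, dynamic ports 49152 to 65535, protocol-dependent session expiry), written for this page rather than taken from Cisco's software; the public address 203.0.113.10, the private network 10.0.0.0/8 and the idle timeouts are assumed values:

```python
"""Simulation of Interface NAT on the VPN Concentrator's public interface.

Added example, not Cisco's code. An Interface NAT rule selects packets by
private network and protocol class (Map Portless Protocols, Map UDP, Map TCP);
outbound packets get the public source address and a dynamic source port
(49152 to 65535); inbound packets have their destination mapped back; the
session table is searched before the rules; idle sessions expire per protocol.
The public address, private network and idle timeouts below are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DYNAMIC_PORTS = range(49152, 65536)
IDLE_TIMEOUT = {"TCP": 3600, "UDP": 300, "ICMP": 60}  # seconds; assumed values

@dataclass
class InterfaceNatRule:
    private_net: str            # shown in the rules list as e.g. 10.0.0.0/8
    map_portless: bool = True   # checked by default on the Add screen
    map_udp: bool = False
    map_tcp: bool = False

    def allows(self, proto: str) -> bool:
        return {"UDP": self.map_udp, "TCP": self.map_tcp}.get(proto, self.map_portless)

@dataclass
class Session:
    proto: str
    src: str          # private host and port
    sport: int
    dst: str          # remote host and port
    dport: int
    mapped_port: int  # port on the public address, 0 for portless protocols
    last_used: float

class InterfaceNat:
    def __init__(self, public_ip: str, rules: list):
        self.public_ip = public_ip
        self.rules = rules
        self.sessions = {}    # (proto, src, sport, dst, dport) -> Session
        self.by_mapped = {}   # (proto, remote, remote port, mapped port) -> Session
        self._next_port = DYNAMIC_PORTS.start

    def _expire(self, now: float) -> None:
        for key, s in list(self.sessions.items()):
            if now - s.last_used > IDLE_TIMEOUT[s.proto]:
                del self.sessions[key]
                del self.by_mapped[(s.proto, s.dst, s.dport, s.mapped_port)]

    def _rule_allows(self, proto: str, private_ip: str) -> bool:
        return any(ip_address(private_ip) in ip_network(r.private_net) and r.allows(proto)
                   for r in self.rules)

    def _alloc_port(self) -> int:
        used = {s.mapped_port for s in self.sessions.values()}
        for _ in DYNAMIC_PORTS:   # walk the range once, skipping ports still in use
            port = self._next_port
            self._next_port = port + 1 if port + 1 in DYNAMIC_PORTS else DYNAMIC_PORTS.start
            if port not in used:
                return port
        raise RuntimeError("dynamic port range exhausted")

    def outbound(self, pkt: dict, now: float):
        """Translate a packet leaving via the public interface; None = not translated."""
        self._expire(now)
        sport, dport = pkt.get("sport", 0), pkt.get("dport", 0)
        key = (pkt["proto"], pkt["src"], sport, pkt["dst"], dport)
        s = self.sessions.get(key)          # an existing session wins over the rules
        if s is None:
            if not self._rule_allows(pkt["proto"], pkt["src"]):
                return None
            mapped = self._alloc_port() if "sport" in pkt else 0
            s = Session(pkt["proto"], pkt["src"], sport, pkt["dst"], dport, mapped, now)
            self.sessions[key] = s
            self.by_mapped[(s.proto, s.dst, s.dport, s.mapped_port)] = s
        s.last_used = now
        out = dict(pkt, src=self.public_ip)
        if "sport" in pkt:
            out["sport"] = s.mapped_port
        return out

    def inbound(self, pkt: dict, now: float):
        """Translate a packet arriving on the public interface; None = no session."""
        self._expire(now)
        key = (pkt["proto"], pkt["src"], pkt.get("sport", 0), pkt.get("dport", 0))
        s = self.by_mapped.get(key)
        if s is None:
            return None                     # unsolicited packet: nothing to map it to
        s.last_used = now
        out = dict(pkt, dst=s.src)
        if "dport" in pkt:
            out["dport"] = s.sport
        return out
```

Because the UDP session in the test expires while the TCP session is still alive, the same client ends up with a different mapped port for its next UDP flow, which is the "different translated addresses for different NAT sessions" behaviour the overview describes.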
Traffic Management | NAT | LAN-to-LAN Rules
This section of the Manager lets you add, configure, modify, and delete LAN-to-LAN NAT rules that apply only to traffic that passes over LAN-to-LAN tunnels. We recommend that you first configure and add rules, then enable the function.
About LAN-to-LAN NAT
Private networks often use the same private address spaces. For connecting VPN networks, this duplication of IP addresses can prevent communication, because traffic from one private network to another using the same address space is perceived as local, and therefore does not travel to the second network. You can use NAT to solve this problem, translating private network addresses to legitimate public network addresses as packets enter the tunnel, rather than assigning new IP addresses to the networks.
Mapping rules that you configure determine how LAN-to-LAN NAT translates network addresses. There are three types of mapping rules:
•
Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to
–
inbound traffic, which is traffic received over a LAN-to-LAN tunnel.
–
outbound traffic, which is traffic bound for a LAN-to-LAN tunnel.
Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.
•
Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.
•
PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.
Figure 14-23 is an example of a network topology that has complete overlap in the address spaces for the networks behind VPN Concentrators A and B.
Figure 14-23 LAN-to-LAN NAT Example
The LAN-to-LAN NAT mapping rules for these VPN Concentrators are as follows:
VPN Concentrator     Rule and Type     Mappings
VPN Concentrator A   A - Dynamic/PAT   10.10.10.0/24 -> 20.20.20.9
VPN Concentrator B   B - Static NAT    10.10.10.0/24 -> 30.30.30.0/24
The VPN Concentrators are configured as follows:
•
A LAN-to-LAN tunnel connects networks 20.20.20.0/24 and 30.30.30.0/24.
•
Concentrator A is configured to route traffic destined for 30.30.30.0 through the LAN-to-LAN tunnel.
•
Concentrator B is configured to route traffic destined for 20.20.20.0 through the LAN-to-LAN tunnel.
A client with the IP address of 10.10.10.2 on network A sends a message to a server on network B with an IP address of 10.10.10.4. The clients on Network A already know the static address translation of the servers on Network B. Table 14-6 describes the message flow and the NAT translations that occur.
Table 14-6 LAN-to-LAN NAT Message Flow for LAN-to-LAN Tunnel Networks 20.20.20.0/24 and 30.30.30.0/24
Host on network A sends to the server on network B (tunnel direction A -> B):
Concentrator A, private network 10.10.10.0: Host with source IP address 10.10.10.2 sends a message to the server on network B with destination IP address 30.30.30.4.
Concentrator A, after outbound NAT translation: Source IP address translates to 20.20.20.9, using Rule A to create Session A1. Destination IP address is 30.30.30.4.
Concentrator B, after inbound NAT translation: Source IP address is 20.20.20.9. Destination IP address 30.30.30.4 translates to 10.10.10.4, using Rule B to create Session B1.
Concentrator B, private network 10.10.10.0: Server with destination IP address 10.10.10.4 receives the packet from the host with source IP address 20.20.20.9.
Server on network B replies to the host on network A (tunnel direction B -> A):
Concentrator B, private network 10.10.10.0: Server with source IP address 10.10.10.4 replies to the host with destination IP address 20.20.20.9.
Concentrator B, after outbound NAT translation: Source IP address translates to 30.30.30.4, with Concentrator B using the mapping information from Session B1. Destination IP address is 20.20.20.9.
Concentrator A, after inbound NAT translation: Source IP address is 30.30.30.4. Destination IP address translates to 10.10.10.2, with Concentrator A using the mapping information from Session A1.
You configure LAN-to-LAN NAT rules in the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules screen.
Figure 14-24 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules Screen
Screen Elements
•
LAN-to-LAN NAT Rules — This list shows the rules that have been configured. If no LAN-to-LAN NAT rules have been configured, the list shows --Empty--.
–
Source = This is the host IP address and wildcard mask on the private network.
–
Translated = This is the translated IP address and wildcard mask for the local address of this LAN-to-LAN connection. This is also the translated address space.
–
Remote = This is the destination IP address and wildcard mask for this LAN-to-LAN connection. The rule is applied only to packets bound for this address space. The address space must be part of the destination address space of a LAN-to-LAN connection.
–
Type = This identifies the type of LAN-to-LAN NAT rule.
Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to inbound traffic, which is traffic received over a public interface, and outbound traffic, which is traffic bound for a public interface.
Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.
Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.
PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.
•
Add — Click to configure and add a new LAN-to-LAN NAT rule. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify screen.
•
Modify — To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify screen.
•
Delete — To delete a configured NAT rule, select the rule from the NAT Rules list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining rules in the list.
•
Move Up / Move Down — You can use the Move Up and Move Down buttons to sort LAN-to-LAN NAT rules in priority order, except
–
Static rules have priority over dynamic rules.
–
You cannot prioritize static rules. The VPN Concentrator gives static rules for smaller networks a higher priority than those for larger networks. Therefore, the priority order of static rules is:
Host-to-host
Class C
Class B
Class A
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify
This screen lets you add or modify NAT LAN-to-LAN rules.
Guideline for Defining NAT Rules and Types
Understand this caveat as you define NAT rules for LAN-to-LAN connections:
If you expect inbound traffic, you need to define a static LAN-to-LAN NAT rule. This is because with any other type of NAT rule, the translated address is impossible to predict, leaving the sender no way of identifying the IP address to which it should send packets.
Figure 14-25 Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify Screens
Screen Elements
•
NAT Type — This identifies the type of LAN-to-LAN NAT Rule:
–
Static LAN-to-LAN NAT rules map source IP addresses to Translated IP addresses on a one-to-one basis. Static rules apply both to inbound traffic, which is traffic received over a public interface, and outbound traffic, which is traffic bound for a public interface.
Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.
–
Dynamic LAN-to-LAN NAT rules map source IP addresses to one of a pool of available translated IP addresses, or to a single address. Dynamic mappings apply only to outbound traffic.
–
PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation. PAT rules apply to outbound traffic only.
•
Source Network — This is the network IP address and wildcard mask the rule translates.
•
Translated Network — This is the translated IP address and wildcard mask for the local network of this LAN-to-LAN connection.
•
Remote Network — This is the destination IP network and wildcard mask for this LAN-to-LAN connection.
Note
If you have a network with any remote access clients, you must specifically define the remote network, and not accept the default values of 0.0.0.0/255.255.255.255. If you were to accept these default values, and the source network and wildcard mask of the rule overlaps or is the same as the network addresses assigned to remote access clients, the VPN Concentrator attempts to NAT traffic intended for the remote access clients for the LAN-to-LAN connection instead, and that traffic never reaches the remote access clients. The only exception to this is for remote access clients that get their IP addresses from a third network, in which case you can use default values for this parameter.
•
IP Address — Enter the source IP address. Default is 0.0.0.0.
•
Wildcard Mask — Enter the wildcard mask in dotted decimal notation. Default is 255.255.255.255.
Note
A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
•
Add / Apply — To add this rule to the list of configured LAN-to-LAN NAT rules, click Add. Or to apply your changes to this rule, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules screen. Any new rule appears at the bottom of the LAN-to-LAN NAT Rules list.
•
Cancel — To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules screen, and the LAN-to-LAN NAT Rules list is unchanged.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
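As an added illustration of the LAN-to-LAN NAT mechanics described in this and the preceding section (wildcard masks, static versus dynamic rules, static rule priority, sessions, and the Table 14-6 message flow), written for this page rather than taken from Cisco's software; Rule A and Rule B use the values of Figure 14-23, and PAT port mapping is not modelled:

```python
"""LAN-to-LAN NAT rules and the message flow of Table 14-6.

Added example, not Cisco's code. It implements the page's wildcard-mask matching
(ones = ignore, zeros = must match), static one-to-one translation, dynamic
translation to a single address, the priority order the page describes (static
before dynamic, smaller static networks first) and per-session mapping so that
replies translate back. PAT port mapping is not modelled. Rules A and B follow Figure 14-23.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

_bits = lambda addr: int(IPv4Address(addr))   # dotted quad -> 32-bit integer

def wildcard_match(addr, base, wildcard):
    """True if addr equals base in every bit position where the wildcard is 0."""
    keep = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(addr) & keep) == (_bits(base) & keep)

def static_translate(addr, wildcard, new_base):
    """One-to-one mapping: network bits from new_base, host bits kept from addr."""
    w = _bits(wildcard)
    return str(IPv4Address((_bits(new_base) & ~w & 0xFFFFFFFF) | (_bits(addr) & w)))

@dataclass
class L2LRule:
    name: str
    nat_type: str          # "Static", "Dynamic" or "PAT"
    source: str            # Source Network address and wildcard mask
    wildcard: str
    translated: str        # Translated Network address (Static: same wildcard as source)
    remote: str            # Remote Network address and wildcard mask
    remote_wildcard: str

    def matches_out(self, src, dst):
        return (wildcard_match(src, self.source, self.wildcard)
                and wildcard_match(dst, self.remote, self.remote_wildcard))

    def matches_in(self, src, dst):   # only Static rules translate inbound traffic
        return (self.nat_type == "Static"
                and wildcard_match(dst, self.translated, self.wildcard)
                and wildcard_match(src, self.remote, self.remote_wildcard))

def order_rules(rules):
    """Static first, smaller static networks (fewer wildcard ones) first, then the
    dynamic/PAT rules in their configured Move Up / Move Down order (stable sort)."""
    def key(r):
        ones = bin(_bits(r.wildcard)).count("1") if r.nat_type == "Static" else 0
        return (r.nat_type != "Static", ones)
    return sorted(rules, key=key)

class Concentrator:
    def __init__(self, name, rules):
        self.name = name
        self.rules = order_rules(rules)
        self.out_sessions = {}   # (private src, remote dst) -> (translated src, session id)
        self.in_sessions = {}    # (remote src, translated dst) -> (private dst, session id)
        self.count = 0

    def _session(self, private, remote, translated):
        self.count += 1
        sid = f"{self.name}{self.count}"
        self.out_sessions[(private, remote)] = (translated, sid)
        self.in_sessions[(remote, translated)] = (private, sid)
        return sid

    def outbound(self, src, dst):
        """Packet bound for the tunnel: (new src, session id), or None if untranslated."""
        if (src, dst) in self.out_sessions:       # sessions are searched before rules
            return self.out_sessions[(src, dst)]
        for r in self.rules:
            if r.matches_out(src, dst):
                new = (static_translate(src, r.wildcard, r.translated)
                       if r.nat_type == "Static" else r.translated)
                return new, self._session(src, dst, new)
        return None

    def inbound(self, src, dst):
        """Packet received over the tunnel: (new dst, session id), or None."""
        if (src, dst) in self.in_sessions:
            return self.in_sessions[(src, dst)]
        for r in self.rules:
            if r.matches_in(src, dst):
                new = static_translate(dst, r.wildcard, r.source)
                return new, self._session(new, src, dst)
        return None   # dynamic mappings cannot be predicted, so inbound needs a static rule

def table_14_6():
    """Walk Table 14-6 with the Figure 14-23 rules; returns (hop, src, dst, session) rows."""
    a = Concentrator("A", [L2LRule("Rule A", "Dynamic", "10.10.10.0", "0.0.0.255",
                                   "20.20.20.9", "30.30.30.0", "0.0.0.255")])
    b = Concentrator("B", [L2LRule("Rule B", "Static", "10.10.10.0", "0.0.0.255",
                                   "30.30.30.0", "20.20.20.0", "0.0.0.255")])
    src, s1 = a.outbound("10.10.10.2", "30.30.30.4")   # Rule A creates Session A1
    dst, s2 = b.inbound(src, "30.30.30.4")             # Rule B creates Session B1
    rsrc, s3 = b.outbound(dst, src)                    # reply uses Session B1
    rdst, s4 = a.inbound(rsrc, src)                    # reply uses Session A1
    return [("A out", src, "30.30.30.4", s1), ("B in", src, dst, s2),
            ("B out", rsrc, src, s3), ("A in", rsrc, rdst, s4)]
```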
Traffic Management | Bandwidth Policies
This section of the Manager lets you configure bandwidth management policies. You can configure a bandwidth policy to do one or all of the following:
•
Reserve a minimum amount of bandwidth per session
•
Limit users within groups to a maximum amount of bandwidth
Once you configure bandwidth policies, you can apply them either to an interface, or a group, or both. If you apply a policy to an interface only, it applies to each user on the interface. If you apply a policy to a group, it applies only to the users in that group. If you apply one policy to an interface and a different policy to a group, users who are members of that group use the group policy, and all other users use the interface policy.
Figure 14-26 Configuration | Policy Management | Traffic Management | Bandwidth Policies Screen
Screen Elements
•
Bandwidth Policies — This list shows bandwidth policies that have been configured. If no bandwidth policies have been configured, the list shows --Empty--.
•
Add — Click to create a new bandwidth policy. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.
•
Modify — To modify a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen.
•
Delete — To delete a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Delete.
Traffic Management | Bandwidth Policies | Add or Modify
This screen lets you configure and add a bandwidth policy or modify a previously configured bandwidth policy.
Overview of Bandwidth Management
There are two aspects of bandwidth management: bandwidth policing and bandwidth reservation. Bandwidth policing limits the maximum rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Bandwidth reservation sets aside a minimum bandwidth rate for tunneled traffic. Using bandwidth management, you can allocate bandwidth to groups and users equitably, thus preventing certain groups or users from consuming a majority of the bandwidth.
Bandwidth management applies only to tunneled traffic (L2TP, PPTP, IPSec) and is most commonly applied to the public interface.
Tip
If you receive an error message when you're configuring any bandwidth management feature, check the event log. The event log gives very specific feedback for bandwidth management errors.
Bandwidth Reservation
Bandwidth reservation sets aside a minimum limit of bandwidth per tunnel for tunneled traffic. Each user receives at least a set amount of bandwidth. When there is little traffic on the box, users receive more than their allocated minimum of bandwidth. When the box becomes busy, they receive at least that much. When the combined total of the reserved bandwidth amounts of all active tunnels on an interface approaches the limit of the total bandwidth available on that interface, the VPN Concentrator refuses further connections to users who demand more reserved bandwidth than is available.
You can configure bandwidth reservation on just an interface (usually the public). In this case, every user who connects on the public interface receives the same reserved minimum bandwidth. If, in addition, you configure reserved bandwidth on a particular group, users in that group can claim an amount of reserved bandwidth that differs from that of the other users on the interface. You cannot configure reserved bandwidth on a specific group unless you have first configured reserved bandwidth on the interface.
Example One: A Bandwidth Reservation Policy Applied to an Interface
Suppose the link rate on your public interface is 1,544 kbps. And suppose you apply a reserved bandwidth policy to that interface that sets the reserved bandwidth to the default: 56 kbps per user. With this link rate and policy setting, only a total of 27 users can connect to the VPN Concentrator at one time. (1544 kbps per interface divided by 56 kbps per user equals 27 connections, rounding down.)
• The first user who logs on to the VPN Concentrator gets his reserved 56 kbps plus the remainder of the bandwidth (1488 kbps).
• The second user who logs on to the VPN Concentrator gets his reserved 56 kbps plus he shares the remainder of the bandwidth (1432 kbps) with the first user.
• When the twenty-seventh user connects, all users are throttled to their minimum of 56 kbps per connection.
• When the twenty-eighth user attempts to connect, the VPN Concentrator refuses the connection. It does not allow any additional connections because it cannot supply the minimum 56 kbps reserve to more users.
Example Two: Bandwidth Reservation Policies Applied to an Interface and a Group
Add bandwidth reservation on a particular group to the above example. The group "Executives" reserves 112 kbps of the public interface bandwidth for any member of the group.
• The first user who logs on to the VPN Concentrator is not in the Executive group. He gets his reserved 56 kbps plus the remainder of the bandwidth (1488 kbps).
• Then, the president logs in. She gets her 112 kbps plus she shares the remainder of the bandwidth (1376 kbps) with the first user.
• As more executives and non-executives connect, they each receive the specified amount of bandwidth (112 kbps or 56 kbps) plus they share the bandwidth that remains. The VPN Concentrator allows users to connect until it can no longer provide the minimum reserve (56 kbps for a non-executive, 112 kbps for an executive).
Keep in mind that there may be many groups using the VPN Concentrator, each with different bandwidth policies.
Bandwidth Aggregation
From Example Two, you can see that configuring bandwidth reservation alone can lead to a scenario in which high priority, high bandwidth users are unable to connect to a congested VPN Concentrator because of their bandwidth requirements. For this case, the VPN Concentrator provides a feature called bandwidth aggregation. Bandwidth aggregation allows a particular group to reserve a fixed portion of the total bandwidth on the interface. (This fixed portion is known as an aggregation.) Then, as users from that group connect, each receives a part of the total bandwidth allocated for the group. Users who are not in that group cannot share this reserved portion, even if no one else is using it. When one group makes a reserved bandwidth aggregation, it does not affect the bandwidth allocated to users who are not in that group; however, those other users are now sharing a smaller amount of total bandwidth. Fewer of them can connect.
Suppose the company president in Example Two wants two top executives to be able to access the VPN Concentrator at any time. In this case, you can configure a bandwidth aggregation of x/2 (or half the bandwidth) for the group "Top Executives." Half the bandwidth of the interface would then be set aside for the use of this group. This means, however, that all the other users on the interface compete for the remaining half of the bandwidth.
LAN-to-LANs and Bandwidth Reservation
Configure bandwidth reservation for a LAN-to-LAN connection as you would for a group with one user. In this way, you reserve a set amount of bandwidth for the connection. (The users on the LAN-to-LAN connection are not managed, only the connection.) When you apply a bandwidth reservation policy to a LAN-to-LAN connection, the VPN Concentrator automatically adds bandwidth aggregation.
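The admission arithmetic of Examples One and Two, the aggregation case, and the LAN-to-LAN note, worked through as an added Python model. This is not Cisco code and not the VPN Concentrator's own algorithm: it assumes one interface with a known link rate, that each tunnel belongs to at most one group, and that the unreserved remainder of a pool is split equally among the tunnels drawing on it (the text only says the remainder is shared). The group names and the 772 kbps and 256 kbps figures are constructed.

```python
"""Admission-control model of bandwidth reservation on one interface.

Constructed example, not Cisco code. All rates are kbps. Assumption: the
unreserved remainder of a pool is shared equally by the tunnels in it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GroupPolicy:
    reserve: int        # minimum kbps reserved for each tunnel in the group
    aggregate: int = 0  # kbps carved out of the link for this group only (0 = none)


@dataclass
class Interface:
    link_rate: int                                   # link rate set on the Bandwidth tab
    default_reserve: int                             # interface policy: reserve for ungrouped users
    groups: Dict[str, GroupPolicy] = field(default_factory=dict)
    tunnels: List[Optional[str]] = field(default_factory=list)   # group of each admitted tunnel

    def reserve_for(self, group: Optional[str]) -> int:
        return self.groups[group].reserve if group else self.default_reserve

    def _aggregated(self, group: Optional[str]) -> bool:
        return bool(group) and self.groups[group].aggregate > 0

    def pool_for(self, group: Optional[str]) -> int:
        """Bandwidth a tunnel competes for: its group's aggregate, or the link
        minus every aggregate (non-members cannot touch an aggregate, even idle)."""
        if self._aggregated(group):
            return self.groups[group].aggregate
        return self.link_rate - sum(g.aggregate for g in self.groups.values())

    def peers_of(self, group: Optional[str]) -> List[Optional[str]]:
        """Admitted tunnels that draw on the same pool as `group`."""
        if self._aggregated(group):
            return [t for t in self.tunnels if t == group]
        return [t for t in self.tunnels if not self._aggregated(t)]

    def connect(self, group: Optional[str] = None) -> bool:
        """Admit the tunnel only if its minimum still fits beside the reserves
        already committed in its pool; otherwise refuse the connection."""
        committed = sum(self.reserve_for(t) for t in self.peers_of(group))
        if committed + self.reserve_for(group) > self.pool_for(group):
            return False
        self.tunnels.append(group)
        return True

    def remainder(self, group: Optional[str]) -> int:
        """Unreserved bandwidth left in the pool that `group` draws on."""
        return self.pool_for(group) - sum(self.reserve_for(t) for t in self.peers_of(group))

    def share(self, index: int) -> int:
        """Bandwidth admitted tunnel `index` gets now: its reserve plus an
        equal slice of the remainder (the equal split is an assumption)."""
        group = self.tunnels[index]
        return self.reserve_for(group) + self.remainder(group) // len(self.peers_of(group))


def fill(iface: Interface, group: Optional[str] = None) -> int:
    """Connect tunnels of one kind until the VPN Concentrator refuses; return how many fit."""
    count = 0
    while iface.connect(group):
        count += 1
    return count


def example_one() -> Tuple[int, int]:
    """1,544 kbps link, 56 kbps reserve: the first user gets the whole link
    (56 + 1488), 27 users fit, and the 28th is refused."""
    iface = Interface(link_rate=1544, default_reserve=56)
    iface.connect()
    first_user = iface.share(0)
    return first_user, 1 + fill(iface)


def example_two() -> int:
    """Executives reserve 112 kbps: a non-executive and then the president
    leave 1376 kbps of remainder to share."""
    iface = Interface(1544, 56, {"Executives": GroupPolicy(reserve=112)})
    iface.connect()
    iface.connect("Executives")
    return iface.remainder("Executives")


def aggregation_example() -> Tuple[int, bool]:
    """Half the link (772 kbps, constructed) aggregated for Top Executives: only
    13 other users fit, yet an executive still connects to the congested box."""
    iface = Interface(1544, 56, {"Top Executives": GroupPolicy(112, aggregate=772)})
    others = fill(iface)
    return others, iface.connect("Top Executives")


def lan_to_lan_example() -> Tuple[int, bool, bool]:
    """A LAN-to-LAN tunnel is a group of one whose reserve is also its aggregate
    (256 kbps, constructed): the tunnel always fits, a second one on the same policy does not."""
    iface = Interface(1544, 56, {"branch-l2l": GroupPolicy(256, aggregate=256)})
    others = fill(iface)
    return others, iface.connect("branch-l2l"), iface.connect("branch-l2l")


if __name__ == "__main__":
    print(example_one(), example_two(), aggregation_example(), lan_to_lan_example())
```

The refusal rule is the same at every level: a tunnel is admitted only while the sum of committed reserves in its pool, plus its own reserve, fits in that pool. Aggregation changes which pool a tunnel draws on, which is why it protects the Top Executives group and, at the same time, lowers the number of other users the interface can accept.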
Bandwidth Policing
Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate.
Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size is the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The VPN Concentrator allows instantaneous bursts of traffic greater than the policing rate, up to the burst size. But should traffic bursts consistently exceed the burst size, the VPN Concentrator enforces the policing rate threshold.
Configuring Bandwidth Management
To configure bandwidth management, follow these steps:
Step 1: Using this section of the Manager, define one or more bandwidth management policies.
Step 2: On the Configuration | Interfaces | Ethernet | Bandwidth Tab:
a. Enable bandwidth management on the public (or any other) interface.
b. Specify the link rate.
c. Assign a bandwidth policy to the interface to assign a default policy for all users on that interface. If you are further planning to assign a bandwidth reservation policy to a specific group, this default policy must include bandwidth reservation.
Step 3: If you also want to manage bandwidth for a specific group, use the Configuration | User Management | Groups | Bandwidth Policy screen to apply a bandwidth policy to that group.
Step 4: To manage bandwidth for a specific LAN-to-LAN connection, use the Bandwidth Policy parameters on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add or Modify screen to apply a bandwidth policy to that connection.
Note the following dependencies when assigning bandwidth management policies to an interface and a group combined:
• If you apply only a policing policy (i.e. no reservation policy) to an interface, you cannot subsequently assign bandwidth reservation policies to groups using that interface. To apply a bandwidth reservation policy to a group, you must first apply a bandwidth reservation policy to the interface.
• If you apply a reservation policy to an interface, all other policies applied to groups on that interface also include bandwidth reservation.
Use Table 14-7 as a guide to these dependencies when you configure this feature.
Table 14-7 Conceptual Overview of Bandwidth Management Configuration
If you want to... | Enable Bandwidth Management on the Public Interface | Policy type: Bandwidth Policing | Policy type: Bandwidth Reservation | Policy type: Bandwidth Aggregation | Apply the Bandwidth Management Policy to:
Let users and tunnels consume bandwidth as needed on a first-come first-served basis. | - | - | - | - | -
Reserve every user on the interface a default minimum amount of the bandwidth of the interface. | Yes | - | Yes | - | Interface
Reserve every user in a particular group an equal minimum amount of the bandwidth of the interface. (Users not in the group use the bandwidth reservation assigned to the interface.) | Yes | - | Yes | - | Interface and group
Set aside a fixed amount of bandwidth for the exclusive use of members of a specific group. (Users not in this group cannot access this bandwidth, even if it is unused.) | Yes | - | Yes | Yes | Apply bandwidth reservation to the interface and apply bandwidth aggregation to the group.
Reserve a set amount of bandwidth for the exclusive use of a LAN-to-LAN tunnel. Ensure that bandwidth is always available for the LAN-to-LAN tunnel. (In other words, ensure that the LAN-to-LAN tunnel can always connect, even if the VPN Concentrator is congested.) | Yes | - | Yes | Yes (Done automatically) | Interface and LAN-to-LAN
Limit all users on the interface to a set bandwidth threshold. | Yes | Yes | - | - | Interface
Limit all users in a particular group to a set bandwidth threshold. | Yes | Yes | - | - | Apply either bandwidth reservation or policing to the interface. Apply policing to the group.
Once you know which bandwidth management features you want to apply to which level (interface, group, or LAN-to-LAN), follow the steps in Table 14-8 to configure them.
Table 14-8 Bandwidth Management Configuration Guide
Task: Create a Bandwidth Management Policy
Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add
Do this: Name the policy, then apply reservation and/or policing and set the corresponding parameters.
Task: Enable Bandwidth Management on the Public Interface
Use this screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
Do this: Check the Bandwidth Management check box. Set the link rate. Apply a bandwidth management policy.
Task: Use Bandwidth Policing
Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
Do this: Create a policing policy: Check the Policing check box and enter the policing rate and burst size.
Task: Use Bandwidth Reservation
Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
Do this: Create a reservation policy: Check the Bandwidth Reservation check box and enter the minimum bandwidth.
Task: Use Bandwidth Aggregation
Use this screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
Do this: Set Aggregate Bandwidth to a value greater than zero.
Task: Assign Bandwidth Policy(ies) to an Interface
Use this screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
Do this: Choose a policy from the Bandwidth Policy drop-down menu.
Task: Assign Bandwidth Policy(ies) to a Group
Use this screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
Do this: Choose a policy from the Policy drop-down menu.
Task: Assign Bandwidth Policy(ies) to a LAN-to-LAN connection
Use this screen: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify
Do this: Choose a policy from the Bandwidth Policy drop-down menu.
Figure 14-27 Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen
When configuring a bandwidth policy, you must enable (check) either Bandwidth Reservation or Policing. You can enable both policies.
Screen Elements
• Policy Name — Enter a unique name that can help you remember the policy. The maximum length is 32 characters.
• Bandwidth Reservation — Check to reserve a minimum amount of bandwidth for each session.
• Minimum Bandwidth — The amount of bandwidth reserved per user during periods of congestion. Enter a value and select one of the following units of measurement. The range is between 8000 bps and 100 Mbps. The default is 56000 (bps).
– bps—bits per second
– kbps—one thousand bits per second
– Mbps—one million bits per second
• Policing — Check to enable policing.
• Policing Rate — Enter a value and select the unit of measurement. The VPN Concentrator transmits traffic that is moving below the policing rate and drops all traffic that is moving above the policing rate. The range is between 56000 bps and 100 Mbps. The default is 56000 (bps).
• Normal Burst Size — Enter a value and select the unit of measurement. (Note that this is measured in bytes rather than bits.) The default is 10500 bytes. The minimum is 10500 bytes.
The VPN Concentrator drops traffic that exceeds the normal burst size. The normal burst size is the amount of instantaneous burst that the VPN Concentrator can send at any given time.
To set the burst size, use the following formula: (Policing Rate/8) * 1.5. For example, to limit users to 250 kbps of bandwidth, set the policing rate to 250 kbps and set the burst size to 46875 bytes, that is: (250000 bps/8) * 1.5.
• Add — Click to add this policy to the configuration.
• Cancel — Click to discard your settings. The Manager returns to the Policy Management | Traffic Management | Bandwidth Policies screen, and the Bandwidth Policies list is unchanged.
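The two policing thresholds from the Bandwidth Policing section and the burst-size formula above, as an added token-bucket model in Python. It is not Cisco code: modelling the policer as a bucket of byte tokens that refills at the policing rate and never holds more than the normal burst size is an assumption, as are the constructed packet sequences. It shows why a burst of exactly the recommended size passes, why the next packet is dropped, and what fraction of a sustained overage gets through once the burst allowance is used up.

```python
"""Token-bucket model of bandwidth policing (constructed example, not Cisco
code). Policing rate is in bits per second, burst size in bytes, and time in
milliseconds so that refill arithmetic stays exact. The burst-size formula is
the one on the Add or Modify screen: (policing rate / 8) * 1.5.
"""
from typing import List, Tuple


def normal_burst_size(policing_rate_bps: int) -> int:
    """Recommended burst size in bytes: 1.5 times one second at the policing rate."""
    return int(policing_rate_bps / 8 * 1.5)          # 250 kbps -> 46875 bytes


class Policer:
    """Assumed token bucket: tokens are bytes, refilled at rate_bps / 8 per second
    and capped at burst_bytes; a packet passes only if it fits in the bucket."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bps = rate_bps
        self.burst_bytes = burst_bytes
        self.tokens = float(burst_bytes)   # starts full, so one full burst may pass at once
        self.last_ms = 0

    def offer(self, size_bytes: int, now_ms: int) -> bool:
        """True: transmit the packet. False: drop it (over the cap)."""
        refill = (now_ms - self.last_ms) * self.rate_bps / 8000   # bytes earned per ms
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_ms = now_ms
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def police(packets: List[Tuple[int, int]], rate_bps: int, burst_bytes: int) -> List[bool]:
    """Verdict for each (arrival_ms, size_bytes) packet sent through one policer."""
    policer = Policer(rate_bps, burst_bytes)
    return [policer.offer(size, t) for t, size in packets]


def burst_example() -> List[bool]:
    """Constructed traffic under a 250 kbps cap: 46875 bytes arrive at once and
    all pass, one more packet is dropped, and a packet one second later passes
    again because 31250 bytes of tokens have refilled."""
    rate = 250_000
    packets = [(0, 1500)] * 31 + [(0, 375), (0, 1500), (1000, 1500)]
    return police(packets, rate, normal_burst_size(rate))


def sustained_example() -> Tuple[int, int]:
    """200 packets of 1500 bytes every 24 ms (500 kbps, twice the cap): the
    bucket absorbs the first 61, after which only every other packet passes.
    Returns (transmitted, dropped)."""
    rate = 250_000
    packets = [(24 * i, 1500) for i in range(200)]
    verdicts = police(packets, rate, normal_burst_size(rate))
    return verdicts.count(True), verdicts.count(False)


if __name__ == "__main__":
    print(normal_burst_size(250_000), burst_example().count(True), sustained_example())
```

The sustained case is the one to keep in mind when sizing the burst: a larger Normal Burst Size only delays the point at which drops begin; the long-run throughput is still the policing rate.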
Certificate Group Matching
This section of the Manager allows you to define rules to match a user's certificate to a permission group based on fields in the distinguished name (DN). In releases previous to 3.6, the VPN Concentrator used the OU field from a user's certificate to assign that user to a permission group. For example, if the OU field of a user's certificate were "Sales," the VPN Concentrator assigned that user to the "Sales" permission group. The certificate group matching feature allows you to identify members of a permission group on the basis of other criteria: you can use other fields of the certificate or you can have all certificate users share a permission group.
To match users' permission groups based on other fields of the certificate, you must define rules that specify which fields to match for a group and then enable each rule for that selected group. Rules cannot be longer than 255 characters. A group must already exist in the configuration before you can create a rule for it.
You can assign multiple rules to the same group. When multiple rules are assigned to the same group, a match results for the first rule that tests true.
To match users' permission groups based on multiple fields in the certificate so that all the criteria must match for the user to be assigned to a permission group, create a single rule with multiple matching criteria. To match users' permission groups based on one criterion or another so that successfully matching any of the criteria identifies the member of the group, create multiple rules.
For example, to assign particular permissions to members of the Sales group who are in the division "VPNDIV" and who are located in San Jose, create a single rule and assign it to the group "Sales:"
sales <-- ou="vpndiv",l="san jose"
To assign particular permissions to members of the Sales group who are either in the VPN division or located in San Jose, create two rules and apply both to the group "Sales:"
sales <-- ou="vpndiv"
sales <-- l="san jose"
Once you have defined rules, you must configure a certificate group matching policy to define the method you want to use to identify the permission groups of certificate users: match the group from the rules, match the group from the OU field, or use a default group for all certificate users. You can use any or all of these methods.
Figure 14-28 Configuration | Policy Management | Certificate Group Matching Screen
Screen Elements
• Rules — Click this link to create certificate group matching rules.
• Matching Policy — Click this link to choose a method to identify the permission groups of certificate users.
Certificate Group Matching | Rules
This section of the Manager lets you add, modify, delete, and rearrange rules for certificate group matching.
Figure 14-29 Configuration | Policy Management | Certificate Group Matching | Rules Screen
Screen Elements
• Add — Click to configure and add a new rule.
• Modify — To modify an existing rule, select a rule in the Certificate Matching Rules box and click Modify. When you select a rule, the complete text appears in the box below the Certificate Matching Rules box.
• Delete — To delete a configured rule, select the rule from the list in the Certificate Matching Rules box and click Delete. The Manager refreshes the screen and shows the remaining rules in the list.
• Move Up — To have the VPN Concentrator check the rule earlier in the order, select the rule and click Move Up.
• Move Down — To have the VPN Concentrator check the rule later in the order, select the rule and click Move Down.
Certificate Group Matching | Rules | Add or Modify
These screens let you configure and add a new certificate group matching rule or modify a previously configured certificate matching rule.
Distinguished Name Component Options
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.
Field | Content
Subject | The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
Issuer | The CA or other entity (jurisdiction) that issued the certificate.
A distinguished name can contain a selection from the following fields:
Field | Content
Common Name (CN) | The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
Surname (SN) | The family name or last name of the certificate owner.
Country (C) | The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Locality (L) | The city or town where the organization is located.
State/Province (S/P) | The state or province where the organization is located.
Organization (O) | The name of the company, institution, agency, association, or other entity.
Organizational Unit (OU) | The subgroup within the organization.
Title (T) | The title of the certificate owner, such as Dr.
Name (N) | The name of the certificate owner.
Given Name (GN) | The first name of the certificate owner.
Initials (I) | The first letters of each part of the certificate owner's name.
E-mail Address (EA) | The e-mail address of the person, system or entity that owns the certificate.
Generational Qualifier (GENQ) | A generational qualifier such as Jr, Sr, or III.
DN Qualifier (DNQ) | A specific DN attribute.
Serial Number (SER) | The serial number of the certificate.
Figure 14-30 Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify Screen
Screen Elements
• Enable — Click to allow the VPN Concentrator to use the rule you are adding or modifying. To disable the rule, clear the Enable box. If the rule is disabled, it is marked with (D) in the Certificate Matching Rules box.
• Group — Select the group to assign this rule to from the pull-down menu. You can assign this rule only to groups that are currently defined in the configuration. If the group you want to use is not in the list, you must first go to Configuration | User Management | Groups and define the group.
• Distinguished Name — Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the rule. See Distinguished Name Component Options, above.
• Operator — Select the relationship between the Distinguished Name and Value fields.
Operator | Meaning
Equals (=) | The distinguished name field must exactly match the value.
Not Equals (!=) | The distinguished name field must not match the value.
Contains (*) | The distinguished name field must contain the value within it.
Does Not Contain (!*) | The distinguished name field must not contain the value within it.
• Value — The value to be matched against. The VPN Concentrator automatically places text values within double quotes. To enter values manually, follow the rules on the screen. Values are not case-sensitive.
• Append — To enter the next part of a rule, click Append. When you click Append, the VPN Concentrator appends the part you have defined to the rule that appears under Matching Criteria. In this way, you can build a complex rule that tests multiple components. The VPN Concentrator checks the information in the certificate against all parts of the rule. All parts must test true for the rule to match for this group.
• Matching Criterion — This text box displays the rule. You can create or edit the rule directly in this box. If you create a rule in this way, separate the components with commas. Also, be sure to enclose values in double quotes. If the value itself contains double quotes, replace each of them with two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng".
• Add — Click after entering all parts of the rule for this group to complete the action.
• Cancel — Click to discard your settings. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Rules screen, and the rules list is unchanged.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Certificate Group Matching | Policy
This screen lets you configure a policy for certificate group matching. The VPN Concentrator processes the enabled policies in the order listed until it finds a match.
There are three ways to match a certificate to a group:
• Match Group from Rules: Uses the rules you have defined to match a certificate to a group.
• Obtain Group from OU: Uses the organizational unit field to determine the group to which to match the certificate. (This was the standard policy in releases previous to 3.6.)
• Default to Group: Lets you select a default group for certificate users, used when neither of the above methods results in a match.
By default, the first choice is not checked and the second and third choices are checked.
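The rule syntax introduced under Certificate Group Matching, the operators and quoting rules on the Rules | Add or Modify screen, and the three policy methods listed above, as an added Python example; it is not Cisco code. The page shows only the `sales <-- ou="vpndiv",l="san jose"` form, so the following are assumptions: a distinguished name is passed in as a dict keyed by field label, an `issuer.` prefix selects the Issuer DN while a bare field means the Subject DN, the `*` and `!*` operators are written inline the way `=` is, and a disabled rule carries the (D) marker the Rules screen shows. The rule list and the certificate fields are constructed.

```python
"""Certificate group matching modelled on the rule syntax of this section
(constructed example, not Cisco code). A rule reads
    group <-- field op "value", field op "value", ...
with operators = != * !* . Every criterion of one rule must hold (AND);
rules are tried in order and the first that holds wins (OR across rules).
Assumptions: DN as a dict keyed by field label; `issuer.` prefix selects
the Issuer DN, a bare field the Subject DN; "(D)" marks a disabled rule.
"""
import re
from typing import Dict, List, Optional, Tuple

Dn = Dict[str, str]
Criterion = Tuple[str, str, str, str]        # (dn kind, field, operator, value)
Rule = Tuple[bool, str, List[Criterion]]     # (enabled, group, criteria)

# One criterion: optional subject./issuer. prefix, field, operator, quoted value
# (a quote inside the value is written as two quotes), then a comma or the end.
_CRITERION = re.compile(
    r'\s*(?:(subject|issuer)\.)?([A-Za-z/]+)\s*(!=|=|!\*|\*)\s*"((?:[^"]|"")*)"\s*(?:,|$)',
    re.IGNORECASE,
)


def parse_rule(text: str) -> Rule:
    """Parse one line as shown in the Certificate Matching Rules box."""
    text = text.strip()
    enabled = not text.startswith("(D)")
    group, arrow, rhs = (text if enabled else text[3:]).partition("<--")
    if not arrow:
        raise ValueError(f"rule lacks '<--': {text!r}")
    criteria: List[Criterion] = []
    rhs, pos = rhs.strip(), 0
    while pos < len(rhs):
        m = _CRITERION.match(rhs, pos)
        if m is None:
            raise ValueError(f"cannot parse criterion at {rhs[pos:]!r}")
        kind, fld, op, raw = m.groups()
        criteria.append(((kind or "subject").lower(), fld.upper(), op, raw.replace('""', '"')))
        pos = m.end()
    if not criteria:
        raise ValueError("rule has no criteria")
    return enabled, group.strip().lower(), criteria


def criterion_holds(crit: Criterion, subject: Dn, issuer: Dn) -> bool:
    kind, fld, op, value = crit
    actual = (issuer if kind == "issuer" else subject).get(fld, "").lower()
    wanted = value.lower()                   # values are not case-sensitive
    if op == "=":
        return actual == wanted
    if op == "!=":
        return actual != wanted
    if op == "*":
        return wanted in actual
    return wanted not in actual              # "!*"


def match_rules(rules: List[Rule], subject: Dn, issuer: Dn) -> Optional[str]:
    """Group of the first enabled rule whose criteria all hold, else None."""
    for enabled, group, criteria in rules:
        if enabled and all(criterion_holds(c, subject, issuer) for c in criteria):
            return group
    return None


def resolve_group(subject: Dn, issuer: Dn, rules: List[Rule], match_from_rules: bool = False,
                  obtain_from_ou: bool = True, default_group: Optional[str] = "Base Group") -> Optional[str]:
    """Certificate Group Matching | Policy: the enabled methods in order, first hit wins.
    Defaults mirror the screen: rules unchecked, OU checked, Base Group as default."""
    if match_from_rules:
        group = match_rules(rules, subject, issuer)
        if group is not None:
            return group
    if obtain_from_ou and subject.get("OU"):
        return subject["OU"]
    return default_group


def demo_rules() -> List[Rule]:
    """Constructed rule list; the first three restate the page's Sales examples."""
    return [parse_rule(r) for r in (
        'sales <-- ou="vpndiv",l="san jose"',                      # both criteria must hold
        'sales <-- ou="vpndiv"',                                   # either of these two ...
        'sales <-- l="san jose"',                                  # ... is enough on its own
        '(D) contractors <-- cn*"contractor"',                     # disabled: never considered
        'techeng <-- ou="""Tech"" Eng"',                           # value is: "Tech" Eng
        'partners <-- cn*"partner",issuer.o!="Example Corp CA"',   # issuer. prefix: assumption
    )]


if __name__ == "__main__":
    rules = demo_rules()
    print(resolve_group({"CN": "Alice", "OU": "VPNDIV", "L": "San Jose"}, {}, rules, match_from_rules=True))
```

Two behaviours worth noticing in the test inputs: a user whose certificate matches no enabled rule falls back to the OU method, so a disabled rule does not silently deny access if Obtain Group from OU is still checked; and a certificate with no OU at all lands in the default group, which is why the default should be the least-privileged group you can tolerate.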
Figure 14-31 Configuration | Policy Management | Certificate Group Matching | Policy Screen
Screen Elements
• Match Group from Rules — Check to use the rules you have defined for certificate group matching.
• Obtain Group from OU — Check to use the organizational unit in the certificate to specify the group to match. This choice is enabled by default.
• Default to Group — Check to use a default group or the Base Group for certificate users. Then select the group from the drop-down box. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using the Configuration | User Management | Groups screen. This choice is enabled for the Base Group by default.
• Apply — After checking the policies you want to use for certificate group matching, click Apply.
• Cancel — Click to discard your settings. The Manager returns to the Configuration | Policy Management | Certificate Group Matching screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Network Admission Control (NAC)
Network Admission Control (NAC) provides a method of validating a peer based on its posture, or state, in addition to the identity-based validation provided by PPP, IPSec, and other access methods. This is called posture validation. Posture validation may include checking that the peer is running applications with the latest patches. It may also include checking that anti-virus files, personal firewall rules, or intrusion protection software is up-to-date.
The VPN Concentrator works with other components of Cisco NAC architecture, including the Cisco Trust Agent (CTA) and the Cisco Secure Access Control Servers (ACS). The VPN Concentrator functions as a NAC authenticator and an ACS client.
The NAC Program is a program in which Cisco shares technology features with program participants. Participants design and sell their client and server applications as well as services that incorporate features that are compatible with the NAC infrastructure. For more information about current NAC participants, go to http://www.cisco.com/web/partners/pr46/nac/partners.html.
As a NAC authenticator, the VPN Concentrator does the following:
• Initiates the exchange of credentials with the peer after IPSec session establishment and periodically thereafter
• Relays credential requests and responses between the peer and the authentication (ACS) server using Extensible Authentication Protocol (EAP)
• Enforces network access policy on an interface based on posture validation results from the ACS server
• Implements the configured EAP status query method
• Supports a local exception list based on the peer operating system
• Requests access policies from the ACS server for clientless hosts
As an ACS client, the VPN Concentrator supports the following:
• EAP over RADIUS
• RADIUS attributes required for NAC
When configured for NAC, the VPN Concentrator initiates posture validation immediately after IPSec session establishment. Only IPSec sessions trigger posture validation on the VPN 3000 Concentrator at this time. During posture validation, all IPSec traffic from the peer is subject to the default ACL configured for the peer's group on the Base Group | NAC Tab or Groups | NAC Tab.
Figure 14-32 Configuration | Policy Management | Network Admission Control Screen
Screen Elements
• Global Parameters — Click to change global settings for how the VPN Concentrator functions as a NAC authenticator and ACS client on the Network Admission Control | Global Parameters screen.
• Exception List — Click to set filter settings for remote clients that are exempt from NAC posture validation based on their operating system on the Network Admission Control | Exception List screen.
Network Admission Control | Global Parameters
Set global parameters for NAC on this screen. Enable NAC for groups on the Configuration | User Management | Base Group | NAC Tab or Groups | NAC Tab.
Figure 14-33 Configuration | Policy Management | Network Admission Control | Global Parameters Screen
Screen Elements
• Retransmission Timer — How long to wait for a response from a peer before resending the request. Enter a value between 1 and 60 seconds. Default 3.
• Hold Timer — How long after a failed credential validation or the configured maximum EAP over UDP Retries before the VPN Concentrator attempts to make a new association. Enter a value between 60 and 86400 seconds (1 to 1440 minutes [24 hours]). Default 180 (3 minutes).
• EAPoUDP Retries — The number of retransmissions allowed before the VPN Concentrator marks the EAP over UDP association as failed and invokes the Hold Timer. Enter a value between 1 and 3. Default 3.
• EAPoUDP Port — The port number used for EAP over UDP. Enter a value. Default 21862.
• Clientless Authentication: Enable — Check this box to allow authentication of peers without an active Cisco Trust Agent, that is, peers that do not respond to posture validation requests before exhausting their EAPoUDP Retries. If the ACS server has an access policy for these peers, check this box to enable its use. When this box is checked, the Username and Password fields become active.
• Clientless Authentication: Username — Enter a valid username for clientless peers on the ACS server. This field is only available when the Enable box for Clientless Authentication is checked.
• Clientless Authentication: Password — Enter the password for the specified username on the ACS server. This field is only available when the Enable box for Clientless Authentication is checked.
Network Admission Control | Exception List
Some operating systems do not support all Cisco NAC architecture components (such as CTA). To allow access from remote clients with these operating systems, configure NAC exception list entries. Clients that match the exception list are exempt from posture validation, but are subject to filters that you specify on the Configuration | Policy Management | Network Admission Control | Exception List | Add, Modify, or Copy screen.
Figure 14-34 Configuration | Policy Management | Network Admission Control | Exception List Screen
Screen Elements
• Exception List Entries — This list shows operating systems designated as exempt from posture validation. If there are no exception list entries, the list shows --Empty--.
• Add — Click to create a new exception list entry. The Manager opens the Configuration | Policy Management | Network Admission Control | Exception List | Add, Modify, or Copy screen.
• Modify — To modify a configured exception list entry, select the entry in the Exception List Entries list and click Modify. The Manager opens the Configuration | Policy Management | Network Admission Control | Exception List | Add, Modify, or Copy screen.
• Copy — To copy a configured exception list entry, select the entry in the Exception List Entries list and click Copy. The Manager opens the Configuration | Policy Management | Network Admission Control | Exception List | Add, Modify, or Copy screen.
• Delete — To delete a configured exception list entry, select the entry in the Exception List Entries list and click Delete.
Network Admission Control | Exception List | Add, Modify, or Copy
These screens let you:
• Add: Configure and add a new exception list entry.
• Modify: Modify a previously configured exception list entry.
• Copy: Copy a configured exception list entry, modify its operating system name, save it, and add it to the configured exception list entries.
To configure filters, go to the Configuration | Policy Management | Traffic Management | Filters screen.
Figure 14-35 Configuration | Policy Management | Network Admission Control | Exception List | Add Screen
Screen Elements
• Enable — Check this box to activate this exception list entry. Clear this box to disable it.
• Operating System — Type the name of the operating system that you are exempting from posture validation. Peers running Cisco VPN Client software report their operating system, and it is matched against the entries you configure here. The name must exactly match the operating system name as it appears in the Client Type column of the Remote Access Sessions table on the Monitoring | Sessions screen.
• Apply Filter — Choose a filter to apply to this exception list entry from the drop-down list box. For more information about filters, see Configuration | Policy Management | Traffic Management | Filters.
Note
The VPN Concentrator includes default filters for NAC, named EAPoUDP In and EAPoUDP Out. Modify these filters to replace the 0.0.0.0/0 mask value with an actual IP address and subnet mask for your remote internal host.