Using Management Center for Firewalls 1.3 - Configuring VPN Settings [CiscoWorks Management Center for Firewalls]

Table Of Contents

Configuring VPN Settings

IPSec Tunnels

How Firewall MC Manages IPSec

About IPSec Device Settings

Understanding IPSec Tunnel Templates

Understanding IKE Tunnels Templates

Understanding the Default Tunnel Templates

Understanding IPSec Tunnels

Understanding Tunnel Rules

Important Notes about IPSec Support in Firewall MC 1.3

Configuring Site-to-Site Tunnels

Creating Site-to-Site Tunnels

Configuring IKE Options

Creating Site-to-Site Tunnels

Creating Dynamic Tunnels

Defining Tunnel Rules

Configuring Remote Access

Creating Remote User Tunnels

Defining IP Pools

Configuring Easy VPN Server

Configuring Easy VPN Remote

Configuring Easy VPN Management

Configuring VPN System Options

Configuring VPN Settings

You can use Firewall MC to configure and manage the IPSec features of Cisco PIX Firewalls. IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). It provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.

IPSec provides the following network security services. These services are optional. In general, local security policy will dictate the use of one or more of these services:

•Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.

•Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

•Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.

•Anti-Replay—The IPSec receiver can detect and reject replayed packets.

With IPSec, data can be transmitted across a public network without fear of observation, modification, or spoofing. This enables applications such as virtual private networks (VPNs), including intranets, extranets, and remote user access.

This section provides an overview of IPSec, and describes the concepts and protocols used to create Virtual Private Networks (VPNs).

Topics to be discussed are:

• IPSec Tunnels

• How Firewall MC Manages IPSec

• Understanding IPSec Tunnel Templates

• Configuring Site-to-Site Tunnels

• Configuring Remote Access

• Configuring VPN System Options

IPSec Tunnels

You can use Firewall MC to configure and manage the IPSec features of Cisco PIX Firewalls. IPSec is a suite of protocols that seamlessly integrates security features, such as authentication, integrity, and confidentiality, into IP. Using the IPSec protocols, you can create an encrypted or authenticated communication path between two peers (endpoints), allowing IP traffic to safely cross public or untrusted networks.

The level of protection provided by the IPSec tunnel depends on the protocols used to form the tunnel. IPSec tunnels based on the Authentication Header (AH) protocol provide data integrity, data source authentication, and protection against replay attacks. IPSec tunnels based on the Encapsulating Security Payload (ESP) protocol can also provide data confidentiality in addition to data integrity, data source authentication, and protection against replay attacks.

You can apply both the AH and the ESP protocols to the data being protected, but with IPSec tunnels based on ESP, that is not always necessary. ESP provides an authentication algorithm, called the authenticator, which can be used for data source authentication. The authenticator, however, can be set to null, in which case, the ESP protocol does not provide data source authentication.

You can use Firewall MC to configure and manage IPSec tunnels in two basic configurations:

•Remote-User Tunnels—Allows remote users to connect securely to internal network resources from a public or untrusted network, such as the Internet. See Configuring Remote Access.

•Site-to-Site Tunnels—Enables you to securely transmit data between two managed devices across an untrusted or public network, such as the Internet, creating a VPN between two locations. See Configuring Site-to-Site Tunnels.

You can also use Firewall MC to configure some of the more advanced options of IPSec implemented in Cisco devices, such as tunnel failover. Additionally, Firewall MC facilitates the management of pre-shared keys (also known as pre-shared secrets) used during the negotiation of Internet Key Exchange (IKE) IPSec tunnels.

How Firewall MC Manages IPSec

You can configure and manage IPSec with Firewall MC from four main areas of the Firewall MC GUI:

•IKE Options—Specify that an object supports IPSec and define the level of cipher supported by the device. See About IPSec Device Settings.

•Tunnel Templates—Define the protocols and encryption algorithms that are used by the tunnel peers when you create an IPSec tunnel. See Understanding IPSec Tunnel Templates.

•Tunnels—Define the devices used as peers for a specific IPSec tunnel and the configuration of those peers. You define the tunnel settings for those peers in the tunnel template associated with the tunnel. See Understanding IPSec Tunnels.

•Tunnel Rules—Define what network traffic is sent in the clear and what traffic is sent through an IPSec tunnel. The particular tunnel the traffic uses is specified in the tunnel rule. See Understanding Tunnel Rules.

About IPSec Device Settings

IKE options enable you to configure Internet Key Exchange (IKE) policies used for establishing Phase 1 security associations (SAs).

IKE operates in two phases:

•Phase 1 negotiates the ISAKMP SAs used to establish a single, reusable secure tunnel between two IPSec peers.

•Phase 2 uses the Phase 1 tunnel to negotiate IPSec SAs and establish secure tunnels for transmitting user data.

To establish a secure tunnel, in either Phase 1 or Phase 2, both peers must agree on the encryption algorithm and other security parameters to use. After negotiations are completed, each peer establishes an SA that defines the security parameters to use with the other peer. An IKE policy defines the security parameters that you want a device to use in negotiation with a remote peer for creating a Phase 1 SA.

Pre-shared keys are one type of IKE option used during negotiation of the Phase 1 SA. These keys are used by two peers for authentication during IKE negotiations. They offer a simple, yet secure, solution for smaller networks because they do not require the support of a public key infrastructure (PKI). However, for larger, enterprise networks, the number of key pairs that you would have to maintain can become unwieldy. If you decide to implement IKE tunnels that use pre-shared keys, Firewall MC can assist you by generating pre-shared keys for tunnel peers.

Understanding IPSec Tunnel Templates

IPSec tunnel templates define the settings used to construct IPSec tunnels. You apply tunnel templates to tunnels to provide the peers in the tunnel with the security protocols used for key negotiation and tunnel creation. This ensures that each peer in the tunnel uses common protocols and algorithms when establishing a tunnel with another peer in the tunnel. Without common protocols and algorithms, the tunnel cannot be established.

You can apply the same tunnel template to multiple tunnels. This enables you to create a consistent level of security across your network. You also can create multiple templates, each with a different level of security, and apply them to different tunnels. This enables you, for example, to specify that tunnels created within an internal network use only basic encryption, while a tunnel created from a main office to a remote office across the Internet use the strongest possible encryption.

IKE tunnel templates contain the settings used to derive the primary key for IPSec tunnel sessions. Additionally, IKE tunnels can negotiate a common set of protocols and algorithms for creating tunnels.

Firewall MC provides several default tunnel templates. These templates serve as an example of how tunnel templates are configured for various security levels. You can also use them in your policy rules, with or without modification.

To learn more about IKE tunnel templates and the default tunnel templates provided by Firewall MC, see:

• Understanding IKE Tunnels Templates

• Understanding the Default Tunnel Templates

Understanding IKE Tunnels Templates

IKE tunnels use pre-shared keys, RSA signatures, and RSA encrypted nonces to negotiate authentication between tunnel peers. Firewall MC fully supports the use of pre-shared keys for authentication and partially supports the use of RSA signatures for authentication using a Certificate Authority (CA). You cannot configure CA commands using the Firewall MC GUI, but you can import CA commands or manually configure such commands using the Beginning and Ending Commands feature. Additionally, tunnel peers can negotiate the AH and/or ESP protocol algorithms used to create the tunnel.

IKE tunnels use the Diffie-Hellman algorithm to derive a symmetric key for the tunnel peers while the tunnel is being created. This key can be given a time-to-live (TTL) value, after which another key is negotiated, providing perfect forward secrecy (PFS) to the tunnel. During key negotiation, a hash algorithm is used to verify data integrity and either a digital certificate or a shared secret is used for data authentication. If a shared secret is used for authentication of the Diffie-Hellman exchange, the secret must be configured on the tunnel peers.

Firewall MC facilitates the configuration of IKE tunnel key negotiation and protocol algorithm proposals through the use of tunnel templates. The template enables you to specify the parameters of key negotiation (integrity and authentication algorithms and Diffie-Hellman group) and to create prioritized lists of AH and ESP proposals. You can then apply this template to a tunnel, which defines the tunnel peers, ensuring that all peers are configured with the same IKE configuration.

One benefit of IKE tunnels is that each time the tunnel is created, and each time the time-to-live value for a key is reached, a new key is generated. Even if one key is derived from the encrypted data, data protected by subsequent keys remains safe. It also prevents an observer from gaining a large amount of cipher text generated by the same key, which can potentially make the key that encrypted the text easier to decipher.

IKE tunnels are not limited to a single AH or ESP protocol, or both. You can create prioritized lists of proposals using different protocols in each proposal. These proposals are negotiated between the peers during the creation of the tunnel. For example, you can have a group of three tunnel peers, two of which support Triple DES (PeerA and PeerB) and one of which supports only DES (PeerC), that you want to connect with an ESP tunnel. In the tunnel template, you can create an initial proposal that uses ESP with Triple DES followed by a proposal that uses ESP with DES. Whenever PeerA negotiates a tunnel with PeerB, it uses the first proposal in the tunnel template (ESP with Triple DES). However, whenever PeerA or PeerB negotiates a tunnel with PeerC, the first proposal in the tunnel template will be rejected because PeerC does not support Triple DES. The second proposal will succeed, however, because devices that support Triple DES automatically support DES.

This negotiation is prioritized by the administrator who sets up the tunnels, not by any inherent property of the algorithms. In the previous example, the Triple DES and DES proposals could easily be reversed so that the peers try to use DES as the ESP encryption algorithm before trying Triple DES. In this case, PeerA and PeerB would have used DES when negotiating the tunnel.

Understanding the Default Tunnel Templates

Firewall MC comes with several default tunnel templates. These templates are configured with some common IPSec settings. You can modify these templates for your own use, without affecting Firewall MC, or you can use them in your IPSec implementation as is. The default templates are:

•Highly_Secure_3DES_Authenticate—Provides strong packet authentication using the AH protocol based on the HMAC-SHA algorithm.

•Highly_Secure_3DES_Encrypted—Provides strong packet encryption and authentication using the ESP protocol based on the HMAC-SHA and Triple DES algorithms.

•Highly_Secure_AES_Encrypted—Provides strong packet encryption and authentication using the ESP protocol based on the HMAC-SHA and AES algorithms.

•Highly_Secure_AES192_Encrypted—Provides strong packet encryption and authentication using the ESP protocol based on the HMAC-SHA and AES-192 algorithms.

•Secure_Authenticate—Provides basic packet authentication using the AH protocol based on the HMAC-MD5 algorithm.

•Secure_Encrypted—Provides basic packet encryption and authentication using the ESP protocol based on the HMAC-MD5 and DES-CBC algorithms.

Understanding IPSec Tunnels

You use IPSec tunnels to define the peers (endpoints) in an IPSec SA. When you create IPsec tunnels, you define the tunnels at one peer and select the other peer in the tunnel definition. When you create a simple site-to-site VPN between two peers, it does not matter which peer you define the tunnel at as long as both devices are represented in Firewall MC. When you define the tunnel at one device, Firewall MC automatically configures the information at the remote peer. If Firewall MC does not manage the device at one end of the tunnel, you must define the tunnel on the device that Firewall MC does manage.

You can create a hub-and-spoke configuration in Firewall MC by placing the spoke devices in a device group, then defining the tunnel at the device group and selecting the hub device as the managed peer. In a hub-and-spoke configuration, one tunnel peer acts as a hub and the remaining peers act as spokes on the hub. This enables you to create a one-to-one tunnel from the hub to each spoke, but it does not allow the spokes to create tunnels directly to other spokes. Use this configuration when you want a central-office managed device to communicate with various remote-office managed devices through tunnels created directly between the home and remote offices.

Using a combination of these two techniques, you can create even more complex configurations, like a mesh configuration or a combination configuration. In a mesh configuration, each peer is connected to every hub in the tunnel. In this configuration, no matter which peers are communicating with one another, they can communicate through an IPSec tunnel. Use this configuration if you have several remote offices that you want to interconnect with IPSec tunnels.

A combination configuration is a mix of hub-and-spoke and mesh configurations, where the hubs are connected in a mesh configuration with additional peers connected to the hubs as spokes. A mesh configuration provides flexibility for defining tunnel configurations. For example, you could have several regional offices connected to one another using IPSec tunnel in a mesh configuration. Each regional office could be connected to several local branch offices associated with the regional office. Each branch office could be connected to the associated regional office as a spoke.

Understanding Tunnel Rules

The final component in the Firewall MC implementation of IPSec configuration and management is your security policy. You use tunnel rules to enforce your security policy. Tunnel rules define the network traffic that you want tunneled. They also specify which tunnel to use for the traffic.

Tunnel rules are applied to the interface specified by the tunnel in the tunnel rule. Both inbound and outbound traffic on this interface is evaluated with the tunnel rule. If any unprotected inbound traffic on the interface matches a tunnel rule that specifies such traffic should be protected, the traffic is dropped. Similarly, inbound IPSec traffic matching a Do Not Protect tunnel rule is dropped.

We recommend that for every tunnel rule you define at the local peer for the specified tunnel, you define a "mirror image" tunnel rule at the remote peer. This ensures that traffic that has IPSec protection applied locally can be processed correctly at the remote peer. If a tunnel rule applies to traffic in which the service uses two different ports for communication, you must specify the correct service and port when "mirroring" the tunnel rule.

Note When you define a tunnel, be sure to exclude the management traffic between the CiscoWorks Server or the AUS server and the firewall devices from the tunnel.

Important Notes about IPSec Support in Firewall MC 1.3

Support for the following features and commands is not implemented in the current version of Firewall MC:

•Tunnel priority number consistency checking for all IPSec devices that are tunnel peers within Firewall MC is not supported.

•Creating an IKE policy with conflicting parameters is not supported, but may not result in a configuration warning or error.

•You cannot configure CA commands using the Firewall MC GUI, but you can import CA commands or manually configure such commands using the Beginning and Ending Commands feature.

•The command crypto map map-name seq-num set peer {ip_address | hostname} is not fully supported. Only the ip_address option is fully supported. To use the hostname option, you must import the command (with an accompanying names command to map the device hostname), and then after Firewall MC converts it from name to ip_address, you can generate and deploy back to the device using the ip_address and not the hostname.

•You can copy or cut tunnel rules, and then paste them into another Tunnel Rules table, or into a Translation Exemptions (NAT 0 ACL) rules table. You cannot, however, copy or cut translation exemption (NAT 0 ACL) rules, and then paste them into a Tunnel Rules table. Rules can be copied within the same device, to a different device, to a device group, or to the Global group.

Configuring Site-to-Site Tunnels

Site-to-site tunnels enable you to secure traffic that crosses a public or untrusted network. The traffic enters the IPSec tunnel as it crosses a network device, such as a router or firewall, that is typically located at the edge of the trusted network. The traffic leaves the tunnel as it crosses another network device, typically located at the edge of the receiving end's trusted network.

Site-to-site tunnels usually fall into one of two categories:

•Remote office/home office tunnels, where you manage all tunnel peers and the networks behind those peers.

•Home office/business partner tunnels, where you manage only one tunnel peer.

Although each type of tunnel is constructed in a similar manner, there are a few key differences that you should be aware of.

In remote office/home office tunnels, you control both ends of the tunnels and the networks behind those tunnels, including the IP address space. You can disable NAT for the tunneled traffic if, by doing so, you do not create duplicate internal IP addresses.

In business partner/home office tunnels, you usually do not manage the partner end of the tunnel. You can enable NAT to keep your internal IP address hidden. Additionally, you must include the IP address provided by the partner in the tunnel used for the partner traffic. You use the IP addresses provided by the partner in a policy rule as the source or destination of the tunneled traffic. Your partner must provide you with the information needed to model the unmanaged tunnel peer and IP addresses and to manually configure its end of the tunnel with the appropriate IPSec settings (manual keys, pre-shared keys, protocols, and so on).

Creating Site-to-Site Tunnels

The following checklist outlines the tasks required to create site-to-site IPSec tunnels between two devices that are connected by an untrusted or public network. Each task might contain several actions and should be performed in the order presented.

Task

1. Create an IPSec tunnel template.

IPSec tunnel templates enable you to define the tunnel policies that you use to create site-to-site tunnels. Transform sets are used to define IPSec tunnel templates. A transform set represents a certain combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting data flow.

Firewall MC provides several default tunnel templates. If an appropriate tunnel template does not exist, you must create one before proceeding.

For more information, see:

• Defining IPSec Transform Sets, page 10-39.

• Defining IPSec Tunnel Templates, page 10-45.

2. Create the tunnel.

Using the template defined in the previous task, create the site-to-site tunnel to use for VPN access. You can skip this step if you already have a tunnel to use.

Be sure to exclude the management traffic between the CiscoWorks Server or the AUS server and the firewall devices from the tunnel.

For more information, see Creating Site-to-Site Tunnels.

3. Create the tunnel rules.

Tunnel rules control the traffic that should be protected by the defined tunnel. The rules identify the devices and traffic that should use the specified tunnel.

For more information, see Defining Tunnel Rules.

4. Generate and deploy the configuration.

After making desired configuration changes, you must generate the new configuration files. After you generate the new configurations, you can deploy those files or save them, then deploy later.

For more information, see Generating Configurations for Modified Devices.

Configuring IKE Options

IKE options enable you to configure IKE policies used to establish Phase 1 SAs.

IKE operates in two phases:

•Phase 1 negotiates the ISAKMP SAs used to establish a single, reusable secure tunnel between two IPSec peers.

•Phase 2 uses the Phase 1 tunnel to negotiate IPSec SAs and establish secure tunnels for transmitting user data.

To establish a secure tunnel, either in Phase 1 or Phase 2, both peers must agree on the encryption algorithm and other security parameters to use. After negotiation is complete, each peer establishes an SA that defines the security parameters to use with the other peer. An IKE policy defines the security parameters for your firewall to use in negotiation with a remote peer for creating a Phase 1 SA.

Topics to be discussed are:

• Configuring IKE Settings

• Configuring IKE Policies

• Configuring IKE Interfaces

• Configuring Pre-shared Keys

• Configuring XAuth/Mode Config

• Configuring Fully Qualified Domain Name/IP Address Exceptions

Configuring IKE Settings

The IKE Settings feature enables you to define security parameters to use in negotiations with a remote peer for creating a Phase 1 SA. These parameters include Identity settings, Keepalive and Retry values, and NAT Transparency settings.

Step 1 Select Configuration > VPN > IKE Options > Settings.

The IKE Settings page appears.

Step 2 Click the radio button that corresponds to the method to use for identifying the firewall when establishing IPSec SAs using IKE.

Note The default identity is "Hostname." Hostname is recommended for ISAKMP policies using RSA signatures for authentication.

Step 3 If you selected Key-ID as the identity type, enter the ID that a headend VPN device uses to look up the pre-shared key for this device. This ID must be unique for each tunnel peer. The Key ID string will be passed to the headend VPN device using aggressive-mode negotiation. Key-ID is supported only in PIX Firewall version 6.3 and later.

Note If the Easy VPN Remote or Easy VPN Management feature is enabled on the firewall, the vpnclient group name takes precedence over the Key ID setting, and the firewall sends vpnclient group name as the Key ID.

Step 4 To define Keepalive and Retry values:

Note The Keepalive feature is used for Dead Peer Detection (DPD).

a. Select the Set Keepalive and Retry Values check box.

b. Enter a Keepalive lifetime interval. Values are 10-3600 seconds (1 hour). Default is 10. You can specify the Keepalive interval with or without specifying the Retry interval.

c. Enter the interval between retries after a Keepalive response has not been received. Values are 2-10 seconds. Default is 2. To specify a Retry interval, you must also specify the Keepalive interval.

Step 5 To enable NAT traversal:

Note NAT traversal is supported only in PIX Firewall 6.3 and later.

a. Select the Enable NAT Traversal check box.

b. Enter the time in seconds to keep alive NAT mappings. Tunnel peers use the NAT Keepalive value to determine how frequently to send NAT Keepalive packets. Values are 10-3600 seconds (1 hour). Default is 20.

Step 6 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-1 describes the elements on the IKE Settings page.

Table 17-1 IKE Settings

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Identity

Identifies whether the DNS hostname, IP address, or key ID is used to identify the firewall when establishing IPSec SAs using IKE. As a general rule, set the PIX Firewall and its peers' identities in the same way to avoid an IKE negotiation failure. This failure could be caused by either the PIX Firewall or its peer not recognizing its peer's identity.

The Key-ID option may be used for a DHCP enabled firewall at the remote site to interoperate with third-party VPN headend devices that do not support the Unity protocol. The headend VPN device uses the information in the Key ID field to look up the pre-shared key.

Key ID

Identifies the ID that a headend VPN device uses to look up the pre-shared key. This ID must be unique for each tunnel peer. Key-ID is supported only in PIX Firewall 6.3 and later.

The Key ID field is enabled when you select Key-ID as the Identity type. The Key ID string will be passed to the headend VPN device using aggressive mode negotiation.

Note If the Easy VPN Remote or Easy VPN Management feature is enabled on the firewall, the vpnclient group name takes precedence over the Key ID setting, and the firewall sends the vpnclient group name as the Key ID.

Set Keepalive and Retry Values

Enables you to modify Keepalive and Retry values. The Keepalive feature is used for Dead Peer Detection (DPD). Select this check box to enable entry on the Keepalive and Retry fields.

Keepalive

Identifies the Keepalive lifetime interval. Values are 10-3600 seconds (1 hour). Default is 10. You can specify the Keepalive interval with or without specifying the Retry interval.

Retry

Identifies the interval between retries after a Keepalive response has not been received. Values are 2-10 seconds. Default is 2. To specify a Retry interval, you must also specify the Keepalive interval.

Enable NAT Traversal

Select this check box to enable NAT traversal, which lets ESP packets pass through one or more NAT devices. NAT traversal is only supported in PIX Firewall 6.3 and later. NAT traversal is described by Version 2 and Version 3 of the draft IETF standard, "UDP Encapsulation of IPsec Packets," which is available at: http://www.ietf.org/html.charters/ipsec-charter.html

NAT Keepalive

Identifies the time in seconds to keep alive NAT mappings. Tunnel peers use the NAT Keepalive value to determine how frequently to send NAT Keepalive packets. Values are 10-3600 seconds (1 hour). Default is 20.

Configuring IKE Policies

The IKE Policies feature enables you to define security parameters that are used in negotiation with a remote peer for creating a Phase 1 SA.

Step 1 Select Configuration > VPN > IKE Options > Policies.

The IKE Policies page appears.

Step 2 Click Add.

The Create IKE Policy page appears.

Step 3 Enter the priority for this IKE policy.

Lower priority numbers have a greater priority. If the remote IPSec peer does not support the parameters selected in your first priority policy, the firewall tries to use the parameters defined in the policy with the next lowest priority number.

Step 4 Select the encryption algorithm to use to establish the Phase 1 SA for protecting Phase 2 negotiations. Options are DES, 3DES (Triple DES), AES, AES-192, and AES-256.

Note•To support Triple DES encryption, the firewall must have a Triple DES license. Otherwise, only DES is supported.

•To support AES encryption, the firewall must be running PIX OS version 6.3(x) or later.

Step 5 Select the hash algorithm to use for authentication and ensuring data integrity. Options are SHA and MD5.

Step 6 Select the method of authentication to use to establish the identity of each IPSec peer. See Authentication.

Step 7 Select the Diffie-Hellman group to use for deriving a shared secret between two IPSec peers without transmitting it to each other. See Diffie-Hellman Group.

Note Support for Diffie-Hellman Group 5 is introduced in PIX OS 6.3. PIX OS versions before 6.3 support only Diffie-Hellman Group 1 and 2.

The larger the modulus, the higher the security and the more processing time required.

Step 8 Enter the SA lifetime in seconds. Values are 60-86400 seconds (24 hours). Default is 86400. As a general rule, a shorter lifetime provides more secure IKE negotiations. However, with longer lifetimes, future IPSec SAs can be set up more quickly.

Step 9 Click OK.

The IKE policy is added to the list of policies on the Policies page. Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-2 describes the elements on the IKE Policies page.

Table 17-2 IKE Policies

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Priority

Identifies the priority of the IKE policy. Lower priority numbers have a greater priority. If the remote IPSec peer does not support the parameters selected in your first priority policy, the firewall tries to use the parameters defined in the policy with the next lowest priority number.

Encryption

Specifies the symmetric encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations. The encryption algorithms supported by the firewall are:

Note To support Triple DES encryption, the firewall must have a Triple DES license. Otherwise, only DES is supported. To support AES encryption, the firewall must be running PIX OS 6.3(x) or later.

•DES (Data Encryption Standard)—Performs encryption using 56-bit keys.

•3DES (Triple DES)—Performs encryption three times using 56-bit keys. Triple DES is more secure than DES but requires more processing for encryption and decryption.

•AES (Advanced Encryption Standard)—Performs encryption using 128-bit keys.

•AES-192 (192-bit Advanced Encryption Standard)—Performs encryption using 192-bit keys.

•AES-256 (256-bit Advanced Encryption Standard)—Performs encryption using 256-bit keys.

Hash

Specifies the hash algorithm used for authentication and ensuring data integrity.

•SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

•MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than does SHA.

Note There was a demonstrated successful (but extremely difficult) attack against MD5. However, the Keyed-Hash Message Authentication Code (HMAC) version used by PIX Firewall prevents this attack.

Diffie-Hellman Group

Specifies the Diffie-Hellman group identifier, which is used by the two IPSec peers to derive a shared secret without transmitting it to each other.

To perform the Diffie-Hellman operation, both sides must agree to use a number or group for the mathematical calculation. PIX OS versions before 6.3 support Group 1 (768 bits) and Group 2 (1024 bits). PIX OS 6.3 and later adds support for Group 5 (1536 bits), which provides higher security for the Diffie-Hellman operation.

•Group 1 (default)—768-bit Diffie-Hellman. Requires less CPU time to execute but is less secure than Group 2 and Group 5.

•Group 2—1024-bit Diffie-Hellman.

•Group 5—1536-bit Diffie-Hellman. Group 5 is the most secure, and is recommended for use with AES.

Authentication

Specifies the method of authentication used to establish the identify of each IPSec peer:

•Pre-shared—Uses manually configured pre-shared keys for completing IKE Phase 1 negotiation. Pre-shared keys do not scale well with a growing network, but they are easier to set up in a smaller network with a limited and stable number of IPSec peers. Firewall MC fully supports the use of pre-shared keys for authentication.

•RSA-Sig—Uses digital certificates for managing the public keys required for completing IKE Phase 1 negotiation. Digital certificates scale well for large or growing networks with many IPSec peers. Digital certificates also establish non-repudiation for IKE negotiation, which means that you can prove to a third party that IKE negotiation was completed with a specific peer.

Firewall MC partially supports the use of RSA signatures for authentication using a CA. You cannot configure CA commands using the Firewall MC GUI, but you can import CA commands or manually configure such commands using the Beginning and Ending Commands feature.

Lifetime (sec)

Identifies the SA lifetime. Default is 86,400 seconds (24 hours). As a general rule, a shorter lifetime provides more secure IKE negotiations. However, with longer lifetimes, future IPSec SAs can be set up more quickly.

Configuring IKE Interfaces

The IKE Interfaces feature enables you to define which interfaces are enabled for IKE. You can also specify which of these interfaces also permit Easy VPN traffic.

Step 1 Select Configuration > VPN > IKE Options > Interfaces.

The IKE Interfaces page appears.

Step 2 To enable IKE on an interface, select the IKE Enabled check box for that interface.

Step 3 To permit Easy VPN traffic on an interface, select the Allow Easy VPN Traffic check box.

You must enable IKE on an interface before you can permit Easy VPN traffic on that interface.

Note Selecting the Allow Easy VPN Traffic option enables the crypto map map-name client configuration address initiate and crypto map map-name client configuration address respond commands on the interface. These commands are required to support Cisco VPN Clients before version 4.x and the Cisco Secure VPN Client (IRE). You do not need to select this option if you are using only Cisco VPN Client 4.x and later; however, enabling this option will not cause any problems to these clients.

Step 4 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-3 describes the elements on the IKE Interfaces page.

Table 17-3 IKE Interfaces

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface column

Identifies the interfaces on which you can enable IKE and Easy VPN traffic. The table lists all interfaces defined at the current scope.

Enabled column

Identifies whether the interface is enabled or not.

IKE Enabled column

Identifies whether IKE is enabled on the interface. To enable IKE on an interface, select the IKE Enabled check box for that interface.

Allow Easy VPN Traffic column

Identifies whether Easy VPN traffic is permitted on the interface. To permit Easy VPN traffic on an interface, select the Allow Easy VPN Traffic check box. You must enable IKE on an interface before you can permit Easy VPN traffic.

Note Selecting the Allow Easy VPN Traffic option enables the crypto map map-name client configuration address initiate and crypto map map-name client configuration address respond commands. These commands are required to support Cisco VPN Clients before version 4.x and the Cisco Secure VPN Client (IRE). You do not need to select this option if you are using only Cisco VPN Client 4.x and later; however, enabling this option will not cause any problems these clients.

Configuring Pre-shared Keys

The Pre-shared Keys feature lets you configure pre-shared keys for authenticating IPSec peers. You can also define a default pre-shared key policy for peers that do not have a pre-shared key explicitly defined.

Whenever you cannot use IKE to establish SAs between your firewall and a remote IPSec peer, you can manually configure the pre-shared key used for establishing the Phase 1 SA. This is practical only with a limited number of IPSec peers having known IP addresses (or DNS hostnames). This method of configuration is most practical for site-to-site VPNs. Whenever a new peer is added to the network, you must configure pre-shared keys for that peer and any PIX Firewall or other VPN headend using pre-shared keys. Also, you cannot use SA lifetimes or PFS when using pre-shared keys. To access this feature, select Configuration > VPN > IKE Options > Pre-shared Keys.

Topics to be discussed are:

• Defining the Default Pre-shared Key Policy

• Generating New Auto-generated Pre-shared Keys

• Viewing Auto-generated Pre-shared Keys

• Defining the Pre-shared Key for a Peer

Defining the Default Pre-shared Key Policy

You can define a default pre-shared key policy for peers that do not have a pre-shared key explicitly defined.

Note If you use the default pre-shared key policy to define the pre-shared keys used for authenticating peers, XAuth and Mode Config is disabled. To enable XAuth or Mode Config, you must explicitly define the pre-shared keys for the peers.

Step 1 Select Configuration > VPN > IKE Options > Pre-shared Keys.

The Pre-shared Keys page appears.

Step 2 To define the default pre-shared key policy to use for peers whose pre-shared key you are not explicitly defining, do one of the following:

•To have Firewall MC automatically generate pre-shared keys for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table, click the Auto-generate Keys radio button. This requires that both peers are managed within the site-to-site tunnel configuration (Configuration > VPN > Tunnels > Site-to-Site).

•To manually define a default key to use for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table, click the Use Default Key radio button, then enter the default key in the Default Key and Confirm Default Key fields.

•If you do not want to generate keys for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table, click the None radio button.

Step 3 Click Apply.

Table 17-4 describes the elements on the Default Pre-shared Key Policy page.

Table 17-4 Default Pre-shared Key Policy

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Auto-generate Pre-shared Keys

Specifies how Firewall MC should handle key generation for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table.

•Auto-generate Keys—Automatically generates keys for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table.

•Use Default Key—Allows you to specify a default key to use for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table.

•None—Does not generate keys for peers whose pre-shared keys are not explicitly defined in the User Specified Pre-shared Key table.

Regenerate Pre-shared Keys check box

When selected, enables pre-shared keys that are automatically generated to be regenerated the next time configuration files are generated. This check box is available only after you click the Auto-generate Keys radio button.

Default Key

Identifies the key to use for peers that are not explicitly defined in the User Specified Pre-shared Key table. This field is enabled when you click the Use Default Key radio button.

Confirm Default Key

Enables you to re-enter the Default Key entry.

Apply button

Saves current settings.

Reset button

Discards changes made to the Default Pre-shared Key Policy table and reverts the information displayed to the most recent saved information.

View Keys button

Displays a list of the auto-generated and default pre-shared keys that are created from the default pre-shared key policy for the selected device.

Generating New Auto-generated Pre-shared Keys

Step 1 Select Configuration > VPN > IKE Options > Pre-shared Keys.

The Pre-shared Keys page appears.

Step 2 Using the Object Selector, select the spoke device of the tunnel for which to generate new pre-shared keys. The devices in this tunnel must be configured to use auto-generated keys. For information, see Defining the Default Pre-shared Key Policy.

Step 3 Select the Regenerate Pre-shared Keys check box.

Step 4 Click Apply.

Step 5 Select Configuration > VPN > Tunnels > Site-to-Site.

Step 6 Select the check box for the tunnel for which to generate new pre-shared keys, then click Refresh Keys.

The Keys Status field for the selected tunnel changes to Keys Marked For Refresh. Firewall MC will generate new pre-shared keys for the IPSec tunnel peers the next time configuration files are generated.

Viewing Auto-generated Pre-shared Keys

Step 1 Select Configuration > VPN > IKE Options > Pre-shared Keys.

The Pre-shared Keys page appears.

Step 2 Using the Object Selector, select the device for which to view pre-shared keys.

Note The View Keys button is enabled only at the device level.

Step 3 Click View Keys.

The IKE Pre-shared Keys page appears.

Step 4 Click OK when you finish viewing the information.

Table 17-5 describes the elements on the IKE Pre-shared Keys page.

Table 17-5 IKE Pre-shared Keys

Element

Description

Type

Identifies the type of pre-shared key:

•Default

•Auto (Auto-generated)

Peer

Identifies the peer for which you are viewing pre-shared keys.

Interface

Identifies the interface on which the pre-shared key is defined.

Key

Displays the pre-shared authentication key for this peer.

Last Generation

Displays the date and time of the last configuration file generation for the device.

Regenerate

Indicates whether the pre-shared key is regenerated when the configuration file for the device is generated next. When Regenerate is enabled, shown as True. When disabled, shown as False.

XAuth

Identifies whether extended authentication (XAuth) is enabled (true) or disabled (false) for the specified peer. XAuth lets you deploy IPSec VPNs using TACACS+ or RADIUS as your user authentication method. This feature provides user authentication by prompting a user for a username and password and verifying these with information stored in a TACACS+ or RADIUS database.

Note XAuth is negotiated after IPSec Phase 1 (IKE device authentication phase) and before IPSec Phase 2 (IPSec SA negotiation phase). If XAuth authentication fails, the IPSec SA is not established and the IKE SA is deleted.

Mode Config

Identifies whether Mode Config is enabled (true) or disabled (false) for the specified peer. When enabled, allows a security gateway (in this case a PIX Firewall) to download an IP address and other network-level configurations to a VPN client peer as part of IKE (Phase 1) SA negotiation. Using this exchange, the firewall gives an IP address to the VPN client to be used as an "inner" IP address encapsulated in the IPSec packet. Provides a known IP address for the VPN client, which can be matched with the IPSec rules. For this feature to be implemented, it must also be supported by any routers handling the IPSec traffic.

Defining the Pre-shared Key for a Peer

Step 1 Select Configuration > VPN > IKE Options > Pre-shared Keys.

The Pre-shared Keys page appears.

Step 2 Click Add.

The Create IKE Pre-shared Key page appears.

Step 3 Enter the pre-shared key in the Key and Confirm Key fields.

Step 4 Do any of the following:

•To enable XAuth, select the XAuth check box.

•To enable Mode Config, select the Mode Config check box.

Step 5 If the IPSec tunnel peer is managed by Firewall MC:

a. Click the Managed Device Interface radio button.

b. Click Select to display the device hierarchy.

c. Navigate to and select the remote peer for this tunnel, then click OK.

d. Select the interface of the peer from the Peer Interface list.

e. Go to Step 7.

Step 6 If the IPSec tunnel peer is not managed by Firewall MC:

a. Click the IP Address/Netmask radio button.

b. Enter the IP address and netmask (in either bit count or dotted decimal format) separated by a forward slash (for example, 192.168.1.10/24 or 192.168.1.10/255.255.255.0).

Step 7 Click OK.

The pre-shared key is created and added to the User Specified Pre-shared Key Table.

Step 8 For a tunnel using this pre-shared key to be successfully established, you must configure the same key on the IPSec tunnel peer before you generate and deploy the configurations to the devices.

Table 17-6 describes the elements on the User Specified Pre-shared Key page.

Table 17-6 User Specified Pre-shared Keys

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Key

Identifies the pre-shared authentication key for this peer. You enter the pre-shared key in the Create IKE Pre-shared Key page. The key is masked in the Create IKE Pre-shared Key page and in the User Specified Pre-shared Key table using asterisks (*). To view the key in clear text, select View Config > Generate Config.

Confirm Key

Allows you to re-enter the pre-shared authentication key for this peer. The key is masked using asterisks (*). To view the key in clear text, select View Config > Generate Config.

XAuth check box

Identifies whether extended authentication (XAuth) is enabled or disabled for the specified peer. XAuth lets you deploy IPSec VPNs using a TACACS+, RADIUS, or LOCAL database as your user authentication method. This feature provides user authentication by prompting for a username and password and verifying these with information stored in a TACACS+, RADIUS, or LOCAL database.

Note XAuth is negotiated after IPSec Phase 1 (IKE device authentication phase) and before IPSec Phase 2 (IPSec SA negotiation phase). If XAuth authentication fails, the IPSec SA is not established and the IKE SA is deleted.

Mode Config check box

When selected, a security gateway (in this case a PIX Firewall) can download an IP address and other network level configuration to a VPN client peer as part of IKE (Phase 1) SA negotiation. Using this exchange, the firewall gives an IP address to the VPN client to be used as an "inner" IP address encapsulated in the IPSec packet. This provides a known IP address for the VPN client, which can be matched against the IPSec rules. To implement this feature, it must also be supported by any routers handling the IPSec traffic.

Peer Type

Identifies whether the peer for which you are defining a pre-shared key is managed by Firewall MC.

•IP Address/Netmask—Used if the peer for which you are defining a pre-shared key is not managed by Firewall MC. If you select this option, you must specify the IP address and netmask of the peer.

•Managed Device Interface—Used if the peer for which you are defining a pre-shared key is managed by Firewall MC. If you select this option, you must select the peer from a list of managed devices, then select the interface of the peer.

Peer

Identifies the peer for which you are defining a pre-shared key.

•If the peer is a managed device, click Select to display a list of managed devices. You must also select the peer interface.

•If the peer is not a managed device, enter the IP address and netmask (in either bit count or dotted decimal format) separated by a forward slash (for example, 192.168.1.10/24 or 192.168.1.10/255.255.255.0).

Peer Interface

Lists available interfaces. Used when the peer for which you are defining a pre-shared key is a managed device.

Configuring XAuth/Mode Config

The XAuth/Mode Config feature enables you to configure Extended Authentication (XAuth) and Mode Configuration (Mode Config) on a particular interface. To access this feature, select Configuration > VPN > IKE Options > XAuth/Mode Config.

XAuth enables you to use a TACACS+, RADIUS, or LOCAL database to authenticate a remote user of an IPSec VPN. XAuth, which is designed for VPN clients, provides authentication by prompting the user for a username and password. This information is verified against information stored in your TACACS+, RADIUS, or LOCAL database. XAuth is negotiated between IPSec Phase 1 (IKE device authentication phase) and IPSec Phase 2 (IPSec SA negotiation phase). If XAuth fails, the IPSec SA will not be established and the IKE security association will be deleted.

Note LOCAL authentication is only supported in PIX Firewall 6.3 and later.

Mode Config allows a security gateway (in this case a PIX Firewall) to download an IP address (and other IP-related settings) to a VPN client peer as part of SA negotiation. Using this exchange, the firewall gives an IP address to the VPN client to be used as an "inner" IP address encapsulated under IPSec. This provides a known IP address for a VPN client, which can be matched against the IPSec policy. To implement this feature, it must also be supported by any routers handling the IPSec traffic.

Note When Mode Config is used with XAuth, the XAuth authentication is performed first.

Before You Begin

•If using XAuth, you must define the AAA server group to be used for authentication. To define AAA server groups, select Configuration > Building Blocks > AAA Server Group. See Defining AAA Server Groups, page 10-31.

The LOCAL group is defined by default, but if you are using the LOCAL database, you must configure user accounts. See Configuring User Accounts, page 8-59.

•If using Mode Config, you must identify the pool of IP addresses that the device will draw from. To configure IP pools, select Configuration > VPN > Remote Access > IP Pools. See Defining IP Pools.

Step 1 Select Configuration > VPN > IKE Options > XAuth/Mode Config.

The XAuth/Mode Config page appears.

Step 2 Select the check box for the interface on which to configure XAuth or Mode Config, then click Edit.

The IKE XAuth/Mode Config page appears.

Step 3 To enable XAuth:

a. Select the XAuth radio button.

b. Select the AAA server group to use for XAuth from the XAuth Server list.

c. If the AAA server supports a user authentication system based on a hardware token, such as an ID card, that is physically verified by a hardware device on the client side, select the Server is Token-based check box.

Note This option is not valid when using the LOCAL database.

Step 4 To enable Mode Config:

a. Select the Mode Config check box.

b. Select the pool of IP addresses to be used for supplying addresses from the IP Pool list.

Step 5 Click OK.

The settings are saved. Changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-7 describes the elements on the XAuth/Mode Config page.

Table 17-7 XAuth/Mode Config

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Interface

Identifies the interface to which the XAuth and Mode Config settings apply.

XAuth check box

Enables the Extended Authentication (XAuth) feature within the IKE protocol. This allows you to use a TACACS+, RADIUS, or LOCAL database as your user authentication method for client-to-device VPN tunnels.

XAuth, which is designed for VPN clients, provides authentication by prompting the user for a username and password. This information is verified against information stored in your TACACS+, RADIUS, or LOCAL database. XAuth is negotiated between IPSec Phase 1 (IKE device authentication phase) and IPSec Phase 2 (IPSec SA negotiation phase). If XAuth fails, the IPSec SA will not be established and the IKE SA will be deleted.

Note When used in conjunction with the Mode Config option, XAuth is performed first.

XAuth Server

Use this list to select the AAA server group¹ to use for XAuth.

Token-based Server
(Server is Token-based check box)

Enable this option if the AAA server supports a user authentication system based on a hardware or software token. This option is not available when using the LOCAL database.

Note Not all token systems are compatible with PIX Firewall. See Cisco PIX Firewall and VPN Configuration Guide for more information.

Mode Config check box

Enables the Mode Config feature. Mode Config allows a security gateway (in this case a PIX Firewall) to download an IP address (and other IP-related settings) to a VPN client peer as part of SA negotiation. Using this exchange, the firewall gives an IP address to the VPN client to be used as an "inner" IP address encapsulated under IPSec. This provides a known IP address for a VPN client, which can be matched against the IPSec policy. To implement this feature, it must also be supported by any routers handling the IPSec traffic.

Note When used in conjunction with the XAuth option, XAuth is performed first.

IP Pool

Identifies the pool of IP addresses² to be used for supplying addresses when Mode Config is enabled.

IKE Enabled

Identifies whether IKE is enabled on the selected interface.

¹To define AAA server groups, select Configuration > Building Blocks > AAA Server Group. See Defining AAA Server Groups, page 10-31.

²To configure IP pools, select Configuration > VPN > Remote Access > IP Pools. See Defining IP Pools.

Configuring Fully Qualified Domain Name/IP Address Exceptions

The Fully Qualified Domain Name (FQDN)/IP Address Exceptions feature lets you configure multiple IPSec peers and enable or disable XAuth and Mode Config for each. You should configure the XAuth feature for the peer depending on the authentication method used within your IKE policies.

Step 1 Select Configuration > VPN > IKE Options > FQDN/IP Exceptions.

The FQDN/IP Exceptions page appears.

Step 2 Click Add.

The Create FQDN/IP Peer Exception page appears.

Step 3 Enter the fully qualified domain name or IP address of the VPN peer in the Peer FQDN/IP field.

Note If you are configuring FQDN/IP Address exceptions for a peer, you must disable XAuth, Mode Config, or both.

Step 4 Do one of the following:

•To disable the exchange of XAuth (username and password) information with the FQDN/IP peer, deselect the XAuth check box.

•To indicate that the device should use the default setting for XAuth when communicating with the FQDN/IP peer, select the XAuth check box.

Step 5 Do one of the following:

•To disable the exchange of Mode Config (dynamically assigned IP address) information with the FQDN/IP peer, deselect the Mode Config check box.

•To indicate that this device should use the default setting for Mode Config when communicating with the FQDN/IP peer, select the Mode Config check box.

Step 6 Click OK.

The peer is added to the list of peers on the FQDN/IP Exceptions page.

Table 17-8 describes the elements on the FQDN/IP Exceptions page.

Table 17-8 FQDN/IP Exceptions

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Peer
(Peer FQDN/IP)

Specifies the fully qualified domain name (FQDN) or IP address of the IPSec VPN peer for which you are configuring XAuth or Mode Config settings.

XAuth

If you have both a site-to-site VPN peer and VPN client peers terminating on the same interface, and have the XAuth feature configured, configure the firewall to make an exception to this feature for the site-to-site VPN peer. With this exception, the firewall will not challenge the site-to-site peer for a username and password. The command that you employ to make an exception to the XAuth feature depends on the authentication method you are using within your IKE policies.

To disable the exchange of XAuth (username and password) information with the FQDN/IP peer, deselect the XAuth check box. To indicate that this device should use the default setting for XAuth when communicating with the FQDN/IP peer, select the XAuth check box.

Mode Config

If you have both a site-to-site VPN peer and VPN clients terminating on the same interface, and have the IKE Mode Config feature configured, you should also configure the firewall to make an exception. With this exception, the firewall does not attempt to download an IP address to the peer for dynamic IP address assignment.

To disable the exchange of Mode Config (dynamically assigned IP address) information with the FQDN/IP peer, deselect the Mode Config check box. To indicate that this device should use the default setting for Mode Config when communicating with the FQDN/IP peer, select the Mode Config check box.

Creating Site-to-Site Tunnels

The Site-to-Site Tunnels feature enables you to create IPSec tunnels. When you create IPSec tunnels, you define the tunnels at one peer and select the other peer in the tunnel definition. When creating a simple site-to-site VPN between two peers it does not matter at which peer you define the tunnel as long as both devices are represented in Firewall MC. When you define the tunnel at one device, Firewall MC automatically configures the tunnel information at the remote peer. If the device at one end of the tunnel is not managed by Firewall MC, you must define the tunnel on the device that is.

You can create a hub-and-spoke configuration in Firewall MC by placing the spoke devices in a device group, and then defining the tunnel on the device group and selecting the hub device as the managed peer.

Step 1 Select Configuration > VPN > Tunnels > Site-to-Site.

The Site-to-Site Tunnels page appears.

Step 2 Using the Object Selector, select the scope (if not already selected) to identify the device or device groups to which the tunnel will apply. The Object bar displays the last scope that was selected on the Configuration tab.

Tip You can create a hub-and-spoke configuration in Firewall MC by placing the spoke devices in a device group, and then selecting the device group in the Object Selector when defining the tunnel.

Step 3 Click Add.

The Enter Site-to-Site Tunnel Data page appears.

Step 4 Enter a descriptive identifier for the site-to-site tunnel.

Step 5 Select the IPSec tunnel template associated with the tunnel. The tunnel template defines the IPSec policies to use with this tunnel. You can select the tunnel template from a list of templates available at the current scope.

Step 6 Select the interface to which the tunnel is applied from a list of interfaces for the device.

Step 7 Enter the priority of the tunnel. A lower priority number has a higher priority. Traffic is evaluated against tunnels in order based on the tunnel's priority.

Step 8 Optionally, you can enter a description for the site-to-site tunnel.

Step 9 To add an unmanaged peer:

a. Click Add Unmanaged Peer.

The Select Peer IP Address page appears.

b. Enter the IP address of the unmanaged peer.

c. Click OK.

The unmanaged peer is added to the list of peers.

Step 10 To add a managed peer:

a. Click Add Managed Peer.

The Select Hub page appears.

b. Select the managed peer from the list of devices. You only can select a device for the managed peer. You cannot select a device group or Global.

c. Click OK.

The managed peer is added to the list of peers.

d. From the Interface column of the Enter Remote Peer Selections table, select the interface on the managed peer on which the tunnel applies.

Step 11 Repeat Step 9 and Step 10 as necessary.

Note If you add more than one peer, the additional peers function as failover hubs, and not as separate VPN connections.

Step 12 To reorder the list of peers, select the row you want to move, then click Move Up or Move Down.

Step 13 Click OK.

The site-to-site tunnel is created, and changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-9 describes the elements on the Site-to-Site Tunnels page.

Table 17-9 Site-to-Site Tunnels

Element

Description

Site-to-Site Tunnels page

Defined At

Identifies the device or group at which the tunnel was defined.

Name

The descriptive named assigned to the site-to-site tunnel.

Priority

Identifies the priority of the tunnel. A lower priority number has a higher priority. Traffic is evaluated against tunnels in order based on the tunnel's priority.

Local Peers

Identifies the local peers for the tunnel.

Remote Peers

Identifies the remote peers for the tunnel.

Tunnel Template

Identifies the IPSec tunnel template associated with the tunnel. The tunnel template defines the IPSec policies to use with this tunnel.

Keys Status

Displays the status of the keys associated with this tunnel.

Consistency Check button

Verifies that pre-shared keys defined for this device are consistent with the pre-shared keys of the device's peers.

Refresh Keys button

Refreshes the status of the pre-shared keys. If the pre-shared keys are set to auto-generate, you can generate new keys by selecting the Regenerate check box on the VPN >IKE Options >Pre-shared Keys page, and then clicking Refresh Keys. The keys will be marked for regeneration, and will receive new keys the next time the device's configuration is generated.

View All button

Lists all site-to-site tunnels defined at the current scope, and at any encompassing groups.

Enter Site-to-Site Tunnel Data

Tunnel Name

User-defined name for the site-to-site tunnel.

Tunnel Template

IPSec tunnel template associated with the tunnel. The tunnel template defines the IPSec policies to use with this tunnel. You can select the tunnel template from a list of templates available at the current scope.

Interface

Interface to which the tunnel is applied. In the Enter Site-to-Site Tunnel Data dialog box, you can select the interface from a list of interfaces for the device.

Priority

Priority of the tunnel. A lower priority number has a higher priority. Traffic is evaluated against tunnels in order based on the tunnel's priority.

Description

Optional user-defined comment for the site-to-site tunnel.

Enter Remote Peer Selections

Peer

Lists the managed and unmanaged peers defined for this tunnel.

Interface

Lists the interfaces available on a managed peer. After adding a managed peer, you must select the interface that participates in the tunnel from the list.

Enable check box

When selected, enables the peer in this site-to-site tunnel.

Add Unmanaged Peer button

Allows you to add an unmanaged peer for this tunnel.

Add Managed Peer button

Allows you to add a managed peer for this tunnel.

Move Up button

Moves the selected peer up in the peer list.

Move Down button

Moves the selected peer down in the peer list.

Creating Dynamic Tunnels

The Dynamic Tunnels feature enables you to create tunnels to use for remote access. Dynamic tunnels do not require you to know the IP addresses of tunnel peers. You must create at least one dynamic tunnel before you can configure Easy VPN Servers.

Step 1 Select Configuration > VPN > Tunnels > Dynamic.

The Dynamic Tunnels page appears.

Step 2 Using the Object Selector, select the scope (if not already selected) to identify the device or device groups to which the tunnel will apply.

Note The Object bar displays the last scope that was selected on the Configuration tab.

Step 3 Click Add.

The Enter Dynamic Tunnel Data page appears.

Step 4 Enter a descriptive identifier for the dynamic tunnel.

Step 5 Select the IPSec tunnel template associated with this dynamic tunnel from the list of templates available at the current scope.

Step 6 Select the interface for the tunnel.

Step 7 Enter a priority number for the tunnel. A lower priority number has a higher priority. Traffic is evaluated against tunnels in order based on the tunnel's priority.

Step 8 Optionally, you can enter the IP addresses of any IPSec peers for this tunnel.

Note This field is not required, and in most cases is not used because the peer is unknown.

Step 9 Enter an optional description for the dynamic tunnel.

Step 10 Click OK.

The dynamic tunnel is created, and changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-10 describes the elements on the Dynamic Tunnels page.

Table 17-10 Dynamic Tunnels

Element

Description

Priority

Identifies the priority of the tunnel. A lower priority number has a higher priority. Traffic is evaluated against tunnels in order based on the tunnel's priority.

Name

A descriptive identifier for the dynamic tunnel.

Interface

Identifies the interface to which the dynamic tunnel is applied.

Note If you are using a wizard, you can select the interface for the device from a list.

Tunnel Template

Identifies the IPSec tunnel template associated with the dynamic tunnel.

Note If you are using a wizard, you can select the tunnel template from a list of templates available at the current scope.

Peers

Identifies the IP addresses of IPSec peers.

Note This field is not required, and in most cases is not used because the peer is unknown.

Scope

Identifies the scope at which the dynamic tunnel was created.

Description

Optional user-defined comment for the dynamic tunnel.

View All button

Lists all dynamic tunnels defined at the current scope, and at any encompassing groups.

Defining Tunnel Rules

The Tunnel Rules feature enables you to define policy rules that govern which traffic should be tunneled, and the tunnel to use for such traffic. To access this feature, select Configuration > VPN > Tunnel Rules.

The Tunnel Rules table supports the use of categories, coloring, filtering, and highlighting. These features make it much easier to work with large tables. For more information, see Configuring Access Rule Tables, page 11-16.

Step 1 Select Configuration > VPN > Tunnel Rules > [Mandatory or Default]. For a discussion of Mandatory versus Default rules, see How Rules Are Ordered and Inherited.

The Tunnel Rules page appears.

Step 2 Using the Object Selector, select the scope (if not already selected) to identify the device or device groups to which the rules apply.

Note The Object bar displays the last scope that was selected on the Configuration tab.

Step 3 Do one of the following:

•To insert the first row in the table, click Insert.

•To add another row, select the check box for the row above which to add a new row, then click Insert.

•To paste a row that has been cut or copied to the clipboard, select the row in the table above which to add a new row, then click Paste.

•To edit a row, select the appropriate check box, then click Edit.

•To view all Tunnel Rules from Global down to the current scope, click View All.

The Create IPSec Rule page appears.

Step 4 Select the Enable rule check box.

Step 5 Do one of the following:

•If you want the specified traffic to be tunneled, click the Protect radio button.

•If you do not want the specified traffic to be tunneled, click the Do Not Protect radio button.

Note•The tunnel rule you define will be applied to the interface specified by the tunnel you select to use for this traffic. Both inbound and outbound traffic on this interface will be evaluated against this tunnel rule. If any unprotected inbound traffic on the interface matches a tunnel rule that specifies such traffic should be protected, the traffic will be dropped. Similarly, inbound IPSec traffic matching a Do Not Protect tunnel rule will be dropped.

•When defining a tunnel rule on the same interface used by Firewall MC, avoid using IP or HTTPS as the service, or any as the network source and destination.

Step 6 Select the tunnel to use for protecting this traffic.

Note•We recommend that for every tunnel rule you define at the local peer for the specified tunnel, you define a "mirror image" tunnel rule at the remote peer. This ensures that traffic with IPSec protection applied locally can be processed correctly at the remote peer.

•If the tunnel referenced in a tunnel rule is deleted, the associated tunnel rule remains, but it is automatically disabled.

Step 7 Enter the addresses of the local networks or click Select to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. To create a network object to be used as a local network, click Add Network Object.

A popup window helps you define the network object. After you complete the definition, the new network object is added to the Selected Objects column. For more information, see Adding or Editing a Network Object, page 10-21.

c. Click OK.

Step 8 Enter the addresses of the remote networks or click Select, which opens a window to display a list of defined objects.

a. Select the available objects, then click Select =>.

The objects are moved to the Selected Objects column.

b. To create a network object to be used as a remote network, click Add Network Object.

A popup window helps you define the network object. For more information, see Defining Network Objects, page 10-9.

c. Click OK.

Step 9 To specify the services to which this rule applies:

a. Click Select to display a list of services.

b. Select the available services, then click Select =>.

The objects are moved to the Selected Services column.

c. To create a service definition, click Create Service.

A popup window helps you define the building block. After you complete the definition, the new building block is added to the Selected Services column. For more information, see Configuring Service Definitions, page 10-24.

d. To create a service group and define services for that group, click Create Service Group.

A popup window helps you define the building block. After you complete the definition, the new building block is added to the Selected Services column. For more information, see Defining Service Groups, page 10-28.

e. Click OK.

Note We recommend that for every tunnel rule you define at the local peer for the specified tunnel, you define a "mirror image" tunnel rule at the remote peer. This ensures that traffic that has IPSec protection applied locally can be processed correctly at the remote peer. If this tunnel rule applies to traffic in which the service uses two different ports for communication, you must specify the correct service and port when "mirroring" the tunnel rule.

Step 10 If there are multiple remote peers for the selected tunnel, you can specify the peers to which this rule should apply:

Note All peers are selected by default.

a. Click Select.

The Selecting Tunnel Peers dialog box appears.

b. Select the available peers, then click Select =>.

The objects are moved to the Selected Peers column.

c. Click OK.

Step 11 Select a category for this rule from the list.

Step 12 Enter an optional description.

Step 13 Click OK.

The tunnel rule is created, and changes are applied to the assigned firewall device configuration files when they are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-11 describes the elements on the Tunnel Rules page.

Table 17-11 Tunnel Rules

Element

Description

Action

Displays the action of the rules listed in the rules table. Valid actions for tunnel rules are:

•Protect—Specified traffic should be tunneled.

•Do Not Protect—Specified traffic should not be tunneled.

Note The tunnel rule applies to the interface specified by the tunnel used for this traffic. Both inbound and outbound traffic on this interface are evaluated against this tunnel rule. If any unprotected inbound traffic on the interface matches a tunnel rule that specifies such traffic should be protected, the traffic is dropped. Similarly, inbound IPSec traffic matching a Do Not Protect tunnel rule is dropped.

Tunnels

Identifies the tunnel to use for protecting this traffic.

Note We recommend that for every tunnel rule you define at the local peer for the specified tunnel, you define a "mirror image" tunnel rule at the remote peer. This ensures that traffic with IPSec protection applied locally can be processed correctly at the remote peer.

Remote Peers

Identifies remote peers to which this rule applies. If there are multiple remote peers for the selected tunnel, you can specify the peers to which a rule should apply.

Local Networks

Allows you to enter source network object¹ names or addresses of hosts for which the tunnel rule applies. Multiple entries are separated by commas.

Note If you are configuring a rule, click Select to open a popup window from which to make your selection.

Remote Networks

Allows you to enter destination network object 1 names or addresses of hosts for which the tunnel rule applies. Multiple entries are separated by commas.

Note If you are configuring a rule, click Select to open a popup window from which to make your selection.

Service

Allows you to enter the name of one or more services². Multiple entries are separated by commas.

We recommend that for every tunnel rule you define at the local peer for the specified tunnel, you define a "mirror image" tunnel rule at the remote peer. This ensures that traffic that has IPSec protection applied locally can be processed correctly at the remote peer. If this tunnel rule applies to traffic in which the service uses two different ports for communication, you must specify the correct service and port when "mirroring" the tunnel rule.

Note If you are configuring a rule, click Select to open a popup window from which to make your selection.

Enabled

Identifies whether the tunnel rule is enabled.

Category³

Element defined in Building Blocks to provide an intermediate level of detail to objects to help you categorize and readily identify rules and building blocks.

Description

Optional user-defined comment for the tunnel rule.

Insert button

Adds a row in an ordered table.

Edit button

Edits an existing row in a table.

View button

Shows information in read-only mode.

Copy button

Copies a row in a table.

Cut button

Removes a row in a table.

Paste button

Pastes a row that was copied or cut from a table.

Delete button

Removes a row from a table.

View All button

Displays all rules (mandatory and default) defined from Global down to the current scope.

¹For more information about network objects, see Defining Network Objects, page 10-9.

²For more information about services, see Configuring Service Definitions, page 10-24.

³Categories are defined in Building Blocks. Select Configuration > Building Blocks > Categories. See Using Categories and Color-Coding, page 10-5.

Cutting, Copying, or Pasting a Tunnel Rule

When configuring IPSec tunnel rules, you can use the following shortcuts to help you define your rules:

•Cut allows you to cut a rule from the table to be pasted elsewhere.

•Copy allows you to copy a rule in the table to be pasted elsewhere.

•Paste allows you to paste a rule that was copied or cut from a table.

Note You can copy or cut tunnel rules, and then paste them into another Tunnel Rules table, or into a Translation Exemptions (NAT 0 ACL) Rules table. You cannot, however, copy or cut translation exemption (NAT 0 ACL) rules and paste them in a Tunnel Rules table. Rules can be copied within the same device, to a different device, to a device group, or to the Global group.

Step 1 Select Configuration > VPN > Tunnel Rules > [Mandatory or Default]. For a discussion of mandatory versus default rules, see How Rules Are Ordered and Inherited.

The Tunnel Rules table appears.

Step 2 Using the Object Selector, select the scope (if not already selected) for the device or device groups to which the rules will apply.

Note The Object bar displays the last scope that was selected under the Configuration tab.

Step 3 Do one of the following:

•To copy a row in the table, select the appropriate check box, then click Copy.

•To cut a row, select the check box for the row, then click Cut.

•To paste a row, select the check box for the row above which to paste the rule, then click Paste.

Note If you are pasting a tunnel rule from another device, the tunnel that is specified in the rule must be available to the new device. If the tunnel that is referenced in a tunnel rule is deleted, the associated tunnel rule remains, but it is automatically disabled.

•To view all tunnel rules (mandatory and default) from Global down to the current scope, click View All.

Deleting a Tunnel Rule

Step 1 Select Configuration > VPN > Tunnel Rules > [Mandatory or Default]. For a discussion of mandatory versus default rules, see How Rules Are Ordered and Inherited.

The Tunnel Rules table appears.

Step 2 Using the Object Selector, select the scope to identify the device or device group at which the rule is defined.

Note The Object Selector displays the last scope that was selected under the Configuration tab.

Step 3 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 4 Click Yes.

The row is removed from the table.

Configuring Remote Access

Firewall MC provides the following features for configuring Easy VPN Remote (vpnclient command) on a PIX Firewall:

•IP Pools—Enables you to define pools of IP addresses that can be assigned to remote users using the Easy VPN Server feature. See Defining IP Pools.

•Easy VPN Server—Enables you to configure a PIX Firewall to operate as a Cisco Secure VPN server. See Configuring Easy VPN Server.

Note Be careful when enabling Easy VPN Server and Easy VPN Remote or Easy VPN Management on the same device. These features can co-exist on the same device, but they must be applied on different interfaces.

•Easy VPN Remote—Enables you to configure a PIX Firewall to operate as a Cisco Secure VPN client. See Configuring Easy VPN Remote.

•Easy VPN Management—Enables you to control remote management access to your PIX Firewall. See Configuring Easy VPN Management.

Creating Remote User Tunnels

You can create IPSec tunnels between a remote user and your internal network. This type of tunneling creates a VPN, whereby a remote user can be securely connected to a corporate intranet over the Internet or a shared network.

The following checklist outlines the tasks required to create IPSec tunnels between a remote user and your internal network. Each task should be performed in the order presented.

Before You Begin

•If you are using XAuth, you must configure the AAA server to use with XAuth before you create a remote-user tunnel.

•When Easy VPN is enabled, you cannot modify many firewall device settings, including:

–userauth timeout settings

–global pools on the outside interface

–nat 0 acl on the outside interface

–policy-nat acls on the outside interface

–crypto maps on the outside interface

–IKE keys for VPN-client servers

–virtual HTTP

Task

1. Create an IKE tunnel template.

IPSec tunnel templates enable you to define tunnel policies that are used to create dynamic tunnels. Transform sets are used to define IPSec tunnel templates. A transform set represents a certain combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting data flow.

Firewall MC provides several default tunnel templates. If an appropriate tunnel template does not exist, you must create one before proceeding.

For more information, see:

• Defining IPSec Transform Sets, page 10-39.

• Defining IPSec Tunnel Templates, page 10-45.

2. Create the tunnel.

Using the template defined in the previous task, you must create the dynamic tunnel to use for remote access. The tunnel must be available at the same scope at which you are configuring an Easy VPN Server. You can skip this step if you already have a tunnel that you want to use.

For more information, see Creating Dynamic Tunnels.

3. Define an IP pool.

The IP Pools feature lets you create a named pool of local IP addresses that can be used for dynamically assigning IP addresses to remote VPN clients.

For more information, see Defining IP Pools.

4. Configure the Easy VPN Server.

You must configure the PIX Firewall that is acting as an Easy VPN Server in order to provide access to VPN clients.

For more information, see Configuring Easy VPN Server.

5. Configure Easy VPN Remote.

You must configure the Easy VPN Remote feature on PIX Firewalls that will be operating as Cisco Secure VPN Clients. Also, you can enable the Easy VPN Management feature for Cisco Secure VPN Clients.

For more information, see:

• Configuring Easy VPN Remote.

• Configuring Easy VPN Management.

6. Create the security policy.

The security policy identifies the devices and controls the traffic that should be protected by the defined tunnel.

For more information, see Defining Tunnel Rules.

7. Generate and deploy the configuration.

After making desired configuration changes, you must generate the new configuration files. After you generate the new configurations, you can deploy those files or save them and deploy them later.

For more information, see Generating Configurations for Modified Devices.

Defining IP Pools

The IP Pools feature lets you create a named pool of local IP addresses. A pool can be used for dynamically assigning IP addresses to remote VPN clients.

Step 1 Select Configuration > VPN > Remote Access > IP Pools.

The IP Pools page appears.

Step 2 Click Add.

The Create VPN IP Pool page appears.

Step 3 Enter a name for the IP pool in the Name field.

Step 4 Enter the address range for the pool using the Start Address and End Address fields.

Step 5 Click OK.

The IP pool is created and added to the list of pools available on the IP Pools page.

Table 17-12 describes the elements on the IP Pools page.

Table 17-12 IP Pools

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Name

A descriptive identifier for the address pool.

Range Start (Start Address)

The starting IP address of the IP pool.

Note To specify a single address for the IP pool, enter the same address in both the Start Address and End Address fields.

Range End (End Address)

The ending IP address of the IP pool.

Configuring Easy VPN Server

The Easy VPN Server feature enables you to configure a PIX Firewall to operate as an Easy VPN Server. When used as an Easy VPN Server, the firewall can push VPN configuration to any Easy VPN Remote device, which greatly simplifies configuration and administration. To access this feature, select Configuration > VPN > Remote Access > Easy VPN Servers.

Note The Easy VPN Server feature is available with PIX Firewall OS 6.2 and later; however, PIX Firewall OS 6.2 supports only a subset of the vpngroup commands. Full support is available in PIX Firewall OS 6.3 and later.

The following are some of the different types of Easy VPN Remote devices you can use with a PIX Firewall configured as an Easy VPN Server:

•Software clients—Connect directly to the Easy VPN Server but require prior installation and configuration of client software on each host computer. The software clients include:

–Cisco VPN Client version 4.x.

–Cisco VPN Client version 3.x.

•Hardware clients—Allow multiple hosts on a remote network to access a network protected by an Easy VPN Server without any special configuration or software installation on the remote hosts. The hardware clients include:

–PIX 501 or PIX 506/506E.

–Cisco VPN 3002 Hardware Client.

–Cisco IOS-based Easy VPN Remote devices (for example, Cisco 800 series and Cisco 1700 series routers).

Step 1 Select Configuration > VPN > Remote Access > Easy VPN Servers.

The Easy VPN Servers page appears.

Step 2 Click Add.

The Enter Easy VPN Server Data page appears.

Step 3 Enter a descriptive name to be used for this Cisco Easy VPN Server group.

Step 4 Enter the pre-shared key to be used for IKE authentication by the Cisco Easy VPN Server group in the Password and Confirm Password fields. This must be at least eight alphanumeric (U.S. English) characters with no special (non-alphanumeric) characters.

Step 5 Select the pool used to assign IP addresses to Cisco VPN Clients. To define IP pools, select Configuration > VPN > Remote Access > IP Pools. See Defining IP Pools.

Step 6 Enter the inactivity timeout for a client in seconds. When the inactivity timeout for all IPSec SAs has expired for a Cisco VPN Client, the tunnel is terminated. Default is 1800 seconds (30 minutes).

Step 7 Enter the maximum connection time for a client in seconds. When the maximum connection time is reached for a Cisco VPN Client, the tunnel is terminated. This means the connection between the client and the firewall will have to be reestablished. Default is 31536000 seconds (365 days).

Step 8 Enter the local domain name that will be passed to the Cisco VPN client.

Step 9 To enable perfect forward secrecy, select the Enable PFS check box.

Step 10 Enter the IP address of the primary and, optionally, the secondary DNS servers on your local network that will be passed to the Cisco VPN client.

Step 11 Enter the IP address of the primary and, optionally, the secondary WINS servers on your local network that will be passed to the Cisco VPN client.

Step 12 Click Next.

The Enter Managed Split DNS/Tunneling Data page appears.

Step 13 Enter a list of up to eight domain names, separated by a space or comma. Requests to these domain names are tunneled if split tunneling is enabled.

Step 14 Enter a list of networks or network objects, separated by a comma, for which traffic will be subject to split tunneling. Split tunneling allows a remote Cisco VPN Client simultaneous encrypted access to the corporate network and clear access to the Internet. You can enter the network IP address and netmask (in either bit count or dotted decimal format) separated by a forward slash (for example, 192.168.1.10/24 or 192.168.1.10/255.255.255.0), or click Select to display a list of network objects.

Step 15 Click Next.

The Enter Authentication Data page appears.

Step 16 To enable Secure Unit Authentication (SUA) for the group, select the Enable Secure Unit Authentication check box.

Step 17 To enable Individual User Authentication (IUA) for the group:

a. Select the Enable Individual User Authentication check box.

b. Enter the number of seconds of inactivity before the tunnel is torn down. Default is 1800 seconds (30 minutes).

c. Select the AAA server that VPN clients will use to authenticate. Only RADIUS and TACACS+ servers are supported.

d. To enable device pass through for the group, select the Enable Device Pass Through check box. If certain devices on the inside interface of the Easy VPN Remote Device are incapable of authentication, such as IP phones, this option lets them bypass authentication when IUA is enabled.

Step 18 Click Next.

The Enter Backup Servers Data page appears.

Step 19 To configure a list of up to 10 backup Easy VPN Servers to use if the primary Easy VPN Server is not available:

a. Select the Enable Backup Server Configuration check box.

b. Enter the IP addresses of the backup Easy VPN Servers separated by a comma.

Step 20 To clear the local list of backup Easy VPN Servers from the device configuration, select the Clear Current Client Backup Server(s) List check box.

Note You cannot configure a list of backup Easy VPN Servers and clear the current backup server list within the same configuration.

Step 21 Click Next.

The Summary page appears.

Step 22 Verify the information, then click Finish.

The Easy VPN Server is added to the list of servers on the Easy VPN Servers page. Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-13 describes the elements on the Easy VPN Servers page.

Table 17-13 Easy VPN Servers

Element

Description

Easy VPN Servers

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Name

Descriptive group name for the Cisco VPN Client 3.x client group.

Pool

Pool used to assign IP addresses to Cisco VPN Clients. IP pools are defined at Configuration > VPN > Remote Access > IP Pools. See Defining IP Pools.

Primary DNS

IP address of the primary DNS server on your local network that will be passed to the Cisco VPN Client 3.x.

Primary WINS

IP address of the primary WINS server on your local network that will be passed to the Cisco VPN Client v3.x.

Domain

Local domain name that will be passed to the Cisco VPN client v3.x.

Create Easy VPN Server Wizard—Enter Easy VPN Server Data

VPN Server Information

Name

Descriptive group name to be used for this Cisco VPN Client 3.x client group.

Password

The group pre-shared key to be used for IKE authentication by the Cisco VPN Client 3.x client group. This must be at least eight alphanumeric (U.S. English) characters with no special (non-alphanumeric) characters.

Confirm Password

Re-enter the group password.

IP Pool Information

IP Pool

Select the pool used to assign IP addresses to Cisco VPN Clients. IP pools are defined at Configuration > VPN > Remote Access > IP Pools. See Defining IP Pools.

General Information

Idle Timeout

Sets the inactivity timeout for a client in seconds. When the inactivity timeout for all IPSec SAs have expired for a Cisco VPN Client, the tunnel is terminated. Default is 1800 seconds (30 minutes).

Max Time

Sets the maximum connection time for a client in seconds. When the maximum connection time is reached for a Cisco VPN Client, the tunnel is terminated. This means the connection between the client and the firewall will have to be reestablished. Default is 365 days.

Domain

Local domain name that will be passed to the Cisco VPN client v3.x.

Enable PFS

When selected, enables perfect forward secrecy.

DNS Servers

IP address of the primary and secondary DNS servers on your local network that will be passed to the Cisco VPN Client 3.x.

WINS Servers

IP address of the primary and secondary WINS servers on your local network that will be passed to the Cisco VPN Client 3.x or 4.x.

Create Easy VPN Server Wizard—Enter Managed Split DNS and Tunneling Data

Manage Split DNS

Domain(s)

List of up to eight domain names, separated by a space or a comma. Requests to these domain names will be tunneled if split tunneling is enabled.

Manage Split Tunneling

Network(s)

List of networks or network object building blocks, separated by a comma, for which traffic will be subject to split tunneling. Split tunneling allows a remote Cisco VPN Client simultaneous encrypted access to the corporate network and clear access to the Internet.

You can enter the network IP address and netmask (in either bit count or dotted decimal format) separated by a forward slash (for example, 192.168.1.10/24 or 192.168.1.10/255.255.255.0), or click Select to display a list of network objects.

Create Easy VPN Server Wizard—Enter Authentication Data

Unit Authentication

Enable Secure Unit Authentication check box

When this check box is selected, Secure Unit Authentication (SUA) is enabled for the group.

User Authentication

Enable Individual User Authentication check box

When selected, Individual User Authentication (IUA) is enabled for the group. IUA lets you individually authenticate users based on IP address on your inside network. IUA is independent of SUA and all combinations of their configurations are supported.

Idle Timeout

Number of seconds of inactivity before the tunnel is torn down. Default is 1800 seconds (30 minutes).

AAA Server Group

Select the AAA server that VPN clients will use to authenticate from the list.

Note Only RADIUS and TACACS+ servers are supported.

Enable Device Pass Through check box

When selected, enables device pass through for the group. If certain devices on the inside interface of the Easy VPN Remote Device are incapable of authentication, such as IP phones, this option lets them bypass authentication when IUA is enabled. This feature must be enabled on the Easy VPN Server.

Create Easy VPN Server Wizard—Enter Backup Servers Data

Backup Servers

Enable Backup Server Configuration check box

When selected, you can configure a list of backup Easy VPN Servers. If the primary Easy VPN Server is not available, you can specify a list of backup Easy VPN Servers to connect to.

IP Address(es)

IP addresses of the backup Easy VPN Servers separated by a comma. You can list up to 10 backup servers.

Clear Current Client Backup Server(s) List check box

When selected, clears the local list of backup Easy VPN Servers from the configuration.

Note You cannot configure a list of backup Easy VPN Servers and clear the current backup server list within the same configuration.

Configuring Easy VPN Remote

The Easy VPN Remote feature enables you to configure a PIX Firewall to operate as a Cisco Secure VPN client, thus providing a VPN connection to an Easy VPN Server.

Step 1 Select Configuration > VPN > Remote Access > Easy VPN Remote.

The Easy VPN Remote page appears.

Step 2 Select the Enable Easy VPN Remote check box to instruct the PIX Firewall to operate as a Cisco Secure VPN client.

Step 3 Enter the primary Cisco Easy VPN Server (concentrator) IP address to which the VPN client connects.

Step 4 Enter one or more secondary Cisco Easy VPN Server (concentrator) IP addresses to which the VPN client connects when the primary Cisco Easy VPN Server is unavailable.

Step 5 Enter the name of the VPN group that is configured on the Cisco Easy VPN Server. Maximum length is 63 alphanumeric (U.S. English) characters.

Step 6 Enter the group password, which is an arbitrary string of characters used to prevent unauthorized access to a group of associated resources.

Step 7 Re-enter the group password in the Confirm Group Password field.

Step 8 Enter the username to use for authentication. Maximum length is 127 characters.

Step 9 Enter the user password.

Step 10 Re-enter the user password in the Confirm User Password field.

Step 11 Select the mode by clicking the appropriate radio button. See Table 17-14.

Step 12 To exempt certain devices from user authentication, enter the MAC address and mask for those devices in the MAC Exempt Addresses and Masks field.

Enter MAC addresses and their respective masks in pairs. Use a space to separate the MAC address and the mask and a comma to separate information for multiple devices. Use one of the following formats:

•xx:xx:xx:xx:xx:xx

•xx-xx-xx-xx-xx-xx

•xx xx xx xx xx xx

•xxxx.xxxx.xxxx

For example, 0090.0C7A.0050 ffff.ffff.ffff, 00:72:34:a3:09:c4 ff:ff:ff:ff:ff:ff.

Note If you enter a MAC address or mask using any of the formats other than xxxx.xxxx.xxxx, Firewall MC converts the MAC address or mask to the xxxx.xxxx.xxxx format when you click Apply.

Step 13 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-14 describes the elements on the Easy VPN Remote page.

Table 17-14 Easy VPN Remote

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable easy VPN remote check box

Instructs firewall device to operate as a Cisco Secure VPN client.

Primary easy VPN server IP address

Server (concentrator) IP address to which VPN client connects.

Note Also known as headend address.

Secondary easy VPN server IP address

IP address of failover server (concentrator) to which VPN client connects.

Group name

Name of VPN group configured on Cisco Easy VPN Server. Maximum length is 63 alphanumeric (U.S. English) characters.

Note The group name and password can be omitted in PIX Firewall versions 6.3 and later if a CA is specified, and the default ISAKMP policy is configured.

A group name and password is required for PIX Firewall version 6.2 and earlier.

Group password

Arbitrary string of characters used to prevent unauthorized access to a group of associated resources.

Confirm group password

Group password is re-entered.

Username

Unique name to be used for user authorization. Maximum length is 127 characters.

Note The username and user password are optional for PIX Firewall versions 6.2 and 6.3, and are used only for XAuth (extended authentication).

User password

Arbitrary string of characters, chosen by a user or system administrator, used to prevent unauthorized access to a user's account. Maximum length is 127 characters.

Confirm user password

User password is re-entered.

Mode radio buttons

Mode of operation for the Easy VPN Remote device. Options are:

•Client—DHCP server on firewall device (hardware VPN client) is configured to issue IP addresses to hosts on inside network. A default DHCP pool is configured for nodes on private network. Inside interface IP address should be configured as address of DHCP server for all nodes on private network. Port Address Translation (PAT) address for traffic traversing VPN tunnel is obtained via MODECFG (INTERNAL_IPV4_ADDRESS). PAT is applied to all traffic traversing VPN tunnel.

•Network Extension—Hosts on inside network are configured with static IP addresses. An IP address belonging to inside network is assigned to inside interface. PAT is not applied to VPN traffic when in this mode. Nodes on inside network are accessible from enterprise network. DNS servers on enterprise network are required to be configured for hostnames that resolve to hardware client IP address and its inside nodes' IP addresses. Per-client VPN configuration is not required, as opposed to LAN-to-LAN (site-to-site) setup.

Note When used in conjunction with the management-access command and Network Extension Mode (NEM), a tunnel interface can be extended from the outside interface to an internal interface.

MAC exempt addresses and masks

List of MAC addresses and masks of devices that are exempt from user authentication. MAC addresses and their respective masks are entered in pairs separated by commas, and must use one of the following formats:

•xx:xx:xx:xx:xx:xx

•xx-xx-xx-xx-xx-xx

•xx xx xx xx xx xx

•xxxx.xxxx.xxxx

For example, 0090.0C7A.0050 ffff.ffff.ffff, 00:72:34:a3:09:c4 ff:ff:ff:ff:ff:ff.

Configuring Easy VPN Management

PIX Firewall OS 6.3 introduces a feature that improves administrative security by letting you identify the networks from which your PIX Firewall can be managed remotely or by preventing remote management. The Easy VPN Management feature allows you to control remote management access to your PIX Firewall.

Note Only the default setting is supported for PIX Firewall OS 6.2 and earlier.

Step 1 Select Configuration > VPN > Remote Access > Easy VPN Management.

The Easy VPN Management page appears.

Step 2 Select the Enable Easy VPN Remote check box to instruct the firewall device to operate as a Cisco Secure VPN client.

Step 3 To select the Management Access Configuration mode, click the appropriate radio button. See Table 17-15.

•To allow only hosts that have access to the outside interface of your firewall device through a VPN tunnel to manage the firewall device remotely, click the Allow Access Via Tunnel Only radio button. This is the default setting.

Note If you click the Allow Access Via Tunnel Only radio button, the vpnclient management command will not exist in the configuration. This setting must be used for versions of the PIX Firewall OS that do not support the vpnclient management command.

•To allow specific hosts to manage this device remotely without using a VPN tunnel and any host to manage this device remotely by using a VPN tunnel:

–Click the Allow These Hosts to Remote Manage radio button.

–Enter the IP address and subnet mask of the hosts that can manage this device remotely. Use a slash (/) to separate the IP address and subnet mask and a comma to separate information for multiple hosts (for example, 192.168.1.1/255.255.255.0, 192.168.2.1/24). If you do not specify a subnet mask, Firewall MC applies a host mask (/32).

•To not require a VPN tunnel for management access to this device, click the Allow Clear Management Access radio button.

Step 4 Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Table 17-15 describes the elements on the Easy VPN Management page.

Table 17-15 Easy VPN Management

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable Easy VPN remote check box

Instructs firewall device to operate as a Cisco Secure VPN client.

Management access configuration radio buttons

•Allow Access Via Tunnel Only—Allows only hosts that have access to the outside interface of your firewall device through a VPN tunnel to manage the firewall device remotely. This is the default setting.

Note If you select the Allow Access Via Tunnel Only radio button, the vpnclient management command will not exist in the configuration. This setting must be used for versions of the PIX Firewall OS that do not support the vpnclient management command.

•Allow These Hosts To Remote Manage—Allows specific hosts to manage this device remotely without using a VPN tunnel and any host to manage this device remotely by using a VPN tunnel. Enter the IP address and subnet mask of the hosts that can manage this device remotely in the field provided. Use a slash (/) to separate the IP address and subnet mask and a comma to separate information for multiple hosts (for example, 192.168.1.1/255.255.255.0, 192.168.2.1/24). If you do not specify a subnet mask, Firewall MC applies a host mask (/32).

•Allow Clear Management Access—Do not require a VPN tunnel for management access to this device.

Configuring VPN System Options

The Sysopt feature lets you configure the firewall to allow IPSec traffic through it without the need for access rules. This means you will not have to configure specific access rules to permit this type of traffic. These system options are not enabled by default and must be explicitly enabled.

Step 1 Select Configuration > VPN > Sysopt.

The Sysopt page appears.

Step 2 To allow IPSec traffic through the firewall without the need for access rules, select the Bypass Access Check for IPSec Traffic check box.

Step 3 Click Apply.

Table 17-16 describes the elements on the Sysopt page.

Table 17-16 Sysopt

Element

Description

Inherit settings check box

When selected, the subgroups or devices inherit the settings of the enclosing group to current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?.)

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Bypass Access Check for IPSec Traffic

When selected, enables IPSec authenticated/cipher inbound sessions to always be permitted. This permits IPSec traffic to pass through the firewall without a check of the conduit or access-list command statements. The sysopt connection permit-ipsec command is written to the firewall. Because L2TP traffic can only come from IPSec, the sysopt connection permit-ipsec command allows L2TP traffic to pass as well.