About Easy VPN
Cisco Ezvpn greatly simplifies configuration and deployment of VPN for remote offices and mobile workers. Cisco Easy VPN offers flexibility, scalability, and ease of use for site-to-site and remote-access VPNs. It implements the Cisco Unity Client protocol, allowing administrators to define most VPN parameters on the Easy VPN Server, simplifying the Easy VPN Remote configuration.
The Cisco ASA with FirePOWER models 5506-X, 5506W-X, 5506H-X, and 5508-X support Easy VPN Remote as a hardware client that initiates the VPN tunnel to an Easy VPN Server. The Easy VPN server can be another ASA (any model), or a Cisco IOS-based router. An ASA cannot function as both an Easy VPN Remote and an Easy VPN Server simultaneously.
The Cisco ASA 5506-X, 5506W-X, 5506H-X and 5508-X models support L3 switching not L2 switching. Use an external switch when using Easy VPN Remote with multiple hosts or devices on the inside network. A switch is not required if a single host is on the inside network of the ASA.
The following sections describe Easy VPN options and settings.
Easy VPN Interfaces
Upon system startup, the Easy VPN external and internal interfaces are determined by their security level. The physical interface with the lowest security level is used for the external connection to an Easy VPN server. The physical or virtual interface with the highest security level is used for the internal connection to secure resources. If Easy VPN determines that there are two or more interfaces with the same highest security level, Easy VPN is disabled.
You can change the internal secure interface using the vpnclient secure interface command if desired, to or from, a physical or virtual interface. You cannot change the external interface from the automatically selected default, physical interface.
For example, on an ASA5506 platform, the factory configuration has a BVI with the highest security level interface set to 100 (with its member interfaces also at level 100), and an external interface with security level zero. By default, Easy VPN selects these interfaces.
When a virtual interface (a Bridged Virtual Interface or BVI) is selected upon startup or assigned by the administrator as the internal secure interface, the following applies:
All BVI member interfaces are considered Internal Secured interfaces irrespective of their own security levels.
ACL and NAT rules need to be added on all the member interfaces. AAA rules are added on the BVI interface alone.
Easy VPN Connections
Easy VPN uses IPsec IKEv1 tunnels. The Easy VPN Remote hardware client's configuration must be compatible with the VPN configuration on the Easy VPN Server headend. If using secondary servers, their configuration must be identical to the primary server.
The ASA Easy VPN Remote configures the IP address of the primary Easy VPN Server and optionally, up to 10 secondary (backup) servers. Use the vpnclient server command in global configuration mode to configure these servers. If unable to set up the tunnel to the primary server, the client tries the connection to the first secondary VPN server, and then sequentially down the list of VPN servers at 8 second intervals. If the setup tunnel to the first secondary server fails, and the primary server comes online during this time, the client will proceed to set up the tunnel to the second secondary VPN server.
By default, the Easy VPN hardware client and server encapsulate IPsec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPsec within TCP packets to enable secure tunneling. Use the vpnclient ipsec-over-tcp command to configure this. If your environment allows UDP, however, configuring IPsec over TCP adds unnecessary overhead.
Easy VPN Tunnel Groups
Upon tunnel establishment, the Easy VPN Remote specifies the tunnel group, configured on the Easy VPN Server, that will be used for the connection. The Easy VPN Server pushes group policy or user attributes to the Easy VPN Remote hardware client determining tunnel behavior. To change certain attributes, you must modify them on the ASAs configured as primary or secondary Easy VPN Servers.
The Easy VPN Remote client specifies the group policy using the vpnclient vpngroup command to configure its name and pre-shared key, or the vpnclient trustpoint command to identify a pre-configured trustpoint.
Easy VPN Mode of Operation
The mode determines whether the hosts behind the Easy VPN Remote are accessible or not from the enterprise network over the tunnel:
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN Remote private network from those on the enterprise network. The Easy VPN Remote performs Port Address Translation (PAT) for all VPN traffic for its inside hosts. The network and addresses on the private side of the Easy VPN Remote are hidden, and cannot be accessed directly. IP address management is not required for the Easy VPN Client inside interface or the inside hosts.
Network Extension Mode (NEM) makes the inside interface and all inside hosts route-able across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or via DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration or tunnel for each host on the inside network, the Easy VPN Remote provides tunneling for all of the hosts.
The Easy VPN Server defaults to Client mode. To configure NEM mode use the nem enable command in group policy configuration mode. Specifying one of the modes of operation on the Easy VPN Remote is mandatory before establishing a tunnel because it does not have a default mode. On the Easy VPN Remote use the vpnclient mode command to configure PAT or NEM.
The Easy VPN Remote ASA configured for NEM mode supports automatic tunnel initiation. Automatic initiation requires the configuration and storage of credentials used to set up the tunnel. Automatic tunnel initiation is disabled if secure unit authentication is enabled.
An Easy VPN Remote in Network Extension Mode with multiple interfaces configured builds a tunnel for locally encrypted traffic only from the interface with the highest security level.
Easy VPN User Authentication
The ASA Easy VPN Remote can store the username and password for automatic login using the vpnclient username command..
For additional security, the Easy VPN Server can require:
Secure unit authentication (SUA)—ignores the configured username and password requiring a user to manually authenticate. By default, SUA is disabled, enable SUA on the Easy VPN Serverusing the secure-unit-authentication enable command .
Individual user authentication (IUA)—requires users behind the Easy VPN Remote to authenticate before receiving access to the enterprise VPN network. By default, IUA is disabled, enable IUA on the Easy VPN Serverusing the user-authentication enable command .
When using IUA, specific devices, such as Cisco IP Phones or printers, behind the hardware client will need to bypass individual user authentication. To configure this, specify IP phone bypass, using the ip-phone-bypass command, on the Easy VPN Server and MAC address exemption, using the mac-exempt command, on the Easy VPN Remote.
Additionally, the Easy VPN Server can set or remove the idle timeout period after which the Easy VPN Server terminates the client’s access using the user-authentication-idle-timeout command on the Easy VPN Server.
The Cisco Easy VPN server intercepts HTTP traffic and redirects the user to a login page if the user name and password is not configured, or SUA is disabled, or IUA is enabled. HTTP redirection is automatic and does not require configuration on the Easy VPN Server.
The ASA operating as an Easy VPN Remote hardware client supports management access using SSH or HTTPS, with or without additional IPsec encryption.
By default, management tunnels use IPsec encryption within SSH or HTTPS encryption. You can clear the IPsec encryption layer allowing management access outside of the VPN tunnel using the vpnclient management clear command. Clearing tunnel management merely removes the IPsec encryption level and does not affect any other encryption, such as SSH or HTTPS, that exists on the connection.
For additional security, the Easy VPN Remote can require the IPsec encryption and limit administrative access to specific hosts or networks on the corporate side using the vpnclient management tunnel command in global configuration mode.
Use no vpnclient management to return to default remote management operation.
Do not configure a management tunnel on a ASA Easy VPN Remote if a NAT device is operating between it and the Internet. In that configuration, clear remote management using the vpnclient management clear command.
Regardless of your configuration, DHCP requests (including renew messages) should not flow over IPsec tunnels. Even with a vpnclient management tunnel, DHCP traffic is prohibited.