© 2003, Cisco Systems, Inc. All rights reserved. VPN Roadshow

Cisco VPN Partner Technical Development
Module 6: VPN Client Configuration
APAC Channels Technical Operations

Overview of the Software Client's Firewall Feature

VPN Client Firewall Application
The VPN Client and a personal firewall run together on the same PC. With split tunneling enabled the PC carries three kinds of traffic at once, and only the first of them is protected by the tunnel:
• Encrypted tunnel traffic (to the corporate network)
• Local LAN traffic
• Internet traffic (for example to www.cisco.com)

Windows-Based Software Client: Firewall Features
• Required Firewall: Are You There (AYT)
• Stateful Firewall
• Central Protection Policy (CPP)
• Cisco Integrated Client Firewall (CIC)

Software Client's Are You There Feature

Are You There Feature
MS Windows PC running the VPN Client software, the Stateful Firewall driver and AYT.

How the Are You There Feature Works (shown with Zone Labs ZoneAlarm)
The VPN Client polls the personal firewall (1, AYT); the firewall answers that it is operational (2, 3); only then does the client continue: OK, tunnel will be established now (4). If the firewall is configured as Required and does not answer, the tunnel is not established; if it is configured as Optional, the client shows a warning and connects anyway.

Configuration slides (VPN Concentrator screenshots): Configuring AYT Feature; Configuring Optional or Required Firewall; Configuring Firewall Type Selection; Custom Firewall; Firewall Optional Warning.

Software Client's Stateful Firewall Feature

Stateful Firewall
MS Windows PC with the Stateful Firewall (Always On) enabled. Both tunneled traffic and non-tunneled traffic pass through it, and it stays active whether or not a tunnel is up.

Enabling the Stateful Firewall Feature (client screenshot)

Software Client's Central Policy Protection Feature

How Central Policy Protection Works
1. The administrator defines the firewall policy on the VPN Concentrator.
2. The concentrator pushes the policy to the VPN Client across the Internet.
3. The VPN Client forwards the policy to the personal firewall, which enforces it.

CPP Supported Firewalls
  Firewall                           CPP
  Cisco Integrated Client Firewall   X
  Network ICE BlackICE Defender      -
  Zone Labs ZoneAlarm                X
  Zone Labs ZoneAlarm Pro            X

Configure CPP (concentrator screenshot)

Summary
• Software client supports ...
• Stateful firewall is always on, even when no VPN tunnels are established
• CPP enables an administrator to push firewall policy to software clients

Overview of Port Address Translation

Network Address Translation (NAT)
Remote office PCs 192.168.1.5 and 192.168.1.6 sit behind a NAT device that presents the single public address 205.151.254.10 to the Internet; the corporate office application server is 10.0.1.5. When both PCs are translated to the same address, a reply to 205.151.254.10 cannot be attributed to either PC (the "?" on the slide).

Port Address Translation (PAT)
PAT resolves this by translating the source port together with the address:
  Inside source address  Port    Outside source address  Port
  192.168.1.5            10000   205.151.254.10          600
  192.168.1.6            10000   205.151.254.10          601
Every binding is unique, so a reply to 205.151.254.10 port 601 is delivered to 192.168.1.6.

IKE and UDP Issue
Behind the NAT/PAT device, IKE passes but IPSec is dropped. IKE runs over UDP port 500, so PAT has a port to translate; ESP (IP protocol 50) has no transport-layer header and therefore no port, so the PAT device has nothing to map and the ESP traffic is dropped.

Release 3.0 NAT Support: IPSec over UDP
The IPSec client wraps each ESP packet in a UDP header: IP | UDP | ESP | IP | Data | Hash. The outer UDP header (port 10000 by default, the inside port in the PAT table above) gives the NAT device a port to translate, so the tunnel from 10.0.1.5 appears on the Internet as 205.151.254.10 with a translated port.

Release 3.5 IPSec over TCP Enhancement
IPSec over TCP encapsulates the same way with a TCP header: IP | TCP | ESP | IP | Data | Hash. It is configured system-wide on the concentrator, and a client uses either IPSec over UDP or IPSec over TCP, not both.

IPSec Through PAT Mode
Client to PAT device to VPN Concentrator: the original packet (IP | Data) is encrypted and authenticated (IP | ESP | IP | Data | Hash) and then encapsulated in either UDP (IP | ESP | UDP | IP | Data | Hash, reading the slide) or TCP before it crosses the PAT device. The slide labels this IPSec through NAT mode.

Configuration slides (screenshots): Concentrator Configuration, IPSec over UDP; Software Client Configuration, IPSec over UDP; Configuring IPSec over TCP; Concentrator IPSec over TCP Configuration; VPN 3002 IPSec over TCP Configuration (SOHO hardware client).
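The Stateful Firewall (Always On) behaviour described above, as an added example that is not part of the Cisco deck: a minimal stateful verdict engine run over a constructed packet trace for the VPN Client PC. The PC address 192.168.1.5 comes from the slides; the concentrator and server addresses are constructed. The ESP and DHCP inbound exceptions follow Cisco's documentation for the feature and are an assumption here, not something this deck states.

```python
"""Stateful Firewall (Always On) as on the slide: added example, not Cisco code.

Models the verdict logic of an always-on stateful personal firewall on the
VPN Client PC with a constructed packet trace. The ESP and DHCP exceptions
follow Cisco's documentation for the feature and are an assumption here,
not something this deck states.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ESP_PROTO, TCP_PROTO, UDP_PROTO = 50, 6, 17
DHCP_CLIENT_PORT = 68
PC = "192.168.1.5"               # the VPN Client PC (address borrowed from the slide)
CONCENTRATOR = "203.0.113.10"    # constructed address for the VPN Concentrator
WEB = "198.51.100.20"            # constructed Internet web server

Flow = Tuple[str, Optional[int], str, Optional[int], int]  # src, sport, dst, dport, proto


@dataclass(frozen=True)
class Packet:
    direction: str           # "out" = leaving the PC, "in" = arriving at the PC
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


class StatefulFirewall:
    """Allows whatever the PC initiates, plus replies to it; drops the rest."""

    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()

    def verdict(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the flow so the peer's replies can be matched later.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        if pkt.proto == ESP_PROTO:
            return "allow"   # tunneled traffic must still reach the VPN Client
        if pkt.proto == UDP_PROTO and pkt.dport == DHCP_CLIENT_PORT:
            return "allow"   # DHCP replies (documented exception, assumed here)
        # A reply must match the full 5-tuple of a flow the PC opened, reversed.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if reverse in self.sessions else "deny"


def run_trace(packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall()
    return [fw.verdict(p) for p in packets]


# Constructed trace: no tunnel is up for the first four packets, which is the
# point of "always on".
TRACE = [
    Packet("out", PC, WEB, TCP_PROTO, 1040, 80),               # PC browses a web site
    Packet("in", WEB, PC, TCP_PROTO, 80, 1040),                # reply: matches the flow
    Packet("in", "198.51.100.99", PC, TCP_PROTO, 4000, 1040),  # right port, wrong peer
    Packet("in", "198.51.100.77", PC, TCP_PROTO, 3456, 139),   # unsolicited SMB probe
    Packet("in", CONCENTRATOR, PC, ESP_PROTO),                 # tunneled traffic
    Packet("in", "192.168.1.1", PC, UDP_PROTO, 67, 68),        # DHCP reply from the LAN
]

if __name__ == "__main__":
    for p, v in zip(TRACE, run_trace(TRACE)):
        print(f"{v:5} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} proto {p.proto}")
```

The third packet is the one worth noticing: it targets the same local port the PC opened, but from a different peer, so a port-only filter would let it in while the 5-tuple match denies it.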
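The NAT/PAT problem and the IPSec-over-UDP fix from the slides above, as an added example that is not part of the Cisco deck: a model PAT device fed constructed packets. The addresses (192.168.1.5, 192.168.1.6, 205.151.254.10, 10.0.1.5), the inside port 10000 and the outside ports 600/601 are taken from the slides; the PatDevice class and its port-allocation rule are this example's own simplification.

```python
"""PAT versus IPSec: why raw ESP is dropped and UDP encapsulation fixes it.

Added example, not from the Cisco deck. It models the PAT device on the
slides with constructed packets: remote-office PCs 192.168.1.5 and
192.168.1.6 share the public address 205.151.254.10 and talk to the
corporate side at 10.0.1.5. No real network I/O takes place.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTO = 50          # ESP is its own IP protocol: no transport header, no ports
UDP_PROTO = 17
IKE_PORT = 500          # IKE negotiates over UDP/500
IPSEC_UDP_PORT = 10000  # Cisco's default IPSec-over-UDP port (the inside port on the slide)
PUBLIC_IP = "205.151.254.10"            # PAT device's outside address (slide)
CORPORATE = "10.0.1.5"                  # corporate-side destination (slide)
HOSTS = ("192.168.1.5", "192.168.1.6")  # remote-office PCs (slide)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None when the protocol has no port field (ESP)
    dport: Optional[int] = None
    payload: str = ""


class PatDevice:
    """Minimal PAT: (inside IP, inside port) <-> unique outside port."""

    def __init__(self, public_ip: str, first_port: int = 600) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, int], int] = {}   # (inside ip, inside port) -> outside port
        self.back: Dict[int, Tuple[str, int]] = {}  # outside port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside-to-Internet packet; None means PAT dropped it."""
        if pkt.sport is None:
            # Nothing to translate and nothing to key a binding on, so a reply
            # could never be attributed to one PC. This is the slide's "IPSec dropped".
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto, self.out[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an Internet-to-inside reply using a binding created outbound."""
        if pkt.dport is None or pkt.dport not in self.back:
            return None   # no binding: unsolicited or portless, drop
        inside_ip, inside_port = self.back[pkt.dport]
        return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.payload)


def esp_packet(src: str, dst: str) -> Packet:
    """Plain IPSec tunnel mode: IP | ESP | inner IP | Data | Hash. No ports."""
    return Packet(src, dst, ESP_PROTO, payload="ESP[inner IP|Data|Hash]")


def esp_over_udp(pkt: Packet, port: int = IPSEC_UDP_PORT) -> Packet:
    """Release 3.0 IPSec over UDP: IP | UDP | ESP | inner IP | Data | Hash.
    The added UDP header is what gives PAT a port to translate."""
    return Packet(pkt.src, pkt.dst, UDP_PROTO, port, port, pkt.payload)


def ike_and_esp_through_pat() -> Dict[str, Dict[str, Optional[int]]]:
    """The 'IKE and UDP Issue' slide: IKE gets a PAT port, raw ESP is dropped."""
    pat = PatDevice(PUBLIC_IP)
    result: Dict[str, Dict[str, Optional[int]]] = {}
    for h in HOSTS:
        ike = pat.outbound(Packet(h, CORPORATE, UDP_PROTO, IKE_PORT, IKE_PORT, "IKE"))
        esp = pat.outbound(esp_packet(h, CORPORATE))
        result[h] = {"ike": ike.sport if ike else None, "esp": esp.sport if esp else None}
    return result


def pat_with_ipsec_over_udp() -> PatDevice:
    """Both PCs send IPSec over UDP from port 10000; PAT builds the slide's table."""
    pat = PatDevice(PUBLIC_IP)
    for h in HOSTS:
        pat.outbound(esp_over_udp(esp_packet(h, CORPORATE)))
    return pat


def reply_destination(outside_port: int) -> Optional[str]:
    """Which PC receives a reply addressed to PUBLIC_IP:outside_port?"""
    pat = pat_with_ipsec_over_udp()
    reply = Packet(CORPORATE, PUBLIC_IP, UDP_PROTO, IPSEC_UDP_PORT, outside_port, "ESP[...]")
    inside = pat.inbound(reply)
    return inside.dst if inside else None


if __name__ == "__main__":
    print(ike_and_esp_through_pat())
    print(pat_with_ipsec_over_udp().out)
    print(reply_destination(601))
```

Running it reproduces the slide's table ({(192.168.1.5, 10000): 600, (192.168.1.6, 10000): 601}) and shows that a reply to port 601 reaches 192.168.1.6, while the raw ESP packets from both PCs are dropped because there is no port to bind on.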