Configuring Remote-Access VPNs via ASDM

Created by Bob Eckhoff

This white paper discusses the Cisco Easy Virtual Private Network (VPN) components, modes of operation, and how it works. This document also gives an overview of the Cisco VPN Client and explains how it is configured for Cisco Easy VPN. In addition, this white paper explains how to configure remote-access VPNs via the Cisco Adaptive Security Device Manager (ASDM).

Introduction to Cisco Easy VPN

This topic discusses Cisco Easy VPN, its two components, and its modes of operation.

Cisco Easy VPN

Cisco Easy VPN Clients:
– Cisco VPN Client > 3.x
– Cisco 800 and uBR900 Series Router
– Cisco 1700 and 1800 Series Router
– Cisco PIX 501 and 506E Security Appliance
– Cisco ASA 5505 Security Appliance

Cisco Easy VPN Servers:
– Cisco IOS Release > 12.2(8)T Router
– Cisco 2800 and 3800 Series Router
– Cisco PIX Firewall Software Version > 6.2
– Cisco ASA 5500 Series

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Easy VPN greatly simplifies virtual private network (VPN) deployment for remote offices and teleworkers. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Cisco Easy VPN consists of two components: the Cisco Easy VPN server and the Cisco Easy VPN client.

The Cisco Easy VPN Server feature enables Cisco IOS routers and security appliances to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature. In addition, a Cisco IOS router or security appliance with the Cisco Easy VPN Server feature can terminate IP Security (IPsec) tunnels initiated by mobile remote workers who are running Cisco VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as salespeople on the road or teleworkers, to access the company intranet, where critical data and applications exist. Centrally managed IPsec policies are
pushed to the clients by the server, minimizing configuration by the end users and ensuring that those connections have up-to-date policies set before the connection is established.

The Cisco Easy VPN Remote feature enables Cisco security appliances and Cisco IOS routers to act as Cisco Easy VPN clients. As such, these devices can receive security policies from a Cisco Easy VPN server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which increases productivity and lowers costs as the need for local IT support is minimized.

Cisco Easy VPN Connection Process

Step 1: The Easy VPN client initiates the IKE Phase 1 process.
Step 2: The Easy VPN client proposes IKE SAs.
Step 3: The Easy VPN server accepts the SA proposal.
Step 4: The Easy VPN server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.

The Cisco Easy VPN connection process consists of the following steps:

Step 1 The Cisco Easy VPN client initiates the Internet Key Exchange (IKE) Phase 1 process.
Step 2 The Cisco Easy VPN client proposes IKE security associations (SAs).
Step 3 The Cisco Easy VPN server accepts the SA proposal, and device (group level) authentication is complete.
Step 4 If user authentication using IKE Extended Authentication (XAUTH) is configured, the Cisco Easy VPN Server initiates a username and password challenge.
Step 5 The IKE Mode Configuration process, which enables a VPN gateway to download an IP address and other network configuration parameters to the client, is initiated.
Step 6 An IPsec SA is created, and IKE quick mode
completes the connection.

Step 1: Cisco Easy VPN Client Initiates IKE Phase 1 Process

[Figure: Remote PC with Cisco VPN Client (Easy VPN client) – Cisco ASA (Easy VPN server). Using pre-shared keys (PSKs)? Initiate aggressive mode. Using digital certificates? Initiate main mode.]

The Cisco Easy VPN Remote feature supports a two-stage process for authenticating to the Cisco Easy VPN Server. The first step is Group Level Authentication and is part of the control channel creation. In this first stage, two types of authentication credentials can be used: either preshared keys (PSK) or digital certificates. The second authentication step is called Extended Authentication or XAUTH. In this step, the remote side (in this case, the Cisco VPN software client) submits a username and password to the Cisco Easy VPN Server.

Because there are two ways to perform the group level authentication, the Cisco Easy VPN client must consider the following when initiating this phase:

– If a PSK is to be used for authentication, the Cisco Easy VPN client initiates aggressive mode.
– If digital certificates are to be used for authentication, the Cisco Easy VPN client initiates main mode.

Step 2: Cisco Easy VPN Client Proposes IKE SAs

[Figure: Remote PC with Cisco VPN Client (Easy VPN client) sends Proposal 1, Proposal 2, ... to the Cisco ASA (Easy VPN server).]

The Cisco Easy VPN client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Cisco Easy VPN server. To reduce manual configuration on the Cisco Easy VPN client, these IKE proposals include several combinations of the following:

– Encryption and hash algorithms
– Authentication methods
– DH group sizes

To reduce the amount of manual configuration on the Cisco Easy VPN client, a fixed combination of encryption, hash
algorithms, authentication methods (preshared key or digital certificate), and Diffie-Hellman (DH) group sizes is proposed by the Cisco Easy VPN client.

Step 3: Cisco Easy VPN Server Accepts SA Proposal

[Figure: Remote PC with Cisco VPN Client (Easy VPN client) – Cisco ASA (Easy VPN server). Proposal checking finds a proposal match.]

The Cisco Easy VPN server searches for a match:

– Starting with its highest priority policy and continuing in order of priority, the server compares its own policies to the policies received from the client until a match is found.
– The first proposal to match the server list is accepted.

The IKE SA is successfully established. Device authentication ends and user authentication begins.

IKE policy is global for the Cisco Easy VPN server and can consist of several proposals. Starting with its highest priority policy and continuing in order of priority, the server compares its own policies to the policies received from the client until it finds a match. The server accepts the first proposal that matches one of its own. After an IKE proposal is accepted, the IKE SA is established. At that point, device (group level) authentication ends and user authentication begins.

Note: Because the Cisco Easy VPN server uses the first match, you should always assign the highest priorities to your most secure IKE policies.

Step 4: Cisco Easy VPN Server Initiates a Username/Password Challenge

[Figure: Remote PC with Cisco VPN Client (Easy VPN client) – Cisco ASA (Easy VPN server). Username/Password Challenge; Username/Password.]

If the Cisco Easy VPN server is configured for XAUTH, the Easy VPN client waits for a username/password challenge:

– The user enters a username/password combination.
– The username/password information is checked against authentication entities.

All Cisco Easy VPN servers should be
configured to enforce user authentication.

After the IKE SA is successfully established, and if the Cisco Easy VPN server is configured for XAUTH, the client waits for a username and password challenge. When prompted, the user must enter a valid username and password pair. The Cisco Easy VPN server checks the username and password pair against authentication entities using authentication, authorization, and accounting (AAA) protocols such as RADIUS and TACACS+. Token cards may also be used via AAA proxy.

Note: VPN devices that are configured to handle remote Cisco VPN Clients should always be configured to enforce user authentication.

Step 5: Mode Configuration Process Is Initiated

[Figure: Remote PC with Cisco VPN Client (Easy VPN client) – Cisco ASA (Easy VPN server). Client requests parameters; system parameters via mode configuration.]

If the Cisco Easy VPN server indicates successful authentication, the Cisco Easy VPN client requests the remaining configuration parameters from the Cisco Easy VPN server:

– Mode configuration starts.
– The remaining system parameters, such as IP address, DNS, and split tunneling information, are downloaded to the Cisco Easy VPN client.

The IP address is the only parameter that must be downloaded to the Cisco Easy VPN client from the Cisco Easy VPN server; all other parameters are optional.

If the Cisco Easy VPN server indicates that authentication was successful, the client requests further configuration parameters from the Cisco Easy VPN server. The remaining system parameters, such as IP address, Domain Name System (DNS), and split tunnel attributes, are pushed to the client at this time using mode configuration. The IP address is the only required parameter; all other parameters are optional.

Step 6: IKE Quick Mode Completes Connection
[Figure: Remote PC with Cisco VPN Client (Easy VPN client) – Quick Mode, IPsec SA Establishment – Cisco ASA (Easy VPN server); VPN Tunnel.]

After the configuration parameters have been successfully received by the Cisco Easy VPN client, IKE quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.

After IPsec SAs are created, the connection is complete.

Overview of Cisco VPN Client

This topic introduces you to Cisco VPN Client, software that enables customers to establish secure, end-to-end encrypted tunnels to any Cisco Easy VPN server. This thin client design, which is an IPsec-compliant implementation, is available at Cisco.com.

Cisco VPN Software Client for Windows

[Figure: Cisco VPN Client window.]

This figure displays the Cisco VPN Client window. You can preconfigure the connection entry (name of connection) and hostname or IP address of the remote Cisco VPN device, such as the Cisco ASA Adaptive Security Appliance. Clicking Connect initiates IKE Phase 1. The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require very little user intervention. VPN access policies and configurations are downloaded from the Cisco Easy VPN Server and pushed to the Cisco VPN Client when a connection is established, allowing simple deployment and management.

The Cisco VPN Client provides support for the following operating systems:

– Microsoft Windows 2000, XP, and Vista (x86/32-bit only)
– Linux (Intel)
– Solaris UltraSPARC 32-bit and 64-bit
– Mac OS X 10.4

The Cisco VPN Client is compatible with the following Cisco products:

– Cisco IOS software-based platforms Release 12.2(8)T and later releases
– Cisco ASA 5500 Series Adaptive Security Appliance Version 7.0 and later versions
– Cisco PIX Security Appliance Software Version 6.0 and later versions
– Cisco 7600/6500 IPsec VPN Services Module and VPN Shared
Port Adapter (SPA) with Cisco IOS Software Release 12.2SX and later releases.

Cisco VPN Client as Cisco Easy VPN Client

The following general tasks are used to configure Cisco VPN Client as a Cisco Easy VPN client:

Task 1: Install Cisco VPN Client
Task 2: Create a new connection entry
Task 3: (Optional) Configure Cisco VPN Client transport properties
Task 4: (Optional) Configure Cisco VPN Client backup servers properties
Task 5: (Optional) Configure dialup properties

Complete the following tasks to install and configure the Cisco VPN Client:

Task 1 Install Cisco VPN Client.
Task 2 Create a new connection entry.
Task 3 (Optional) Configure Cisco VPN Client transport properties.
Task 4 (Optional) Configure properties of Cisco VPN Client backup servers.
Task 5 (Optional) Configure dialup properties.

The security appliance includes a default group policy named DfltGrpPolicy. This group policy always exists on the security appliance, but it does not take effect unless you configure the security appliance to use it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. You cannot delete the default group policy, but you can modify it. You can also create one or more group policies specific to your environment.

You can configure internal and external group policies. Internal groups are configured on the security appliance's internal database. External groups are configured on an external authentication server, such as RADIUS. Group policies include the following attributes:

– Identity
– Server definitions
– Client firewall settings
– Tunneling protocols
– IPsec settings
– Hardware client settings
– Filters
– Client configuration settings
– Connection settings

In the figure, there are three VPN group policies configured: Engineering, Marketing, and Training.
Each Cisco VPN Client belongs to one group. As they establish VPN tunnels, they identify which VPN group they belong to. The central site security appliance pushes a specific policy to each remote user.

Groups and Users

[Figure: DfltGrpPolicy. Group: Corporate. Groups: Departments – MIS (/DfltGrpPolicy/MIS), Customer Service (/DfltGrpPolicy/Service), Finance (/DfltGrpPolicy/Finance). Users: Individuals – UNIX Systems Administrator, Customer Support Engineer, Comptroller.]

By default, users inherit all user attributes from the assigned group policy. The security appliance also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. For example, you can specify a group policy giving all users access during business hours, but give a specific user 24-hour access.

To assign attributes to an individual user, the user account must already exist on the security appliance. For an existing user account, you can use the username attributes command to enter the configuration mode for username attributes and configure the attributes. Any attributes that you do not specify are inherited from the group policy. User-specific attributes always take precedence over group-specific attributes.

By default, VPN users that you add with the username command have no attributes or group policy association. You must explicitly configure all values. You can use the CLI to configure the following attributes for a specific user:

– group-lock: Names an existing connection profile with which the user is required to connect.
– password-storage: Enables or disables storage of the login password on the client system.
– vpn-access-hours: Specifies the name of a configured time-range policy.
– vpn-filter: Specifies the name of a user-specific ACL.
– vpn-framed-ip-address: Specifies the IP address and the net mask to be assigned to the client.
– vpn-group-policy: Specifies the
name of a group policy from which to inherit attributes.
– vpn-idle-timeout: Specifies the idle timeout period in minutes, or none to disable.
– vpn-session-timeout: Specifies the maximum user connection time in minutes, or none for unlimited time.
– vpn-simultaneous-logins: Specifies the maximum number of simultaneous logins allowed.
– vpn-tunnel-protocol: Specifies permitted tunneling protocols.

Configuring Group Policies

[Slide: Configuration, Remote Access VPN, Network (Client) Access, Group Policies.]

To modify the default group policy or create a new internal group policy, complete the following steps:

Step 1 Click the Configuration button in the Cisco ASDM toolbar.
Step 2 Choose Remote Access VPN from the navigation pane.
Step 3 Expand the Network (Client) Access menu.
Step 4 Choose Group Policies. The Group Policies panel is displayed.
Step 5 To modify the default group policy, select it in the table in the Group Policies panel and click Edit. To create a new group policy, click Add and choose Internal Group Policy from the drop-down list. The Edit Internal Group Policy: DfltGrpPolicy window opens if you are editing the default group policy. The Add Internal Group Policy window opens if you are adding a new policy.

Note: The default group policy is always internal. You cannot change it to external.

Configuring Internal Group Policies

[Slide: Add Internal Group Policy – General, Servers, Advanced.]

Step 6 Verify that General is selected in the navigation pane.
Step 7 Enter a name for the group policy in the Name field. In the figure, the name MYGROUP is entered.
Step 8 Deselect the Inherit check boxes for the attributes you do not want the group to inherit from the default group policy. You can use the fields and buttons that become active to configure the attributes. In the figure, the Inherit check
box for Access Hours is deselected, so the corresponding field and the Manage button are active. For this example, click the Manage button. This opens a separate window for configuring a time range for the group policy, as shown in the next slide.
Step 9 If you want to specify DNS servers, WINS servers, or a default domain for the group policy, click Servers in the navigation pane. Then deselect the Inherit check boxes for the attributes you do not want the group policy to inherit from the default group policy, and use the fields and buttons that become active to configure the attributes.
Step 10 If you want to configure Advanced options such as split tunneling for the group policy, expand the Advanced menu in the navigation pane. Make your selection from the Advanced menu, and configure the settings as described in Steps 8 and 9 above.

Configuring Internal Group Policies (Cont.)

[Slide: Browse Time Range – Add.]

Step 11 When you have completed your configuration, click OK until you return to the Group Policies panel.
Step 12 Click Apply in the Group Policies panel.

This figure shows the Browse Time Range window that opens as a result of clicking the Manage button for the Access Hours attribute. In this example, the Browse Time Range window and the Add Time Range and Recurring Time Range windows, which are accessible from it, are used to specify a time range that starts immediately and never ends. The time range is named OFFICE_HOURS and allows access only Monday through Friday from 7:00 a.m. to 6:00 p.m. (0700 to 1800).

Applying a Group Policy to a User Account

[Slide: Configuration, Remote Access VPN, AAA Setup, Local Users, Edit.]

To apply a new group policy to a specific user, complete the following steps:

Step 1 Click Configuration in the Cisco ASDM toolbar.
Step 2 Click Remote
Access VPN in the navigation pane.
Step 3 Expand the AAA Setup menu.
Step 4 Click Local Users. The Local Users panel is displayed.
Step 5 Select the user account to which you want to apply the group policy.
Step 6 Click Edit. The Edit User Account window opens.

Applying a Group Policy to a User Account (Cont.)

[Slide: Edit User Account – Group Policy, Tunneling Protocols, Connection Settings, Filter, Tunnel Group Lock, Dedicated IP Address, Store Password on Client System.]

Step 7 Click VPN Policy.
Step 8 Deselect the Group Policy: Inherit check box.
Step 9 Select the new group policy from the Group Policy drop-down list.
Step 10 Click OK.
Step 11 Click Apply in the Local Users panel.

If the other check boxes in this window remain checked, the corresponding settings take their values from the group policy. To specify a different value for any setting, deselect the check box for the setting and use the activated fields, drop-down lists, check boxes, or radio buttons to specify the value. You can configure the following VPN policy settings for the user:

– Tunneling protocols: Specify one or more tunneling protocols that this user can use. The choices are IPsec, clientless SSL VPN, SSL VPN client, and L2TP over IPsec.
– Filter: Specify a filter to use for the policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol.
– Tunnel group lock: Specify whether the user is restricted to a specific tunnel group for remote-access VPN connections.
– Store password on client system: Specify whether the login password is stored on the client system. If you select the No radio button, the user is required to enter the password with each connection. For maximum security, it is recommended that you accept this default setting to prohibit password storage. This parameter has no
bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.

In the Connection Settings area, you can configure the following settings:

– Access hours: If the Inherit check box is not selected, you can select the name of an existing access hours policy, if any, or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is Unrestricted.
– Simultaneous logins: If the Inherit check box is not selected, this parameter specifies the maximum number of simultaneous logins allowed for the user. The default value is [...]. The minimum value is 0, which disables login and prevents user access.
– Maximum connect time: If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).
– Idle timeout: If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. This value does not apply to users of clientless SSL VPN connections.

You can also specify an IP address for the user. To do so, enter the IP address in the IP address field, and choose the corresponding subnet mask from the Subnet Mask drop-down list.

Configuring External Group Policies

[Slide: Add External Group Policy – Name, Server Group, Password.]

External group policies take their attribute values from the external server that you specify. For an external group policy, you
must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, and if your external group-policy attributes exist in the same RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name duplication between them.

Note: External group names on the security appliance refer to user names on the RADIUS server. In other words, if you configure external group X on the security appliance, the RADIUS server sees the query as an authentication request for user X. Therefore, external groups are really just user accounts on the RADIUS server that have special meaning to the security appliance. If your external group attributes exist in the same RADIUS server as the users that you plan to authenticate, there must be no name duplication between them.

To configure an external group policy, complete the following steps:

Step 1 Click Add in the Group Policies panel (not shown).
Step 2 Choose External Group Policy from the drop-down list. The Add External Group Policy window opens.
Step 3 Enter a name for the group policy in the Name field.
Step 4 Choose a server group from the Server Group drop-down list, or click New to create a new server group. The new external group policy will get its attributes from the external server group you specify. If you click New to create a new server group, choose New RADIUS Server Group from the drop-down list. For an external group policy, RADIUS is the only supported AAA server type.
Step 5 In the Password field, enter the password to use when retrieving the attributes.
Step 6 Click OK.
Step 7 Click Apply in the Group Policies panel.

Monitoring and Verifying Remote-Access VPN

This topic provides an overview of monitoring and
verifying your remote-access VPN.

Using ASDM to Monitor the VPN

[Slide: Monitoring, VPN – VPN Connection Graphs (IPsec Tunnels); VPN Statistics (Crypto Statistics, Encryption Statistics, Global IKE/IPsec Statistics, Protocol Statistics, Sessions).]

To verify and monitor your remote-access VPN, click the Monitoring button in the Cisco ASDM toolbar and choose VPN from the navigation pane. Three submenus are displayed. The following two can be used for monitoring your IPsec remote-access VPN:

– VPN Connection Graphs: Contains the IPsec Tunnels option, which enables you to display IPsec VPN connection data in graphical or tabular form.
– VPN Statistics: Contains the following options that are useful for monitoring your remote-access VPN:
  — Crypto Statistics: Crypto statistics for IPsec and IKE
  — Encryption Statistics: Encryption statistics for tunnel groups
  — Global IKE/IPsec Statistics: Global IKE and IPsec statistics
  — Protocol Statistics: Protocol statistics for tunnel groups
  — Sessions: Total number of remote-access VPN sessions and details on each session

VPN Statistics: Encryption Statistics

[Slide: VPN Statistics, Encryption Statistics – Show Statistics For: TRAINING; Refresh.]

The figure shows the Encryption Statistics panel displaying encryption statistics for tunnel group TRAINING.

VPN Statistics: Sessions

[Slide: VPN Statistics, Sessions – Filter, Details, Logout, Ping, Logout Sessions, Refresh.]

The Sessions panel lists the number of currently active remote-access sessions. In the figure, there is one active remote-access VPN session. The Sessions panel also contains a table that displays information about currently active sessions. You can use the Filter By drop-down list to specify the type of session that the statistics in the table
represent. The column headings in the table vary depending upon the type of session you choose from the Filter By drop-down list. You can also use the Filter button along with the unlabeled drop-down lists to the right of the Filter By drop-down list to filter on encryption, IP address, or protocol. In the figure, Remote Access is selected from the Filter By drop-down list; therefore, the table contains the following columns:

– Username: Shows the username for the session.
– Group Policy Connection: Shows the group policy being used for the session.
– Assigned IP Address: Shows both the private IP address assigned by the Cisco Easy VPN server to the remote client for this session and the public IP address of the remote client.
– Protocol/Encryption: Shows the protocol and the data encryption algorithm this session is using, if any.
– Login Time/Duration: Shows the date and time that the session logged in and the length of the session. Time is displayed in 24-hour notation.

You can view details for a session by selecting it in the Session table and clicking the Details button. The session details are displayed in a separate window. To terminate a specific session, select it in the Session table and click the Logout button. If you want to terminate all sessions or groups of sessions, use the Logout By drop-down lists and fields to specify the sessions you want to terminate, and then click the Logout Sessions button. The Ping button in the Sessions panel opens a window that enables you to send an ICMP ping packet to test network connectivity. The Refresh button updates the screen and its data.

Using the CLI to Test and Verify Remote Access VPN Configuration

[Slide: Verify ACLs and interesting traffic – show run access-list. Verify correct IKE configuration – show run isakmp, show run tunnel-group. Verify IPsec and ISAKMP SAs – show crypto ipsec sa, show crypto isakmp sa.]

You can also
use the CLI as follows to test and verify that you have correctly configured the VPN on the security appliance:

– Verify ACLs that designate interesting traffic with the show run access-list command.
– Verify correct IKE configuration with the show run isakmp and show run tunnel-group commands.
– Verify that IPsec and ISAKMP SAs have been established with the show crypto ipsec sa and show crypto isakmp sa commands.

Test and Verify VPN Configuration (Cont.)

[Slide: Verify correct crypto map configuration – show run crypto map. Clear IPsec SA – clear crypto ipsec sa. Clear IKE SA – clear crypto isakmp sa. Debug IKE and IPsec traffic through the security appliance – debug crypto ipsec, debug crypto isakmp.]

– Verify the correct crypto map configuration with the show run crypto map command.
– Clear IPsec SAs with the clear crypto ipsec sa command.
– Clear IKE SAs with the clear crypto isakmp sa command.
– Debug IKE and IPsec traffic through the security appliance with the debug crypto ipsec and debug crypto isakmp commands.

[...] information about the firewall configuration of the Cisco VPN Client.

Configuring Remote-Access VPNs

This topic explains how to use the Cisco Adaptive Security Device Manager (ASDM) IPsec VPN Wizard to configure remote-access VPNs.

[Figure: Company XYZ. Need: Secure Connectivity for Remote Workers. Home Office – Internet – Corporate DMZ 10.0.1.0/24 (Web, FTP) ...]
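The first-match rule from Step 3 and the show run isakmp check from the CLI verification list above can be exercised together. The Python script below is an added example, not code from the white paper or from Cisco: it parses a constructed sample laid out like show run isakmp output, picks the policy the server would accept for a constructed set of client proposals, and flags the ordering problem the Step 3 note warns about (a weak policy that outranks a stronger one). It assumes, as on the ASA, that a lower policy number means higher priority; the strength ranks and the client proposal list are assumptions made for the example, and lifetime is ignored because the paper lists only encryption, hash, authentication and DH group as proposal fields.

```python
import re
from typing import Dict, List, Optional

Policy = Dict[str, str]

# Constructed sample laid out like ASA `show run isakmp` output (not captured
# from a real appliance). Policy 10 is the weakest but has the highest priority.
SAMPLE_SHOW_RUN_ISAKMP = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Constructed stand-in for the fixed proposal set a Cisco VPN Client sends
# (the real client has its own list); only the four fields the paper names
# for Step 2 are modelled.
CLIENT_PROPOSALS: List[Policy] = [
    {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encryption": "aes", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": "1"},
]

MATCH_FIELDS = ("encryption", "hash", "authentication", "group")

# Relative strength ranks used only by the audit (an assumption for this example).
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
HASH_RANK = {"md5": 0, "sha": 1}
GROUP_RANK = {"1": 0, "2": 1, "5": 2}


def parse_isakmp_policies(text: str) -> List[Policy]:
    """Parse `crypto isakmp policy N` blocks and return them highest priority
    first (on the ASA a lower policy number means higher priority)."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = {"priority": m.group(1)}
            policies.append(current)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return sorted(policies, key=lambda p: int(p["priority"]))


def select_policy(server_policies: List[Policy], proposals: List[Policy]) -> Optional[Policy]:
    """Step 3 as the paper describes it: walk the server's policies in priority
    order and accept the first one that any client proposal matches."""
    for policy in server_policies:
        for proposal in proposals:
            if all(policy.get(f) == proposal.get(f) for f in MATCH_FIELDS):
                return policy
    return None


def _ranks(policy: Policy):
    return (ENC_RANK.get(policy.get("encryption", ""), -1),
            HASH_RANK.get(policy.get("hash", ""), -1),
            GROUP_RANK.get(policy.get("group", ""), -1))


def strictly_weaker(a: Policy, b: Policy) -> bool:
    """True when a is no stronger than b in every dimension and weaker in one."""
    ra, rb = _ranks(a), _ranks(b)
    return all(x <= y for x, y in zip(ra, rb)) and ra != rb


def audit_priority_order(server_policies: List[Policy]) -> List[str]:
    """Flag what the Step 3 note warns about: a weaker policy that has a higher
    priority than a stronger one, so first-match settles on the weaker policy."""
    warnings = []
    for i, higher in enumerate(server_policies):
        for lower in server_policies[i + 1:]:
            if strictly_weaker(higher, lower):
                warnings.append(
                    f"policy {higher['priority']} ({higher['encryption']}/{higher['hash']}/group {higher['group']}) "
                    f"outranks stronger policy {lower['priority']} ({lower['encryption']}/{lower['hash']}/group {lower['group']})")
    return warnings


def strongest_first(server_policies: List[Policy]) -> List[Policy]:
    """Copy of the list reordered so the most secure policy is tried first; on a
    real appliance you would renumber the policies to get this order."""
    return sorted(server_policies, key=_ranks, reverse=True)


if __name__ == "__main__":
    policies = parse_isakmp_policies(SAMPLE_SHOW_RUN_ISAKMP)
    chosen = select_policy(policies, CLIENT_PROPOSALS)
    print("first match as configured:", chosen["priority"], chosen["encryption"])
    for w in audit_priority_order(policies):
        print("WARNING:", w)
    fixed = select_policy(strongest_first(policies), CLIENT_PROPOSALS)
    print("first match with strongest policy first:", fixed["priority"], fixed["encryption"])
```

With the policies as listed, the server settles on policy 10 (DES/MD5) because it is tried first and the client offers a matching proposal; once the AES-256 policy is tried first, the same client lands on policy 20. Policy 30 never matches these proposals because it requires certificate authentication (rsa-sig) while the constructed client only offers pre-shared keys.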
[Slide: [...] Type – Remote access IPsec VPN. VPN Tunnel Type: Remote Access. VPN Tunnel Interface.]

Use the IPsec VPN Wizard to create a remote-access VPN for the Cisco VPN Client. On this wizard page, configure the VPN tunnel type:

Step 1 Click Wizards in the Cisco ASDM menu bar (not shown).
Step 2 Choose IPsec VPN Wizard. The VPN Wizard window opens.
Step 3 Choose the Remote Access [...] VPN Tunnel Type options.
Step 4 Verify that outside is displayed in the VPN Tunnel Interface drop-down list.
Step 5 Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
Step 6 Click Next. The Remote Access Client page is displayed.

Specifying the Remote Access Client Type

[Slide: Cisco VPN Client ...]

[...] employs remote workers in various locations who need access to resources at corporate headquarters. The network security administrator for Company XYZ configures the corporate Cisco ASA security appliance to accept remote-access VPN connections to give these remote workers secure connectivity to headquarters.

Specifying the Tunnel Type

[...]
[...] Click Next. The Summary page is displayed.

Reviewing the Remote Access VPN Configuration Summary

[Figure: Home Office – Internet – Corporate DMZ 10.0.1.0/24 – Headquarters.]

Review your configuration. The Summary panel displays all of the attributes of your remote-access VPN as configured. If you need to make [...] configuration, click Finish. After you click Finish, you can no longer use the VPN wizard to make changes to this configuration. Use the Remote Access VPN menu items to edit and configure advanced features.

Configuring Users and Groups

This topic provides an overview of configuring users and groups.

[Slide: Group Policy Push to Client – Engineering Policy ...]

[...] split tunnel policy for remote-access users or groups.
Step 12 Click Next. The Client Authentication page is displayed.

Configuring Client Authentication

[Slide: Cisco VPN Client – Client Authentication (XAUTH) – AAA server 10.0.1.10 (MYRADIUS).]

On this VPN Wizard page, configure the remote user authentication [...]

[...] allow a finance group to access one part of a private network, a customer support group to access another part, and a management information systems (MIS) group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Group policies provide the flexibility to do so securely.
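The Python below is an added example, not code from the white paper or from Cisco. It models the attribute inheritance the Users and Groups sections describe: a user-level value overrides the group policy, and an attribute whose Inherit check box is left selected falls through to the group policy and then to DfltGrpPolicy. It then applies the resolved vpn-access-hours and vpn-simultaneous-logins values to a connection attempt, using the OFFICE_HOURS range (Monday through Friday, 0700 to 1800) from the group-policy walkthrough and the paper's own example of one user who gets 24-hour access. All policies, users, timestamps and numeric values are constructed for the example and are not the appliance's defaults.

```python
from datetime import datetime, time
from typing import Any, Dict, Optional, Tuple

# Marker for an attribute whose Inherit check box is left selected: nothing is
# set at this level, so the value comes from the next level down.
INHERIT = "<inherit>"

# Constructed sample policies (not exported from an appliance); the numeric
# values are illustrative, not the appliance's defaults.
DFLT_GRP_POLICY: Dict[str, Any] = {
    "vpn-access-hours": None,        # None = unrestricted
    "vpn-simultaneous-logins": 2,
    "vpn-idle-timeout": 30,          # minutes
    "vpn-session-timeout": None,     # None = unlimited
    "vpn-tunnel-protocol": ["ipsec"],
}

GROUP_POLICIES: Dict[str, Dict[str, Any]] = {
    # MYGROUP deselects Inherit only for Access Hours, as in the ASDM walkthrough.
    "MYGROUP": {"vpn-access-hours": "OFFICE_HOURS"},
}

USERS: Dict[str, Dict[str, Any]] = {
    # alice takes everything from MYGROUP (Inherit left selected).
    "alice": {"vpn-group-policy": "MYGROUP", "vpn-access-hours": INHERIT},
    # oncall is in the same group but gets 24-hour access and more logins.
    "oncall": {"vpn-group-policy": "MYGROUP",
               "vpn-access-hours": None, "vpn-simultaneous-logins": 4},
    # contractor has login disabled by a simultaneous-logins value of 0.
    "contractor": {"vpn-group-policy": "MYGROUP", "vpn-simultaneous-logins": 0},
}

# Recurring time range OFFICE_HOURS from the text: Monday to Friday, 0700 to 1800.
TIME_RANGES = {
    "OFFICE_HOURS": {"weekdays": {0, 1, 2, 3, 4},
                     "start": time(7, 0), "end": time(18, 0)},
}

ATTRIBUTES = ("vpn-access-hours", "vpn-simultaneous-logins", "vpn-idle-timeout",
              "vpn-session-timeout", "vpn-tunnel-protocol")

# Constructed timestamps: a Wednesday and the following Saturday, both at 09:00.
WEDNESDAY_9AM = datetime(2008, 6, 11, 9, 0)
SATURDAY_9AM = datetime(2008, 6, 14, 9, 0)


def resolve_attributes(username: str) -> Dict[str, Any]:
    """User-specific value first, then the assigned group policy, then
    DfltGrpPolicy; an INHERIT marker is treated as 'not set at this level'."""
    user = USERS[username]
    group = GROUP_POLICIES.get(user.get("vpn-group-policy"), {})
    resolved: Dict[str, Any] = {}
    for attr in ATTRIBUTES:
        for level in (user, group, DFLT_GRP_POLICY):
            if attr in level and level[attr] != INHERIT:
                resolved[attr] = level[attr]
                break
    return resolved


def in_time_range(name: Optional[str], when: datetime) -> bool:
    """None means unrestricted; otherwise the instant must fall inside the
    named recurring range (end time exclusive)."""
    if name is None:
        return True
    tr = TIME_RANGES[name]
    return when.weekday() in tr["weekdays"] and tr["start"] <= when.time() < tr["end"]


def admit(username: str, when: datetime, active_sessions: int) -> Tuple[bool, str]:
    """Decide a new connection attempt from the resolved access hours and
    simultaneous-login limit; active_sessions is the user's current count."""
    attrs = resolve_attributes(username)
    if not in_time_range(attrs["vpn-access-hours"], when):
        return False, f"outside vpn-access-hours {attrs['vpn-access-hours']}"
    limit = attrs["vpn-simultaneous-logins"]
    if active_sessions >= limit:          # a limit of 0 disables login entirely
        return False, f"vpn-simultaneous-logins limit {limit} reached"
    return True, "admitted"


if __name__ == "__main__":
    for name in USERS:
        print(name, resolve_attributes(name))
        print("  weekday:", admit(name, WEDNESDAY_9AM, 0))
        print("  weekend:", admit(name, SATURDAY_9AM, 0))
```

Running it shows alice admitted on the Wednesday but refused on the Saturday by the inherited OFFICE_HOURS range, oncall admitted on both days because the user-level value of None overrides the group, and contractor refused at any time because a limit of 0 disables login, which is the behaviour the Connection Settings description gives for Simultaneous logins.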