SNAA Securing Networks with Cisco ASA Advanced, Volume 2, Version 1.0, Student Guide
Text Part Number: 97-2730-02

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents, Volume 2

IPsec VPNs
  Overview
  Module Objectives
Understanding IPsec and Digital Certificates
  Overview 4-3
  Objectives 4-3
  What Is IPsec? 4-4
  IPsec Operation 4-8
  Digital Certificates and Public-Key Cryptography 4-18
  Certificates and Scalability 4-24
  Certificate Enrollment Process 4-25
  Validating the Certificate 4-31
  Certificate Revocation Lists 4-38
  Security Appliance Certificate Enrollment Support 4-40
  Root Certificate Enrollment 4-42
  Identity Certificate Enrollment 4-42
  Key Pairs and Trustpoints 4-44
  Key Pairs 4-44
  Trustpoints 4-45
  Summary 4-46
  Overview 4-47
  Objectives 4-47
  Site-to-Site VPNs 4-48
  Configuring CA Certificates 4-53
  Installing an Identity Certificate 4-60
  Site-to-Site IPsec Connection Profiles 4-70
  Modifying Certificate to Connection Mapping 4-81
  Hub and Spoke 4-86
  Site-to-Site Redundancy 4-90
  Verifying Site-to-Site VPNs
  Troubleshooting Site-to-Site VPNs 4-102
  Summary 4-106
Configuring the Cisco VPN Client 4-107
  Overview 4-107
  Objectives 4-107
  Cisco VPN Client 4-108
  Cisco VPN Client Installation
  Digital Certificates with Cisco VPN Client 4-117
  Connection Entry 4-123
  Advanced Options 4-130
  Verify and Troubleshoot Client Configuration 4-137
  Summary 4-147
Configuring a Cisco ASA for Remote Access
  Overview
  Objectives
  Remote-Access VPNs
  Configuring a Cisco ASA for Remote Access
  Installing Cisco ASA Certificates
  Installing a CA Certificate
  Enrolling with a CA
  Installing an Identity Certificate
  Defining a Remote-Access Address Pool
  User Policy Attribute Inheritance
  Configuring an IPsec Connection Profile
  Configuring the Certificate to Connection Profile Policy
  Verifying Remote-Access VPNs Using Cisco ASDM
  Troubleshooting Remote-Access VPNs
  Summary
Configuring Advanced Remote-Access Features and Policy
  Overview
  Objectives
  Load Balancing
  Reverse Route Injection
  Backup Servers
  Intra-Interface VPN Traffic
  NAT Transparency
  Client Update
  Split Tunneling
  Personal Firewalls
  Summary
Configuring Cisco ASA 5505 as a Cisco Easy VPN Hardware Client
  Overview
  Objectives
  Introduction to Cisco Easy VPN
  Cisco Easy VPN Server Policy
  Cisco Easy VPN Hardware Client
  Summary
Configuring QoS for IPsec VPNs
  Overview
  Objectives
  QoS Overview
  Cisco ASA QoS
  Configuring QoS for VPNs
  Verifying QoS
  Summary
Module Summary

Securing Networks with Cisco ASA Advanced (SNAA) v1.0, © 2008 Cisco Systems, Inc.

Module 4 | IPsec VPNs

Overview

Internal corporate networks have increasingly become geographically diverse, with partner connections, remote-office connections, and remote and mobile workers needing access to company network assets. The Cisco ASA adaptive security appliance can provide IP security (IPsec) connections to enable these connections into the company network. This module discusses the Cisco ASA configuration of IPsec virtual private networks (VPNs).

Module Objectives

Upon completing this module, you will be able to explain the IPsec VPN features and capabilities of the security appliance.
This ability includes being able to meet these objectives:

- Explain the components and the functionality of IPsec and explain what digital certificates are and how they are used
- Identify the steps needed to configure the Cisco security appliance to establish LAN-to-LAN tunnels with the digital certificate
- Identify the necessary steps to configure the IPsec VPN client, using digital certificates
- Identify the necessary steps to configure the security appliance for remote access, using certificates
- Explain the advanced remote-access features of the Cisco ASA
- Determine the necessary configuration for the Cisco ASA 5505 to be a VPN hardware client
- Identify the steps to configure quality of service (QoS) for VPN traffic

Lesson 1 | Understanding IPsec and Digital Certificates

Overview

In the current business environment, it is critical that corporate networks that are connected to the Internet offer flexible and secure virtual private network (VPN) access with IP Security (IPsec). Connecting remote sites over the Internet provides a great cost-saving opportunity when compared to traditional WAN access such as Frame Relay or ATM. With IPsec technology, customers can now build VPN tunnels through the public Internet with the security of encryption as protection against wiretapping or intruding on the private communication. In this lesson, you will be introduced to RFC 2401 (Security Architecture for the Internet Protocol, which defines IPsec), some of the underlying protocols used by IPsec, and public key infrastructure (PKI).

Objectives

Upon completing this lesson, you will be able to explain the functionality and the components of IPsec and explain what digital certificates are and how they are used. This ability includes being able to meet these objectives:

- Describe IPsec and the components that define IPsec
- Describe how IPsec works
- Describe how digital certificates and public-key cryptography work
- Describe the scalability that is achieved by using certificates
- Describe the purpose of CRLs and the protocols used for CRLs
- Describe key pairs and trustpoints

What Is IPsec?

This topic describes IPsec and the components that define IPsec.

IP Security
- RFC 2401
- Combines three protocols into a cohesive security framework

IPsec combines three protocols into a cohesive security framework. IPsec is designed to provide interoperable, high-quality, and cryptographically based security. IPsec is defined in RFC 2401. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and upper-layer protocols. Because these services are provided at the IP layer, they can be used by any higher-layer protocol (for example, TCP, User Datagram Protocol [UDP], and Border Gateway Protocol [BGP]).

IPsec combines the following security protocols:

- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE)

AH and ESP can be used independently or together, although for most applications, just one of them is sufficient. For both of these protocols, IPsec does not define the specific algorithms to use but, rather, provides an open framework for implementing industry-standard algorithms. Initially, most implementations of IPsec support Message Digest 5 (MD5) from RSA Security ("RSA" stands for Rivest, Shamir, and Adleman, the three inventors) or the Secure Hash Algorithm (SHA) as defined by the U.S. government for integrity and authentication.
IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm (or algorithms) to use for the service (or services), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

Note: The term "security gateway" is predominantly used to refer to an intermediate system that implements IPsec protocols (for example, a router or a firewall implementing IPsec).

The IPsec protocol provides IP network-layer encryption and defines a new set of headers to be added to IP datagrams. These new headers are placed after the IP header and before the Layer 4 protocol (typically TCP or UDP). They provide information for securing the payload of the IP packet.

Simply put, IPsec provides secure tunnels between two peers, such as two routers. You define which packets are considered sensitive and should be sent through these secure tunnels, and by specifying the characteristics of these tunnels, you define the parameters that should be used to protect these sensitive packets. Then, when the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

These tunnels are sets of security associations (SAs) that are established between two IPsec peers. The SAs define which protocols and algorithms should be applied to sensitive packets, and also specify the keying material to be used by the two peers.
SAs are unidirectional and are established per security protocol (AH or ESP).

Note: If IKE is used to establish the SAs, the SAs will have lifetimes so that they periodically expire and require renegotiation.

Multiple IPsec tunnels can exist between two peers to secure different data streams, with each tunnel using a separate set of SAs. For example, some data streams might only be authenticated, while other data streams must be both encrypted and authenticated.

Access control lists (ACLs) that are associated with IPsec crypto map entries represent which traffic the router requires to be protected by IPsec. Inbound traffic is processed against the crypto map entries: if an unprotected packet matches a permit entry in a particular ACL that is associated with an IPsec crypto map entry, that packet is dropped because it was not sent as an IPsec-protected packet.

Crypto map entries also include transform sets. A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. During the IPsec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Because these security services use shared-secret values (cryptographic keys), IPsec relies on a separate set of mechanisms for putting these keys in place.

IPsec Protocols and Terminology
- Symmetric encryption: 3DES
- Asymmetric encryption and key exchange algorithms
- Hashing algorithms and technologies: MD5, SHA, HMAC
- Public key infrastructure: certificates, certificate authorities, certificate revocation lists
- IPsec terms: perfect forward secrecy, transform sets

Cisco security appliances support the following IPsec and related standards. Listed here are some other protocols and terms used with IPsec.
- Advanced Encryption Standard (AES): AES was finalized as a Federal Information Processing Standard (FIPS)-approved cryptographic algorithm to be used to protect electronic data transmission (FIPS PUB 197). AES is based on the Rijndael algorithm, which specifies how to use keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits (all 9 combinations of key length and block length are possible).
- Data Encryption Standard (DES): DES was published in 1977 by the National Bureau of Standards (NBS) (the former name of the National Institute of Standards and Technology [NIST]) and is a secret-key encryption scheme based on the Lucifer algorithm from IBM. The contrast of DES is public key. Cisco uses DES in classic cryptography, IPsec cryptography, and on the Cisco ASA adaptive security appliance.
- Triple DES (3DES): This is a mode of the DES encryption algorithm that encrypts data three times. Three 64-bit keys are used, instead of one 64-bit key, for an overall key length of 192 bits. The first encryption is encrypted with a second key, and the resulting cipher text is again encrypted with a third key.
- Diffie-Hellman (DH): This is a method of establishing a shared key over an insecure medium. DH is a component of the Oakley protocol.
- RSA: RSA is a public key cryptographic algorithm with a variable key length. The main weakness of RSA is that it is significantly slow to compute compared to popular secret-key algorithms, such as DES. The Cisco IKE implementation uses a DH exchange to get the secret keys. This exchange can be authenticated with RSA (or pre-shared keys). With the DH exchange, the DES key never crosses the network (not even in encrypted form), which is not the case with the RSA encrypt-and-sign technique.
RSA is not public domain and must be licensed from RSA Security.
- Hash: This is a one-way function that takes an input message of arbitrary length and produces a fixed-length digest. Cisco uses both SHA and MD5 hashes within its implementation of the IPsec framework.
- MD5: MD5 is a one-way hashing algorithm that produces a 128-bit hash. Both MD5 and SHA are variations on Message Digest 4 (MD4), which is designed to strengthen the security of this hashing algorithm. SHA is more secure than MD4 and MD5.
- SHA-1: This is a one-way hash put forth by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it is slower.
- Hashed Message Authentication Code (HMAC): HMAC is a mechanism for message authentication using cryptographic hashes such as SHA and MD5.
- Certificate: A certificate is a cryptographically signed object that contains an identity and a public key associated with this identity.
- Certificate authority (CA): A CA is a third-party entity with the responsibility to issue and revoke certificates. Each device that has its own certificate and the public key of the CA can authenticate every other device within the domain of a given CA. This term also applies to server software that provides these services.
- Certificate revocation list (CRL): A CRL is a digitally signed message that lists all of the current but revoked certificates issued by a given CA.
- Crypto map: A crypto map is a Cisco IOS software configuration entity that performs two primary functions. First, it selects data flows that need security processing. Second, it defines the policy for these flows and the crypto peer that traffic needs to go to. A crypto map is applied to an interface.
- Perfect forward secrecy (PFS): PFS ensures that a given IPsec SA key was not derived from any other secret (such as some other key). In other words, if someone breaks a key, PFS ensures that the attacker is not able to derive any other key. If PFS is not enabled, someone can potentially break the IKE SA secret key, copy all the IPsec-protected data, and then use knowledge of the IKE SA secret to compromise the IPsec SA that is set up by this IKE SA. With PFS, breaking IKE does not give an attacker immediate access to IPsec. The attacker needs to break each IPsec SA individually. The Cisco IOS IPsec implementation uses PFS group 1 (DH 768 bit) by default.
- Transform sets: A transform describes a security protocol (AH or ESP) with its corresponding algorithms (for example, ESP with the DES cipher algorithm and HMAC and SHA for authentication).

IPsec Operation

This topic describes IPsec operation.

[Figure: IPsec Operation. Host A, Cisco Security Appliance A, Cisco Security Appliance B, Host B.]
1. Interesting traffic is detected: The VPN devices recognize the traffic to protect, defined in the crypto access control list.
2. IKE Phase 1: The VPN devices negotiate an IKE security policy and establish a secure channel.
3. IKE Phase 2: The VPN devices negotiate an IPsec security policy to protect IPsec data.
4. Data transfer: The VPN devices apply security services to traffic, then transmit the traffic.
5. Tunnel terminated: The tunnel is torn down.

The goal of IPsec is to protect the desired data with the needed security services. IPsec operation can be broken down into five primary steps:

- Interesting traffic is detected: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.
  ACLs are used to define traffic that is to be deemed interesting (data to be encrypted).
- IKE negotiates SAs in two phases:
  - IKE Phase 1: A basic set of security services is negotiated and agreed upon between peers. These security services protect all subsequent communications between the peers. IKE Phase 1 sets up a secure communication channel between IKE peers.
  - IKE Phase 2: IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.
- Data transfer: Data is transferred between IPsec peers, based on the IPsec parameters and keys that are stored in the SA database.
- IPsec SAs terminate through deletion or by timing out.

Interesting Traffic

[Figure: Interesting Traffic. Host A sits behind Cisco ASA A, whose crypto ACL is "access-list ASA_A extended permit ip ..." (addresses not legible). Traffic bound for the intranet is encrypted; traffic bound for www.paper.com is sent in cleartext.]
- Host A is sending traffic bound for the intranet (Host B). It is defined by the crypto ACL, so it is deemed interesting and encrypted.
- Host A is sending traffic bound for the Internet (www.paper.com). It is not defined by the crypto ACL, so it is sent as cleartext.

Determining which traffic needs to be protected is a part of formulating a security policy for a corporate VPN. The VPN security policy determines which traffic needs to be protected and which traffic can be sent in the clear and not protected. For every inbound and outbound datagram, there are two choices: apply IPsec, or bypass IPsec and send the datagram in cleartext. Using IPsec, you configure an ACL to define which traffic should be protected between two IPsec peers. Therefore, traffic may be selected based on source and destination address and, optionally, Layer 4 protocol and port.
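The two decisions just described, as an added example that is not code from the Cisco guide: a small Python model of a crypto ACL that classifies outbound traffic as protected or cleartext, and applies the inbound rule stated earlier in the lesson (an unprotected packet matching a permit entry is dropped). The ACL name ASA_A is taken from the figure; the addresses and ports are constructed, and the model assumes ASA extended-ACL syntax with subnet masks, first match wins, and that inbound traffic is evaluated against the mirror image of the ACL.

```python
"""Crypto ACL classification (added example; not code from the Cisco guide).

Two decisions the lesson describes:
  * outbound: a packet matching a permit entry of the crypto ACL is
    "interesting" and must be sent IPsec-protected; anything else is cleartext.
  * inbound: an UNPROTECTED packet that matches a permit entry is dropped,
    because it should have arrived inside the tunnel.
Assumptions: ASA extended-ACL syntax with subnet masks, first match wins, and
inbound packets are checked against the mirror image of the ACL.
The ACL name ASA_A is from the figure; all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    protected: bool = False    # True if it arrived inside an IPsec tunnel


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" (protect) or "deny" (exclude)
    proto: str                 # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA extended ACLs take a subnet mask, not an IOS-style wildcard mask.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(lines: List[str], name: str) -> List[Ace]:
    """Parse 'access-list NAME extended permit|deny PROTO SRC MASK DST MASK [eq PORT]'."""
    aces = []
    for line in lines:
        f = line.split()
        if len(f) < 9 or f[:3] != ["access-list", name, "extended"]:
            continue
        dport = int(f[10]) if len(f) >= 11 and f[9] == "eq" else None
        aces.append(Ace(f[3], f[4], _network(f[5], f[6]), _network(f[7], f[8]), dport))
    return aces


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    for ace in acl:            # first matching entry wins
        if ace.matches(pkt):
            return ace
    return None


def outbound_decision(acl: List[Ace], pkt: Packet) -> str:
    """'protect' for interesting traffic, otherwise 'cleartext'."""
    ace = first_match(acl, pkt)
    return "protect" if ace and ace.action == "permit" else "cleartext"


def inbound_decision(acl: List[Ace], pkt: Packet) -> str:
    """Evaluate the mirror image (src/dst and ports swapped) of the packet.
    A permit match means the traffic belongs in the tunnel: accept it only if it
    really was IPsec-protected, else drop it. No match: ordinary cleartext."""
    mirror = Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport, pkt.protected)
    ace = first_match(acl, mirror)
    if ace and ace.action == "permit":
        return "accept" if pkt.protected else "drop"
    return "cleartext"


# Constructed crypto ACL: ACL name from the figure, addresses made up.
CRYPTO_ACL = parse_acl([
    "access-list ASA_A extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0",
], "ASA_A")

if __name__ == "__main__":
    intranet = Packet("10.0.1.5", "10.0.2.9", "tcp", 51000, 445)
    internet = Packet("10.0.1.5", "203.0.113.7", "tcp", 51001, 80)
    print("to intranet:", outbound_decision(CRYPTO_ACL, intranet))   # protect
    print("to internet:", outbound_decision(CRYPTO_ACL, internet))   # cleartext
```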
Note: The ACLs used for IPsec (crypto ACLs) are used only to determine which traffic should be protected by IPsec, not which traffic should be blocked or permitted through the interface. Separate ACLs define blocking and permitting at the interface.

Simply put, IPsec provides secure tunnels between two peers. ACLs are configured to define which packets are considered sensitive and should be sent through these secure tunnels. Then, when the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer. For example, in the figure:

- Host A is sending outbound traffic to Branch B. Since the packet matches the outbound traffic defined by the crypto ACL to be "interesting," the packet will be encrypted by Cisco ASA security appliance A and forwarded.
- Host A is sending outbound traffic to the Internet (www.paper.com). Since the packet does not match the outbound traffic defined by the crypto ACL, the packet will be forwarded as cleartext by Cisco ASA security appliance A.

Internet Key Exchange

Internet Key Exchange (IKE), RFC 2409, is a hybrid protocol consisting of:
- Skeme: A mechanism for using public key encryption for authentication
- Oakley: A modes-based mechanism for arriving at an encryption key between two peers
- ISAKMP (Internet Security Association and Key Management Protocol): An architecture for message exchange, including packet formats and state transitions between two peers; phase-based

IKE is a hybrid protocol that uses part of Oakley and part of another protocol suite called Skeme inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. IKE is used to establish a shared security policy and authenticated keys for services (such as IPsec) that require keys. Before any IPsec traffic can be passed, each router, firewall, and host must be able to verify the identity of its peer.
Identity verification can be done by manually entering pre-shared keys on both hosts or by a certificate authority (CA) service. IKE is the protocol formerly known as ISAKMP/Oakley, and is defined in RFC 2409. IKE is a hybrid solution that uses the following:

- Skeme: Describes a versatile key exchange technique that provides anonymity, repudiability, and quick key refreshment
- Oakley: Describes a series of key exchanges called "modes" and details the services provided by each (for example, perfect forward secrecy for keys, identity protection, and authentication)
- ISAKMP: Provides a framework for authentication and key exchange but does not define them; designed to support many different key exchanges
- Diffie-Hellman (DH): IKE uses a DH key exchange to set up a shared session secret, from which cryptographic keys are derived

[Figure: IKE phases. The peers negotiate a secure channel (the IKE tunnel) in Phase 1 and the IPsec SAs in Phase 2.]

IKE is a two-phase protocol. Oakley and Skeme each define a method to establish an authenticated key exchange. This includes the construction of payloads, the information that payloads carry, the order in which payloads are processed, and how they are used. While Oakley defines modes, ISAKMP defines phases. The relationship between the two is very straightforward, and IKE presents different exchanges as modes that operate in one of two phases.

IKE Phase 1

The basic purpose of IKE Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. IKE Phase 1 occurs in two modes: main mode or aggressive mode. Aggressive mode is faster, but it does not provide identity protection for the communicating parties as the slower main mode does. Therefore, the peers must exchange identification information prior to establishing a secure SA. Aggressive mode is enabled by default on the Cisco ASA security appliance.

- Main mode has three two-way exchanges between the initiator and receiver:
  - First exchange: The algorithms and hashes that are used to secure the IKE communications are negotiated and agreed upon between peers.
  - Second exchange: This exchange uses a DH exchange to generate shared-secret keys and pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity. The shared-secret key is used to generate all the other encryption and authentication keys.
  - Third exchange: This exchange verifies the identity of the other side. It is used to authenticate the remote peer. The main outcome of main mode is a secure communication path for subsequent exchanges between the peers. Without proper authentication, you might establish a secure communication channel with a hacker who could be stealing all your sensitive data.
- Aggressive mode has two two-way exchanges between the initiator and receiver:
  - First exchange: Almost all of the IKE policy-set negotiation happens. The DH public-key generation; a nonce, which the other party signs; and an identity packet, which can be used to verify the identity of the other party through a third party, are all exchanged. The receiver sends everything back that is needed to complete the exchange.
  - Second exchange: The initiator confirms the exchange.

IKE Phase 2

The purpose of IKE Phase 2 is to negotiate IPsec SA parameters and set up matching unidirectional IPsec SAs between the peers. These security parameters are used to protect data and messages that are exchanged between endpoints by performing the following functions:

- Negotiate IPsec security parameters and IPsec transform sets
- Establish IPsec SAs
- Periodically renegotiate IPsec SAs to ensure security
- (Optional) Perform an additional DH exchange

IKE Phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in Phase 1.
It negotiates a shared IPsec transform, derives shared-secret keying material used for the IPsec security algorithms, and establishes IPsec SAs. Quick mode exchanges nonces that are used to generate new shared-secret-key material and prevent replay attacks from generating invalid SAs. Quick mode accomplishes an IKE Phase 2 exchange. Quick mode is also used to renegotiate a new IPsec SA when the IPsec SA lifetime expires. Quick mode also refreshes the keying material that is used to create the shared-secret key that is based on the keying material derived from the DH exchange in Phase 1.

The ultimate goal of IKE Phase 2 is to establish a secure IPsec session between endpoints. Before that can happen, each pair of endpoints negotiates the level of security required (for example, encryption and authentication algorithms for the session). Rather than negotiate each protocol individually, the protocols are grouped into sets, called IPsec transform sets. IPsec transform sets are exchanged between peers during quick mode. If a match is found between sets, IPsec session establishment continues. If no match is found, the session is halted.

IPsec Session

[Figure: IPsec Session. An IPsec session between Host A and Host B across the security appliances.]
- SAs are exchanged between peers.
- The negotiated security services are applied to the traffic.

After IKE Phase 2 is complete and quick mode has established IPsec SAs, traffic is exchanged between hosts A and B through a secure tunnel. Interesting traffic is encrypted and decrypted according to the security services specified in the IPsec SA.
DH Exchange

[Figure: DH exchange between Alice and Bob. Alice holds private value $X_A$ and sends public value $Y_A = g^{X_A} \bmod p$; Bob holds private value $X_B$ and sends public value $Y_B = g^{X_B} \bmod p$. Alice calculates $zz = Y_B^{X_A} \bmod p$, Bob calculates $zz = Y_A^{X_B} \bmod p$, and both obtain the same shared secret $zz = g^{X_A X_B} \bmod p$.]

A DH key exchange is a public-key exchange method that provides a way for two peers to establish a shared-secret key over an insecure communication path. In order to start a DH exchange, the two parties must agree on two nonsecret numbers. The first number is g, the generator, and the second number is p, the modulus. These numbers can be made public and are usually chosen from a table of known values. The g is usually a very small number, such as 2, and p is a very large prime number. Next, every party generates its own secret value. Then, based on g, p, and the secret value of each party, each party calculates its public value. The public value is computed according to the following formula:

$Y = g^{X} \bmod p$

In this formula, X is the secret value of the entity, and Y is the public value of the entity. After computing the public values, the two parties exchange their public values. Each party then exponentiates the received public value with its secret value to compute a common shared secret value. When the algorithm completes, both parties have the same shared secret, which they have computed from their secret value and the public value of the other party.

No one listening on the channel can compute the secret value, because only g, p, $Y_A$ and $Y_B$ are known; at least one secret value is needed to calculate the shared secret. Unless the attacker can compute the discrete logarithm of the above equation to recover $X_A$ or $X_B$, they cannot obtain the shared secret.

With DH, there are several different DH algorithms and groups defined: DH groups 1 through 7. A group number defines an algorithm and unique values. For instance, group 1 defines a prime modular exponential (MODP) algorithm with a 768-bit prime number. Group 2 defines a MODP algorithm with a 1024-bit prime number.
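A worked version of the exchange above, added here and not code from the Cisco guide: both sides compute their public values over IKE group 2 (the 1024-bit MODP modulus that RFC 2409 assigns to group 2, with g = 2), arrive at the same zz, and then derive SKEYID and the SKEYID_d, SKEYID_a and SKEYID_e keys that IKE Phase 1 produces from it, following the RFC 2409 section 5 pre-shared-key formulas with HMAC-SHA1 as the prf. The private values, nonces, cookies and pre-shared key are constructed for the demonstration, and the Miller-Rabin check is only a sanity test on the modulus.

```python
"""Diffie-Hellman over IKE group 2 plus the IKE Phase 1 SKEYID derivation.
Added example, not code from the Cisco guide.

GROUP2_P is the 1024-bit MODP modulus RFC 2409 assigns to group 2 (g = 2).
The key derivation follows RFC 2409 section 5 for pre-shared-key
authentication, with HMAC-SHA1 as the prf. Private values, nonces, cookies
and the pre-shared key used by a caller are constructed; real peers draw
them from a cryptographically secure random source."""
import hashlib
import hmac
import random

GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used here as a sanity check on the modulus."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(2401)             # fixed seed: deterministic check
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def public_value(x: int, g: int = GROUP2_G, p: int = GROUP2_P) -> int:
    return pow(g, x, p)                   # Y = g^X mod p


def shared_secret(peer_y: int, x: int, p: int = GROUP2_P) -> int:
    # Reject degenerate public values (0, 1, p-1) before using them.
    if not 1 < peer_y < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_y, x, p)              # zz = Y_peer^X mod p


def run_exchange(x_a: int, x_b: int):
    """Both sides of the exchange; returns (zz computed by A, zz computed by B)."""
    y_a, y_b = public_value(x_a), public_value(x_b)
    return shared_secret(y_b, x_a), shared_secret(y_a, x_b)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_skeyid(psk: bytes, ni: bytes, nr: bytes, zz: int,
                  cky_i: bytes, cky_r: bytes, p: int = GROUP2_P) -> dict:
    """RFC 2409 s.5, pre-shared keys: SKEYID = prf(psk, Ni_b | Nr_b), then
    SKEYID_d, SKEYID_a and SKEYID_e, each chained on the previous one.
    g^xy is encoded as a big-endian octet string of the modulus length."""
    gxy = zz.to_bytes((p.bit_length() + 7) // 8, "big")
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}
```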
Group 7 uses an elliptic curve cryptography (ECC) algorithm. During IKE Phase 1, the group is negotiated between peers. Between Cisco VPN devices, groups 1, 2, 5, and 7 are supported.

After the group negotiations are completed, the shared-secret key is calculated. The shared-secret key, SKEYID, is used in the derivation of three other keys: SKEYID_a, SKEYID_d, and SKEYID_e. Each key has a separate purpose. SKEYID_a is the keying material used during the authentication process. SKEYID_d is the keying material used to derive keys for non-ISAKMP SAs. SKEYID_e is the keying material used in the encryption process. All four keys are calculated during IKE Phase 1.

Authenticate Peer Identity

[Figure: Authentication between a remote site and the corporate office. Peer authentication methods: pre-shared keys, RSA signature.]

When you are conducting business over the Internet, you must know who is at the other end of the tunnel. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. The last exchange of IKE Phase 1 is used to authenticate the remote peer. ISAKMP provides VPN peer authentication and is also used to set up the secure tunnels. ISAKMP defines the procedures for authentication of a communicating peer, creation and management of security associations, key generation techniques, and threat mitigation (for example, denial of service and replay attacks). The Cisco ASA security appliance supports two data origin authentication methods:

- Pre-shared keys: IKE can use pre-shared keys that are manually input by the administrators on both ends of the connection. The same IKE "shared-secret" password is configured on both security appliances for IKE authentication. Pre-shared keys are easy to configure manually, but do not scale well. Each IPsec peer must be configured with the pre-shared key of every other peer with which it communicates.
- RSA signature: IKE can also use digital signatures for peer authentication. Certificate authority (CA)-signed certificates are exchanged in the IKE tunnel. Routers and security appliances communicate with the CA using the Simple Certificate Enrollment Protocol (SCEP), which is an extension to the ITU-T X.509 standard for public key infrastructure (PKI).

Security Associations

[Figure: Security Associations. The SA database (SAD) holds the destination IP address, SPI, and protocol; the security policy database (SPD) holds the encryption algorithm, authentication algorithm, mode, and key lifetime. Tunnels run across the Internet from the corporate office.]

The concept of a security association (SA) is fundamental to IPsec. Both AH and ESP make use of SAs, and a major function of IKE is the establishment and maintenance of SAs. All implementations of AH or ESP must support the concept of an SA. An SA is a simplex connection that affords security services to the traffic carried by it. Security services are afforded to an SA by the use of AH or ESP, but not both. If both AH and ESP protection are applied to a traffic stream, two (or more) SAs are created to afford protection to the traffic stream. To secure typical, bidirectional communication between two hosts, or between two security gateways, two SAs (one in each direction) are required.

When the security services are agreed upon between peers, each VPN peer device enters the information in a security policy database (SPD). The information includes the encryption and authentication algorithm, destination IP address, transport mode, key lifetime, and so on. This information is referred to as the SA. An SA is a one-way logical connection that provides security to all traffic traversing the connection. Because most traffic is bidirectional, two SAs are required: one for inbound traffic and one for outbound traffic. The VPN device indexes the SA with a number, a security parameter index (SPI).
Rather than send the individual parameters of the SA across the tunnel, the source gateway (or host) inserts the SPI into the ESP header. When the IPsec peer receives the packet, it looks up the destination IP address, IPsec protocol, and SPI in its SA database (SAD), then processes the packet according to the algorithms listed under the SPD. The IPsec SA is a compilation of the SAD and the SPD. The SAD is used to identify the SA destination IP address, IPsec protocol, and SPI number. The SPD defines the security services applied to the SA: encryption and authentication algorithms, mode, and key lifetime. For example, in the corporate-to-bank connection, the security policy provides a very secure tunnel using 3DES, SHA, tunnel mode, and a key lifetime of 28800. The SAD values are 192.168.2.1, ESP, and SPI-12. For the remote user accessing e-mail, a less secure policy is negotiated using DES, MD5, tunnel mode, and a key lifetime of 28800. The SAD values are a destination IP address of 192.168.12.1, ESP, and SPI-39.

The longer you keep a password on your company PC, the more vulnerable it becomes. The same is true of keys and SAs. For good security, the SA and keys should be changed periodically. There are two parameters to consider: lifetime type and duration. The first parameter, lifetime type, defines how the lifetime is measured: by the number of bytes transmitted or by the amount of time transpired. The second parameter, the duration, is expressed in either kilobytes of data or seconds of time. For example, you might specify a lifetime based on 10,000 KB of data transmitted or 28,800 seconds of time expired. The keys and SAs remain active until their lifetime expires or until some external event (the client drops the tunnel) causes them to be deleted.

Tunnel Termination
Tunnel Termination
- A tunnel is terminated:
  - By an SA lifetime timeout
  - If the packet counter is exceeded
  - By the peer (removes the IPsec SA)

IPsec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPsec SAs are needed for a flow, IKE performs a new Phase 2 negotiation and, if necessary, a new Phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs are usually established before the existing SAs expire so that a given flow can continue uninterrupted.

Digital Certificates and Public-Key Cryptography

This topic describes how digital certificates and public key cryptography work.

Public-Key Cryptography
- Users have a key pair: private and public
- Anything encrypted by one key can be decrypted by the other key
- Asymmetric cryptography

Traditional cryptography has usually involved the creation and sharing of a "secret" key for the encryption and decryption of messages. This secret or "private" key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, "public" key cryptography and the public key infrastructure (PKI) is the preferred approach on the Internet. The private key system is sometimes known as symmetric cryptography because the encryption keys are the same, and the public key system is sometimes known as asymmetric cryptography because the keys for encryption and decryption are different.

Digital certificates, enabled by public-key cryptography, provide a means to authenticate devices and users. In public-key cryptography, such as the RSA encryption system, each user has a key pair containing both a public and a private key. The keys act as complements, and anything encrypted with one of the keys can be decrypted with the other.
A signature is formed when data is encrypted with the private key. The signature is attached to the data and sent to the receiver. The receiver applies the public key of the sender to the data. If the signature sent with the data matches the result of applying the public key to the data, the validity of the message is established. This process relies on the receiver having a copy of the public key of the sender and having a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.

Obtaining the public key of a sender is normally handled out-of-band or through an operation done at installation. For instance, most web browsers are configured with the root certificates of several CAs by default. For VPN, the IKE protocol can use digital signatures to authenticate peer devices before setting up security associations. Public-key cryptography is used by the PKI.

Digital Signature

The digital signature provides a form of digital credentials that authenticate the identity of the sending party, whoever that may be. In other words, digital signatures are used to link data with the holder of a specific private key and consist of the following:

- At the local end, a message is run through a hash algorithm. A private key is used to encrypt the hash only. The encrypted hash is appended to the message and sent to the remote end.
- At the remote end:
  - Running the original message through a hash algorithm produces the hash of the original message.
  - The public key of the sender decrypts the hash that was appended to the message.
  - If the hashes match, the message was signed by the private key of the local user. Only a specific private key could have produced the digital signature.
Certificates and Scalability

This topic explains the scalability that is achieved by using certificates.

  No. of Certificates   No. of Pre-Shared Keys
  10                    45
  100                   4950

When you are conducting business over the Internet, you must know who is at the other end of the tunnel. The device on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. ISAKMP is used to provide VPN peer authentication as well as to set up the secure tunnels. The Cisco ASA security appliance supports two data origin authentication methods:

- Pre-shared keys: IKE can use pre-shared keys that are manually input by the administrators on both ends of the connection. The same IKE "shared-secret" password is configured on both security appliances for IKE authentication. Pre-shared keys are easy to configure manually but do not scale well. Each pair of communicating IPsec peers should be using a unique pre-shared key. No two pairs should have the same pre-shared key. To communicate with multiple peers, each IPsec device must be configured with the unique pre-shared key of every other peer with which it communicates.
- RSA signature: IKE can also use digital signatures for peer authentication. Each device has its own "unique" certificate that it exchanges with its peer device. Each device exchanges the same unique certificate with each remote peer that it communicates with. If each device's certificate is authenticated by the other end, the tunnel setup can continue.

With a network using pre-shared keys, each pair of devices should have its own unique pre-shared key to exchange. In a network of 10 devices, the administrator would have to configure 45 unique pre-shared keys, (N (N-1)) / 2. For a network of 100 devices, the administrator would have to configure 4950 unique pre-shared keys. Pre-shared key designs do not scale well.
With certificates, each device only requires its own certificate. Certificates are unique to a device. In a network in which 10 devices must establish tunnels between devices, 10 certificates are required, one certificate per device. Certificates allow scalability in very large networks. Without certificates, every new device added to the network would require a configuration change on every other device with which it communicates securely.

CA Server Fulfilling Requests from IPsec Peers
- Each IPsec peer individually enrolls with the CA server.

With a certificate authority, you do not need to configure keys between all of the encrypting IPsec peers. Instead, you individually enroll each participating peer with the CA and request a certificate. When this has been accomplished, each participating peer can dynamically authenticate all of the other participating peers. To add a new IPsec peer to the network, you need to configure only that new peer to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPsec peers.

Public Key Infrastructure (figure: a central CA at Headquarters versus a hierarchical CA with subordinate CAs)

Public key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. PKI makes it possible to generate and distribute keys within a secure domain and enables CAs to issue keys, associated certificates, and CRLs in a secure manner. The two PKI models are central and hierarchical authorities:

- Central: A flat network design. A single authority, the root CA, signs all certificates. Each device that needs a certificate sends a request to the root CA. Small companies with several hundred employees or devices can use a central CA. In the central CA example, there is a small company with only a few sites.
  Each site, Boston and Headquarters, enrolls with the same CA.
- Hierarchical authority: A tiered approach. The ability to sign a certificate is delegated through a hierarchy. The top of the hierarchy is the root CA. It signs certificates for subordinate authorities, also known as a registration authority (RA). Subordinate CAs sign certificates for lower-level CAs or employees. Large, geographically dispersed corporations (for example, Cisco Systems) use hierarchical CAs. The root CA is located in San Jose, the company headquarters. Rather than having thousands of devices making certificate requests back to San Jose, subordinate CAs are placed strategically around the world. Devices request a certificate from the local subordinate CA, such as the devices in Boston, New York, and London. Each of these devices has the same root certificate that was distributed by two different subordinate CAs.

Note: A registration authority (RA) is responsible for communicating with clients requesting certificates. An RA is used to offload the enrollment process overhead from the CA and offers better security, since clients have no direct access to the CA. When using SCEP, the CA will return both a CA and an RA certificate to the Cisco ASA security appliance.

Certificate Authority
- CA responsibilities:
  - Create certificates
  - Administer certificates
  - Revoke invalid certificates

Certificate authorities (CAs) hold the key to the PKI. A CA is a trusted third party whose job is to certify the authenticity of users to ensure that you are who you say that you are. The CA digital signature, created with the CA private key, guarantees authenticity. You can verify a digital signature using the CA public key. Only the CA public key can decrypt the digital certificate. The CA creates, administers, and revokes invalid certificates. The CA can be a corporate network administrator or a recognized third party.
Trusted sources supported by the Cisco ASA security appliance include the following:

- Cisco CA
- Entrust
- RSA Keon
- Netscape CMS
- Baltimore Technologies
- Microsoft Certificate Services
- VeriSign

Certificate Enrollment Process

In the next section, the generic certificate enrollment process is discussed.

Certificate Generation Process (figure: generate request, process request, generate certificate, install certificate)

An end user (or end entity) must obtain a digital certificate from the CA to participate in a certificate exchange. This is known as the enrollment process. It requires four steps:

1. Each user generates a private and public key pair.
2. The requestor generates a certificate request and sends it to the CA.
3. The CA transforms the certificate request into a digital certificate and returns both a root and identity digital certificate to the requestor.
4. The requestor installs the root certificate into the security appliance first. While installing the identity certificate, the Cisco ASA security appliance uses the public key from the root certificate to validate the signature of the identity certificate.

In the certificate generation process, first you generate a certificate request known as a Public-Key Cryptography Standard #10 (PKCS #10). User information such as a common name, organizational unit, organization, locality, state, country, and public key can be requested. After the information is supplied, the Cisco ASA security appliance generates a certificate request, a PKCS #10. The request is formatted as an Abstract Syntax Notation One (ASN.1) message and sent to the CA.

The figure shows a sample certificate request form completed on the Cisco ASA security appliance. In the example, the administrator supplies the common name and organizational unit.
The additional subject attributes that could also be defined on the request form are as follows:

- Common Name (CN) field: A unique name for the subject.
- Organizational Unit (OU) field: The security appliance uses the organizational unit as the group name. By default, the OU field of the certificate must match the group attribute data in the security appliance.
- Organization (O) field: The company name.
- Locality (L): City or town where the company resides.
- State/Province (SP): State or province where the company resides.
- Country (C): Country where the company resides.

Digital Certificate Encoding (figure: certificate exchanged between a PC or Cisco ASA and the CA)

When a certificate is sent between a CA and a security appliance, the ASN.1 formatted message is encoded. The digital certificate encoding can be one of two types: Distinguished Encoding Rules (DER) data (raw binary format) or Privacy Enhanced Mail (PEM) format (binary converted to base 64 format). Typically, when you request a certificate, the CA prompts you for the encoding type: DER or base 64 encoding. This may be an issue if the sender or receiver can support only one encoding type. The Cisco ASA security appliance can support both types. Another format is PKCS #7. PKCS #7 is a message syntax that allows multiple certificates to be enveloped within one message (the same concept as PKZip storing multiple files in a zip file).

Upon receipt of the PKCS #10, the CA verifies the authenticity of the PKCS #10. The CA decrypts the digital signature with the requestor's public key to validate it. If valid, the PKCS #10 is transformed into an identity certificate. The identity certificate is a composite of information supplied from the PKCS #10 and by the CA. For security, a hash algorithm is performed on the combined attributes. The hash value is encrypted using the CA's private key, and is attached to the certificate.
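The DER versus PEM interoperability problem described above, as an added example that is not part of the Cisco student guide and uses only the Python standard library. It detects which encoding a received blob is in, converts in both directions, and checks that the binary form is an ASN.1 SEQUENCE whose declared length covers the whole blob (every X.509 certificate, PKCS #10 request and PKCS #7 message is an outer SEQUENCE). The DER input is a constructed minimal SEQUENCE, not a real certificate, so the parser only looks at the outer tag and length.

```python
"""Added example (not Cisco's code): detect and convert the two certificate
encodings, DER (raw binary ASN.1) and PEM (the same bytes in base 64 between
BEGIN/END lines).  The sample DER below is constructed, not a certificate."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def is_pem(data: bytes) -> bool:
    return PEM_RE.search(data) is not None


def der_header(data: bytes):
    """Parse the outer ASN.1 tag and length of a DER blob.
    Returns (tag, length, header_size); raises ValueError if malformed."""
    if len(data) < 2:
        raise ValueError("too short for a TLV")
    tag, first = data[0], data[1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad length encoding")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def is_der_sequence(data: bytes) -> bool:
    """True when the blob is one SEQUENCE (tag 0x30) whose length matches."""
    try:
        tag, length, hdr = der_header(data)
    except ValueError:
        return False
    return tag == 0x30 and hdr + length == len(data)


def pem_to_der(pem: bytes) -> bytes:
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = b"".join(m.group(2).split())   # drop the line breaks before decoding
    der = base64.b64decode(body, validate=True)
    if not is_der_sequence(der):
        raise ValueError("decoded body is not a DER SEQUENCE")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    if not is_der_sequence(der):
        raise ValueError("input is not a DER SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # 64 chars per PEM line
    head = f"-----BEGIN {label}-----".encode()
    tail = f"-----END {label}-----".encode()
    return b"\n".join([head] + lines + [tail, b""])


def normalize_to_der(data: bytes) -> bytes:
    """Accept a certificate in either encoding and return its DER bytes."""
    if is_pem(data):
        return pem_to_der(data)
    if is_der_sequence(data):
        return data
    raise ValueError("neither PEM nor DER")


# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 7 } (8 bytes)
SAMPLE_DER = bytes.fromhex("3006020105020107")
```

Feeding a certificate through normalize_to_der() before import removes the "wrong encoding" failure mode regardless of which form the CA returned; a full parser would then descend into the inner TLVs (version, serial number, signature algorithm, and so on).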
The identity certificate is then sent to the security appliance as an ASN.1 formatted message.

Digital Certificates
- Digital certificates contain:
  - Serial number
  - Validity dates
  - Issuer's name
  - Subject's name
  - Subject's public key information
  - CA signature

The figure shows a sample digital certificate that was issued by the CA. The X.509 certificate consists of specific fields and values. The certificate information displays the following:

- Certificate format version: Currently, it is X.509 version 1, 2, or 3.
- Certificate serial number: Unique certificate numerical identifier in the CA domain. When a certificate is revoked, it is the certificate number that is listed on the CRL.
- Signature algorithm: Identifies the public key of the CA and the hashing algorithm.
- Issuer X.500 name: The distinguished name of the CA.
- Validity period: Specifies the start and expiration dates for the certificate.
- Subject X.500 name: The distinguished name of the entity holding the private key.
- Subject public key information: Specifies the public key of the subject and the hashing algorithm.
- Extensions: Extends the certificate to allow additional information. CRL-DPs (distribution points): Location of the CRL for this certificate.
- CA signature: The CA performs a hash function on the certificate contents; the hash is then signed with the private key of the CA to ensure authenticity.

Validating the Certificate

This topic discusses the validation of certificates.

Verifying the Certificate
- Identity certificate validation:
  - Can the identity certificate be verified with the CA public key?
  - Has the identity certificate expired?
  - Has the identity certificate been revoked?

Before an identity certificate is installed, the security appliance must validate it.
The Cisco ASA security appliance checks the following to validate the identity certificate:

- Is the identity certificate verified with the public key of the CA?
- Has the identity certificate expired?
- Has the identity certificate been revoked?

Once validated, the certificate is installed on the security appliance. The certificate can now be exchanged with a peer during the IKE authentication phase.

Peer Certificate Validation (figure: Headquarters and Boston Branch security appliances)
- Validate the identity certificate of the peer:
  - Exchange the identity certificates during IKE negotiations.
  - Verify the identity certificate signature through the stored root certificate.
  - Verify that the certificate validity period has not expired.
  - Verify that the identity certificate has not been revoked.

During Internet Key Exchange (IKE) negotiations, identity certificates are exchanged to authenticate peers. When an identity certificate is received from an IKE peer, the Cisco ASA security appliance attempts to validate the peer's certificate. In the example in the figure, the Headquarters security appliance sends its identity certificate to the Boston Branch security appliance. The Boston Branch security appliance attempts to validate the certificate:

- Validate the signature. The security appliance uses the public key stored on its root certificate to decrypt the hash of the identity certificate. The security appliance also re-computes a hash of the received identity certificate. If the decrypted and re-computed hashes match, the certificate is valid.

Note: Before the IKE exchange can begin, a valid identity and root certificate must be installed on each security appliance. Notice that the identity certificates were both issued by an Entrust CA. Also notice that an Entrust root certificate was installed on each security appliance. To validate an incoming identity certificate, the receiving security appliance must have a copy of both its own and its peer's CA root certificate resident on the device.
If the remote peer was enrolled by a Microsoft CA and the local peer was enrolled through an Entrust CA, each security appliance must have both an Entrust and a Microsoft root certificate resident on the devices.

- Check the validity period of the certificate against the system clock of the security appliance. If the system clock of the security appliance falls within the validity period of the identity certificate, the test is successful. The validity range can be found on the identity certificate.
- (Optional) If enabled, the security appliance locates the CRL and determines if the identity certificate serial number is on the list. If present, the certificate is revoked. If absent, the certificate is valid.

If the received identity certificate passes the validation process, the Boston Branch security appliance authenticates the Headquarters security appliance. In turn, the Boston Branch security appliance sends its identity certificate to the Headquarters security appliance. The Headquarters security appliance performs the same validation process for the identity certificate of the Boston Branch security appliance.

The first step in validating a digital certificate is to validate the signature. Signature validation begins at the CA, where the original identity certificate is put through a hash algorithm, the output hash is encrypted by the private key of the CA, and the hash is appended to the end of the certificate. At the remote end, there is a two-step process:

Step 1: The receiver uses the public key of the CA to decrypt the original hash value. The result is the hash.

Step 2: The received message is sent through the hash algorithm to produce a second hash. The CA-generated hash and the security appliance-generated hash are compared:

- If they match, the identity certificate is genuine.
- If they do not match, the certificate is invalid; there is an invalid signature or identity certificate.

Certification Chain (figure: hierarchical chain with the root certificate, the subordinate CA certificate, and the identity certificates for New York and London)

Previously, it was stated that the security appliance needs a copy of the public key of the CA to decrypt the hash. The question is, where does the security appliance find a copy of that key? The answer is, it depends on the CA environment, central or hierarchical. In a central, or flat, CA, the root CA signs the identity certificate. The root certificate must be installed before trying to install the identity certificate so that the security appliance has access to the root's public key. One of the root certificate fields is a copy of the public key of the CA. In the example in the figure, the public key of the root certificate is used to validate the signature of the certificate of Boston.

In a hierarchical environment, the ability to sign is delegated through the hierarchy. The top is the root CA; it signs certificates for subordinate CAs. The subordinate CA signs certificates for lower-level CAs. Ultimately, a subordinate CA will sign the user's identity certificate. The certificate must be validated up the chain of authority. In the example in the figure, the public key of the subordinate CA validates London's certificate. The public key of the root CA validates the subordinate CA.

Validity Period

The next step is to check the validity period. A certificate is valid for a specific period of time. The validity period (range) is set by the CA and consists of "Valid from" and "Valid to" fields.
On the Cisco ASA security appliance, when you try to add a certificate, the validity range is compared against the system clock. If the system clock is not within the validity range (either too early or too late), you receive an error message. In the example, the system clock on the security appliance must be between January 23, 2008, and January 22, 2009, for the certificate to be valid.

Certificate Revocation Lists

This topic describes the purpose of CRLs and the protocols used for CRLs.

Certificate Revocation Lists
- A way to determine whether a certificate has been revoked by its issuing CA
- May be retrieved using:
  - HTTP
  - SCEP
  - LDAP
- The CRL is stored for a period of time, after which it is considered "stale".

When a certificate is issued, it is valid for a fixed period of time. Sometimes a CA revokes a certificate before this time period expires; for example, because of a security concern or a change of name or association. CAs periodically issue a signed list of revoked certificates. Certificate revocation lists provide the security appliance with one means of determining whether a certificate is within its valid time range or has been revoked by its issuing CA. As certificates are revoked, they are published in the certificate revocation list (CRL). The CA signs the CRL, and a validity date period is embedded in the CRL. You can configure the security appliance to make CRL checks mandatory when authenticating a certificate. The security appliance can retrieve CRLs from CAs using HTTP, Simple Certificate Enrollment Protocol (SCEP), or Lightweight Directory Access Protocol (LDAP). You can also make the CRL check optional, which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data. CRLs retrieved for each trustpoint are cached for a length of time configurable for each trustpoint.

All PKI-participating peers should be able to access the CRL.
The default behavior of the security appliance is to retrieve the certificate's CRL from the CRL distribution point location, which is embedded in the presented certificate. Once a security appliance retrieves the CRL, it keeps the CRL in its cache until the CRL reaches the expiration date/time. The security appliance will retrieve the CRL again when the certificate linked with the CRL is presented. The security appliance may have several CRLs in its cache simultaneously, depending on CRL granularity. While CRL checking is enabled by default, it can be disabled if certificate status is not an issue. Of course, CRL checking should be enabled when the network requires a high degree of security. A shorter period should be set for CRL expiration in an environment that meets these conditions:

- There will be a significant amount of certificate revocation.
- It is critical that security peers in the PKI are aware of certificate revocation.

Certificate Revocation List (Cont.)
- List of revoked certificates signed by the CA (for example: Cert 12345, Cert 12241, Cert 22333)
- Stored on the CA or CRL distribution point
- No requirement on devices to ensure that the CRL is current

Checking the certificate revocation list (CRL) is the last validation step. A CRL is a list issued by the CA that contains certificates that are no longer valid. CRLs are signed by the CA and are released periodically or on demand. CRLs are valid for a specific amount of time, depending on the CA vendor used. Some reasons a certificate might be invalidated are as follows:

- User data changes (for example, the username).
- A key is compromised.
- An employee leaves the organization.

The CRL must be consulted by anyone using a certificate, to ensure that it is still valid. There is no requirement on devices to ensure that the CRL is current.
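The whole validation sequence of this topic in one place, as an added example that is not part of the Cisco student guide: the digital-signature mechanism (hash the contents, encrypt the hash with the CA's private key, decrypt with its public key and compare), the walk up the certification chain to an installed root in both the central and the hierarchical model, the validity-period check against the system clock, and the CRL check by serial number, including the "stale CRL" case and the difference between a mandatory and an optional CRL check when no CRL is available. To stay standard-library only it uses textbook RSA over SHA-256 with fixed, publicly known Mersenne primes; the keys, the CA names "Root CA" and "Subordinate CA", the peer names Boston and London, the serial numbers and the dates are constructed demo values (the Boston validity period copies the January 23, 2008 to January 22, 2009 example from the text), and nothing here is secure or interoperable with real X.509.

```python
"""Added example (not Cisco's code): reduced model of peer-certificate
validation: signature, chain to the installed root, validity period, CRL.
Textbook RSA over SHA-256 with fixed Mersenne-prime moduli; constructed demo
keys/names/dates, not secure (no padding, publicly known primes)."""
import hashlib
from dataclasses import dataclass

M = {k: 2 ** k - 1 for k in (19, 31, 61, 89, 107, 127, 521, 607)}  # Mersenne primes


def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """CA side: hash the contents, encrypt the hash with the private key."""
    n, d = priv
    return pow(digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Receiver: decrypt the signature with the public key, compare hashes."""
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


@dataclass
class Certificate:
    serial: int
    subject: str
    issuer: str
    public_key: tuple
    not_before: str   # ISO dates: they compare chronologically as strings
    not_after: str
    signature: int = 0

    def tbs(self) -> bytes:   # the "to be signed" contents the CA hashes
        return repr((self.serial, self.subject, self.issuer, self.public_key,
                     self.not_before, self.not_after)).encode()


@dataclass
class CRL:
    issuer: str
    next_update: str          # after this date the cached CRL is stale
    revoked: frozenset
    signature: int = 0

    def tbs(self) -> bytes:
        return repr((self.issuer, self.next_update, sorted(self.revoked))).encode()


def issue(ca_cert, ca_priv, serial, subject, pub, not_before, not_after):
    cert = Certificate(serial, subject, ca_cert.subject, pub, not_before, not_after)
    cert.signature = sign(ca_priv, cert.tbs())
    return cert


def make_crl(ca_cert, ca_priv, next_update, revoked):
    crl = CRL(ca_cert.subject, next_update, frozenset(revoked))
    crl.signature = sign(ca_priv, crl.tbs())
    return crl


def validate(cert, trust_store, now, crls=None, crl_required=False):
    """Return "valid" or the first failure.  trust_store: CA name -> installed
    CA certificate.  crls: CA name -> CRL, or None when CRL checking is off.
    crl_required=False is the optional check that passes with no CRL."""
    current = cert
    for _ in range(8):                      # bound the chain depth
        issuer = trust_store.get(current.issuer)
        if issuer is None:
            return f"no certificate for issuer {current.issuer} installed"
        if not verify(issuer.public_key, current.tbs(), current.signature):
            return f"bad signature on {current.subject}"
        if not current.not_before <= now <= current.not_after:
            return f"{current.subject} outside validity period"
        if crls is not None:
            crl = crls.get(current.issuer)
            if crl is None:
                if crl_required:
                    return f"CRL for {current.issuer} unavailable"
            elif not verify(issuer.public_key, crl.tbs(), crl.signature):
                return f"CRL for {current.issuer} has a bad signature"
            elif now > crl.next_update:
                return f"CRL for {current.issuer} is stale"
            elif current.serial in crl.revoked:
                return f"{current.subject} revoked"
        if issuer.subject == issuer.issuer:   # reached the installed self-signed root
            return "valid"
        current = issuer                      # hierarchical: validate up the chain
    return "chain too long"


def build_demo():
    """Constructed PKI: the root signs Boston directly (central model) and a
    subordinate CA that signs London (hierarchical model)."""
    root_pub, root_priv = keypair(M[521], M[127])
    sub_pub, sub_priv = keypair(M[607], M[107])
    root = Certificate(1, "Root CA", "Root CA", root_pub, "2007-01-01", "2017-01-01")
    root.signature = sign(root_priv, root.tbs())
    sub = issue(root, root_priv, 2, "Subordinate CA", sub_pub, "2007-06-01", "2012-06-01")
    boston = issue(root, root_priv, 1001, "Boston", keypair(M[89], M[61])[0],
                   "2008-01-23", "2009-01-22")
    london = issue(sub, sub_priv, 2001, "London", keypair(M[31], M[19])[0],
                   "2008-01-23", "2009-01-22")
    crl = make_crl(root, root_priv, "2008-07-01", {1002})   # 1002 revoked, 1001 not
    return {"root": root, "sub": sub, "boston": boston, "london": london,
            "crl": crl, "root_priv": root_priv}
```

Two details worth noticing against the text: London validates only when the subordinate CA certificate is installed as well as the root (the trust store for the flat model fails with "no certificate for issuer"), and a CRL that the appliance cannot refresh fails the check only when it is past its next_update or when the check is configured as mandatory.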
CRL: General

The figure contains an example of a CRL. The CRL has two tabs: General and Revocation List. The General tab includes information about the CRL itself, such as the name of the CA that issued the list, the date the list was issued, and the date of the next publication. The date of the next publication could be hourly, daily, weekly, and so on, as defined by the CA. The Revocation List tab includes all the revoked certificates. The certificates are listed by certificate serial number and revocation date.

The figure contains an example of the CRL revocation list. The certificate serial number and revocation date and time are listed.

CRL Distribution Point Location

A number of certificate revocation list-distribution points (CRL-DPs) are accessible from the web. Because the web is a large place, it is difficult for the security appliance to check a particular certificate to see if it is valid or revoked. As part of the identity certificate, the CRL extension includes the CRL-DP. The CRL-DP information is included in the identity certificate extension fields. If you double-click the CRL-DP icon in the certificate, the URL of the CRL-DP is included. In the example in the figure, the CRL is located at: http://asa1.xyz.com/+CSCOCA+/asa_ca.crl.

Security Appliance Certificate Enrollment Support

This topic provides a brief overview of the Cisco ASA security appliance certificate enrollment support.

Security Appliance Enrollment Support (figure: file-based (manual) enrollment versus network-based (automated) enrollment; in both, the appliance generates a PKCS #10 request and receives a certificate)

For the Cisco ASA security appliance to participate in the certificate exchange, a certificate needs to be loaded on the security appliance. The security appliance supports two types of certificate enrollment:

- File-based enrollment: This is a manual process.
  You can enroll by creating a request file, PKCS #10. When you have created a request file, you can either e-mail it to the CA and receive a certificate back, or you can access the CA web site and cut and paste the enrollment request in the area that the CA provides. When generated by the CA, identity and root certificates are downloaded to the PC. The certificates must then be imported onto the security appliance.
- Network-based enrollment: This is an automated process that enables you to connect directly to a CA through Simple Certificate Enrollment Protocol (SCEP). Complete the enrollment form to connect to a CA through SCEP. The security appliance contacts the CA through SCEP, and the CA returns a CA certificate. When the CA certificate is verified, the security appliance uses SCEP to send the enrollment request to the CA, where the CA issues an identity certificate. The CA then returns the identity certificate to the security appliance. For network-based enrollment to work, both the security appliance and the CA must support SCEP. There will be further discussion of SCEP-based enrollment later in this module.

Security Appliance Certificate Manual Loading Process (figure: generate the PKCS #10 request, the CA issues the certificates, download the identity and root certificates, load them onto the security appliance)

The Cisco ASA security appliance certificate manual loading process consists of the following:

- Generate the certificate request and upload it to a CA.
- The CA generates the identity and root certificates. Each is downloaded to a PC.
- Both the root and identity certificates are loaded onto the security appliance.

Network-Based Enrollment: SCEP Handshake (figure: request CA or RA certificate; return CA or RA certificate; verify CA or RA certificate)

File-based enrollment is a file transfer-intensive process.
Network-based enrollment is an automated process, which enables the Cisco ASA security appliance to connect directly to a CA through SCEP. SCEP operates between the security appliance and the certificate server. The certificate request process is always the same, but the approval process varies, depending upon whether the identity certificate is automatically or manually approved. The approval process varies between CAs. In a private network where the corporation owns the CA, the approval process can be set to automatic: the device makes a request, the CA approves the request, and an identity certificate is generated. If the device is making the request of a public CA, the request may be delayed pending a manual approval process. The following is the SCEP process:

Root Certificate Enrollment

To enroll with a CA or RA, you must complete the following steps:

- Send the CA or RA certificate request to the CA.
- The CA returns a CA or RA certificate.
- The requesting device verifies the CA or RA certificate.

Identity Certificate Enrollment

To retrieve an identity certificate when enrolled with a CA or RA, you must complete the following steps:

- The requesting device takes the following actions:
  - Generates keys.
  - Generates the certificate request.
  - Sends the certificate request to the CA.
- The CA processes the request, generates an identity certificate, and returns the identity certificate to the requesting device. If the CA does not process the request, the CA places the request in a pending (approval) file and returns the pending message to the requesting device.
  - If the request is still pending, the requesting device will periodically send a poll to the CA.
  - If the identity certificate is approved, the CA sends it to the requesting device.

Key Pairs and Trustpoints

This topic describes key pairs and trustpoints.
Key Pairs and Trustpoints (figure: key pair and trustpoint)

Key pairs and trustpoints are required when configuring a security appliance for accepting and establishing VPN connections.

Key Pairs

Each peer has a key pair containing both a public and a private key. These keys act as complements; any communication encrypted with one can be decrypted with the other. Key pairs are RSA keys. RSA keys can be used for IPsec, Secure Sockets Layer (SSL), and Secure Shell (SSH).

- SCEP enrollment supports the certification of RSA keys.
- For the purposes of generating keys, the maximum key modulus for RSA keys is 2048. The default size is 1024.
- For signature operations, the supported maximum key size is 4096 bits.

You can generate a general purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose. Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, but IKE uses a key for signing but not encryption. By using separate keys for each, exposure of the keys is minimized. To configure a key pair for a certificate, you specify the labels to identify the key pair to be generated.

Trustpoints

Trustpoints let you manage and track CAs and certificates. A trustpoint is a representation of a CA or identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. After you have defined a trustpoint, you can reference it by name in commands that require a CA. You can configure many trustpoints.

Note: If a security appliance has multiple trustpoints that share the same CA, only one of these trustpoints that share the CA can be used to validate user certificates.
Use the support-user-cert-validation command to control which trustpoint of the shared CA validates user certificates issued by that CA. For automatic enrollment, a trustpoint must be configured with an enrollment URL, and the CA that the trustpoint represents must be available on the network and must support SCEP. You can export and import the key pair and issued certificates associated with a trustpoint in PKCS #12 format. This is useful if you want to manually duplicate a trustpoint configuration on a different security appliance.

Summary
This topic summarizes the key points that were discussed in this lesson.
- IPsec combines three protocols into a cohesive security framework.
- IPsec operation can be summarized into a few primary steps.
- PKI provides a means to authenticate peer devices and users.
- A digital certificate contains information to identify a user or device.
- Certificates allow scalability in very large networks.
- Key pairs and trustpoints are required when configuring a security appliance for accepting and establishing VPN connections.
- Certificate revocation lists provide the security appliance with one means of determining whether a certificate that is within its valid time range has been revoked by its issuing CA.
- The security appliance supports several CA servers.

Lesson 2
Implementing Site-to-Site VPNs with Digital Certificates

Overview
IP Security (IPsec) virtual private networks (VPNs) can be configured for various types of authentication. One such method is using pre-shared keys. In that case, each client shares a common key. That method is not very scalable, especially in an enterprise network. Another, more scalable method incorporates a public key infrastructure (PKI). PKI uses digital certificates to authenticate endpoints for the VPN tunnel.
This lesson guides you through the process of configuring an IPsec site-to-site VPN using digital certificates.

Objectives
Upon completing this lesson, you will be able to configure the Cisco ASA adaptive security appliance to establish site-to-site tunnels using digital certificates. This ability includes being able to meet these objectives:
- Describe the components of site-to-site VPNs
- Explain the steps necessary to configure the Cisco ASA security appliance to use digital certificates
- Define interesting traffic with ACLs
- List the steps needed to configure an ISAKMP policy for site-to-site VPNs
- List the steps necessary to define an IPsec transform set
- Explain the steps needed to configure a site-to-site VPN using digital certificates
- Configure a crypto map for site-to-site VPNs
- Configure the Cisco ASA security appliance for hub-and-spoke site-to-site connections
- Configure site-to-site redundancy
- Use show commands to verify the configuration of site-to-site VPNs
- Use debug commands to verify that the configuration of site-to-site VPNs is working properly

Site-to-Site VPNs
This topic describes the components of site-to-site VPNs.

(Figure: Site-to-Site VPNs, showing a headquarters site and remote sites.)

In the figure, a corporation wants to tie remote sites together by way of a VPN. Each remote site has 500 people. One option is to run a remote-access VPN where the VPN Client is installed on every PC. This is a logistical and administrative nightmare. The better option is to use the VPN capabilities of the security appliance. One security appliance is installed at each site as a VPN gateway, and all remote PC traffic is routed to the security appliance. The security appliances encrypt and encapsulate the traffic. The security appliances perform all IPsec functionality and route all interoffice VPN traffic through the Internet. This option requires that no additional software be installed on the PCs. This application is referred to as a site-to-site VPN.
When conducting business over a site-to-site VPN tunnel, you must "know" who is at the other end of the tunnel. The VPN gateway on the other end of the VPN tunnel must be authenticated before the communications path is considered secure. The last exchange of Internet Key Exchange (IKE) Phase 1 is used to authenticate the remote VPN gateway peer. In large networks, the use of a pre-shared key to authenticate a remote peer does not scale well. The preferred method is the exchange of digital certificates to authenticate remote peers.

(Figure: CA Server Fulfilling Requests from IPsec Peers. Each IPsec peer individually enrolls with the CA server.)

With a certificate authority (CA), you do not need to configure keys between all of the encrypting IPsec peers. Instead, you individually enroll each participating peer with the CA and request a certificate. When this has been accomplished, each participating peer can dynamically authenticate all of the other participating peers. To add a new IPsec peer to the network, you need to configure only that new peer to request a certificate from the CA, instead of making multiple key configurations with all the other existing IPsec peers. Once each peer has enrolled with the CA and holds a certificate, the peers can exchange certificates during tunnel establishment.

(Figure: Peer Certificate Authentication between the Headquarters and Boston Branch security appliances.)

Validate the peer identity certificate:
- Exchange the identity certificates during IKE negotiations.
- Verify the identity certificate signature via the stored root certificate.
- Verify that the certificate validity period has not expired.
- Verify that the identity certificate has not been revoked.
During IKE negotiations, identity certificates are exchanged to authenticate VPN gateway peers. When an identity certificate is received from an IKE peer, the security appliance attempts to validate the peer's certificate. In the example in the figure, the Headquarters security appliance sends its identity certificate to the Boston Branch security appliance. The Boston Branch security appliance attempts to validate the received certificate as follows:
- Validate the signature. The security appliance uses the public key stored on its root certificate (the CA certificate) to decrypt the identity certificate's hash. The security appliance also re-computes a hash of the received identity certificate. If the decrypted and re-computed hashes match, the signature is valid and the certificate passes this check.
- Check the validity period of the certificate against the system clock of the security appliance. If the security appliance's system clock falls within the validity period of the identity certificate, the test is successful. The validity range can be found on the identity certificate.
- (Optional.) If enabled, the security appliance locates the certificate revocation list (CRL) and determines if the identity certificate serial number is on the revocation list. If present, the certificate is revoked. If absent, the certificate is valid.

If the received identity certificate passes the validation process, the Boston Branch security appliance authenticates the Headquarters security appliance. In turn, the Boston Branch security appliance sends its identity certificate to the Headquarters security appliance. The Headquarters security appliance performs the same validation process for the Boston Branch security appliance's identity certificate.

SCEP-Based Enrollment
(Figure: SCEP-Based Enrollment, with the security appliance and a certificate server.)

Public key technology is becoming more widely deployed.
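The three checks above are easiest to see in code. The following is an added example written for this lesson, not Cisco code or the appliance's implementation: a certificate is modeled as a plain dictionary rather than X.509/DER, and the CA key is a constructed textbook RSA pair (no padding, a modulus of about 1e12) so that the "decrypt the hash with the root certificate's public key and compare with a recomputed hash" step is visible. The validity dates reuse the ones shown later in the lesson's ASDM General tab; the subject names, serial number and CRL contents are constructed.

```python
"""Model of the three peer-certificate checks described above.

Added example for this lesson, not Cisco code: the appliance parses real
X.509/DER certificates, whereas here a certificate is a plain dict and RSA is
textbook (no padding, tiny constructed modulus) so each check stays readable.
"""
import hashlib
from datetime import datetime, timezone

# Constructed toy CA key pair. Both factors are prime; N is about 1e12, which is
# far too small for real use but enough to show the sign/verify relationship.
P, Q = 999_983, 1_000_003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # CA private exponent (Python 3.8+)
CA_PUBLIC_KEY = (N, E)              # what the appliance holds in its root certificate


def _digest_int(cert: dict) -> int:
    """Hash every certificate field except the signature, reduced mod N."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % N


def ca_sign(cert: dict) -> dict:
    """CA side: sign the body hash with the private exponent (issuance)."""
    signed = dict(cert)
    signed["signature"] = pow(_digest_int(cert), D, N)
    return signed


def check_signature(cert: dict, ca_public_key: tuple) -> bool:
    """Check 1: recover the hash with the root certificate's public key and
    compare it with a hash recomputed over the received certificate."""
    n, e = ca_public_key
    return pow(cert["signature"], e, n) == _digest_int(cert)


def check_validity_period(cert: dict, now: datetime) -> bool:
    """Check 2: the appliance clock must fall inside the certificate's validity range."""
    return cert["not_before"] <= now <= cert["not_after"]


def check_not_revoked(cert: dict, crl_serials: set) -> bool:
    """Check 3 (optional): the serial number must not appear on the issuer's CRL."""
    return cert["serial"] not in crl_serials


def validate_peer_certificate(cert, ca_public_key, now, crl_serials=None):
    """Run the checks in the order the lesson gives; return (accepted, reason).
    crl_serials=None models revocation checking being disabled."""
    if not check_signature(cert, ca_public_key):
        return False, "signature does not verify against the root certificate"
    if not check_validity_period(cert, now):
        return False, "certificate is outside its validity period"
    if crl_serials is not None and not check_not_revoked(cert, crl_serials):
        return False, "certificate serial number is on the CRL"
    return True, "valid"


def sample_headquarters_cert() -> dict:
    """Constructed identity certificate as the Headquarters appliance would present it."""
    return ca_sign({
        "subject": "CN=headquarters,OU=training,O=Cisco",
        "issuer": "CN=boston-ca",
        "serial": 0x1A2B,
        "not_before": datetime(2008, 5, 19, 18, 12, 33, tzinfo=timezone.utc),
        "not_after": datetime(2010, 5, 19, 18, 20, 59, tzinfo=timezone.utc),
    })


def demo() -> dict:
    """Exercise the accepting case and each of the three failure modes."""
    cert = sample_headquarters_cert()
    in_period = datetime(2009, 1, 1, tzinfo=timezone.utc)
    # Altering any signed field leaves the signature stale, so check 1 fails.
    tampered = dict(cert, subject="CN=impostor,OU=training,O=Cisco")
    return {
        "good": validate_peer_certificate(cert, CA_PUBLIC_KEY, in_period, crl_serials=set()),
        "tampered": validate_peer_certificate(tampered, CA_PUBLIC_KEY, in_period),
        "expired": validate_peer_certificate(cert, CA_PUBLIC_KEY,
                                             datetime(2011, 1, 1, tzinfo=timezone.utc)),
        "revoked": validate_peer_certificate(cert, CA_PUBLIC_KEY, in_period, crl_serials={0x1A2B}),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:9s} accepted={accepted} ({reason})")
```

The order matters: the signature check runs first because the validity dates and serial number are themselves signed fields, so nothing read from the certificate can be trusted until the signature verifies. Passing `crl_serials=None` shows what the optional check being disabled means in practice: a revoked but otherwise well-formed certificate is accepted.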
With the use of public key certificates in network security protocols comes the need for a certificate management protocol that PKI clients and CA servers can use to support automated certificate enrollment. The goal of the Simple Certificate Enrollment Protocol (SCEP) is to support the secure issuance of certificates to network devices in a scalable, more streamlined manner. SCEP supports automated CA public key distribution and certificate enrollment. (SCEP is a secure messaging protocol that requires minimal user intervention.) This method is quicker and allows you to enroll and install certificates using only the security appliance, but it is only available if you are enrolling with a CA that supports SCEP and enrolling through the web. If your CA does not support SCEP or if you do not have network connectivity to your CA, then you cannot use the automatic method; you must use the manual method.

SCEP Enrollment Process
(Figure: the security appliance loads the root certificate through SCEP, then loads the identity certificate through SCEP from the certificate server.)

Whether you use the automatic or the manual method, you follow the same overall certificate management procedure:
Step 1 Install CA (root) certificate(s).
Step 2 (Optional.) Enable CRL checking.
Step 3 Enroll and install identity certificates.
Step 4 Enable digital certificates on the security appliance.

Configuring CA Certificates
This topic describes the steps necessary to configure the Cisco ASA security appliance to request, download, and verify a CA certificate through Cisco Adaptive Security Device Manager (ASDM).

(Figure: SCEP Handshake, CA Certificate Enrollment. The requesting device requests the CA or RA certificate; the CA returns the CA or RA certificate; the requesting device verifies the CA or RA certificate.)

To participate in the digital certificate exchange, the security appliance requires two certificates. The SCEP process first enrolls with the CA and downloads a CA certificate. The security appliance then performs a second procedure.
A successful second exchange results in the downloading of an identity certificate. In the figure, the CA and identity certificate handshake exchanges are displayed. In the next section of this lesson, only the CA certificate enrollment is discussed. (The identity certificate enrollment is discussed later in the lesson.) The process for installing a CA certificate through SCEP is as follows:

Step 1 The security appliance sends a Get CA message to the CA.
Step 2 The CA returns a CA certificate to the security appliance.
Step 3 After the security appliance receives the CA (root) certificate, the security appliance authenticates the CA (root) certificate. The administrator can also verify the CA (root) certificate out-of-band by comparing the root certificate hash on the security appliance with the root certificate hash registered with the CA administrator. When comparing the two hashes, they should match.

Note: A registration authority (RA) is responsible for communicating with clients requesting certificates. An RA is used to offload the enrollment process overhead from the CA and offers better security since clients have no direct access to the CA. When using SCEP, the CA returns both a CA and an RA certificate to the security appliance.

CA Certificates Panel
Site-to-site VPN certificate configurations can be added, edited, and displayed under Configuration > Site-to-Site VPN > Certificate Management. Notice in the navigation pane that there are three choices:
- CA Certificates: Used to manage CA certificates.
- Identity Certificates: Used to manage identity certificates.
- Code Signer Certificates: Special certificates used to create digital signatures to sign code, with the signed code itself revealing the certificate origin.

To add, edit, and display CA certificates, choose CA Certificates under the navigation pane. To the right of the navigation pane is the CA Certificates field.
The CA Certificates field displays a list of the certificates available, identified by "Issued To," "Issued By," the date the certificate expires, and the certificate's usage or purpose. You can click a certificate in the list and edit its configuration, or you can add a new certificate to the list.

Step 1 To add a new certificate to the list, click the Add button. The Add a Certificate window opens.

CA Certificate: SCEP Enrollment Option
There are three options for installing a CA certificate. The CA Certificate pane lets you add a new certificate configuration from an existing file, by manually pasting in a certificate, or by SCEP automatic enrollment. Click the appropriate option to activate one of the following:
- Install from a file: To add a certificate configuration from an existing file.
- Paste certificate in PEM format: For manual enrollment, copy and paste the PEM format certificate (base 64 or hexadecimal format) into the pane.
- Use SCEP: For automatic enrollment, the security appliance contacts the CA by using the SCEP protocol, obtains the certificates, and installs them on the device.

To add a CA certificate by using SCEP, complete the following tasks:
Step 2 Click the Use SCEP radio button. To use SCEP, you must enroll with a CA that supports SCEP, and you must enroll through the Internet.
Step 3 In the SCEP URL: HTTP:// field, enter the path and filename of the certificate to be automatically installed. In the example, boston/certsrv/mscep/mscep.dll is entered, where "boston" is the name of the server and "certsrv/mscep/mscep.dll" is the path required to access a Microsoft CA server through SCEP.
Step 4 In the Retry Period field, specify the maximum number of minutes to retry installing a certificate. The default is one minute.
Step 5 In the Retry Count field, specify the number of retries for installing a certificate. The default is 0, which indicates unlimited retries within the retry period.
Step 6 Click the More Options button.
The Configuration Options for CA Certificate window opens. This displays configuration options for new and existing CA certificates.

(Figure: Configuration Options for CA Certificate. Revocation check: do not check, or check. CRL retrieval policy: CRL distribution point, certificate defined, static URL. CRL retrieval method: LDAP, SCEP, HTTP. Online Certificate Status Protocol (OCSP) rules: rules for obtaining a revocation list. Advanced: OCSP and CRL options.)

Additional CA certificate configuration options are available to an administrator, whether adding a new CA certificate or modifying an existing CA. The following panes are the tab-selectable displays that address certificate revocation configuration specifics. Each tabbed display is summarized in the following list:
- Revocation Check: The Revocation Check pane lets you choose or reject revocation checking, specify a method of revocation checking (CRL or Online Certificate Status Protocol [OCSP]), and allows you to ignore revocation-checking errors when validating a certificate (ignoring such errors means a peer is accepted even when its revocation status could not be determined).
- CRL Retrieval Policy: The CRL Retrieval Policy pane lets you configure the use of the CRL distribution point and static CRL URLs, with capabilities to add, edit, and delete static CRL URLs.
- CRL Retrieval Method: The CRL Retrieval Method pane lets you choose from the following list:
  - Lightweight Directory Access Protocol (LDAP)
  - Simple Certificate Enrollment Protocol (SCEP)
  - HTTP
  These three methods can be used for CRL retrieval.
- OCSP Rules: OCSP is used for obtaining the revocation status of an X.509 digital certificate and is an alternative to CRLs. Cisco ASA adaptive security appliance release 7.2 introduced OCSP as a certificate revocation option.
- Advanced: The Advanced pane allows you to set up CRL update parameters, OCSP parameters, and certificate acceptance and validation parameters.

After configuring the options and clicking the Okay button in the Configuration Options for CA Certificate window, the Add a Certificate window opens.
Click the Install Certificate button to start the SCEP automatic enrollment process.

Successfully Enrolled CA Certificate
In the automatic enrollment process, the security appliance contacts the CA by using the SCEP protocol, obtains the CA certificates, and then installs them on the Cisco ASA security appliance. Upon successful completion, the "CA certificate installed successfully" popup window opens. Each installed CA certificate is displayed in the CA Certificates pane. The certificates are identified by "Issued To," "Issued By," the date the certificate expires, and the certificate usage or purpose.

Verifying CA Certificate Installation Using ASDM
CA certificates can be verified through the command-line interface (CLI) and Cisco ASDM. Through Cisco ASDM, you can view installed CA certificates. Use this Cisco ASDM procedure to verify CA certificate installation:
Step 1 Open the Configuration > Site-to-Site VPN > Certificate Management > CA Certificates pane.
Step 2 Choose CA Certificates.
Step 3 Click the Show Details button on the right side of the pane.
Step 4 From the CA Certificates popup, choose from the following information tabs:
- General: Displays the values for type, serial number, status, usage, public key type, CRL distribution point, the times within which the certificate is valid, and associated certificates.
- Issued to: Displays the distinguished name (DN) of the client or host that the certificate is being issued to (in X.500 format). X.500 is an ISO standard distributed directory system.
- Issued by: Displays the DN of the CA server that issued the certificate in X.500 format.
Step 5 Click the Close button.

This figure shows the newly installed CA certificate. Notice the three tabs on the certificate: General, Issued to, and Issued by.
In the General tab, notice the following fields:
- Type: CA
- Status: Available
- Valid from and to dates: 18:12:33 May 19, 2008 to 18:20:59 May 19, 2010

You can use the show crypto ca certificates command to view the newly installed CA certificate through the CLI. This figure shows the output of the show crypto ca certificates command. Some important information displayed includes the following:
- The status of the certificate
- The certificate serial number
- The certificate usage
- The public key type
- The issuer name of the certificate
- The subject name of the certificate
- The CRL distribution points
- Validity dates
- Any associated trustpoint created on the Cisco ASA security appliance

Installing an Identity Certificate
After the CA certificate is successfully installed, you can request an identity certificate.

(Figure: SCEP handshake between the security appliance and the CA server. CA certificate enrollment (grayed out): request CA or RA certificate, return CA or RA certificate, verify CA or RA certificate. Identity certificate enrollment: generate keys, send request, CA processes request and generates certificate, store certificate; if pending approval: request pending, send polling request, store certificate.)

The first part, CA certificate enrollment, is complete (the grayed-out section in the figure). A CA certificate was requested. The CA returned a CA certificate. The CA certificate was validated and stored on the security appliance. The next step is to request, download, validate, and store an identity certificate for the security appliance. The procedure for requesting an identity certificate is as follows:
- The requesting device (the Cisco ASA security appliance, in this example) takes these actions:
  - Generates the RSA keys
  - Generates the certificate request
  - Sends the certificate request to the CA
- The CA processes the request, generates an identity certificate, and returns the identity certificate to the security appliance.
- If there is no approval, the CA places the request in a pending (approval) file and returns the pending message to the security appliance.
  - The security appliance periodically sends a poll to the CA. If the identity certificate is approved, the CA sends it to the security appliance.

This section covers how identity certificates are generated and transferred between a CA and the security appliance through SCEP.

Navigate to the Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates pane to manage the identity certificates used in a site-to-site VPN application. An identity certificate is used to authenticate with remote VPN gateway peers. To the right of the navigation pane is the Identity Certificates pane. The Identity Certificates pane displays a list of the certificates available, identified by "Issued to," "Issued by," the date that the certificate expires, and the certificate's usage or purpose. You can click a certificate in the list and edit its configuration, or you can add a new certificate to the displayed list. Currently there are no identity certificates stored on the security appliance.

In the next few sections, this lesson discusses the procedure required to add an identity certificate through SCEP. To begin the process of adding a new certificate, perform the following step:
Step 1 Click the Add button. The Add a Certificate window opens.

Generate Key Pair
(Figure: Add Identity Certificate window, with the Key Pair, Certificate Subject DN, and Advanced controls.)

From the Add Identity Certificate window, an administrator can import an existing identity certificate from a file or add a new certificate configuration through SCEP.
To add a new identity certificate through SCEP, the administrator needs to generate the Rivest, Shamir, and Adleman (RSA) keys, add optional distinguishing attributes such as a department name, a company name, a city, and so on, and change enrollment parameters. In the Add Identity Certificate window, the following parameters are available:
- To import an identity certificate from an existing file, choose Import the identity certificate from a file and enter the following information:
  - Decryption Pass Phrase: Specify the pass phrase used to decrypt the PKCS #12 file.
  - File to Import From: You can type the pathname of the file in the box, or you can click Browse and search for the file.
- To add a new identity certificate, the following information is required:
  - Key Pair: RSA key pairs are required to enroll for identity certificates. The Cisco ASA security appliance supports multiple key pairs.
  - Certificate Subject DN: Specify the certificate subject-name DN to form the DN in the identity certificate, and click the Select button to add DN attributes in the Certificate Subject DN pane.

RSA key pairs are required to enroll for identity certificates. To add a new RSA key, complete the following steps:
Step 2 In the Add Identity Certificate pane, choose the Add a new identity certificate radio button.
Step 3 Using the Key Pair drop-down menu, verify whether an RSA key pair is resident on the security appliance. In the example, None is the value of the Key Pair field. A key pair is required before performing SCEP enrollment.
Step 4 To generate a key pair, click the New button. The Add Key window opens.
Step 5 In the Name field, choose the Enter new key pair name radio button to name the new key you will be generating.
Step 6 From the Size drop-down menu, choose the key pair size: 512, 768, 1024, or 2048. The default is a key size of 1024.
Step 7 From the Usage field, specify the key pair usage by choosing either the General purpose or Special radio button. There are two types of usage for RSA keys: general purpose (the default) and special. If you use general-purpose RSA keys, the security appliance generates one key for both signing and encryption. When you choose Special, the Cisco ASA security appliance generates two key pairs, one for signature use and one for encryption use.
Step 8 Click the Generate Now button. The security appliance generates an RSA key based on your inputs.

Add Attributes to the Certificate
(Figure: Certificate Subject DN window, with Attribute and Value fields and an Add button.)

In a large, corporate environment, there may be many site-to-site VPN tunnels, both intranet and extranet based. For all intranet-based VPN tunnels, you might want to apply one group policy, and a different group policy for the extranet-based tunnels. You can have one policy for partners, another policy for subsidiaries, and so on. One way to differentiate between remote peer types is to parse the fields of an inbound identity certificate. You can categorize remote peers based on their certificate's department name (OU) field, their company name (O) field, and so on. This discussion describes how to add certificate attributes to an identity certificate. The mapping of an identity certificate field to a policy is explained later in the lesson.

In the Add Identity Certificate pane, the following Certificate Subject DN fields are available:
- Certificate Subject DN: Specify the certificate subject-name DN to form the DN in the identity certificate, and click the Select button to add additional DN attributes in the Certificate Subject DN pane.
In the figure, the identity certificate subject DN is set to "boston."
- Attribute: Choose one or more DN attributes from the drop-down. You can choose these X.500 fields of attributes for the Certificate Subject DN:
  - CN = Common name
  - OU = Department
  - O = Company name
  - C = Country
  - ST = State or Province
  - L = Location
  - EA = E-mail address

To add attributes to an identity certificate, perform the following steps:
Step 9 In the Add Identity Certificate window, click the Select button. The Certificate Subject DN window opens.
Step 10 From the Attribute drop-down menu, choose the desired attribute. In the example, company name (O) was chosen.
Step 11 In the Value field, enter the desired company name. In the example, Cisco was entered.
Step 12 After the attribute and value are entered, click the Add button to save the attribute.

In the example, the company name of "Cisco" and a department of "training" are specified. When the identity certificate is generated, the department and organization (company name) fields of the new identity certificate will be populated with "training" and "Cisco," respectively.

Identity Certificate: Advanced Settings
(Figure: Advanced Options window, Enrollment Mode tab, with the Enrollment URL, Retry Period, and Retry Count fields.)

The last step is to configure the SCEP parameters for the identity certificate enrollment. The Advanced > Enrollment Mode tab allows you to choose either manual enrollment (Request by manual enrollment) or enrollment by CA (Request from a CA) through SCEP, which requires the following information:
- Enrollment URL (SCEP): HTTP://: Enter the path and filename of the certificate to be automatically installed.
- Retry Period: Specify the maximum number of minutes to retry installing an identity certificate. The default is one minute.
- Retry Count: Specify the number of retries for installing an identity certificate. The default is 0, which indicates unlimited retries within the retry period.

To add the SCEP parameters, perform the following steps:
Step 1 In the Add Identity Certificate window, click the Advanced button. The Advanced Options window opens.
Step 2 Choose the Enrollment Mode tab. The Enrollment Mode tab opens.
Step 3 Choose the Request from a CA radio button.
Step 4 In the Enrollment URL (SCEP): http:// field, enter the CA server SCEP address information. In the example, 10.0.2.10/certsrv/mscep/mscep.dll was entered. The address of the SCEP CA server is 10.0.2.10. The Microsoft CA server information is certsrv/mscep/mscep.dll.
Step 5 In the Retry Period field, specify the maximum number of minutes to retry installing an identity certificate. The default is one minute.
Step 6 In the Retry Count field, specify the number of retries for installing an identity certificate. The default is 0, which indicates unlimited retries within the retry period.
Step 7 Click Okay to accept the new values. The Add Identity Certificate window opens.
Step 8 In the Add Identity Certificate window, click the Add Certificate button to start the SCEP enrollment process.

Verifying Identity Certificate Installation Using ASDM
If the SCEP enrollment process was successful, a new identity certificate should appear in the Identity Certificates pane. The example displays a newly installed identity certificate, using Cisco ASDM. Use this Cisco ASDM procedure to verify identity certificate installation:
Step 1 Open the Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates pane.
Step 2 Choose Identity Certificates.
Step 3 Click the Show Details button on the right side of the pane. An Identity Certificate popup opens. From the top of the Identity Certificate popup, choose from the following tabs:
- General: Displays the values for type, serial number, status, usage, public key type, CRL distribution point, the times within which the certificate is valid, and associated certificates.
- Issued to: Displays the distinguished name (DN) of the client or host that the certificate is being issued to (in X.500 format).
- Issued by: Displays the DN of the CA server that issued the certificate in X.500 format.
Step 4 Click the Close button.

Verifying ID Certificate Installation Using the CLI
(Figure: output of the show crypto ca certificates command for the identity certificate.)

You can also use the show crypto ca certificates CLI command to view the newly installed identity certificate returned by the CA server. This figure shows the output of the show crypto ca certificates command. Some important information displayed includes the following:
- The status of the certificate
- The certificate serial number
- The certificate usage
- The public key type
- The issuer name of the certificate
- The subject name of the certificate
- CRL distribution points
- Any associated trustpoint created on the Cisco ASA security appliance

Site-to-Site IPsec Connection Profiles
This topic describes how to configure a site-to-site VPN tunnel using a connection profile.

(Figure: Connection Profiles: Getting Started, showing the Site-to-Site VPN navigation pane with Connection Profiles, Group Policies, Certificate Management, and Advanced.)

After the CA certificate and identity certificates are stored on the security appliance, the site-to-site VPN tunnel can be configured. There are three basic ways to add a site-to-site IPsec VPN tunnel. You can use the IPsec VPN Wizard to add a site-to-site VPN. You can use the Site-to-Site VPN > Advanced menus to add or modify a site-to-site VPN configuration, or you can use the Site-to-Site VPN > Connection Profiles menus to add or modify a site-to-site VPN.
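Two of the fields listed above, the issuer name and the subject name, are what the appliance looks at when it categorizes remote peers by certificate attributes, as described under Add Attributes to the Certificate and configured through the Certificate to Connection Profile Maps pane introduced below. The following is an added example written for this lesson, not Cisco code or the appliance's matching engine: it parses an X.500-style subject DN into its attributes and applies an ordered list of constructed (attribute, value, profile) rules. The rule format and profile names are assumptions made for the example; the matching of escaped commas and repeated attributes goes beyond the single case in the text.

```python
"""Parse a certificate subject DN and pick a connection profile from its attributes.

Added example for this lesson, not Cisco code; the appliance does this inside
its certificate-to-connection-profile maps. Rule format and profile names are
assumed for the example.
"""
from typing import Dict, List, Tuple

DNAttributes = Dict[str, List[str]]


def parse_dn(dn: str) -> DNAttributes:
    """Split 'CN=boston,OU=training,O=Cisco' into {'CN': ['boston'], ...}.

    A backslash escapes the next character (RFC 4514 style), so a value such as
    'O=Cisco\\, Inc.' keeps its comma, and repeated attributes (two OU values)
    are all retained rather than the last one silently winning.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    attrs: DNAttributes = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


# Constructed matching rules: (attribute, expected value, connection profile).
# First match wins, so the more specific OU rule is listed before the O rule.
RULES: List[Tuple[str, str, str]] = [
    ("OU", "training", "intranet-training-profile"),
    ("O", "Cisco", "intranet-profile"),
    ("O", "PartnerCo", "extranet-partner-profile"),
]
DEFAULT_PROFILE = "default-profile"


def map_to_profile(subject_dn: str, rules=RULES, default: str = DEFAULT_PROFILE) -> str:
    """Return the first profile whose rule matches an attribute of the subject DN.

    Only run this on a certificate that has already passed signature, validity
    and revocation checks: the attributes are trustworthy because the CA signed them.
    """
    attrs = parse_dn(subject_dn)
    for attr, expected, profile in rules:
        if expected.lower() in (v.lower() for v in attrs.get(attr, [])):
            return profile
    return default


if __name__ == "__main__":
    for dn in ("CN=boston,OU=training,O=Cisco,C=US",
               "CN=nyc,OU=sales,O=Cisco",
               "CN=gw1,O=PartnerCo",
               "CN=hq,O=Cisco\\, Inc.,C=US"):
        print(f"{dn:40s} -> {map_to_profile(dn)}")
```

Two design points carry over to the real appliance. Rules are ordered, so a peer whose certificate carries both OU=training and O=Cisco lands in the first matching profile, and reordering the rules changes the outcome. Matching is on whole attribute values, so "Cisco, Inc." does not match a rule for "Cisco"; a peer whose DN was issued with a different spelling falls through to the default profile, which is where a mismatch between what the CA put in the certificate and what the rule expects will show up in testing.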
This section discusses how to configure a site-to-site tunnel using the connection profiles menus. In Cisco ASDM, click the Configuration button and choose Site-to-Site VPN from the navigation pane. The Site-to-Site VPN menus offer the following:
- Connection Profiles: Enables you to add, edit, and delete connection profiles.
- Group Policies: Enables you to manage VPN group policies.
- Certificate Management: Enables you to manage digital certificates.
- Advanced: Enables you to access the following configuration panes:
  - Tunnel Groups: Enables you to add, edit, and delete tunnel groups.
  - Crypto Maps: Enables you to add, edit, and delete crypto maps. In addition to configuring basic and required crypto map parameters, you can configure optional settings such as Reverse Route Injection (RRI), which can improve the reliability and performance of your site-to-site VPN by enabling the security appliance to learn routing information for connected clients. You can also enable Network Address Translation Transparency (NAT-T), which enables IPsec peers to establish a connection through a NAT device.
  - IKE Policies: Enables you to add, edit, and delete IKE policies.
  - IKE Parameters: Enables you to enable and disable IKE on security appliance interfaces, specify the method by which IPsec peers identify themselves to each other, and configure other optional IKE parameters.
  - IPsec Transform Sets: Enables you to add, edit, and delete transform sets.
  - IPsec Prefragmentation Policies: Enables you to set the IPsec prefragmentation policy and the Don't Fragment (DF) bit policy for a security appliance interface. Prefragmentation for IPsec VPNs enables an encrypting device to predetermine the encapsulated packet size from information available in transform sets.
If the device predetermines that the packet will exceed the maximum transmission unit (MTU) of the output interface, the device fragments the packet before encrypting it. This avoids process-level reassembly before decryption and helps improve decryption performance and overall IPsec traffic throughput. The DF bit policy specifies whether the security appliance can clear, set, or copy the DF bit from the encapsulated header. The DF bit within the IP header determines if a device is allowed to fragment a packet.
– Certificate to Connection Profile Maps: Enables you to configure the policy for certificate group matching and define rules to map certificates to connection profiles.
– System Options: Enables you to specify if inbound IPsec sessions can bypass interface ACLs, limit the number of active IPsec VPN sessions, and reclassify existing VPN flows. Reclassifying existing VPN flows ensures that flows that need encryption are torn down and recreated.
– ACL Manager: Enables you to add, edit, and delete access control lists (ACLs).

To start building a connection profile, you enable IPsec access on select security appliance interfaces and then add a connection profile. Complete the following steps:

Step 1 Open the Configuration > Site-to-Site VPN > Connection Profiles pane.
Step 2 In the Access Interface pane, next to the interface on which you want to allow IPsec access, check the check box. In the illustration, the Outside interface check box was checked.
Step 3 In the Connection Profiles pane, click the Add button to begin configuring the connection profile. The Add IPsec Site-to-Site Connection Profile window opens (shown next).

[Figure: Connection Profile: Add Connection; Remote Branch Office.]

By choosing the Basic option in the Add IPsec Site-to-Site Connection Profile window navigation pane, the Add IPsec Site-to-Site Connection Profile—Basic dialog box opens.
The dialog boxes within the Add IPsec Site-to-Site Connection Profile—Basic window enable you to specify the peer IP address, specify a connection name, choose an interface, specify IKE authentication parameters, specify protected networks, and specify encryption algorithms. Over the next few examples, each section of the Add IPsec Site-to-Site Connection Profile—Basic window is discussed.

The top section of the Add IPsec Site-to-Site Connection Profile—Basic window enables you to define the IPsec site-to-site remote peer. To configure the remote peer, complete the following steps:

Step 4 Next to the Peer IP Address, check the Static check box. In the following field, enter the IP address of the interface on the remote peer where the tunnel terminates.
Step 5 By checking the Same as IP Address check box, you can specify that the connection name is the same as the IP address specified in the Peer IP Address field.
Step 6 In the Interface field, define the local security appliance interface to use for this connection.

In the example in the figure, the IP address of the remote peer IPsec tunnel interface is 192.168.1.10. The tunnel will terminate on the remote security appliance outside interface.

[Figure: IKE Authentication: Identity Certificate; Remote Branch Office, Site 2.]

The IKE Authentication section defines the authentication to use when authenticating an IKE peer. In this scenario, digital certificates are used to authenticate site-to-site IPsec peers.

Step 7 From the IKE Authentication > Identity Certificate drop-down menu, choose the name of the identity certificate to use for authentication. In the example, the previously added identity certificate is chosen.

[Figure: Protected Networks; Remote Branch Office.]

The protected network parameters define which traffic the IPsec VPN tunnel will protect, by its source and destination IP addresses.
Step 8 In the protected network section of the pane, choose or specify the local and remote networks protected by this tunnel.
Step 9 In the Local Network field, specify the IP address of the local network, or click the ... button. It opens the Browse Local Network dialog box, on which you can choose a previously defined local network.
Step 10 In the Remote Network field, specify the IP address of the remote network, or click the ... button. It opens the Browse Remote Network dialog box, on which you can choose a remote network.

In the example in the figure, the local protected network is 10.0.2.0/24. The remote protected network is 10.0.1.0/24. The IPsec site-to-site tunnel will protect any traffic transmitted between these two networks.

[Figure: IKE Proposal; Remote Branch Office; Outside interface.]

To create a custom IKE policy, click the Manage button in the IPsec Site-to-Site Connection Profile window. The Add IKE Policy window opens. In the Add IKE Policy window, you can create a new IKE policy. This window enables you to add the IKE policy as follows:

Step 1 Use the Priority field to designate a priority number.
Step 2 Use the Encryption drop-down list to choose the encryption method that protects the data transmitted between the IPsec peers.
Step 3 Use the Hash drop-down menu to choose the hash algorithm that ensures data integrity.
Step 4 Use the Authentication drop-down list to choose the authentication method that the security appliance uses to establish the identity of each IPsec peer. In this example, digital certificates provide IKE authentication. To accomplish this, "rsa-sig" was chosen in the Authentication drop-down menu.
Step 5 Use the D-H Group drop-down list to choose the Diffie-Hellman group identifier that the IPsec peers use to derive a shared secret without transmitting it to each other.
Step 6 Use the Lifetime radio buttons and fields to specify the lifetime for the IKE security association.
Step 7 Click OK.

In the example in the figure, an IKE policy using 3DES encryption, SHA hash, RSA digital certificates for authentication, D-H Group 1, and a lifetime of 86400 seconds was defined.

[Figure: IPsec Proposals; Remote Branch Office, Site 2; the Select Transform Sets window.]

This figure shows the Select Transform Sets window, which is displayed if you click the Select button in the Add IPsec Site-to-Site Connection Profile window. Here you can add, edit, or delete transform sets for your site-to-site VPN. You cannot edit or delete the preconfigured transform sets.

The Select Transform Sets window also allows you to create new transform sets. You might want to create new transform sets if you want to customize the names of the transform sets that you use in your configuration. To create a new transform set, complete the following steps:

Step 1 Click the Add button in the Select Transform Sets window. The Add Transform Set window opens.
Step 2 In the Add Transform Set window, enter a name for the new transform set in the Set Name field.
Step 3 Verify that the Tunnel radio button is chosen in the Properties pane. The Properties pane contains the following Mode radio buttons:
■ Tunnel: Applies ESP encryption and authentication to the entire original IP packet (IP header and data), thus hiding the ultimate source and destination addresses. This is the default mode.
■ Transport: Applies ESP encryption and authentication only to the data in the IP packet. The security appliance uses transport mode only when communicating with a Windows 2000 L2TP/IPsec client.
Step 4 From the ESP Encryption drop-down list, choose the ESP encryption algorithm for the transform set.
Step 5 From the ESP Authentication drop-down list, choose the ESP authentication algorithm for the transform set. In the example in the figure, tunnel mode with DES encryption and no authentication is chosen.
Step 6 Click OK. The Select Transform Sets window becomes active.

[Figure: Crypto Map options under the Advanced menu of the IPsec Site-to-Site Connection Profile window; peer 192.168.1.10.]

You can use the Advanced menu items in the IPsec Site-to-Site Connection Profile window to make changes to your site-to-site VPN. By choosing the Crypto Map option, you can make the following changes:

■ Priority: A unique priority (1 through 65,543, with 1 the highest priority). When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.
■ Perfect Forward Secrecy (PFS): Ensures that the key for a given IPsec security association (SA) was not derived from any other secret (like some other keys). With PFS, every time a new SA is negotiated, a new Diffie-Hellman exchange occurs. PFS adds another level of security because if an attacker ever cracks one key, only the data sent with that key is compromised. If a peer initiates the negotiation and the local configuration specifies PFS, the peers must perform a PFS exchange for the negotiation to succeed. If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active. In the figure, PFS is disabled.

Note: Enabling PFS is optional. PFS provides additional security for DH key exchanges at the cost of additional processing.

■ Enable NAT-T: Enables NAT Transparency (NAT-T) for this policy, which enables IPsec peers to establish both remote-access and site-to-site connections through a NAT device. In the figure, NAT-T is disabled.
■ Enable Reverse Route Injection: Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint. In the figure, RRI is disabled.
■ Security Association Lifetime: Configures the duration of an SA. Security associations have two lifetimes, a timed lifetime and a traffic volume lifetime. The security association expires after the first of these lifetimes is reached. In the figure, the traffic volume lifetime for this VPN connection is 4,608,000 kilobytes. The security association expires when traffic passing between the IPsec peers using the security association exceeds 4,608,000 kilobytes, or when the security association lifetime exceeds the default setting of 8 hours, whichever happens first. This parameter specifies how to measure the lifetime of the IPsec SA keys by time and traffic volume.
– Time: Specifies the SA lifetime in terms of hours (hh), minutes (mm), and seconds (ss).
– Traffic Volume: Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10,000 KB, and maximum is 2,147,483,647 KB.
– Override the global lifetime value for security associations.
■ Static Crypto Map Entry Parameters: Configure these additional parameters when the Peer IP Address is specified as Static.
– Connection Type: Specify the allowed negotiation as bidirectional, answer-only, or originate-only.
– Send ID Cert. Chain: Enables transmission of the entire certificate chain.
■ IKE Negotiation Mode: Sets the mode for exchanging key information for setting up the SAs, Main or Aggressive. It also sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you choose Aggressive, the Diffie-Hellman Group list becomes active.

[Figure: Advanced Connection Profiles: Tunnel Group.]

By choosing the Advanced > Tunnel Group option, you can make the following changes:

■ Certificate Settings: Sets the following certificate chain and IKE peer validation attributes:
– Send Certificate Chain: Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.
– IKE Peer ID Validation: Choose whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.
■ IKE Keepalive: Enables and configures IKE (ISAKMP) keepalive monitoring.
– Disable Keepalives: Enables or disables IKE keepalives.
– Monitor Keepalives: Enables or disables IKE keepalive monitoring. Choosing this option makes available the Confidence Interval and Retry Interval fields.
– Confidence Interval: Specifies the IKE keepalive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.
– Retry Interval: Specifies the number of seconds to wait between IKE keepalive retries. The default is 2 seconds.
– Headend Will Never Initiate Keepalive Monitoring: Specifies that the central-site security appliance never initiates keepalive monitoring.
■ Default Group Policy: Specifies the following group-policy attributes:
– Group Policy: Choose a group policy to use as the default group policy.
The default value is DfltGrpPolicy.
– Manage: Opens the Configure Group Policies dialog box.
– IPsec Protocol: Enables or disables IPsec protocol use for this connection profile.

Modifying Certificate to Connection Mapping

This topic describes how to map a certificate to a connection profile.

In a previous section, this lesson discussed a company with a number of remote sites with both intranet and extranet site-to-site VPN tunnels. The company wants to define different policies for the different groups: a less restrictive policy for the intranet and a more restrictive policy for the extranet. Under the Identity Certificates section, the administrator was able to define attributes within a certificate, the "O" and "OU," for instance. The administrator can use these fields to differentiate among groups: an intranet group, a partner, or an extranet group. Certificate group matching enables you to match a certificate to a tunnel group, using defined attributes within a certificate.

To match site-to-site VPN tunnels to tunnel groups based on attributes within a certificate, you must first create rules that define attribute-matching criteria, and then associate each rule with the desired tunnel group. Complete the following steps to start mapping a certificate to a specific tunnel connection:

Step 1 Open the Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps > Policy pane.
Step 2 Check the Use the Configured Rules to Match a Certificate to a Group check box.

Note: Another option is to check the Use the Certificate OU Field to Determine the Group check box. This option indicates that if a tunnel group is not determined based on a rule lookup (previous step), then the single value of the OU field is used to determine the tunnel group.

Step 3 Check the Default to Group check box.
Step 4 From the drop-down list, choose the DefaultL2LGroup tunnel group.
Step 5 Click Apply at the bottom of the pane.

When the Cisco ASA security appliance receives an IKE tunnel connection request with a digital certificate, it uses a set of rules to evaluate the attributes of the certificate until it finds a match. When it finds a match, it assigns the connection profile associated with the matched rule to the connection. If the security appliance fails to find a match, it assigns the default DefaultL2LGroup profile to the connection.

[Figure: Add Certificate Matching Rule; Name, Priority, and Group.]

The administrator defines a rule name, a priority, and a tunnel group. The administrator configures a rule and associates it with a connection profile (formerly called tunnel group). The following parameters are available in the Add/Edit Certificate Matching Rule dialog box:

■ Map: Choose one of the following:
– Existing: Choose an existing map name.
– New: Enter a new map name for a rule. In the example, Boston was chosen.
■ Priority: Type a number to specify the sequence with which the Cisco ASA security appliance evaluates the map when it receives a connection request. The security appliance evaluates each connection against the map with the lowest priority number first. The default priority is 10.
■ Mapped to Connection Profile: Choose the connection profile to map to this rule. In the example, a predefined connection profile, TunnelGroup1, was chosen as the tunnel group.

To configure a Certificate to Connection Profile Map, complete the following steps:

Step 1 Open the Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps > Rules pane.
Step 2 In the Certificate to Connection Profile Maps pane, click the Add button. The Add Certificate Matching Rule window opens.
Step 3 Choose the New radio button and enter a name into the Name field. In the example, "boston" was entered.
Step 4 In the Priority field, enter a number to specify the sequence with which the appliance evaluates the map when it receives a connection request. The default of 10 was entered.
Step 5 From the Mapped to Connection Profile drop-down menu, choose a predefined tunnel group. In the example, a predefined tunnel group, tunnelgroup1, was chosen as the tunnel group.

[Figure: Certificate Matching Criteria.]

In the top half of the pane, the administrator defines a name, a priority, and an associated group. In the bottom half of the pane, the administrator defines the matching rule certificate attribute criteria. The following parameters are available on the Add Certificate Matching Rule Criterion pane:

■ Rule Priority: (Display only.) Previously configured sequence number with which the security appliance evaluates the map when it receives a connection request. The Cisco ASA security appliance evaluates each connection against the map with the lowest priority number first.
■ Mapped to Connection Profile: (Display only.) Previously configured connection profile to which the rule is mapped.
■ Field: Choose the part of the certificate to be evaluated from the drop-down list.
– Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
– Alternative Subject: The subject alternative names extension allows additional identities to be bound to the subject of the certificate.
– Issuer: The CA or other entity (jurisdiction) that issued the certificate.
■ Component: (Applies only if Subject or Issuer is chosen.) Choose the certificate attribute used in the rule.
■ Operator: Choose the operator used in the rule:
– Equals: The distinguished name field must exactly match the value.
– Contains: The distinguished name field must include the value within it.
– Does Not Equal: The distinguished name field must not match the value.
– Does Not Contain: The distinguished name field must not include the value within it.
■ Value: Enter up to 255 characters to specify the object of the operator.

Note: If multiple criteria are entered, the criterion operation is a logical "and."

To configure a Certificate Matching Rule Criterion, complete the following steps:

Step 1 Open the Configuration > Site-to-Site VPN > Advanced > Certificate to Connection Profile Maps > Rules pane.
Step 2 In the Mapping Criteria pane, click the Add button. The Add Certificate Matching Rule Criterion window opens.
Step 3 From the Field drop-down menu, choose the part of the certificate to be evaluated: Subject, Alternate Subject, or Issuer.
Step 4 From the Component drop-down menu, choose the component of the certificate to be evaluated. In the example, the "O" component was chosen.
Step 5 From the Operator drop-down menu, choose the operator. In the example, "Equals" was chosen.
Step 6 From the Value drop-down menu, enter the component value in the field. In the example, "cisco" was entered.
Step 7 Click OK.

In the example, certificates with an "O" field value of "cisco" are assigned to the TunnelGroup1 profile. All other nonmatching certificates are assigned to the default DefaultL2LGroup profile.

Hub and Spoke

This topic describes how to configure the Cisco ASA security appliance for hub-and-spoke operation.

[Figure: Hub and Spoke Traffic Flow between Headquarters, Branch A, and Branch B.]

In the illustration, the customer has a central-site headquarters and two remote-branch sites. The majority of the traffic flows from headquarters to the branch sites. The customer also has a small amount of branch-to-branch traffic; not enough branch-to-branch traffic to require a dedicated branch-to-branch VPN tunnel.
All traffic from the branches, the spokes, will flow through headquarters, the hub. This application is referred to as a hub-and-spoke network. There are three traffic flows: between Headquarters and Branch A, between Headquarters and Branch B, and between Branch A and Branch B.

[Figure: Hub and Spoke (Cont.): understand the traffic flows, use the existing site-to-site tunnels, and enable intra-interface traffic at the headend.]

To configure a hub-and-spoke network, the administrator must understand the traffic flow between HQ and Branch A, between HQ and Branch B, and between Branch A and Branch B. The administrator needs to understand what traffic flows are currently supported by the corporate VPN tunnel network. In the illustration, headquarters has one IPsec tunnel to each of the branch sites. The headquarters security appliance is configured to protect data between headquarters and each of the remote sites. At each branch site, there is one IPsec tunnel between the branch site and headquarters. The branch security appliance is configured to protect branch-to-headquarters and branch-to-branch traffic. Because there is no dedicated IPsec tunnel between the branches, all branch-to-branch traffic is routed through the headquarters security appliance. By default, a security appliance does not allow traffic to flow in and out of the same interface. To allow this kind of traffic on an interface, enable the same-security-traffic intra-interface feature.

This example illustrates a hub-and-spoke VPN architecture. All communication from a branch goes to the VPN crypto headend, even traffic destined for another VPN branch. Hub-and-spoke configuration is accomplished by creating a different "Connection Profile" for each "spoke" connecting to the hub-and-spoke network.
In the illustration, at the headquarters security appliance, two IPsec tunnels were configured: one to Branch A and one to Branch B.

[Figure: Hub and Spoke: transform sets protecting the headquarters-to-branch traffic flows.]

Each of the traffic flows needs to be protected. In the illustration, the traffic from the headquarters inside network to the Branch A and Branch B inside networks will be protected by the transform set shown in the figure, which uses SHA for ESP authentication.

[Figure: Enable Intra-Interface Traffic.]

In order for traffic to flow between branches, it must transit the headquarters security appliance. Take, for example, traffic from Branch A to Branch B. At the headquarters security appliance, the traffic enters the outside interface from the Branch A tunnel. The security appliance does a route lookup and determines that the traffic is destined for Branch B. The security appliance sends the traffic back out the outside interface. The traffic flows down the other tunnel to Branch B. Follow this procedure to permit intra-interface traffic on the outside interface:

Step 1 Navigate to the Configuration > Device Setup > Interfaces pane.
Step 2 Choose the "outside" interface from the pane.
Step 3 Check the box that says, "Enable traffic between two or more hosts connected to the same interface."
Step 4 Click Apply.

Site-to-Site Redundancy

This topic describes how to configure site-to-site redundancy.

[Figure: Site-to-Site Redundancy; Tunnel Policy (Crypto Map) – Basic tab.]

Site-to-site redundancy configuration is useful for site-to-site VPNs. You can define multiple peers in a crypto map to provide redundancy, using the Add >> button. If one peer fails, the security appliance establishes a tunnel to the next peer that is associated with the crypto map. It sends data to the peer that it has successfully negotiated with, and that peer becomes the "active" peer.
The "active" peer is the peer that the Cisco ASA security appliance keeps trying first for follow-on negotiations until a negotiation fails. At that point, the security appliance goes on to the next peer. The security appliance cycles back to the first peer when all peers associated with the crypto map have failed. Follow this procedure to define multiple peers in a crypto map:

Step 1 Navigate to the Configuration > Site-to-Site VPN > Advanced > Crypto Maps pane.
Step 2 Choose Crypto Maps from the pane and click Add. The Create IPsec Rule window opens.
Step 3 Choose the Tunnel Policy (Crypto Map) – Basic tab. In the IP Address of Peer to Be Added field, enter the IP address of the remote peer.
Step 4 Click the Add button.

In the example in the figure, two peers are defined (192.168.1.10 and 192.168.1.11).

Verifying Site-to-Site VPNs

This topic describes how to verify the configuration of site-to-site VPNs.

[Figure: Monitoring > VPN > VPN Connection Graphs.]

You can use the Monitoring > VPN > VPN Connection Graphs pane to verify and monitor your VPN connections from within Cisco ASDM. Click the Add button to move IPsec and IKE Active Tunnels from the "Available Graphs" list to the "Selected Graphs" list.

[Figure: Verifying Site-to-Site VPNs (Cont.): IKE and IPsec active tunnel graphs.]

The graphs show the active IKE and IPsec tunnels after a connection has been made to a remote peer.

[Figure: Monitoring > VPN > VPN Statistics > Crypto Statistics.]

Use the Monitoring > VPN > VPN Statistics > Crypto Statistics pane to view VPN statistics from within Cisco ASDM. The figure shows IKE statistics.

[Figure: Verifying Site-to-Site VPNs: Global IKE/IPsec Statistics.]

The Global IKE/IPsec Statistics pane offers more information on IKE and IPsec operation.
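The Advanced settings described in the preceding sections (crypto map PFS, NAT-T, RRI and SA lifetimes; tunnel group certificate chain, peer ID validation and keepalives; certificate-to-connection-profile rules; intra-interface traffic for hub and spoke; and a second peer for redundancy) correspond to the following ASA commands. This is an added example, not course material. It reuses the crypto map entry outside_map 10, the peers 192.168.1.10 and 192.168.1.11, the rule Boston (priority 10, O equals cisco) mapped to TunnelGroup1 with DefaultL2LGroup as the fallback, and the 4,608,000 KB traffic volume lifetime from the figures. The figures show PFS, NAT-T and RRI disabled; they are enabled here to show the syntax. The 28800-second timed lifetime (the 8-hour default mentioned above), D-H group 2 for PFS, the NAT-T keepalive interval of 20 seconds and the keepalive values 10 and 2 are assumptions.

```cisco
! Added example: CLI equivalents of the Advanced crypto map, tunnel group,
! certificate map, hub-and-spoke and redundancy settings. Values marked as
! assumed are not taken from the course figures.

! --- Crypto map advanced options (Advanced > Crypto Map) ---
! Two peers in one entry provide site-to-site redundancy: the first peer that
! negotiates successfully becomes the active peer
crypto map outside_map 10 set peer 192.168.1.10 192.168.1.11
! Perfect Forward Secrecy: a fresh Diffie-Hellman exchange for every IPsec SA (group 2 assumed)
crypto map outside_map 10 set pfs group2
! Reverse Route Injection: static routes for the remote protected networks
crypto map outside_map 10 set reverse-route
! Static crypto map entry connection type: bidirectional, originate-only or answer-only
crypto map outside_map 10 set connection-type bidirectional
! IPsec SA lifetimes for this entry: 8 hours (assumed) and 4,608,000 KB, whichever comes first
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

! --- NAT-T (global setting; 20-second NAT keepalive interval assumed) ---
crypto isakmp nat-traversal 20

! --- Tunnel group advanced options (Advanced > Tunnel Group) ---
tunnel-group 192.168.1.10 ipsec-attributes
 ! send the entire certificate chain (root plus subordinate CA certificates)
 chain
 ! require the IKE peer ID to be validated against the certificate
 peer-id-validate req
 ! IKE keepalives: confidence interval 10 s, retry interval 2 s (assumed values)
 isakmp keepalive threshold 10 retry 2

! --- Certificate to connection profile mapping (Advanced > Certificate to Connection Profile Maps) ---
! Rule Boston, priority 10: Subject attribute O equals "cisco"
crypto ca certificate map Boston 10
 subject-name attr o eq cisco
! Use the configured rules; fall back to DefaultL2LGroup when no rule matches
tunnel-group-map enable rules
tunnel-group-map default-group DefaultL2LGroup
tunnel-group-map Boston 10 TunnelGroup1

! --- Hub and spoke: let branch-to-branch traffic enter and leave the outside interface ---
same-security-traffic permit intra-interface
```

Rules in a certificate map are evaluated from the lowest sequence number upward, and all criteria within one rule must hold (the logical "and" noted above), so a more specific rule should carry a lower number than a broader one, and the default group catches every certificate that matches no rule.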
show crypto isakmp sa Command

    ciscoasa# show crypto isakmp sa

       Active SA: 1
        Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 192.168.1.10
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

Use the show crypto isakmp sa and show crypto isakmp stats commands to view ISAKMP information, including active ISAKMP security associations and the IKE peer address. This figure shows the output of the show crypto isakmp sa command. The peer address for this ISAKMP SA for the site-to-site (S2S) IPsec tunnel is 192.168.1.10 in this example.

show crypto isakmp stats Command

[Figure: output of the show crypto isakmp stats command.]

This figure shows the output of the show crypto isakmp stats command. Using this command, you can verify the following information:
■ Active tunnels
■ Input packets
■ Incoming IKE Phase 2 exchanges
■ Output packets
■ Outgoing IKE Phase 2 exchanges
■ Dropped packets
■ Authentication failures
■ Decryption failures

show crypto ipsec sa Command

[Figure: output of the show crypto ipsec sa command.]

Use the show crypto ipsec sa command to view IPsec security associations, crypto ACLs, transform sets, and packet information. This figure shows the output of the show crypto ipsec sa command. The figure shows the following:
■ The interface and its address used for the VPN tunnel = outside
■ The name of the crypto map = outside_map
■ Any access lists associated with the crypto map
■ The local network to encrypt
■ The remote network to decrypt
■ Packet information, including encrypted packets
■ Local and remote endpoints

show crypto ipsec sa Command (Cont.)
■ IPsec transforms used for the tunnel
■ Tunnel mode = L2L tunnel

show crypto ipsec stats Command

[Figure: output of the show crypto ipsec stats command.]

Use the show crypto ipsec stats command to view active IPsec tunnels and other IPsec statistics. This figure shows the output of the show crypto ipsec stats command.
With this command, you can verify this information:
■ Active IPsec tunnels
■ Inbound:
– Bytes
– Packets
– Dropped packets
– Authentication failures
– Decryption failures

show crypto ipsec stats Command (Cont.)

[Figure: continuation of the show crypto ipsec stats output.]

This figure shows the continuation of the output of the show crypto ipsec stats command. With this command you can verify this information:
■ Outbound:
– Bytes
– Packets
– Dropped packets
– Authentication failures
– Encryption failures
■ Protocol failures
■ Missing SA failures
■ System capacity failures

show vpn-sessiondb l2l Command

[Figure: output of the show vpn-sessiondb l2l command: Connection: 192.168.1.10; Index: 5; Encryption: 3DES; Bytes Tx: 1400; Login Time: 09:19:23 CST Mon Feb 18 2008; Duration.]

The show vpn-sessiondb l2l command displays VPN site-to-site session information. You can display this information for all groups or you can filter it by using the following filter and sort options: name, ipaddress, protocol, and encryption. The figure shows the output of the show vpn-sessiondb l2l command. With this command you can verify this information:
■ Session type
■ Tunnel group
■ Remote network IP address
■ Protocol of tunnel
■ Encryption and hash algorithms
■ Login time and duration of VPN session

show vpn-sessiondb detail l2l Command

[Figure: output of the show vpn-sessiondb detail l2l command.]

For more extended details about a site-to-site session, use the show vpn-sessiondb detail l2l command. For example, using the detail option for an IPsec session displays additional details such as these:
■ IKE encryption and hashing algorithm
■ Authentication mode
■ IPsec local and remote addresses
■ IPsec encryption algorithm
■ Packets transmitted and received

Troubleshooting Site-to-Site VPNs

This topic describes how to use the debug command to verify the configuration of site-to-site VPNs.

■ Big Money Banking Corporation has added another branch.
■ According to federal regulations, any data sent across the WAN must be encrypted.
■ IT discovers that the data is coming across the WAN unencrypted.

In this troubleshooting scenario, Big Money Bank has added another remote branch to its network. According to federal regulations, all data traffic crossing the Internet between the headquarters and a remote branch must be encrypted to ensure the privacy and security of its customer information. The Network IT Department for Big Money Bank is testing the remote connection and has noticed that the data coming across the WAN is not being encrypted because the VPN tunnel will not come up.

Troubleshooting Site-to-Site VPNs (Cont.)

[Figure: debug crypto isakmp output on the security appliance, showing repeated %ASA-7-710006: ESP request discarded from 192.168.1.11 to outside:<headquarters outside address> messages.]

■ An encryption request was discarded.
■ The usual cause is a misconfigured encryption algorithm in the ISAKMP policy.
After applying the debug crypto isakmp command on the security appliance, IT noticed that the security appliance was discarding ESP requests from the branch site.

show crypto isakmp policy Command

    Branch# show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit

IT checked the ISAKMP policy at the remote router, using the show crypto isakmp policy command. The ISAKMP policy on the remote router is as follows:
■ Encryption = DES
■ Hash = SHA
■ Authentication = Pre-shared key
■ Diffie-Hellman Group = 2
■ SA Lifetime = 86,400 seconds with no volume limit

Notice that the remote site is using DES for the IKE Phase 1 policy. The next step would be to check the IKE proposal on the Cisco ASA security appliance.

[Figure: Cisco ASDM IKE Policies pane on the security appliance: Encryption 3DES, Hash SHA, Authentication pre-shared key.]

Because the Cisco ASA security appliance does not have a show crypto isakmp policy command, IT checks the Cisco ASDM Configuration > Site-to-Site VPN > Advanced > IKE Policies pane. The ISAKMP policy on the Cisco ASA security appliance is as follows:
■ Encryption = 3DES
■ Hash = SHA
■ Authentication = Pre-shared key
■ Diffie-Hellman Group
■ SA Lifetime = 86,400 seconds with no volume limit

Notice that the encryption algorithm on the security appliance is set to 3DES. The solution for this problem would be to change the IKE encryption policy on either the security appliance or the remote branch router.
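The mismatch in this scenario, and its correction, expressed as the two peers' IKE policies. This is an added example, not course material: the router policy is taken from the show crypto isakmp policy output above, the security appliance policy from the ASDM IKE Policies pane (its Diffie-Hellman group is not visible on the page, so group 2 is assumed to make the rest of the proposal comparable), and the fix shown is the router-side one, because raising the branch to 3DES keeps the security appliance policy intact rather than lowering it to DES.

```cisco
! Added example: the Phase 1 mismatch from the Big Money Bank scenario and one fix.
! IKE proposals are compared in priority order, and every parameter in a proposal
! (encryption, hash, authentication, D-H group, lifetime) must match for it to be accepted.

! --- Cisco ASA security appliance (values from the ASDM IKE Policies pane; D-H group 2 assumed) ---
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! --- Branch router as found: DES on the router does not match 3DES on the appliance,
!     so no IKE proposal is accepted and the tunnel never comes up ---
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

! --- Branch router corrected: align the encryption algorithm with the appliance ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
```

After the change, show crypto isakmp sa on the security appliance should list the branch peer with State MM_ACTIVE, as in the verification output earlier in this lesson; the other fix the text names, changing the appliance policy to DES, also makes the proposals match but applies the weaker cipher to every peer that negotiates against that policy entry.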
Summary

This topic summarizes the key points that were discussed in this lesson.

- Site-to-site VPN configurations are between two IPsec security gateways.
- For authentication using digital certificates, there must be at least one identity certificate and its issuing CA certificate on a Cisco ASA security appliance.
- The security appliance uses access lists to define interesting traffic.
- IKE policies include an authentication method, encryption algorithm, hash algorithm, Diffie-Hellman group, and SA lifetime.
- A transform set combines an encryption method and an authentication method.
- Crypto map entries pull together the various elements of IPsec security associations.
- Hub-and-spoke configuration is accomplished by creating a different connection profile for each spoke connecting to the Cisco ASA security appliance.
- You can define multiple peers in a crypto map to provide redundancy.
- VPN connection graphs and show commands are used to verify VPN connectivity.
- Several debug commands are available to troubleshoot VPN connections.

Lesson 3

Configuring the Cisco VPN Client

Overview

The Cisco VPN Client is software that runs on a PC. The Cisco VPN Client on a remote PC, communicating with a virtual private network (VPN) server on an enterprise network or with a service provider, creates a secure connection over the Internet. In this lesson, you will learn how to install and configure the Cisco VPN Client on a Windows PC.

Objectives

Upon completing this lesson, you will be able to configure the Cisco VPN Client by using digital certificates for authentication.
This ability includes being able to meet these objectives:

- Describe the key features and benefits of the Cisco VPN Client
- Describe the steps necessary to install the Cisco VPN Client
- Describe the steps needed to configure and install digital certificates on the Cisco VPN Client
- List the connection entry configuration options available on the Cisco VPN Client
- List the advanced configuration options available on the Cisco VPN Client
- Describe the settings and options that would verify and troubleshoot the Cisco VPN Client configuration

Cisco VPN Client

This topic describes the key features and benefits of the Cisco VPN Client.

The Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. This thin-design IP Security (IPsec) implementation is compatible with all Cisco VPN products. The Cisco VPN Client can be preconfigured for mass deployments, and initial logins require little user intervention. It supports the innovative Cisco Easy VPN capabilities, delivering a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN architecture that eliminates the operational costs associated with maintaining a consistent policy and key management method. The Cisco Easy VPN feature allows the Cisco VPN Client to receive security policies upon a VPN tunnel connection from the central-site VPN device (VPN server), minimizing configuration requirements at the remote location.
This simple and highly scalable solution is ideal for large remote-access deployments where it is impractical to individually configure policies for multiple remote PCs. The Cisco VPN Client supports the following operating systems:

- Windows 2000, XP, and Vista (x86/32-bit only)
- Linux (Intel)
- Mac OS X 10.4
- Solaris UltraSPARC (32- and 64-bit)

Cisco VPN Client Selected Features

The Cisco VPN Client provides the following selected features:

- Support for Windows 98, ME, NT 4.0, 2000, and XP (limited support for 32-bit Vista); Linux (Intel); Solaris (UltraSPARC 32- and 64-bit); and Mac OS X 10.2, 10.3, and 10.4
- Automatic software updates (Windows 2000 and XP), new in version 4.6, that make deploying new Cisco VPN Client versions easy
- VPN Virtual Interface Adapter present on Windows 2000 and XP
- Application programming interface (API) to control operation of the Cisco VPN Client from another application
- System coexistence with the Microsoft L2TP/IPsec client
- MSI (Windows Installer) package available for NT, 2000, and XP
- Intelligent peer availability detection, or dead peer detection (DPD)
- Simple Certificate Enrollment Protocol (SCEP)
- Data compression (LZS)
- Command-line options for connecting, disconnecting, and connection status
- Configuration file with option locking
- Support for Microsoft network login (all platforms)
- Domain Name System (DNS), including Dynamic DNS (DDNS)/DHCP computer name population, and Split DNS
- Windows Internet Name Service (WINS) and IP address assignment
- Load balancing and backup server support
- Centrally controlled policies (including backup server list)
- Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
- Personal firewall enforcement: Cisco Security Agent, Sygate, Zone Alarm (Windows only)
- Integration with the iPass remote-access client software, including one-click (single sign-on), VPN auto-teardown, and Windows pre-login support (Windows only)
- Client connection autoinitiation for wireless LAN environments

Please note that the Cisco VPN Client may support more features than the Cisco Easy VPN Server can accommodate. Always compare the Cisco VPN Client specifications against the Cisco Easy VPN Server supported and unsupported features list. This information can be found at Cisco.com.

Cisco VPN Client Installation

This topic describes the steps necessary to install the Cisco VPN Client.

A basic installation of the Cisco VPN Client requires installing the client and configuring at least one connection. Advanced options may also be configured on the Cisco VPN Client. The following tasks are used to install and configure the Cisco VPN Client:

- Install Cisco VPN Client.
- Create a new connection entry.
- (Optional) Configure Cisco VPN Client transport properties.
- (Optional) Configure properties of Cisco VPN Client backup servers.
- (Optional) Configure dialup properties.

Installation of the Cisco VPN Client varies slightly based on the type of operating system. Always review the installation instructions that come with the Cisco VPN Client before attempting any installation. Generally, installation of the Cisco VPN Client involves the following steps (this example is based on installing the Cisco VPN Client on a Windows XP PC):

Step 1 Double-click the setup.exe file. If this is the first time that the Cisco VPN Client is being installed on this PC, a window opens and displays the following message: Do you want the installer to disable the IPsec Policy Agent?
Step 2 If the disable IPsec Policy Agent message appears, click Yes. The Welcome window opens.
Step 3 Read the Welcome window and click Next. The License Agreement window opens.
Step 4 Read the license agreement and click Yes. The Destination Folder Location window opens.
Step 5 Accept the defaults by clicking Next. The Program Folders window opens.
Step 6 Accept the defaults by clicking Next. The Updating Systems window opens. The files are copied to the hard disk drive of the PC, and the Cisco VPN Client Setup window opens. It should say, "Cisco Systems VPN Client X.X.X has been successfully installed."
Step 7 Click Finish.

VPN Client Modes

You can run the Cisco VPN Client in simple mode or in advanced mode. The default is advanced mode, although your network administrator might have configured simple mode as the default. Use simple mode if you want only to start the Cisco VPN Client application and connect to a VPN device using the default connection entry. In simple mode, you work with a scaled-down version of the VPN Client user interface.
The VPN Client main window shows the version information, the current connection entry, the Connect button, and the status bar.

Use advanced mode for the following tasks:

- Managing the Cisco VPN Client
- Configuring connection entries
- Enrolling for and managing certificates
- Viewing and managing event logging
- Viewing tunnel routing data

To toggle between advanced mode and simple mode, press Ctrl-M. Alternatively, you can choose a mode from the Options menu.

VPN Client (Advanced Mode) Main Window

The figure represents the main window of the Cisco VPN remote-access client. There are three tabs as well as menu options that can be used to configure the Cisco VPN software client. There are three sections to the VPN Client GUI: main menu, toolbar action buttons, and tabs. The action buttons change depending on which tab is currently selected. Main menu options include these:

- Connection Entries: Use the Connection Entries menu as a shortcut to frequently used connection entry operations.
  - Connect: Connect to a VPN device using the selected connection entry. If the Connections tab is not selected, a submenu, which lists all available connection entries, is displayed.
  - Disconnect: End your current VPN session.
  - Create Shortcut: Create a shortcut on your desktop for the current connection entry.
  - Modify: Edit the current connection entry.
  - Delete: Remove the current connection entry.
  - Duplicate: Make a copy of the selected connection entry. This menu choice lets you create a new connection entry, using the configuration from a current connection entry as a template.
  - Set as Default Connection Entry: Make the current connection entry the default.
  - New: Create a new connection entry.
  - Import: Bring in a new connection entry profile from a file.
  - Exit VPN Client: Close the Cisco VPN Client application.
- Status: Use the Status menu to view routes and notifications, and to reset the statistics display.
  - Statistics: Used to view statistics such as tunnel details, route details, and any firewall properties.
  - Notifications: Allow an administrator to notify VPN users of upcoming events.
  - Reset Stats: Clear the statistics from the statistics display and start over.
- Certificates: Use the Certificates menu to enroll and manage certificates.
  - View: Display the properties of the selected certificate.
  - Import: Bring in a certificate file from a specified file location.
  - Export: Send the selected certificate to a specified file location.
  - Enroll: Sign up with a certificate authority (CA) to obtain a certificate.
  - Verify: Make sure that a certificate is still valid.
  - Delete: Remove the selected certificate.
  - Change Certificate Password: Update the password that protects the selected certificate in the Cisco VPN Client certificate store.
  - Retry Certificate Enrollment: Try a previously attempted certificate enrollment again.
  - Show CA/RA Certificates: Display digital certificates issued by either a CA or a registration authority (RA).
- Log: Use the Log menu to manage the log.
  - Enable/Disable: Start collecting events (Enable); stop collecting events (Disable).
  - Clear: Erase the events displayed on the Log tab (and log window).
  - Log Settings: Change the logging levels of event classes.
  - Log Window: Bring up a separate window that displays events. From this window you can save the display, edit logging levels by event class, and clear both log displays. The window shows more events than the display area of the main advanced mode window.
  - Search Log: Bring up a dialog box into which you enter the exact string to be matched.
    The search string is not case-sensitive, and wildcards are not supported. Matched instances are highlighted on the Log tab, not the log window.
  - Save: Store the current log in a specified log file.
- Options: Use the Options menu to perform various actions such as launching an application.
  - The Application Launcher
  - Windows Logon Properties
  - The Stateful Firewall
  - Switching between Advanced and Simple Mode
  - User Preferences

The toolbar action buttons at the top of the Cisco VPN Client window vary depending on which tab is forward:

- If the Connection Entries tab is forward, the Connect, New, Import, Modify, and Delete buttons control operations for the selected connection entry.
- If the Certificates tab is forward, the View, Import, Export, Enroll, Verify, and Delete buttons control operations for the selected certificate.
- If the Log tab is forward, the Disable, Clear, Log Settings, and Log Window buttons control the logging operations.

Following is a brief description of each tab option in the VPN Client main window:

- Connection Entries: Displays the list of current connection entries, the host, which is the VPN device each connection entry uses to gain access to the private network, and the transport properties that are set for each connection entry. Use this tab to add or modify VPN connections.
- Certificates: Displays the list of certificates in the Cisco VPN Client certificate store. Use this tab to manage certificates.
- Log: Displays event messages from all processes that contribute to the client-peer connection: enabling logging, clearing the event log, viewing the event log in an external window, and setting logging levels.

Digital Certificates with Cisco VPN Client

This topic describes the steps needed to configure and install digital certificates on the Cisco VPN Client.
Certificate Enrollment

Your system administrator may have already set up your Cisco VPN Client with digital certificates. If not, or if you want to add certificates, you can obtain a certificate by enrolling with a CA over the network or by creating a file request. There are two methods supported by the VPN Client: online and file-based. This section covers the online process only. Refer to the latest Cisco documentation for the file-based method.

When you enroll for a personal certificate, either you go through a CA from which your system already has a root certificate or you obtain a root certificate from the CA as part of the enrollment process. The CA Certificates tab displays the current list of CA certificates. In the example, there are no certificates displayed in the certificates panel. To enroll online for a certificate with a CA over the network, follow this procedure:

- In advanced mode, either click the Enroll icon on the toolbar above the Certificates tab or display the Certificates menu and choose Enroll.
- Click Online as the certificate type. The VPN Client Certificate Enrollment window opens.
- In the VPN Client Certificate Enrollment form, fill in the fields as follows:
  - CA URL: The URL or network address of the CA. This parameter is required. In the example, 10.0.2.10 is the address of the CA server. The CA server requires the certsrv/mscep/mscep.dll phrase.
  - CA Domain: The CA domain name. This parameter is required. In the example, the domain is cisco.com.
  - Challenge Password: Some CAs require a password to access their site. If such is the case with this CA, enter the password in the Challenge Password field. To find out the password, contact the CA or your network administrator. In the example, no password was required. In a live network, a strong password is advised.
- Click the Next button. The Cisco VPN Client certificate enrollment form opens.
In the certificate enrollment form fields, you can fill in the various attribute values to be included in the certificate as follows:

- Common Name: Your common name (CN), which is the unique name for this certificate. This field is required. The CN can be the name of a person, system, or other entity; it is the most specific level in the identification hierarchy. The CN becomes the name of the certificate; for example, David L.
- Department: The name of the department to which you belong; for example, training. This field correlates to the organizational unit (OU). The OU is the same as the group name configured in a security appliance; for example, training.
- Company: The name of the company or organization (O) to which you belong; for example, cisco.
- State: The name of your state (ST); for example, Massachusetts.
- Country: The two-letter country code for your country (C); for example, US. This two-letter country code must conform to ISO 3166 country abbreviations.
- Email: Your e-mail address (E); for example, David_L@training.cisco.com.
- IP Address: The IP address of your system; for example, 10.10.10.1.
- Domain: The fully qualified domain name (FQDN) of the host for your system.

Next, click the Enroll button. The SCEP enrollment process takes place.

Identity Certificate Successfully Added

After you click the Enroll button, what happens next depends on the configuration of the CA: immediate approval or approval required.

- Some CAs provide an immediate response. If so, you see a message that your enrollment succeeded. You can view and manage the certificate under the Certificates tab.
- If the enrollment status is Request pending, your CA does not immediately approve your request. You see a Status Pending pop-up window.
- While you are waiting for the CA to issue the certificate, your request appears in the certificates list under the Certificates tab as a request. (The Store column shows Request.)
- When the CA issues your certificate, choose the certificate and then choose Retry Certificate Enrollment from the Certificates menu to complete the enrollment.
- After you have obtained the certificate, you see a message that your enrollment succeeded.
- In the example, only the ID certificate is visible, even though both the ID and CA certificates were downloaded. You can display both the CA and ID certificates by choosing Certificates > Show CA/RA Certificates.

To verify whether a certificate is valid, follow these steps:

Step 1 Choose the certificate from the certificate store under the Certificates tab.
Step 2 Display the Certificates menu and choose Verify, or click the Verify icon on the toolbar above the Certificates tab. The VPN Client displays a message indicating whether the certificate is still valid.
Step 3 Click OK.

This table shows the messages you might see when you check the validity of a certificate.

Verification Messages

Message                              Description
Certificate is not valid yet         The current date is prior to the certificate's valid start date. You must wait until the certificate becomes valid.
Certificate has expired              The current date is after the certificate's valid end date. You need to enroll for a new certificate.
Certificate signature is not valid   You do not have the CA certificate, or the CA certificate that you have may have expired. You might need to download or import the CA certificate.
Certificate is valid                 You have a working certificate enrolled.

To display a certificate, choose it in the certificate store; then do one of the following:

- Open the Certificates menu and choose View.
- Click View on the toolbar above the Certificates tab.
- Double-click the certificate.

In the example is a sample certificate from a Microsoft certificate service provider. This is only an example.
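The four outcomes in the Verification Messages table correspond to standard X.509 chain validation. The following Go program is an added example, not Cisco VPN Client code: it builds a constructed lab CA and identity certificate in memory (hypothetical names, with the training OU used in this lesson) and classifies the identity certificate the way the table does, including the case where the only CA certificate in the store has itself expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The four messages from the Verification Messages table.
const (
	MsgNotYetValid = "Certificate is not valid yet"
	MsgExpired     = "Certificate has expired"
	MsgBadSig      = "Certificate signature is not valid"
	MsgValid       = "Certificate is valid"
)

// newCert issues a certificate signed by parent/parentKey; when isCA is true the
// certificate is self-signed and parent is ignored. All key material is constructed
// in memory for this example (hypothetical names and a "training" OU).
func newCert(cn string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"training"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify classifies an identity certificate against the CA certificates in the
// client's store at time now and returns one of the four table messages. Dates are
// checked first, as the table does; any chain failure (no issuer in the store, or an
// issuer that has itself expired) is reported as an invalid signature.
func Verify(id *x509.Certificate, caStore []*x509.Certificate, now time.Time) string {
	switch {
	case now.Before(id.NotBefore):
		return MsgNotYetValid
	case now.After(id.NotAfter):
		return MsgExpired
	}
	roots := x509.NewCertPool() // an empty pool, never the operating system's roots
	for _, ca := range caStore {
		roots.AddCert(ca)
	}
	if _, err := id.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return MsgBadSig
	}
	return MsgValid
}

func main() {
	now := time.Now()
	ca, caKey, err := newCert("Example Lab CA", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	if err != nil {
		panic(err)
	}
	id, _, err := newCert("David L", false, now.Add(-time.Hour), now.Add(12*time.Hour), ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(Verify(id, []*x509.Certificate{ca}, now)) // Certificate is valid
	fmt.Println(Verify(id, nil, now))                     // Certificate signature is not valid
}
```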
Not all certificates are guaranteed to look like this one. A typical certificate such as that shown in the example contains the following information:

- Common Name: The name of the owner, usually the first name and last name. This field identifies the owner within the public key infrastructure (PKI) organization.
- Department: The name of the owner's department, which is the same as the organizational unit (OU). Note that when connecting to a Cisco VPN 3000 Concentrator, the OU should generally match the group name configured for the owner in the Cisco VPN 3000 Concentrator.
- Company: The organization where the owner is using the certificate.
- State: The state where the owner is using the certificate.
- Country: The two-character country code where the owner's system is located.
- Email: The e-mail address of the owner of the certificate.
- Thumbprint: The Message Digest 5 (MD5) and Secure Hash Algorithm (SHA)-1 hash of the certificate's complete contents. This identifier provides a way to validate the certificate's authenticity. For example, if you contact the issuing CA, you can use this to verify that this is the correct certificate to use.
- Key Size: The size of the signing key pair in bits; for example, 1024.
- Subject: The fully qualified distinguished name (DN) of the certificate's owner. This specific example includes the following parts. Other items may be included, depending on the certificate type. However, these fields are fairly standard.
  - cn is the common name.
  - ou is the organizational unit (department).
  - o is the organization.
  - l is the locality (city or town).
  - st is the state or province of the owner.
  - c is the country, and e is the e-mail address of the owner.
- Issuer: The fully qualified distinguished name (DN) of the source that provided the certificate. The fields in this example are the same as for Subject.
- Serial Number: A unique identifier used for tracking the validity of the certificate on certificate revocation lists (CRLs).
- Not Before: The beginning date that the certificate is valid.
- Not After: The end date beyond which the certificate is no longer valid.

Connection Entry

This topic lists the connection entry configuration options available on the Cisco VPN Client.

To use the Cisco VPN Client, you must create at least one connection entry. Required information for a connection would include these items:

- The connection name
- The security appliance (the remote server) to access
- The authentication method to use
- The transport properties

Optional information for a connection might include these items:

- Any backup servers
- Dial-up connections
- A description of the connection

You can create multiple connection entries if you use your Cisco VPN Client to connect to multiple networks (though not simultaneously) or if you belong to more than one VPN remote-access group.

The figure shows the new connection dialog box. The administrator is creating a connection between a small office or home office and headquarters, IP address 192.168.2.2. The device will authenticate using digital certificates. The end user may also need to supply a username and password, depending upon his or her group's extended authentication settings. Use the following procedure to create the new connection, using digital certificates.

Step 1 Start the Cisco VPN Client by choosing Start > Programs > Cisco Systems VPN Client > VPN Client. The Cisco VPN Client application starts and displays the advanced mode main window.
Step 2 Choose New from the toolbar or the Connection Entries menu. The Create New VPN Connection Entry window opens.
Step 3 Enter a unique name for this new connection. You can use any name to identify this connection; for example, Headquarters.
This name can contain spaces, and it is not case-sensitive.
Step 4 Enter a description of this connection. This field is optional, but it helps further identify this connection; for example, SOHO to HQ.
Step 5 Enter the hostname or IP address of the remote VPN device that you want to access; for example, 192.168.2.2.
Step 6 In this example, digital certificates are used for authentication. Click the Certificate Authentication radio button.
Step 7 From the Name drop-down menu, choose the name of the certificate that you are using; for example, I-David L (Cisco).

Note: If the field is empty, you must enroll for a certificate before you can use this feature. The instructions for obtaining a certificate are in the next section.

(Optional) Configure Cisco VPN Client Transport Properties

Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router serving as a firewall, which may also be performing Network Address Translation (NAT) or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 Encapsulating Security Payload (ESP) traffic within User Datagram Protocol (UDP) packets and can allow for both Internet Key Exchange (IKE) (UDP 500) and Protocol 50 to be encapsulated in TCP packets before they are sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT.

This parameter is enabled by default. To disable this parameter, uncheck the Enable Transparent Tunneling check box. We recommend that you always keep this parameter checked. Then choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the security appliance to which you are connecting. Either mode operates properly through a PAT device.
Multiple simultaneous connections might work better with TCP, and if you are in an extranet environment, then, in general, TCP mode is preferable. UDP does not operate with stateful firewalls, so in this case, you should use TCP. In the example, the remote worker's PC is situated behind a wireless router configured for PAT. The remote worker has decided to use IPsec over UDP to support the worker's VPN tunnel. The following transport tunneling options are available:

- IPsec over UDP (NAT/PAT): Choose this radio button to enable IPsec over UDP (NAT/PAT). With UDP, the port number is negotiated. UDP is the default mode.
- IPsec over TCP (NAT/PAT/Firewall): Choose this radio button to enable IPsec over TCP. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.

Local LAN Option

Without the local LAN option:
- The VPN tunnel is up.
- Everything is sent down the tunnel.
- There is no local LAN access (for example, to a printer).

With the local LAN option:
- The VPN tunnel is up.
- Everything is sent down the tunnel EXCEPT local LAN access (for example, to a printer).

The option must be enabled at both the security appliance and the VPN Client.

In a multiple-network-interface-card (NIC) configuration, local LAN access pertains only to network traffic on the interface on which the tunnel was established. Allow Local LAN Access gives you access to the resources on your local LAN (printer, fax, shared files, and other systems) when you are connected through a secure gateway to a central-site VPN device. When this parameter is enabled and your central site is configured to permit it, you can access local resources while connected. When this parameter is disabled, all traffic from your Cisco VPN Client system goes through the IPsec connection to the secure gateway. To enable this feature, check the Allow Local LAN Access check box; to disable it, uncheck the check box.
If the local LAN that you are using is not secure, you should disable this feature. For example, you would disable this feature when you are using a local LAN in a hotel or airport. A network administrator at the central site configures a list of networks at the Cisco VPN Client side that you can access. You can access up to ten networks when this feature is enabled. When local LAN access is allowed and you are connected to a central site, all traffic from your system goes through the IPsec tunnel except traffic to the networks excluded from doing so (in the network list). When this feature is enabled and configured on the Cisco VPN Client and permitted on the central-site VPN device, you can see a list of the local LANs available by looking at the Routes table.

In the example, the remote worker wants to print to a printer that is situated on the local LAN while the VPN tunnel is connected. The remote worker checked the Allow Local LAN Access check box to enable the application at the remote site. The administrator has to enable the feature on the headquarters security appliance to make the feature operational.

The figure shows the Cisco VPN Client sending a DPD message (R-U-There) and receiving the reply (R-U-There ACK).

The Cisco VPN Client uses a keepalive mechanism, dead peer detection (DPD), to check the availability of the VPN device on the other side of an IPsec tunnel (for example, when one device reboots or loses its Internet connection). If the network is unusually busy or unreliable, you might need to increase the number of seconds to wait before the Cisco VPN Client decides that the peer is no longer active. The default number of seconds to wait before terminating a connection is 90 seconds. The minimum number you can configure is 30 seconds, and the maximum is 480 seconds. To adjust the setting, enter the number of seconds in the Peer Response Timeout (Seconds) field.
The Cisco VPN Client continues to send DPD requests every 5 seconds until it reaches the number of seconds specified by the peer response timeout value. If you are configuring a group of mixed peers, and some of those peers support IKE keepalives while others do not, enable IKE keepalives for the entire group. During IKE negotiation, each of the Software Clients will identify whether DPD messages are supported. To be enabled, both ends must support the feature. The feature will have no effect on the peers that do not support it.

Note: To reduce connectivity costs, disable IKE keepalives if this group includes any Software Clients connecting through ISDN lines. ISDN connections normally disconnect when idle, but the IKE keepalive mechanism prevents connections from idling out and, therefore, from disconnecting.

(Optional) Configure Cisco VPN Client Backup Servers Properties

The private network may include one or more backup security appliance VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the security appliance if so configured, or you can manually enter this information. In the example, two backup server addresses were added to the backup servers list. If the security appliance at 192.168.2.2 is unavailable, the Cisco VPN Client will attempt a connection to backup servers at 192.168.2.3 and then 192.168.3.2.

(Optional) Configure Dialup Properties

To enable and configure a connection to the Internet through dialup networking, check the Connect to Internet via dial-up check box.
This feature is not selected by default. You can connect to the Internet using the Cisco VPN Client application in either of the following ways:

■ Microsoft Dial-Up Networking (DUN): If you have DUN phonebook entries and have enabled the Connect to Internet via dial-up feature, DUN is enabled by default. To link your Cisco VPN Client connection entry to a DUN entry, click the Phonebook Entry drop-down arrow and choose an entry from the menu. The Cisco VPN Client then uses this DUN entry to automatically dial into the Microsoft network before making the VPN connection to the private network.

■ Third-party dialup application: If you have no DUN phonebook entries and have enabled the Connect to Internet via dial-up feature, then the third-party dialup application is enabled by default. Click Browse to enter the name of the program in the Application field. This application launches the connection to the Internet. The string that you enter in this field is the path name to the command that starts the application and the name of the command. For example, "c:\isp\ispdialer.exe dialEngineering" would activate the ISP dialer, using the script dialEngineering, which would contain the required dial information.

Advanced Options

This topic lists the advanced configuration options available on the VPN Client.

Stateful Firewall

[Figure: Stateful Firewall]

The Cisco VPN Client contains an integrated stateful firewall module licensed from Zone Labs called the CIC firewall. Components of this feature include a dynamic link library (DLL) combined with a Zone Labs stateful firewall module driver. The DLL acts as an interface between the traditional Software Client and the firewall driver.
A default stateful firewall policy is loaded on the CIC firewall. The stateful CIC firewall blocks all inbound traffic not related to an outbound session. There are two exceptions to this rule:

■ DHCP: Sends requests to the DHCP server out one port but receives responses from DHCP through a different port. For DHCP, the stateful firewall allows inbound traffic.

■ ESP: The stateful firewall allows ESP traffic from the secure gateway, because ESP rules are packet filters and not session-based filters.

The firewall is active for both tunneled and nontunneled traffic. The remote client controls the stateful firewall feature. By default, the stateful firewall feature is disabled, or unchecked, on the client. There are two ways to enable the stateful firewall feature. From the main client window, remote users can click the Options button and choose Stateful Firewall. They can also access the stateful firewall option by right-clicking the lock icon in the system tray. When enabled, the stateful firewall feature filters both tunneled and nontunneled traffic. If a firewall does not exist on the remote user's PC, enabling the firewall feature is a viable option.

Setting MTU Size

[Figure: Set MTU Size window (with a caution that MTU changes can affect the performance of your PC on the network); Network Adapters list and MTU Options]

The Set MTU option is used primarily for troubleshooting connectivity problems. For specific applications where fragmentation is an issue, Set MTU can change the MTU size to fit the specific scenario. The Cisco VPN Client automatically adjusts the MTU size to suit your environment, so running this application should not be necessary.

To implement a different MTU size (the default is 1420 bytes), choose Start Menu > All Programs > Cisco Systems VPN Client > Set MTU and run the program. The figure displays the Set MTU Size window, which is where you set the MTU size.
Set the MTU option size by clicking the appropriate radio button. You must reboot for MTU changes to take effect.

Split DNS

[Figure: Split DNS]

Split DNS is used in split-tunneling connections. The Cisco VPN Client will resolve whether a DNS query packet is sent in cleartext, or encrypted and sent down the tunnel. If the packet is encrypted and sent down the tunnel, a corporate DNS server resolves the DNS query. ISP-assigned DNS servers resolve cleartext DNS.

Split DNS is configured on the security appliance. The client will receive a comma-delimited list of Split DNS names from the security appliance through mode-config. When the client receives a DNS query packet, the domain name is compared and sequentially checked against the Split DNS names. Case-insensitive domain name comparison will start at the end of each domain name string and continue toward the beginning of each string, resulting in a match or no match. Query packets passing the comparison will have their destination IP address rewritten and tunneled, using the primary DNS IP address that is configured on the security appliance.

As an example, the query bob.cisco.com when compared against the Split DNS name of cisco.com results in a match: the cisco.com of bob.cisco.com matches the split DNS string of cisco.com. The bob.cisco.com DNS query is encrypted and sent to the primary DNS server. The primary DNS server will resolve the IP address of bob.cisco.com. Failover in the case of an unreachable primary Split DNS server will result in the secondary Split DNS server being used to resolve further queries. Packets not matching the Split DNS list will pass through the client untouched and are transmitted in cleartext. For example, the query news.com when compared against the Split DNS name of cisco.com results in a mismatch.
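The Split DNS decision described above, written out as an added example (this is not Cisco code and not the client's implementation): the Split DNS list is parsed from a constructed mode-config string, each query is checked sequentially and case-insensitively from the end of the name, matching queries have their destination rewritten to the primary (or, on failover, secondary) Split DNS server, and everything else goes in cleartext to the ISP-assigned server. The server addresses, the list entries and the requirement that a match fall on a label boundary are assumptions of this example.

```python
"""Split DNS decision logic for the Cisco VPN Client, as an added example (not Cisco
code). The Split DNS name list, server addresses and query names below are
constructed inputs; the matching rule follows the page's description."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SplitDnsPolicy:
    split_names: List[str]        # names pushed by the security appliance via mode-config
    primary_dns: str              # corporate DNS server, reached through the tunnel
    secondary_dns: Optional[str]  # used when the primary Split DNS server is unreachable
    isp_dns: str                  # ISP-assigned server that answers cleartext queries


def parse_split_dns_list(mode_config_value: str) -> List[str]:
    """Parse the comma-delimited Split DNS list received through mode-config."""
    return [n.strip().lower().rstrip(".")
            for n in mode_config_value.split(",") if n.strip()]


def split_dns_match(query_name: str, split_name: str) -> bool:
    """Case-insensitive comparison that starts at the end of each string and works
    toward the beginning. This example only accepts a match on a label boundary
    (an assumption of the example), so notcisco.com does not match cisco.com."""
    q = query_name.lower().rstrip(".")
    s = split_name.lower().rstrip(".")
    if q == s:
        return True
    return q.endswith("." + s)


def resolve_dns_query(query_name: str, policy: SplitDnsPolicy,
                      primary_reachable: bool = True) -> Dict[str, object]:
    """Check the query sequentially against the Split DNS names and decide whether
    it is tunneled (destination rewritten to the corporate DNS server) or passed
    untouched in cleartext to the ISP-assigned server."""
    for name in policy.split_names:     # sequential check; first match wins
        if split_dns_match(query_name, name):
            if primary_reachable or policy.secondary_dns is None:
                resolver = policy.primary_dns
            else:
                resolver = policy.secondary_dns   # failover to the secondary Split DNS server
            return {"query": query_name, "matched": name,
                    "tunneled": True, "resolver": resolver}
    return {"query": query_name, "matched": None,
            "tunneled": False, "resolver": policy.isp_dns}


def rewrite_query_packet(packet: Dict[str, str], policy: SplitDnsPolicy,
                         primary_reachable: bool = True) -> Dict[str, object]:
    """Apply the decision to a (constructed) DNS query packet: tunneled queries get
    their destination IP address rewritten; others are returned unchanged."""
    decision = resolve_dns_query(packet["qname"], policy, primary_reachable)
    out: Dict[str, object] = dict(packet)
    if decision["tunneled"]:
        out["dst"] = decision["resolver"]
    out["tunneled"] = decision["tunneled"]
    return out


# Constructed values standing in for what the security appliance pushes via mode-config.
SPLIT_DNS_MODE_CONFIG = "cisco.com, corp.example"
POLICY = SplitDnsPolicy(split_names=parse_split_dns_list(SPLIT_DNS_MODE_CONFIG),
                        primary_dns="10.0.1.53",      # constructed corporate DNS server
                        secondary_dns="10.0.2.53",    # constructed secondary Split DNS server
                        isp_dns="198.51.100.53")      # constructed ISP-assigned resolver

if __name__ == "__main__":
    for qname in ("bob.cisco.com", "news.com", "BOB.Cisco.COM", "notcisco.com"):
        print(resolve_dns_query(qname, POLICY))
    print(resolve_dns_query("bob.cisco.com", POLICY, primary_reachable=False))
```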
The news.com DNS query is sent in cleartext. The ISP-assigned DNS servers will resolve the IP address.

Dynamic DNS

[Figure: Dynamic DNS hostname update flow]

DNS servers were originally used in a static environment. As a new host was added to the network, an administrator would add the host to the DNS database. With remote hosts dynamically attaching and detaching from the network, static remote-host information updates to a DNS database became impossible. The Dynamic DNS (DDNS) feature is often used in networks to coordinate hostname information between DHCP and DNS servers in an attempt to accurately reflect the current network configuration. DHCP clients and servers use updates to send updated remote hostname information from the DHCP client to the DHCP server. The DHCP server forwards the hostname to the DNS server. The DDNS feature enables DNS servers to accept hostname and IP address updating information.

The client was modified to send its hostname to the security appliance as part of mode-config messages. The security appliance forwarded the Software Client hostname to the DHCP server. The DHCP server forwarded the information to the DNS server. This enabled the DNS server to dynamically populate its records. The DDNS feature only applies to client connections when a DHCP server assigns the Software Client IP address.

Windows Logon Properties

[Figure: Windows Logon Properties dialog box]

The Windows Logon Properties option allows you to customize how the Cisco VPN Client interacts with the Windows logon procedure. Options for Windows logon include these:

■ Enable start before logon: On a Windows platform, you can connect to the private network before you log on to your system.
This feature is called start before logon, and its purpose is primarily to let you log in to the domain and run login scripts.

■ Allow launching of applications before logon: Your system administrator determines if you can launch applications and third-party dialers before you log on to a Windows platform. To protect system and network security, your system administrator might have disabled this feature. If this feature is dimmed, you cannot launch applications and third-party dialers before logging on to a Windows platform. You must have system administrator privileges to change this parameter.

■ Disconnecting VPN connection when logging off: This parameter controls whether or not your Cisco VPN Client connection automatically disconnects when you log off your Windows system. Disabling this parameter allows your connection to remain up during and after logoff, which allows profiles or folders to be synchronized during logoff. You would disable this parameter when using the Windows roaming profiles feature.

Note: With this feature disabled, you must completely shut down your system to disconnect your Cisco VPN Client connection.

To set Windows logon options, use the Options > Windows Logon Properties dialog box.

Preferences

[Figure: Preferences dialog box]

Preferences are configured in the Options > Preferences window. Preference options include these:

■ Save window settings: Save any changes you make to the Cisco VPN Client window.
■ Hide upon connect: Place the VPN Client window in the dock when the VPN connection is established.
■ Enable tooltips: Enable tool tips for the toolbar action buttons.
■ Enable connect history display: Enable the display of connection history information.
■ Enable accessibility options: Activate accessibility features on the Cisco VPN Client graphical user interface.
■ Enable connect on open: Causes the Cisco VPN Client to connect to the default profile when it activates.

Preconfigure Client for Remote Users

[Figure: Preconfigured client folder with vpnclient.ini and .pcf files]

An administrator can preconfigure VPN clients by placing a folder on the remote user's PC. Inside the folder is a copy of the VPN software plus two additional files:

■ vpnclient.ini: A global profile that you use to set certain vpnclient.ini field standards for all profiles. If this file is bundled with the client software when it is first installed, it automatically configures the client global parameters during installation. To mask the configuration option from the end user, add an exclamation point (!) to the beginning of the configuration parameter.

■ .pcf: Creates connection entries within the dialer application. If this file is bundled with the client software when it is first installed, it automatically configures the Cisco VPN Client connection parameters during installation. Each connection has its own .pcf file. It can be viewed and edited in Notepad. To make a parameter read-only so that the client user cannot change it within the GUI, put an exclamation mark (!) before the parameter name.
  - The remote user creates connection entries through the new connection wizard. The output of the new connection wizard is a .pcf file.
  - The administrator creates .pcf files using a text editor and places them in the local file system of the remote user: the C:\Program Files\Cisco Systems\VPN Client\Profiles directory.

Note: The easiest way to create a profile for the Windows platforms is to run the Cisco VPN Client and use the VPN Client GUI to configure the parameters. When you have created a profile in this way, you can copy the .pcf file to a distribution disk for your remote users.
This approach eliminates errors that you might introduce by typing the parameters, and the group password gets automatically converted to an encrypted format.

Verify and Troubleshoot Client Configuration

This topic describes how to use the appropriate commands on the host machine to verify that the configuration is working properly.

Verifying Client Configuration

[Figure: Cisco VPN Client window showing a connected connection entry]

One way to make sure that the configuration is correct is to make a connection. The figure shows a completed VPN connection between the Cisco VPN Client and the Cisco ASA adaptive security appliance. Notice the yellow lock on the left side of the connection entries panel. The lock indicates a secure connection. Notice the message "Connected to 'Headquarters'" in the lower-left corner of the VPN Client window.

[Figure: Cisco VPN Client Statistics window, Tunnel Details tab]

To display information about your IPsec tunnel, choose Statistics from the drop-down Status menu.
The Cisco VPN Client Statistics menu provides information regarding the current status of a VPN connection. Three tabs contain details on the tunnel, route, and firewall parameters. The figure shows the Tunnel Details tab:

■ Client address
■ VPN server address
■ Encryption statistics
■ Encryption and authentication algorithm

In this example, the connection is using 128-bit Advanced Encryption Standard (AES) encryption and has been authenticated through Hashed Message Authentication Code (HMAC)-SHA1 to the VPN server at 192.168.1.1.

Log Settings

[Figure: Log Settings window, with a logging-level drop-down for each event class]

You can change the logging levels, using the Log Settings window. To control the amount of information collected in the log, use the following procedure:

Step 1 For each of the logs that you want to change, click the Down arrow and choose from the following options that the Log Settings dialog box displays:

■ Disabled: Inhibits event reporting for the chosen class.
■ Low: Provides the least amount of information. This choice includes severity levels 1 through 3 (all faults).
■ Medium: Includes severity levels 1 through 4; all in Low plus the first level of informational events, which provide general information about the connection. Note that a first-level informational event is level 4 and appears in the event display as Info/4.
■ High: Includes severity levels 1 through 6, thus adding two levels of informational events (Info/5 and Info/6).

Caution: This setting can lower the performance of all applications on your system, so use it only when your network administrator or a support engineer suggests that you do so.

Step 2 Click OK to save or click Cancel to
cancel your changes. The following table defines the classes (modules) that generate events for the Cisco VPN Client.

Classes That Generate Events in the VPN Client

Class Name | Definition
CERT | Certificate management process (CERT), which handles getting, validating, and renewing certificates from certificate authorities. CERT also displays errors that occur as you use the application.
CLI | Command-line interface, which lets managers start and end connections, get status information, and so on, through a command line rather than using the Cisco VPN Client graphical user interface.
CM | Connection manager (CM), which drives VPN connections. CM dials a PPP device, configures IKE for establishing secure connections, and manages connection states.
CVPND | Cisco VPN Daemon (main daemon), which initializes client service and controls messaging process and flow.
GUI | Windows-only component, which handles configuring a profile, initiating a connection, and monitoring it.
FIREWALL | Firewall component, which generates events related to connections through a firewall.
IKE | Internet Key Exchange (IKE) module, which manages secure associations.
IPSEC | IPsec module, which obtains network traffic and applies IPsec rules to it.
PPP | Point-to-Point Protocol.
XAUTH | Extended authorization application, which validates a remote user's credentials.

One way to see what is happening during tunnel negotiation between the Cisco VPN Client and the Cisco VPN Concentrator is to examine messages in the IPsec Log on the VPN Client. You can use the Log Viewer application.

Troubleshooting Scenario

[Figure: Remote user connecting to Big Money Bank; "Authentication failed!"]

In this scenario, a connection attempt was made from a remote worker's home to the headquarters of Big Money Bank. The security appliance failed to set up security associations for the IKE and IPsec tunnels.
Big Money's IT department needed to set up logging levels to troubleshoot this problem from the host side of the connection. Mutual authentication, using a digital certificate, is used for this scenario.

Troubleshooting—Setting IKE Log Levels

[Figure: Log Settings window with IKE, User Authentication, Certificates, and IPsec set to High]

Because the IKE exchange and capabilities exchange are the first things that happen when a VPN connection is being set up, this lesson will examine them first. Set the log levels to High for IKE, User Authentication, Certificates, and IPsec. This should let you know of any problems with initiating the security associations needed for the VPN tunnel.

Troubleshooting—Log Window

[Figure: Log window showing the output of the connection attempt]

This figure shows the output from a connection attempt with the new logging levels. Click Save to save this log file locally for further inspection. The following figure shows a more detailed output of the captured log.

Troubleshooting—Log File

[Figure: Captured log file, showing the received ISAKMP (ID, CERT, SIG) message, the CERT class discarding the root CA certificate sent from the peer, the IKE warning "Failed to verify signature", the NOTIFY:INVALID_SIGNATURE sent back to the peer, and the IKE SA being marked for deletion]

Notice that the client receives an ISAKMP (ID, CERT, SIG) from the VPN server at 192.168.1.1. Immediately it discards the CA certificate sent from the peer.
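One way to work through a saved log like this one mechanically, as an added example that is not Cisco code: the parser below reads events in the Log Viewer's two-line layout (header line, then message line), applies the Low/Medium/High severity filters from the Log Settings procedure, and flags the discarded-CA-certificate plus failed-signature pair that this scenario produces. The sample log is constructed to follow the figure's layout; the event ids, sequence numbers and cookie value are placeholders, not values captured from a real client.

```python
"""Parser and diagnosis for Cisco VPN Client Log Viewer output (added example, not
Cisco code). Layout assumed from the page's Log Settings and Log File figures:
a header line "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Name>/<n> <CLASS>/<0xid>"
followed by the message on the next line. All sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev_name>\w+)/(?P<sev>\d)\s+(?P<cls>[A-Z]+)/(?P<event_id>0x[0-9A-Fa-f]{8})\s*$"
)
PEER_RE = re.compile(r"\bto (\d{1,3}(?:\.\d{1,3}){3})\b")

# Severity ranges behind the Log Settings choices: Low = 1-3, Medium = 1-4, High = 1-6.
LEVEL_MAX_SEVERITY = {"Low": 3, "Medium": 4, "High": 6}


@dataclass
class LogEvent:
    seq: int
    time: str
    severity: int      # 1-3 faults, 4-6 informational
    cls: str           # CERT, IKE, IPSEC, XAUTH, ... (see the class table above)
    event_id: str
    message: str


def parse_log(text: str) -> List[LogEvent]:
    """Pair each header line with the message line that follows it."""
    lines = [line.rstrip() for line in text.splitlines()]
    events: List[LogEvent] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1                      # skip blank lines or anything unrecognised
            continue
        has_msg = i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1])
        message = lines[i + 1].strip() if has_msg else ""
        events.append(LogEvent(int(m["seq"]), m["time"], int(m["sev"]),
                               m["cls"], m["event_id"], message))
        i += 2 if has_msg else 1
    return events


def filter_level(events: List[LogEvent], level: str) -> List[LogEvent]:
    """Keep only the events a given Log Settings level would have recorded."""
    return [e for e in events if e.severity <= LEVEL_MAX_SEVERITY[level]]


def diagnose_certificate_failure(events: List[LogEvent]) -> Optional[Dict[str, object]]:
    """Report the scenario's failure pattern: CERT discards the CA certificate sent by
    the peer and IKE then fails to verify the signature. That combination means the
    CA that signed the peer's identity certificate is not the CA this client trusts."""
    discarded = [e for e in events
                 if e.cls == "CERT" and "discarding" in e.message.lower()
                 and "cert" in e.message.lower()]
    sig_failed = [e for e in events
                  if e.cls == "IKE" and "failed to verify signature" in e.message.lower()]
    if not (discarded and sig_failed):
        return None
    peer = None
    for e in events:                       # the NOTIFY tells us which peer was rejected
        if "INVALID_SIGNATURE" in e.message:
            found = PEER_RE.search(e.message)
            if found:
                peer = found.group(1)
    return {
        "peer": peer,
        "event_seqs": [discarded[0].seq, sig_failed[0].seq],
        "cause": "peer identity certificate signed by a CA this client does not trust",
        "check": "compare the client's CA Store issuer with the issuer of the ASA identity certificate",
    }


# Constructed sample in the figure's layout; ids, sequence numbers and cookie are placeholders.
SAMPLE_LOG = """\
550   16:15:47.052  01/24/08  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.1.1
551   16:15:47.052  01/24/08  Sev=Info/5  CERT/0x63600008
Discarding ROOT CA cert sent from peer
552   16:15:47.052  01/24/08  Sev=Warning/2  IKE/0x6300007E
Failed to verify signature
554   16:15:47.052  01/24/08  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to 192.168.1.1
557   16:15:47.052  01/24/08  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=PLACEHOLDER) reason = INVALID_SIGNATURE
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in filter_level(evs, "High"):
        print(f"{e.seq} Sev={e.severity} {e.cls}/{e.event_id}: {e.message}")
    print(diagnose_certificate_failure(evs))
```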
The reason given in the next message was that it "Failed to verify signature." The rest of the message shows the client sending notifications back to the security appliance, explaining why it is terminating the VPN connection. You will want to check the certificates that the Cisco VPN Client has installed.

[Figure: Cisco VPN Client Certificates tab showing the certificate in the CA Store]

The window shows that there is a valid CA certificate installed in the VPN client. Follow this procedure to verify the installed CA certificate.

Step 1 Choose the Certificates tab of the main window.
Step 2 Choose the certificate that is stored in the CA Store.
Step 3 Click the Verify toolbar action button.
Step 4 The VPN Client dialog box should say "Certificate xxx.xyz.com is valid." Click OK.

This procedure showed that the CA certificate that is verifying this client's identity is valid. The security appliance serving as the VPN server should also trust that same CA.

CA Certificate Details

[Figure: CA certificate details on the VPN client machine]

To find out which CA server signed the CA certificate, you need to view the CA certificate details. This figure shows the details of the CA certificate on the VPN client machine. Note that the issuer name is ciscoasa.cisco.com. This is the CA server that should be signing the Cisco ASA identity certificate also. The next step would be to find out which CA is signing the Cisco ASA identity certificate.

[Figure: ASDM Identity Certificates pane and Certificate Details dialog box]

This figure displays the CA that signed the Cisco ASA identity certificate. Follow these steps to view the identity certificate details for the Cisco ASA security appliance, using the ASDM.

Step 1 Expand the Configuration > Remote Access VPN > Certificate Management > Identity Certificates panel.
Step 2 Choose Identity Certificates.
Step 3 Click the Show Details button on the right side of the panel.
Step 4 Choose the Issued by tab of the Certificate Details dialog box.
Step 5 Note the name of the CA server that signed the Cisco ASA identity certificate.

Solution

In this case, the problem turned out to be two different CA certificates being presented between the VPN server (Cisco ASA) and the VPN client that was attempting to establish a secure tunnel. The client's certificate was signed by the CA server ciscoasa.cisco.com.

Summary

This topic summarizes the key points that were discussed in this lesson.

■ The Cisco VPN Client provides many features and benefits allowing organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers.
■ A basic installation of the Cisco VPN Client requires installing the client and creating at least one connection.
■ Client configuration includes configuring authentication, transport, backup servers, and dial-up.
■ Advanced client configuration includes configuring options such as application launcher and Windows logon, logging, and preferences.
■ The Cisco VPN Client Statistics menu provides information regarding the current status of the VPN connection.
■ Setting log levels and saving log files help to troubleshoot from the client viewpoint of the connection.

Lesson 4

Implementing Remote-Access VPNs with Digital Certificates

Overview

Establishing a virtual private network (VPN) connection between a remote VPN user and the central site can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of both ends.
The Cisco Remote-Access VPN feature eliminates much of this work by implementing the Cisco VPN Client client/server protocol, which allows most VPN parameters to be defined at a Cisco VPN Server—typically a security appliance or router running a secure Cisco IOS Software. After the Cisco VPN Server has been configured, a VPN connection can be created with minimal configuration on a Cisco VPN Remote client. This lesson guides you through the configuration of Cisco Remote-Access VPN on the security appliance, using digital certificates for authentication.

Objectives

Upon completing this lesson, you will be able to configure the security appliance for remote access, using digital certificates. This ability includes being able to meet these objectives:

■ Describe the components of remote-access VPNs.
■ Describe the general tasks for configuring a Cisco ASA adaptive security appliance to support Cisco VPN Remote Client access.
■ Configure the Cisco ASA security appliance to use digital certificates manually.
■ Define an address pool for remote-access VPN connections.
■ Explain the user policy inheritance that is determined by the Cisco ASA appliance.
■ Configure an IPsec connection profile to support digital certificates.
■ Use Cisco ASDM graphs and show commands to verify the operation of remote-access VPNs.
■ Use logging and debug commands to troubleshoot remote-access VPNs.

Remote-Access VPNs

This topic describes the components of remote-access VPNs.

[Figure: Remote-Access VPNs: a telecommuter (Microsoft Windows/Mac OS X, L2TP/IPsec, clientless or AnyConnect, or SSL VPN Client (SVC)) and an extranet user connect across the Internet to the security appliance at the central site, where the VPN tunnel terminates]

Remote-access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet. Remote-access VPNs are typically composed of a client and a VPN server, although external authentication and authorization servers can be used in more complex networks.
The VPN client is usually a mobile worker, a home teleworker, or an extranet partner that needs remote access. Typically, a security appliance is used as the VPN server with which the various clients will establish secure tunnels. Clients will need minimum configuration because the server will be used to push the secure parameters down to the clients as they establish a secure tunnel.

Configuring a Cisco ASA for Remote Access

This topic describes the general tasks for configuring a Cisco ASA security appliance to support Cisco VPN Remote Client access using digital certificates.

[Figure: Configuring a Cisco ASA for Remote Access: 1. Install certificates on the Cisco ASA to use for remote-access clients. 2. Create an address pool to assign remote users for local access. 3. Create an IPsec connection profile. 4. Configure a certificate-to-connection profile policy.]

Configuring a security appliance for remote access requires the following procedures:

1. Install certificates on the Cisco ASA to use with remote-access VPN clients.
2. Create an IP address pool to be used for remote-access VPN clients.
3. Create an IPsec profile to use with IPsec remote-access VPN clients.
4. Configure the certificate-to-connection profile policy to map the certificate to the new connection profile.

The following sections guide you through the process of configuring the Cisco ASA security appliance for remote access.

Installing Cisco ASA Certificates

This topic describes how to manually configure the Cisco ASA to use digital certificates.

[Figure: Installing Cisco ASA Certificates: retrieve and install a CA certificate; enroll with the CA whose certificate was retrieved; retrieve and install the identity certificate issued by the CA]

The identity certificate installation process is virtually the same for the security appliance as it was for the VPN client. There are three processes to complete, as follows:

1. Retrieve and install a CA certificate.
2. Enroll with the CA whose certificate you installed.
3. Retrieve and install the identity certificate issued by the CA.

The next few sections will take you through the complete process of configuring the Cisco ASA security appliance for digital certificates.

Installing a CA Certificate

This topic describes how to install a CA certificate.

[Figure: Microsoft Certificate Services main web page]

The process for installing a CA certificate is the same as for the Cisco VPN Client. Complete these steps to install a CA certificate in the Cisco ASA security appliance, using a Microsoft CA server:

Step 1 Bring up the CA certificate main page by entering http://name or ip-address/certsrv. The main window should appear as in the figure.
Step 2 Click the Download a CA Certificate, Certificate Chain, or CRL link. The Download a CA Certificate pane should appear as in the next figure.

[Figure: Download a CA Certificate, Certificate Chain, or CRL page]

This window lets you download a CA certificate, download a certificate chain, download the latest CRL, and choose the content-transfer-encoding method. Offered are two methods of transfer-encoding:

■ DER: A message transfer syntax that is specified by the ITU in X.690. It is a method for encoding a data object, such as an X.509 public key infrastructure (PKI) certificate, to be digitally signed or to have its signature verified.

■ Base 64: A specific Multipurpose Internet Mail Extensions (MIME) content transfer encoding. Base 64 encoding encodes binary data by treating it numerically and translating it into a base 64 representation. The MIME specification, defined in RFC 2045, lists "base64" as one of several binary-to-text encoding schemes. The MIME base64 encoding is based on that of the RFC 1421 version of Privacy Enhanced Mail (PEM). It uses the same 64-character alphabet and encoding mechanism as PEM and uses the "=" symbol for output padding.

Step 3 Because the Cisco ASA security appliance does not have a DER option when installing a certificate, check the Base 64 radio button.
Step 4 Click the Download CA certificate link. The File Download window will appear.

Saving the CA Certificate

[Figure: File Download and Save As windows]

Once you retrieve the certificate, you must save it to the local machine.

Step 5 Click Save in the File Download window. The Save As window will appear.
Step 6 Give the file a unique name and save it to the local machine.

After retrieving the CA certificate and storing it on the local machine, you must open the Cisco Adaptive Security Device Manager (Cisco ASDM) and install the CA certificate.

[Figure: ASDM CA Certificates pane]

Use the CA Certificates pane to install a new CA certificate. Complete the following steps to install a new CA certificate.

Step 1 Navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates.
Step 2 Click the Add button on the right side of the pane. The Install Certificate window will appear as in the next figure.

Installing a CA Certificate

[Figure: Install Certificate window]

To finish installing the CA certificate, complete the following steps:

Step 3 Click the Install from a File radio button.
Step 4 Use the Browse button or input the name of the CA certificate file that was previously saved to the local machine. In this figure, the filename is MS_CA.cer.
Step 5 Click the Install Certificate button. You should receive a "CA certificate installed successfully" message in the CA Certificate Installation window.

[Figure: CA Certificates pane showing the newly installed CA certificate]

The newly installed CA certificate should be visible in the CA Certificates pane.
Information displayed in the CA Certificates pane includes these items:

■ Issued To
■ Issued By
■ Expiry Date
■ Usage

After the CA certificate has been installed, the next step in the process is enrolling with the CA. The procedure for enrolling with the CA follows.

Enrolling with a CA

This topic describes how to submit a Cisco ASA certificate request to a Microsoft CA server.

Enrolling with a CA: Creating a Certificate Request

[Figure: ASDM Identity Certificates pane]

Complete these steps to create a certificate request.

Step 1 Open the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane. The pane should appear as in the figure.
Step 2 Click the Add button on the right side of the pane. The Advanced Options window should appear as in the next figure.

Advanced Options

[Figure: Advanced Options window with the Certificate Parameters, Enrollment Mode, and SCEP Challenge Password tabs]

To create a certificate request, you must set the proper parameters. The Advanced Options window allows you to set the proper parameters for a certificate request from a CA. The Advanced Options window has three tabs:

■ Certificate Parameters
■ Enrollment Mode
■ SCEP Challenge Password

Complete these steps to set the parameters for the certificate request:

Step 1 Choose the Certificate Parameters tab.
Step 2 Input the fully qualified domain name (FQDN) for this certificate.
Step 3 Choose the Enrollment Mode tab.
Step 4 Check the Request by manual enrollment radio button.
Step 5 Click OK. The Identity Certificate Request opens as in the next figure.

In the preceding example, the FQDN is ciscoasa.cisco.com and the enrollment mode is manual.

[Figure: Identity Certificate Request window]

The Public-Key Cryptography Standard #10 (PKCS #10) certificate request will be saved to the local machine so that it can be pasted into the web page of the CA when performing a manual enrollment for the Cisco ASA security appliance.
Complete the following steps to save the identity certificate request to your desktop:
Step 6 Use the Browse button to choose, or type, the name of the PKCS #10 file.
Note Save the file as a text file.
Step 7 Click OK. You should see the certificate as "pending," as in the next figure.

The preceding example shows that the name of the saved file will be "ciscoasa.txt."

This figure shows the pending certificate request. The Identity Certificates pane now shows the following attributes for the certificate:
■ Issued to = username.domain
■ Issued by = Not Available
■ Expiry Date = Pending
■ Usage = Unknown

The PKCS #10 certificate request has been saved and now must be presented to the CA for manual enrollment.

Requesting a Certificate
This subtopic describes how to request a certificate. Requesting a certificate from the CA requires the same procedure as when requesting the Cisco VPN Client certificate. The procedure is summarized here:
Step 1 Bring up the CA certificate main page by entering http://name-or-ip-address/certsrv. The main window should appear as in this figure.
Step 2 Click the Request a Certificate link. The Request a Certificate window opens.
Step 3 Choose the Advanced Certificate Request link. The Advanced Certificate Request page opens.
Step 4 Click the Submit a Certificate Request by Using a Base-64-Encoded CMC or PKCS #10 File, or Submit a Renewal Request by Using a Base-64-Encoded PKCS #7 File link. The Submit a Certificate Request or Renewal Request window opens.
Step 5 Paste the contents of the PKCS #10 file into the Saved Request pane.
Step 6 Click the Submit button. The Certificate Pending window opens.
Step 7 The CA administrator should issue the certificate at this point.
Step 8 After the appropriate amount of time, return to the CA server web page and check the status of the certificate.
Step 9 Bring up the CA certificate main page by entering http://name-or-ip-address/certsrv again.
Step 10 Click the View the Status of a Pending Certificate Request link from the main window. The Pending Certificate Request window should appear.

This example shows links for submitting and viewing the status of a request. The figure also shows the message that you receive when you make a request and before a certificate has been issued.

Retrieving a Request
This subtopic describes how to retrieve the certificate issued for a pending request.

Retrieving and Installing an Identity Certificate
The pending request must be retrieved in the proper format. Complete the following steps to retrieve the pending request.
Step 1 Click the Saved Request link. The Certificate Issued window appears.
Step 2 Click the Base 64 Encoded radio button.
Step 3 Click the Download Certificate link. The File Download security warning appears as in the next figure.

In the preceding figures, you see the saved certificate request link and the choice of DER or Base 64 encoding for the file MIME content-transfer-encoding. When you click the Download Certificate link, the file download process begins. The Base 64 form has the advantage that you can open it in a text editor and confirm that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are intact before you install it; the DER form is binary.

Saving the Certificate File
Give the certificate file a unique name and make a note of where you save the file. Complete the following steps to save the certificate file to the local machine.
Step 4 Click the Save button in the File Download - Security Warning window. The Save As window opens.
Step 5 Give the file a unique name and click the Save button in the Save As window.

The only procedure left to do is to install the retrieved certificate on the security appliance. That procedure follows. In the example in the figure, the file named ciscoasa.cer will be saved to the desktop.
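A check worth running before the Install step, as an added example that is not part of the student guide or of Cisco's software: the Python script below reads the file you saved (ciscoasa.cer in the example), tells you whether it is the Base 64 (PEM) or the DER form, and verifies that the certificate payload is exactly one complete ASN.1 SEQUENCE, which is how a Base 64 body that was cut short, a missing END line, or stray bytes after the certificate show up. The certificate bytes it is demonstrated on are constructed (a minimal SEQUENCE, not a real X.509 certificate); the path you pass to inspect_path() is whatever file you saved.

```python
"""Sanity-check a certificate file retrieved from the CA before installing it.

Added example; not from the SNAA student guide.  SAMPLE_DER below is a
constructed minimal ASN.1 SEQUENCE, not a real X.509 certificate.
"""
import base64
import re
from typing import Dict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length(data: bytes) -> int:
    """Total encoded size (tag + length octets + content) of the outer
    SEQUENCE, or -1 if data does not begin with a well-formed SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n length octets
    if n == 0 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def inspect_certificate_file(blob: bytes) -> Dict[str, object]:
    """Classify blob as PEM or DER and verify that the DER payload is one
    complete SEQUENCE (not truncated, not followed by stray bytes)."""
    text = blob.decode("ascii", errors="replace")
    m = PEM_RE.search(text)
    if m:
        fmt = "PEM"
        body = "".join(m.group(1).split())         # drop line breaks/spaces
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:                         # binascii.Error subclasses it
            return {"format": fmt, "complete": False, "reason": "invalid Base 64"}
    else:
        fmt = "DER"
        der = blob
    expected = der_length(der)
    if expected < 0:
        return {"format": fmt, "complete": False,
                "reason": "payload does not start with a DER SEQUENCE"}
    if expected != len(der):
        return {"format": fmt, "complete": False,
                "reason": f"SEQUENCE header says {expected} bytes, file has {len(der)}"}
    return {"format": fmt, "complete": True, "der_bytes": len(der)}


def inspect_path(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk (for example ciscoasa.cer)."""
    with open(path, "rb") as fh:
        return inspect_certificate_file(fh.read())


# Constructed sample: SEQUENCE { INTEGER 65537 }, 7 bytes in total.
SAMPLE_DER = bytes.fromhex("3005" "0203010001")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n").encode("ascii")

if __name__ == "__main__":
    print(inspect_certificate_file(SAMPLE_PEM))          # complete PEM
    print(inspect_certificate_file(SAMPLE_PEM[:-32]))    # END marker cut off
```

The length check is deliberately shallow: it does not parse the certificate, so it cannot tell you that the file is the certificate for your request, only that the bytes you are about to install are whole. The Install step itself matches the certificate to the key pair of the trustpoint that created the request.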
Installing an Identity Certificate
This topic describes how to install a newly retrieved identity certificate on the security appliance.

Return to the Identity Certificates pane to finish installing the identity certificate. Complete these steps to install an identity certificate.
Step 1 Open the Identity Certificates pane. You should see the pending request.
Step 2 Click the Install button on the right side of the pane. The Install Identity Certificate window opens.
Step 3 Use the Browse button, or type the name of the certificate file that was previously saved.
Step 4 Click the Install Certificate button. You should receive a "Certificate import succeeded" message in the Information dialog box.
Step 5 Click OK in the Information dialog box. You should see the newly installed identity certificate as in the next figure.

The certificate can only be installed on the security appliance that generated the request, because the private key of the key pair never leaves the appliance; the security appliance matches the certificate against the key pair of the trustpoint that created the request.

The identity certificate now has the following parameters:
■ Issued to = username.domain
■ Issued by = CA server
■ Expiry Date = Valid date and time
■ Usage = General purpose

You have now installed both a CA certificate and an identity certificate for the Cisco ASA security appliance to use when allowing remote VPN client access. Those clients will need addresses assigned because they will be located on remote networks. Local addresses will need to be assigned to incoming VPN users requesting access to the corporate network.

Defining a Remote-Access Address Pool
This topic describes how to define an address pool for remote-access VPN connections.

(Figure: Creating an Address Pool for Remote Access; the Add IP Pool dialog with fields for the name of the address pool, the address range for clients, and the subnet mask.)

The security appliance requires a method for assigning IP addresses to users. A common method is to use address pools.
The alternatives are having a DHCP server assign the addresses or having an authentication, authorization, and accounting (AAA) server assign them.

The Address Pools window lets you add local address pools for remote users. The figure shows the Address Pools pane. Complete the following steps to create a local address pool for remote VPN clients.
■ Open the Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools pane.
■ Click the Add button in the Address Pools window. The Add IP Pool window appears.
■ Give the pool a unique name. In the example, the name given is RA_Clients.
■ Specify a starting address. In the example, the starting address is 10.0.1.20.
■ Specify an ending address. In the example, the ending address is 10.0.1.50.
■ Specify the subnet mask for the addresses. In the example, the subnet mask is 255.255.255.0.
■ Click OK in the Add IP Pool window.
■ Click Apply in the Address Pools pane. The newly created address pool will appear in the Address Pools pane as in the next figure.

This figure shows the newly created address pool with the information previously configured. This pool can be used to assign addresses to remote-access VPN clients that are connecting to the Cisco ASA security appliance. Whatever range you choose, make sure that it is not also handed out by a DHCP server or assigned statically to hosts on the inside network, and that inside hosts have a route back to it; a pool carved out of the inside subnet, as in this example, must be excluded from the inside DHCP scope.

User Policy Attribute Inheritance
This topic describes how user policy attributes are determined.

Policy Objects
■ Tunnel Group and Connection Profile: pre-login attributes
■ Group Policy (Internal and External): post-login attributes
■ User Attributes and Policy (Internal and External): user-specific attributes
■ Dynamic Access Policy: dynamically created policies based on multiple input sources (location, directory attributes, PC attributes)

Policy attributes can reside locally, as defined on the Cisco ASA (internal), or as values returned from queries to external AAA servers such as RADIUS and LDAP.
The Cisco ASA security appliance has different policy objects that an administrator can use to define policy for a user or a group of users. Within each policy object, user policy attributes can be configured by the administrator, or user policy attributes can be inherited from a less specific policy.

Here is a list of the policy objects that are configurable on the Cisco ASA security appliance:
■ Tunnel Group/Connection Profile: A tunnel group or connection profile consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Connection profiles include a small number of attributes that pertain to creating the tunnel itself, and a pointer to a group policy that defines user-oriented attributes.
■ Group Policy: A group policy is a set of user-oriented attribute and value pairs for VPN connections that are stored either locally (internal) on the device or on a AAA server (external) such as RADIUS or Lightweight Directory Access Protocol (LDAP). The connection profile uses a group policy that sets the terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.
■ User Attributes/Policy: By default, users inherit all user attributes from the assigned group policy. The security appliance also lets you assign individual attributes at the user level, overriding values in the group policy that applies to that user. As with group policy, user attributes and policy can be configured either locally (internal) on the device or on a AAA server (external) such as RADIUS or LDAP.
■ Dynamic Access Policy: Dynamic access policies (DAP) are complementary to, and work in conjunction with, the AAA system. DAP provides a configurable set of authorization attributes that can override the authorization attributes obtained from the AAA system. This ability to override is useful where the connecting endpoint is not static and its circumstances may have changed in terms of location and security posture. Configured DAP records contain attributes that are aggregated to produce a policy that dictates the access that an endpoint matching the record is permitted, based on its AAA authorization or endpoint assessment. These attributes also address issues of multiple group membership. DAP supports not only clientless Secure Sockets Layer (SSL) VPN and the Cisco AnyConnect VPN Client, but also IPsec remote access.

User Attribute Specification
The security appliance can apply policy attribute values from a variety of policy objects. It applies them according to the following hierarchy, highest priority first:
1. DAP attributes
2. User attributes
3. External/mapped user policy attributes
4. External/mapped group policy attributes
5. Group policy attributes from the connection profile
6. Default group policy (DfltGrpPolicy)

Therefore, DAP attributes have a higher priority than the attributes configured for a user, user attributes have a higher priority than those from a group policy, and so on. If an attribute is not configured at any of the higher levels, the DfltGrpPolicy value for that attribute is applied.
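The hierarchy above can be written down as a small resolver. The Python below is an added example, not code from the student guide or from the Cisco ASA: it walks the six levels in the order listed, returns the winning value together with the level it came from, and also reports each level as Configured, Inherits, or Ignored, which is the view of the Policy Application figure that follows. The attribute names are real group-policy attributes (vpn-idle-timeout, split-tunnel-policy, banner, vpn-simultaneous-logins, plus a network ACL pushed by a DAP record); the values at each level are constructed.

```python
"""Model of how the ASA resolves the effective value of a policy attribute.

Added example; not from the SNAA student guide.  The six levels are the
hierarchy the guide lists; the attribute values at each level are made up.
"""
from typing import Any, Dict, Tuple

# Highest priority first.  A level that does not define an attribute
# "inherits" it from the next level down.
LEVELS = [
    "DAP",             # 1. dynamic access policy attributes
    "User",            # 2. user attributes configured on the ASA
    "External User",   # 3. external/mapped user policy (RADIUS, LDAP)
    "External Group",  # 4. external/mapped group policy
    "Group Policy",    # 5. group policy named in the connection profile
    "DfltGrpPolicy",   # 6. default group policy, defines every attribute
]

Policies = Dict[str, Dict[str, Any]]   # level -> {attribute: value}


def resolve(attr: str, policies: Policies) -> Tuple[Any, str]:
    """Return (value, level) for attr: the first level, from DAP down, that
    configures it wins and everything below it is ignored."""
    for level in LEVELS:
        if attr in policies.get(level, {}):
            return policies[level][attr], level
    raise KeyError(f"{attr!r} is not configured at any level, not even DfltGrpPolicy")


def application_table(attr: str, policies: Policies) -> Dict[str, str]:
    """Per-level status for attr, in the terms of the guide's Policy
    Application figure: 'configured' (this level's value is in effect),
    'ignored' (configured here but overridden from a higher level) or
    'inherits' (not configured here)."""
    _, winner = resolve(attr, policies)
    table: Dict[str, str] = {}
    below_winner = False
    for level in LEVELS:
        if level == winner:
            table[level] = "configured"
            below_winner = True
        elif below_winner and attr in policies.get(level, {}):
            table[level] = "ignored"
        else:
            table[level] = "inherits"
    return table


def effective_policy(policies: Policies) -> Dict[str, Tuple[Any, str]]:
    """Resolve every attribute mentioned at any level."""
    attrs = set()
    for values in policies.values():
        attrs.update(values)
    return {a: resolve(a, policies) for a in sorted(attrs)}


# Constructed example, in the spirit of the guide's features A-D:
#   A = vpn-idle-timeout        configured at User and External Group
#   B = split-tunnel-policy     configured at External Group and Group Policy
#   C = banner                  configured only in the group policy
#   D = vpn-simultaneous-logins left entirely to DfltGrpPolicy
#   plus a network ACL pushed by a DAP record, which outranks everything.
EXAMPLE: Policies = {
    "DAP":            {"network-acl": "DAP_QUARANTINE_ACL"},
    "User":           {"vpn-idle-timeout": 10},
    "External Group": {"vpn-idle-timeout": 60,
                       "split-tunnel-policy": "tunnelspecified"},
    "Group Policy":   {"split-tunnel-policy": "tunnelall",
                       "banner": "Authorized use only"},
    "DfltGrpPolicy":  {"vpn-idle-timeout": 30,
                       "split-tunnel-policy": "tunnelall",
                       "banner": "",
                       "vpn-simultaneous-logins": 3},
}

if __name__ == "__main__":
    for attr, (value, level) in effective_policy(EXAMPLE).items():
        print(f"{attr:25} = {value!r:25} from {level}")
    print(application_table("vpn-idle-timeout", EXAMPLE))
```

The point the model makes explicit is that a value set at a lower level is not merged with a higher one; it is simply never consulted. An idle timeout of 60 minutes in the external group policy has no effect on a user who has 10 minutes set at the user level, and the DAP ACL applies even though no group policy mentions it.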
Policy Application
(Figure: Policy Application for an internal user with an internal policy. For each of features A, B, C, and D, each policy level is marked Configured, Inherits, or Ignored.)

In this example, an internal user with an internal policy has features A, B, C, and D configured at various levels of policy objects. When feature A is configured at the user level (the highest level in this example), all lower-level configurations of that attribute are ignored, because the user level takes precedence over the lower levels. A feature that is not configured at a higher level is inherited from the next lower level at which it is configured. Once the feature is found configured at a particular level, any configurations of it at lower levels are ignored, because the higher-level configuration takes precedence.

Configuring an IPsec Connection Profile
This topic describes how to configure an IPsec connection profile to support digital certificates.

(Figure: Configuring RA Using IPsec Connection Profiles; the IPsec Connection Profiles pane under Configuration > Remote Access VPN.)

The parameters in the IPsec Connection Profiles window let you configure IPsec remote-access connections. Most of the parameters in this section were previously configured under tunnel groups. An IPsec connection profile represents a connection-specific record for IPsec.

Complete the following tasks to configure a security appliance for remote access with Cisco VPN Client remote clients, using digital certificates.
Step 1 Open the Configuration > Remote Access VPN > Network (Client) Access > IPsec Connection Profiles window.
Step 2 Check the Allow Access box for the outside interface.
Step 3 Click the Add button in the Connection Profiles pane. The Add IPsec Remote Access Connection Profile window appears as in the next figure.
Adding a Profile
Basic profile configuration can be accomplished from the Add IPsec Remote Access Connection Profile configuration pane. Complete the following steps to configure the profile to use digital certificates.
Step 4 Give the connection profile a unique name.
Step 5 For IKE Peer Authentication, select the identity certificate of the Cisco ASA security appliance.
Step 6 For Client Address Assignment, select the address pool that was defined in the previous topic.
Step 7 Click OK at the bottom of the profile configuration window.

The figure shows a connection profile named RA_Clients that uses an identity certificate for IKE peer authentication, uses a local client address pool, and allows IPsec as the client protocol.

The newly created IPsec connection profile (tunnel group) will now be viewable in the IPsec Connection Profiles pane. Notice that the certificate is displayed in the Identity Certificate column. Also notice that access to the outside interface has been enabled. The only thing left to do is to map client certificates to the correct connection profile. The next section describes that process.

Configuring the Certificate to Connection Profile Policy
This topic describes how to modify the certificate to connection profile policy so that the certificate presented by a remote client is mapped to the proper group.

To apply the policy to the proper connection, you must modify the certificate to connection profile policy. You will need to map the certificate that the remote client uses for IKE authentication to a connection profile. Selecting the identity certificate in the connection profile (Step 5) determines how the security appliance authenticates itself to the client; the certificate map determines which connection profile the client lands in, based on the contents of the certificate that the client presents.
The Certificate to Connection Profile Maps Policy pane allows you to define the parameters for certificate to connection profile matching. Complete the following steps to map certificates to the appropriate tunnel group.
Step 1 Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Certificate to Connection Profile Maps > Policy window, as in the figure.
Step 2 Check Use the Configured Rules to Match a Certificate to a Group to configure the Cisco ASA security appliance to use rules to match certificates to connection profiles.

Criterion
The Rules pane allows you to configure rules that will be used to match certificates to connection profiles based on matching criteria. The following parameters are available in the Add/Edit Certificate Matching Rule dialog box.
■ Map: Choose one of the following:
— Existing: Choose an existing map name.
— New: Enter a new map name for a rule. In the example, Boston was chosen.
■ Priority: Type a number to specify the sequence in which the security appliance evaluates the map when it receives a connection request. The security appliance evaluates each connection against the map with the lowest priority number first. The default priority is 10.
■ Mapped to Connection Profile: Choose the connection profile to map to this rule. In the example, a predefined connection profile, RA_Clients, was chosen as the tunnel group.

To configure a certificate to connection profile map, complete the following steps:
Step 1 Open the Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Certificate to Connection Profile Maps > Rules pane.
Step 2 In the Certificate to Connection Profile Maps pane, click the Add button. The Add Certificate Matching Rule window opens.
Step 3 Click the New radio button and enter a name into the Name field. In the example, the map is named Boston.
Step 4 In the Priority field, enter a number to specify the sequence in which the security appliance evaluates the map when it receives a connection request. The default of 10 was entered.
Step 5 From the Mapped to Connection Profile drop-down menu, select a predefined tunnel group. In the example, the predefined tunnel group RA_Clients was chosen.
Step 6 Click OK.

After a rule has been defined, you must create a matching criterion for the rule. The following parameters are available on the Add Certificate Matching Rule Criterion pane:
■ Rule Priority: (Display only.) The previously configured sequence number with which the security appliance evaluates the map when it receives a connection request. The security appliance evaluates each connection against the map with the lowest priority number first.
■ Mapped to Group: (Display only.) The previously configured connection profile to which the rule is mapped.
■ Field: Choose the part of the certificate to be evaluated from the drop-down list:
— Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
— Alternative Subject: The subject alternative names extension allows additional identities to be bound to the subject of the certificate.
— Issuer: The CA or other entity (jurisdiction) that issued the certificate.
■ Component: (Applies only if Subject or Issuer is selected.) Choose the certificate attribute used in the rule.
■ Operator: Choose the operator used in the rule:
— Equals: The distinguished name field must exactly match the value.
— Contains: The distinguished name field must include the value within it.
— Not Equal: The distinguished name field must not match the value.
— Does Not Contain: The distinguished name field must not include the value within it.
■ Value: Enter up to 255 characters to specify the object of the operator.

To configure a certificate matching rule criterion, complete the following steps:
Step 7 In the Mapping Criteria pane, click the Add button. The Add Certificate Matching Rule Criterion window opens.
Step 8 From the Field drop-down menu, select the part of the certificate to be evaluated: Subject, Alternative Subject, or Issuer. In this example, Subject was chosen.
Step 9 From the Component drop-down menu, select the component of the certificate to be evaluated. In the example, the O (organization) component was selected.
Step 10 From the Operator drop-down menu, select the operator. In the example, Equals was chosen.
Step 11 In the Value field, enter the component value. In the example, the organization name carried by the client certificates is entered.
Step 12 Click OK.

In the example, certificates whose O field equals the configured value (shown truncated as "trai" in the figure) are assigned to the RA_Clients connection profile. All other, nonmatching remote certificates are assigned to the DefaultRAGroup profile. Note that a rule on the Subject alone places any certificate from any CA the security appliance trusts into the profile, as long as that one field matches; if more than one CA is trusted, add an Issuer criterion to the same rule so that both must match.

Certificate to Connection Profile Complete
The IPsec connection profile, address pool, and certificate to group matching are now complete, and the Cisco ASA security appliance should be ready to accept incoming requests from remote VPN clients.

Verifying Remote-Access VPNs
This topic describes how to verify the configuration of remote-access VPNs.

You can use Cisco ASDM and command-line interface (CLI) commands to verify remote-access VPN operation.

Using Cisco ASDM
The IPsec Tunnels window can be used to verify the operation of a remote-access VPN connection.
Complete the following steps to monitor IPsec VPN tunnels.
Step 1 Open the Monitoring > VPN > VPN Connection Graphs > IPsec Tunnels window.
Step 2 Move IPsec Tunnels, IPsec Active Tunnels and IPsec Tunnels, IKE Active Tunnels from the Available Graphs column to the Selected Graphs column.
Step 3 Click the Show Graphs button at the bottom of the pane to view the graphs.
Step 4 Start a connection to the Cisco ASA security appliance, using the Cisco VPN Client installed on a remote computer.

Verifying Remote-Access VPNs (Cont.)
The graphs should show an IPsec tunnel session that has been started by a remote client. The figure shows the session count jumping from zero to one.

show crypto isakmp sa
(Figure: output of show crypto isakmp sa for the test connection. Legible fields: Active SA; Rekey SA, with the note that a tunnel reports 1 Active and 1 Rekey SA during rekey; Total IKE SA; and one IKE Peer entry with Type: user, Role: responder, Rekey: no, State: MM_ACTIVE.)

To display the IKE run-time SA database, use the show crypto isakmp sa command.

show crypto isakmp sa [detail]

Syntax Description
detail   Displays detailed output about the SA database.

Information from the show crypto isakmp sa command may include the following:
■ Active SAs
■ Total IKE SAs
■ IKE peer addresses
■ State of the connection

A state of MM_ACTIVE means that IKE Phase 1 (main mode, which is what certificate authentication uses) completed and the security association is in use. A peer listed in any other state has not completed Phase 1, and no IPsec SAs will exist for it yet.

show crypto ipsec sa
(Figure: output of show crypto ipsec sa for the test connection. Legible fields: interface: outside; Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535; local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0); remote ident (addr/mask/prot/port): (10.0.1.20/255.255.255.255/0/0); current_peer: 192.168.1.6, username: davidl.cisco.com; dynamic allocated peer ip: 10.0.1.20; packet statistics.)

To display a list of IPsec SAs, use the show crypto ipsec sa command.
The figure displays the output of this command.

show crypto ipsec sa [entry | identity | map map-name | peer peer-addr] [detail]

Syntax Description
detail          (Optional) Displays detailed error information on what is displayed.
entry           (Optional) Displays IPsec SAs sorted by peer address.
identity        (Optional) Displays IPsec SAs sorted by identity, not including Encapsulating Security Payloads (ESPs). This is a condensed form.
map map-name    (Optional) Displays IPsec SAs for the specified crypto map.
peer peer-addr  (Optional) Displays IPsec SAs for the specified peer IP addresses.

Information in the output of this command includes the following:
■ Interface used for the tunnel
■ Crypto map
■ Current peer
■ Username of the current peer
■ Packet statistics
■ Local and remote crypto endpoints

show vpn-sessiondb remote
(Figure: output of show vpn-sessiondb remote for the test connection. Legible fields: Session Type: IPsec; Assigned IP: 10.0.1.20; Public IP: 192.168.1.6; Encryption: 3DES AES128; Hashing; Bytes Tx; Bytes Rx; Group Policy; Tunnel Group: RA_Clients; Login Time.)

To display information about VPN sessions, use the show vpn-sessiondb command. The command includes options for displaying information in full or in detail, lets you specify the type of sessions to display, and provides options to filter and sort the information.

show vpn-sessiondb [detail] [full] {remote | l2l | index indexnumber | webvpn | email-proxy} [filter {name username | ipaddress IPaddr | a-ipaddress IPaddr | p-ipaddress IPaddr | tunnel-group groupname | protocol protocol-name | encryption encryption-algo}] [sort {name | ipaddress | a-ipaddress | p-ipaddress | tunnel-group | protocol | encryption}]

The figure displays the output of the show vpn-sessiondb remote command. This command displays remote-access sessions. You can display this information for all groups, or you can filter it by using the following filter options: name, a-ipaddress, p-ipaddress, tunnel-group, protocol, and encryption. Two encryption algorithms appear in the Encryption field because the display lists the IKE (Phase 1) and IPsec (Phase 2) algorithms in turn, and the two need not be the same.
Information from the show vpn-sessiondb remote command includes the following:
■ Session type
■ Username
■ Assigned address of the client
■ Public address of the client
■ Encryption algorithm
■ Hash algorithm
■ Tunnel group (the connection profile created in the IPsec Connection Profiles pane)
■ Login time of the client

Troubleshooting Remote-Access VPNs
This topic describes how to troubleshoot remote-access VPNs.

Scenario: Troubleshooting Remote-Access VPNs
(Figure: a mobile worker connecting over the Internet to a Cisco ASA security appliance at headquarters.)

Several tools are available to troubleshoot remote-access VPNs when connectivity problems occur. When troubleshooting remote-access client connectivity issues, you will use a combination of the following:
■ Cisco VPN Client logging-level settings
■ Cisco VPN Client log window
■ debug commands
■ Syslog server
■ Cisco ASA internal log buffer
■ Cisco ASDM log window

In this scenario, a mobile worker is trying to establish a secure tunnel back to corporate headquarters, using the Cisco VPN Client. The client gets the error message in the following figure.

Scenario: Client Error
(Figure: the Cisco VPN Client error dialog and the client log window.)

This figure shows the client error message and the log window of the client. The client error message says that the security appliance is not responding. Notice from the log, however, that the security appliance is actually responding, but that the client is receiving unencrypted packets from the Cisco ASA security appliance. This could be due to a number of reasons, but it does look like the problem is on the security appliance side of the connection. Some reasons could include these:
■ IKE Phase 1 could not complete.
■ IKE Phase 2 could not complete.
■ The crypto map on the Cisco ASA security appliance may be misconfigured.
■ The tunnel group may be misconfigured.
■ The certificate to connection profile policy may be incorrect.
The next thing to do would be to set up a syslog server, configure logging on the Cisco ASA security appliance, and enable the appropriate debug commands. The next sections go through this process.

Scenario: Syslog Output
(Figure: messages logged by the Cisco ASA security appliance for the failed connection attempt.)

The figure displays the messages sent to the syslog server from the Cisco ASA security appliance. The error occurs as follows:
1. The Cisco ASA is trying to match a group with the incoming IPsec request.
2. The connection lands on the default remote-access group.
3. The Cisco ASA finds that there is "No valid authentication type found for the group."
4. There is "no trust-point defined" for the default tunnel group.

You need to check why the connection "landed" on the default group instead of on the RA_Clients tunnel group that you created.

Solution: Certificate to Connection Profile Mapping
The Certificate to Connection Profile Maps > Policy pane is used to specify the parameters for the certificate to connection profile policy when receiving requests from remote clients. Notice that in the figure, the Use the Configured Rules to Match a Certificate to a Group check box is not checked. This parameter must be checked in order for the configured rules to be applied to the certificate of the remote client requesting a connection. In this example, the rules were previously configured, but the administrator failed to select this check box, so every certificate was being matched to the default group, which has no trustpoint and therefore cannot authenticate a certificate-based connection.

Complete these steps to enable matching rules for certificate to connection profile mapping, using Cisco ASDM.
Step 1 Check the Use the Configured Rules to Match a Certificate to a Group check box.
Step 2 Click Apply at the bottom of the pane.

Now you can try the connection again. This time the connection succeeds. (See the next figure.)

Verify correct operation of the remote-access VPN by using the same displays and commands that you used when verifying remote-access VPNs.
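The matching rules from the Certificate to Connection Profile Maps topic and the failure in this scenario fit in one model. The Python below is an added example, not code from the student guide or from the Cisco ASA: a rule carries a priority, a target tunnel group and criteria on the Subject, Issuer, or Alternative Subject of the client's certificate with the four operators; select_tunnel_group() tries the rules in ascending priority only when the policy check box is set and otherwise returns DefaultRAGroup; ike_authenticate() then fails the group that has no trustpoint, which is what the syslog messages above report, or assigns an address from the group's pool. The certificate contents, the organization value "Training", the trustpoint name ASA_IDENTITY and the log wording are constructed (no ASA syslog message IDs are reproduced), and the comparison semantics noted in the code are assumptions.

```python
"""Certificate-to-connection-profile matching, and the "rules configured but
not enabled" failure.  Added example; not from the SNAA student guide or from
Cisco.  Certificate contents, trustpoint name and log wording are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_GROUP = "DefaultRAGroup"


@dataclass
class Certificate:
    subject: Dict[str, str]            # DN components, e.g. {"CN": ..., "O": ...}
    issuer: Dict[str, str]
    alt_subjects: List[str] = field(default_factory=list)   # SAN entries


@dataclass
class Criterion:
    part: str         # "Subject", "Issuer" or "Alternative Subject"
    component: str    # DN attribute such as "O"; unused for Alternative Subject
    operator: str     # "Equals", "Contains", "Not Equal", "Does Not Contain"
    value: str

    def matches(self, cert: Certificate) -> bool:
        if self.part == "Alternative Subject":
            candidates = cert.alt_subjects
        else:
            dn = cert.subject if self.part == "Subject" else cert.issuer
            candidates = [dn.get(self.component, "")]
        # Assumptions: comparisons are exact and case-sensitive; a SAN rule is
        # satisfied by any one entry for the positive operators and must hold
        # for every entry for the negative ones.
        if self.operator == "Equals":
            return any(c == self.value for c in candidates)
        if self.operator == "Contains":
            return any(self.value in c for c in candidates)
        if self.operator == "Not Equal":
            return all(c != self.value for c in candidates)
        if self.operator == "Does Not Contain":
            return all(self.value not in c for c in candidates)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    map_name: str
    priority: int                        # lower number is evaluated first
    tunnel_group: str
    criteria: List[Criterion] = field(default_factory=list)


@dataclass
class TunnelGroup:
    name: str
    trust_point: Optional[str] = None    # identity certificate used for IKE
    address_pool: List[str] = field(default_factory=list)


def select_tunnel_group(cert: Certificate, rules: List[Rule],
                        use_configured_rules: bool) -> str:
    """With the Policy check box clear the rules are never consulted, so every
    certificate lands on DefaultRAGroup.  With it set, rules are tried in
    ascending priority and every criterion of a rule must match (a rule with
    no criteria is treated as non-matching here; assumption)."""
    if use_configured_rules:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.criteria and all(c.matches(cert) for c in rule.criteria):
                return rule.tunnel_group
    return DEFAULT_GROUP


def ike_authenticate(cert: Certificate, rules: List[Rule],
                     groups: Dict[str, TunnelGroup],
                     use_configured_rules: bool) -> Dict[str, object]:
    """Outcome of the group-matching step of an IKE negotiation."""
    name = select_tunnel_group(cert, rules, use_configured_rules)
    group = groups[name]
    log = [f"Group = {name}, matched certificate to tunnel group"]
    if group.trust_point is None:          # the scenario's failure
        log.append(f"Group = {name}, No valid authentication type found for "
                   f"the group: no trust-point defined")
        return {"tunnel_group": name, "ok": False, "log": log}
    if not group.address_pool:
        log.append(f"Group = {name}, no address available in the pool")
        return {"tunnel_group": name, "ok": False, "log": log}
    assigned = group.address_pool.pop(0)
    log.append(f"Group = {name}, assigned IP {assigned}")
    return {"tunnel_group": name, "ok": True, "assigned_ip": assigned, "log": log}


# Constructed configuration: the guide's Boston map, priority 10, mapped to
# RA_Clients, with one criterion on the Subject O component.
BOSTON = Rule("Boston", 10, "RA_Clients",
              [Criterion("Subject", "O", "Equals", "Training")])


def build_groups() -> Dict[str, TunnelGroup]:
    """Fresh tunnel groups (ike_authenticate consumes the pool)."""
    return {
        DEFAULT_GROUP: TunnelGroup(DEFAULT_GROUP),              # no trustpoint
        "RA_Clients": TunnelGroup("RA_Clients", trust_point="ASA_IDENTITY",
                                  address_pool=["10.0.1.20", "10.0.1.21"]),
    }


CLIENT_CERT = Certificate(subject={"CN": "davidl.cisco.com", "O": "Training"},
                          issuer={"CN": "Training-CA"})

if __name__ == "__main__":
    for enabled in (False, True):
        print(f"rules enabled={enabled}:",
              ike_authenticate(CLIENT_CERT, [BOSTON], build_groups(), enabled))
```

Running it with the check box clear reproduces the scenario: the certificate is valid, the Boston rule would match it, and the connection still fails on DefaultRAGroup for lack of a trustpoint. With the check box set the same certificate lands on RA_Clients and gets 10.0.1.20, the address seen in the show vpn-sessiondb output earlier. The model also shows why rule priority matters when two rules could match the same certificate: the lower number wins, whatever order the rules were created in.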
Summary
This topic summarizes the key points that were discussed in this lesson.
■ Remote-access VPNs let single users connect to a central site through a secure connection over a TCP/IP network such as the Internet.
■ Configuring a Cisco ASA security appliance for remote access using digital certificates includes these processes:
— Installing certificates
— Creating address pools
— Creating an IPsec connection profile
— Mapping certificates to connection profiles
■ Installing Cisco ASA security appliance certificates includes these processes:
— Installing a CA certificate
— Enrolling with the CA
— Installing an identity certificate
■ A common method for assigning IP addresses to users is using address pools.

Summary (Cont.)
■ Creating an IPsec connection profile includes the following basic configuration parameters:
— Tunnel group name
— IKE peer authentication
— Client address assignment
— Group policy
■ To apply the identity certificate to the proper connection, you must modify the certificate to connection profile policy.
■ You may use Cisco ASDM and CLI commands to verify remote-access VPN operation.
■ Several tools are available to troubleshoot remote-access VPNs when connectivity problems occur.

Lesson 5
Configuring Advanced Remote-Access Features and Policy

Overview
This lesson examines popular, advanced remote-access features and policy for IPsec VPN clients of the Cisco ASA 5500 Series Adaptive Security Appliance. It describes these features and policies and how they are configured.

Objectives
Upon completing this lesson, you will be able to explain these remote-access features and configure the Cisco ASA security appliance to use them. This ability includes being able to meet these objectives:
■ Use Cisco ASDM to configure the advanced policy feature of load balancing
■ Use Cisco ASDM to configure reverse route injection for VPN connections
■ Use Cisco ASDM to configure a backup server for VPN connections
■ Use Cisco ASDM to configure intra-interface VPN traffic forwarding on the Cisco ASA security appliance
■ Use Cisco ASDM to configure NAT transparency for VPN connections behind a NAT device
■ Use Cisco ASDM to configure IPsec over TCP for VPN connections behind a NAT device
■ Use Cisco ASDM to configure certificate group mapping for IPsec connections using certificates
■ Use Cisco ASDM to configure client updates for VPN software and hardware clients
■ Use Cisco ASDM to configure the tunnel policy for personal firewalls and split tunneling

Load Balancing
This topic describes how to configure load balancing on the Cisco ASA security appliance when there are multiple security appliances used as virtual private network (VPN) servers on a given subnet.

What Is Load Balancing?
■ Virtual VPN cluster with one IP address for remote-access clients to connect to
■ Real Cisco ASA security appliances in a master/slave configuration servicing the virtual headend's remote-access connections
■ Round-robin balancing, with the first slave given connections until its load limit is reached, then the next slave until its load limit is reached, then the master (repeated after the master's load limit has been reached)
■ Supports IPsec and WebVPN in a homogeneous device environment
■ Supports only IPsec in a heterogeneous device environment (Cisco ASA, VPN 3000, and PIX)

VPN load balancing can be configured when two or more security appliances are configured as VPN headends and are attached to the same public and private network segments.
When this condition exists, each VPN headend can be configured to share, or load balance, VPN connections to optimize system resources. To implement load balancing, the VPN headend security appliances are configured in a master-slave model, and they appear as a single virtual IP address to all VPN clients.

When a client attempts a VPN connection, the master server accepts the connection for the virtual IP address and passes it to one of the slave servers, or to itself, for processing in a round-robin fashion. The master server is elected by having the highest priority among the VPN headends. The master server maintains a list of slave servers sorted in ascending order, based on the inside IP address of the slave servers. As connection attempts are made, the master server passes connections to the first slave server until that slave server reaches an incremental load of 1 percent. After it reaches this incremental load, the master server passes connection attempts to the next slave server in its list. After all the slave servers have reached their incremental load limit, the master server services the connections itself until its own incremental load limit is reached. After this happens, the round-robin process starts again with a higher incremental load.

Load balancing can be performed in a homogeneous or heterogeneous solution of security appliances. The preferred method for load balancing is a homogeneous solution of security appliances because there are fewer limitations in a homogeneous environment. The following list contains the security appliances that can be configured into a load-balancing cluster:
■ Cisco ASA 5510 Adaptive Security Appliance (with a Security Plus license)
■ Cisco ASA 5520 Adaptive Security Appliance and above

Only Cisco VPN software and hardware clients support load balancing. All other VPN clients should connect directly to the appropriate VPN headend.
The following list contains the VPN clients that support load balancing: = Cisco AnyConnect VPN Client (Rel = Cisco VPN Client (Release 3.0 and wse 2.0 and later) er) = Cisco ASA $505 Adaptive Security Appliance (when acting as a Cisco Easy VPN client) ™ Cisco PIX 501/506E Sec ty Appliance (when ai 1g as a Cisco Easy VPN client) {© 2008 Cisco Systems, inc. IPsec VPNs 4.195, Load-Balancing Connection Process Ifyou have a security appliance configuration in which you are using two or more security appliances that are connected on the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least-loaded device, thus distributing the load among all devices. It makes efficient use of system resources and provides increased performance and igh availability. In load balancing, a group of security appliances work together as a single entity, a cluster. The cluster is known by one IP address, a virtual address, to the outside client space. This virtual IP address is not tied to a specific physical device in the VPN cluster but will be serviced by the luster virtual cluster master. The virtual IP address is valid, routable address. When remote Clients attempt to establish a tunnel, the clients route the Internet Key Exchange (IKE) messages to the IP address of the cluster—the virtual IP address. The virtual cluster master responds to the messages with the physical IP address of the least-loaded security appli The client then attempts to establish a connection with the least-loaded security appli Connect ns to the load-balancing cluster are based on the load. The designated virtual cluster tet security appliance maintains load information from all secondary security appliances in the cluster. Each secondary security appliance periodically sends load information in a keepalive message exchange to the master security appliance. 
Load is calculated as the percentage of current active sessions divided by the configured maximum-allowed connections. When a Cisco VPN Client makes a connection request, the master security appliance checks its load list for the least-loaded security appliance and directs the Cisco VPN Client toward that device in the cluster. The least-loaded security appliance terminates the new tunnel.

In this example, when a Cisco VPN Client is launched, it attempts to establish an IKE tunnel to the VPN virtual cluster IP address, 192.168.1.254. The cluster master responds to the IKE messages by sending a redirect message to the Cisco VPN Client. The redirect message carries the physical IP address of the least-loaded Cisco ASA security appliance within the cluster. The cluster master determines the least-loaded security appliance by consulting its load table, which is continuously updated with the current load information of the secondary Cisco ASA security appliances. At IKE tunnel connection time, the cluster master consults its load table, picks the least-loaded secondary security appliance at that moment, and forwards its IP address to the remote client. In the example, the IP address of the least-loaded security appliance within the cluster is 192.168.1.6. The Cisco VPN Client, in turn, attempts to establish a new tunnel to the least-loaded security appliance, 192.168.1.6. The original tunnel to the virtual IP address of the cluster master is torn down.

Note: Load balancing is performed only during tunnel establishment. Once a tunnel is up, it stays on the appliance that terminated it; an existing tunnel is not moved to a less-loaded member.

For load balancing to operate, the Virtual Cluster Agent (VCA) is started on each security appliance when the security appliance begins participation in the virtual cluster.
The VCA is responsible for the following:

- Joining and exiting the virtual cluster
- Establishing IPsec connections between peers in the cluster
- Calculating the load
- Sending periodic load and health-check information to the cluster master
- Determining a failed cluster master
- Participating in a virtual master election process

In order for VCA messages to flow between cluster security appliances, the public and private interfaces must be configured and added to the virtual cluster.

VPN Software Client Load-Balancing Configuration

To configure load balancing on the Cisco VPN Client, choose Start > Programs > Cisco Systems VPN Client > VPN Client. In the Host Name or IP Address of the Remote Server field of the connection entry, enter the cluster virtual IP address. In the example in the figure, the cluster virtual IP address is 192.168.1.254. The client does not need to know the physical addresses of the cluster members; the cluster master redirects it to one of them.

On the Cisco ASA security appliance there are two parts to the configuration: cluster configuration and server configuration. Cluster configuration must be the same for all security appliances in the cluster. Server configuration parameters can vary across the cluster, because the device parameters are specific to each security appliance. To configure load balancing on the Cisco ASA security appliance, go to the Configuration > Remote Access VPN > Load Balancing pane and complete the following parameters:

- Participate in Load Balancing Cluster: Check this check box to include this security appliance in the virtual cluster.
- VPN Virtual Cluster IP Address: Enter the single IP address that represents the entire virtual cluster. Choose an IP address within the public subnet address range shared by all the security appliances in the virtual cluster.
- VPN Virtual Cluster UDP Port: The default UDP port is 9023.
If another application is using this port, enter the UDP destination port number that you want to use for load balancing.
- Enable IPsec Encryption: The security appliances in the virtual cluster communicate through LAN-to-LAN tunnels, using IPsec. Check this check box to ensure that all load-balancing information communicated between the security appliances is encrypted. Without it, the load and health-check messages between members travel in the clear on the shared public subnet.
- IPsec Shared Secret: This option is available only if you have checked the Enable IPsec Encryption check box. Enter the IPsec shared secret for the virtual cluster. The shared secret is a common password that authenticates members of the cluster. IPsec uses the shared secret as a pre-shared key to establish secure tunnels between virtual cluster peers.
- Verify Secret: Re-enter the IPsec shared secret.
- Priority: Enter a priority for this VPN security appliance within the virtual cluster. The priority is a number from 1 to 10 that indicates the likelihood of this device becoming the cluster master, either at startup or when an existing cluster master fails. The higher you set the priority (for example, 10), the more likely that this device becomes the cluster master. If your cluster includes different models of security appliances, it is recommended that you choose the device with the greatest load capacity to be the cluster master.

Configuring load balancing varies depending on the type of security appliance that is participating in the load-balancing cluster. In this example, the load-balancing cluster is a homogeneous mixture of Cisco ASA appliances running software version 8.0(2).
The figure shows the commands sent to the security appliance, based on its configuration. In this example, VPN load-balancing participation is enabled, and the virtual IP address of the VPN load-balancing cluster is 192.168.1.254. IPsec communication between cluster members is enabled with a pre-shared key of "training", and the priority is set to 10, which increases the chances of this security appliance being elected as the master. Because the shared secret is what authenticates cluster members to each other, treat it like any other pre-shared key; "training" is a lab value only.

Reverse Route Injection

This topic describes how to configure reverse route injection for VPN client connections.

What Is Reverse Route Injection?

- Static routes for the VPN-connected hosts or networks are added to the Cisco ASA security appliance routing table.
- Dynamic routing on the Cisco ASA security appliance must be enabled, and the static routes redistributed into the routing process.
- Internal routers are allowed to know the route to remote-access VPN clients.
- Internal routers are allowed to know the route to protected networks that are part of Site-to-Site VPNs.
- When the VPN tunnel is closed, static routes for VPN-connected clients or networks are removed from the Cisco ASA security appliance routing table.

Reverse Route Injection (RRI) is a feature that the Cisco ASA security appliance uses to advertise routes to networks or hosts at the distant end of a VPN tunnel. These routes are added to the security appliance as static routes and are present in its routing table while the VPN connection is up. To enable other routing devices to learn these routes, the security appliance must redistribute the static routes into a running dynamic routing protocol process; it can then advertise them. The Cisco ASA security appliance supports the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocols.
The configuration of these routing protocols is discussed in detail in Module 3, Lesson 4 of this course.

Each time a Cisco VPN Client connects or a Site-to-Site VPN is established with the security appliance, the security appliance advertises the IP address or network that is behind the distant end. When the tunnel is disconnected, the security appliance removes the route and ceases to advertise it. RRI enables a central-site device to reach the distant end of the VPN tunnel regardless of which security appliance terminates it.

Configuring RRI

To configure RRI on the Cisco ASA appliance, choose the Configuration > Site-to-Site VPN > Advanced > Crypto Maps pane for Site-to-Site IPsec VPNs, or choose the Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps pane for Remote Access IPsec VPNs. Click the Add or Edit button within the pane. When the Add/Edit window appears, check the Enable Reverse Route check box on the Tunnel Policy (Crypto Map) - Advanced tab.

The example shows the check box for RRI being chosen. It also shows the command sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.

Learn Route from RRI

The example shows the static route that was learned through RRI from the distant end of a Site-to-Site VPN tunnel. The route to the network 172.26.18.0/24 is displayed in the Cisco ASA security appliance routing table. When the tunnel is disconnected, this route is removed from the routing table.

Backup Servers

This topic describes how to configure backup servers for VPN client connections.
Using Backup Servers

- Provide VPN clients access to the central site when the primary server is unavailable.
- Backup servers do not exist until they are configured.
- Configured on the primary server and pushed to the client, which overwrites any backup server list that is configured on the client.
- Can also be configured on the client, within the Cisco VPN Client application.

IPsec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable. When you configure backup servers on the security appliance, it pushes the server list to the client as the IPsec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary security appliance. If you configure backup servers on the security appliance, the backup server policy is pushed to the clients in the group, replacing any backup server list configured on the client.

If you are using hostnames for backup servers, it is wise to have backup Domain Name System (DNS) and Windows Internet Name Service (WINS) servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client through DHCP, the connection to the primary server is lost, and the backup servers have different DNS and WINS information, the clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.

Backup servers are configured within each specific group policy. Choose the appropriate policy within the Configuration > Remote Access VPN > Network (Client) Access > Group Policies pane. Click the Edit button to edit the desired policy.
Within the Edit window, choose Advanced > IPsec Client, remove the check from the Inherit check box associated with IPsec Backup Servers, and complete the following parameters:

- Server Configuration: Specifies the backup server behavior from the drop-down menu. The choices are as follows:
  - Use the Backup Servers Below: The security appliance sends the list of backup servers to the clients in the group, replacing the backup server list on the client if one is configured.
  - Keep Client Configuration: The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.
  - Clear Client Configuration: The client uses no backup servers. The security appliance pushes a null server list.
- Server Addresses: Specifies the IP addresses of the backup servers.

In this example, the server configuration Use the Backup Servers Below is chosen, and the server IP addresses 192.168.5.2, 192.168.10.2, and 172.26.26.10 are entered. These backup server addresses are pushed to members of this group as they connect. The example also shows the command-line interface (CLI) commands sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.

Intra-Interface VPN Traffic

This topic describes how to configure the Cisco ASA security appliance to allow VPN traffic to flow between VPN connections that terminate on the same interface.

- VPN traffic that is terminated on an interface can be sent back out of the same interface (hairpinning).
- Cisco VPN Client to VPN Client communication is allowed without interruption of normal VPN client to internal network communication.
- If hairpinning from an encrypted source to an unencrypted destination, NAT must be enabled so that a public, routable address replaces the internal private address space.
You can configure the Cisco ASA security appliance to allow a VPN user to send protected traffic to another VPN user when both VPN connections terminate on the same interface. Allowing such traffic in and out of the same interface is essentially a hub-and-spoke design, with the VPNs as spokes connecting through a security appliance that acts as the VPN hub.

This configuration can also be used to redirect incoming VPN traffic back out through the same interface as unencrypted traffic. This is useful, for example, for a VPN client that does not have split tunneling enabled but needs both to access the internal corporate network through the VPN and to browse to an Internet web site. If internal private address space is being used and unencrypted traffic is allowed back out the same interface on which it arrived as encrypted VPN traffic, NAT must be used so that a public routable address replaces the internal private address space.

Allowing Intra-Interface VPN Traffic

To enable intra-interface VPN traffic, open the Configuration > Device Setup > Interfaces pane. When the Interfaces pane is displayed, check the Enable traffic between two or more hosts connected to the same interface check box. In this example, the check box is selected, and VPN traffic between VPN hosts terminated on the same interface is allowed. The example also shows the command sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration: the same-security-traffic permit intra-interface CLI command. This command is global to the appliance; it is not applied per interface.

NAT Transparency

This topic describes how to configure Network Address Translation (NAT) transparency to allow IPsec traffic to pass through a NAT device in the path of the VPN traffic.

- IKE and ESP are broken by NAT devices when standard VPNs are used.
- PAT changes packet header information, which invalidates the packet when it is received by a VPN server.
- NAT-T encapsulates the packet within a UDP packet so that NAT devices become transparent.
- The Cisco ASA security appliance supports both NAT-T and the Cisco proprietary UDP and TCP encapsulation.

NAT was invented as a solution to the shortage of publicly available IP address space and the increasing demand for those addresses. Using NAT allows companies not to be constrained by their external public address space. NAT has become increasingly popular with home-network and small-office-network users who receive only a single IP address from their Internet service provider (ISP). Because NAT has become ubiquitous within home and company network connections, it has created a problem for IPsec VPN users and connections.

NAT changes the source IP address within the header of the IP packet to an address from the NAT address pool or to the address of the NAT device (when Port Address Translation [PAT] is used). During normal IPsec VPN negotiation, the changes that PAT makes to the packet invalidate it: when PAT rewrites the header, integrity checks that cover the IP header no longer match. And when multiple hosts are behind a single NAT IP address, Encapsulating Security Payload (ESP) communications cannot flow, because NAT (PAT) is looking for TCP or User Datagram Protocol (UDP) ports, and ESP does not use them. In this case the packet is dropped.

To counter the problem with PAT, NAT Transparency (NAT-T) was introduced. NAT-T is a mechanism in which each IPsec packet is encapsulated within a UDP packet, so that any NAT device between the VPN server and the VPN client becomes transparent and VPN communications can flow. When NAT-T is configured, it sends a NAT discovery to detect any NAT device between the VPN server and the VPN client. If no NAT device is detected, NAT-T is not used; if a NAT device is detected, NAT-T is used.
IPsec VPN and NAT/PAT Transparency

- Allows clients to operate behind a NAT or PAT device.
- Uses a UDP or TCP header with a configurable port number to bypass PAT devices (default port 10000).
- Provides the security of IPsec ESP.
- Requires no user intervention, as the administrator centrally controls IPsec UDP through group policies.
- IPsec TCP is configured through global IKE parameters.

[Figure: an IPsec UDP packet and an IPsec TCP packet passing through a NAT device]

To allow IPsec VPN functionality with a NAT device between the VPN client and the VPN headend, the Cisco ASA security appliance can also be configured to encapsulate IPsec packets within UDP or TCP. By encapsulating the IPsec packet in a UDP or TCP packet, the NAT device can translate the IPsec packet into Internet-routable packets. When UDP or TCP encapsulation is configured, the administrator of the VPN headend security appliance controls which ports are used; the default port for UDP and TCP encapsulation is 10000. No user intervention is needed, because the VPN client is configured with the appropriate UDP or TCP port for encapsulation. UDP IPsec encapsulation is configured within the IPsec group policy, and TCP encapsulation is configured within the global IKE policy. UDP encapsulation is used when NAT-T is not available. TCP encapsulation gives administrators more flexibility when UDP packets are not permitted, such as when a firewall blocks all UDP traffic. Using TCP through firewalls is preferred over UDP because state can be maintained for TCP packets, resulting in higher security.

NAT Transparency (NAT-T)

- A NAT discovery payload is used to discover the existence or location of a NAT device during IKE phase 1.
- If there is NAT, the ESP packet is encapsulated as a UDP payload (UDP 4500).
- IKE NAT keepalives are sent to keep translations from timing out.
[Figure: a wireless computer with the Cisco VPN Client at a broadband hotspot, behind a PAT device using RFC 1918 addresses; see RFCs 3947 and 3948 for more detail]

Network Address Translation Transparency (NAT-T) is a standards-based IPsec over UDP solution. NAT-T performs two tasks: it detects whether both ends support NAT-T, and it detects intermediate NAT devices along the transmission path. During IKE phase 1, the client and the IPsec gateway exchange vendor identification (VID) payloads. A NAT-T VID must be sent and received by both ends for the NAT-T negotiation to continue. Next, NAT discovery (NAT-D) payloads are exchanged.

The second task of NAT-T is to determine whether there are any NAT devices along the transmission path. Intervening NAT devices change the IP addresses or port numbers of the data packets, so NAT-D payloads are exchanged to determine whether any IP address or port number changes occurred. Two NAT-D payloads are sent in each direction. Each NAT-D payload is a hash of the original IP address and port number: one NAT-D payload for the source IP address and port number, and another for the destination IP address and port number. After receiving the NAT-D payloads, each end hashes the address and port it actually observed in the packet and compares the result with the received NAT-D payloads. If they match, there are no NAT devices along the transmission path. If they do not match, a NAT device translated either the IP address or the port, and NAT-T is used: the IPsec packet is wrapped in a UDP packet with a port number of 4500. Periodically, IKE NAT keepalives are sent to keep the translations from timing out.

NAT Transparency: UDP Encapsulation

- NAT-T is preferred over legacy IPsec over UDP.
- NAT-T always uses UDP 4500; IPsec over UDP uses an administrator-defined port.
- IPsec over UDP is configured in the group policy.

Cisco created a proprietary fix to solve the IPsec NAT translation issue, IPsec over UDP encapsulation. This was the predecessor to NAT-T.
NAT-T is now the preferred method for IPsec over UDP encapsulation. The Cisco proprietary IPsec over UDP allows the administrator to configure the UDP port to be used. When both NAT-T and IPsec over UDP encapsulation are configured, NAT-T takes precedence. IPsec over UDP is negotiated during tunnel establishment. If it is enabled on both the Cisco VPN Client and the Cisco ASA security appliance, IPsec is wrapped in UDP for the duration of the tunnel. This is configured in the group policy on the security appliance, so those groups whose frames traverse a NAT device can be configured to support IPsec over UDP.

In this example, the Cisco VPN Client is configured for IPsec over UDP under the Transport tab of the connection entry. The Cisco ASA security appliance is configured for both NAT-T and IPsec over UDP encapsulation. In the group policy for this example, the IPsec over UDP Inherit check box is unchecked and IPsec over UDP is enabled; the IPsec over UDP Port Inherit check box is unchecked, and the port is set to UDP port 10000. The figure also shows the commands sent to the security appliance for this configuration.

NAT Transparency: TCP Encapsulation

- Select up to 10 administrator-defined ports on the security appliance.
- Select one port value from this set on the client.
- Do not use TCP 443 if SSL VPN is to be used.

A third type of transparent tunneling supported by the security appliance is IPsec over TCP. With IPsec over TCP there is no negotiation as there is with IPsec over UDP. From the very beginning of tunnel establishment, all traffic to the security appliance is encapsulated in TCP. At the point at which IKE would normally negotiate the use of IPsec over UDP, IPsec over TCP is already active. IPsec over TCP takes precedence over both NAT-T and IPsec over UDP.
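The following Python code is an added example; it is not Cisco's implementation and is not part of the original course. It demonstrates the NAT-D check described in the NAT Transparency (NAT-T) topic above, the wrapping of ESP in UDP port 4500, and the precedence among the three encapsulations stated in the preceding paragraphs (IPsec over TCP, then NAT-T, then Cisco IPsec over UDP, then native ESP). It follows RFC 3947 for the NAT-D payload (a hash over the IKE initiator and responder cookies, the IP address and the port) and RFC 3948 for UDP encapsulation. The choice of SHA-1 as the negotiated hash, the cookies, the addresses and the port sets are all constructed for the example.

```python
"""NAT-D detection, UDP 4500 wrapping and transport precedence (added example)."""
import hashlib
import socket
import struct

NAT_T_PORT = 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Payloads a peer sends: first the remote (destination) address as the
    sender sees it, then its own (source) address before any translation."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(received, cky_i, cky_r, seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port):
    """Receiver side: hash the addresses that actually arrived in the IP/UDP
    headers and compare them with the peer's NAT-D payloads.
    Returns (nat_in_front_of_sender, nat_in_front_of_receiver)."""
    my_hash = nat_d_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port)
    peer_hash = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    nat_before_receiver = received[0] != my_hash
    nat_before_sender = peer_hash not in received[1:]
    return nat_before_sender, nat_before_receiver


def udp_encapsulate(esp_packet: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """RFC 3948: the ESP packet follows a plain UDP header on port 4500; a zero
    UDP checksum is permitted. An ESP SPI is never zero, which is how a receiver
    tells ESP from IKE on the same port (IKE carries a four-zero-byte marker)."""
    if len(esp_packet) < 8 or esp_packet[:4] == b"\x00\x00\x00\x00":
        raise ValueError("not an ESP packet: SPI must be non-zero")
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet


def select_transport(client_tcp_port, asa_tcp_ports, nat_detected, nat_t_on_both,
                     client_udp, group_udp_port):
    """Precedence from this lesson. IPsec over TCP is active from the first packet
    and is never negotiated; NAT-T is used only when NAT was detected; Cisco
    IPsec over UDP uses the administrator-chosen group-policy port."""
    if client_tcp_port is not None and client_tcp_port in asa_tcp_ports:
        return ("tcp", client_tcp_port)
    if nat_detected and nat_t_on_both:
        return ("udp", NAT_T_PORT)
    if client_udp and group_udp_port is not None:
        return ("udp", group_udp_port)
    return ("esp", None)


def demo():
    """Constructed scenario: client on an RFC 1918 address behind a PAT device."""
    cky_i = bytes.fromhex("0102030405060708")   # constructed IKE cookies
    cky_r = bytes.fromhex("1112131415161718")
    gateway = ("192.0.2.1", 500)
    client_private = ("10.0.0.5", 500)          # what the client believes it is
    pat_public = ("203.0.113.7", 61000)         # what the gateway actually sees
    payloads = build_nat_d(cky_i, cky_r, *client_private, *gateway)
    sender_nat, receiver_nat = detect_nat(payloads, cky_i, cky_r, *pat_public, *gateway)
    transport = select_transport(None, {10000}, sender_nat or receiver_nat, True, True, 10000)
    return sender_nat, receiver_nat, transport


if __name__ == "__main__":
    print(demo())   # NAT in front of the client only, so NAT-T on UDP 4500 is chosen
```

The receiver never trusts the peer's claimed address: it hashes the header it saw, so a rewritten address or port shows up as a mismatch even though the peer's payload is unchanged. The keepalives mentioned in the NAT-T topic are not modelled; they only keep the PAT translation for port 4500 alive.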
The goal of IPsec over TCP is to allow Cisco VPN Clients to operate in environments with NAT devices present by using TCP to encapsulate both IKE and ESP. This encapsulation takes advantage of the fact that most firewalls allow outgoing TCP traffic and associate the inbound packets with the outbound connections. Using TCP through firewalls is preferred over UDP because state can be maintained for TCP packets, resulting in higher security. The TCP implementation defaults to port 10000 but does not restrict the ability of the administrator to configure the Cisco VPN Client to listen on up to 10 different ports.

Note: Do not use TCP port 443 if SSL VPNs are used or will be used, because the security appliance listens on that port for SSL VPN sessions.

Although TCP is used to encapsulate IKE and IPsec, it is not intended to provide the reliability found in a fully deployed TCP implementation. The application layer (IKE) already provides much of the reliability needed.

In this example, the Cisco VPN Client is configured for IPsec over TCP encapsulation using TCP port 10000 from the Transport tab of the connection entry. In the IKE Parameters pane on the security appliance, the Enable IPsec over TCP check box is checked and TCP port 10000 is entered in the field. The example also shows the commands sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.

Client Update

This topic describes how to configure client update notification for Cisco VPN Client users who are using a VPN client that is not at the correct revision.

- Administrators can inform Cisco VPN Client users to update to a newer version of Cisco VPN Client software upon connection.
- Notification is based on the Cisco VPN Client version and operating system.
- Users are provided a URL from which to install the new Cisco VPN Client software.

Client update allows an administrator to inform VPN client users that the software they are currently using is not the correct revision. This is based on the Cisco VPN Client software version currently installed on the computer from which the user is connecting. The notification for the VPN client version can be based on a specific version of an operating system, such as Linux, Mac OS X, or Windows NT/2000/XP, or on a general version of an operating system, such as all Microsoft Windows. When an incorrect version of the VPN client software is detected during VPN connection setup, a message is sent notifying the client, including the URL of the site from which to install the newer version.

To configure client software update, choose the Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Upload Software > Client Software pane and complete the following parameters:

- The Enable Client Update check box enables client updates.
- Client Type specifies the operating system of the remote PCs. These are the available remote PC types:
  - linux: A Linux client
  - mac: A Mac OS X client
  - Windows: All Windows-based platforms
  - WIN9X: Windows 95, Windows 98, and Windows ME platforms
  - WinNT: Windows NT 4.0, Windows 2000, and Windows XP platforms
- Clicking the Edit button for the selected Client Type allows the following parameters to be set:
  - VPN Client Revisions specifies the client revisions that are acceptable; clients running one of the listed revisions are not notified.
  - Image URL specifies the URL that the VPN software client should use to update itself.

In this example, VPN Client Revisions is set to 4.8 and the URL is defined as http://software-center/vpnclient. The example also shows the CLI commands sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.

Configuring Hardware Client Update

To configure client device update, choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Upload Software > System Software and complete the following parameters:

- The Enable Client Update check box enables client updates. Client devices can be identified by Device ID, by device family (Cisco PIX Security Appliance or Cisco ASA security appliance), or by a device type such as an ASA 5510 or 5520 Adaptive Security Appliance.
- The Add button enables a specific device to be updated.
- Device Identification specifies how the device is identified. Device identification is based on one of the following parameters:
  - Device ID: If the client is configured to identify itself with a unique string, specify the same string that the client uses. The maximum length is 63 characters.
  - Device Family: If Device Family configures the Auto Update client to identify itself, specify the same Device Family that the client uses. It can be asa, pix, or a text string with a maximum length of 7 characters.
  - Device Type: Used to specify the specific type of security appliance to notify of a client update.
The list comprises the following:
    - asa5505: Cisco ASA 5505 Adaptive Security Appliance
    - asa5510: Cisco ASA 5510 Adaptive Security Appliance
    - asa5520: Cisco ASA 5520 Adaptive Security Appliance
    - asa5540: Cisco ASA 5540 Adaptive Security Appliance
    - pix-515: Cisco PIX 515 Firewall
    - pix-515e: Cisco PIX 515E Firewall
    - pix-525: Cisco PIX 525 Firewall
    - pix-535: Cisco PIX 535 Firewall
    - vpn3002: VPN 3002 hardware client
    - A text string of up to 15 characters
- Image Type: Specifies the software component for the client.
- Client Revision: Specifies the software or firmware image revisions for this client.
- Image URL: Specifies the URL for the software or firmware image. This URL must point to a file appropriate for this client. The maximum string length is 255 characters.

In this example, the ASA 5505 security appliances in use should be running version 8.0(2) of the Cisco ASA security appliance software and version 6.0(2) of the Cisco ASDM software. The current image is not up to date. The 8.0(2) image can be retrieved from the URL https://10.0.1.10/asa-updates. The example also shows the CLI commands sent to the security appliance, based on the Cisco ASDM configuration.

Split Tunneling

This topic describes how to configure split tunnels for remote-access VPNs.

Split Tunnel

- Tunnel all traffic: everything is encrypted.
- Tunnel everything except the listed networks.
- Tunnel only the listed networks.

[Figure: encrypted tunnel versus cleartext path for each of the three options]

Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in cleartext form. With split tunneling enabled, packets that are not bound for destinations on the other side of the IPsec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to their final destination. There are three tunneling options available to the network administrator: tunnel everything, tunnel everything except local LAN traffic, and split tunneling.
The administrator must decide which option is correct for each group of remote clients:

- Tunnel All: Specifies that no traffic goes in the clear or to any destination other than the security appliance. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option and, in effect, disables split tunneling.
- Exclude Network List Below: Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN Client.
- Tunnel Network List Below: Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's ISP.

In this example, the administrator is defining a split tunnel so that only traffic bound for the inside of the security appliance is tunneled. All other traffic is not tunneled. To configure this, choose the appropriate policy within the Configuration > Remote Access VPN > Network (Client) Access > Group Policies pane. Click the Edit button to edit the desired policy. In the Edit window, choose the Advanced > Split Tunneling menu. Remove the check from the Inherit check boxes associated with Policy and Network List.

The administrator then defines a list of the networks that must be tunneled, with the following parameters:

- From the Policy drop-down menu, choose Tunnel Network List Below, which tunnels all traffic from or to the specified networks.
This option enables split tunneling and lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's ISP.
- In the Network List field, enter the name of the tunnel list. Click the Manage button to view a list of predefined access control lists (ACLs) or to create a new one. Choose the networks to which the split-tunneling policy applies. The network list is defined by a standard or extended ACL.

In this example, the policy Tunnel Network List Below is chosen, and the Split_tunnel network list is selected. Traffic destined for network 10.0.0.0/8 is encrypted and tunneled. All other traffic is sent in the clear. The example also shows the commands sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.

Note: Split tunneling is primarily a traffic management feature, not a security feature. With split tunneling enabled, the remote host is reachable from the Internet in the clear while it is connected to the corporate network through the tunnel, so it can become a bridge between the two. For optimum security, do not enable split tunneling.

Personal Firewalls

This topic describes how to configure a personal firewall policy for remote-access VPNs.

- Remote-access policy check to verify that the VPN client host is running a personal firewall.
- Microsoft Windows-only client check (not available for non-Windows operating systems).
- Sends "Are You There" packets to monitor the firewall application on the VPN client host.
- A firewall rule set can be pushed to a personal firewall through the VPN client if a central protection policy is in place.

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured.
In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option.
Configuring Personal Firewall Policy
Personal firewall policy is configured within each specific group policy. Choose the appropriate policy within the Configuration > Remote Access VPN > Network (Client) Access > Group Policies pane. Click the Edit button to edit the desired policy. Within the Edit window, choose the Advanced > Client Firewall menu and remove the check from the Inherit from default group policy check box. The firewall settings are configured based on the following options:
■ No Firewall: Specifies that no firewall is required. With this setting, none of the remaining fields on this window are active.
■ Firewall Optional: Specifies that the users in the group may connect with or without a firewall. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not.
■ Firewall Required: Specifies that all users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.
In this example, Firewall Required was selected.
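The settings that Cisco ASDM sends for the two group-policy features covered in this lesson, the Tunnel Network List Below split-tunneling policy from the previous topic and a required client firewall with a pushed policy from this one, can also be entered at the ASA CLI. The following is an added example written for this page; it is not the command output shown in the figures. The group policy name RemoteUsers and the individual ACL entries are assumed; the ACL names Split_tunnel, Client_FW_Policy, and FW_policy are the ones used in the page's examples, and the ZoneAlarm line is an assumed alternative.

```cisco
! Added example (not the page's own output). Group policy name "RemoteUsers" is assumed.
!
! Network list for the Tunnel Network List Below policy: only 10.0.0.0/8 is tunneled,
! everything else is routed to the user's ISP in the clear.
access-list Split_tunnel standard permit 10.0.0.0 255.0.0.0
!
! Client firewall (CPP) ACLs are pushed to and enforced on the VPN client, so "in" and
! "out" are relative to the client PC, not to the security appliance (sample entries).
! Inbound to the client: allow only traffic sourced from the corporate network.
access-list Client_FW_Policy extended permit ip 10.0.0.0 255.0.0.0 any
access-list Client_FW_Policy extended deny ip any any
! Outbound from the client: the client may initiate anything.
access-list FW_policy extended permit ip any any
!
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 ! Split tunneling: "Tunnel Network List Below" in ASDM. The default is tunnelall;
 ! excludespecified would instead list the networks reached in the clear (local LAN).
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel
 ! Client firewall: Firewall Required, Cisco Integrated Client Firewall, Policy Pushed (CPP).
 client-firewall req cisco-integrated acl-in Client_FW_Policy acl-out FW_policy
 ! Assumed alternative for a third-party firewall using Are You There (AYT) polling:
 ! client-firewall req zonelabs-zonealarm policy AYT
```

The policy takes effect for a tunnel group once it is referenced as that group's default-group-policy. Because split tunneling exposes the client to its local LAN, the client-firewall requirement is what limits the exposure of the split-tunneled host; as the Note on the next page states, a group that requires a firewall can contain only Windows VPN clients.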
Note: If you require a firewall for a group, make sure that the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 Adaptive Security Appliances in client mode) are unable to connect.
The Firewall Type field lists all of the supported firewalls from several vendors, including Cisco. The list of supported firewalls is as follows:
■ Cisco Integrated Client Firewall, which is part of the Cisco VPN Client
■ Cisco Security Agent, the Cisco Intrusion Prevention System
■ Custom
■ Network ICE BlackICE
■ Sygate Personal
■ Sygate Personal Pro
■ Sygate Security Agent
■ Zone Labs Integrity Server
■ Zone Labs ZoneAlarm
■ Zone Labs ZoneAlarm Pro
If you choose Custom Firewall as the firewall type, the fields under Custom Firewall become active. For this selection you must specify the vendor ID, product ID, and description for the custom firewall. The firewall that you designate must correlate with the firewall policies available. The specific firewall that you configure determines which firewall policy options are supported.
There are two firewall policies. The following list describes each configuration:
■ Policy Defined by Remote Firewall (AYT): The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. After the connection is established, the VPN client polls the firewall every 30 seconds (Are You There) to make sure that it is still running. If the firewall stops running, the VPN client ends the session.
■ Policy Pushed (CPP): Specifies that the policy is pushed from the peer. If you choose this option, the Inbound Traffic Policy, the Outbound Traffic Policy, and the Manage button become active.
The security appliance enforces on the VPN clients in this group the traffic management rules that are defined by the ACL filters that you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are ACL filters defined on this security appliance. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped. The following list describes the traffic policies available with Policy Pushed (CPP):
– Inbound Traffic Policy: Lists the available push policies for inbound traffic.
– Outbound Traffic Policy: Lists the available push policies for outbound traffic.
– Manage: Displays the ACL Manager window, on which you can configure ACLs.
In the example, the firewall setting is set to require firewalls and the firewall type is set to Cisco Integrated Client Firewall. This is the firewall that is built into the Cisco VPN Client. Because the Cisco Integrated Client Firewall is selected, Policy Pushed is chosen. The inbound traffic policy is defined by the Client_FW_Policy ACL, and the outbound traffic policy is defined by the FW_policy ACL. The example also shows the commands sent to the Cisco ASA security appliance, based on the Cisco ASDM configuration.
Summary
This topic summarizes the key points that were discussed in this lesson.
■ The Cisco ASA security appliance can be configured to participate in a load-balancing cluster and to allow intra-interface VPN traffic, using advanced VPN features from within Cisco ASDM.
■ NAT transparency allows a VPN client to overcome the issues caused by a NAT device within the path to the VPN server by configuring NAT transparency for IPsec over UDP and TCP.
■ Certificate group mapping allows tunnel groups to be assigned to users, based on the certificate the user uses during IPsec setup.
■ The Cisco ASA security appliance, when configured as a VPN server, can issue notification to VPN clients to update the VPN software and device system and the Cisco ASDM software.
■ Configuring a backup server for the VPN connections allows the VPN client an alternative VPN server if the primary server is unavailable.
■ Tunnel group policies can be configured to allow a VPN client to use split tunnels and enforce the use of personal firewalls.
Lesson 6
Configuring Cisco ASA 5505 as a Cisco Easy VPN Hardware Client
Overview
This lesson discusses the Cisco Easy Virtual Private Network (VPN), its two components, and its modes of operation. It then discusses how to configure the Cisco ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Client. The lesson concludes with a look at specific hardware client features and policies and how they are configured.
Objectives
Upon completing this lesson, you will be able to configure Cisco ASA security appliances for secure remote access. This includes being able to meet these objectives:
■ Describe Cisco Easy VPN and its two components
■ Describe how group policy is determined on the VPN hardware client
■ Configure the Cisco ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote
Introduction to Cisco Easy VPN
This topic discusses Cisco Easy VPN and its two components.
[Figure: Cisco Easy VPN, showing Cisco Easy VPN Remote devices (Cisco VPN Client, Cisco 800 and 900 Series Routers, Cisco 1700 and 1800 Series Routers, Cisco 2800 and 3800 Series Routers, Cisco PIX Firewall Software Version 6.2, Cisco ASA 5505 Adaptive Security Appliance) connecting to a Cisco Easy VPN Server]
Cisco Easy VPN greatly simplifies VPN deployment for remote offices and teleworkers. Based on the Cisco Unified Client Framework, Cisco Easy VPN centralizes VPN management across all Cisco VPN devices, greatly reducing the complexity of VPN deployments. Cisco Easy VPN enables an integration of Cisco Easy VPN Remotes (Cisco VPN Client 3.x and later, Cisco routers, and Cisco Adaptive Security Appliances) within a single deployment with a consistent policy- and key-management method that greatly simplifies remote-side administration. Cisco Easy VPN consists of two components: the Cisco Easy VPN Server and the Cisco Easy VPN Remote client.
In addition, a Cisco IOS router or security appliance with the Easy VPN Server feature can terminate IP Security (IPsec) tunnels initiated by mobile remote workers who are running Cisco VPN Client software on PCs. This flexibility makes it possible for mobile and remote workers, such as salespeople on the road or teleworkers, to access the company intranet, where critical data and applications exist.
The Cisco Easy VPN Remote feature requires that the destination peer be a VPN gateway that supports the Easy VPN Server.
This includes the following platforms when you are running the indicated software releases:
■ Cisco ASA 5500 Series Adaptive Security Appliances: Cisco Adaptive Security Appliance Software Release 7.0 or later release
■ Cisco PIX 500 Series Security Appliances: Cisco PIX Security Appliance Software Version 6.2 or later version
■ Cisco routing platforms:
– Cisco 800 Series Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco 1700 Series Modular Access Routers and Cisco 1800 Series Integrated Services Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco 2800 Series Integrated Services Routers and Cisco 3800 Series Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco 7100 Series VPN Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco 7200 Series Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco 7500 Series Routers: Cisco IOS Release 12.2(8)T or later release
– Cisco uBR900 Series Cable Access Routers: Cisco IOS Release 12.2(8)T or later release
The Cisco Easy VPN Remote feature enables Cisco IOS routers and adaptive security appliances to act as remote Cisco VPN Clients. As such, these devices can receive security policies from a Cisco Easy VPN Server, minimizing VPN configuration requirements at the remote location. This cost-effective solution is ideal for remote offices with little IT support or large customer premises equipment (CPE) deployments where it is impractical to individually configure multiple remote devices. This feature makes VPN configuration as easy as entering a password, which increases productivity and lowers costs as the need for local IT support is minimized.
The following list details the Cisco VPN Clients that support the Cisco Easy VPN Remote feature:
■ Cisco VPN Software Client Version 3.x or later
■ Cisco ASA 5505 Adaptive Security Appliance
■ Cisco PIX 501, 506, or 506E
VPN Client Version 6.2 or later
■ Cisco Easy VPN Remote routers:
– Cisco 800 and 900 Series
– Cisco 1700 and 1800 Series
– Cisco 2800 and 3800 Series
See Cisco.com for the latest listing of Cisco Easy VPN Remote devices and software clients.
Features of Cisco Easy VPN Server
[Figure: Features of Cisco Easy VPN Server]
■ Server support for Cisco Easy VPN Remote clients was introduced with the release of Cisco PIX Security Appliance Software Version 6.2, Cisco Adaptive Security Appliance Software Version 7.0, and Cisco IOS 12.2(8)T.
■ It allows remote end users to communicate using IPsec with supported adaptive security appliance VPN gateways.
■ Centrally managed IPsec policies are pushed to the clients by the server, minimizing configuration by the end users.
The Cisco Easy VPN Server enables Cisco IOS routers, PIX security appliances, and Cisco ASA security appliances to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote-office devices are using the Cisco Easy VPN Remote feature.
Using this feature, security policies defined at the headend are pushed to the remote VPN device, ensuring that those connections have up-to-date policies in place before the connection is established.
Cisco Easy VPN Server Policy
This topic describes how group policy is derived during Cisco Easy VPN tunnel connection.
[Figure: Policy push from the Cisco Easy VPN Server to the Cisco Easy VPN Remote]
■ Upon tunnel connection, the Cisco Easy VPN Server pushes group policy and user attributes to the Cisco Easy VPN Remote.
■ Conflicting policies or attributes on the Cisco Easy VPN Remote are overwritten by policies and attributes pushed from the Cisco Easy VPN Server.
■ Changes to Cisco Easy VPN Remote policy must be made from the Cisco Easy VPN Server while it is configured as a VPN hardware client.
When a tunnel is established, the Cisco Easy VPN Server pushes the group policy or user attributes stored in its configuration to the Cisco Easy VPN hardware client. These values within the group policy or user attributes overwrite any conflicting values that are within the local group policy or user attributes on the Cisco Easy VPN Remote. The following is a partial list of these policy or user attributes and a description for each:
■ backup-servers: Sets up backup servers on the client in case the primary server fails to respond.
■ banner: Sends a banner to the client after establishing a tunnel.
■ client-access-rule
■ client-firewall: Sets up the firewall parameters on the VPN client.
■ default-domain: Sends a domain name to the client.
■ dns-server: Specifies the IP address of the primary and secondary Domain Name System (DNS) servers, or prohibits the use of DNS servers.
■ dhcp-network-scope: Specifies the IP subnets to which the DHCP server assigns addresses to users within this group.
■ group-lock: Specifies a tunnel group to ensure that users connect to that group.
■ ipsec-udp: Uses User Datagram Protocol (UDP) encapsulation for the IP Security (IPsec) tunnels.
■ ipsec-udp-port: Specifies the port number for IPsec over UDP.
■ nem: Enables or disables network extension mode.
■ password-storage: Lets the VPN user save a password in the user profile.
■ pfs: Commands the VPN client to use Perfect Forward Secrecy (PFS).
■ re-xauth: Requires Extended Authentication (XAUTH) authentication when Internet Key Exchange (IKE) rekeys.
Note: Disable re-xauth if secure unit authentication is enabled.
■ secure-unit-authentication: Enables interactive authentication for VPN hardware clients.
■ split-dns: Pushes a list of domains for name resolution.
■ split-tunnel-network-list: Specifies one of the following:
– No access list exists for split tunneling. All traffic travels across the tunnel.
– Identifies the access list that the security appliance uses to distinguish networks that require tunneling and those that do not.
Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form. With split tunneling enabled, packets not bound for destinations on the other side of the IPsec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
■ split-tunnel-policy: Lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form, or to a network interface in cleartext form. Options include the following:
– Exclude specified: Defines a list of networks to which traffic goes in the clear.
– Tunnel all: Specifies that no traffic will go in the clear or to any destination other than the Cisco Easy VPN Server. Remote users reach Internet networks through the corporate network and do not have access to local networks.
– Tunnel specified: Tunnels all traffic from or to the specified networks.
This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear, and is routed by the remote user's Internet service provider (ISP).
■ user-authentication: Enables individual user authentication for hardware-based VPN clients.
■ vpn-access-hours: Restricts VPN access hours.
■ vpn-filter: Applies a filter to VPN traffic.
■ vpn-idle-timeout: Specifies the number of minutes that a session can be idle before it times out.
■ vpn-session-timeout: Specifies the maximum number of minutes for VPN connections.
■ vpn-simultaneous-logins: Specifies the maximum number of simultaneous logins.
■ vpn-tunnel-protocol: Specifies the permitted tunneling protocols.
■ wins-server: Specifies the IP address of the primary and secondary Windows Internet Name Service (WINS) servers, or prohibits the use of WINS servers.
Note: Although this list is meant to be comprehensive, it only covers a portion of the attributes that pertain to configuring the ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote. Most of these policy and user attributes are discussed at length in the previous two lessons.
After the ASA 5505 Adaptive Security Appliance has been enabled as a Cisco Easy VPN Remote, the configuration of IKE and IPsec parameters is not allowed, except within the Easy VPN Remote pane (in some configuration setups, no changes at all are allowed). If configuration changes are attempted, the security appliance will send a warning that only the Cisco Easy VPN Server can change the settings. Therefore, changes to certain attributes pushed to the Cisco Easy VPN hardware client must be made from the security appliances on the primary and secondary Cisco Easy VPN servers.
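The attribute names in the list above are the group-policy attributes as they appear at the ASA CLI. As an added example, which is not the page's own configuration, the following group policy on a Cisco Easy VPN Server collects a representative set of the attributes that would be pushed to an ASA 5505 hardware client when its tunnel comes up. The names EZVPN_HW, EZVPN_HW_TG, and HW_Split, the domain corp.example.com, the addresses, the timeouts, and the pre-shared key are all assumed.

```cisco
! Added example of Easy VPN Server policy for hardware clients (names and addresses assumed).
! Split-tunnel network list that is pushed to the hardware client.
access-list HW_Split standard permit 10.0.0.0 255.0.0.0
!
group-policy EZVPN_HW internal
group-policy EZVPN_HW attributes
 ! Permitted tunneling protocol and network extension mode for the ASA 5505.
 vpn-tunnel-protocol ipsec
 nem enable
 ! Backup servers: pushed to the remote once the primary connection is up.
 backup-servers 192.168.1.3 192.168.1.4
 ! Split tunneling (Tunnel specified), split DNS, default domain, name servers.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HW_Split
 split-dns value corp.example.com
 default-domain value corp.example.com
 dns-server value 10.0.1.10 10.0.1.11
 wins-server none
 ! NAT transparency: IPsec over UDP on port 10000.
 ipsec-udp enable
 ipsec-udp-port 10000
 ! PFS on rekey, and lock users of this policy to the tunnel group below.
 pfs enable
 group-lock value EZVPN_HW_TG
 ! Per the Note above: no re-XAUTH on IKE rekey when secure unit authentication is used.
 re-xauth disable
 vpn-idle-timeout 30
 vpn-session-timeout 480
 vpn-simultaneous-logins 1
!
tunnel-group EZVPN_HW_TG type remote-access
tunnel-group EZVPN_HW_TG general-attributes
 default-group-policy EZVPN_HW
tunnel-group EZVPN_HW_TG ipsec-attributes
 ! Constructed pre-shared key; the remote's Group Password must match it.
 pre-shared-key EzVpnGroupKey1
```

Any of these values that conflict with the local configuration of the ASA 5505 are overwritten when the tunnel is established, which is why the page states that changes must be made on the primary and secondary servers rather than on the hardware client.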
Cisco Easy VPN Hardware Client
This topic describes the configuration of the ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote and the ASA 5520 Adaptive Security Appliance as a Cisco Easy VPN Server.
Enabling Cisco Easy VPN Remote
[Figure: Easy VPN Remote pane in Cisco ASDM]
The ASA 5505 Adaptive Security Appliance is the only appliance within the ASA 5500 Series that can be configured as a Cisco Easy VPN Remote. The ASA 5505 Adaptive Security Appliance can function as a Cisco Easy VPN Remote or as a server, but it cannot function in both of these modes at the same time. It does not have a default role for Cisco Easy VPN.
To configure the ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote, within Cisco ASDM for the ASA 5505, complete the following steps:
Step 1 Choose the Configuration icon.
Step 2 Click the Remote Access VPN menu.
Step 3 Click the Easy VPN Remote option. The Easy VPN Remote pane appears.
Step 4 Check the Enable Easy VPN Remote check box.
Network Extension Mode
[Figure: Network extension mode]
■ Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses
– Does not use PAT
– Supports split tunneling
In network extension mode (NEM), the PCs and other hosts at the client end of the IPsec tunnel are given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network. Because Port Address Translation (PAT) is not used, the client PCs and hosts have direct access to the PCs and hosts on the network of the headend.
This mode supports split tunneling, which allows secure access to corporate resources through the IPsec tunnel while also allowing Internet access through a connection to an ISP or other service, thereby eliminating the corporate network from the path for Internet access.
In network extension mode, all small office, home office (SOHO) PCs that are connected to the ASA 5505 Adaptive Security Appliance are uniquely addressable through the tunnel. This allows direct connection to devices behind the ASA 5505 Adaptive Security Appliance. It enables central-site management information system (MIS) personnel to directly address devices behind the ASA 5505 Adaptive Security Appliance over the IPsec tunnel.
The figure illustrates the network extension mode of operation. In this example, two ASA 5505 Adaptive Security Appliances act as Cisco Easy VPN Remote clients, connecting to the ASA 5520 Easy VPN Server. The client hosts are given IP addresses that are fully routable by the destination network over the tunnel. These IP addresses could be either in the same subnet space as the destination network, or they could be in separate subnets, as long as the destination routers are configured to properly route those IP addresses over the tunnel. This provides a seamless extension of the remote network.
Client Mode
[Figure: Client mode, with an ASA 5505 (Cisco Easy VPN Remote) connecting to an ASA 5520 (Cisco Easy VPN Server)]
■ Client mode
– Does use PAT
– Enables the client to automatically configure PAT translations and the ACLs that are needed to implement the VPN tunnel
– Supports split tunneling
In client mode, also called PAT mode, the IP addresses of the Cisco Easy VPN Remote client private network are isolated from those of the enterprise network. IP address management is not required for the inside interface or inside host.
The Cisco Easy VPN Remote feature automatically configures the PAT translation and access control lists (ACLs) that are needed to implement the VPN connection. These configurations are automatically created when the VPN connection is initiated. When the tunnel is torn down, the PAT translations and the ACL configurations are automatically deleted.
Note: The PAT translation and ACL configurations that are created by the Cisco Easy VPN Remote feature are not written to either the startup configuration or running configuration files. However, you can display these configurations in Cisco routers by using the show ip nat statistics, show access-list, or show vpnclient detail commands.
Client mode is for those who want to deploy a VPN quickly and easily in a SOHO. If there is no need to see the devices behind the Cisco VPN Hardware Client and ease of use and installation is essential, then you should implement client mode. In client mode, the ASA 5505 Adaptive Security Appliance uses PAT to isolate its private network from the public network. SOHO PCs behind the Cisco VPN Hardware Client are invisible to the outside network. PAT causes all traffic from the SOHO PCs to appear on the private network as a single source IP address.
The figure illustrates the Cisco Easy VPN Remote client mode of operation. In this example, the ASA 5505 Adaptive Security Appliance provides access to two PCs, which have IP addresses in the 192.168.x.0 private network space. These PCs connect to the Ethernet interface on the ASA 5505 Adaptive Security Appliance. The two PC IP addresses are translated to the ASA 5505 Easy VPN Remote IP address 10.0.1.2. The ASA 5505 Adaptive Security Appliance performs PAT translation over the IPsec tunnel so that the PCs can access the destination network.
If split tunneling is enabled, any traffic bound for networks on the outside interface and not bound for the IPsec tunnel would be translated to the IP addresses found in the global pool or translated to the outside interface IP address of 172.16.1.2.
Configuring Mode
[Figure: Mode section of the Easy VPN Remote pane]
To configure the Easy VPN Remote mode of operation for the ASA 5505 Adaptive Security Appliance, complete the following steps:
Step 5 Within the Mode section of the Easy VPN Remote pane, choose Client Mode or Network Extension Mode. If Network Extension Mode is selected, the Auto connect option becomes available. With this option, the Easy VPN Remote automatically initiates IPsec data tunnels to the Cisco Easy VPN Server when network extension mode and split tunnels are configured. In this example, client mode is chosen as the mode of operation.
IPsec data tunnels are automatically initiated and sustained when in network extension mode, except when split tunneling is configured. Automatic tunnel initiation is disabled if secure unit authentication is enabled.
Group Settings: Tunnel Group and Trustpoint
[Figure: ASA 5505 (Cisco Easy VPN Remote) IKE peer authentication]
■ IKE peer authentication
– Digital certificate
– Pre-shared key
When configuring the ASA 5505 Adaptive Security Appliance as a Cisco Easy VPN Remote, you can configure it to use a tunnel group or a trustpoint for authentication, depending on the Cisco Easy VPN Server configuration. When you choose a tunnel group, the tunnel group name and its pre-shared key configured on the Cisco Easy VPN Server are used as the group and password. If you choose trustpoint, you must configure the CA identity certificate and a device identity certificate. Certificate configuration can be found on the Certificate option of the Remote Access VPN menu. By default, if no tunnel group or trustpoint is configured, the Easy VPN Remote attempts to use Rivest, Shamir, and Adleman (RSA) certificates.
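Steps 1 through 5 above, and the choice between a tunnel group and a trustpoint just described, map onto the vpnclient commands of the ASA 5505. The following is an added example written for this page, not the commands Cisco ASDM generates in the figures; the group name EZVPN_HW_TG and its password, the trustpoint name ASA5505_TP, and the use of 192.168.1.2 (the server address used later in this lesson) as the Easy VPN Server are assumed.

```cisco
! Added example: ASA 5505 as a Cisco Easy VPN Remote (group name, key and trustpoint assumed).
! Easy VPN Server (ASA 5520) that the remote connects to.
vpnclient server 192.168.1.2
!
! Mode of operation (Step 5). Client mode PATs all inside hosts to the address
! assigned to the remote; network extension mode (NEM) keeps inside hosts routable.
vpnclient mode client-mode
! NEM alternative, with automatic tunnel initiation when split tunneling is also
! pushed by the server (the "Auto connect" option in ASDM):
! vpnclient mode network-extension-mode
! vpnclient nem-st-autoconnect
!
! Group settings, pre-shared key variant: the tunnel group name and IKE pre-shared
! key exactly as configured on the Easy VPN Server.
vpnclient vpngroup EZVPN_HW_TG password EzVpnGroupKey1
! X.509 certificate variant instead of a group password: authenticate with the
! identity certificate enrolled under this trustpoint and send the certificate chain.
! vpnclient trustpoint ASA5505_TP chain
!
! Step 4: turn the Easy VPN Remote feature on once the parameters above are set.
vpnclient enable
```

The vpngroup and trustpoint settings are alternatives; if neither is configured, the remote attempts RSA certificate authentication, as the page states. After vpnclient enable takes effect, IKE and IPsec parameters are no longer edited locally: they arrive in the group policy pushed from the server.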
To configure the ASA 5505 Easy VPN Remote group settings, complete the following steps:
Step 6 Within the Group Settings section of the Easy VPN Remote pane, choose Pre-shared Key or X.509 Certificate.
Step 7 If you choose the Pre-shared Key option, the Group Name and Group Password options become available. The Group Name is the name of the VPN tunnel group that is configured on the Easy VPN Server. You must configure this tunnel group on the server before establishing a connection. The Group Password is the IKE pre-shared key that is used for authentication on the Easy VPN Server.
Step 8 If you choose the X.509 Certificate option, the option to select a configured certificate is available from the Select Certificate drop-down list and Send Certificate Chain becomes available. A certificate chain is a sequence of certificates where the subsequent CA in the higher hierarchy signs each certificate. The last certificate in the chain is normally the self-signed certificate of the root CA.
In this example, the X.509 Certificate option is chosen, and a previously configured certificate is selected.
User or Unit Authentication
[Figure: ASA 5505 Cisco Easy VPN Remote authentication options]
■ ASA 5505 Cisco Easy VPN Remote IKE authentication options
– Pre-shared key
– Digital certificates
■ ASA 5505 Cisco Easy VPN Remote available user and unit authentication options
– No extended authentication
– Secure unit authentication
– Individual user authentication
The ASA 5505 Easy VPN Remote configures the authentication mechanism that it uses, based on the group policy and user attributes pushed to it from the Easy VPN Server.
The following list identifies the user authentication options that are supported by the Easy VPN hardware client; however, you must configure them on the Easy VPN Server:
■ No Extended Authentication: Requires no XAUTH for the ASA 5505 Easy VPN Remote each time a tunnel initiation occurs.
■ Unit Authentication (Automatic XAUTH Authentication): Requires only the preconfigured XAUTH for the ASA 5505 Easy VPN Remote to occur each time a tunnel initiation occurs. The ASA 5505 Easy VPN Remote is configured with this username and password so that no other XAUTH requests happen.
■ Secure Unit Authentication (SUA) (also called interactive unit authentication): Requires the user to authenticate the ASA 5505 Easy VPN Remote each time a tunnel initiation occurs, by entering a username and password. By default, SUA is not enabled. Because the policy pushed down from the Cisco Easy VPN Server overwrites the local policy on the Easy VPN Remote, SUA ignores the vpnclient username command used for XAUTH if it is configured.
■ Individual User Authentication (IUA): Requires each user behind the ASA 5505 Adaptive Security Appliance to authenticate before being granted access to the VPN network. By default, IUA is not enabled.
■ Authentication by HTTP Redirection: The Cisco Easy VPN Server intercepts HTTP traffic and redirects the user to a login page. HTTP redirection is automatic and does not require configuration on the Easy VPN Server. HTTP redirection happens if one of the following is true:
– SUA or the XAUTH username and password are not configured on the Easy VPN hardware client.
– IUA is enabled.
XAUTH Configuration—Remote
[Figure: User Settings section of the Easy VPN Remote pane]
To configure the local policy of the Easy VPN Remote for Unit Authentication (Automatic XAUTH Authentication), complete the following steps:
Step 9 Within the User Settings section of the Easy VPN Remote pane, enter a username in the Username field.
Step 10 Enter and confirm the password in the User Password and Confirm Password fields.
In this example, the username "student" is entered in the Username field and the password is entered in the User Password and Confirm Password fields.
SUA and IUA Authentication Configuration—Server
[Figure: Hardware Client settings of the group policy in Cisco ASDM]
To configure the group policy on the Cisco Easy VPN Server to require SUA or IUA, complete the following steps:
Step 11 Choose the appropriate group policy from the Group Policy submenu under the Network (Client) Access menu option in the Remote Access VPN menu under the Configuration icon, and click the Edit button. (Click the New button in this submenu to create a new group policy.)
Step 12 Under the Advanced menu choose IPsec Clients. Then choose the Hardware Client option.
Step 13 (Optional) Remove the check from the Inherit check box for the Require Interactive Client Authentication (SUA) option.
Step 14 (Optional) The default is that Interactive Client Authentication is disabled, so click the Enable radio button to enable it.
Step 15 (Optional) Remove the check from the Inherit check box for the Require Individual User Authentication (IUA) option.
Step 16 (Optional) The default is that Individual User Authentication is disabled, so click the Enable radio button to enable it.
Step 17 (Optional) From this window, you can configure the User Authentication Idle Timeout as well. The default timeout value is 30 minutes.
In this example, Require Interactive Client Authentication and Require Individual User Authentication are enabled. Because these are enabled, the XAUTH username and password configuration on the ASA 5505 Easy VPN Remote will be ignored. Typically, Interactive Unit Authentication and Individual User Authentication are not both enabled in the same configuration, but they are here for example only.
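Steps 9 and 10 on the remote and Steps 11 through 17 on the server correspond to the following CLI settings. This is an added example for this page rather than the commands generated by Cisco ASDM; the group policy name EZVPN_HW and the password for the username "student" (which is the username used in the page's example) are assumed.

```cisco
! Added example (not the page's output). Group policy name and the password are assumed.
!
! --- Cisco Easy VPN Server (ASA 5520): Steps 11-17 ---
group-policy EZVPN_HW attributes
 ! Require Interactive Client Authentication (SUA): a user must enter a username
 ! and password on the remote each time a tunnel is initiated.
 secure-unit-authentication enable
 ! Require Individual User Authentication (IUA): every host behind the ASA 5505
 ! authenticates, through HTTP redirection, before it reaches the VPN network.
 user-authentication enable
 ! User Authentication Idle Timeout in minutes (the default is 30).
 user-authentication-idle-timeout 30
 ! Per the earlier Note, no re-XAUTH on IKE rekey when SUA is enabled.
 re-xauth disable
!
! --- ASA 5505 Easy VPN Remote: Steps 9-10 (Unit Authentication) ---
! Stored XAUTH credentials, used only when the server pushes neither SUA nor IUA.
! With SUA enabled on the server, this entry is ignored, as the page states.
vpnclient username student password StudentPass1
```

Because the pushed policy overrides the local one, enabling SUA on the server is the authoritative way to stop an unattended hardware client from bringing up the tunnel with a stored password; the local vpnclient username line cannot re-enable that behaviour.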
Primary and Backup Servers
[Figure: ASA 5505 (Cisco Easy VPN Remote) with primary and backup Cisco Easy VPN Servers]
■ ASA Cisco Easy VPN Remote can be configured for multiple servers
■ VPN connections are attempted based on the order of the list
■ The first server in the list is the primary
■ The remaining servers are backup servers
The ASA 5505 Easy VPN Remote can be configured for primary and secondary (backup) servers to provide it another way to the central site if the primary server becomes unavailable. The ASA 5505 Easy VPN Remote can be configured for up to 10 backup servers. VPN connections to the servers are attempted in the order in which they are added to the configuration until a successful connection is made. The first server in the list is the primary server.
[Figure: Easy VPN Server To Be Added section of the Easy VPN Remote pane]
To configure primary and backup servers for the ASA 5505 Easy VPN Remote, complete the following steps:
Step 18 Within the Easy VPN Server To Be Added section of the Easy VPN Remote pane, enter a DNS name or an IP address in the Name or IP Address field.
Step 19 Click the Add button.
In this example, the IP address 192.168.1.2 was added as the primary server for the ASA 5505 Easy VPN Remote. After a VPN connection is initialized, any backup servers that are configured on the Cisco Easy VPN Server will be pushed to the ASA 5505 Easy VPN Remote.
Remote Management
[Figure: Remote management access to the ASA 5505 Easy VPN Remote]
The Cisco ASA 5505 Easy VPN Remote supports three methods of remote management access. The three supported methods for remote management of the Cisco ASA Easy VPN Remote are in the following list:
■ Tunneled: Automates the setup of IPsec tunnels specifically for management access from the corporate network to the outside interface of the ASA 5505 Adaptive Security Appliance that is running as a Cisco Easy VPN Client.
Administrative access to the client side is limited to specific hosts or networks on the corporate network.
■ Clear: Uses normal routing to provide management access from the corporate network to the outside interface of the ASA 5505 Adaptive Security Appliance that is running as a Cisco Easy VPN Client. This option does not create management tunnels. This option should be used if a NAT device is between the Cisco Easy VPN Remote and the server.
■ Disabled: Prohibits management access from the Cisco Easy VPN Server side of the VPN connection unless specifically allowed in the configuration of the Cisco Easy VPN Remote.
When remote management is enabled, Cisco ASDM and Secure Shell (SSH) management access is denied for the private network side of the Cisco Easy VPN Remote.
[Figure: Tunneled Management section of the Advanced Easy VPN Properties window]
To configure remote management for the Cisco ASA 5505 Easy VPN Remote, complete the following steps:
Step 20 Click the Advanced button in the Easy VPN Remote pane. The Advanced Easy VPN Properties window appears.
Step 21 Within the Tunneled Management section of the Advanced Easy VPN Properties window, check the Enable Tunneled Management or Clear Tunneled Management check box.
Step 22 (Optional) When the Enable Tunneled Management check box is checked, the IP Address and Mask fields are enabled. Enter the IP address and mask in these fields for the tunneled management hosts that can access the management ports for the Cisco Easy VPN Remote.
Step 23 Click the Add button.
In this example, the network IP address 10.0.1.0 and the mask 255.255.255.0 are added.
NAT Transparency
[Figure: ASA 5505 (Cisco Easy VPN Remote) and Cisco Easy VPN Server with a NAT device in the path]
■ By default, the VPN remote and server use IPsec over UDP.
■ When UDP communications are not allowed because of network configurations, remote and server can be configured for IPsec over TCP.
There are many situations where customers require a Cisco VPN Client to operate in an environment where standard Encapsulating Security Payload (ESP) (Protocol 50) or User Datagram Protocol (UDP) 500 Internet Key Exchange (IKE) can either not function, or not function transparently (without modification to existing firewall rules). VPN uses IKE for tunnel setup and security association (SA) negotiations. IKE uses UDP so that a nonroutable IP address and port number can be translated into a routable public address and port number. PAT can translate IKE packets using its inherent UDP port number.

The problem arises when the VPN device tries to send IPsec traffic using the ESP encapsulation protocol. ESP does not use UDP or TCP port numbers. The PAT method of translating UDP port numbers does not work with IPsec. The translating device drops the IPsec frame. Cisco has created a proprietary solution to solve the IPsec PAT translation issue. By default, in the Cisco ASA security appliance, a standard IPsec datagram is wrapped in ESP and IP with no UDP port number. If the frame must traverse a NAT device, the security appliance can be configured to add a UDP header between the outer IP address and the ESP header. After the configuration change, when the datagram arrives at the PAT device, the datagram address can be translated due to the UDP encapsulation.

The goal of IPsec over TCP is to allow the Cisco VPN Clients to operate in the various environments by using TCP to encapsulate both IKE and ESP. This takes advantage of the known fact that most firewalls allow outgoing TCP traffic and the inbound packets associated with the outbound connection. Using TCP is preferred over UDP through firewalls because state can be maintained for TCP packets, resulting in higher security.
The TCP implementation defaults to port 10000, but does not restrict the ability of the administrator to configure the Cisco VPN Client to listen on different ports.

By default, the Cisco Easy VPN hardware client and server encapsulate IPsec in UDP packets. In some environments, such as those with firewall or NAT and PAT devices, UDP may be prohibited. To use standard ESP Protocol 50 or IKE UDP 500 in such environments, you must configure the client and the server to encapsulate IPsec within TCP packets to enable secure tunneling. Configuring IPsec over TCP adds unnecessary overhead to the VPN tunnel if it is not needed. For this reason, it should not be configured unless necessary.

IPsec over TCP—Remote Configuration

To configure IPsec over TCP for NAT transparency, complete the following steps:

Step 24 Within the IPsec over TCP section of the Advanced Easy VPN Properties window, check the Enable check box.

Step 25 In the Enter Port Number field, enter the TCP port number to use for IPsec over TCP connections. The default TCP port number is 10000.

In this example, using the default TCP port 10000 enables IPsec over TCP. The Cisco Easy VPN Server needs to have this setting enabled within its IKE policy as well. For the VPN tunnel to come up, the TCP ports for IPsec over TCP on the client and the server must match.

Device Pass-Through

* Devices that are incapable of authenticating the VPN tunnel are exempted from authentication.
* MAC addresses of exempted devices are added to the configuration of the Cisco Easy VPN Remote.

When the ASA 5505 Adaptive Security Appliance is deployed as a Cisco Easy VPN Remote, it can be configured to allow certain types of devices to access the VPN tunnel without authentication because these devices are incapable of performing authentication.
Cisco IP phones, network devices, and printers are examples of these types of devices. To allow a device to pass through the VPN tunnel without authentication, the Cisco ASA 5505 Easy VPN Remote needs to know the Media Access Control (MAC) address of the pass-through devices. If the MAC address is not known, it assumes that the device is capable of authentication and will not allow access to the VPN tunnel until authentication is provided.

Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing authentication. To configure the Cisco ASA 5505 Easy VPN Remote to allow devices to pass through the VPN tunnel without authentication, complete the following steps:

Step 26 Within the MAC Exemption section of the Advanced Easy VPN Properties window, enter the MAC address and MAC mask in the MAC Address and MAC Mask fields. A MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer. A MAC mask of ffff.ffff.ffff matches a single device.

Step 27 Click the Add button.

Step 28 Click OK to close the Advanced Easy VPN Properties window.

Step 29 Click Apply to send the commands to the security appliance.

In the example, the MAC address 0007.50d5.4495 is entered for the IP phone with a MAC mask of ffff.ffff.ffff to match this specific IP phone and MAC address.

Devices such as Cisco IP phones and wireless access points are incapable of performing authentication. You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable Cisco IP Phone Bypass, enter the ip-phone-bypass command with the enable keyword in group-policy configuration mode. Cisco IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes.
Cisco IP Phone Bypass is disabled by default.

When Cisco Lightweight Extensible Authentication Protocol (LEAP) Bypass is enabled, Cisco LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish Cisco LEAP authentication and then authenticate again per user authentication. Cisco LEAP Bypass is disabled by default.

To configure the Cisco ASA 5520 Cisco Easy VPN Server to allow devices to pass through the VPN tunnel without authentication, complete the following steps:

Step 30 Remove the check from the Inherit check box for LEAP Bypass.

Step 31 The default for LEAP Bypass is disable, so click the Enable radio button to enable it.

Step 32 Remove the check from the Inherit check box for IP Phone Bypass.

Step 33 The default for Cisco IP Phone Bypass is disable, so click the Enable radio button to enable it.

Step 34 Click OK to close the Edit Internal Group Policy window.

Step 35 Click Apply to send the commands to the ASA.

ASA Cisco Easy VPN Commands

The figure shows the commands sent to the ASA 5505 Easy VPN Remote and the ASA 5520 Cisco Easy VPN Server based on the Cisco Adaptive Security Device Manager (Cisco ASDM) configuration. For the ASA 5505, the Easy VPN mode is set to client-mode, and authentication is set to the trustpoint ASDM_TrustPoint3. XAUTH is configured with the username of "student" and the password "training." The Cisco Easy VPN Server is set to the IP address 192.168.1.2. Device pass-through is enabled for the MAC address of the IP phone, so that the IP phone is allowed to pass through without authentication. A management tunnel is built for the network IP address 10.0.1.0/24. IPsec over TCP is enabled on the default port TCP 10000. Lastly, the Easy VPN client is enabled. On the ASA 5520, the group policy RA-VPN-Engineers is modified so that SUA and IUA are required.
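The commands that the figure summarizes, written out here as an added example rather than the student guide's own figure. It is a reconstruction of the ASDM settings from Steps 18 through 35 in ASA 8.0-style CLI syntax, which is an assumption on my part; the values (server 192.168.1.2, trustpoint ASDM_TrustPoint3, XAUTH student/training, management network 10.0.1.0/24, TCP port 10000, IP phone MAC 0007.50d5.4495, group policy RA-VPN-Engineers) come from this lesson, and the backup-server address 192.168.1.3 is a constructed placeholder.

```text
! Added example (not the guide's figure): ASA 5505 as Cisco Easy VPN Remote.
! Syntax assumed from the ASA 8.0 command set.
vpnclient mode client-mode
! First server is the primary; backup servers are pushed by the server's group policy.
vpnclient server 192.168.1.2
vpnclient trustpoint ASDM_TrustPoint3
vpnclient username student password training
! Tunneled management: only 10.0.1.0/24 on the corporate side may reach the
! outside interface. Behind a NAT device use "vpnclient management clear" instead.
vpnclient management tunnel 10.0.1.0 255.255.255.0
! NAT transparency: must match the TCP port configured on the server.
vpnclient ipsec-over-tcp port 10000
! Device pass-through: exact-match mask for one IP phone.
! A mask of ffff.ff00.0000 would exempt every device with the same vendor prefix.
vpnclient mac-exempt 0007.50d5.4495 ffff.ffff.ffff
vpnclient enable

! Added example (not the guide's figure): ASA 5520 as Cisco Easy VPN Server.
! Same TCP port as the remote, otherwise the tunnel does not come up.
crypto isakmp ipsec-over-tcp port 10000
group-policy RA-VPN-Engineers attributes
 ! 192.168.1.3 is a constructed placeholder for a backup server.
 backup-servers 192.168.1.3
 ! SUA and IUA as required by the lesson.
 secure-unit-authentication enable
 user-authentication enable
 ! Pass-through for IP phones and LEAP without end-user authentication.
 ip-phone-bypass enable
 leap-bypass enable
```

Two points worth checking after pasting such a configuration: the management tunnel and the MAC exemption both widen what can reach the private side without user authentication, so keep the tunneled management network as small as possible and prefer a ffff.ffff.ffff mask over a vendor-wide mask; and confirm with show vpnclient on the remote that the server address, TCP port and exemptions are what you expect before enabling the client.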
IP phone and LEAP are allowed to pass through without authentication from an end user.

Summary

This topic summarizes the key points that were discussed in this lesson.

* Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
* The Cisco Easy VPN Server determines the group policy for all Cisco Easy VPN Remotes for which it is a Cisco Easy VPN Server.
* The Cisco ASA 5505 Adaptive Security Appliance can be a Cisco Easy VPN Remote by configuring the Cisco Easy VPN Remote pane within Cisco ASDM.
* The Cisco ASA 5520 Adaptive Security Appliance can be configured to enhance the group policy or user attributes for Cisco Easy VPN Remotes connecting to it as a Cisco Easy VPN Server.

Lesson 7

Configuring QoS for IPsec VPNs

Overview

This lesson discusses the quality of service (QoS) features available to the Cisco ASA 5500 Series Adaptive Security Appliance. It begins with an overview of QoS on the Cisco ASA security appliance. It continues with an example of applying QoS to virtual private network (VPN) tunnel traffic. The lesson concludes with a description of the commands available to verify the QoS configuration and a review of QoS statistical information.

Objectives

Upon completing this lesson, you will be able to identify the steps to configure QoS for VPN tunnel traffic.
This ability includes being able to meet these objectives:

* Describe the QoS features of the Cisco ASA 5500 Series Adaptive Security Appliance
* Configure QoS on the Cisco ASA 5500 Series Adaptive Security Appliance for VPN tunnel traffic
* Verify the QoS for VPN tunnel traffic configuration of the Cisco ASA 5500 Series Adaptive Security Appliance

QoS Overview

This topic describes the need for QoS and the benefits of QoS.

Quality of Service

[Figure: telecommuters, a branch office, and mobile workers connecting to the central site]

* Simplify network operations by collapsing separate networks for data, voice, and video onto one.
* Control network use by resources and users through prioritizing or policing traffic.
* Enable new network applications that would otherwise be impossible.

Have you ever participated in a voice over IP (VoIP) call and heard static or interruptions during the conversation? Maybe the call even dropped or was disconnected. During the early deployments of VoIP, these problems could have arisen because of latency. Latency is the time interval between the arrival of packets being transmitted over the network. VoIP and streaming video traffic cannot tolerate high latency. QoS is a network feature that lets you give priority to traffic that cannot tolerate latency. QoS allows a network to provide better service to selected network traffic over various technologies for the best overall service within the limited bandwidth of the underlying technologies.

With the growth in broadband and the geographical diversity of the workforce, more businesses are supporting remote offices, telecommuters, and mobile workers. These connections to the corporate or central site are increasing, as are the demands for network resources. As new applications increase the use of network resources, a small number of the users could absorb most, if not all, of the available bandwidth, and starve the other users of network resources.
To prevent any one user or site-to-site connection from consuming more than its appropriate share of bandwidth, QoS provides a policing feature that regulates the maximum bandwidth that any user can use. QoS can also give traffic, such as VoIP or streaming video, a higher priority because of its low tolerance for latency.

Video and VoIP are increasingly important for interoffice communication within the corporate network. And with more corporate networks being geographically dispersed sites, using the infrastructure of the Internet as the transport mechanism is key to business operations and continuity. Firewalls are key to securing networks by controlling access and providing inspection of VoIP protocols. QoS is the focal point to provide clear, uninterrupted voice and video communications, while still providing a basic level of service for all other traffic passing through the device.

For voice and video to traverse IP networks in a secure, reliable, and toll-quality manner, QoS must be enabled at all points of the network. The implementation of QoS lets you do the following:

* Simplify network operations by collapsing all data, voice, and video network traffic onto a single network using similar technologies.
* Control resource use by controlling which traffic receives which resources. In this manner, the most important, time-critical traffic receives the network resources that it needs, and other applications that are not as important share network resources without interfering with mission-critical traffic.
* Enable new network applications, such as integrated call center applications and video-based training, that can help differentiate enterprises in their respective market spaces and increase productivity.

Cisco ASA QoS

This topic describes the QoS features that are available on the Cisco ASA adaptive security appliance.
Best Effort

* Cisco ASA uses best-effort queuing by default for traffic received on a configured interface.
* Best effort is given to get the packet to its destination with no guarantee of reliability or the bandwidth used.
* The queue is serviced on a first-in-first-out basis.

QoS was introduced in the ASA 5500 Series Adaptive Security Appliance software with version 7.0 to provide low latency queuing (LLQ) and rate limiting on selected network traffic for both individual flow and VPN tunnel flow to ensure that all traffic gets its fair share of limited bandwidth. With the Cisco ASA security appliance, QoS can apply to a combination of source and destination IP addresses, source and destination port numbers, and the type of service (ToS) byte of the IP header.

By default, QoS is not enabled on the Cisco ASA security appliance, so traffic is placed in the default queue or best-effort queue. The best-effort queue works on a first-come first-served basis, and no traffic has priority over any other traffic. Best effort does not guarantee reliable delivery of packets because there is no sophisticated acknowledgement system in place for the best-effort queue. It does make a "best effort" to deliver packets to the destination.

Rate Limiting

* Also known as traffic policing
* Set bandwidth limits for traffic types defined in Cisco Modular Policy Framework (MPF)
* Allows QoS through bandwidth limits—more for resources requiring more bandwidth and less for those that do not

The Cisco ASA security appliance QoS feature provides rate control, or policing, for tunneled traffic for each individual user tunnel and every site-to-site tunnel.
The Cisco ASA security appliance can police individual user traffic within a LAN-to-LAN tunnel by configuring class maps that are not associated with the tunnel, but whose traffic eventually passes through the LAN-to-LAN tunnel. The traffic before the LAN-to-LAN tunnel can then be specifically policed as it passes through the tunnel and is policed again to the aggregate rate applied to the tunnel. This prevents the traffic of any one individual user from overwhelming any other.

* Also known as priority queuing
* Enables a priority queue on a per-physical-interface basis
* Enables QoS for traffic that is of a higher priority or that is more latency-sensitive than best-effort traffic

The Cisco ASA security appliance can also achieve QoS through two traffic queues for each interface: a low latency queue, and a default, or best-effort, queue. The low latency queue or priority queue is used for time-sensitive, mission-critical traffic that the Cisco ASA security appliance recognizes, and it enforces appropriate policy, based on class and policy maps. Traffic designated for the priority queue cannot have rate limiting applied to it. Only the best-effort queue is subject to rate limiting.

Because queues are not of infinite size, they can fill and overflow. When a queue is full, any additional packets cannot get into the queue and are dropped. To avoid having the queue fill up, the buffer size of the queue is configurable. The maximum number of packets allowed in the transmit queue can also be configured. These configurations allow for control of the latency and robustness of the priority queuing.

Because QoS can consume large amounts of resources, which could degrade security appliance performance, QoS is disabled by default.

Note: You must consider that in an ever-changing network environment, QoS is not a one-time deployment, but an ongoing, essential part of network design.
Configuring QoS for VPNs

This topic describes how to configure QoS for unified communications that are traversing a LAN-to-LAN VPN tunnel.

* Acme Transport Company has LAN-to-LAN VPNs deployed for branch office connections.
* All traffic currently is placed in the same "best-effort" queue for transmission through the tunnel.
* Remote-office Unified Communications needs QoS applied for VPN tunneled traffic.

QoS can be applied to any traffic flows traversing the Cisco ASA security appliance. A common application of QoS is to apply it to VPN tunneled traffic. This section describes how to configure QoS for site-to-site VPN tunnels, using the Acme Transport network as an example.

The Acme Transport network currently does not have QoS configured. In this example, QoS for site-to-site VPN tunnels that are connecting remote offices to the corporate office will be configured. Unified Communications, VoIP, video, and Cisco TelePresence are configured for priority queuing, and all other traffic using the site-to-site VPN tunnel has rate limiting applied to it. Also, all non-VPN traffic leaving the "outside" interface is rate limited as well.

Configuring Priority Queue

To enable LLQ QoS, a priority queue must be configured on the physical interface. To configure a priority queue, complete these steps:

Step 1 Choose the Priority Queue submenu option from the Advanced option within the Device Management menu under the Configuration icon. The Priority Queue pane is displayed.

Step 2 Click the Add button, and the Add Priority Queue window appears.

Step 3 Choose the appropriate interface from the Interface drop-down menu.

Step 4 Enter the priority queue buffer size in the Queue Limit field.
The default priority queue limit size is 2048 packets. The upper limit of the priority queue is determined dynamically at run time based primarily on available system memory. The only way to view the upper limit is from the command-line interface (CLI). Use the help priority-queue command. In this example, the default value of 2048 is left unchanged.

Step 5 Enter the maximum number of packets to be placed in the transmit queue in the Transmission Ring Limit field. In this example, the transmission ring is set to 256 packets.

Note: The ASA 5505 Adaptive Security Appliance is an exception to priority queue configuration. Configuring a priority queue on one interface configures all other interfaces with the same configuration. If the priority queue configuration is removed from one interface, it is removed from all interfaces. If priority queuing is needed, configure priority queuing on the one interface that requires the largest queue and transmission ring limits.

VPN QoS Service Policy

Now that there is a priority queue for the outside interface, to configure QoS for VPN tunneled and nontunneled traffic, complete the following steps:

Step 1 Choose the Service Policy Rules option from the Firewall menu under the Configuration icon. The Service Policy Rules pane is displayed.

Step 2 Click the Add button. The Add Service Policy Rule Wizard window opens.

Step 3 Choose the interface from the Interface drop-down list. In this example, the outside interface is selected.

Step 4 (Optional) Enter a description for the service policy map in the Description field. Other administrators can use the description to assist them in determining how the service policy is used.
In this example, the description "QoS for UC traffic" is entered. Click Next to continue with the wizard setup.

Define Unified Communications Class Map

To configure class maps for the service policy, continue with these steps:

Step 7 Choose the Create a New Traffic Class radio button and enter the new class map name in the field. In this example, the name "UC-tunneled" is entered.

Step 8 (Optional) Enter a description for the class map in the Description field. Other administrators can use the description to assist them in determining what traffic is matched by the class policy. In this example, the description "Match UC tunneled traffic" is entered.

Step 9 Choose the Traffic Match Criteria by checking the appropriate check box. Only two traffic match criteria can be chosen. The different types of match criteria are these:

* Default Inspection Traffic: The class matches the default TCP and User Datagram Protocol (UDP) ports used by all applications that the security appliance can inspect. The security appliance includes a default global policy that matches the default inspection traffic, and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the Default Inspection Traffic class are enabled by default in the policy map.
* Source and Destination IP Address (Uses ACL): The class matches traffic specified by an extended access list. If the security appliance is operating in transparent firewall mode, you can use an EtherType access list.
* Tunnel Group: The class matches traffic for a tunnel group to which you want to apply QoS. You can also specify one other traffic match option to refine the traffic match, excluding Any Traffic, Source and Destination IP Address (Uses ACL), or Default Inspection Traffic.
* TCP or UDP Destination Port: The class matches a single port or a contiguous range of ports.
For applications that use multiple, noncontiguous ports, use the Source and Destination IP Address (Uses ACL) option to match each port.
* RTP Range: The class map matches Real-Time Transport Protocol (RTP) traffic.
* IP DiffServ CodePoints (DSCP): The class matches up to eight DSCP values in the IP header.
* IP Precedence: The class map matches up to four precedence values, represented by the type of service (ToS) byte in the IP header.
* Any Traffic: Matches all traffic.

Choose Use class-default as the Traffic Class if the traffic does not match an existing traffic class. This option uses the class-default class, which matches all traffic. The class-default class is created automatically by the security appliance and placed at the end of the policy. If you do not apply any actions to it, it is still created by the security appliance, but for internal purposes only. You can apply actions to this class, if desired, which might be more convenient than creating a new traffic class that matches all traffic. You can create only one rule using the class-default class, because each traffic class can be associated with only a single rule.

Step 10 In this example, the Tunnel Group and IP DiffServ CodePoints check boxes are checked.

Step 11 Click the Next button to continue.

Note: The wizard will adjust the match definition options based on the criteria selected on this screen. If different criteria are selected, the configuration options and the corresponding commands sent to the ASA will differ.

Define Unified Communications Tunnel Group Match

On the previous Traffic Classification Criteria page, the administrator selected the traffic match criteria Tunnel Group and IP DiffServ CodePoints. On this page, the administrator is asked to identify the specific tunnel group.
To define the specific class map Tunnel Group match for the service policy map, continue with these steps:

Step 12 Choose the tunnel group from the Tunnel Group drop-down list. If a new tunnel group needs to be defined, click the New button, and the Manage Connection Profiles window appears. In this example, the tunnel group RemoteOffice is chosen because it is a predefined tunnel group for site-to-site VPN connections between the remote offices and the corporate office.

Step 13 Click the Next button to continue.

Define Unified Communications DSCP Match

On the previous Traffic Classification Criteria page, the administrator selected the traffic match criteria Tunnel Group and IP DiffServ CodePoints. On this page, the administrator is asked to identify the specific IP DiffServ CodePoints DSCP value. To define the DSCP class map match for the service policy map, continue with these steps:

Step 14 Select the appropriate DSCP values to add and click the Add button. In this example, the DSCP value for Expedited Forwarding (EF), ef (46), is selected because this DSCP value of EF is set in the IP header for UC packets.

Step 15 Click the Next button to continue.

Define Unified Communications Policy Map

After the traffic criteria are defined, a policy rule is defined for the identified traffic. To define a QoS policy map rule for the UC-tunneled class map, continue with these steps:

Step 16 Choose the QoS tab. The QoS policy rules options are displayed.

Step 17 Check the Enable Priority for this Flow check box. Based on this example, by checking this box, the traffic that matches the UC-tunneled class map will be placed in the priority queue on the outside interface.
Step 18 Click the Finish button.

Now the Acme Transport network security administrators have defined a class map for UC traffic within the selected tunnel to be placed in a priority queue on the outside interface.

Define Non-Unified Communications Class

There is still more traffic traversing the tunnel, and the network security administrators need to apply QoS to it. However, this traffic is not a priority and needs to be policed to ensure that there is bandwidth for the priority traffic. To continue configuring the service policy map, add additional policy maps by using these steps:

Step 19 From the Service Policy Rules pane, click the Add button. (Not shown.)

Step 20 In the Add Service Policy Rule Wizard window, click Next. (Not shown.)

Step 21 Choose the Create a New Traffic Class radio button and enter the new class map name in the field. In this example, the name "non-UC-tunneled" is entered.

Step 22 (Optional) Enter a description for the class map in the Description field. Other administrators can use this field to assist them in determining what traffic is matched by the class policy. In this example, the description "Match non UC tunneled traffic" is entered.

Step 23 Choose the Traffic Match Criteria by checking the appropriate check box. In this example, the Tunnel Group check box is checked.

Step 24 Click the Next button to continue.

Define Non-Unified Communications Class Map Match

To define the specific class map match for the service policy map, continue with these steps:

Step 25 Choose the tunnel group from the Tunnel Group drop-down list. In this example, the tunnel group RemoteOffice is chosen because it is a predefined tunnel group for site-to-site VPN connections between the remote offices and the corporate office.

Step 26 Check the Match Flow Destination IP Address check box.
All traffic going to a unique destination IP address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic. For remote-access VPNs, this command applies to each remote-access host flow. For site-to-site VPNs, this command applies to the single aggregated VPN flow identified by the local and remote tunnel address pair. This option is chosen because the Acme Transport security administrators want to match the non-UC traffic that is using too much bandwidth within the VPN tunnel.

Step 27 Click the Next button to continue.

Define Non-Unified Communications Policy Map

To define the policy map rules for the non-UC-tunneled class map, continue with these steps:

Step 28 Choose the QoS tab. The QoS policy rules options are displayed.

Step 29 Check the Enable Policing check box. This enables the input policing and output policing check boxes.

Step 30 Check the Output Policing check box to enable output policing QoS. This enables the configuration options for output policing.

Step 31 Enter the committed rate in the Committed Rate field. The committed rate is the rate limit for the traffic flow. This is a value in the range 8,000 to 2,000,000,000, specifying the maximum speed (bits per second) allowed. In this example, the committed rate is set to 200,000 b/s.

Step 32 Choose the conform action from the Conform Action drop-down list. The action is taken when the rate is less than the burst size value. The action options are to drop or to transmit the packet. In this example, the conform action is set to transmit.

Step 33 Select the exceed action from the Exceed Action drop-down list. The options are to transmit or to drop. This action is taken when the rate is between the conform-rate value and the conform-burst value. In this example, the exceed action is set to drop.

Step 34 Enter a burst rate limit in the Burst Size field.
This is a value in the range of 1000 to 512,000,000, specifying the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value. In this example, the burst rate limit is set to 37,500 bytes.

Step 35 Click the Finish button.

Now the Acme Transport network security administrators have defined a class map for non-UC traffic within the selected tunnel, and this traffic is policed to limit its available bandwidth as it leaves the outside interface.

Default Class

There is still more traffic traversing the outside interface of the Cisco ASA security appliance. This traffic would be nontunneled traffic, and the network security administrators need to apply QoS to it to ensure that it does not deplete available bandwidth, which could cause problems for the VPN tunneled traffic. This traffic is classified as the default class. The default class, class-default, always exists, and it is the class for all traffic that is not matched within another class. This traffic needs to be policed to ensure that there is bandwidth for the VPN tunneled traffic. To continue configuring the service policy map, complete these steps:

Step 36 From the Service Policy Rules pane, click the Add button. (Not shown.)

Step 37 In the Add Service Policy Rule Wizard window, click Next. (Not shown.)

Step 38 In the Traffic Classification Criteria window, select the Use class-default as the Traffic Class radio button.

Step 39 Click the Next button to continue.

Default Policy Map

In this window, the administrator defines the QoS policy assigned to the default traffic class. To configure policy map rules for the default class, continue with these steps:

Step 40 Choose the QoS tab. The QoS policy rules options are displayed.

Step 41 Check the Enable Policing check box.
This action enables the input policing and output policing check boxes.

Step 42 Check the Output Policing check box to enable output policing QoS. This action enables the configuration options for output policing.

Step 43 Enter the committed rate in the Committed Rate field. In this example, the committed rate is set to 1,000,000 b/s.

Step 44 Select the conform action from the Conform Action drop-down list. In this example, the conform action is set to transmit.

Step 45 Select the exceed action from the Exceed Action drop-down list. In this example, the exceed action is set to drop.

Step 46 Enter a burst rate limit in the Burst Size field. In this example, the burst rate limit is set to 37,500 bytes.

Step 47 Click the Finish button.

Step 48 Click the Apply button within the Service Policy Rules pane.

QoS Service Policy Commands

[Figure: the priority-queue, class-map, policy-map and service-policy commands sent to the ASA for the configuration above; command text not recovered]
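The class-map, policy-map and service-policy structure that the wizard builds behind the ASDM steps in this topic, as an added example (not the student guide's own figure). Every value is taken from Steps 1 through 48 above (queue limit 2048, transmission ring 256, class names UC-tunneled and non-UC-tunneled, tunnel group RemoteOffice, DSCP ef, 200,000 b/s and 1,000,000 b/s committed rates with a 37,500-byte burst); the policy-map name outside-policy is an assumption, and the syntax follows the ASA 8.0-era command set, which is also an assumption.

```text
! Added example (not the guide's figure): CLI equivalent of the ASDM QoS steps.
! priority-queue must exist on the physical interface before "priority" has any effect.
priority-queue outside
 queue-limit 2048
 tx-ring-limit 256

! UC traffic inside the site-to-site tunnel: tunnel group AND DSCP EF (46).
class-map UC-tunneled
 description Match UC tunneled traffic
 match tunnel-group RemoteOffice
 match dscp ef

! Everything else in the same tunnel, treated as one aggregated VPN flow
! (local/remote tunnel address pair) for site-to-site tunnels.
class-map non-UC-tunneled
 description Match non UC tunneled traffic
 match tunnel-group RemoteOffice
 match flow ip destination-address

! "outside-policy" is an assumed name; ASDM generates its own.
policy-map outside-policy
 description QoS for UC traffic
 class UC-tunneled
  ! LLQ: priority and police cannot be combined in the same class.
  priority
 class non-UC-tunneled
  ! committed rate in bits per second, burst in bytes
  police output 200000 37500 conform-action transmit exceed-action drop
 class class-default
  ! non-tunneled traffic leaving the outside interface
  police output 1000000 37500 conform-action transmit exceed-action drop

service-policy outside-policy interface outside
```

Order matters in the non-UC-tunneled class map: match flow ip destination-address is only accepted after match tunnel-group, which is why the wizard presents the flow check box on the tunnel group page. After applying, show service-policy interface outside and show priority-queue statistics outside report per-class packet counts, conform and exceed drops, and priority-queue drops, which is the quickest way to confirm that EF traffic is landing in the priority queue rather than in the policed default class.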
