Cisco pix vpn configuration guide pdf
The ASA implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. This section includes the guidelines and limitations for this feature.
Supported only in routed firewall mode. Transparent mode is not supported. To permit any packets that come from an IPsec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-vpn command in global configuration mode.
Typically, you create an ACL that permits IPsec packets by using the access-list command and apply it to the source interface. Decrypted through-traffic is permitted from the client despite an access group on the outside interface that calls a deny ip any any ACL, while no sysopt connection permit-vpn is configured. Trying to control access to the protected network via site-to-site or remote access VPN by using the no sysopt connection permit-vpn command in conjunction with an access control list (ACL) on the outside interface is not successful.
Traffic to hosts on the inside network is blocked correctly by the ACL, but decrypted through-traffic to the inside interface is not blocked. The ssh and http commands are of a higher priority than the ACLs. Hairpinning can also redirect incoming VPN traffic back out through the same interface as unencrypted traffic. This can be useful, for example, to a VPN client that does not have split tunneling, but needs to both access a VPN and browse the web.
To configure this feature, use the same-security-traffic command in global configuration mode with its intra-interface argument. The following example shows how to enable intra-interface traffic. Use the same-security-traffic command with the inter-interface argument to permit communication between interfaces with the same security level. This feature is not specific to IPsec connections. For the ASA to send unencrypted traffic back out through the interface, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses, unless you already use public IP addresses in your local IP address pool.
To apply NAT to all outgoing traffic, implement only the commands above. To limit VPN sessions to a lower value than the ASA allows, enter the vpn-sessiondb command in global configuration mode. The max-anyconnect-premium-or-essentials-limit keyword specifies the maximum number of AnyConnect sessions, from 1 to the maximum sessions allowed by the license. The correct licensing, term, tier, and user count are no longer determined by these commands.
The max-other-vpn-limit keyword specifies the maximum number of VPN sessions other than AnyConnect client sessions, from 1 to the maximum sessions allowed by the license. The following example shows how to set a maximum AnyConnect VPN session limit.
The information in this section applies to IPsec connections only.
The client update feature lets administrators at a central location automatically notify VPN client users that it is time to update the VPN client software. Remote users might be using outdated VPN software or hardware client versions. You can use the client-update command at any time to enable updating client revisions; specify the types and revision numbers of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version.
For Windows clients, you can provide a mechanism for users to accomplish that update. This command applies only to the IPsec remote-access tunnel-group type. To perform a client update, enter the client-update command in either general configuration mode or tunnel-group ipsec-attributes configuration mode. If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update.
The following procedure explains how to perform a client update. In global configuration mode, enable client update by entering the client-update command. In global configuration mode, specify the parameters for the client update that you want to apply to all clients of a particular type.
That is, specify the type of client, the URL or IP address from which to get the updated image, and the acceptable revision number or numbers for that client. You can specify up to four revision numbers, separated by commas. This command specifies the client update values for all clients of the specified type across the entire ASA. You can specify up to three of these client update entries. The keyword windows covers all of the allowable Windows platforms. If you specify windows, do not specify the individual Windows client types.
The following example configures client update parameters for the remote access tunnel group. It designates the revision number 4. Alternatively, you can configure client update just for individual tunnel groups, rather than for all clients of a particular type. See Step 3. Define a set of client-update parameters for a particular ipsec-ra tunnel group.
In tunnel-group ipsec-attributes mode, specify the tunnel group name and its type, the URL or IP address from which to get the updated image, and a revision number. (Optional) Send a notice to active users with outdated Windows clients that their client needs updating. For these users, a pop-up window appears, offering them the opportunity to launch a browser and download the updated software from the site that you specified in the URL.
The only part of this message that you can configure is the URL. See Step 2 or 3. Users who are not active get a notification message the next time they log on. You can send this notice to all active clients on all tunnel groups, or you can send it to clients on a particular tunnel group. For example, to notify all active clients on all tunnel groups, enter the following command in privileged EXEC mode. If you specify the client-update type as windows (specifying all Windows-based platforms) and later want to enter a client-update type of win9x or winnt for the same entity, you must first remove the windows client type with the no form of the command, and then use new client-update commands to specify the new client types.
You can enable this feature on one interface per tunnel group. Because of routing issues, we do not recommend using this feature unless you know you need it. Only supports IPv4 assigned and public addresses.
Does not support load balancing because of routing issues. In global configuration mode, enter tunnel-group general-attributes configuration mode. Use this syntax to enable the address translation. The interface determines where to apply NAT. Use this syntax to disable the address translation. In this example, outside is the interface to which the AnyConnect client connects and inside is the interface specific to the new tunnel group.
To view the licensing information including maximum sessions for your ASA, enter the show version command in global configuration mode and look for the licensing section.
The following example shows the command and the licensing information from the output of this command; the other output is redacted for clarity. Use the following command to show the resource allocation:.
You can also use the sh resource usage system controller all 0 command to show system level usage with the limit as the platform limit. To remove the session limit, use the no version of this command.
For IKEv2 remote access trustpoint configuration, use the following commands. Using this command allows the AnyConnect client to support group selection for the end user. The ASA scans the configured trustpoint list and chooses the first one that the client supports. The line-number option specifies where in the list you want the trustpoint inserted. Typically, this option is used to insert a trustpoint at the top without removing and re-adding the other lines.
If a line is not specified, the ASA adds the trustpoint at the end of the list. If you try to add a trustpoint that already exists, you receive an error.
If you use the no crypto ikev2 remote-access trustpoint command without specifying which trustpoint name to remove, all trustpoint configuration is removed. These steps describe configuring the pool of cryptographic cores in either single or multiple context mode. With dynamic split tunneling, you can dynamically provision split exclude tunneling after tunnel establishment based on the host DNS domain name.
Dynamic split tunneling is configured by creating a custom attribute and adding it to a group policy. To use this feature, you must have AnyConnect release 4. Refer to About Dynamic Split Tunneling for further explanation. Define the custom attribute type in the WebVPN context with the following command: anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains. The attribute value contains the list of domain names to exclude from the VPN tunnel and must be in comma-separated values (CSV) format, as in the following: anyconnect-custom-data dynamic-split-exclude-domains webex.
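As an added worked example (not code from the page or from Cisco's documentation), the ASA features described above collected into one configuration: hairpinning with NAT for the VPN pool, session limits, the legacy IPsec client-update procedure, and the dynamic split-exclude custom attribute. The object, policy and attribute names, the pool network, URL, revision number and domain list are constructed values.

```cisco
! --- Hairpinning: allow decrypted VPN traffic to leave through the interface
! it arrived on, and translate the (constructed) pool network to the outside
! address so that return traffic routes back to the ASA.
same-security-traffic permit intra-interface
object network VPN-POOL-NET
 subnet 10.20.30.0 255.255.255.0
nat (outside,outside) source dynamic VPN-POOL-NET interface
!
! --- Keep the default that exempts VPN traffic from interface ACLs. As the
! text notes, 'no sysopt connection permit-vpn' plus an outside ACL does not
! reliably filter decrypted through-traffic, so it is not used for that here.
sysopt connection permit-vpn
!
! --- Cap concurrent sessions below the licensed maximum (constructed values;
! each must lie between 1 and the limit reported by 'show version').
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
vpn-sessiondb max-other-vpn-limit 10
!
! --- Legacy IPsec client update, global form covering all Windows clients.
! The URL and revision number are constructed placeholders.
client-update enable
client-update type windows url https://updates.example.com/vpnclient/ rev-nums 5.0.07.0440
!
! --- Dynamic split-exclude tunneling: declare the attribute type under webvpn,
! give it a CSV value of domains, then reference that value from a group policy.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description dynamic split exclude domains
anyconnect-custom-data dynamic-split-exclude-domains collab-domains webex.com,webexconnect.com
group-policy RA-GROUP-POLICY internal
group-policy RA-GROUP-POLICY attributes
 anyconnect-custom dynamic-split-exclude-domains value collab-domains
```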
A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user.
The access-list command designates a numbered extended access list; the ip access-list extended command designates a named access list. Tip: If you have trouble, make sure you are specifying the correct access list number. You must define transform sets regardless of the tunneling protocol you use. To define a transform set and configure IPSec tunnel mode, complete the following steps starting in global configuration mode.
Define a transform set and enter crypto-transform configuration mode. This example combines the AH transform ah-sha-hmac, the ESP encryption transform esp-des, and the ESP authentication transform esp-sha-hmac in the transform set proposal4. There are complex rules defining which entries you can use for the transform arguments. These rules are explained in the command description for the crypto ipsec transform-set command. You can also use the crypto ipsec transform-set ? command to display the available transforms.
Change the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. All other traffic is in tunnel mode only.
This example configures tunnel mode for the transform set proposal4, which creates an IPSec tunnel between the IPSec peer addresses. The Authentication Header (AH), when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header.
It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures. The Encapsulating Security Payload (ESP) header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
Note: AH and ESP can be used independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry-standard algorithms.
Remote devices need to be managed through a VPN from the central site when operating on a centralized IT model. VPN devices support numerous configuration options to determine the tunnel endpoint and, depending on the method chosen, these options may affect the manageability of the network. Refer to the "Dynamic versus Static Crypto Maps" section for a discussion of when to use static or dynamic crypto maps. To be most effective in managing remote devices, you must use static cryptographic maps at the site where your management applications are located.
Dynamic cryptographic maps can be used at the headend for ease of configuration. Dynamic maps, however, accept only incoming IKE requests, and because dynamic maps cannot initiate an IKE request, it is not always guaranteed that a tunnel exists between the remote device and the headend site.
Static cryptographic map configuration includes the static IP addresses of the remote peers. Thus, remote sites must use static IP addresses to support remote management. For IPSec to succeed between two IPSec peers, both peer crypto map entries must contain compatible configuration statements.
When two peers try to establish a security association (SA), they must each have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. For two crypto map entries to be compatible, they must meet the following minimum criteria. In the case where the responding peer is using dynamic crypto maps, the entries in the local crypto access list must be "permitted" by the peer's crypto access list. This means that you can specify lists, such as lists of acceptable transforms, within the crypto map entry.
After you have completed configuring IPSec at each participating IPSec peer, configure crypto map entries and apply the crypto maps to interfaces. The task of configuring IPSec at each peer can be eased by utilizing dynamic crypto maps.
By configuring the head-end Cisco series router with a dynamic map, and the peers with a static map, the peer is permitted to establish an IPSec security association even though the router does not have a crypto map entry specifically configured to meet all of the remote peer's requirements. This section contains basic steps to configure crypto maps and includes the following tasks. To create crypto map entries that use IKE to establish the SAs, complete the following steps starting in global configuration mode.
Create the crypto map and specify a local address (physical interface) to be used for the IPSec traffic. This step is only required if you have previously used the loopback command or if you are using GRE tunnels. Enter crypto map configuration mode, specify a sequence number for the crypto map you created in Step 1, and configure the crypto map to use IKE to establish SAs.
This example configures sequence number 2 and IKE for crypto map s4second. Specify an extended access list. This example configures the access list that was created in the "Creating Crypto Access Lists" section. Specify the remote IPSec peer; this is the peer to which IPSec-protected traffic can be forwarded. Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority, highest priority first. To create dynamic crypto map entries that use IKE to establish the SAs, complete the following steps, starting in global configuration mode.
Specifies which transform sets are allowed for the crypto map entry. This is the only configuration statement required in dynamic crypto map entries. (Optional) Access list number or name of an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec security in the context of this crypto map entry. Note: Although access lists are optional for dynamic crypto maps, they are highly recommended.
If the access list is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If the access list is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets.
This is similar to static crypto maps because they also require that an access list be specified. Care must be taken if the any keyword is used in the access list, because the access list is used for packet filtering as well as for negotiation.
This is rarely configured in dynamic crypto map entries. Dynamic crypto map entries are often used for unknown remote peers. (Optional) If you want the security associations for this crypto map to be negotiated using shorter IPSec security association lifetimes than the globally specified lifetimes, specify a key lifetime for the crypto map entry.
In the following example, peer
Tip: If you have trouble, make sure you are using the correct IP addresses. You need to apply a crypto map set to each interface through which IPSec traffic flows. Applying the crypto map set to an interface instructs the router to evaluate all the interface traffic against the crypto map set, and to use the specified policy during connection or SA negotiation on behalf of traffic to be protected by crypto.
To apply a crypto map set to an interface, complete the following steps starting in global configuration mode.
Specify a physical interface on which to apply the crypto map and enter interface configuration mode. Apply the crypto map set to the physical interface.
This example configures crypto map s4second, which was created in the "Creating Crypto Map Entries" section. Manually established SAs are reestablished immediately.
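The crypto map procedure described above (transform set, crypto access list, static and dynamic crypto map entries, application to an interface), carried through as an added IOS configuration example that is not from the page or from Cisco's guide. It keeps the page's names proposal4 and s4second and the sequence number 2; the ISAKMP policy, peer and interface addresses, networks, access list names and pre-shared key placeholder are constructed, and the transform set uses AES-256 with SHA-256 rather than the DES the text pairs with AH, since ESP alone covers both confidentiality and integrity.

```cisco
! IKE phase 1 policy: a prerequisite the text assumes but does not show.
! The peer address is constructed; replace the key placeholder before use.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Transform set proposal4 in tunnel mode (the default; shown explicitly, as
! in the text). ESP with AES-256 and SHA-256 replaces the obsolete esp-des.
crypto ipsec transform-set proposal4 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto access list: defines which traffic the static map protects.
! Constructed networks; 'any' is avoided because the same list is used
! for filtering as well as for negotiation.
ip access-list extended CRYPTO-TO-BRANCH
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Static crypto map s4second, sequence 2: IKE-negotiated SAs to a fixed peer.
crypto map s4second 2 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set proposal4
 match address CRYPTO-TO-BRANCH
!
! Headend-style dynamic entry for peers whose addresses are not known in
! advance. The access list is optional but recommended: without it the router
! accepts any flow identity the peer proposes. A shorter SA lifetime is set
! per the optional step. Dynamic peers still need their own IKE credentials
! (certificates or per-peer keys); no wildcard pre-shared key is used here.
ip access-list extended CRYPTO-FROM-REMOTES
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto dynamic-map REMOTES 10
 set transform-set proposal4
 match address CRYPTO-FROM-REMOTES
 set security-association lifetime seconds 1800
!
! Attach the dynamic map to the same crypto map set at the highest sequence
! number, so the static entry is evaluated first.
crypto map s4second 65535 ipsec-isakmp dynamic REMOTES
!
! Apply the crypto map set to the interface the IPSec traffic traverses.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map s4second
!
! Verification and SA reset, per the notes in the text:
!   show crypto map
!   show crypto ipsec sa
!   clear crypto sa peer 203.0.113.2   (subset only; bare 'clear crypto sa' drops all sessions)
```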
Note: Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database. In particular, QoS features provide better and more predictable network service. You configure QoS features throughout a network to provide for end-to-end QoS delivery.
The following three components are necessary to deliver QoS across a heterogeneous network. Not all QoS techniques are appropriate for all network routers.
Because edge routers and backbone routers in a network do not necessarily perform the same operations, the QoS tasks they perform might differ as well. This section contains basic steps to configure QoS weighted fair queuing (WFQ), which applies priority or weights to identified traffic on the GRE tunnel you configured in the "Step 1—Configuring the Tunnel" section. When an application is recognized and classified by NBAR, a network can invoke services for that specific application. MQC provides a clean separation between the specification of a classification policy and the specification of other policies that act based on the results of the applied classification.
Configuring a QoS policy typically requires the configuration of traffic classes, the configuration of policies that will be applied to those traffic classes, and the attaching of policies to interfaces using the commands in the sections that follow. Use the class-map configuration command to define a traffic class and the match criteria that will be used to identify traffic as belonging to that class. Match statements can include criteria such as protocol, ACL, IP precedence value, or interface identifier.
The match criteria are defined with one or more of the match statements entered within class-map configuration mode, listed in the table below. Specifies the user-defined name of the class map.
The match-all option specifies that all match criteria in the class map must be matched. The match-any option specifies that one or more match criteria must match. Use the no class-map command to disable the class map. Use the no match-all and no match-any commands to disable these commands within the class map. Use the match not command to configure a match that evaluates to true if the packet does not match the specified protocol. Enter the show class-map command to display all class map information.
You can also enter the show class-map class-name command to display the class map information of a user-specified class map. Use the policy-map configuration command to specify the QoS policies to apply to traffic classes defined by a class map. QoS policies that can be applied to traffic classification are listed in the table below. Enables the weighted random early detection (WRED) drop policy for a traffic class that has a bandwidth guarantee. Specifies the maximum number of packets queued for a traffic class in the absence of random-detect.
Use the no policy-map command to deconfigure the policy map. Use the no bandwidth, no police, no set, and no random-detect commands to disable these commands within the policy map. Use the service-policy interface configuration command to attach a policy map to an interface and to specify the direction in which the policy should be applied, on either packets coming into the interface or packets leaving the interface.
Specifies the name of the policy map to be attached to the output direction of the interface. Specifies the name of the policy map to be attached to the input direction of the interface. Use the no service-policy [input | output] policy-map-name command to detach a policy map from an interface.
Use the show policy-map [interface [interface-spec [input | output [class class-name]]]] command to display the configuration of a policy map and its associated class maps. Forms of this command are listed in the following table. Displays statistics and configurations of all input and output policies that are attached to an interface. Displays configuration and statistics of the input and output policies attached to a particular interface.
Displays configuration and statistics of the input policy attached to an interface. Displays configuration statistics of the output policy attached to an interface. Displays the configuration and statistics for the class name configured in the policy.
Weighted Fair Queuing WFQ provides traffic priority management that automatically sorts among individual traffic streams without requiring that you first define access lists.
WFQ can also manage duplex data streams such as those between pairs of applications, and simplex data streams such as voice or video. There are two categories of WFQ sessions: high bandwidth and low bandwidth. Low-bandwidth traffic has effective priority over high-bandwidth traffic, and high-bandwidth traffic shares the transmission service proportionally according to assigned weights. When WFQ is enabled for an interface, new messages for high-bandwidth traffic streams are discarded after the configured or default congestive messages threshold has been met.
However, low-bandwidth conversations, which include control message conversations, continue to enqueue data. As a result, the fair queue may occasionally contain more messages than its configured threshold number specifies. With standard WFQ, packets are classified by flow.
WFQ allocates an equal share of the bandwidth to each flow. Flow-based WFQ is also called fair queuing because all flows are equally weighted.
To configure fair queuing on an interface, complete the following steps starting in global configuration mode. Specify an interface and enter interface configuration mode. Packets satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for each class, and traffic belonging to a class is directed to that class queue.
Once a class has been defined according to its match criteria, you can assign it characteristics. To characterize a class, you assign it bandwidth, weight, and maximum packet limit. The bandwidth assigned to a class is the minimum bandwidth delivered to the class during congestion. To characterize a class, you also specify the queue limit for that class, which is the maximum number of packets allowed to accumulate in the class queue.
Packets belonging to a class are subject to the bandwidth and queue limits that characterize the class. After a queue has reached its configured queue limit, enqueuing of additional packets to the class causes tail drop or packet drop to take effect, depending on how class policy is configured. Tail drop is used for CBWFQ classes unless you explicitly configure policy for a class to use weighted random early detection (WRED) to drop packets as a means of avoiding congestion.
Note that if you use WRED packet drop instead of tail drop for one or more classes comprising a policy map, you must ensure that WRED is not configured for the interface to which you attach that service policy. If a default class is configured, all unclassified traffic is treated as belonging to the default class. If no default class is configured, then by default the traffic that does not match any of the configured classes is flow classified and given best-effort treatment.
Once a packet is classified, all of the standard mechanisms that can be used to differentiate service among the classes apply. Flow classification is standard WFQ treatment. WFQ allocates an equal share of bandwidth to each flow. Flow-based WFQ is also called fair queueing because all flows are equally weighted.
For CBWFQ, which extends the standard WFQ, the weight specified for the class becomes the weight of each packet that meets the match criteria of the class. Packets that arrive at the output interface are classified according to the match criteria filters you define, then each one is assigned the appropriate weight. The weight for a packet belonging to a specific class is derived from the bandwidth you assigned to the class when you configured it; in this sense the weight for a class is user-configurable.
After a packet's weight is assigned, the packet is enqueued in the appropriate class queue. CBWFQ uses the weights assigned to the queued packets to ensure that the class queue is serviced fairly. For this reason, you should ensure that WFQ is not enabled on such an interface.
To create a class map containing match criteria against which a packet is checked to determine if it belongs to a class, and to effectively create the class whose policy can be specified in one or more policy maps, use the first command in global configuration mode to specify the class-map name.
Then use one of the following commands in class-map configuration mode. Specifies the name of the numbered ACL against whose contents packets are checked to determine if they belong to the class. Specifies the name of the output interface used as a match criterion against which packets are checked to determine if they belong to the class.
Specifies the name of the protocol used as a match criterion against which packets are checked to determine if they belong to the class. To configure a policy map and create class policies including a default class comprising the service policy, use the first global configuration command to specify the policy-map name. Then use the following policy-map configuration commands to configure policy for a standard class and the default class.
For each class that you define, you can use one or more of the following policy-map configuration commands to configure class policy. For example, you might specify bandwidth for one class and both bandwidth and queue limit for another class.
The policy-map default class is the class to which traffic is directed if that traffic does not satisfy the match criteria of other classes whose policy is defined in the policy map. To configure policy for more than one class in the same policy map, repeat Steps 2 through 4. Note that because this set of commands uses queue-limit, the policy map uses tail drop for both class policies, not WRED packet drop. To attach a service policy to an interface and enable CBWFQ on the interface, you must create a policy map.
You can configure class policies for as many classes as are defined on the router, up to the maximum. Specifies the name of a class to be created and included in the service policy. Specifies the amount of bandwidth in kilobits per second (kbps) to be assigned to the class. Specifies the amount of bandwidth in kilobits per second to be assigned to the default class.
Specifies the maximum number of packets that can be enqueued for the specified default class. To attach a service policy to the output interface and enable CBWFQ on the interface, use the interface configuration command in the following table. Note: When CBWFQ is enabled, all classes configured as part of the service policy map are installed in the fair queueing system.
To display the contents of a specific policy map, a specific class from a specific policy map, or all policy maps configured on an interface, use one of the following global configuration commands:. Displays the configuration of all classes comprising the specified policy map. Displays the configuration of the specified class of the specified policy map.
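The class-map / policy-map / service-policy procedure described in this QoS section, as an added IOS configuration example that is not from the page or from Cisco's guide. Class, policy and interface names, the access list and the bandwidth values are constructed and illustrative; it shows both drop behaviours the text contrasts (queue-limit for tail drop, random-detect for WRED) and a default class.

```cisco
! Access list identifying bulk transfer traffic between two constructed
! networks; used as one match criterion below.
access-list 110 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 22
!
! Class maps. match-any: a packet joins VOICE if it is NBAR-classified as RTP
! or carries IP precedence 5. match-all: every listed criterion must match.
class-map match-any VOICE
 match protocol rtp
 match ip precedence 5
class-map match-all BULK
 match access-group 110
!
! Policy map. Each bandwidth value is the minimum (kbps) guaranteed to the
! class during congestion. VOICE uses a shallow queue with tail drop;
! BULK uses WRED instead of tail drop; class-default catches unmatched traffic.
policy-map TUNNEL-CBWFQ
 class VOICE
  bandwidth 512
  queue-limit 32
 class BULK
  bandwidth 256
  random-detect
 class class-default
  bandwidth 128
  queue-limit 64
!
! Attach the policy outbound on the GRE tunnel from the tunnel step.
! CBWFQ installs the classes into the fair-queueing system, so neither WFQ
! nor interface-level WRED should also be enabled on this interface.
interface Tunnel0
 service-policy output TUNNEL-CBWFQ
!
! Verification, using the show forms listed in the text:
!   show class-map
!   show policy-map TUNNEL-CBWFQ
!   show policy-map interface Tunnel0 output
!   show policy-map interface Tunnel0 output class BULK
```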
Displays the configuration of all classes configured for all policy maps on the specified interface. Cisco IOS software provides an extensive set of security features with which you can configure a simple or elaborate firewall, according to your particular requirements. When you configure Cisco IOS firewall features on your Cisco router, you turn your router into an effective, robust firewall.
Cisco IOS firewall features are designed to prevent unauthorized, external individuals from gaining access to your internal network, and to block attacks on your network, while at the same time allowing authorized users to access network resources. Note: Although Cisco series routers support intrusion detection features, intrusion detection configuration procedures are not explained in this guide.
For detailed information on intrusion detection, refer to the Intrusion Detection Planning Guide. At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure your Cisco series router to function as a firewall by using the following Cisco IOS security features. For information on how to access these documents, see the "Related Documentation" section.
This section explains how to configure an extended access list, which is a sequential collection of permit and deny conditions that apply to an IP address. Note: The extended access list configuration explained in this section is different from the crypto access list configuration explained in the "Creating Crypto Access Lists" section. Crypto access lists are used to define which IP traffic is or is not protected by crypto, while an extended access list is used to determine which IP traffic to forward or block at an interface.