Complete Cisco VPN Configuration Guide
Publisher: Cisco Press
Author: R. Deal
Pages: 850
Binding: paperback
ISBN: 978-1-58705-204-0
Delivery time: 4 - 6 weeks (on order)
Our price: 226,00 zł
Description of Complete Cisco VPN Configuration Guide:
Use Cisco concentrators, routers, Cisco PIX and Cisco ASA security appliances, and remote access clients to build a complete VPN solution
- A complete resource for understanding VPN components and VPN design issues
- Learn how to employ state-of-the-art VPN connection types and implement complex VPN configurations on Cisco devices, including routers, Cisco PIX and Cisco ASA security appliances, concentrators, and remote access clients
- Discover troubleshooting tips and techniques from real-world scenarios based on the author's vast field experience
- Filled with relevant configurations you can use immediately in your own network
With increased use of Internet connectivity and less reliance on private WAN networks, virtual private networks (VPNs) provide a much-needed secure method of transferring critical information. As Cisco Systems® integrates security and access features into routers, firewalls, clients, and concentrators, its solutions become ever more accessible to companies with networks of all sizes. The Complete Cisco VPN Configuration Guide contains detailed explanations of all Cisco® VPN products, describing how to set up IPsec and Secure Sockets Layer (SSL) connections on any type of Cisco device, including concentrators, clients, routers, or Cisco PIX® and Cisco ASA security appliances. With copious configuration examples and troubleshooting scenarios, it offers clear information on VPN implementation designs.
Part I, "VPNs," introduces the topic of VPNs and discusses today's main technologies, including IPsec. It also spends an entire chapter on SSL VPNs, the newest VPN technology and one that Cisco has placed particular emphasis on since 2003. Part II, "Concentrators," provides detail on today's concentrator products and covers site-to-site and remote-access connection types with attention on IPsec and WebVPN. Part III covers the Cisco VPN Client versions 3.x and 4.x along with the Cisco 3002 Hardware Client. Cisco IOS® routers are the topic of Part IV, covering scalable VPNs with Dynamic Multipoint VPN, router certificate authorities, and router remote access solutions. Part V explains Cisco PIX and Cisco ASA security appliances and their roles in VPN connectivity, including remote access and site-to-site connections. In Part VI, a case study shows how a VPN solution is best implemented in the real world using a variety of Cisco VPN products in a sample network.
Richard A. Deal has nearly 20 years of experience in the computing and networking industry, including networking, training, systems administration, and programming. In addition to a bachelor of science degree in mathematics and computer science from Grove City College, Richard holds many certifications from Cisco. Since 1997, Richard has operated his own company, The Deal Group, Inc., located in Orlando, Florida. He also teaches Cisco security courses for Boson Training and writes preparation tests for them.
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
- A complete resource for understanding VPN components and VPN design issues
- Understand state-of-the-art VPN connection types like IPSec, PPTP, and L2TP
- Real-world case studies detail implementation of complex VPN configurations on Cisco devices including routers, PIX Firewalls, concentrators, and software and hardware clients
Table of contents of Complete Cisco VPN Configuration Guide:
Part I VPNs
Chapter 1 Overview of VPNs
Traffic Issues
Eavesdropping Attacks
Eavesdropping Tools
Eavesdropping Solutions
Masquerading Attacks
Masquerading Tools
Masquerading Solutions
Man-in-the-Middle Attacks
Man-in-the-Middle Tools
Man-in-the-Middle Solutions
VPN Definition
VPN Description
VPN Connection Modes
Transport Mode
Tunnel Mode
VPN Types
Site-to-Site VPNs
Remote Access VPNs
Firewall VPNs
User-to-User VPNs
VPN Categories
Intranet
Extranet
Internet
VPN Components
Authentication
Device Authentication
User Authentication
Encapsulation Method
Data Encryption
Packet Integrity
Key Management
Non-Repudiation
Application and Protocol Support
Address Management
VPN Designs
Connection Types
Point-to-Point
Fully-Meshed
Partially-Meshed
VPN Considerations
Protected Versus Unprotected Traffic
Fragmentation
Application Types
Traffic Protection
Address Translation and Firewalls
Redundancy
VPN Implementations
GRE
IPsec
PPTP
L2TP
MPLS
SSL
VPNs: Choosing a Solution
Security
Implementation, Management, and Support
High Availability
Scalability and Flexibility
Cost
Summary
Chapter 2 VPN Technologies
Keys
Key Usage
Symmetric Keys
Asymmetric Keys
Asymmetric Keying and Encryption
Asymmetric Keying and Authentication
Advantages and Disadvantages of Asymmetric Keying
Asymmetric Keying Examples
Encryption
Encryption Process
Encryption Algorithms
DES and 3DES Algorithms
AES Algorithm
Packet Authentication
Packet Authentication Implementation
MD5 HMAC Function
SHA HMAC Function
Packet Authentication Uses
Packet Authentication Issues
Sharing the HMAC Secret Key
Sending Data and HMAC Signatures Through Translation Devices
Using HMAC Functions in VPN Implementations
Key Exchange
Key Sharing Dilemma
Pre-Share the Key
Use an Already Encrypted Connection
Encrypt the Key with an Asymmetric Keying Algorithm
Diffie-Hellman Algorithm
Key Refreshing
Limitations of Key Exchange Methods
Authentication Methods
Man-in-the-Middle Attacks
Authentication Solutions
Device Authentication
Pre-Shared Symmetric Keys
Pre-Shared Asymmetric Keys
Digital Certificates
User Authentication
Remote Access and Device Authentication
Remote Access and User Authentication
Summary
Chapter 3 IPsec
IPsec Standards
IETF RFCs
RFC 2401
RFC 2402
RFC 2403
RFC 2404
RFC 2405
RFC 2406
RFC 2407
RFC 2408
RFC 2409
RFC 2410
RFC 2411
IPsec Connections
Basic Process of Building Connections
ISAKMP/IKE Phase 1
The Management Connection
Main Mode
Aggressive Mode
ISAKMP/IKE Transforms
Key Exchange Protocol: Diffie-Hellman
Device Authentication
Remote Access Additional Steps
User Authentication with XAUTH
IKE Client/Mode Config
Reverse Route Injection
ISAKMP/IKE Phase 2
ISAKMP/IKE Phase 2 Components
Phase 2 Security Protocols
AH
ESP
Phase 2 Connection Modes
Phase 2 Transforms
Data Connections
Components of a Data SA
How Data SAs Are Negotiated
IPsec Traffic and Networks
IPsec and Address Translation
Address Translation Issues
Address Translation Solutions
IPsec and Firewalls
Allowing IPsec Traffic into Your Network
Using Stateful Firewalls
Other Issues Using IPsec
Dead Peer Detection
Initial Contact
Summary
Chapter 4 PPTP and L2TP
PPTP
PPP Review
PPTP Phase 1
PPTP Phase 2
PPTP Phase 3
PPTP Phase 4
PPTP Components
How PPTP Works
Control Connection
Tunnel Connection
Example PPTP Connection
Issues with the Use of PPTP
Fragmentation Problems
Security Concerns
Address Translation Issues
L2TP
L2TP Overview
L2TP Operation
IPsec Review
Tunnel Types
IPsec Tunnel
L2TP Control Messages
L2TP User Data Tunnel
L2TP/IPsec Versus PPTP
Protocol Differences
PPTP Advantages
L2TP/IPsec Advantages
Summary
Chapter 5 SSL VPNs
SSL Overview
SSL Client Implementations
SSL Protection
SSL Authentication
SSL Encryption
SSL Content Control
SSL Components
SSL Client
Gateway
When to Use SSL VPNs
Advantages of SSL VPNs
Disadvantages of SSL VPNs
SSL Versus IPsec
Cisco WebVPN Solution
VPN 3000 Series Concentrators
WebVPN Operation
Web Access
Network Browsing and File Management Access
Application Access and Port Forwarding
E-mail Client Access
Summary
Part II Concentrators
Chapter 6 Concentrator Product Information
Concentrator Models
3005 Concentrator
3015 Concentrator
3020 Concentrator
3030 Concentrator
3060 Concentrator
3080 Concentrator
Comparison of Concentrator Models
Concentrator Modules
SEP Modules
SEP Operation
Concentrator Features
Version 3.5 Features
Version 3.6 Features
Version 4.0 Features
Version 4.1 Features
Version 4.7 Features
Introduction to Accessing a Concentrator
Command-Line Interface
Bootup Process
Initial Configuration
CLI Menu Access
Password Recovery
Graphical User Interface
HTTP Access
Quick Configuration
Main Menu
Summary
Chapter 7 Concentrator Remote Access Connections with IPsec
Controlling Remote Access Sessions to the Concentrator
Group Configuration
Base Group
Specific Groups
Identity Tab
General Tab
External Authentication
Address Assignment
User Configuration
Group Setup for Internal Authentication
User Setup of Internal Authentication
IPsec Remote Access
ISAKMP/IKE Phase 1: IKE Proposals
IKE Proposal Screen
IKE Proposal Components
ISAKMP/IKE Phase 1: Device Authentication
Pre-Shared Keys
Digital Certificates
ISAKMP/IKE Phase 1: IPsec Tab
Groups IPsec Tab
Users IPsec Tab
ISAKMP/IKE Phase 1: Mode/Client Config Tab
IPsec Tunneling
IE Proxy
Split Tunneling
Split DNS
ISAKMP/IKE Phase 1: Client FW Tab
Firewall Setting
Supported Firewalls
Firewall Policies
ISAKMP/IKE Phase 2: Data SAs
Network Access Control (NAC) for IPsec and L2TP/IPsec Users
Global Configuration of NAC for IPsec
NAC Global Parameters
NAC Exception List
Group Configuration of NAC
AAA RADIUS Server
Group NAC Tab
Summary
Chapter 8 Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
PPTP and L2TP Remote Access
PPTP and L2TP Group Configuration
PPTP Global Configuration
L2TP Global Configuration
WebVPN Remote Access
HTTPS Access
HTTPS Properties
WebVPN Interface Configuration
WebVPN Global Configuration
HTTP/HTTPS Proxy
Home Page
Home Page Logo
E-mail Proxy
Servers and URLs
Port Forwarding
Group Configuration
WebVPN Tab
WebVPN Group Buttons
SSL VPN Client (SVC)
Installing SVC on the Concentrator
Using the SVC Software
Non-Administrator Users
Cisco Secure Desktop for WebVPN Access
Installing the Secure Desktop Software on Your Concentrator
Configuring the Secure Desktop Parameters for Windows
Configuring the Cache Cleaner for Mac & Linux Systems
Configuring Upload/Download Settings
Saving Settings and Enabling CSD
Using the Secure Desktop Client
Summary
Chapter 9 Concentrator Site-to-Site Connections
L2L Connectivity Example
ISAKMP/IKE Phase 1 Preparation
Existing IKE Policies
IKE Policy Screen
Adding Site-to-Site Connections
Adding L2L Sessions
Basic L2L Configuration Parameters
Peer Connectivity
Device Authentication Information
Connection Policies
Routing Options
Local and Remote Networks
Completing L2L Sessions
Modifying L2L Sessions
Address Translation and L2L Sessions
Introducing Concentrator Address Translation Abilities
Example Needing L2L Address Translation
Creating L2L Address Translation Rules
Enabling L2L Address Translation
Summary
Chapter 10 Concentrator Management
Bandwidth Management
Creating Bandwidth Policies
Bandwidth Reservation
Bandwidth Policing
Activating Bandwidth Policies
Bandwidth Policies: Interfaces
Bandwidth Policies: Remote Access Sessions
Bandwidth Policies: L2L Sessions
Routing on the Concentrator
Static Routing
Default Route
Static Routes
RIP Routing Protocol
OSPF Routing Protocol
OSPF: IP Routing Screen
OSPF: Interfaces
Chassis Redundancy
VRRP
VRRP Example
VRRP Configuration
VRRP Configuration Synchronization
VCA
VCA Operation
VCA Configuration
VCA Verification
Administration Screens
Administrator Access
Administrator Accounts
Access Control Lists
Access Settings
AAA Servers
Management Protocols and Access
Concentrator Upgrades
File Management
Summary
Chapter 11 Verifying and Troubleshooting Concentrator Connections
Concentrator Tools
System Status
VPN Sessions
Session Summary Table
LAN-to-LAN Sessions Table
Remote Access Sessions Table
Management Sessions Table
Additional Monitoring > Sessions Screens
Event Logs
Date and Time for Logging Events
Event Classes and Logging Levels
Live Event Log
Filterable Event Log
Monitoring Statistics Screens
Troubleshooting Problems
ISAKMP/IKE Phase 1 Problems
IKE Policy Mismatch
Authentication Problems
ISAKMP/IKE Phase 2 Problems
Mismatched Transform Sets
Mismatched Protected Traffic
Summary
Part III Clients
Chapter 12 Cisco VPN Software Client
Cisco VPN Client Overview
Cisco VPN Client Features
Cisco VPN Client Installation
Before the Installation
Installation Process
Installation Files
Cisco VPN Client Interface
Operating Modes
Preferences
Advanced Mode Toolbar Buttons and Tabs
IPsec Connections
Creating Connections using Pre-Shared Keys
Authentication Tab
Transport Tab
Backup Servers Tab
Dialup Tab
Completing the Connection
Creating Connections Using Certificates
Manually Obtaining a Certificate
Using SCEP to Obtain a Certificate
Managing Certificates
Specifying Certificates in a Connection Profile
Other Connection Configuration Options
Setting a Connection Profile as the Default
Creating a Shortcut for a Connection Profile
Connecting to the Easy VPN Server
Client Connection Status
Statistics
Notifications
Disconnecting the Connection
VPN Client GUI Options
Application Launcher
Windows Login Properties
Automatic Initiation
vpnclient.ini File
AI Configuration Verification
VPN Client GUI and AI
AI Usage
Stateful Firewall
Enabling the Stateful Firewall Feature
Verifying the Stateful Firewall Operation
Troubleshooting Firewall Connections
VPN Client Software Updates
Concentrator: Client Updates
VPN Client Preparation for Auto-Update of Windows 2000 and XP
Web Server Configuration for Auto-Update
Concentrator Configuration for Auto-Update
Client Update Process
Manual Upgrades
Automatic Upgrades
VPN Client Troubleshooting
Log Viewer
Formatting of Logging Information
Disabling the Logging Feature
Searching for Logging Information
Clearing Logging Information
Authentication Problems
ISAKMP/IKE Policy Mismatch Issues
Address Assignment Troubleshooting
Split Tunneling Problems
Connectivity Problems
Name Resolution Problems
Address Translation Problems
Fragmentation Issues
Problems that Fragmentation Creates
Looking for Fragmentation Problems
Fragmentation Solutions
Microsoft Network Neighborhood Issues
Cannot Log in to a Windows Domain
Cannot Ping Network Resources
Cannot Browse the Network or Map a Network Drive
Summary
Chapter 13 Windows Software Client
Windows Client
Understanding Features of the Windows Client
Verifying that the Windows Client is Operational
Configuring the Windows VPN Client
Creating a Security Policy
Edit Properties Windows: Rules Tab
Edit Properties Windows: General Tab
Policy Assignment
Requiring the Use of L2TP
Creating a Microsoft VPN Connection
Initial Connection Setup
Connection Properties
Configuring the VPN 3000 Concentrator
IKE Proposals
IPsec SAs
Group Configuration
Address Management
User Configuration
Microsoft Client Connections
Connecting to a VPN Gateway
Verifying the Connection on the PC
Verifying the Connection on the Concentrator
Troubleshooting VPN Connections
Concentrator Troubleshooting Tools
Microsoft Client Troubleshooting Tools
IP Security Monitor Snap-In
IPsecCMD
Audit Logging
Oakley Logging
Summary
Chapter 14 3002 Hardware Client
Overview of the 3002 Hardware Client
3002 Features
3002 Models
Deployment of the 3002
Software Client Option
Hardware Client Option
Initial Access to the 3002
Command-Line Interface
Graphical User Interface
Quick Configuration of the 3002
Overview of the Main GUI
Authentication and Connection Options
Unit Authentication
Additional Authentication Options
Interactive Unit Authentication
Individual User Authentication
Configuring the VPN 3000 Concentrator
Building the IPsec Tunnel
Verifying the Connection
Connection Modes
Client Mode
Network Extension Mode
3002 Network Extension Mode Configuration
Concentrator Network Extension Mode Configuration
Network Extension Mode Verification
Routing and Reverse Route Injection
Routing Features
RRI Configuration
Administrative Tasks
Accessing the 3002 from its Public Interface
Upgrading the 3002
Manual Upgrade
Auto-Update
Summary
Part IV IOS Routers
Chapter 15 Router Product Information
Router Deployment Scenarios
L2L and Remote Access Connections
Special Capabilities of Routers
Data Transport
Routing Scalability
Media Translation
Quality of Service
Router Product Overview
Summary
Chapter 16 Router ISAKMP/IKE Phase 1 Connectivity
IPsec Preparation
Gathering Information
Allowing IPsec Traffic
ISAKMP/IKE Phase 1 Policies
Enabling ISAKMP
Creating Policies
Negotiating Policies with Peers
Enabling IKE Dead Peer Detection
ISAKMP/IKE Phase 1 Device Authentication
ISAKMP/IKE Identity Type
Pre-Shared Keys
Configuring Pre-shared Keys
Protecting Pre-Shared Keys
Viewing your Pre-Shared Keys
RSA Encrypted Nonces
Generating RSA Encrypted Nonces (Key Pairs)
Multiple RSA Key Pairs
Configuring a Peer's Public Key
Removing RSA Keys
Digital Certificates and Router Enrollment
Enrolling for a Certificate using SCEP
Enrolling for a Certificate Manually
Autoenrollment for Certificates
Certificate Attribute-Based Access Control
CRL and Expired Certificate Access Control Lists
Importing and Exporting RSA Keys and Certificates
Monitoring and Managing Management Connections
Viewing ISAKMP/IKE Phase 1 Connections
Managing ISAKMP/IKE Phase 1 Connections
Routers as Certificate Authorities
Step 1: Generating and Exporting RSA Key Information
Manual RSA Key Generation for the CA
Step 2: Enabling the CA
Using Manual RSA Keys
Using Auto-Archiving
Step 3: Defining Additional CA Parameters
Step 4: Handling Enrollment Requests
Viewing Enrollment Requests
Removing Requests from the Enrollment Database
Granting Enrollment Requests
Rejecting Certificate Requests
Controlling Certificate Requests with Passwords
Manually Entering a Certificate Enrollment
Step 5: Revoking Identity Certificates
Step 6: Configuring a Server to Run in RA Mode
RA Configuration and Operation
Example of Setting Up an RA
Step 7: Backing up a CA
Step 8: Restoring a CA
Step 9: Removing CA Services
Summary
Chapter 17 Router Site-to-Site Connections
ISAKMP/IKE Phase 2 Configuration
Defining Protected Traffic: Crypto ACLs
Defining Protection Methods: Transform Sets
Building a Static Crypto Map Entry
Crypto Map Entries
Using ISAKMP/IKE
Not Using ISAKMP/IKE
Activating a Crypto Map
Viewing a Crypto Map
Configuring an Example Using Static Map Entries
Building Dynamic Crypto Maps
Creating a Dynamic Crypto Map
Using a Dynamic Crypto Map
Configuring an Example Using a Dynamic Crypto Map
Configuring Tunnel Endpoint Discovery with Dynamic Crypto Maps
Distinguished Name-Based Crypto Maps
Setting Up DN-Based Crypto Maps
Illustrating the Use of DN-Based Crypto Maps
Viewing and Managing Connections
Viewing IPsec Data SAs
Managing IPsec Data SAs
Issues with Site-to-Site Connections
Migration to an IPsec-Based Design
IPsec Passive Mode Process
IPsec Passive Mode Configuration
Filtering of IPsec Traffic
CACCTP Feature
CACCTP Configuration
Example Configuring CACCTP
Address Translation and Stateful Firewalls
NAT Transparency
ESP Through NAT
Non-Unicast Traffic
GRE Tunneling Overview
GRE Tunnel Configuration
GRE Tunnel and OSPF Example Protected with IPsec
Configuration Simplification
IPsec Profiles
IPsec Virtual Tunnel Interfaces
IPsec Redundancy
HSRP with RRI
Stateful Failover for IPsec
L2L Scalability
DMVPN Overview
A Network Not Using DMVPN
DMVPN Configuration
A Network Using DMVPN on Hubs and Spokes
DMVPN and Hub Redundancy
Summary
Chapter 18 Router Remote Access Connections
Easy VPN Server
Easy VPN Server Configuration
Defining AAA
Creating Groups
Implementing Call Admission Control for IKE
Creating a Dynamic Crypto Map Entry
Creating a Static Crypto Map and XAUTH
VPN Group Monitoring
Easy VPN Server Configuration Example
Easy VPN Remote
Easy VPN Remote Connection Modes
Easy VPN Remote Configuration
Step 1: Configure a DHCP Server Pool
Step 2: Set up the Easy VPN Remote Configuration
Step 3: Connect to the Easy VPN Server
Step 4: Configure User Authentication
Step 5: Verify the Easy VPN Remote Configuration
Easy VPN Remote Configuration Example
IPsec Remote Access and L2L Sessions on the Same Router
Central Office Router Configuration
Keyrings
L2L ISAKMP/IKE Profiles
Remote Access ISAKMP/IKE Profiles
Dynamic Crypto Maps and Profiles
Remote Access and L2L Example Configuration
WebVPN
WebVPN Setup
Step 1: Configuring Prerequisites
Step 2: Configuring WebVPN
Step 3: Creating URL and Port Forwarding Entries for the Home Page
Step 4: Maintaining, Monitoring, and Troubleshooting WebVPN Connections
WebVPN Configuration Example
Summary
Chapter 19 Troubleshooting Router Connections
ISAKMP/IKE Phase 1 Connections
Overview of the Phase 1 Commands
The show crypto isakmp sa Command
The debug crypto isakmp Command
L2L Sessions
Remote Access Sessions
The debug crypto pki Command
The debug crypto engine Command
ISAKMP/IKE Phase 2 Connections
Overview of the Phase 2 Commands
The show crypto engine connection active Command
The show crypto ipsec sa Command
The debug crypto ipsec Command
Mismatched Data Transforms
Mismatched Crypto ACLs
Incorrect Peer Address
Matching on the Incorrect Crypto Map Entry
New IPsec Troubleshooting Features
IPsec VPN Monitoring Feature
Configuring IKE Peer Descriptions
Seeing Peer Descriptions in show Commands
Clearing Crypto Sessions
Invalid Security Parameter Index Recovery Feature
Invalid SPI Condition and the Invalid SPI Recovery Feature
Invalid SPI Recovery Configuration
Fragmentation Problems
Issues with Fragmentation
Fragmentation Discovery
Solutions to Fragmentation Issues
Static MTU Setting
TCP Maximum Segment Size (MSS)
Path MTU Discovery (PMTUD)
Summary
Part V PIX Firewalls
Chapter 20 PIX and ASA Product Information
PIX Deployment Scenarios
L2L and Remote Access Connections
Special Capabilities of PIXs and ASAs
Address Translation
Stateful Firewall Services
Redundancy
PIX and ASA Feature and Product Overview
PIX and ASA VPN Features
PIX Models
ASA Models
Summary
Chapter 21 PIX and ASA Site-to-Site Connections
ISAKMP/IKE Phase 1 Management Connection
Allowing IPsec Traffic
Using ACLs to Allow IPsec Traffic
Using ACL Bypassing to Allow IPsec Traffic
Transmitting IPsec Traffic Between Multiple Interfaces with the Same Security Level
Setting Up ISAKMP
Address Translation Issues
Disconnect Notifications
Main Mode Restriction
Configuring Management Connection Policies
Configuring Device Authentication
Device Identity Type
Pre-Shared Key Authentication
Certificate Authentication (CA)
ISAKMP/IKE Phase 2 Data Connections
Specifying Traffic to Protect
Defining How to Protect Traffic
Building Crypto Maps
Static Crypto Maps
Dynamic Crypto Maps
Activating a Crypto Map
Data Connection Management Commands
L2L Connection Examples
FOS 6.3 L2L Example
FOS 7.0 L2L Example
Summary
Chapter 22 PIX and ASA Remote Access Connections
Easy VPN Server Support for 6.x
Easy VPN Server Configuration for 6.x
Address Pool Configuration for 6.x
Group Configuration for 6.x
XAUTH User Authentication Configuration for 6.x
IKE Mode Config Activation for 6.x
Easy VPN Server Example for 6.x
Easy VPN Remote Support for 6.x
6.x Easy VPN Remote Configuration
Using Certificates for Remote Access
Verifying Your 6.x Remote Configuration and Connection
6.x Easy VPN Remote Example Configuration
Easy VPN Server Support for 7.0
Understanding Tunnel Groups
Defining Group Policies
Group Policy Locations
Default Group Policies
Default and Specific Group Policy Attribute Configuration
Creating Tunnel Groups
Remote Access Tunnel Group General Properties
Remote Access Tunnel Group IPsec Properties
L2L Tunnel Groups
Creating User Accounts for XAUTH
Issues with Remote Access Sessions and Solutions in 7.0
Simultaneously Supporting Remote Access and L2L Sessions
Using More than One Server to Handle Remote Access Sessions
Restricting the Total Number of VPN Sessions
Illustrating an Easy VPN Server Configuration Example for 7.0
Summary
Chapter 23 Troubleshooting PIX and ASA Connections
ISAKMP/IKE Phase 1 Connections
Overview of the Phase 1 Commands
The show isakmp sa Command
The debug crypto isakmp Command
L2L Sessions
Remote Access Sessions
The debug crypto vpnclient Command
ISAKMP/IKE Phase 2 Connections
Overview of the Phase 2 Commands
The show crypto ipsec sa Command
The debug crypto ipsec Command
Mismatched Data Transforms
Mismatched Crypto ACLs
Matching on the Incorrect Crypto Map Entry
Summary
Part VI Case Study
Chapter 24 Case Study
Company Profile
Corporate Office
Authentication Devices
Perimeter Routers
DMZ2 Concentrators
Perimeter Firewalls
Campus Concentrators
Regional Offices
Branch Offices
Remote Access Users
Case Study Configuration
Perimeter Router Configuration
Basic VPN Configurations on the Routers
Corporate Office Router Configurations
Regional Office Router Configuration
Internet Remote Access Configuration
DMZ2 Concentrators
Branch Office 3002 Hardware Clients
Remote Access User Configuration
Main Campus Wireless Configuration
Wireless Concentrators
Wireless User Configuration
Summary