© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.216-1 Lesson 16: Easy VPN Remote, Small Office/Home Office

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the two Easy VPN modes of operation.
- Configure the PIX Firewall as an Easy VPN Remote client.
- Explain the PIX Firewall's Secure Unit Authentication and Individual User Authentication features.
- Configure the PIX Firewall for Secure Unit Authentication and Individual User Authentication.
- Describe the PIX Firewall's DHCP server feature.
- Configure the PIX Firewall as a DHCP server.
- Configure the PIX Firewall's PPPoE client.

PIX Firewall Easy VPN Remote Feature Overview

Implementing PIX Firewall Easy VPN Remote

Easy VPN Servers:
- Cisco IOS router, release 12.2(8)T or later
- PIX Firewall, version 6.2 or later
- VPN 3000 Concentrator, release 3.11 or later (a later release is recommended)

Easy VPN Remote: Cisco PIX Firewall 501/506E. The Easy VPN Server pushes the VPN policy to the remote PIX when the tunnel is established.

Easy VPN Remote Configuration

Easy VPN Remote Client Configuration

pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training
pix1(config)# vpnclient server

Syntax:
pixfirewall(config)# vpnclient vpngroup group_name password preshared_key
    Group name and pre-shared key; these must match a vpngroup defined on the Easy VPN Server.
pixfirewall(config)# vpnclient username xauth_username password xauth_password
    VPN client extended authentication (Xauth) username and password.
pixfirewall(config)# vpnclient server ip_primary [ip_secondary_n]
    Easy VPN Server IP address, with optional secondary (backup) server addresses.

Easy VPN Client Device Mode

Client mode: PIX Firewall 501/506E (Easy VPN Remote) connects to a PIX Firewall 525 (Easy VPN Server) over the VPN tunnel. The hosts behind the remote PIX are hidden behind PAT; only a single address is visible from the central site.

Network extension mode: PIX Firewall 501/506E (Easy VPN Remote) connects to a PIX Firewall 525 (Easy VPN Server) over the VPN tunnel. The remote inside subnet (a /24 in the figure) keeps its own addresses, which are visible from the central site.

Easy VPN Client Device Mode Configuration

pix1(config)# vpnclient mode network-extension-mode

pixfirewall(config)# vpnclient mode {client-mode | network-extension-mode}
    Sets the Easy VPN Remote device mode to client mode or network extension mode. In network extension mode the addresses behind the remote PIX are visible from the central site.

Enable Easy VPN Remote Device

pix1(config)# vpnclient enable

pixfirewall(config)# vpnclient enable
    Enables the Easy VPN Remote device so that the VPN tunnel to the Easy VPN Server can be established.

Secure Unit Authentication

pix2(config)# vpngroup training secure-unit-authentication

pixfirewall(config)# vpngroup groupname secure-unit-authentication
    Enables the secure unit authentication policy at the central site (pix2, the Easy VPN Server). The policy is pushed to the Easy VPN Remote, which must then authenticate (for example against an ACS server) before the VPN tunnel comes up, instead of silently using a stored Xauth username and password.

Individual User Authentication

pix2(config)# vpngroup training user-authentication

pixfirewall(config)# vpngroup groupname user-authentication
    Enables the individual user authentication policy at the central site. The policy is pushed to the Easy VPN Remote; each remote user must authenticate (for example against an ACS server) before gaining access to the VPN tunnel.

Related commands:
pixfirewall(config)# vpngroup groupname user-idle-timeout hh:mm:ss
    Idle time after which an authenticated user must authenticate again.
pixfirewall(config)# vpngroup groupname authentication-server server_tag
    AAA server group used to authenticate the individual users.
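As an added example (not part of the Cisco course material), the following Python script parses the vpngroup lines of an Easy VPN Server configuration and the vpnclient lines of an Easy VPN Remote configuration, then reports which of this lesson's controls (secure unit authentication, individual user authentication, user idle timeout, authentication server) are missing for the group the remote uses. Both configuration excerpts are constructed; the group names, pool name, addresses and masked passwords are hypothetical, and the checks cover only the commands shown in these slides.

```python
import re

# Constructed sample: running-config excerpt from the hub PIX (Easy VPN Server).
# Group names, pool names, addresses and the masked keys are hypothetical.
SERVER_CONFIG = """\
vpngroup training address-pool remotepool
vpngroup training dns-server 10.0.0.10
vpngroup training idle-time 1800
vpngroup training password ********
vpngroup sales address-pool remotepool
vpngroup sales secure-unit-authentication
vpngroup sales user-authentication
vpngroup sales user-idle-timeout 0:10:00
vpngroup sales authentication-server MYTACACS
vpngroup sales password ********
"""

# Constructed sample: the SOHO PIX 501 configured as Easy VPN Remote with the lesson's commands.
REMOTE_CONFIG = """\
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode
vpnclient vpngroup training password ********
vpnclient username student1 password ********
vpnclient enable
"""

VPNGROUP_RE = re.compile(r"^\s*vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
VPNCLIENT_RE = re.compile(r"^\s*vpnclient\s+(\S+)(?:\s+(.*))?$")


def parse_vpngroups(config):
    """{group_name: {keyword: argument_string}} for every vpngroup line."""
    groups = {}
    for line in config.splitlines():
        m = VPNGROUP_RE.match(line)
        if m:
            name, keyword, args = m.groups()
            groups.setdefault(name, {})[keyword] = (args or "").strip()
    return groups


def parse_vpnclient(config):
    """{keyword: argument_string} for every vpnclient line on the remote."""
    settings = {}
    for line in config.splitlines():
        m = VPNCLIENT_RE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2) or "").strip()
    return settings


def audit_server_group(groups, name):
    """Findings for one vpngroup on the Easy VPN Server; an empty list means all checks pass."""
    g = groups.get(name)
    if g is None:
        return [f"{name}: group not defined on the Easy VPN Server"]
    findings = []
    if "secure-unit-authentication" not in g:
        findings.append(f"{name}: no secure-unit-authentication, the remote PIX brings the tunnel "
                        "up with its stored vpnclient username/password and nobody has to be present")
    if "user-authentication" not in g:
        findings.append(f"{name}: no user-authentication, every host behind the remote PIX "
                        "can use the tunnel once it is up")
    else:
        if "user-idle-timeout" not in g:
            findings.append(f"{name}: user-authentication without user-idle-timeout")
        if "authentication-server" not in g:
            findings.append(f"{name}: user-authentication without authentication-server")
    return findings


def audit_remote(settings, groups):
    """Check the remote's vpnclient lines, then the server-side policy for its group."""
    findings = []
    for key in ("server", "vpngroup", "username", "enable"):
        if key not in settings:
            findings.append(f"remote: missing 'vpnclient {key}'")
    group_args = settings.get("vpngroup", "").split()
    if group_args:
        findings.extend(audit_server_group(groups, group_args[0]))
    return findings


if __name__ == "__main__":
    groups = parse_vpngroups(SERVER_CONFIG)
    for finding in audit_remote(parse_vpnclient(REMOTE_CONFIG), groups):
        print(finding)
```

Run against the constructed excerpts, the `sales` group passes and the `training` group used by the remote gets two findings: neither secure-unit-authentication nor user-authentication is enabled, which is exactly the state the next slides correct.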

PPPoE and the PIX Firewall

The PIX Firewall as a PPPoE Client

The PIX Firewall (PPPoE client) connects through a DSL modem to the ISP's PPPoE access concentrator. PPPoE carries the PPP session over the DSL link, and IPsec runs on top of the PPPoE connection for the inside /24 network.

Configure a Virtual Private Dial-Up Networking Group

pix1(config)# vpdn group PPPOEGROUP request dialout pppoe
pix1(config)# vpdn group PPPOEGROUP ppp authentication pap
pix1(config)# vpdn group PPPOEGROUP localname MYUSERNAME

pixfirewall(config)# vpdn group group_name request dialout pppoe
    Defines a VPDN group to be used for PPPoE.
pixfirewall(config)# vpdn group group_name ppp authentication PAP | CHAP | MSCHAP
    Selects the PPP authentication method. PAP sends the username and password to the ISP in cleartext; prefer CHAP or MS-CHAP where the ISP supports it.
pixfirewall(config)# vpdn group group_name localname username
    Associates the username assigned by your ISP with the VPDN group.

Create VPDN Username and Password

pix1(config)# vpdn username student1 password training

pixfirewall(config)# vpdn username name password pass
    Creates the username and password pair used for the PPPoE connection; the name must match the localname of the VPDN group.

Enable PPPoE Client

pix1(config)# ip address outside pppoe

pixfirewall(config)# ip address if_name pppoe [setroute]
    Enables the PPPoE client on the interface; the interface address is negotiated with the ISP. With setroute, the PIX installs a default route learned from the PPPoE server.
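The `ppp authentication` choice made in the VPDN group decides what the PIX puts on the DSL wire when it logs in to the ISP. The following added example (not from the course) encodes a PAP Authenticate-Request per RFC 1334 and a CHAP challenge/response per RFC 1994 and shows, with the slide's username/password and a constructed challenge, that PAP carries the password verbatim while CHAP sends only MD5(Identifier || secret || challenge) and lets the access concentrator verify it against its copy of the secret. The concentrator name `isp-ac` and the credentials are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# PPP authentication frames share a 4-byte header: Code, Identifier, Length (RFC 1334 / RFC 1994).


def pap_authenticate_request(identifier, username, password):
    """PAP Authenticate-Request (code 1): both fields travel as plain octets."""
    user, pw = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def pap_parse_request(frame):
    """What the access concentrator (or anyone on the path) reads out of a PAP request."""
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code != 1 or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    ulen = frame[4]
    username = frame[5:5 + ulen]
    plen = frame[5 + ulen]
    password = frame[6 + ulen:6 + ulen + plen]
    return identifier, username.decode(), password.decode()


def chap_challenge(identifier, value, name=b"isp-ac"):
    """CHAP Challenge (code 1) sent by the access concentrator; `name` is hypothetical."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response_value(identifier, secret, challenge_value):
    """RFC 1994 section 4.1: MD5(Identifier || secret || challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge_value).digest()


def chap_response(identifier, secret, challenge_value, name):
    """CHAP Response (code 2) from the PIX: the hash plus its name, never the secret itself."""
    value = chap_response_value(identifier, secret, challenge_value)
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def chap_verify(challenge_frame, response_frame, secrets):
    """Access-concentrator side: recompute the hash for the named peer and compare."""
    ccode, cid, _ = struct.unpack("!BBH", challenge_frame[:4])
    csize = challenge_frame[4]
    challenge_value = challenge_frame[5:5 + csize]
    rcode, rid, rlen = struct.unpack("!BBH", response_frame[:4])
    if ccode != 1 or rcode != 2 or rid != cid or rlen != len(response_frame):
        return False                      # wrong message types or a replayed/mismatched identifier
    rsize = response_frame[4]
    received = response_frame[5:5 + rsize]
    name = response_frame[5 + rsize:rlen].decode()
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response_value(cid, secret, challenge_value)
    return hmac.compare_digest(expected, received)


def password_on_wire(frame, password):
    """True if the password appears verbatim in the frame (what a sniffer on the DSL side sees)."""
    return password.encode() in frame


if __name__ == "__main__":
    # Credentials taken from the slide example; the challenge is random per session.
    pap = pap_authenticate_request(1, "student1", "training")
    print("PAP exposes password:", password_on_wire(pap, "training"))
    challenge_value = os.urandom(16)
    ch = chap_challenge(7, challenge_value)
    resp = chap_response(7, "training", challenge_value, "student1")
    print("CHAP exposes password:", password_on_wire(resp, "training"))
    print("CHAP verifies:", chap_verify(ch, resp, {"student1": "training"}))
```

CHAP still requires the concentrator to hold the cleartext secret, and MD5 offers no protection against offline guessing of a weak password once challenge and response are captured; the gain over PAP is that a passive listener on the DSL segment no longer reads the password directly.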

Monitoring the PPPoE Client

pixfirewall(config)# show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
    Displays session information.
pixfirewall(config)# show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
    Displays tunnel information.
pixfirewall(config)# show vpdn
    Displays tunnel and session information.

Monitoring the PPPoE Client (Cont.)

pixfirewall(config)# show ip address if_name pppoe
    Displays detailed information about a PPPoE connection.
pixfirewall(config)# show vpdn pppinterface [id intf_id]
    Displays the interface identification value.
pixfirewall(config)# show vpdn username [name]
    Displays local usernames.
pixfirewall(config)# show vpdn group [groupname]
    Displays configured groups.

Debugging the PPPoE Client

pixfirewall(config)# debug pppoe event | error | packet
    Enables debugging for the PPPoE client.

DHCP Server Configuration

DHCP

The PIX Firewall's DHCP server can be used to dynamically assign:
- An IP address and subnet mask
- The IP address of a DNS server
- The IP address of a WINS server
- A domain name
- The IP address of a TFTP server
- A lease length

DHCP Server

The PIX Firewall (DHCP server) assigns an address from its DHCP pool to a client on the inside network:
1. DHCPDISCOVER: the client seeks an address.
2. DHCPOFFER: the server offers an address.
3. DHCPREQUEST: the client requests the offered address.
4. DHCPACK: the server acknowledges the assignment of the address.

Configuring the PIX Firewall as a DHCP Server

Step 1: Assign a static IP address to the inside interface.
Step 2: Specify a range of addresses for the DHCP server to distribute.
Step 3 (optional): Specify the IP address of the DNS server.
Step 4 (optional): Specify the IP address of the WINS server.
Step 5 (optional): Configure the domain name.
Step 6 (optional): Specify the IP address of the TFTP server.
Step 7: Specify the lease length (default = 3,600 seconds).
Step 8: Enable DHCP.

Configure DHCP Address Pool

pix1(config)# dhcpd address inside

pixfirewall(config)# dhcpd address ip1[-ip2] [if_name]
    Specifies the range of addresses (the DHCP address pool) for the DHCP server to assign on the given interface.

Specify WINS, DNS, and Domain Name

pix1(config)# dhcpd wins
pix1(config)# dhcpd dns
pix1(config)# dhcpd domain cisco.com

pixfirewall(config)# dhcpd wins wins1 [wins2]
    Specifies the WINS server(s) handed to DHCP clients.
pixfirewall(config)# dhcpd dns dns1 [dns2]
    Specifies the DNS server(s) handed to DHCP clients.
pixfirewall(config)# dhcpd domain domain_name
    Specifies the domain name handed to DHCP clients (cisco.com in the example).

DHCP Option 66 and 150

pix1(config)# dhcpd option 150 ip
pix1(config)# dhcpd option 66 ip

pixfirewall(config)# dhcpd option 150 ip server_ip1 [server_ip2]
    Distributes a list of TFTP servers (option 150) for IP Phone connections.
pixfirewall(config)# dhcpd option 66 ascii {server_name | server_ip_str}
    Distributes a single TFTP server (option 66) for IP Phone connections.

Setting DHCP Lease Length

pix1(config)# dhcpd lease

pixfirewall(config)# dhcpd lease lease_length
    Specifies the DHCP lease length in seconds.

Enable DHCP

pix1(config)# dhcpd enable inside

pixfirewall(config)# dhcpd enable [if_name]
    Enables the DHCP server on the given interface.
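To show what the four-step exchange and the dhcpd settings above actually put on the wire, here is an added Python example (not from the course and not PIX code): a minimal DHCP server model that hands out the same data the dhcpd address, dns, wins, domain, lease, option 150 and option 66 commands configure, together with the RFC 2131 option encoder and decoder. The pool, server address, DNS/WINS/TFTP addresses and the client hardware addresses are constructed; no socket is opened, so it runs offline.

```python
import ipaddress
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"           # RFC 2131 option-field cookie
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # BOOTP fixed header: 236 bytes


def ip4(addr):
    return socket.inet_aton(addr)


def ip4_list(raw):
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def encode_options(opts):
    """opts: list of (code, value_bytes) -> cookie + TLVs + END."""
    out = bytearray(MAGIC)
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def decode_options(data):
    """Option field -> {code: value_bytes}; stops at END, skips PAD."""
    if data[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_message(op, xid, chaddr, yiaddr, options):
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip4(yiaddr), b"\0" * 4,
                      b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + encode_options(options)


class PixLikeDhcpServer:
    """Pool and options as the dhcpd address/dns/wins/domain/lease/option 66/150 commands set them."""

    def __init__(self, server_ip, pool, mask, dns, wins, domain, lease, tftp_ips, tftp_name):
        first, last = (ipaddress.IPv4Address(a) for a in pool.split("-"))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]
        self.leases = {}                      # chaddr -> address
        self.server_ip, self.mask, self.dns, self.wins = server_ip, mask, dns, wins
        self.domain, self.lease, self.tftp_ips, self.tftp_name = domain, lease, tftp_ips, tftp_name

    def _options(self, msg_type):
        return [(53, bytes([msg_type])), (54, ip4(self.server_ip)),
                (51, struct.pack("!I", self.lease)),              # dhcpd lease
                (1, ip4(self.mask)),
                (6, b"".join(ip4(a) for a in self.dns)),          # dhcpd dns
                (44, b"".join(ip4(a) for a in self.wins)),        # dhcpd wins
                (15, self.domain.encode()),                       # dhcpd domain
                (150, b"".join(ip4(a) for a in self.tftp_ips)),   # dhcpd option 150 ip
                (66, self.tftp_name.encode())]                    # dhcpd option 66 ascii

    def handle(self, frame):
        """DISCOVER -> OFFER; REQUEST for the address this client was offered -> ACK; else None."""
        xid = struct.unpack("!I", frame[4:8])[0]
        chaddr = frame[28:34]
        opts = decode_options(frame[236:])
        mtype = opts[53][0]
        if mtype == DISCOVER:
            if chaddr not in self.leases:
                if not self.free:
                    return None                                   # pool exhausted
                self.leases[chaddr] = self.free.pop(0)
            return build_message(2, xid, chaddr, self.leases[chaddr], self._options(OFFER))
        if mtype == REQUEST and 50 in opts and socket.inet_ntoa(opts[50]) == self.leases.get(chaddr):
            return build_message(2, xid, chaddr, self.leases[chaddr], self._options(ACK))
        return None


def client_exchange(server, chaddr, xid=0x1234):
    """The four-step exchange from the slide; returns what the client ends up with, or None."""
    offer = server.handle(build_message(1, xid, chaddr, "0.0.0.0", [(53, bytes([DISCOVER]))]))
    if offer is None:
        return None
    offered = socket.inet_ntoa(offer[16:20])                          # yiaddr
    server_id = decode_options(offer[236:])[54]
    request = build_message(1, xid, chaddr, "0.0.0.0",
                            [(53, bytes([REQUEST])), (50, ip4(offered)), (54, server_id)])
    o = decode_options(server.handle(request)[236:])
    return {"ip": offered, "mask": socket.inet_ntoa(o[1]), "dns": ip4_list(o[6]),
            "wins": ip4_list(o[44]), "domain": o[15].decode(),
            "lease": struct.unpack("!I", o[51])[0], "tftp150": ip4_list(o[150]),
            "tftp66": o[66].decode()}
```

Everything the client receives here (DNS, domain, TFTP server for the IP phone's configuration) is unauthenticated, which is why a rogue DHCP server on the inside segment can redirect name resolution or phone provisioning; the PIX only answers on the interface named in dhcpd enable.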

DHCP Server Auto Configuration

pix1(config)# ip address outside dhcp
pix1(config)# dhcpd address inside
pix1(config)# dhcpd auto_config
pix1(config)# dhcpd enable inside

pixfirewall(config)# dhcpd auto_config [client_ifx_name]
    Enables the PIX Firewall to take the DNS, WINS, and domain name values its DHCP client learned on the named interface (outside, from the ISP) and hand them out from its own DHCP server on the inside. In the example the outside DHCP client receives WINS, DNS and domain cisco.com, and the inside DHCP server distributes the same WINS, DNS and domain values together with the inside IP address.

debug dhcpd and clear dhcpd Commands

pixfirewall(config)# debug dhcpd event | packet
    Displays information associated with the DHCP server.
pixfirewall(config)# clear dhcpd
    Removes all dhcpd command statements from the configuration.

Summary

- Easy VPN Remote can operate in client mode or network extension mode.
- With Secure Unit Authentication, the remote PIX Firewall must authenticate before the VPN tunnel comes up.
- With Individual User Authentication, each remote user must authenticate before gaining access to the VPN tunnel.
- The PIX Firewall can function as both a DHCP client and a DHCP server.
- Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.