Deployment Scenarios of Cisco IPSec VPN
The Cisco remote-access solution is useful in deployments where remote and home users need corporate access without being physically connected to the corporate LAN. The remote-access solution can be deployed in many ways; however, this section covers the following two design scenarios for ease of understanding:
- IPSec hairpinning with Easy VPN and Firewalling
- Load balancing and site-to-site integration
Note
The design scenarios discussed in this section are intended solely to reinforce learning and should be used for reference purposes only.
IPSec Hairpinning with Easy VPN and Firewalling
SecureMe has recently installed a Cisco ASA in its Brussels office to provide VPN access to its mobile users. Figure 16-13 shows SecureMe's network topology in Brussels.
Figure 16-13. SecureMe's Remote-Access Topology in Brussels
The security requirements for SecureMe are as follows:
- Use split tunneling and encrypt only the traffic destined for the 192.168.0.0/16 network.
- Enforce the Cisco Integrated Client Firewall and allow only HTTP and DNS traffic in clear text.
- Use IPSec over TCP on port 9000 as the encapsulation protocol.
- Allow one VPN client to communicate with another VPN client.
- Use the local database for user authentication.
- Log all system-generated syslog messages to a server.
Example 16-48 shows the relevant Cisco ASA configuration in Brussels.
Example 16-48. Cisco ASA Full Configuration Having Multiple Security Contexts
Brussels# show running-config
: Saved
:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
hostname Brussels
domain-name securemeinc.com
! To Allow IPSec hairpinning on the same interface
same-security-traffic permit intra-interface
! ACL to define Split-tunnel policy. This will allow the Client to send encrypted
! traffic to 192.168.0.0/16
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
! ACL to define Inbound FW policy to restrict inbound clear-text traffic
access-list Inbound_FW_ACL extended permit tcp any eq www any
access-list Inbound_FW_ACL extended permit udp any eq domain any
! ACL to define Outbound FW policy to restrict outbound clear-text traffic
access-list Outbound_FW_ACL extended permit tcp any any eq www
access-list Outbound_FW_ACL extended permit udp any any eq domain
! Enable logging to send syslog messages to 192.168.60.150
logging enable
logging timestamp
logging host inside 192.168.60.150
logging trap notifications
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.50.1-192.168.50.100 mask 255.255.255.0
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.202.130 1
route inside 192.168.60.0 255.255.255.0 192.168.40.2
route inside 0.0.0.0 0.0.0.0 192.168.40.2 tunneled
! Configuration of an internal user-group called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_ACL
 default-domain value securemeinc.com
 client-firewall req cisco-integrated acl-in Inbound_FW_ACL acl-out Outbound_FW_ACL
! Configuration of LOCAL user database
username ciscouser password aE.CsXUz4UT9JfjO encrypted
username adminuser password aE.T9JfjOCsXUz4U encrypted
username poweruser password sXUzaE.C4UT9JfjO encrypted
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! sysopt to bypass traffic filters
sysopt connection permit-ipsec
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Tunnel Encapsulation to use IPSec over TCP over port 9000
isakmp ipsec-over-tcp port 9000
! tunnel-group configuration for VPN client. The groupname is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
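A small audit script, added here as an example and not part of the book, that parses an ASA running-config into top-level commands with their sub-commands and checks each Brussels requirement above. The config excerpt, the parser and the function names are constructed for this example; a requirement fails when a referenced ACL does not exist, which the ASA itself accepts silently.

```python
import re
# Constructed excerpt of the Brussels running-config above (not the book's full listing).
BRUSSELS_CFG = """\
same-security-traffic permit intra-interface
access-list ST_ACL standard permit 192.168.0.0 255.255.0.0
access-list Inbound_FW_ACL extended permit tcp any eq www any
access-list Outbound_FW_ACL extended permit tcp any any eq www
logging host inside 192.168.60.150
group-policy SecureMeGrp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST_ACL
 client-firewall req cisco-integrated acl-in Inbound_FW_ACL acl-out Outbound_FW_ACL
isakmp ipsec-over-tcp port 9000
tunnel-group ciscovpn general-attributes
 default-group-policy SecureMeGrp
"""

def parse_asa(text):
    """Group each top-level command with its indented sub-commands; '!' and ':' lines are noise."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "!:":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_brussels(text):
    """Map each Brussels requirement to True/False; a dangling ACL reference counts as a failure."""
    blocks = parse_asa(text)
    top = [c for c, _ in blocks]
    acls = {c.split()[1] for c in top if c.startswith("access-list ")}
    gp = next((s for c, s in blocks if c == "group-policy SecureMeGrp attributes"), [])
    tg = next((s for c, s in blocks if c == "tunnel-group ciscovpn general-attributes"), [])
    st_acl = next((s.split()[-1] for s in gp if s.startswith("split-tunnel-network-list value")), None)
    fw = next((re.match(r"client-firewall req cisco-integrated acl-in (\S+) acl-out (\S+)", s)
               for s in gp if s.startswith("client-firewall")), None)
    return {
        "hairpin": "same-security-traffic permit intra-interface" in top,
        "split_tunnel": "split-tunnel-policy tunnelspecified" in gp and st_acl in acls
            and f"access-list {st_acl} standard permit 192.168.0.0 255.255.0.0" in top,
        "client_firewall": bool(fw) and set(fw.groups()) <= acls,
        "ipsec_over_tcp_9000": "isakmp ipsec-over-tcp port 9000" in top,
        "syslog_host": any(c.startswith("logging host ") for c in top),
        # No authentication-server-group on the tunnel-group means the LOCAL database is used.
        "local_auth": not any(s.startswith("authentication-server-group") for s in tg),
    }
```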
Load-Balancing and Site-to-Site Integration
SecureMe's headquarters office in Chicago wants to deploy Cisco ASA for remote-access VPN tunnels supporting about 2000 users. To ensure that these users do not overburden a single appliance, SecureMe wants to use two security appliances in load-balancing mode. Figure 16-14 shows SecureMe's network topology in Chicago.
Figure 16-14. SecureMe's Remote-Access Topology in Chicago
The security requirements for SecureMe's Chicago office are as follows:
- Load-balance Cisco IPSec VPN connections across two Cisco ASA devices.
- Use NAT-T if there is a NAT device between the VPN peers.
- Use a RADIUS server as the external database for user lookup.
- Configure a site-to-site VPN tunnel to the London ASA.
- Assign the DNS and WINS server addresses as 192.168.20.100 and 192.168.20.101, respectively.
- Limit the number of simultaneous sessions per user to two.
- Display a banner warning authorized users.
- Translate clear-text traffic that originates from the inside network and is destined for the outside network.
Example 16-49 shows the complete configuration of SecureMe's Cisco ASA in Chicago.
Example 16-49. Cisco ASA Relevant Configuration Using Load-Balancing and Site-to-Site Integration
Chicago# show running-config
: Saved
:
ASA Version 7.0(1)
! ip address on the outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
! ip address on the inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
hostname Chicago
domain-name securemeinc.com
! Access-list entries to bypass NAT for the traffic going from Chicago to London
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! Access-list entries to bypass NAT for the traffic going from Chicago to RA_clients
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
! Encryption Access-list to encrypt the traffic from Chicago to London
access-list to_London extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list to_London extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! IP Pool used to assign IP address to the VPN client
ip local pool ippool 192.168.60.1-192.168.60.100 mask 255.255.255.0
! NAT ACL is bound to NAT 0 statement to bypass address translation
nat (inside) 0 access-list inside_nat0_outbound
! Address Translation for the inside network
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
! Default gateways.
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
route inside 192.168.20.0 255.255.255.0 192.168.10.2 1
route inside 0.0.0.0 0.0.0.0 192.168.10.2 tunneled
! Radius configuration to enable user authentication
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.10.10 key cisco123
! Configuration of an internal user group-policy called SecureMeGrp
group-policy SecureMeGrp internal
! Configuration of user-group attributes
group-policy SecureMeGrp attributes
 banner value Unauthorized Users will be prosecuted
 vpn-simultaneous-logins 2
 wins-server value 192.168.20.101
 dns-server value 192.168.20.100
 default-domain value securemeinc.com
! Configuration of ASDM for Appliance management
http server enable
http 0.0.0.0 0.0.0.0 inside
! Transform set to specify encryption and hashing algorithm
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto-map for Remote-Access Clients
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Crypto map configuration for London
crypto map outside_map 20 match address to_London
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! Dynamic crypto-map is mapped to the static crypto-map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Static crypto-map is applied to the outside interface
crypto map outside_map interface outside
! isakmp configuration- Enabled on the outside interface
isakmp enable outside
! isakmp configuration- Enabled on the inside interface for VPN LB
isakmp enable inside
! isakmp policy configuration
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-T is enabled with a default keepalive of 20 seconds
isakmp nat-traversal 20
! tunnel-group configuration for VPN client. The group-name is ciscovpn
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool ippool
 authentication-server-group Radius
 authentication-server-group (inside) Radius
 default-group-policy SecureMeGrp
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
! L2L tunnel-group configuration for London
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key *
! VPN Load-balancing. The virtual IP address is 209.165.200.227. Encryption is enabled
! with using cisco123 as the key
vpn load-balancing
 cluster key cisco123
 cluster ip address 209.165.200.227
 cluster encryption
 participate
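The Chicago configuration relies on the nat 0 access-list covering every flow the crypto map encrypts; a flow that is translated by nat 1 before it reaches the crypto map will never match the site-to-site or remote-access SAs. The following check, added here as an example and not part of the book, extracts the nat 0 exemptions, the to_London crypto ACL, the nat 1 inside networks and the client pool from a constructed excerpt of the config above and reports encrypted flows that are not exempted. It assumes the remote-access clients live in the pool's /24 and that every nat 1 network may reach them.

```python
import ipaddress
import re

# Constructed excerpt of the Chicago running-config above (not the book's full listing).
CHICAGO_CFG = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list to_London extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list to_London extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
ip local pool ippool 192.168.60.1-192.168.60.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
"""

ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def acl_pairs(text, name):
    """(src, dst) networks permitted by the named 'permit ip' access-list (ASA mask notation)."""
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for n, s, sm, d, dm in ACE.findall(text) if n == name]

def covered(flow, exempt):
    """True if some nat 0 entry contains both the source and the destination of the flow."""
    src, dst = flow
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)

def uncovered_flows(text):
    """Flows the crypto map would encrypt that nat 0 does not exempt from translation.
    Assumes (constructed for this example) that RA clients occupy the pool's /24 and that
    every nat 1 inside network may reach them."""
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", text).group(1)
    exempt = acl_pairs(text, nat0)
    pool = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", text)
    pool_net = ipaddress.ip_network(f"{pool.group(1)}/{pool.group(2)}", strict=False)
    inside = [ipaddress.ip_network(f"{n}/{m}")
              for n, m in re.findall(r"nat \(inside\) 1 (\S+) (\S+)", text)]
    flows = acl_pairs(text, "to_London") + [(n, pool_net) for n in inside]
    return [f for f in flows if not covered(f, exempt)]
```

Dropping one of the four inside_nat0_outbound entries from the excerpt makes the corresponding flow appear in the returned list, which is exactly the symptom that shows up in production as a tunnel that builds but passes no traffic for one subnet.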