
Table of Contents

Policy Management
Configuration | Policy Management
Configuration | Policy Management | Access Hours
Configuration | Policy Management | Access Hours | Add or Modify
Configuration | Policy Management | Traffic Management
Configuration | Policy Management | Traffic Management | Network Lists
Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy
Configuration | Policy Management | Traffic Management | Rules
Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy
Configuration | Policy Management | Traffic Management | Rules | Delete
Configuration | Policy Management | Traffic Management | Security Associations
Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify
Configuration | Policy Management | Traffic Management | Security Associations | Delete
Configuration | Policy Management | Traffic Management | Filters
Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy
Configuration | Policy Management | Traffic Management | Assign Rules to Filter
Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule
Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule
Configuration | Policy Management | Traffic Management | NAT
Configuration | Policy Management | Traffic Management | NAT | Enable
Configuration | Policy Management | Traffic Management | NAT | Interface Rules
Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces
Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify
Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules
Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify
Configuration | Policy Management | Traffic Management | Bandwidth Policies
Configuration | Policy Management | Traffic Management | Add or Modify
Configuration | Policy Management | Certificate Group Matching
Configuration | Policy Management | Certificate Group Matching | Rules
Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify
Configuration | Policy Management | Certificate Group Matching | Policy

Policy Management


Managing a VPN, and protecting the integrity and security of network resources, includes carefully designing and implementing policies that govern who can use the VPN, when, and what data traffic can flow through it. User management deals with "who can use it"; see "User Management" for that discussion. Policy management deals with "when" and "what data traffic can flow through it"; this section covers those topics.

You configure when remote users access the VPN under Access Hours.

You configure "what data traffic can flow through it" under Traffic Management. The Cisco VPN 3000 Concentrator hierarchy is straightforward: you use filters that consist of rules; and for IPSec rules, you apply Security Associations (SAs). Therefore, you first configure rules and SAs, then use them to construct filters.

Basically, a filter determines whether to forward or drop a data packet traversing the system. It examines the data packet in accordance with one or more rules—direction, source address, destination address, ports, and protocol—which determine whether to forward, apply IPSec and forward, or drop. And it examines the rules in the order they are arranged on the filter.

You apply filters to Ethernet interfaces, and thus govern all traffic through an interface. You also apply filters to groups and users, and thus govern tunneled traffic through an interface.

If you are applying different filters to a large number of groups or users, you might find it more convenient to configure filters on an external RADIUS server. For more information on configuring the VPN Concentrator to use external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.

With IPSec, the VPN Concentrator negotiates Security Associations during tunnel establishment that govern authentication, key management, encryption, encapsulation, etc. Thus IPSec also determines how to transform a data packet before forwarding it. You apply Security Associations to IPSec rules when you include those rules in a filter, and you apply SAs to groups and users.

The VPN Concentrator also lets you create network lists, which are lists of network addresses that are treated as a single object. These lists simplify the configuration of rules for complex networks. You can also use them to configure split tunneling for groups and users, and to configure IPSec LAN-to-LAN connections.

To fully configure the VPN Concentrator, you should first develop policies (network lists, rules, SAs, and filters), since they affect Ethernet interfaces, groups, and users. And once you have developed policies, we recommend that you configure and apply filters to interfaces before you configure groups and users.

Traffic management on the VPN Concentrator also includes NAT (Network Address Translation) functions that translate private network addresses into legitimate public network addresses. Again, you develop rules to configure and use NAT.

Configuration | Policy Management

This section of the Manager lets you configure policies that apply to groups, users, and VPN Concentrator Ethernet interfaces.

Policies govern:


Figure 15-1   Configuration | Policy Management Screen


Configuration | Policy Management | Access Hours

This section of the Manager lets you configure access times, to control when remote-access groups and users can access the VPN Concentrator. You assign access hours to groups and users under Configuration | User Management. Access hours do not apply to LAN-to-LAN connections.


Figure 15-2   Configuration | Policy Management | Access Hours Screen


Current Access Hours

The Current Access Hours list shows the names of configured access times. The Cisco-supplied default access times are:

Additional access times that you configure appear in the list.

Add / Modify / Delete

To configure and add a new access time to the list, click Add. The Manager opens the Configuration | Policy Management | Access Hours | Add screen.

To modify a configured access time, select the entry from the list and click Modify. The Manager opens the Configuration | Policy Management | Access Hours | Modify screen.

To remove a configured access time, select the entry from the list and click Delete. There is no confirmation or undo. The Manager refreshes the screen and shows the remaining entries in the Current Access Hours list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Access Hours | Add or Modify

These Manager screens let you:


Figure 15-3   Configuration | Policy Management | Access Hours | Add or Modify Screens


Name

Enter a unique name for this set of access hours. Maximum is 48 characters.

Sunday - Saturday

For each day of the week, click the Sunday - Saturday drop-down menu button and choose:

Enter or edit hours in the range fields. Times are inclusive: starting time through ending time. Enter times as HH:MM:SS and use 24-hour notation, for example: enter 5:30 p.m. as 17:30. By default, all ranges are 00:00:00 to 23:59:59.
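The following Python script is an added example, not part of the Cisco documentation or of the VPN Concentrator software. It models one access-hours entry as the screen describes it: a name of at most 48 characters, one inclusive HH:MM:SS range per weekday in 24-hour notation, and a default range of 00:00:00 to 23:59:59 for every day. The drop-down choices for each day are not in this page's text, so the model assumes a single "allowed during this range" window per day; the business-hours schedule at the bottom is constructed sample data.

```python
from datetime import datetime, time
from typing import Dict, Tuple

# Day order matches the Sunday - Saturday drop-downs on the Add/Modify screen.
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
DEFAULT_RANGE = ("00:00:00", "23:59:59")  # the Manager's default for every day


def parse_hhmmss(text: str) -> time:
    """Parse 24-hour HH:MM:SS as typed into a range field (5:30 p.m. is 17:30:00)."""
    parts = text.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"expected HH:MM:SS, got {text!r}")
    hour, minute, second = (int(p) for p in parts)
    return time(hour, minute, second)  # time() rejects out-of-range fields itself


class AccessHours:
    MAX_NAME = 48

    def __init__(self, name: str):
        if not 1 <= len(name) <= self.MAX_NAME:
            raise ValueError("name must be 1-48 characters")
        self.name = name
        # One inclusive (start, end) window per day, initialised to the default range.
        self.ranges: Dict[str, Tuple[time, time]] = {
            day: (parse_hhmmss(DEFAULT_RANGE[0]), parse_hhmmss(DEFAULT_RANGE[1]))
            for day in DAYS
        }

    def set_range(self, day: str, start: str, end: str) -> None:
        """Replace the window for one day; both times are typed as HH:MM:SS."""
        if day not in DAYS:
            raise ValueError(f"unknown day {day!r}")
        begin, finish = parse_hhmmss(start), parse_hhmmss(end)
        if finish < begin:
            raise ValueError("ending time must not precede starting time")
        self.ranges[day] = (begin, finish)

    def allows(self, when: datetime) -> bool:
        """True when `when` falls inside that weekday's window; both ends are inclusive."""
        day = DAYS[(when.weekday() + 1) % 7]      # datetime.weekday() counts Monday as 0
        start, end = self.ranges[day]
        clock = when.time().replace(microsecond=0)  # ranges have one-second resolution
        return start <= clock <= end


def business_hours() -> AccessHours:
    """Constructed sample: weekdays 08:00:00-17:30:00, weekends left at the default."""
    hours = AccessHours("Business Hours (example)")
    for day in ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday"):
        hours.set_range(day, "08:00:00", "17:30:00")
    return hours


if __name__ == "__main__":
    sched = business_hours()
    for stamp in ("2024-01-01 17:30:00", "2024-01-01 17:30:01", "2023-12-31 03:00:00"):
        print(stamp, "allowed" if sched.allows(datetime.fromisoformat(stamp)) else "denied")
```

The inclusive comparison is the point to notice: a window ending at 17:30:00 still admits a login at exactly 17:30:00 and rejects one a second later, which is why a range entered as 17:30 rather than 17:30:00 should be rejected at parse time instead of silently guessed.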

Add or Apply / Cancel

To add this access time to the list, click Add. Or to apply your changes for this access time, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Access Hours screen. Any new entry appears in the Current Access Times list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Access Hours screen, and the Current Access Times list is unchanged.

Configuration | Policy Management | Traffic Management

This section of the Manager lets you configure network lists, rules, filters, and security associations, as well as network address translation and bandwidth policies. These features let you control the data traffic through the VPN Concentrator.

A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the default action specified in the filter.

You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they apply to all traffic. You also apply filters to groups and users under Configuration | User Management; these filters apply to tunneled traffic only.


Figure 15-4   Configuration | Policy Management | Traffic Management Screen


Configuration | Policy Management | Traffic Management | Network Lists

This section of the Manager lets you configure network lists, which are lists of networks that are grouped as single objects. Network lists make configuration easier: for example, you can use a network list to configure one filter rule for a set of networks rather than configuring separate rules for each network.

You can use network lists in configuring filter rules (see Configuration | Policy Management | Traffic Management | Rules). You can also use them to configure split tunneling for groups and users (see Configuration | User Management), and to configure IPSec LAN-to-LAN connections (see Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN).

The Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.

A single network list can contain a maximum of 10 network entries. The Manager does not limit the number of network lists you can configure.


Figure 15-5   Configuration | Policy Management | Traffic Management | Network Lists Screen


Network List

The Network List field shows the names of the network lists you have configured. If no lists have been configured, the field shows --Empty--.

Add / Modify / Copy / Delete

To configure and add a new network list, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Add screen.

To modify a configured network list, select the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Network Lists | Modify screen.

To copy a configured network list, modify it, and save it with a new name, select the list and click Copy. See the Configuration | Policy Management | Traffic Management | Network Lists | Copy screen.

To delete a configured network list, select the list and click Delete. If the network list is configured on a filter rule or an IPSec LAN-to-LAN connection, the Manager displays an error message indicating the action to take before you can delete the list. Otherwise, there is no confirmation or undo. The Manager deletes the list, refreshes the screen, and shows the remaining network lists.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy

These screens let you:

On the Add and Modify screens, the Manager can automatically generate a network list containing the private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table, and Inbound RIP must be enabled on that interface.


Figure 15-6   Configuration | Policy Management | Traffic Management | Network Lists | Add, Modify, or Copy Screens


List Name

Enter a unique name for this network list. Maximum 48 characters, case-sensitive. Spaces are allowed.

If you use the Generate Local List feature on the Add screen, enter this name after the system generates the network list.

Network List

Enter the networks in this network list. Enter each network on a single line using the format n.n.n.n/w.w.w.w, where n.n.n.n is a network IP address and w.w.w.w is a wildcard mask.


Note   Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.

If you omit the wildcard mask, the Manager supplies the default wildcard mask for the class of the network address. For example, 192.168.12.0 is a Class C address, and default wildcard mask is 0.0.0.255.

You can include a maximum of 200 network/wildcard entries in a single network list.
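The Python script below is an added example, not part of the Cisco documentation or of the VPN Concentrator software. It parses Network List entries in the n.n.n.n/w.w.w.w form described above, supplies the classful default wildcard mask when the mask is omitted (the page's own example: 192.168.12.0 becomes 192.168.12.0/0.0.0.255), and performs the membership test that a filter rule or split-tunneling check relies on. The handling of Class D and E addresses without a mask, the per-list entry limit passed as a parameter, and the sample list text are assumptions or constructed data, not behaviour the page specifies.

```python
import ipaddress
from typing import List, Tuple


def default_wildcard(network: int) -> int:
    """Classful default wildcard used when an entry omits '/w.w.w.w'."""
    first_octet = network >> 24
    if first_octet < 128:        # Class A: 0.255.255.255
        return 0x00FFFFFF
    if first_octet < 192:        # Class B: 0.0.255.255
        return 0x0000FFFF
    if first_octet < 224:        # Class C: 0.0.0.255
        return 0x000000FF
    # Assumption: the page gives no default for Class D/E, so an explicit mask is required.
    raise ValueError("no classful default wildcard; supply an explicit wildcard mask")


def parse_entry(entry: str) -> Tuple[int, int]:
    """Parse 'n.n.n.n/w.w.w.w' (mask optional) into (network, wildcard) integers."""
    net_part, _, wc_part = entry.strip().partition("/")
    network = int(ipaddress.IPv4Address(net_part.strip()))
    wildcard = int(ipaddress.IPv4Address(wc_part.strip())) if wc_part else default_wildcard(network)
    return network, wildcard


def format_entry(network: int, wildcard: int) -> str:
    """Render an entry back in the Manager's n.n.n.n/w.w.w.w notation."""
    return f"{ipaddress.IPv4Address(network)}/{ipaddress.IPv4Address(wildcard)}"


def wildcard_match(address: int, network: int, wildcard: int) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; every other bit must match."""
    return ((address ^ network) & (~wildcard & 0xFFFFFFFF)) == 0


class NetworkList:
    MAX_NAME = 48  # list names are limited to 48 characters

    def __init__(self, name: str, max_entries: int = 200):
        if not 1 <= len(name) <= self.MAX_NAME:
            raise ValueError("list name must be 1-48 characters")
        self.name = name
        self.max_entries = max_entries  # the Add screen text gives 200 as the per-list maximum
        self.entries: List[Tuple[int, int]] = []

    def add(self, entry: str) -> None:
        if len(self.entries) >= self.max_entries:
            raise ValueError(f"network list {self.name!r} is full ({self.max_entries} entries)")
        self.entries.append(parse_entry(entry))

    @classmethod
    def from_text(cls, name: str, text: str, max_entries: int = 200) -> "NetworkList":
        """Build a list from the one-entry-per-line text typed into the Network List field."""
        network_list = cls(name, max_entries)
        for line in text.splitlines():
            if line.strip():
                network_list.add(line)
        return network_list

    def contains(self, address: str) -> bool:
        """True when the address falls inside any entry (the test a filter rule performs)."""
        addr = int(ipaddress.IPv4Address(address))
        return any(wildcard_match(addr, net, wc) for net, wc in self.entries)

    def render(self) -> List[str]:
        """Entries normalized to n.n.n.n/w.w.w.w, with supplied default masks made explicit."""
        return [format_entry(net, wc) for net, wc in self.entries]


# Constructed sample input: a private-network list as an administrator might type it.
SAMPLE_TEXT = """
10.10.1.0/0.0.0.255
192.168.12.0
172.16.0.0/0.0.255.255
"""


def sample_list() -> NetworkList:
    return NetworkList.from_text("Private Nets (example)", SAMPLE_TEXT)


if __name__ == "__main__":
    nets = sample_list()
    print("\n".join(nets.render()))
    for probe in ("10.10.1.77", "192.168.13.1", "172.16.200.5"):
        print(probe, "in list" if nets.contains(probe) else "not in list")
```

Normalizing entries before storing them makes a defaulted mask visible in the rendered list, so an administrator reviewing the list sees exactly which address bits each entry ignores rather than having to remember the classful rule.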

Generate Local List

On the Add or Modify screen, click the Generate Local List button to have the Manager automatically generate a network list containing the first 200 private networks reachable from the Ethernet 1 (Private) interface. It generates this list by reading the routing table (see Monitoring | Routing Table), and Inbound RIP must be enabled on that interface (see Configuration | Interfaces). The Manager refreshes the screen after it generates the list, and you can then edit the Network List and enter a List Name.


Note   If you click Apply, the generated list replaces any existing entries in the Network List.

Add or Apply / Cancel

To add this network list to the configured network lists, click Add. Or to apply your changes to this network list, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen. Any new entry appears at the bottom of the Network List field.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Network Lists screen, and the Network Lists field is unchanged.

Configuration | Policy Management | Traffic Management | Rules

This section of the Manager lets you add, configure, modify, copy, and delete filter rules. You use rules to construct filters.


Caution   The Cisco-supplied default rules are intended as templates that you should examine and modify to fit your network and security needs. Unmodified, or incorrectly applied, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter. For example, the default Incoming HTTP rules are intended to allow an administrator outside the private network to manage the VPN Concentrator with a browser. Unmodified, they could allow browser connections to any system on the private network. If you apply these rules to a filter, you should at least change the Source and Destination Address to limit the connections.


Figure 15-7   Configuration | Policy Management | Traffic Management | Rules Screen


Filter Rules

The Filter Rules list shows the configured rules that are available to apply to filters. The list shows the rule name and the action/direction in parentheses. The rules are listed in the order they are configured.

Cisco supplies several default rules that you can modify and use. See Table 15-1 for their parameters, and see Configuration | Policy Management | Traffic Management | Rules | Add for explanations of the parameters.

For all the default rules except VRRP In and Out, these parameters are identical:

For maximum security and control, we recommend that you change the Source Address and Destination Address to fit your network addressing and security scheme.

Table 15-1   Cisco-Supplied Default Filter Rules

(A dash marks a parameter that does not apply to the rule's protocol.)

Filter Rule Name    Direction  Protocol  TCP Connection  TCP/UDP Source Port  TCP/UDP Destination Port  ICMP Packet Type
Any In              Inbound    Any       Don't Care      Range 0-65535        Range 0-65535             0-255
Any Out             Outbound   Any       Don't Care      Range 0-65535        Range 0-65535             0-255
CRL over LDAP In    Inbound    TCP       Don't Care      LDAP (389)           Range 0-65535             -
CRL over LDAP Out   Outbound   TCP       Don't Care      Range 0-65535        LDAP (389)                -
GRE In              Inbound    GRE       -               -                    -                         -
GRE Out             Outbound   GRE       -               -                    -                         -
ICMP In             Inbound    ICMP      -               -                    -                         0-18
ICMP Out            Outbound   ICMP      -               -                    -                         0-18
IKE In              Inbound    UDP       -               Range 0-65535        IKE (500)                 -
IKE Out             Outbound   UDP       -               IKE (500)            Range 0-65535             -
Incoming HTTP In    Inbound    TCP       Don't Care      Range 0-65535        HTTP (80)                 -
Incoming HTTP Out   Outbound   TCP       Don't Care      HTTP (80)            Range 0-65535             -
Incoming HTTPS In   Inbound    TCP       Don't Care      Range 0-65535        HTTPS (443)               -
Incoming HTTPS Out  Outbound   TCP       Don't Care      HTTPS (443)          Range 0-65535             -
IPSec-ESP In        Inbound    ESP       -               -                    -                         -
L2TP In             Inbound    UDP       -               Range 0-65535        L2TP (1701)               -
L2TP Out            Outbound   UDP       -               L2TP (1701)          Range 0-65535             -
LDAP In             Inbound    TCP       Don't Care      Range 0-65535        LDAP (389)                -
LDAP Out            Outbound   TCP       Don't Care      LDAP (389)           Range 0-65535             -
OSPF In             Inbound    OSPF      -               -                    -                         -
OSPF Out            Outbound   OSPF      -               -                    -                         -
Outgoing HTTP In    Inbound    TCP       Don't Care      HTTP (80)            Range 0-65535             -
Outgoing HTTP Out   Outbound   TCP       Don't Care      Range 0-65535        HTTP (80)                 -
Outgoing HTTPS In   Inbound    TCP       Don't Care      HTTPS (443)          Range 0-65535             -
Outgoing HTTPS Out  Outbound   TCP       Don't Care      Range 0-65535        HTTPS (443)               -
PPTP In             Inbound    TCP       Don't Care      Range 0-65535        PPTP (1723)               -
PPTP Out            Outbound   TCP       Don't Care      PPTP (1723)          Range 0-65535             -
RIP In              Inbound    UDP       -               RIP (520)            RIP (520)                 -
RIP Out             Outbound   UDP       -               RIP (520)            RIP (520)                 -
SSH In              Inbound    TCP       Don't Care      Range 0-65535        SSH (22)                  -
SSH Out             Outbound   TCP       Don't Care      SSH (22)             Range 0-65535             -
Telnet/SSL In       Inbound    TCP       Don't Care      Range 0-65535        Telnet/SSL (992)          -
Telnet/SSL Out      Outbound   TCP       Don't Care      Telnet/SSL (992)     Range 0-65535             -
VCA In              Inbound    UDP       -               Range 0-65535        9023                      -
VCA Out             Outbound   UDP       -               9023                 Range 0-65535             -
VRRP In (1)         Inbound    Other 112 -               -                    -                         -
VRRP Out (1)        Outbound   Other 112 -               -                    -                         -

(1) For VRRP In and VRRP Out, the Destination Address is 224.0.0.18/0.0.0.0, which is the IANA-assigned IP multicast address for VRRP.

Add / Modify / Copy / Delete

To configure a new rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Add screen.

To modify a rule that has been configured, select the rule from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Rules | Modify screen.

To copy a configured rule, modify it, and save it with a new name, select the rule from the list and click Copy. See the Configuration | Policy Management | Traffic Management | Rules | Copy screen.

To delete a configured rule, select the rule from the list and click Delete.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy

These Manager screens let you:

The VPN Concentrator applies rule parameters to data traffic (packets) in the order presented on this screen (from Protocol down) to see if they match. If all parameters match, the system takes the specified Action. If at least one parameter does not match, the system ignores the rest of this rule and examines the packet in accordance with the next rule, and so forth.


Note   On the Modify screen, any changes take effect as soon as you click Apply. Changes affect all filters that use this rule. If this rule is being used by an active filter, changes might affect tunnel traffic.

Creating Rules for a Firewall Filter

If you are creating rules for a VPN Client firewall filter:

For more information on configuring rules for VPN Client firewall filters, refer to the VPN Client Administrator Guide.


Figure 15-8   Configuration | Policy Management | Traffic Management | Rules | Add, Modify, or Copy Screen


Rule Name

Enter a unique name for this rule. Maximum is 48 characters.

Direction

Click the Direction drop-down menu button and choose the data direction to which this rule applies:

Action

Click the Action drop-down menu button and choose the action to take if the data traffic (packet) matches all parameters that follow.


Note   If you are configuring this rule to use for a VPN Client firewall filter, you must choose either Drop or Forward.

The choices are:

Protocol or Other

This parameter refers to the IANA (Internet Assigned Numbers Authority) assigned protocol number in an IP packet. The descriptions include the IANA number, in brackets, for reference.

Click the Protocol or Other drop-down menu button and choose the protocol to which this rule applies.

TCP Connection


Note   Do not configure this field if you are using this rule for a client firewall filter.

Click the TCP Connection drop-down menu button and choose whether this rule applies to packets from established TCP connections. For example, you might want a rule to forward only those TCP packets that originate from established connections on the public network interface, to provide maximum protection against "spoofing."

The choices are:

Source Address

Specify the packet source address that this rule checks (the address of the sender).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the source addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose:

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields.


Note   An IP address is used with a wildcard mask to provide the desired granularity. A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses

IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Wildcard-mask

Enter the source address wildcard mask in dotted decimal notation. Default is 255.255.255.255.

Destination Address

Specify the packet destination address that this rule checks (the address of the recipient).

Network List

Click the Network List drop-down menu button and choose the configured network list that specifies the destination addresses. A network list is a list of network addresses that are treated as a single object. See the Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can choose Use IP Address/Wildcard-mask, which lets you enter a network address.

If you choose a configured network list, the Manager ignores entries in the IP Address and Wildcard-mask fields. See the preceding wildcard mask note.

IP Address

Enter the destination IP address in dotted decimal notation. The default value is 0.0.0.0.

Wildcard-mask

Enter the destination address wildcard mask in dotted decimal notation. The default value is 255.255.255.255.

TCP/UDP Source Port

If you chose TCP or UDP under Protocol, choose the source port number that this rule checks.

Many different protocols or processes run in TCP or UDP environments, and each TCP or UDP process running on a network host is assigned a port number. Thus an IP address plus a port number uniquely identifies a process on a network host. Only TCP and UDP protocols use port numbers. The Internet Assigned Numbers Authority (IANA) manages port numbers and classifies them as Well Known, Registered, and Dynamic (or Private). The Well Known ports are those from 0 through 1023; the Registered Ports are those from 1024 through 49151; and the Dynamic ports are those from 49152 through 65535.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number):

TCP/UDP Destination Port

If you chose TCP or UDP under Protocol, choose the destination port number that this rule checks. See the preceding explanation of port numbers under TCP/UDP Source Port.

Port or Range

Click the Port or Range drop-down menu button and choose the process (port number). The choices are the same as listed under TCP/UDP Source Port, Port or Range.

ICMP Packet Type


Note   Do not configure this field if you are using this rule for a client firewall filter.

The ICMP protocol has many messages that are identified by a type number. For example:

0 = Echo Reply

8 = Echo

13 = Timestamp

14 = Timestamp Reply

17 = Address Mask Request

18 = Address Mask Reply


The Internet Assigned Numbers Authority (IANA) manages these ICMP type numbers.

If you selected ICMP under Protocol, enter the range of ICMP packet type numbers to which this rule applies. To specify a single packet type, enter the same number in both fields. Defaults are 0 to 255 (all packet types). For example, to specify the Timestamp and Timestamp Reply types only, enter 13 to 14.
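The Python script below is an added example, not part of the Cisco documentation or of the VPN Concentrator software. It implements the rule and filter semantics this section describes: a packet is compared against each rule's parameters in the order the screen presents them (Direction, Protocol, TCP Connection, Source and Destination Address with wildcard masks, TCP/UDP ports, ICMP packet type), the first mismatch moves evaluation to the next rule, the first fully matching rule's Action is taken, and a filter with no matching rule falls back to its default action. The sample filter contrasts the default Incoming HTTPS In rule from Table 15-1 as shipped with a copy whose Destination Address is limited to a placeholder management address, which is the adjustment the Caution on the Rules screen recommends. The Packet and Rule field layout, the boolean representation of the TCP Connection choice, the `established` flag on a packet, the management address 192.0.2.10 and the sample packets are all assumptions or constructed data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)
ANY_ADDRESS = "0.0.0.0/255.255.255.255"  # an all-ones wildcard ignores every address bit

# IANA protocol numbers for the protocols that appear in Table 15-1
ICMP, TCP, UDP, GRE, ESP, OSPF, VRRP = 1, 6, 17, 47, 50, 89, 112


def parse_address(spec: str) -> Tuple[int, int]:
    """Split 'n.n.n.n/w.w.w.w' into (address, wildcard) integers."""
    net, wildcard = spec.split("/")
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))


def wildcard_match(addr: str, spec: str) -> bool:
    """Bits set in the wildcard are ignored; all remaining bits must match exactly."""
    network, wildcard = parse_address(spec)
    return ((int(ipaddress.IPv4Address(addr)) ^ network) & (~wildcard & 0xFFFFFFFF)) == 0


@dataclass
class Packet:
    direction: str             # "Inbound" or "Outbound" relative to the interface
    protocol: int              # IANA protocol number
    src: str
    dst: str
    sport: int = 0             # meaningful for TCP/UDP only
    dport: int = 0
    icmp_type: int = 0         # meaningful for ICMP only
    established: bool = False  # assumption: True when the TCP segment belongs to an established connection


@dataclass
class Rule:
    name: str
    direction: str
    action: str                      # "Forward", "Drop" or "Apply IPSec"
    protocol: Optional[int] = None   # None means Any
    established_only: bool = False   # assumed representation of the TCP Connection parameter
    src: str = ANY_ADDRESS
    dst: str = ANY_ADDRESS
    sport: Tuple[int, int] = ANY_PORT
    dport: Tuple[int, int] = ANY_PORT
    icmp_type: Tuple[int, int] = (0, 255)

    def matches(self, pkt: Packet) -> bool:
        # Parameters are checked in screen order; the first mismatch ends the comparison.
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.established_only and not (pkt.protocol == TCP and pkt.established):
            return False
        if not wildcard_match(pkt.src, self.src) or not wildcard_match(pkt.dst, self.dst):
            return False
        if pkt.protocol in (TCP, UDP):
            if not (self.sport[0] <= pkt.sport <= self.sport[1]):
                return False
            if not (self.dport[0] <= pkt.dport <= self.dport[1]):
                return False
        if pkt.protocol == ICMP and not (self.icmp_type[0] <= pkt.icmp_type <= self.icmp_type[1]):
            return False
        return True


@dataclass
class Filter:
    name: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)  # evaluated in list order

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """First matching rule wins; otherwise the filter's default action applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, None


# Constructed sample: the shipped "Incoming HTTPS In" rule versus a copy restricted to a
# placeholder management address (the adjustment the Rules screen Caution recommends).
MGMT_ADDRESS = "192.0.2.10"  # placeholder address standing in for the VPN Concentrator itself

UNMODIFIED_HTTPS_IN = Rule("Incoming HTTPS In", "Inbound", "Forward", TCP, dport=(443, 443))
RESTRICTED_HTTPS_IN = Rule("Incoming HTTPS In (restricted)", "Inbound", "Forward", TCP,
                           dst=MGMT_ADDRESS + "/0.0.0.0", dport=(443, 443))


def build_filter(restricted: bool) -> Filter:
    https_rule = RESTRICTED_HTTPS_IN if restricted else UNMODIFIED_HTTPS_IN
    return Filter("Public (example)", default_action="Drop", rules=[
        Rule("IKE In", "Inbound", "Forward", UDP, dport=(500, 500)),
        Rule("IPSec-ESP In", "Inbound", "Forward", ESP),
        https_rule,
    ])


def classify(pkt: Packet, restricted: bool) -> str:
    """Return only the action the sample filter takes for the packet."""
    return build_filter(restricted).evaluate(pkt)[0]


if __name__ == "__main__":
    to_private_host = Packet("Inbound", TCP, "198.51.100.7", "10.10.1.50", sport=40000, dport=443)
    for restricted in (False, True):
        print("restricted" if restricted else "as shipped", "->", classify(to_private_host, restricted))
```

Running the script shows the effect the Caution warns about: with the rule as shipped, a browser connection from the public side to an arbitrary private host is forwarded, while the copy with a narrowed Destination Address forwards only connections addressed to the Concentrator and lets everything else fall through to the filter's Drop default.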

Add or Apply / Cancel

To add this rule to the list of configured filter rules, click Add. Or to apply your changes to this rule, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If the rule is being used by an active filter, changes might affect tunnel traffic. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen. Any new rule appears in the Filter Rules list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.

Configuration | Policy Management | Traffic Management | Rules | Delete

This screen asks you to confirm deletion of a rule that is being used in a filter. Doing so deletes the rule from all filters that use it, and deletes it from the VPN Concentrator active configuration. To remove a rule from a filter but retain it in the active configuration, see the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.


Figure 15-9   Configuration | Policy Management | Traffic Management | Rules | Delete Screen



Note   The Manager deletes the rule from the filter as soon as you click Yes. If this rule is being used by an active filter, deletion might affect data traffic.

Yes / No

To delete this rule from all filters that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen and shows the remaining rules in the Filter Rules list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To not delete this rule, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Rules screen, and the Filter Rules list is unchanged.

Configuration | Policy Management | Traffic Management | Security Associations

This section of the Manager lets you add, configure, modify, and delete Security Associations (SAs). SAs apply only to IPSec tunnels. During tunnel establishment the two parties negotiate Security Associations that govern authentication, encryption, encapsulation, key management, etc. In other words, while rules and filters specify what traffic to manage, SAs tell how to do it.

IPSec configurations actually involve two SA negotiation phases: first, to establish the tunnel (the IKE SA); and second, to govern traffic within—the use of—the tunnel (the IPSec SA). You must configure IKE proposals before configuring Security Associations. See Configuration | System | Tunneling Protocols | IPSec | IKE Proposals, or click the IKE Proposals link on this screen.

You apply SAs to filter rules that are configured with an Apply IPSec action, for LAN-to-LAN traffic. See Configuration | Policy Management | Traffic Management | Rules. The VPN Concentrator automatically creates and applies appropriate rules when you create a LAN-to-LAN connection; see Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN. You also apply SAs to groups and users, for remote-access traffic, under the IPSec Parameters section on the appropriate Configuration | User Management screens.

You can use IPSec in both client-to-LAN (remote-access) configurations and LAN-to-LAN configurations. The Cisco VPN Client complies with the IPSec protocol and is specifically designed to work with the VPN Concentrator. However, the VPN Concentrator can establish IPSec connections with many protocol-compliant clients. Likewise, the VPN Concentrator can establish LAN-to-LAN connections with other protocol-compliant VPN devices (often called "secure gateways"). The instructions in this section, however, assume peer VPN Concentrators.

The Cisco VPN Client supports these IPSec attributes:


Figure 15-10   Configuration | Policy Management | Traffic Management | Security Associations Screen


IPSec SAs

The IPSec SAs list shows the configured SAs that are available. The SAs are listed in alphabetical order.

Cisco supplies default SAs that you can use or modify; see Table 15-2 and Table 15-3. See the Configuration | Policy Management | Traffic Management | Security Associations | Add section for explanations of the parameters.

Table 15-2   Cisco-Supplied Default Security Associations, Part 1

Parameter \ SA Name       ESP-DES-MD5                ESP-3DES-MD5               ESP/IKE-3DES-MD5           ESP-3DES-NONE
Inheritance               From Rule                  From Rule                  From Rule                  From Rule

IPSec Parameters
Authentication Algorithm  ESP/MD5/HMAC-128           ESP/MD5/HMAC-128           ESP/MD5/HMAC-128           None
Encryption Algorithm      DES-56                     3DES-168                   3DES-168                   3DES-168
Encapsulation Mode        Tunnel                     Tunnel                     Tunnel                     Tunnel
Perfect Forward Secrecy   Disabled                   Disabled                   Disabled                   Disabled
Lifetime Measurement      Time                       Time                       Time                       Time
Data Lifetime             10000 KB                   10000 KB                   10000 KB                   10000 KB
Time Lifetime             28800 sec                  28800 sec                  28800 sec                  28800 sec

IKE Parameters
IKE Peer                  0.0.0.0                    0.0.0.0                    0.0.0.0                    0.0.0.0
Negotiation Mode          Main                       Main                       Main                       Main
Digital Certificate       None (Use Preshared Keys)  None (Use Preshared Keys)  None (Use Preshared Keys)  None (Use Preshared Keys)
IKE Proposal              IKE-DES-MD5                IKE-DES-MD5                IKE-3DES-MD5               IKE-3DES-MD5

Table 15-3   Cisco-Supplied Default Security Associations, Part 2

Parameter \ SA Name       ESP-L2TP-TRANSPORT           ESP-3DES-MD5-DH7             ESP-3DES-MD5-DH5             ESP-AES-128-SHA
Inheritance               From Rule                    From Rule                    Rule                         Rule

IPSec Parameters
Authentication Algorithm  ESP/MD5/HMAC-128             ESP/MD5/HMAC-128             ESP/MD5/HMAC-128             ESP/SHA1/HMAC-160
Encryption Algorithm      DES-56                       3DES-168                     3DES-168                     AES-128
Encapsulation Mode        Transport                    Tunnel                       Tunnel                       Tunnel
Perfect Forward Secrecy   Disabled                     Disabled                     Disabled                     Disabled
Lifetime Measurement      Time                         Time                         Time                         Time
Data Lifetime             10000 KB                     10000 KB                     10000 KB                     10000 KB
Time Lifetime             3600 sec                     28800 sec                    28800 sec                    28800 sec

IKE Parameters
IKE Peer                  0.0.0.0                      0.0.0.0                      0.0.0.0                      0.0.0.0
Negotiation Mode          Main                         Aggressive                   Aggressive                   Aggressive
Digital Certificate       None (Use Preshared Keys)    None (Use Preshared Keys)    None (Use Preshared Keys)    None (Use Preshared Keys)
IKE Proposal              IKE-3DES-MD5                 IKE-3DES-MD5-DH7             CiscoVPNClient-3DES-MD5-DH5  CiscoVPNClient-AES128-SHA

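The defaults in Tables 15-2 and 15-3 date from a period when single DES, HMAC-MD5 and IKEv1 Aggressive mode with preshared keys were acceptable; an administrator reviewing them today would want to know which settings fall short of current practice before reusing an SA. The following script is an added example, not part of the VPN 3000 documentation or of Cisco's software: it transcribes the SA records from the two tables and applies a simple weakness policy of its own. The policy thresholds (flagging DES-56, 3DES, HMAC-MD5, disabled PFS, and Aggressive mode with preshared keys) are this example's assumptions, not a Cisco recommendation. The Cisco VPN Client SAs use Aggressive mode because a remote-access client has no fixed IP address to which a Main-mode preshared key could be bound, so that finding is a caveat to understand rather than a setting to change blindly.

```python
# Added example (not from the VPN 3000 documentation): a lint over the
# Cisco-supplied default Security Associations. The SA records are
# transcribed from Tables 15-2 and 15-3; the weakness rules below are
# this example's own policy, not a Cisco recommendation.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SecurityAssociation:
    name: str
    auth: str            # ESP authentication algorithm
    enc: str             # ESP encryption algorithm
    mode: str            # Tunnel or Transport
    negotiation: str     # IKE Negotiation Mode: Main or Aggressive
    ike_proposal: str    # IKE proposal name
    time_lifetime: int   # seconds
    pfs: str = "Disabled"
    data_lifetime: int = 10000  # KB
    cert: str = "None (Use Preshared Keys)"


# Values as documented in Tables 15-2 and 15-3.
DEFAULT_SAS: List[SecurityAssociation] = [
    SecurityAssociation("ESP-DES-MD5", "ESP/MD5/HMAC-128", "DES-56", "Tunnel", "Main", "IKE-DES-MD5", 28800),
    SecurityAssociation("ESP-3DES-MD5", "ESP/MD5/HMAC-128", "3DES-168", "Tunnel", "Main", "IKE-DES-MD5", 28800),
    SecurityAssociation("ESP/IKE-3DES-MD5", "ESP/MD5/HMAC-128", "3DES-168", "Tunnel", "Main", "IKE-3DES-MD5", 28800),
    SecurityAssociation("ESP-3DES-NONE", "None", "3DES-168", "Tunnel", "Main", "IKE-3DES-MD5", 28800),
    SecurityAssociation("ESP-L2TP-TRANSPORT", "ESP/MD5/HMAC-128", "DES-56", "Transport", "Main", "IKE-3DES-MD5", 3600),
    SecurityAssociation("ESP-3DES-MD5-DH7", "ESP/MD5/HMAC-128", "3DES-168", "Tunnel", "Aggressive", "IKE-3DES-MD5-DH7", 28800),
    SecurityAssociation("ESP-3DES-MD5-DH5", "ESP/MD5/HMAC-128", "3DES-168", "Tunnel", "Aggressive", "CiscoVPNClient-3DES-MD5-DH5", 28800),
    SecurityAssociation("ESP-AES-128-SHA", "ESP/SHA1/HMAC-160", "AES-128", "Tunnel", "Aggressive", "CiscoVPNClient-AES128-SHA", 28800),
]


def audit_sa(sa: SecurityAssociation) -> List[str]:
    """Return a list of findings for one SA; an empty list means no concerns."""
    findings = []
    if sa.enc == "DES-56":
        findings.append("weak encryption DES-56 (56-bit key)")
    elif sa.enc.startswith("3DES"):
        findings.append("3DES-168 uses a 64-bit block; prefer AES")
    if sa.auth == "None":
        findings.append("no packet authentication: ESP payload can be altered undetected")
    elif "MD5" in sa.auth:
        findings.append("HMAC-MD5 packet authentication; prefer SHA-1 or stronger")
    if sa.pfs == "Disabled":
        findings.append("PFS disabled: Phase 2 keys derive from the Phase 1 secret")
    if sa.negotiation == "Aggressive" and sa.cert.startswith("None"):
        findings.append("Aggressive mode with preshared keys: identity and PSK-derived hash sent unprotected")
    if "MD5" in sa.ike_proposal:
        findings.append(f"IKE proposal {sa.ike_proposal} hashes with MD5")
    if "DES-" in sa.ike_proposal and "3DES" not in sa.ike_proposal:
        findings.append(f"IKE proposal {sa.ike_proposal} encrypts Phase 1 with single DES")
    return findings


def audit_all(sas: List[SecurityAssociation] = DEFAULT_SAS) -> Dict[str, List[str]]:
    """Map each SA name to its findings."""
    return {sa.name: audit_sa(sa) for sa in sas}


def cleanest(sas: List[SecurityAssociation] = DEFAULT_SAS) -> str:
    """Name of the SA with the fewest findings (ties resolve to table order)."""
    return min(sas, key=lambda sa: len(audit_sa(sa))).name


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script, the lint prints the findings per SA; ESP-AES-128-SHA comes out with the fewest, with only disabled PFS and Aggressive mode remaining, which is why it is the natural starting point when you modify a default rather than adding a new SA from scratch.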
Add / Modify / Delete

To configure a new SA, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Add screen.

To modify an SA that has been configured, select the SA from the list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Security Associations | Modify screen.

To delete a configured SA, select the SA from the list and click Delete.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify

These screens let you:


Figure 15-11   Configuration | Policy Management | Traffic Management | Security Associations | Add or Modify Screen


SA Name

Enter a unique name for this Security Association. Maximum is 48 characters.

Inheritance

This parameter specifies the granularity, or how many tunnels to build for this connection. Each tunnel uses a unique key.

Click the Inheritance drop-down menu button and choose:

IPSec Parameters

These parameters apply to IPSec SAs, which are the Phase 2 SAs negotiated under IKE; in Phase 2 the two parties establish the conditions for use of the tunnel.

Authentication Algorithm

This parameter specifies the data, or packet, authentication algorithm. Packet authentication proves that each packet came from the peer you expect and was not altered in transit; VPN literature often calls this "data integrity". The IPSec ESP (Encapsulating Security Payload) protocol provides both encryption and authentication. With the authentication algorithm set to None (as in the default ESP-3DES-NONE SA), ESP traffic is encrypted but carries no integrity check, so modification of the ciphertext in transit is not detected.

Click the Authentication Algorithm drop-down menu button and choose the algorithm:

Encryption Algorithm

This parameter specifies the data, or packet, encryption algorithm. Data encryption makes the data unreadable if intercepted.

Click the Encryption Algorithm drop-down menu button and choose the algorithm:

Encapsulation Mode

This parameter specifies the mode for applying ESP encryption and authentication; in other words, what part of the original IP packet has ESP applied.

Click the Encapsulation Mode drop-down menu button and choose the mode:

Perfect Forward Secrecy

This parameter specifies whether to use Perfect Forward Secrecy, and which Diffie-Hellman group (the size of the numbers) to use, in generating Phase 2 IPSec keys. With Perfect Forward Secrecy, each new key comes from a fresh Diffie-Hellman exchange, so it cannot be recovered from any previous key. Without it, Phase 2 keys are derived from the Phase 1 keying material, and compromise of that material exposes every Phase 2 key derived from it. All the Cisco-supplied default SAs have Perfect Forward Secrecy disabled.

Click the Perfect Forward Secrecy drop-down menu button and choose the Perfect Forward Secrecy option:

Lifetime Measurement

This parameter specifies how to measure the lifetime of the IPSec SA keys, which is how long the IPSec SA lasts until it expires and must be renegotiated with new keys. It is used with the Data Lifetime or Time Lifetime parameters.


Note   If the peer proposes a shorter lifetime, the VPN Concentrator uses the peer's lifetime instead of the configured value.

Click the Lifetime Measurement drop-down menu button and choose the measurement method:

Data Lifetime

If you chose Data or Both under Lifetime Measurement, enter the number of kilobytes of payload data after which the IPSec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Time Lifetime

If you chose Time or Both under Lifetime Measurement, enter the number of seconds after which the IPSec SA expires. Minimum is 60 seconds, default is 28800 seconds (8 hours), maximum is 2147483647 seconds (about 68 years).

IKE Parameters

These parameters govern IKE SAs, which are Phase 1 SAs negotiated under IPSec, where the two parties establish a secure tunnel within which they then negotiate the IPSec SAs. In this IKE SA they exchange automated key management information under the IKE (Internet Key Exchange) protocol (formerly called ISAKMP/Oakley).

All these parameters (except IKE Peer) must be configured the same on both parties; the IKE Peer entries must mirror each other. If you create multiple IPSec SAs for use between two IKE peers, the IKE SA parameters must be the same on all SAs.

For best performance and interoperability, we strongly recommend that you use the default parameters where appropriate.

Connection Type

(This field appears only when this Security Association is used in a LAN-to-LAN connection, and it appears only on the Security Associations | Modify page, not on the Security Associations | Add page.) View this field to determine the role of this VPN Concentrator in establishing the IKE tunnel of the LAN-to-LAN connection that uses this SA. This field is read-only.

To configure the Connection Type, see "Connection Type" on the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN Add/Modify screen.

IKE Peer(s)

This parameter applies only to IPSec LAN-to-LAN configurations. It is ignored for IPSec client-to-LAN configurations.

On the Configuration | Policy Management | Traffic Management | Security Associations | Modify page, this field is read-only.

Enter the IP address of the remote peer VPN Concentrator. Use dotted decimal notation. This must be the IP address of the public interface on the peer VPN Concentrator.

This IP address must also match the Peer IP Address on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify screen. It must also match the Group Name for the LAN-to-LAN connection. When you configure the connection on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add screen, the Manager automatically creates a group with the Peer IP address as the Group Name. See Configuration | User Management for information on groups.

When you configure this parameter on the remote peer, enter the IP address of this VPN Concentrator. The entries must mirror each other.

Negotiation Mode

This parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Main mode encrypts the peers' identities before sending them; Aggressive mode completes in fewer messages but sends the identities in the clear and, when preshared keys are used, exposes a hash derived from the preshared key to offline guessing. The default SAs intended for the Cisco VPN Client (see Table 15-3) use Aggressive mode because a remote-access client has no fixed IP address to which a Main-mode preshared key could be bound.

Click the Negotiation Mode drop-down menu button and choose the mode:

Digital Certificate

This parameter specifies whether to use preshared keys or a PKI (Public Key Infrastructure) digital identity certificate to authenticate the peer during Phase 1 IKE negotiations. See the discussion under Administration | Certificate Management.

Click the Digital Certificate drop-down menu button and choose the option. The list shows any digital certificates that have been installed, plus the following option:

Certificate Transmission

If you configured authentication using digital certificates, choose the type of certificate transmission.

IKE Proposal

This parameter specifies the set of attributes that govern Phase 1 IPSec negotiations, which are known as IKE proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. When the VPN Concentrator is acting as an IPSec initiator, this is the only IKE proposal it negotiates. As an IPSec responder, the VPN Concentrator checks all active IKE proposals in priority order, to see if it can find one that agrees with parameters in the initiator's proposed SA. You must configure, activate, and prioritize IKE proposals before configuring Security Associations.

Click the IKE Proposal drop-down menu button and choose the IKE proposal. The list shows only active IKE proposals in priority order. Cisco-supplied default active proposals are:

Add or Apply / Cancel

To add this Security Association to the list of configured SAs, click Add. Or to apply your changes to this Security Association, click Apply. On the Modify screen, any changes take effect as soon as you click Apply. If this SA is being used by an active filter rule or group, changes might affect tunnel traffic. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen. Any new SA appears at the bottom of the IPSec SAs list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.

Configuration | Policy Management | Traffic Management | Security Associations | Delete

This screen asks you to confirm deletion of a Security Association that is assigned to a rule in a filter. Doing so deletes the SA from the VPN Concentrator active configuration, deletes the SA from all rules that use it, and removes those rules from filters.


Figure 15-12   Configuration | Policy Management | Traffic Management | Security Associations | Delete Screen



Note   The Manager deletes the SA as soon as you click Yes. If this SA is being used by an active filter, deletion might affect tunnel traffic.

Yes / No

To delete this SA from all rules that use it, and delete it from the active configuration, click Yes. There is no undo. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen and shows the remaining SAs in the IPSec SAs list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To not delete this SA, click No. The Manager returns to the Configuration | Policy Management | Traffic Management | Security Associations screen, and the IPSec SAs list is unchanged.

Configuration | Policy Management | Traffic Management | Filters

This section of the Manager lets you add, configure, modify, copy, and delete filters, and assign rules to filters.

Filters consist of rules. A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a packet matches all the parameters specified in the rule, the system takes the Action specified in the rule. If at least one rule parameter does not match, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.

Configuring a filter involves two steps:


Step 1   Configure the basic filter parameters (name, default action, etc.) by clicking Add Filter, Modify Filter, or Copy Filter.

Step 2   Assign rules to a filter by clicking Assign Rules to Filter.



You apply filters to interfaces under Configuration | Interfaces, and these are the most important filters for security since they govern all traffic through an interface. You also apply filters to groups and users under Configuration | User Management, and thus govern tunneled traffic through an interface.


Caution   The Cisco-supplied default filters and rules are intended as templates that you should examine and configure to fit your network and security needs. If left in their default configuration or if incorrectly configured, they could present security risks. You should also be especially careful about adding rules to the Public (Default) filter, which allows only tunneled and ICMP traffic.
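The evaluation order described above (first matching rule wins, inbound rules before outbound, the filter's Default Action when nothing matches, and the Source Routing and Fragments settings) is easy to get wrong when editing the Public (Default) filter. The following is an added example, not Cisco code or part of this documentation: a small model of filter evaluation that builds the Public (Default) filter from the rule names in Table 15-4 and then shows what happens when an "Any In" rule is appended to it, which is exactly the mistake the Caution warns about. The protocol identifiers and ports used to express the rules (ESP, UDP/500 for IKE, TCP/1723 for PPTP, UDP/1701 for L2TP) are standard assignments assumed by this example; the page does not list the rules' contents. Treating the Source Routing and Fragments check boxes as tests applied before the rule list is also an assumption of the model.

```python
# Added example (not from the VPN 3000 documentation or Cisco code): a small
# model of filter evaluation as described above. Rule definitions for the
# Public (Default) filter follow Table 15-4; the protocol numbers and ports
# used to express them (ESP, UDP/500 for IKE, and so on) are standard
# assignments assumed here, not taken from the page.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    direction: str            # "in" or "out", relative to the interface
    protocol: str             # "tcp", "udp", "icmp", "esp", "gre", "vrrp", ...
    src: str
    dst: str
    dport: Optional[int] = None
    fragment: bool = False
    source_routed: bool = False


@dataclass
class Rule:
    name: str
    direction: str
    action: str               # "forward", "drop", or "apply-ipsec"
    protocol: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dport: Optional[int] = None
    sa: Optional[str] = None  # Security Association for apply-ipsec rules

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every configured parameter matches."""
        return (pkt.direction == self.direction
                and self.protocol in ("any", pkt.protocol)
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.dport is None or pkt.dport == self.dport))


@dataclass
class Filter:
    name: str
    default_action: str = "drop"
    allow_source_routing: bool = False   # unchecked by default
    allow_fragments: bool = True         # checked by default
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        """Mimic '<< Add': inbound rules precede outbound rules, a new rule goes to
        the end of its direction group, and apply-ipsec rules go to the top of it."""
        group = [i for i, r in enumerate(self.rules) if r.direction == rule.direction]
        if group:
            pos = group[0] if rule.action == "apply-ipsec" else group[-1] + 1
        else:
            pos = 0 if rule.direction == "in" else len(self.rules)
        self.rules.insert(pos, rule)

    def evaluate(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the filter's default action applies.
        The Source Routing and Fragments boxes are modelled as checks made before
        the rule list is consulted (an assumption of this example)."""
        if pkt.source_routed and not self.allow_source_routing:
            return "drop"
        if pkt.fragment and not self.allow_fragments:
            return "drop"
        for rule in self.rules:
            if rule.matches(pkt):
                return f"apply-ipsec:{rule.sa}" if rule.action == "apply-ipsec" else rule.action
        return self.default_action


def build_public_default() -> Filter:
    """The Public (Default) filter of Table 15-4: tunnel protocols, ICMP and VRRP only."""
    f = Filter("Public (Default)")
    for name, proto, port in [("GRE", "gre", None), ("IPSEC-ESP", "esp", None),
                              ("IKE", "udp", 500), ("PPTP", "tcp", 1723),
                              ("L2TP", "udp", 1701), ("ICMP", "icmp", None),
                              ("VRRP", "vrrp", None)]:
        f.add_rule(Rule(f"{name} In", "in", "forward", proto, dport=port))
        if name != "IPSEC-ESP":   # Table 15-4 lists no IPSEC-ESP Out rule
            f.add_rule(Rule(f"{name} Out", "out", "forward", proto, dport=port))
    return f


if __name__ == "__main__":
    pub = build_public_default()
    esp = Packet("in", "esp", "203.0.113.5", "198.51.100.1")
    http = Packet("in", "tcp", "203.0.113.5", "198.51.100.1", dport=80)
    print(pub.evaluate(esp), pub.evaluate(http))      # ESP forwarded, HTTP dropped
    pub.add_rule(Rule("Any In", "in", "forward"))    # the mistake the Caution warns about
    print(pub.evaluate(http))                        # now forwarded
```

The last two lines of the script show why the Caution matters: because "Any In" matches every inbound packet, appending it to the Public (Default) filter turns the interface's default of dropping unsolicited traffic into forwarding it, regardless of the rules above it that only forward tunnel protocols.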

This screen lets you configure only the filters stored on the VPN Concentrator itself. You can also configure filters on an external RADIUS server for use on the VPN Concentrator. For more information on configuring external filters, see Monitoring | Dynamic Filters in VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring.


Figure 15-13   Configuration | Policy Management | Traffic Management | Filters Screen


Filter List

The Filter List shows configured filters, listed in alphabetical order.

Cisco supplies default filters that you can use and modify; see Table 15-4.

Table 15-4   Cisco-Supplied Default Filters

Private (Default)
  Description:              Default filter for the Private Interface
  Default Action:           Drop
  Source Routing:           No
  Fragments:                Yes
  Current Rules in Filter:  Any In (forward/in)
                            Any Out (forward/out)

Public (Default)
  Description:              Default filter for the Public Interface
  Default Action:           Drop
  Source Routing:           No
  Fragments:                Yes
  Current Rules in Filter:  GRE In (forward/in)
                            IPSEC-ESP In (forward/in)
                            IKE In (forward/in)
                            PPTP In (forward/in)
                            L2TP In (forward/in)
                            ICMP In (forward/in)
                            VRRP In (forward/in)
                            GRE Out (forward/out)
                            IKE Out (forward/out)
                            PPTP Out (forward/out)
                            L2TP Out (forward/out)
                            ICMP Out (forward/out)
                            VRRP Out (forward/out)

External (Default)
  Description:              Default filter for the External Interface
  Default Action:           Drop
  Source Routing:           No
  Fragments:                Yes
  Current Rules in Filter:  -Empty-

Firewall Filter for VPN Client (Default)
  Description:              Default filter for the VPN Client, when using Policy Pushed (CPP) firewall configuration
  Default Action:           Drop
  Source Routing:           N/A
  Fragments:                N/A
  Current Rules in Filter:  Any Out (forward/out)

Add Filter

To configure and add a new filter, click Add Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Add screen. The Manager then automatically lets you assign rules to the filter.

Assign Rules to Filter

To assign or change rules in a configured filter, select the filter from the list and click Assign Rules to Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen, which lets you assign and order the rules that apply to this filter.

Modify Filter

To modify the basic parameters—but not the rules—for a filter that has been configured, click Modify Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Modify screen.

Copy Filter

To create a new filter by copying the basic parameters and rules from a filter that has been configured, click Copy Filter. The Manager opens the Configuration | Policy Management | Traffic Management | Filters | Copy screen.

Delete Filter

To delete a configured filter, select the filter from the list and click Delete Filter. See the following notes. The Manager refreshes the screen and shows the remaining entries in the Filter List.


Note   You cannot delete a filter that has been applied to an interface. If you try to do so, the Manager displays an error message.


Note   You can delete a filter that has been applied to a group or user, and there is no confirmation or undo. Doing so might affect their use of the VPN.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy

These screens let you:

You configure the rules in a filter on the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen.


Note   On the Modify screen, any changes take effect as soon as you click Apply. If this filter is being used by an interface or group, changes might affect data traffic.


Figure 15-14   Configuration | Policy Management | Traffic Management | Filters | Add, Modify, or Copy Screen


Filter Name

Enter a unique name for this filter. Maximum is 48 characters.

Default Action

Click the Default Action drop-down menu button and choose the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:

Source Routing

Check the Source Routing check box to allow IP source-routed packets to pass. A source-routed packet carries its own route through the network in an IP option and does not rely on the system's routing table to control forwarding, which lets a sender steer packets around routing-based controls. This box is unchecked by default, because source-routed packets present a security risk.

Fragments

Check the Fragments check box to allow fragmented IP packets to pass. Large data packets might be fragmented on their journey through networks, and the destination system reassembles them. You would normally allow fragmented packets to pass, but you might disallow them if you suspect a security problem, since crafted fragments can be used to evade filtering or to exhaust reassembly resources. This box is checked by default.

Description

Enter a description of this filter. This optional field is a convenience for you or other administrators; use it to describe the purpose or use of the filter. Maximum is 255 characters.

Add or Apply / Cancel

Add screen:

Modify screen:

Copy screen:

To discard your changes, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen, and the Filter List is unchanged.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter

This section of the Manager lets you add, remove, and prioritize the rules in a filter, and assign Security Associations to rules that are configured with an Apply IPSec action.

A filter applies its rules to data packets coming through the system, in the order the rules are arranged on the filter. If a rule matches, the system takes the Action specified in the rule. If not, it applies the next rule; and so on. If no rule matches, the system takes the Default Action specified in the filter.

The Manager groups applied rules by direction (inbound or outbound), with inbound rules first. You can prioritize rules only within a direction.

You configure rules on the Configuration | Policy Management | Traffic Management | Rules screens.


Note   Rules affect the operation of the filter as soon as you add, remove, or prioritize them. If the filter is being used by an active interface or group, changes might affect data traffic.


Note   Be careful about adding or changing rules on the Public (Default) filter. You could compromise security.


Figure 15-15   Configuration | Policy Management | Traffic Management | Assign Rules to Filter Screen


Filter Name

The name of the filter for which you are configuring the rules. You cannot change this name here. (See Configuration | Policy Management | Traffic Management | Filters | Modify.)

Current Rules in Filter

This list shows the rules currently assigned to the filter. Use the scroll controls (if present) to see all the rules in the list. If no rules have been assigned, the list shows --Empty--. Each entry shows the rule name and the action/direction in parentheses; Apply IPSec rules include their Security Association.

Available Rules

This list shows all the rules currently configured on the system (all the rules in the active configuration) that have not been assigned to this filter. Use the scroll controls (if present) to see all the rules in the list. Each entry shows the rule name and the action/direction in parentheses. (Since Security Associations are added to Apply IPSec rules only when those rules are assigned to a filter, this list does not show SAs.)

<< Add

To add a rule to the filter, select the rule from the Available Rules list and click << Add. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and by default orders the current rules with all inbound rules preceding all outbound rules.

If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule. The Manager also, by default, adds Apply IPSec rules to the top of the group of rules with the same direction (inbound or outbound).

<< Insert Above

To add an available rule above a current rule, select the rule from the Available Rules list, then select a target rule in the Current Rules in Filter list, and click Insert Above. The Manager moves the rule to the Current Rules in Filter list, modifies the active configuration, refreshes the screen, and orders the new rule above the current rule. Both selected rules must have the same direction (inbound or outbound).

If you add a rule that has an Apply IPSec action configured, the Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule screen, which lets you add a Security Association to the rule.

>> Remove

To remove a rule from the filter, select the rule from the Current Rules in Filter list and click >> Remove. The Manager moves the rule to the Available Rules list, modifies the active configuration, refreshes the screen, and shows the remaining current rules in the filter.

You cannot remove a rule that is configured as part of a LAN-to-LAN connection. See the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add | Done screen.

Move Up / Move Down

To change the order in which a rule is applied within the filter, select the rule from the Current Rules in Filter list and click Move Up or Move Down. The Manager reorders the current rules, modifies the active configuration, refreshes the screen, and shows the reordered list. If you try to move a rule out of its direction group (inbound or outbound), the Manager displays an error message.

Assign SA to Rule

To modify the Security Association applied to a current rule that has an Apply IPSec action configured, select the rule from the Current Rules in Filter list and click Assign SA to Rule. The Manager displays the Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule screen.

Done

When you are finished configuring the rules in this filter, click Done. The Manager returns to the Configuration | Policy Management | Traffic Management | Filters screen and refreshes the Filter List.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule

This screen lets you add a configured Security Association to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.

You configure Security Associations on the Configuration | Policy Management | Traffic Management | Security Associations screens.


Figure 15-16   Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Add SA to Rule Screen


Add SA to Rule on Filter:

The Manager shows the name of the filter to which you are adding a rule that has an Apply IPSec action configured. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs

The IPSec SAs list shows the configured SAs that are available, that is, all the SAs in the active configuration.

Apply

To add an SA to the rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its SA.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule

This screen lets you change the configured Security Association that is applied to a rule that has an Apply IPSec action configured. You can assign only one SA to a rule.

On this screen, you change which SA is applied. You configure SAs themselves on the Configuration | Policy Management | Traffic Management | Security Associations screens.


Note   The change takes effect as soon as you click Apply. If this filter is being used by an interface or group, the change might affect tunnel traffic.


Figure 15-17   Configuration | Policy Management | Traffic Management | Assign Rules to Filter | Change SA on Rule Screen


Change SA on Rule in Filter

The Manager shows the name of the filter to which the IPSec rule is assigned. You cannot change this name here. See Configuration | Policy Management | Traffic Management | Filters | Modify.

IPSec SAs

The IPSec SAs list shows the configured SAs that are available (all the SAs in the active configuration). By default, the SA that is currently applied to the rule is selected.

Apply / Cancel

To apply a different SA to this rule, select the SA from the list and click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, modifies the active configuration, and updates the Current Rules in Filter list to show the rule with its new SA. The change takes effect as soon as you click Apply. If this filter is being used by an active interface or group, the change might affect tunnel traffic.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard the change and keep the current SA on the rule, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Assign Rules to Filter screen for the filter you are configuring, and the Current Rules in Filter list is unchanged.

Configuration | Policy Management | Traffic Management | NAT

This section of the Manager lets you configure and enable NAT (Network Address Translation). NAT translates private network addresses into an IANA-assigned public network address, and vice versa, and thus allows traffic routing between the networks.

A NAT session is a translation instance. When a packet passing through the VPN Concentrator matches a NAT rule and is translated, a NAT session begins. The NAT session records details of the translation, including the source IP address and port, the destination IP address and port, and the translated, or mapped, address and port.

A NAT rule defines the criteria that a packet must meet to be translated. For interface NAT rules, the criteria include the protocol: portless, UDP, or TCP. For LAN-to-LAN connections, the criteria are the source, translated, and destination IP addresses.

To use NAT, we recommend that you first configure NAT rules, then enable the function.

You can change NAT rules while NAT is enabled. Doing so affects subsequent sessions but not current sessions, as long as the changed rule still allows the current session; if it does not, traffic on that session stops.

For inbound packets, the destination address and port are mapped. For outbound traffic, the source address and port are mapped.

As packets pass through the VPN Concentrator, NAT sessions are searched for a match prior to applying NAT rules. If a match exists, the packet is translated in the same way as the packet that caused the session to initiate, and the session continues, allowing the VPN Concentrator to maintain address and port continuity within a session. NAT sessions expire and are deleted if they are unused for a certain time period, which varies depending on the protocol. Therefore, unless the NAT rule is a static rule, NAT sessions between the same clients may have different translated addresses for different NAT sessions.
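The session behaviour described in the two paragraphs above (outbound packets create a session and have their source mapped, replies are matched against the session table and have their destination mapped back, unsolicited inbound packets match nothing, and idle sessions expire so that the same client may later receive a different translation) is the behaviour a practitioner relies on when deciding whether interface NAT protects a private network from unsolicited inbound traffic. The following is an added example, not Cisco code: a small model of an interface NAT session table with the semantics this section states. The idle timeouts, the mapped-port range, and the handling of portless protocols (address-only mapping, with no per-flow identifier) are assumptions of this example; the VPN Concentrator's actual values are not given on this page.

```python
# Added example (not Cisco code): a model of interface NAT sessions as the
# section above describes them. Idle timeouts, the mapped-port range and the
# treatment of portless protocols are assumptions of this example; the
# VPN Concentrator's actual values are not given on this page.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = {"tcp": 3600.0, "udp": 300.0, "portless": 60.0}   # seconds, assumed

Addr = Tuple[str, int]   # (IP address, port); port 0 for portless protocols


@dataclass
class NatRule:
    private_net: str          # e.g. "10.0.0.0/8"
    public_ip: str            # address of the public interface
    protocols: frozenset      # subset of {"tcp", "udp", "portless"}


@dataclass
class Session:
    proto: str
    src: Addr                 # private source, as sent by the inside host
    dst: Addr                 # outside destination
    mapped: Addr              # translated source as seen on the public side
    last_used: float


class NatTable:
    def __init__(self, rules: List[NatRule], first_port: int = 10000):
        self.rules = rules
        self.next_port = first_port
        self.fwd: Dict[tuple, Session] = {}   # (proto, src, dst) -> session
        self.rev: Dict[tuple, Session] = {}   # (proto, dst, mapped) -> session

    def _rule_for(self, proto: str, src_ip: str) -> Optional[NatRule]:
        for r in self.rules:
            if proto in r.protocols and ip_address(src_ip) in ip_network(r.private_net):
                return r
        return None

    def expire(self, now: float) -> int:
        """Delete sessions idle longer than their protocol's timeout; return the count."""
        dead = [k for k, s in self.fwd.items() if now - s.last_used > IDLE_TIMEOUT[s.proto]]
        for k in dead:
            s = self.fwd.pop(k)
            self.rev.pop((s.proto, s.dst, s.mapped), None)
        return len(dead)

    def translate_outbound(self, proto: str, src: Addr, dst: Addr, now: float) -> Optional[Addr]:
        """Outbound: map the source address/port. Returns the mapped source, or
        None if no NAT rule matches (the packet passes untranslated)."""
        self.expire(now)
        s = self.fwd.get((proto, src, dst))
        if s is None:
            rule = self._rule_for(proto, src[0])
            if rule is None:
                return None
            # Portless traffic maps only the address (simplification: no per-flow id).
            port = 0 if proto == "portless" else self.next_port
            if proto != "portless":
                self.next_port += 1
            s = Session(proto, src, dst, (rule.public_ip, port), now)
            self.fwd[(proto, src, dst)] = s
            self.rev[(proto, dst, s.mapped)] = s
        s.last_used = now
        return s.mapped

    def translate_inbound(self, proto: str, src: Addr, dst: Addr, now: float) -> Optional[Addr]:
        """Inbound: map the destination address/port back to the private host.
        Only an existing session translates; unsolicited traffic returns None."""
        self.expire(now)
        s = self.rev.get((proto, src, dst))
        if s is None:
            return None
        s.last_used = now
        return s.src


if __name__ == "__main__":
    table = NatTable([NatRule("10.0.0.0/8", "198.51.100.1", frozenset({"tcp", "udp"}))])
    print(table.translate_outbound("tcp", ("10.1.1.5", 40000), ("203.0.113.7", 443), now=0.0))
    print(table.translate_inbound("tcp", ("203.0.113.7", 443), ("198.51.100.1", 10000), now=1.0))
    print(table.translate_inbound("tcp", ("203.0.113.9", 443), ("198.51.100.1", 10000), now=1.0))
```

The third call in the script returns None: an inbound packet that matches no session is not translated, which is the property that makes dynamic interface NAT a one-way door for unsolicited traffic. Because mapped ports are allocated per session and sessions expire, the same inside host reconnecting after the idle timeout receives a new mapping, as the last paragraph above states for non-static rules.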

For a detailed explanation of NAT and PAT, see http://www.cisco.com/warp/public/556/nat-cisco.shtml.


Figure 15-18   Configuration | Policy Management | Traffic Management | NAT Screen


Configuration | Policy Management | Traffic Management | NAT | Enable

This screen lets you enable NAT operation for Interfaces, which applies NAT to all non-tunneled traffic flowing through the public interface, and for LAN-to-LAN tunnels. We recommend that you configure NAT rules before you enable the function.


Figure 15-19   Configuration | Policy Management | Traffic Management | NAT | Enable Screen


Interface NAT Rules Enabled

Check the Interface NAT Rules Enabled check box to enable NAT rules for interfaces, or uncheck it to disable these NAT rules. By default, the box is unchecked.

LAN-to-LAN Tunnel NAT Rule Enabled

Check the LAN-to-LAN Tunnel NAT Rule Enabled check box to enable NAT rules for LAN-to-LAN connections, or uncheck it to disable these NAT rules. By default, the box is unchecked.

Apply / Cancel

To enable or disable NAT rules, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT screen.

Configuration | Policy Management | Traffic Management | NAT | Interface Rules

This section of the Manager lets you add, configure, modify, and delete Interface NAT rules. We recommend that you first configure and add rules, then enable the function. To configure Interface NAT rules, you must first configure a VPN Concentrator public interface; see Configuration | Interfaces.

You need at least one rule for each private network that the VPN Concentrator connects to, and that uses NAT.


Figure 15-20   Configuration | Policy Management | Traffic Management | NAT | Interface Rules Screen


Interface NAT Rules

The Interface NAT Rules list shows NAT rules that have been configured. If no rules have been configured, the list shows --Empty--. The format of each rule is: Private Address/Subnet Mask on Interface (Action); for example, 10.0.0.0/8 on Ethernet 2 (Public) (TCP).

Add / Modify / Delete

To configure and add a new Interface NAT rule to the list of configured rules, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add screen. If you have not configured a public interface, the Manager displays the Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces screen.

To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Modify screen.

To delete a configured NAT rule, select the rule from the NAT Rules list and click Delete.


Note   There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining rules in the list.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces

The Manager displays this screen if you have not configured a public interface on the VPN Concentrator and you try to add a NAT rule. The public interface need not be enabled, but it must be configured with an IP address and the Public Interface parameter enabled.

You should designate only one VPN Concentrator interface as a public interface.


Figure 15-21   Configuration | Policy Management | Traffic Management | NAT | Rules | No Public Interfaces Screen


Click the highlighted link to configure the desired public interface. The Manager opens the appropriate Configuration | Interfaces screen.

Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify

These screens let you:

You must configure a public interface on the VPN Concentrator before you can add an Interface NAT rule. See the Configuration | Interfaces screens.


Figure 15-22   Configuration | Policy Management | Traffic Management | NAT | Interface Rules | Add or Modify Screen


Interface

Add screen:

Modify screen:

Private Address

Specify the private network (subnet) addresses that NAT translates to and from the public address.

IP Address

Enter the private IP address in dotted decimal notation, for example: 10.0.0.1.

Subnet Mask

Enter the subnet mask appropriate for the private IP address range. Use dotted decimal notation; the default is 255.255.255.255. For example, to translate all private addresses in class A network 10, enter 255.0.0.0.

In the NAT Rules list, the subnet mask is shown as the number of ones; for example, 255.255.0.0 is shown as /16.

Action

Check the box(es) to choose the translation action(s) for this NAT rule:

Add or Apply / Cancel

To add this rule to the list of configured Interface NAT rules, click Add. Or to apply your changes to this Interface NAT rule, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Interface Rules screen. Any new rule appears at the bottom of the Interface NAT Rules list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | NAT | Rules screen, and the Interface NAT Rules list is unchanged.

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules

This section of the Manager lets you add, configure, modify, and delete LAN-to-LAN NAT rules that apply only to traffic that passes over LAN-to-LAN tunnels. We recommend that you first configure and add rules, then enable the function.

About LAN-to-LAN NAT

Private networks often use the same private address spaces. For connecting VPN networks, this duplication of IP addresses can prevent communication, because traffic from one private network to another using the same address space is perceived as local, and therefore does not travel to the second network. You can use NAT to solve this problem, translating private network addresses to legitimate public network addresses as packets enter the tunnel, rather than assigning new IP addresses to the networks.

Mapping rules that you configure determine how LAN-to-LAN NAT translates network addresses. There are three types of mapping rules:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

Figure 15-23 is an example of a network topology that has complete overlap in the address spaces for the networks behind VPN Concentrators A and B.


Figure 15-23   LAN-to-LAN NAT Example


The LAN-to-LAN NAT mapping rules for these VPN Concentrators are as follows:

VPN Concentrator     Rule and Type     Mappings
VPN Concentrator A   A - Dynamic/PAT   10.10.10.0/24 -> 20.20.20.9
VPN Concentrator B   B - Static NAT    10.10.10.0/24 -> 30.30.30.0/24

The VPN Concentrators are configured as follows:

A client with the IP address of 10.10.10.2 on network A sends a message to a server on network B with an IP address of 10.10.10.4. The clients on Network A already know the static address translation of the servers on Network B. Table 15-5 describes the message flow and the NAT translations that occur.

Table 15-5   LAN-to-LAN NAT Message Flow for LAN-to-LAN Tunnel Networks 20.20.20.0/24 and 30.30.30.0/24

Request, tunnel direction -> (Concentrator A to Concentrator B):

Concentrator A, private network 10.10.10.0: Host with source IP address of 10.10.10.2 sends a message to server on network B with destination IP address of 30.30.30.4.

Concentrator A, after outbound NAT translation: Source IP address translates to 20.20.20.9, using Rule A to create Session A1. Destination IP address is 30.30.30.4.

Concentrator B, after inbound NAT translation: Source IP address is 20.20.20.9. Destination IP address 30.30.30.4 translates to 10.10.10.4, using Rule B to create Session B1.

Concentrator B, private network 10.10.10.0: Server with destination IP address 10.10.10.4 receives packet from host with source IP address of 20.20.20.9.

Reply, tunnel direction <- (Concentrator B to Concentrator A):

Concentrator B, private network 10.10.10.0: Server with source IP address of 10.10.10.4 replies to host with destination IP address of 20.20.20.9.

Concentrator B, after outbound NAT translation: Source IP address translates to 30.30.30.4, with Concentrator B using mapping information from Session B1. Destination IP address is 20.20.20.9.

Concentrator A, after inbound NAT translation: Source IP address is 30.30.30.4. Destination IP address translates to 10.10.10.2, with Concentrator A using mapping information from Session A1.
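The message flow in Table 15-5, worked through in code. This is an added example, not code from the VPN 3000 Concentrator: it models Rule A (Dynamic/PAT, 10.10.10.0/24 -> 20.20.20.9) and Rule B (Static NAT, 10.10.10.0/24 -> 30.30.30.0/24) from Figure 15-23 and shows why the reply finds its way back through Session A1 and Session B1, and why an unsolicited packet toward the PAT address is dropped. The Remote networks used for each rule (30.30.30.0/24 for A, 20.20.20.0/24 for B), the port numbers and the session-table layout are constructed assumptions for the example, not device internals.

```python
"""Simulation of the LAN-to-LAN NAT message flow in Table 15-5 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatRule:
    """One LAN-to-LAN NAT rule: [Source : Translated] -> Remote (Type)."""
    source: IPv4Network
    translated: IPv4Network   # a /32 for PAT, a same-size network for Static
    remote: IPv4Network       # the rule applies only to traffic bound for this space
    kind: str                 # "static" or "pat"


def _shift(addr: str, from_net: IPv4Network, to_net: IPv4Network) -> str:
    """Static NAT: keep the host part, swap the network part (same-size networks)."""
    offset = int(IPv4Address(addr)) - int(from_net.network_address)
    return str(IPv4Address(int(to_net.network_address) + offset))


class Concentrator:
    def __init__(self, name: str, rule: NatRule):
        self.name = name
        self.rule = rule
        self.sessions = {}        # public (ip, port) -> private (ip, port)
        self._next_port = 1024    # constructed PAT port allocator (assumption)

    def outbound(self, pkt: Packet):
        """Translate the source address as the packet enters the tunnel."""
        r = self.rule
        if IPv4Address(pkt.src) not in r.source or IPv4Address(pkt.dst) not in r.remote:
            return pkt                                   # rule does not apply
        if r.kind == "static":
            pub_ip, pub_port = _shift(pkt.src, r.source, r.translated), pkt.sport
        else:                                            # PAT: one public IP, many ports
            pub_ip, pub_port = str(r.translated.network_address), self._next_port
            self._next_port += 1
        self.sessions[(pub_ip, pub_port)] = (pkt.src, pkt.sport)   # e.g. Session A1
        return Packet(pub_ip, pkt.dst, pub_port, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate the destination as the packet leaves the tunnel; None = dropped."""
        key = (pkt.dst, pkt.dport)
        if key in self.sessions:                          # reply to an existing session
            priv_ip, priv_port = self.sessions[key]
            return Packet(pkt.src, priv_ip, pkt.sport, priv_port)
        r = self.rule
        if r.kind == "static" and IPv4Address(pkt.dst) in r.translated:
            # Unsolicited inbound traffic works only with a Static rule: the
            # translated address is predictable, so a session can be created here.
            priv_ip = _shift(pkt.dst, r.translated, r.source)
            self.sessions[key] = (priv_ip, pkt.dport)     # e.g. Session B1
            return Packet(pkt.src, priv_ip, pkt.sport, pkt.dport)
        return None   # with PAT the sender cannot know which public port to use


def table_15_5_flow():
    """Return the packet as seen at each hop of Table 15-5, plus both concentrators."""
    a = Concentrator("A", NatRule(IPv4Network("10.10.10.0/24"), IPv4Network("20.20.20.9/32"),
                                  IPv4Network("30.30.30.0/24"), "pat"))
    b = Concentrator("B", NatRule(IPv4Network("10.10.10.0/24"), IPv4Network("30.30.30.0/24"),
                                  IPv4Network("20.20.20.0/24"), "static"))
    request = Packet("10.10.10.2", "30.30.30.4", 40000, 80)    # constructed ports
    in_tunnel = a.outbound(request)          # src -> 20.20.20.9 (creates Session A1)
    at_server = b.inbound(in_tunnel)         # dst -> 10.10.10.4 (creates Session B1)
    reply = Packet(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    reply_in_tunnel = b.outbound(reply)      # src -> 30.30.30.4 via Session B1
    at_host = a.inbound(reply_in_tunnel)     # dst -> 10.10.10.2 via Session A1
    return in_tunnel, at_server, reply_in_tunnel, at_host, a, b


if __name__ == "__main__":
    for hop in table_15_5_flow()[:4]:
        print(hop)
```

Running it prints the four translated packets in the order of the table. The last branch of inbound() is the point of the guideline later in this chapter: a PAT rule gives the remote side no predictable address or port, so only a Static rule can admit inbound traffic that has no session yet.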

You configure LAN-to-LAN NAT rules in the Configuration | Policy Management | NAT | LAN-to-LAN Rules screen.


Figure 15-24   Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules Screen


LAN-to-LAN NAT Rules

The LAN-to-LAN NAT Rules list shows the rules that have been configured. The format is [Source : Translated] -> Remote (Type). If no LAN-to-LAN NAT rules have been configured, the list shows --Empty--.

Source

This is the host IP address and wildcard mask on the private network.

Translated

This is the translated IP address and wildcard mask for the local address of this LAN-to-LAN connection. This is also the translated address space.

Remote

This is the destination IP address and wildcard mask for this LAN-to-LAN connection. The rule is applied only to packets bound for this address space. The address space must be part of the destination address space of a LAN-to-LAN connection.

Type

This identifies the type of LAN-to-LAN NAT Rule:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

Add / Modify / Delete

To configure and add a new LAN-to-LAN NAT rule, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add screen.

To modify a configured NAT rule, select the rule from the NAT Rules list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Modify screen.

To delete a configured NAT rule, select the rule from the LAN-to-LAN NAT Rules list and click Delete.


Note   There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining rules in the list.

Move Up / Move Down

You can use the Move Up and Move Down buttons to sort LAN-to-LAN NAT rules in priority order, except

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify

This screen lets you add or modify NAT LAN-to-LAN rules.


Figure 15-25   Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Add or Modify Screens


NAT Type

This identifies the type of LAN-to-LAN NAT Rule:

Static rules are restricted to networks in which the local network and mapped network are of the same size. Port mappings are unnecessary, and are not performed.

Guideline for Defining NAT Rules and Types

Understand this caveat as you define NAT rules for LAN-to-LAN connections:

If you expect inbound traffic, you need to define a static LAN-to-LAN NAT rule. This is because with any other type of NAT rule, the translated address is impossible to predict, leaving the sender no way of identifying the IP address to which it should send packets.

Source Network

This is the network IP address and wildcard mask the rule translates.

Translated Network

This is the translated IP address and wildcard mask for the local network of this LAN-to-LAN connection.

Remote Network

This is the destination IP network and wildcard mask for this LAN-to-LAN connection.


Note   If you have a network with any remote access clients, you must specifically define the remote network, and not accept the default values of 0.0.0.0/255.255.255.255. If you were to accept these default values, and the source network and wildcard mask of the rule overlaps or is the same as the network addresses assigned to remote access clients, the VPN Concentrator attempts to NAT traffic intended for the remote access clients for the LAN-to-LAN connection instead, and that traffic never reaches the remote access clients. The only exception to this is for remote access clients that get their IP addresses from a third network, in which case you can use default values for this parameter.

IP Address

Enter the source IP address in dotted decimal notation. Default is 0.0.0.0.

Wildcard Mask

Enter the wildcard mask in dotted decimal notation. Default is 255.255.255.255.


Note   A wildcard mask is the reverse of a subnet mask. The wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. For example:
0.0.0.0/255.255.255.255 = any address
10.10.1.35/0.0.0.0 = only 10.10.1.35
10.10.1.35/0.0.0.255 = all 10.10.1.nnn addresses
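The wildcard-mask semantics of the note above, as an added example (not code from the VPN 3000 Concentrator). It checks an address against an ip/wildcard pair, converts between wildcard and subnet masks, reports a subnet mask in the /16 form used by the NAT Rules list, and tests whether two address spaces overlap, which is the check behind the remote access client note under Remote Network.

```python
"""Wildcard-mask helpers for NAT rule addresses (added example)."""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _bits(dotted: str) -> int:
    return int(IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is in base/wildcard: ones in the wildcard are ignored bits."""
    must_match = ALL_ONES ^ _bits(wildcard)
    return (_bits(addr) & must_match) == (_bits(base) & must_match)


def wildcard_to_subnet(wildcard: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask."""
    return str(IPv4Address(ALL_ONES ^ _bits(wildcard)))


def subnet_to_wildcard(subnet_mask: str) -> str:
    return str(IPv4Address(ALL_ONES ^ _bits(subnet_mask)))


def prefix_len(subnet_mask: str) -> int:
    """Number of one bits, as the NAT Rules list shows a subnet mask (255.255.0.0 -> 16)."""
    m = _bits(subnet_mask)
    ones = bin(m).count("1")
    if ((ALL_ONES << (32 - ones)) & ALL_ONES) != m:      # ones must be contiguous
        raise ValueError(f"not a valid subnet mask: {subnet_mask}")
    return ones


def spaces_overlap(ip1: str, wc1: str, ip2: str, wc2: str) -> bool:
    """True if two ip/wildcard spaces share at least one address.

    Only bits that are fixed (zero in the wildcard) in BOTH spaces constrain
    membership, so the spaces overlap exactly when those bits agree.
    """
    fixed_in_both = ALL_ONES ^ (_bits(wc1) | _bits(wc2))
    return (_bits(ip1) & fixed_in_both) == (_bits(ip2) & fixed_in_both)


if __name__ == "__main__":
    print(wildcard_match("10.10.1.200", "10.10.1.35", "0.0.0.255"))   # all 10.10.1.nnn
    print(prefix_len("255.255.0.0"))                                  # 16
    # the default Remote Network 0.0.0.0/255.255.255.255 overlaps any client pool
    print(spaces_overlap("0.0.0.0", "255.255.255.255", "192.0.2.0", "0.0.0.255"))
```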


Note   There is no confirmation or undo.

Reminder:

The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | Policy Management | Traffic Management | Bandwidth Policies

This section of the Manager lets you configure bandwidth management policies. You can configure a bandwidth policy to do one or all of the following:

Once you configure bandwidth policies, you can apply them either to an interface, or a group, or both. If you apply a policy to an interface only, it applies to each user on the interface. If you apply a policy to a group, it applies only to the users in that group. If you apply one policy to an interface and a different policy to a group, users who are members of that group use the group policy, and all other users use the interface policy.


Figure 15-26   Configuration | Policy Management | Traffic Management | Bandwidth Policies Screen


Add / Modify / Delete

To create a new bandwidth policy, click Add. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add screen.

To modify a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Modify. The Manager opens the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Modify screen.

To delete a configured bandwidth policy, select the policy in the Bandwidth Policies list and click Delete.

Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify

This screen lets you:

Add: Configure and add a bandwidth policy

Modify: Modify a previously configured bandwidth policy

Overview of Bandwidth Management

There are two aspects of bandwidth management: bandwidth policing and bandwidth reservation. Bandwidth policing limits the maximum rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate. Bandwidth reservation sets aside a minimum bandwidth rate for tunneled traffic. Using bandwidth management, you can allocate bandwidth to groups and users equitably, thus preventing certain groups or users from consuming a majority of the bandwidth.

Bandwidth management applies only to tunneled traffic (L2TP, PPTP, IPSec) and is most commonly applied to the public interface.


Tip If you receive an error message when you're configuring any bandwidth management feature, check the event log. The event log gives very specific feedback for bandwidth management errors.

Bandwidth Reservation

Bandwidth reservation sets aside a minimum limit of bandwidth per tunnel for tunneled traffic. Each user receives at least a set amount of bandwidth. When there is little traffic on the box, users receive more than their allocated minimum of bandwidth. When the box becomes busy, they receive at least that much. When the combined total of the reserved bandwidth amounts of all active tunnels on an interface approaches the limit of the total bandwidth available on that interface, the VPN Concentrator refuses further connections to users who demand more reserved bandwidth than is available.

You can configure bandwidth reservation on just an interface (usually the public). In this case, every user who connects on the public interface receives the same reserved minimum bandwidth. If, in addition, you configure reserved bandwidth on a particular group, users in that group can claim an amount of reserved bandwidth that differs from that of the other users on the interface. You cannot configure reserved bandwidth on a specific group unless you have first configured reserved bandwidth on the interface.

Example One: A Bandwidth Reservation Policy Applied to an Interface

Suppose the link rate on your public interface is 1,544 kbps. And suppose you apply a reserved bandwidth policy to that interface that sets the reserved bandwidth to the default: 56 kbps per user. With this link rate and policy setting, only a total of 27 users can connect to the VPN Concentrator at one time. (1544 kbps per interface divided by 56 kbps per user equals 27 connections.)

Example Two: Bandwidth Reservation Policies Applied to an Interface and a Group

Add bandwidth reservation on a particular group to the above example. The group "Executives" reserves 112 kbps of the public interface bandwidth for any member of the group.

Keep in mind that there may be many groups using the VPN Concentrator, each with different bandwidth policies.

Bandwidth Aggregation

From Example Two, you can see that configuring bandwidth reservation alone can lead to a scenario in which high priority, high bandwidth users are unable to connect to a congested VPN Concentrator because of their bandwidth requirements. For this case, the VPN Concentrator provides a feature called bandwidth aggregation. Bandwidth aggregation allows a particular group to reserve a fixed portion of the total bandwidth on the interface. (This fixed portion is known as an aggregation.) Then, as users from that group connect, each receives a part of the total bandwidth allocated for the group. Users who are not in that group cannot share this reserved portion, even if no one else is using it. When one group makes a reserved bandwidth aggregation, it does not affect the bandwidth allocated to users who are not in that group; however, those other users are now sharing a smaller amount of total bandwidth. Fewer of them can connect.

Suppose the company president in Example Three wants two top executives to be able to access the VPN Concentrator at any time. In this case, you can configure a bandwidth aggregation of x/2 (or half the bandwidth) for the group "Top Executives." Half the bandwidth of the interface would then be set aside for the use of this group. This means however, that all the other users on the interface compete for the remaining half of the bandwidth.

LAN-to-LANs and Bandwidth Reservation

Configure bandwidth reservation for a LAN-to-LAN connection as you would for a group with one user. In this way, you reserve a set amount of bandwidth for the connection. (The users on the LAN-to-LAN connection are not managed, only the connection.) When you apply a bandwidth reservation policy to a LAN-to-LAN connection, the VPN Concentrator automatically adds bandwidth aggregation.
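The arithmetic of Example One, Example Two and the aggregation scenario, as an added example that is not code from the VPN 3000 Concentrator. It models an interface reservation per user, a different reservation for one group, and a group aggregation that is set aside for that group alone, and counts how many tunnels each pool admits. The admission rule (refuse a tunnel when its reservation would exceed the free capacity of its pool) is the model this example assumes; the page does not describe the device's internal scheduler, and the 20 "ordinary" users in example_two() are a constructed value.

```python
"""Admission model for bandwidth reservation and aggregation (added example)."""


class BandwidthReservation:
    def __init__(self, link_rate_kbps: int, interface_min_kbps: int):
        self.link = link_rate_kbps
        self.interface_min = interface_min_kbps   # default reservation per user
        self.group_min = {}        # group -> reserved kbps per user in that group
        self.aggregate = {}        # group -> kbps set aside exclusively for the group
        self.aggregate_used = {}   # group -> kbps claimed inside its aggregation
        self.shared_used = 0       # kbps claimed by everyone outside an aggregation

    def set_group_policy(self, group: str, min_kbps: int, aggregate_kbps: int = 0) -> None:
        """Apply a reservation policy (and optionally an aggregation) to a group."""
        self.group_min[group] = min_kbps
        if aggregate_kbps:
            if sum(self.aggregate.values()) + aggregate_kbps > self.link:
                raise ValueError("aggregations cannot exceed the interface link rate")
            self.aggregate[group] = aggregate_kbps
            self.aggregate_used[group] = 0

    def shared_capacity(self) -> int:
        """Bandwidth left for users who are not in an aggregated group."""
        return self.link - sum(self.aggregate.values())

    def connect(self, group: str = None) -> bool:
        """Admit one tunnel, or refuse it if its reservation is not available."""
        need = self.group_min.get(group, self.interface_min)
        if group in self.aggregate:
            # members draw only from their group's aggregation (assumed model)
            if self.aggregate_used[group] + need > self.aggregate[group]:
                return False
            self.aggregate_used[group] += need
            return True
        if self.shared_used + need > self.shared_capacity():
            return False
        self.shared_used += need
        return True


def fill(bm: BandwidthReservation, group: str = None) -> int:
    """Connect tunnels for `group` until one is refused; return how many got in."""
    n = 0
    while bm.connect(group):
        n += 1
    return n


def example_one() -> int:
    """1544 kbps link, 56 kbps reserved per user: 27 tunnels fit."""
    return fill(BandwidthReservation(1544, 56))


def example_two(default_users: int = 20) -> int:
    """Group "Executives" reserves 112 kbps per member.

    With `default_users` ordinary tunnels already up (constructed value),
    how many executives can still connect?
    """
    bm = BandwidthReservation(1544, 56)
    bm.set_group_policy("Executives", 112)
    for _ in range(default_users):
        if not bm.connect():
            raise RuntimeError("constructed scenario assumes these all fit")
    return fill(bm, "Executives")


def example_aggregation() -> tuple:
    """Group "Top Executives" gets an aggregation of half the link (772 kbps)."""
    bm = BandwidthReservation(1544, 56)
    bm.set_group_policy("Top Executives", 112, aggregate_kbps=772)
    others = fill(bm)                     # the other users share only 772 kbps now
    execs = fill(bm, "Top Executives")    # the aggregation was untouched by them
    return others, execs


if __name__ == "__main__":
    print("Example One:", example_one(), "tunnels")
    print("Example Two:", example_two(), "executives after 20 default users")
    print("Aggregation (others, top executives):", example_aggregation())
```

Note that in example_aggregation() the ordinary users are refused after 13 tunnels (13 x 56 = 728 kbps) even though the executives' 772 kbps is still completely idle, which is the trade-off the text describes: fewer of the other users can connect.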

Bandwidth Policing

Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. The VPN Concentrator transmits traffic it receives below this rate; it drops traffic above this rate.

Because traffic is bursty, some flexibility is built into policing. Policing involves two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The burst size indicates the maximum size of an instantaneous burst of bytes allowed before traffic is capped back to the policing rate. The VPN Concentrator allows for instantaneous bursts of traffic greater than the policing rate up to the burst rate. But should traffic bursts consistently exceed the burst rate, the VPN Concentrator enforces the policing rate threshold.

Configuring Bandwidth Management

To configure bandwidth management, follow these steps:


Step 1   Using this section of the Manager: define one or more bandwidth management policies.

Step 2   On the Configuration | Interfaces | Ethernet 2 screen, Bandwidth Parameters Tab:

    a. Enable bandwidth management on the public (or any other) interface.

    b. Specify the link rate.

    c. Assign a bandwidth policy to the interface to assign a default policy for all users on that interface. If you are further planning to assign a bandwidth reservation policy to a specific group, this default policy must include bandwidth reservation.

Step 3   If you also want to manage bandwidth for a specific group, use the Configuration | User Management | Groups | Bandwidth Policy screen to apply a bandwidth policy to that group.

Step 4   To manage bandwidth for a specific LAN-to-LAN connection, use the Bandwidth Policy parameters on the Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN screen to apply a bandwidth policy to that connection.



Note the following dependencies when assigning bandwidth management policies to an interface and a group combined:

Use Table 15-6 as a guide to these dependencies when you configure this feature.

Table 15-6   Conceptual Overview of Bandwidth Management Configuration

For each goal ("In order to..."), the table lists what to configure: whether to enable Bandwidth Management on the Public Interface, which type of bandwidth management policy to use (Bandwidth Policing, Bandwidth Reservation, Bandwidth Aggregation), and where to apply the policy.

In order to: Allow users and tunnels to consume bandwidth as needed on a first-come first-served basis.
  Enable Bandwidth Management on the Public Interface: -
  Bandwidth Policing: -   Bandwidth Reservation: -   Bandwidth Aggregation: -
  Apply the Bandwidth Management Policy to: -

In order to: Reserve every user on the interface a default minimum amount of the bandwidth of the interface.
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: -   Bandwidth Reservation: Yes   Bandwidth Aggregation: -
  Apply the Bandwidth Management Policy to: Interface

In order to: Reserve every user in a particular group an equal minimum amount of the bandwidth of the interface. (Users not in the group use the bandwidth reservation assigned to the interface.)
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: -   Bandwidth Reservation: Yes   Bandwidth Aggregation: -
  Apply the Bandwidth Management Policy to: Interface and group

In order to: Set aside a fixed amount of bandwidth for the exclusive use of members of a specific group. (Users not in this group cannot access this bandwidth, even if it is unused.)
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: -   Bandwidth Reservation: Yes   Bandwidth Aggregation: Yes
  Apply the Bandwidth Management Policy to: Apply bandwidth reservation to the interface and apply bandwidth aggregation to the group.

In order to: Reserve a set amount of bandwidth for the exclusive use of a LAN-to-LAN tunnel. Ensure that bandwidth is always available for the LAN-to-LAN tunnel. (In other words, ensure that the LAN-to-LAN tunnel can always connect, even if the VPN Concentrator is congested.)
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: -   Bandwidth Reservation: Yes   Bandwidth Aggregation: Yes (Done automatically)
  Apply the Bandwidth Management Policy to: Interface and LAN-to-LAN

In order to: Limit all users on the interface to a set bandwidth threshold.
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: Yes   Bandwidth Reservation: -   Bandwidth Aggregation: -
  Apply the Bandwidth Management Policy to: Interface

In order to: Limit all users in a particular group to a set bandwidth threshold.
  Enable Bandwidth Management on the Public Interface: Yes
  Bandwidth Policing: Yes   Bandwidth Reservation: -   Bandwidth Aggregation: -
  Apply the Bandwidth Management Policy to: Apply either bandwidth reservation or policing to the interface. Apply policing to the group.

Once you know which bandwidth management features you want to apply to which level (interface, group, or LAN-to-LAN), follow the steps in Table 15-7 to configure them.

Table 15-7   Bandwidth Management Configuration Guide

Task: Create a Bandwidth Management Policy
  Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add
  Do this: Name the policy, then apply reservation and/or policing and set the corresponding parameters.

Task: Enable Bandwidth Management on the Public Interface
  Use this screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
  Do this: Check the Bandwidth Management check box. Set the link rate. Apply a bandwidth management policy.

Task: Use Bandwidth Policing
  Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
  Do this: Create a policing policy: Check the Policing check box and enter the policing rate and burst size.

Task: Use Bandwidth Reservation
  Use this screen: Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify
  Do this: Create a reservation policy: Check the Bandwidth Reservation check box and enter the minimum bandwidth.

Task: Use Bandwidth Aggregation
  Use this screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
  Do this: Set Aggregate Bandwidth to a value greater than zero.

Task: Assign Bandwidth Policy(ies) to:
  • Interface
    Use this screen: Configuration | Interfaces | Ethernet 2, Bandwidth tab
    Do this: Choose a policy from the Bandwidth Policy drop-down menu.
  • Group
    Use this screen: Configuration | User Management | Groups | Bandwidth Policy | Interfaces
    Do this: Choose a policy from the Policy drop-down menu.
  • LAN-to-LAN
    Use this screen: Configuration | System | Tunneling Protocols | IPSec LAN-to-LAN | Add or Modify
    Do this: Choose a policy from the Bandwidth Policy drop-down menu.


Figure 15-27   Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify screen


When configuring a bandwidth policy, you must enable (check) either Bandwidth Reservation or Policing. You can enable both policies.

Policy Name

Enter a unique policy name that can help you remember the policy. The maximum length is 32 characters.

Bandwidth Reservation

To reserve a minimum amount of bandwidth for each session, check the Bandwidth Reservation check box.

Minimum Bandwidth

The minimum bandwidth is the amount of bandwidth reserved per user during periods of congestion. Enter a value for the minimum bandwidth and select one of the following units of measurement. The range is between 8000 bps and 100 Mbps. The default is 56000 (bps).

Policing

To enable policing, check the Policing check box.

Policing Rate

Enter a value for Policing Rate and select the unit of measurement. The VPN Concentrator transmits traffic that is moving below the policing rate and drops all traffic that is moving above the policing rate. The range is between 56000 bps and 100 Mbps. The default is 56000 (bps).

Normal Burst Size

The VPN Concentrator drops traffic that is above the normal burst size. The normal burst size is the amount of instantaneous burst that the VPN Concentrator can send at any given time.

To set the burst size, use the following formula: (Policing Rate/8) * 1.5. For example, to limit users to 250 kbps of bandwidth, set the police rate to 250 kbps and set the burst size to 46875, that is: (250000 bps/8) * 1.5.

Enter the Normal Burst Size and select the unit of measurement. The default is 10500 bytes. The minimum is 10500 bytes.
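The burst-size formula and the policing behaviour described under Bandwidth Policing, as an added example that is not code from the VPN 3000 Concentrator. normal_burst_size() applies (Policing Rate/8) * 1.5 and floors the result at the 10500-byte minimum (which is exactly what the default 56000 bps rate yields). TokenBucketPolicer is a standard single-rate token bucket used here as a model of "policing rate plus normal burst size": a full bucket lets an idle link burst up to the burst size at once, after which traffic is limited to the policing rate. The page does not state which algorithm the device uses, so that model is an assumption, and the packet streams are constructed.

```python
"""Burst-size formula and a token-bucket model of bandwidth policing (added example)."""


def normal_burst_size(policing_rate_bps: int, minimum_bytes: int = 10500) -> int:
    """Burst size in bytes for a policing rate in bits per second."""
    burst = int(policing_rate_bps / 8 * 1.5)
    return max(burst, minimum_bytes)


class TokenBucketPolicer:
    def __init__(self, policing_rate_bps: int, burst_bytes: int):
        self.rate = policing_rate_bps / 8.0     # refill, in bytes per second
        self.burst = float(burst_bytes)         # bucket depth = normal burst size
        self.tokens = self.burst                # start full: an idle link may burst
        self.last = 0.0

    def offer(self, size_bytes: int, now: float) -> bool:
        """Return True if the packet is transmitted, False if it is dropped."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def simulate(policing_rate_bps: int, burst_bytes: int, packets) -> tuple:
    """Run (time_seconds, size_bytes) packets through one policer; return (sent, dropped)."""
    policer = TokenBucketPolicer(policing_rate_bps, burst_bytes)
    sent = dropped = 0
    for when, size in packets:
        if policer.offer(size, when):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


if __name__ == "__main__":
    rate = 250_000                                   # 250 kbps, as in the text
    burst = normal_burst_size(rate)                  # 46875 bytes
    # constructed traffic: 32 x 1500-byte packets at once, then one every 100 ms
    instant = [(0.0, 1500)] * 32                     # 48000 bytes > burst size
    steady = [(i * 0.1, 1500) for i in range(100)]   # 120 kbps, below the policing rate
    print(burst, simulate(rate, burst, instant), simulate(rate, burst, steady))
```

In the first stream 31 packets (46500 bytes) fit inside the burst size and the 32nd is dropped; in the second the bucket refills 3125 bytes every 100 ms, more than each packet consumes, so nothing is dropped even though the offered rate is far from constant.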

Add/Cancel

To add this policy to the configuration, click Add. To cancel the action, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | Bandwidth Policies screen, and the Bandwidth Policies list is unchanged.

Configuration | Policy Management | Certificate Group Matching

This section of the Manager allows you to define rules to match a user's certificate to a permission group based on fields in the distinguished name (DN). In releases previous to 3.6, the VPN Concentrator used the OU field from a user's certificate to assign that user to a permission group. For example, if the OU field of a user's certificate were "Sales," the VPN Concentrator assigned that user to the "Sales" permission group. The certificate group matching feature allows you to identify members of a permission group on the basis of other criteria: you can use other fields of the certificate or you can have all certificate users share a permission group.

To match users' permission groups based on other fields of the certificate, you must define rules that specify which fields to match for a group and then enable each rule for that selected group. Rules cannot be longer than 255 characters. A group must already exist in the configuration before you can create a rule for it.

You can assign multiple rules to the same group. When multiple rules are assigned to the same group, a match results for the first rule that tests true.

To match users' permission groups based on multiple fields in the certificate so that all the criteria must match for the user to be assigned to a permission group, create a single rule with multiple matching criteria. To match users' permission groups based on one criterion or another so that successfully matching any of the criteria identifies the member of the group, create multiple rules.

For example, to assign particular permissions to members of the Sales group who are in the division "VPNDIV" and who are located in San Jose, create a single rule and assign it to the group "Sales:"

sales <-- ou="vpndiv",l="san jose"

To assign particular permissions to members of the Sales group who are either in the VPN division or located in San Jose, create two rules and apply both to the group "Sales:"

sales <-- ou="vpndiv"
sales <-- l="san jose"

Once you have defined rules, you must configure a certificate group matching policy to define the method you want to use to identify the permission groups of certificate users: match the group from the rules, match the group from the OU field, or use a default group for all certificate users. You can use any or all of these methods.


Figure 15-28   Configuration | Policy Management | Certificate Group Matching Screen


Rules

Click the Rules link to create certificate group matching rules.

Matching Policy

Click the Matching Policy link to choose a method to identify the permission groups of certificate users.

Configuration | Policy Management | Certificate Group Matching | Rules

This screen lets you:


Figure 15-29    Configuration | Policy Management | Certificate Group Matching | Rules Screen


Add/Modify Rule

To configure and add a new rule, click Add on the Configuration | Policy Management | Certificate Group Matching | Rules screen.

To modify an existing rule, select a rule in the Certificate Matching Rules box and click Modify. When you select a rule, the complete text appears in the box below the Certificate Matching Rules box.

Delete

To delete a configured rule, select the rule from the list in the Certificate Matching Rules box and click Delete. The Manager refreshes the screen and shows the remaining rules in the list.

Move Up

To have the VPN Concentrator check the rule earlier in the order, select the rule and click Move Up.

Move Down

To have the VPN Concentrator check the rule later in the order, select the rule and click Move Down.

Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify

These screens let you:


Figure 15-30    Configuration | Policy Management | Certificate Group Matching | Rules | Add or Modify Screen


Enable

To allow the VPN Concentrator to use the rule you are adding or modifying, click Enable. To disable the rule, clear the Enable field. If the rule is disabled, it is marked with (D) in the Certificate Matching Rules box.

Group

Select the group to assign this rule to from the pull-down menu. You can assign this rule only to groups that are currently defined in the configuration. If the group you want to use is not in the list, you must first go to Configuration | User Management | Groups and define the group.

Distinguished Name Component

Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the rule.

Field Content

Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C. These labels and acronyms conform to X.520 terminology.

Subject

The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Issuer

The CA or other entity (jurisdiction) that issued the certificate.

A distinguished name can contain a selection from the following fields:

Field  Content 

Common Name (CN)

The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

Surname (SN)

The family name or last name of the certificate owner.

Country (C)

The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Locality (L)

The city or town where the organization is located.

State/Province (S/P)

The state or province where the organization is located.

Organization (O)

The name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)

The subgroup within the organization.

Title (T)

The title of the certificate owner, such as Dr.

Name (N)

The name of the certificate owner.

Given Name (GN)

The first name of the certificate owner.

Initials (I)

The first letters of each part of the certificate owner's name.

E-mail Address (EA)

The e-mail address of the person, system or entity that owns the certificate.

Generational Qualifier (GENQ)

A generational qualifier such as Jr, Sr, or III.

DN Qualifier (DNQ)

A specific DN attribute.

Serial Number (SER)

The serial number of the certificate.

Operator

Field Content

Equals (=)

The distinguished name field must exactly match the value.

Not Equals (!=)

The distinguished name field must not match the value.

Contains (*)

The distinguished name field must contain the value within it.

Does Not Contain (!*)

The distinguished name field must not contain the value within it.

Value

The value to be matched against. The VPN Concentrator automatically places text values within double quotes. To enter values manually, follow the rules on the screen. Values are not case-sensitive.

Append

To enter the next part of a rule, click Append. When you click Append, the VPN Concentrator adds on the part you have defined to the rule that appears under Matching Criteria. In this way, you can build a complex rule testing on multiple components. The VPN Concentrator checks the information in the certificate against all parts of the rule. All parts must test true for the rule to match for this group.

Matching Criterion

The matching criterion text box displays the rule. You can create or edit the rule directly in this box. If you create a rule in this way, separate the components with commas. Also, be sure to add double quotes around the value. If the value itself contains double quotes, replace them with two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng".

Add/Cancel

After entering all parts of the rule for this group, click Add to complete the action or Cancel to cancel it.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Rules screen, and the Rules list is unchanged.

Configuration | Policy Management | Certificate Group Matching | Policy

This screen lets you configure a policy for certificate group matching. The VPN Concentrator processes the enabled policies in the order listed until it finds a match.

There are three ways to match a certificate to a group:

By default, the first choice is not checked and the second and third choices are checked.


Figure 15-31    Configuration | Policy Management | Certificate Group Matching | Policy Screen


Match Group from Rules

To use the rules you have defined for certificate group matching, click to select Match Group from Rules.

Obtain Group from OU

To use the organizational unit in the certificate to specify the group to match, click to select Obtain Group from OU. This choice is enabled by default.

Default to Group

To use a default group or the Base Group for certificate users, click to select Default to Group. Then select the group from the drop down box. The group must already exist in the configuration. If the group does not appear in the list, you must define it by using the Configuration | User Management | Groups screen. This choice is enabled for the Base Group by default.
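The rule syntax, operators and policy order of this section, worked through in code as an added example (not code from the VPN 3000 Concentrator). parse_rule() reads the text form shown earlier (group <-- field op "value", ...) including the doubled-quote escape for a value such as "Tech" Eng; rule_matches() applies =, !=, * and !* without case sensitivity and requires every part of a rule to test true, so one rule with several parts is an AND and several rules for the same group give an OR; resolve_group() walks the Policy screen's three methods in order with the first matching rule winning. The rules and certificate subjects are constructed. The example tests the Subject DN only; how Issuer fields are written in rule text, and what != and !* do when the field is absent from the certificate (treated here as matching), are assumptions of this example.

```python
"""Certificate group matching: rule parsing, operators and policy order (added example)."""
import re

_HEAD = re.compile(r'\s*([A-Za-z]+)\s*(!=|!\*|=|\*)\s*"')


def parse_rule(text: str):
    """Return (group, [(field, op, value), ...]) for one rule line."""
    if len(text) > 255:
        raise ValueError("rules cannot be longer than 255 characters")
    group, sep, s = text.partition("<--")
    group, s = group.strip(), s.strip()
    if not sep or not group or not s:
        raise ValueError(f"malformed rule: {text!r}")
    parts, i = [], 0
    while True:
        m = _HEAD.match(s, i)
        if not m:
            raise ValueError(f"bad criterion near: {s[i:]!r}")
        field, op = m.group(1).lower(), m.group(2)
        i, value = m.end(), []
        while True:                              # read a double-quoted value
            if i >= len(s):
                raise ValueError("unterminated quoted value")
            if s[i] == '"':
                if s[i + 1:i + 2] == '"':        # "" inside a value = one literal quote
                    value.append('"'); i += 2; continue
                i += 1; break
            value.append(s[i]); i += 1
        parts.append((field, op, "".join(value)))
        while i < len(s) and s[i].isspace():
            i += 1
        if i == len(s):
            return group, parts
        if s[i] != ",":
            raise ValueError(f"expected ',' near: {s[i:]!r}")
        i += 1                                   # comma: next part of the rule


def criterion_matches(dn: dict, field: str, op: str, value: str) -> bool:
    actual, want = dn.get(field, "").lower(), value.lower()   # not case-sensitive
    return {"=": actual == want, "!=": actual != want,
            "*": want in actual, "!*": want not in actual}[op]


def rule_matches(dn: dict, parts) -> bool:
    """All parts of one rule must test true (AND); separate rules give OR."""
    return all(criterion_matches(dn, f, o, v) for f, o, v in parts)


DEFAULT_POLICY = {"match_group_from_rules": False,   # first choice unchecked by default
                  "obtain_group_from_ou": True,
                  "default_to_group": True}


def resolve_group(subject_dn: dict, rules, policy=None, default_group="Base Group"):
    """Pick the permission group: rules first, then the OU field, then the default.

    rules: [(enabled, rule_text), ...] in Move Up / Move Down priority order.
    """
    policy = policy or DEFAULT_POLICY
    if policy.get("match_group_from_rules"):
        for enabled, text in rules:
            if not enabled:                      # marked (D) in the rules box
                continue
            group, parts = parse_rule(text)
            if rule_matches(subject_dn, parts):
                return group                     # first rule that tests true wins
    if policy.get("obtain_group_from_ou") and subject_dn.get("ou"):
        return subject_dn["ou"]
    if policy.get("default_to_group"):
        return default_group
    return None


# constructed rules and certificate subjects for the example
RULES = [
    (True, 'sales <-- ou="vpndiv",l="san jose"'),   # both parts must match
    (True, 'sales <-- ou="vpndiv"'),                # either of these two rules...
    (True, 'sales <-- l="san jose"'),               # ...also puts a user in sales
    (False, 'admins <-- cn*"admin"'),               # disabled: never consulted
    (True, 'eng <-- ou="""Tech"" Eng"'),            # value is: "Tech" Eng
]
ALL_METHODS = {k: True for k in DEFAULT_POLICY}

if __name__ == "__main__":
    for dn in ({"cn": "alice", "ou": "VPNDIV", "l": "San Jose"},
               {"cn": "bob", "ou": "Marketing", "l": "San Jose"},
               {"cn": "carol", "ou": "Finance", "l": "Austin"},
               {"cn": "vpn admin", "ou": '"Tech" Eng'},
               {"cn": "dave"}):
        print(dn["cn"], "->", resolve_group(dn, RULES, ALL_METHODS))
```

Because the first matching rule decides, rule order (Move Up / Move Down) matters whenever two enabled rules for different groups can both test true for one certificate; a disabled rule is skipped entirely, not treated as a non-match of its group.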

Apply/Cancel

After checking the policies you want to use for certificate group matching, click Apply. Or to cancel, click Cancel.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Policy screen, and the Policy list is unchanged.


Posted: Wed Jul 16 12:48:31 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.