|
The VPN 3002 works in either of two modes: Client mode or Network Extension mode. To view a brief interactive multimedia piece that explains the differences between the two modes, go to this url:
http://www.cisco.com/mm/techsnap/VPN3002_techsnap.html
Your web browser must be equipped with a current version of the Macromedia Flash Player to view the content. If you are unsure whether your browser has the most recent version, you may want to download and install a free copy from:
http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash
Policy management on the VPN 3002 includes deciding whether you want the VPN 3002 to use Client Mode or Network Extension mode. This section lets you enable or disable PAT.
The Configuration | Policy Management screen introduces this section of the Manager.
To enable or disable PAT, click Traffic Management.
To enable and set criteria that must match for the VPN 3002 to verify a certificate from the Concentrator to which it connects, click Certificate Validation.
When you click Traffic Management on the Configuration | Policy Management screen, the Manager displays the Configuration | Policy Management | Traffic Management screen.
To configure PAT (Port Address Translation) click PAT.
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the VPN 3002 private network from those on the corporate network. In PAT mode:
All traffic from the private network appears on the network behind the IKE peer with a single source IP address. This IP address is the one the central-site VPN Concentrator assigns to the VPN 3002. The IP addresses of the computers on the VPN 3002 private network are hidden. You cannot ping or access a device on the VPN 3002 private network from outside of that private network, or directly from a device on the private network at the central site.
In client mode, the tunnel establishes when data passes to the VPN Concentrator, or when you click Connect Now in the Monitoring | System Status screen.
You assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec and PAT are applied to all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator.
Traffic from the VPN 3002 to any destination other than those within the network list for that group on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices connected to the VPN 3002 private interface to the assigned IP address of the public interface and also keeps track of these mappings so that it can forward replies to the correct device.
The network and addresses on the private side of the VPN 3002 are hidden, and cannot be accessed directly.
For the VPN 3002 to use PAT, these are the requirements for the central-site VPN Concentrator.
1. The VPN Concentrator at the central site must be running Software version 3.x or later.
2. Address assignment must be enabled, by whatever method you choose to assign addresses (for example, DHCP, address pools, per user, or client-specified). If the VPN Concentrator uses address pools for address assignment, make sure to configure the address pools your network requires. See Chapter 6, Address Management, in the VPN 3000 Series Concentrator Reference Volume I.
3. Configure a group to which you assign this VPN 3002. This includes assigning a group name and Password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.
4. Configure one or more users for the group, including usernames and passwords.
Network Extension mode allows the VPN 3002 to present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the VPN 3002 private network to networks behind the central-site VPN Concentrator. PAT does not apply. Therefore, devices behind the VPN Concentrator have direct access to devices on the VPN 3002 private network over the tunnel, and only over the tunnel, and vice versa. The VPN 3002 must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
In this mode, the central-site VPN Concentrator does not assign an IP address for tunneled traffic (as it does in Client/PAT mode). The tunnel is terminated with the VPN 3002 private IP address (the assigned IP address). To use Network Extension mode, you must configure an IP address other than the default of 192.168.10.1 and disable PAT.
In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator. However, if you enable interactive hardware client authentication, the tunnel establishes when you perform the following steps.
Step 2 Click Connect Now in the Connection/Login screen.
Step 3 Enter the username and password for the VPN 3002.
Alternatively, you can initiate a tunnel by clicking Connect Now on the in the Monitoring | System Status screen.
You always assign the VPN 3002 to a client group on the central-site VPN Concentrator. If you enable split tunneling for that group, IPSec operates on all traffic that travels through the VPN 3002 to networks within the network list for that group behind the central-site VPN Concentrator. PAT does not apply.
Traffic from the VPN 3002 to any other destination than those within the network list on the central-site VPN Concentrator travels in the clear without applying IPSec. NAT translates the network addresses of the devices on the VPN 3002 private network to the address of the VPN 3002 public interface. Thus the network and addresses on the private side of the VPN 3002 are accessible over the tunnel, but are protected from the Internet, that is, they cannot be accessed directly.
For the VPN 3002 to use Network Extension mode, these are the requirements for the central-site VPN Concentrator.
1. The VPN Concentrator at the central site must be running Software version 3.0 or later.
2. Configure a group to which you assign this VPN 3002. This includes assigning a group name and password. See Chapter 14, User Management, in the VPN 3000 Series Concentrator Reference Volume I.
3. Configure one or more users for the group, including usernames and passwords.
4. Configure either a default gateway or a static route to the VPN 3002 private network. See
Chapter 8, "IP Routing" in the VPN 3000 Series Concentrator Reference Volume I.
5. If you want the VPN 3002 to be able to reach devices on other networks that connect to this VPN Concentrator, review your Network Lists. See Chapter 15, "Policy Management" in the VPN 3000 Series Concentrator Reference Volume I.
6. Enable Network Extension Mode. See the section that follows for details.
A network administrator can now restrict the use of network extension mode. VPN 3002 hardware clients can use network extension mode only if, on the VPN Concentrator, you enable network extension mode on a group basis for VPN 3002 hardware clients.
Note If you disallow network extension mode, which is the default setting on the VPN Concentrator, the VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, be careful that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 will attempt to connect every 4 seconds, and every attempt will be rejected; this is the equivalent of denial of service attack. |
The VPN 3002 always initiates the tunnel to the central-site VPN Concentrator. The central-site VPN Concentrator cannot initiate a tunnel to a VPN 3002. The VPN 3002 creates only one IPSec tunnel to the central-site VPN Concentrator, in either PAT or Network Extension mode. The tunnel can support multiple encrypted data streams between users behind the VPN 3002 and the central site. With split tunneling enabled, it can also support multiple unencrypted data streams to the internet.
In PAT mode, the tunnel establishes when data passes to the VPN Concentrator, or when you click Connect Now in the Monitoring | System Status screen.
In Network Extension mode, the VPN 3002 automatically attempts to establish a tunnel to the VPN Concentrator.
In either Client or Network Extension mode, when you enable interactive hardware client authentication, the tunnel establishes when you perform the following steps.
Step 2 Click Connect Now.
Step 3 Enter the username and password for the VPN 3002.
See the section, "Logging in With Interactive Hardware Client and Individual User Authentication" in Chapter 1 for detailed instructions.
Alternatively, you can click Connect Now on the in the Monitoring | System Status screen, after which the system prompts you to enter the username and password for the VPN 3002. See the section, "Monitoring | System Status" in the Monitoring chapter.
After the tunnel is established between the VPN 3002 and the central-site VPN Concentrator, the VPN Concentrator can initiate data exchange only in Network Extension mode with all traffic travelling through the tunnel. If you want the tunnel to remain up indefinitely, configure the VPN 3002 for Network Extension mode and do not use split tunneling.
Table 11-1 summarizes instances in which the VPN 3002 and the central-site VPN Concentrator can initiate data exchange.
Table 11-1 Data Initiation: VPN 3002 and Central-Site VPN Concentrator
|
When you click PAT in the Configuration | Policy Management | Traffic Management screen, the Configuration | Policy Management | Traffic Management | PAT screen displays.
PAT mode provides many-to-one translation; that is, it translates many private network addresses to the single address configured on the public network interface.
This screen lets you enable or disable PAT, which applies PAT to all configured traffic traveling from the private interface to the public interface.
Check the box to enable Client Mode (PAT), or clear it to enable Network Extension Mode.
Note Remember that to use Network Extension Mode, you must configure an IP address other than the default for the private interface. If you do not change the IP address of the private interface, you can not disable PAT. |
To enable or disable PAT, and include your setting in the active configuration, click Apply. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your entry and leave the active configuration unchanged, click Cancel. The Manager returns to the Configuration | Policy Management | Traffic Management | PAT screen.
When you click Certificate Validation on the Configuration | Policy Management screen, the Manager displays the Configuration | Policy Management | Certificate Validation screen.
To provide additional security, you can set criteria that a certificate from the VPN Concentrator to which the VPN 3002 connects must match. The criteria are based on fields in either the subject or issuer distinguished name (DN). If the criteria do not match, the connection fails.
This feature prevents a user from connecting with a stolen but valid certificate and a hijacked IP address.
Check the box to enable certificate validation based on matching criteria you configure in this screen.
Select the type of distinguished name (Subject or Issuer) and the fields you want to use in the matching criteria.
A distinguished name can contain a selection from the following fields:
The Operators are =, !=, * or !*. This section defines each of the operators, and explains how they are used in a sample Matching Criteria set at CN="IDCert",OU*"Cisco",ISSUER-CN!="Entrust",ISSUER-OU!*"wonderland"
The value to be matched against. The VPN 3002 automatically places text values within double quotes. To enter values manually, follow the rules on the screen. Values are not case-sensitive.
To enter the next part of a rule, click Append. When you click Append, the VPN Concentrator adds on the part you have defined to the rule that appears under Matching Criteria. In this way, you can build a complex rule testing on multiple components. The VPN Concentrator checks the information in the certificate against all parts of the rule. All parts must test true for the rule to match for this group.
The matching criteria text box displays the rule. You can create or edit the rule directly in this box. If you create a rule in this way, separate the components with commas. Also, be sure to add double quotes around the value. If the value itself contains double quotes, replace them with two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng".
After entering all parts of the rule for this group, click Apply to complete or Cancel to cancel it.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Policy Management | Certificate Group Matching | Rules screen, and the Rules list is unchanged.
Posted: Fri Jan 30 05:18:14 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.