Post on 11-May-2018
© 2012 Cisco and/or its affiliates. All rights reserved. BRKCRT-8163 Cisco Public
CCNP Security: Securing Networks with
ASA VPNs BRKCRT-8163
Rob Settle, CCIE #23633 (Security, Routing & Switching)
Life as a security admin…
✗ Firewalls
✗ IPS
✗ Web Proxy
✗ Mail Relays
✗ 802.1x User
Rejoice… VPNs are enablers!
✗ Firewalls
✗ IPS
✗ Web Proxy
✗ Mail Relays
✗ 802.1x
✓ Site-to-Site VPN
✓ Remote Access VPN User
Agenda
Overview of CCNP Security VPN v2.0 Exam
VPN v2.0 Topics
‒ ASA VPN Architecture and Fundamentals
‒ VPN Fundamentals
‒ IPSec Site to Site
‒ IPSec Remote Access
‒ AnyConnect VPN
‒ Clientless SSL VPN
‒ High Availability
Q&A
Disclaimer / Warning
This session will strictly adhere to Cisco's rules of confidentiality
We may not be able to address specific questions
If you have taken the exam please refrain from asking questions from the
exam—this is a protection from disqualification
We will be available after the session to direct you to resources to assist
with specific questions or to provide clarification
CCNP Security Requirements
All four CCNP Security exams required
Some legacy CCSP exams qualify for CCNP Security credit. See FAQ:
https://learningnetwork.cisco.com/docs/DOC-10424
Exams
‒ SECURE v1.0 – 642-637
‒ IPS v7.0 – 642-617
‒ FIREWALL v2.0 – 642-618
‒ VPN v2.0 – 642-648
642-648 VPN v2.0 Exam
Approximately 90 minute exam
60-70 questions
Register with Pearson Vue
‒ http://www.vue.com/cisco
Exam cost is $200.00 US
Preparing for the VPN v2.0 Exam
Recommended reading
‒ CCNP Security VPN 642-647 Official Cert Guide
‒ CCNP Security VPN 642-648 Official Cert Guide (July 2012)
‒ Cisco ASA 8.4 Configuration Guide
Recommended training via Cisco Learning Partners
‒ Deploying Cisco ASA VPN Solutions
Cisco learning network
www.cisco.com/go/learnnetspace
Practical experience
‒ Real equipment
‒ ASDM in demo mode
Session Notes
Session and exam are based on ASA 8.4 and ASDM 6.4
This session covers most topics but cannot cover each topic in depth
Proper study and preparation is essential
ASA Architecture
ASA VPN Overview
ASA Design Considerations
AAA and PKI Refreshers
VPN Configuration Basics
Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are a way to establish private connections over another network
VPN Capabilities
‒ Confidentiality: Prevent others from reading data traffic
‒ Integrity: Ensure data traffic has not been modified
‒ Authentication: Prove identity of remote peer and packets
‒ Anti-replay: Prevent replay of encrypted traffic
[Diagram: site-to-site VPN, LAN A and LAN B connected across the Internet through two Cisco ASAs]
ASA Virtual Private Network Options
VPN
‒ Site-to-Site VPN
  IPSec IKEv1
  IPSec IKEv2
‒ Remote Access VPN
  Clientless SSL VPN: web browser
  Client based, SSL VPN: AnyConnect
  Client based, IPSec IKEv1: Cisco VPN Client
  Client based, IPSec IKEv2: AnyConnect
ASA Virtual Private Networks (VPNs)
Site-to-Site VPN
‒ Connects two separate networks using two VPN gateway devices such as an
ASA
‒ Utilizes IPsec
Remote Access VPN
‒ Connects single user to a remote network via gateway such as an ASA
‒ Utilizes IPsec or Secure Sockets Layer (SSL)
[Diagram: site-to-site VPN, LAN A and LAN B connected across the Internet through two Cisco ASAs]
Remote Access VPN
Client-based VPN
‒ Remote access using an installed VPN client like AnyConnect
‒ Permits "full tunnel" access
Clientless VPN
‒ Remote access through a web browser that leverages the browser's SSL
encryption for protection
‒ Permits limited access but no footprint required
[Diagram: remote access VPN, Clientless WebVPN and AnyConnect Client users reaching the LAN across the Internet through a Cisco ASA]
Choosing Remote Access VPN Method
IPsec VPN
‒ Traditional IPsec access
‒ Cisco VPN Client
AnyConnect VPN
‒ Recommended next generation remote access – Windows 7 supported
‒ SSL VPN or IPSec
‒ Hostscan and other advanced features
Clientless SSL VPN (WebVPN)
‒ Recommended for thin, flexible access from any computer – no software required
‒ Permits network access via HTTP/S, plug-ins, and port forwarding
‒ Cisco Secure Desktop
Choosing an ASA for Site-to-Site VPN
Model considerations
‒ VPN throughput
‒ Number of VPN peers
No licenses required for IPSec
‒ ASA 5505 Security Plus license increases session max
‒ 3DES/AES license

Model       VPN Throughput (Mbps)   VPN Sessions
ASA 5505    100                     10/25
ASA 5510    170                     250
ASA 5520    225                     750
ASA 5540    325                     5,000
ASA 5550    425                     5,000
ASA 5585-X  Up to 5,000             Up to 10,000

Model       VPN Throughput (Mbps)   VPN Sessions
ASA 5512-X  200                     250
ASA 5515-X  250                     250
ASA 5525-X  300                     750
ASA 5545-X  400                     2500
ASA 5555-X  700                     5000
Choosing an ASA for Remote Access VPN
Model considerations
‒ VPN throughput
‒ Number of Remote Access User Sessions (combined)
Model       VPN Throughput (Mbps)   IPsec VPN Sessions   SSL VPN Sessions
ASA 5505    100                     25                   25
ASA 5510    170                     250                  250
ASA 5520    225                     750                  750
ASA 5540    325                     5,000                2,500
ASA 5550    425                     5,000                5,000
ASA 5585-X  Up to 5,000             Up to 10,000         Up to 10,000

Model       VPN Throughput (Mbps)   IPsec VPN Sessions   SSL VPN Sessions
ASA 5512-X  200                     250                  250
ASA 5515-X  250                     250                  250
ASA 5525-X  300                     750                  750
ASA 5545-X  400                     2,500                2,500
ASA 5555-X  700                     5,000                5,000
Remote Access VPN Licensing
Three RA approaches
Other VPN – IPSec IKEv1
AnyConnect Essentials
‒ AnyConnect client provides full tunnel connectivity
‒ Windows, Mac, Linux, iOS, and Android
AnyConnect Premium
‒ Adds Clientless (Web VPN) and Hostscan features
‒ Adds additional AnyConnect client features
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html
Remote Access Licensing

Approach                        License
Other VPN - Basic IPSec IKEv1   No License Required
AnyConnect Essentials           Platform License
  OR
AnyConnect Premium              Per User License
Premium Shared                  Flex
AnyConnect Mobile               Platform License
Advanced Endpoint Assessment    Platform License
ASA License Keys
Two types – Permanent and Time-Based
One Permanent license
Time-Based licenses can be stacked
Some licensed features use higher value but some combine
Understand the rules:
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html
VPN Configuration Components
[Diagram: VPN configuration components: user database, group policies, connection profiles, and the IPSec, SSL VPN and Web VPN services]
VPN Group Policy
Internal (ASA) or External (RADIUS)
Sample of various settings:
‒ WINS, DNS, DHCP, web proxy settings
‒ VPN access hours, idle timeout, network filter, permitted VPN protocols
‒ Split tunneling
Default Group Policy is called DfltGrpPolicy. Can be modified but NOT
deleted.
Settings are inherited:
‒ User ==> Connection Profile's Group Policy ==> Default Group Policy
External Group Policy
Stored on a RADIUS server as a special user account
RADIUS user includes Vendor-Specific Attributes (VSAs) for Group Policy
settings
Group Policy configuration includes the RADIUS username and password
VPN Group Policy (ASDM screenshot)
VPN Connection Profile
Formerly called Tunnel Group. Command line still uses tunnel-group
terminology.
Core VPN Service Attributes
‒ VPN Type (IPsec Site-to-Site, IPsec Remote Access, SSL VPN, Clientless)
‒ Authentication, authorization, and accounting servers
‒ Default group policy
‒ Client address assignment method
‒ VPN type specific attributes for IPsec and SSL VPN
VPN Connection Profile
Default Connection Profiles. They can be modified but NOT deleted.
‒ DefaultRAGroup – Remote Access connections
‒ DefaultWEBVPNGroup – Clientless SSL VPN connections
‒ DefaultL2LGroup – IPsec site-to-site connections
Settings are inherited
[Diagram: CustomTunnelGroup inherits settings from DefaultRAGroup]
VPN Connection Profile (ASDM screenshot)
VPN Configuration Methods
Command line
ASDM with Connection Profiles and Group Policies
ASDM VPN Wizard
AAA Refresher
Authentication, Authorization, and Accounting (AAA)
‒ Authentication: Proving the identity of the user
‒ Authorization: Granting permissions to the user
‒ Accounting: Logging the actions of the user
AAA servers are used to perform one or more of the AAA functions
‒ Supported AAA servers include RADIUS, TACACS+, RSA/SDI, NT, Kerberos,
LDAP, HTTP Forms, and LOCAL database
‒ Server example – Cisco ACS for RADIUS or TACACS+
Public Key Infrastructure (PKI) Refresher
Pre-Shared Key (PSK) deployments do not scale (symmetric keys)
PKI scales better with improved security and management
Uses Digital Certificates and public key cryptography
Asymmetric Cryptography
‒ Encryption with the public key is decrypted with the private
‒ Encryption with the private key is decrypted with the public
[Diagram: "Hello World" encrypted with the private key into ciphertext, then decrypted with the public key back to "Hello World"]
Public Key Infrastructure (PKI) Refresher
Each device has a public key, private key, and certificate signed by the
Certificate Authority
Certificates are issued:
‒ Manually
‒ Certificate Signing Requests (CSR)
‒ Simple Certificate Enrollment Protocol (SCEP)
[Diagram: Certificate Signing Request (CSR) flow, steps 1 to 5: the user generates a private/public key pair, sends a CSR to the CA server, the CA signs the certificate with the CA private key, and the user receives a certificate (DN=joe.user) containing the user's public key]
PKI Refresher
Validation steps
‒ Check validity of the certificate based on date/time and certificate attributes
‒ Check the certificate using the stored Certificate Authority certificate
‒ Ensure certificate has not been revoked (optional)
  Check the Certificate Revocation List (CRL)
  Online Certificate Status Protocol (OCSP)
PKI Refresher
Enrollment options
‒ Manually enroll ASA and endpoints by creating certificates and loading them
‒ ASA can also utilize SCEP to enroll directly with the CA
‒ VPN Clients can enroll online with the ASA using Simple Certificate Enrollment Protocol (SCEP) proxy
ASA Configuration Guide -- Certificates
‒ http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html
IPsec Connection Overview
1. Interesting Traffic
2. Phase 1 (ISAKMP)
3. Phase 1.5 (ISAKMP, remote access)
4. Phase 2 (IPSec)
5. Data Transfer
6. IPSec Tunnel Termination
[Diagram: Host A at the Branch Site and Host B at the Central Office communicating through Cisco Security Appliance A and Cisco Security Appliance B]
IPsec Connection Overview
1. Match Interesting Traffic
‒ Access Control List (ACL) defines matching source/destination addresses to
protect
‒ Both sides have mirrored ACLs
‒ Internet Key Exchange (IKE) kicks off when a packet matches the ACL
[Diagram: ASA 1 and ASA 2, each with a crypto ACL]
IPsec Connection Overview
2. Phase 1 – ISAKMP
‒ Main Mode or Aggressive Mode exchange
‒ ISAKMP policies matched
‒ Diffie-Hellman exchange – Creates shared key
‒ Identities exchanged and authenticated
‒ ISAKMP Security Association (SA) created (bi-directional)
‒ Negotiate Phase 2 parameters
[Diagram: ASA 1 and ASA 2 with crypto ACLs; IKE exchange over UDP 500]
IPsec Connection Overview
3. Phase 1.5 – Xauth and mode config
‒ Additional user authentication
‒ Client configuration – IP Address, DNS Server, etc.
[Diagram: ASA 1 and ASA 2 with crypto ACLs; IKE exchange over UDP 500]
IPsec Connection Overview
4. Phase 2 – IPSec Security Associations (SA)
‒ SA is a unidirectional data channel
‒ Negotiated encryption and hashing
‒ Re-keyed after time or byte limit
5. Data transfer over IPSec SAs
[Diagram: ASA 1 and ASA 2 with crypto ACLs; IKE over UDP 500; IPSec SAs carrying the tunneled traffic using ESP or AH]
IPsec Connection Overview
6. Tunnel termination
‒ Lack of interesting traffic
‒ Peer quits responding
‒ Admin termination
‒ Re-keyed after time or byte limit
[Diagram: the IKE and IPSec SAs between ASA 1 and ASA 2 are torn down]
IKEv1 Details
Main Mode
‒ Three 2-way exchanges (6 messages) for:
ISAKMP policy
Diffie-Hellman exchange
Verifying the IPSec peer's identity
‒ Protects identities by exchanging them in secure tunnel
[Diagram: Main Mode exchanges: Negotiate ISAKMP Policy, Diffie-Hellman Exchange, Identity and Authentication]
IKEv1 Details
Aggressive Mode
‒ Performs the 3 exchanges in a single exchange
‒ Faster than Main Mode due to fewer messages (3 total)
‒ Exposes identities
‒ 3 total exchanges
‒ Required in some cases! Dynamic peers with Pre-Shared Key (Easy VPN)
[Diagram: Aggressive Mode exchanges: ISAKMP Policy, DH Exchange, Identity and Auth]
IKEv2
Internet Key Exchange version 2 – RFC 4306
Introduced in ASA 8.4 and AnyConnect 3.0
Benefits
‒ Denial of Service prevention using cookies
‒ Fewer negotiation messages
‒ Built-in Dead Peer Detection
‒ Built-in Configuration Payload and User Authentication (using EAP)
‒ Allows unidirectional authentication
‒ Built-in NAT Traversal
‒ Better rekeying and collision handling
IPSec Details
Phase 2 – Quick Mode
‒ Exchange protected by Phase 1 IKE Security Association (SA)
‒ Negotiates IPSec SA parameters
‒ Creates IPSec SAs
‒ Periodically renegotiates the IPSec SAs
‒ (optional) Performs Diffie-Hellman exchange for Perfect Forward Secrecy (PFS)
[Diagram: site-to-site VPN, LAN A and LAN B connected across the Internet through two Cisco ASAs]
Phase 1 Configuration – Diffie-Hellman
Group        Key Length          Purpose
1            768-bit             Considered weak and no longer recommended.
2 (default)  1024-bit            Minimum strength required by VPN client.
5            1536-bit            Used to support larger key sizes of AES.
7            163-bit Elliptical  Weak algorithm meant for mobile devices. Deprecated.
SSL and TLS
TLS is the evolution of SSL (developed by Netscape Communications)
Server and client (optional) are authenticated via X.509 certificates
Cryptographic algorithms and shared secrets are negotiated
SSL VPNs use TLS encryption to protect tunneled IP traffic
Standard browsers and AnyConnect use TLS for SSL VPNs
[Diagram: remote access VPN user reaching the LAN across the Internet through a Cisco ASA]
VPN Ports and Protocols
Protocol                               Port / IP Protocol   Purpose
Internet Key Exchange (IKE / ISAKMP)   UDP 500              IPSec Phase 1 key negotiation
Encapsulating Security Payload (ESP)   IP Protocol 50       IPSec Phase 2 encrypted payload
Authentication Header (AH)             IP Protocol 51       IPSec Phase 2 authenticated payload
NAT Traversal (NAT-T)                  UDP 4500             Phase 1 and 2 UDP encapsulation when NAT is present
IPSec over TCP / IPSec over UDP        TCP and UDP 10000    Used to bypass 3rd party network issues with IKE, ESP, and AH by encapsulating IPSec in UDP or TCP packets
SSL VPN                                TCP and UDP 443      Secure Sockets Layer (SSL) and Transport Layer Security (TLS) VPNs. DTLS uses UDP.
Debugging Basics
Enable logging
Issue relevant debug commands
Utilize ASDM Log Viewer, CLI, or syslog
ASDM Real-Time Log Viewer (ASDM screenshot)
ASDM VPN Monitoring (ASDM screenshot)
Debugging VPN Connections
Debugging commands
‒ debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
‒ debug crypto ipsec (Phase 2 debugs)
‒ debug [ webvpn | aaa | radius | dap ]
Common IPSec VPN problems
‒ http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
IPSec debug guide
‒ http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
IPSec Site-to-Site VPNs
Site to Site VPN overview
Site to Site VPN configuration
Site to Site debugging
Site to Site VPNs
Site-to-site VPNs are used to connect two sites together
They are often used to connect branch offices to the main office
Used instead of private WAN connections
[Diagram: site-to-site VPN, LAN A and LAN B connected across the Internet through two Cisco ASAs]
Site-to-Site IPsec Connection Creation
Key configuration choices:
‒ Peer IP Address
‒ Authentication type (Pre-Shared Key or certificate)
‒ IKE Policy (Phase 1)
‒ IPsec Policy (Phase 2)
‒ Interesting traffic ACL – Local and Remote networks
IPSec Wizard Configuration (ASDM screenshot)
Site-to-Site IPsec Configuration
1. Enable IKEv1 or IKEv2 on interface
2. Allow IPSec traffic into ASA (sysopt command or outside ACL)
3. Create Connection Profile
‒ Specify parameters such as peer address, protected networks, IKE parameters,
and IPSec parameters
IPSec Manual Configuration (ASDM screenshot: Group Policy, IPSec Config, Connection Profile)
Site-to-Site IPsec IKEv2
ASA supports fallback to IKEv1 for easy migration
Similar to a standard IPSec IKEv1 configuration
‒ Enable IKEv2 on the interface
‒ Configure and use IKEv2 Policies
‒ Configure and use IKEv2 Tunnel Group settings
Debugging Site-to-Site Connections
Ensure Phase 1 (ISAKMP) Policies match
Ensure Phase 2 (IPSec) Transforms match
Ensure crypto Access Control Lists match
Ensure Pre-Shared Keys Match or Certificates are valid
‒ Ensure clocks are synchronized if using certificates
Ensure IPSec traffic can reach the ASA (sysopt command or ACL)
Debugging commands
‒ debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
‒ debug crypto ipsec (Phase 2 debugs)
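The site-to-site steps above (enable IKE, allow IPsec in, connection profile with matching Phase 1 and Phase 2 parameters, mirrored crypto ACL) as one Site A configuration for ASA 8.4, written here as an added example and not taken from the session. Interface names, LAN A 10.1.1.0/24, LAN B 10.2.2.0/24 and the peer address 203.0.113.2 are constructed values; the pre-shared key is a placeholder.

```cisco
! Added example, not from the original session. Site A of a site-to-site IPsec
! tunnel on ASA 8.4. Constructed values: inside/outside interface names,
! LAN A 10.1.1.0/24, LAN B 10.2.2.0/24, peer 203.0.113.2.

! 1. Enable IKE on the outside interface. Both versions are enabled so the
!    peer can move to IKEv2 while IKEv1 stays available as fallback.
crypto ikev1 enable outside
crypto ikev2 enable outside

! 2. Allow IPsec traffic into the ASA. sysopt lets decrypted VPN traffic
!    bypass the interface ACL; without it, the outside ACL must permit
!    IKE (UDP 500), NAT-T (UDP 4500) and ESP from the peer, e.g.
!    access-list OUTSIDE-IN extended permit udp host 203.0.113.2 any eq isakmp
!    access-list OUTSIDE-IN extended permit udp host 203.0.113.2 any eq 4500
!    access-list OUTSIDE-IN extended permit esp host 203.0.113.2 any
sysopt connection permit-vpn

! 3a. Phase 1 policies. Every value here must match the peer's policy,
!     otherwise debug crypto ikev1/ikev2 shows the negotiation failing.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

! 3b. Interesting traffic. Site B needs the mirror image (LAN-B -> LAN-A).
!     The NAT exemption keeps real addresses so the crypto ACL matches.
object network LAN-A
 subnet 10.1.1.0 255.255.255.0
object network LAN-B
 subnet 10.2.2.0 255.255.255.0
access-list CRYPTO-SITEB extended permit ip object LAN-A object LAN-B
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup

! 3c. Phase 2 transforms/proposals and the crypto map binding them to the
!     peer, the crypto ACL and PFS (extra DH exchange in Quick Mode).
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map OUTSIDE-MAP 10 match address CRYPTO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside

! 3d. Connection profile (tunnel-group) named after the peer address,
!     carrying the pre-shared keys for both IKE versions.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-PSK>
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-PSK>

! Verification and debugging checklist from the slide above:
!   show crypto ikev1 sa      Phase 1 SA present and MM_ACTIVE
!   show crypto ipsec sa      Phase 2 SAs; encaps/decaps counters increase
!   debug crypto ikev1 127    Phase 1 failures: policy or PSK mismatch
!   debug crypto ipsec 127    Phase 2 failures: transform or crypto ACL mismatch
```

Run the same configuration on Site B with the peer address, LAN objects and crypto ACL swapped; a one-sided change to any Phase 1 or Phase 2 value is the most common reason the tunnel never comes up.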
IPSec Remote Access VPN
Easy VPN Basics
Easy VPN Certificate Authentication example
Deploying Easy VPN Hardware Clients
Easy VPN Debugging
Easy VPN Remote Access VPN
Traditional IPsec VPN utilizing client software on the endpoint
Minimal client configuration for simplified deployment
Also works with hardware clients such as an ASA or Cisco router
Traffic can be tunneled over UDP or TCP for easier firewall and NAT traversal
Numerous authentication options. PSK, username/password, certificates, and combinations.
[Diagram: remote access VPN, Clientless WebVPN and AnyConnect Client users reaching the LAN across the Internet through a Cisco ASA]
IPSec Remote Access Configuration
1. Enable IKEv1 or IKEv2 on interface
2. Allow IPSec traffic into ASA (sysopt command or outside ACL)
3. Create Connection Profile with IPSec enabled
‒ Configure group authentication
‒ Configure user authentication
‒ Configure IPSec parameters
4. Customize group policy or create a custom group policy
‒ Configure user network settings
5. Configure Cisco VPN Client or Cisco AnyConnect
Certificate Authentication for Easy VPN
Full EZVPN certificate configuration example:
‒ http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
Deploying an Easy VPN Hardware Client
Utilizes hardware such as Cisco ASA or Cisco ISR in two modes:
‒ Client mode performs Port Address Translation (PAT) for hosts behind client
‒ Network Extension Mode (NEM) connects the client network to the head-end
[Diagram: Easy VPN hardware clients (Cisco ASA and Cisco ISR) at Branch A, Branch B and the sites of Teleworker A and Teleworker B connecting across the Internet to the head-end Cisco ASA in front of the LAN]
Easy VPN Hardware Authentication
Authentication options for Phase 1.5 Xauth:
‒ Default authentication: Interactive CLI authentication
‒ No authentication (beyond group authentication during Phase 1)
‒ Secure Unit Authentication (SUA): Single user behind Client authenticates once
‒ Individual User Authentication (IUA): Each user behind Client must authenticate
HTTP redirection intercepts web traffic to permit interactive SUA or IUA
authentication
Deploying an Easy VPN Server
Uses a Dynamic Crypto Map
‒ Only IPSec Transform set defined
‒ Peers are unknown due to Remote Access clients with dynamic addresses
Easy VPN attributes are stored in the Group Policy and User attributes
Sample Group Policy settings
‒ Enable/disable NEM: nem
‒ Secure Unit Authentication: secure-unit-authentication
‒ Split Tunnel ACL: split-tunnel-network-list
‒ Split Tunnel Policy: split-tunnel-policy [ excludespecified | tunnelall |
tunnelspecified ]
‒ VPN Filter: vpn-filter
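The Easy VPN server side described above (dynamic crypto map with only a transform set, group policy carrying nem, secure-unit-authentication, split tunnel and vpn-filter settings, connection profile with group and user authentication) as one ASA 8.4 configuration, written here as an added example and not taken from the session. Inside network 10.1.1.0/24, pool 10.99.0.0/24, RADIUS server 10.1.1.10 and the names EZVPN-HW, EZVPN-GP, RADIUS-SRV are constructed; keys are placeholders.

```cisco
! Added example, not from the original session. Easy VPN server on ASA 8.4
! for hardware clients. Constructed values: inside network 10.1.1.0/24,
! client pool 10.99.0.0/24, RADIUS server 10.1.1.10, names EZVPN-*.

crypto ikev1 enable outside
sysopt connection permit-vpn

! Phase 1: group 2 is the minimum the VPN client requires (see DH table)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic crypto map: only the transform set is defined, because the
! remote clients' addresses are unknown. Highest sequence number so static
! site-to-site entries in the same map are evaluated first.
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! User (Xauth, Phase 1.5) authentication server
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.10
 key <REPLACE-WITH-RADIUS-KEY>

! Split tunnel list: only the corporate network is sent through the tunnel
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
! VPN filter: written with the remote (client) side as source; here clients
! may only reach the inside network on HTTPS
access-list RA-FILTER extended permit tcp any 10.1.1.0 255.255.255.0 eq 443

! Pool used by clients in Client mode (PAT); NEM clients route their own LAN
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Group policy carrying the Easy VPN attributes listed on the slide
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 dns-server value 10.1.1.53
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value RA-FILTER
 nem enable
 secure-unit-authentication enable

! Connection profile: group authentication by PSK in Phase 1, then the
! single user behind the hardware client authenticates once (SUA)
tunnel-group EZVPN-HW type remote-access
tunnel-group EZVPN-HW general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy EZVPN-GP
tunnel-group EZVPN-HW ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-GROUP-PSK>

! Verification and debugging:
!   show vpn-sessiondb summary   active remote access sessions
!   show vpn-sessiondb detail    group policy / tunnel group each session mapped to
!   debug crypto ikev1 127       Phase 1 and Xauth
!   debug aaa / debug radius     RADIUS reachability and user authentication
```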
AnyConnect IKEv2 Remote Access
IKEv2 permits use of AnyConnect instead of Cisco VPN Client
Uses WebVPN attributes (not IPSec attributes) in Connection Profile
Allows Client Services features which run over SSL
‒ If services are disabled, provides basic IPSec IKEv2 tunnel
‒ Services: AnyConnect update, AnyConnect profile update, Hostscan, etc.
IPSec Certificate Authentication
Utilizes certificate for authentication instead of PSK
Certificates can be revoked to disable a client if stolen/compromised
Can be enabled with AAA to provide 2-factor authentication
IPSec Certificate Authentication Configuration
Configure a trustpoint (CA certificate) and ASA certificate
Configure Certificate for IKE Authentication in the Connection Profile
Configure clients to use a Client Certificate instead of PSK
Debugging Remote Access Connections
Ensure Phase 1 (IKE / ISAKMP) policies match
Ensure Phase 2 (IPSec) Transforms match
Ensure address pools are valid and not exhausted
Ensure Pre-Shared Keys Match or Certificates are valid
‒ Ensure clocks are synchronized if using certificates
Ensure AAA servers are reachable and functional
Utilize ASDM Monitoring VPN functionality
Ensure connections are mapping to correct group policy and connection profile
Debugging commands
‒ debug crypto [ ikev1 | ikev2] (Phase 1 and 1.5 debugs)
‒ debug crypto ipsec (Phase 2 debugs)
‒ debug aaa
‒ debug radius
AnyConnect SSL VPN
AnyConnect Overview
AnyConnect Configuration
AnyConnect Profiles
AnyConnect Advanced Deployment
AnyConnect Secure Mobility Client
Understanding the components
Complete client solution for secure connectivity
‒ VPN, 3G/4G, WiFi hotspot, trusted WiFi, 802.1x, MACSEC
Components
‒ IPSec IKEv2 VPN
‒ SSL VPN
‒ Posture Assessment (HostScan)
‒ Web Security (ScanSafe)
‒ Telemetry (Ironport integration)
‒ Network Access Manager (Wireless, 802.1x, MACSEC)
AnyConnect Remote Access Overview
Provides full tunnel access similar to IPsec remote access
AnyConnect Profiles allow client settings pushed from head-end
Provides extra security with Cisco Secure Desktop functionality
Requires the use of AnyConnect client
Client can be pre-loaded or downloaded from the ASA using WebVPN
AnyConnect Remote Access Overview
SSL VPN Protocol
Actual protocol is Transport Layer Security (TLS v1.0) or Datagram Transport Layer Security (DTLS)
TLS uses TCP 443, DTLS uses UDP 443
DTLS functions over UDP to provide better performance for real-time applications (voice) that are sensitive to packet delays and jitter
‒ Uses TLS first to negotiate and establish DTLS connections
‒ Uses DTLS to transmit datagrams
AnyConnect Configuration
Key design and configuration choices:
‒ Client deployment: pre-deploy and/or web deployment
‒ VPN Protocol: TLS or IPSec IKEv2
‒ Authentication type: password, one-time-password, certificate, or two methods
‒ Split tunneling policy
‒ Cisco Secure Desktop requirements
‒ AnyConnect Profile options
AnyConnect Profiles
Profiles are XML files stored on the ASA flash and pushed to clients
Profile settings configure the client to simplify user interaction
Profiles are edited via ASDM
Load uploaded profiles for users with Group Policies
Sample profile settings
‒ ASA VPN hostname or IP address
‒ VPN Server Selection
‒ Backup Server list
‒ Certificate selection
‒ Enable Start Before Logon for Windows users
‒ Auto Reconnect
‒ Auto Update
‒ Trusted Network Detection
AnyConnect Profile Configuration (ASDM screenshot)
AnyConnect Certificate Authentication
Certificate authentication can enable simplified authentication, 2-factor
authentication, and on-demand VPN (mobile)
Configuration
1. Select ASA Device Certificate from Connection Profile screen
AnyConnect Certificate Authentication
2. Enable Certificate or Both authentication methods in Connection Profile
3. Configure clients with valid certificates or enable SCEP Proxy
AnyConnect Double Authentication
Allows the use of two AAA servers
1. Configure first AAA server as normal
2. Configure Secondary Authentication Server Group
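The AnyConnect design choices, certificate ("Both") authentication and double authentication described above as one ASA 8.4 configuration, written here as an added example and not taken from the session. It assumes a trustpoint ASA-ID-CERT already enrolled, an AnyConnect package and profile already uploaded to flash (file names are placeholders), and constructed pool, ACL and AAA server group names (RADIUS-SRV, OTP-SRV).

```cisco
! Added example, not from the original session. AnyConnect SSL VPN on ASA 8.4
! with certificate + AAA authentication and a secondary (one-time password)
! server group. Assumed: trustpoint ASA-ID-CERT is already enrolled; the
! AnyConnect image and profile are already on disk0: (placeholder names).

! Identity certificate clients see on the outside interface, and the
! cipher suites offered for the TLS session
ssl trust-point ASA-ID-CERT outside
ssl encryption aes256-sha1 aes128-sha1

! First AAA server (password) and the second factor (one-time password)
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.10
 key <REPLACE-WITH-RADIUS-KEY>
aaa-server OTP-SRV protocol radius
aaa-server OTP-SRV (inside) host 10.1.1.11
 key <REPLACE-WITH-OTP-KEY>

ip local pool AC-POOL 10.98.0.1-10.98.0.254 mask 255.255.255.0
access-list AC-SPLIT standard permit 10.1.1.0 255.255.255.0

! Web deployment: clients that are not pre-deployed download the package
! from the ASA. TLS on TCP 443, DTLS on UDP 443 (see ports table).
webvpn
 enable outside
 dtls port 443
 anyconnect image disk0:/anyconnect-win-<VERSION>-k9.pkg 1
 anyconnect profiles AC-PROFILE disk0:/ac-profile.xml
 anyconnect enable
 tunnel-group-list enable

! Group policy: SSL client only, split tunnel, profile pushed to the user
group-policy AC-GP internal
group-policy AC-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC-SPLIT
 webvpn
  anyconnect profiles value AC-PROFILE type user
  anyconnect keep-installer installed

! Connection profile: "authentication aaa certificate" = Both; the client
! must present a valid certificate AND pass both AAA server groups
tunnel-group AC-EMPLOYEES type remote-access
tunnel-group AC-EMPLOYEES general-attributes
 address-pool AC-POOL
 authentication-server-group RADIUS-SRV
 secondary-authentication-server-group OTP-SRV
 default-group-policy AC-GP
tunnel-group AC-EMPLOYEES webvpn-attributes
 authentication aaa certificate
 group-alias Employees enable

! Verification and debugging:
!   show vpn-sessiondb anyconnect   session, group policy and tunnel group
!   show webvpn anyconnect          installed client images
!   debug webvpn anyconnect 255     client negotiation and profile download
!   debug aaa / debug radius        primary and secondary authentication
```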
Simple Certificate Enrollment Protocol (SCEP)
SCEP Proxy allows clients to self provision certificates
The ASA proxies requests from clients to CA
[Diagram: the AnyConnect Client authenticates to the Cisco ASA across the Internet, sends a SCEP request, the ASA proxies it to the CA Server on the LAN, and the issued certificate is returned through the ASA to the client]
Cisco Secure Desktop
Advanced endpoint analysis, security, and remediation
Downloaded and executed when AnyConnect or Clientless session is initiated
Works on Windows, Mac, and Linux (varying capabilities)
Results of host analysis can be used with Dynamic Access Policies
Capabilities
‒ Host scan – Checks for OS, patch levels, registry entries, processes, and files
‒ Endpoint assessment – Checks and remediates Anti-Virus, Anti-Spyware, and Personal Firewall
‒ Vault – Secure desktop session
‒ Cache cleaner – Securely delete web browsing data remnants
‒ Keystroke logger detection
‒ Onscreen keyboard – Mitigate keystroke logger threat
Cisco Secure Desktop Setup
CSD ASDM installation
1. On CSD Setup page, upload CSD image
2. Click 'Enable Secure Desktop'
Enable features needed like pre-login policy, onscreen keyboard, etc.
Pre-login Policy Decision Tree (ASDM screenshot)
Onscreen Keyboard Configuration (ASDM screenshot)
Keystroke Logger Configuration (ASDM screenshot)
Dynamic Access Policies (DAP)
Create powerful rules that enable dynamic access
DAP selection criteria are combined with logical expressions
‒ AAA attributes from LDAP or RADIUS
‒ Endpoint attributes from Endpoint Assessment and Host Scan
Dynamic Access Policies Configuration
If criteria met, Access and Authorization Policies can be set
‒ Permit, Quarantine, or Terminate connection and display message to user
‒ Apply a Network ACL
‒ Apply a Web ACL (clientless)
‒ Enable/disable file browsing, file server entry, HTTP proxy, and URL entry (clientless)
‒ Enable/disable/auto-start port forwarding lists (clientless)
‒ Enable bookmark lists (clientless)
‒ Permit or deny access methods such as AnyConnect and/or Clientless
Selection Hierarchy for VPN Attributes
Attribute sources, highest precedence first:
1. Dynamic Access Policy
2. User Attributes
3. User Group Policy
4. Connection Profile Group Policy
5. Default Group Policy
Troubleshooting AnyConnect Client (AnyConnect client screenshots)
Debugging AnyConnect SSL VPN
Utilize ASDM Monitoring VPN functionality
Ensure connections are mapping to the correct group policy and connection profile
Utilize AnyConnect client logging and DART
Debugging commands
‒ show webvpn ?
‒ debug webvpn ?
‒ debug aaa
‒ debug radius
Clientless SSL VPN
Clientless VPN Overview
Clientless Capabilities
‒ Application access
‒ Smart Tunnels
‒ Plug-ins
Troubleshooting Clientless SSL VPNs
Advanced Authentication and Single Sign-On in a Clientless SSL VPN
Customizing the Portal
Clientless SSL VPN Overview
Provides network access using a standard web browser. No client.
Secure access through multiple methods
‒ Internal websites – delivering internal websites over HTTPS
‒ Windows file shares – web-based file browsing capabilities
‒ Plug-ins – Java applets for telnet, SSH, RDP, VNC, and Citrix (ICA)
‒ Smart Tunnels – Automatic tunneling of application traffic through the SSL VPN
‒ Port Forwarding – Opening local ports to be forwarded over the SSL VPN
Provides extra security with Cisco Secure Desktop functionality
Clientless SSL VPN Configuration
Key design and configuration choices:
‒ Which access methods to permit (web, file browsing, plug-ins, etc.)
‒ Bookmarks for users
‒ Different web portals for different groups
‒ Authentication type: password, one-time-password, certificate, or two methods
‒ Cisco Secure Desktop requirements
Clientless ASDM Configuration
1. Upload Plug-ins and CSD to flash if needed
2. Configure AAA servers for required user authentication methods
3. Install an SSL certificate on the ASA for secure remote connections
4. Create Group Policy
• Define most of the Clientless options
5. Create Connection Profile
• User authentication type
• Associate Group Policy
• Create Connection Aliases and Group URLs for users to access this Clientless SSL VPN
6. Enable SSL VPN on the appropriate interface
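The six ASDM steps above as one ASA CLI configuration. This is an added example and not part of the original deck; the interface names, server address, RADIUS key, FQDN and package filename are made-up placeholders, and the bookmark list BM-STAFF is assumed to have been created in ASDM (or imported with `import webvpn url-list`).

```text
! Added example: clientless SSL VPN from CSD package to portal URL.
! All names, addresses and keys are hypothetical.

! Step 1: CSD package already copied to flash; plug-ins are imported separately.
webvpn
 csd image disk0:/csd_3.6.6203-k9.pkg
 csd enable

! Step 2: AAA server used for user authentication.
aaa-server RADIUS-CORP protocol radius
aaa-server RADIUS-CORP (inside) host 10.10.0.5
 key Rad1usSharedS3cret
 authentication-port 1812
 accounting-port 1813

! Step 3: identity certificate for the portal. A CA-issued certificate matters
! here: a self-signed one trains users to click through the very warning that
! would otherwise expose a spoofed portal.
crypto key generate rsa label KP-PORTAL modulus 2048
crypto ca trustpoint TP-PORTAL
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example
 keypair KP-PORTAL
! Then, interactively: "crypto ca authenticate TP-PORTAL" (paste the CA cert),
! "crypto ca enroll TP-PORTAL" (produce the CSR) and
! "crypto ca import TP-PORTAL certificate" (paste the issued cert).
ssl trust-point TP-PORTAL outside

! Step 4: group policy carrying most of the clientless options.
group-policy GP-STAFF-CLIENTLESS internal
group-policy GP-STAFF-CLIENTLESS attributes
 vpn-tunnel-protocol ssl-clientless
 vpn-idle-timeout 15
 webvpn
  url-list value BM-STAFF
  file-browsing enable
  file-entry disable
  url-entry disable
  http-proxy disable

! Step 5: connection profile: authentication type, group policy, alias, URL.
tunnel-group TG-STAFF type remote-access
tunnel-group TG-STAFF general-attributes
 authentication-server-group RADIUS-CORP
 default-group-policy GP-STAFF-CLIENTLESS
tunnel-group TG-STAFF webvpn-attributes
 authentication aaa
 group-alias staff enable
 group-url https://vpn.example.com/staff enable
! For the "two methods" option on the previous slide: "authentication aaa certificate".

! Step 6: enable the portal on the outside interface and show the profile
! drop-down on the login page.
webvpn
 enable outside
 tunnel-group-list enable
```

Two points worth checking after this goes in: `url-entry disable` together with a fixed bookmark list is what keeps the portal from becoming an open web proxy into the inside network, and a user who reaches the portal without the alias or group-url lands in DefaultWEBVPNGroup, whose group policy should therefore be as restrictive as the contractor one above.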
Clientless SSL VPN Bookmarks
Methods for assigning bookmarks
‒ Group policy
‒ User attributes
‒ LDAP or RADIUS attributes
‒ Dynamic Access Policy (DAP) result
URL Variables for Single Sign On
‒ CSCO_WEBVPN_USERNAME — User login name
‒ CSCO_WEBVPN_PASSWORD — Obtained from user login password
‒ CSCO_WEBVPN_INTERNAL_PASSWORD — Obtained from the Internal password field. You can use this field as Domain for Single Sign-on operations.
‒ CSCO_WEBVPN_CONNECTION_PROFILE — User login group drop-down
‒ CSCO_WEBVPN_MACRO1 — Set via Radius or LDAP vendor specific attribute
‒ CSCO_WEBVPN_MACRO2 — Set via Radius or LDAP vendor specific attribute
Bookmark Settings
Clientless Smart Tunnels
Allows a TCP-based application to tunnel through the clientless VPN
Benefits
‒ Better performance than plug-ins
‒ Simplifies user experience compared to forwarding local ports
‒ Unlike port forwarding, does not require administrative privileges on the endpoint
Available for Windows (using Internet Explorer) and Mac
Configuring Smart Tunnels in Group Policy
Deploying Advanced Application Access for Clientless SSL VPN
Configuring Smart Tunnels
Clientless Plug-ins
Java applets that provide application connectivity inside the SSL VPN browser session and enable new URL and bookmark types
‒ Citrix Client (ica://), RDP (rdp://, rdp2://), Shell (telnet://, ssh://), VNC (vnc://)
‒ Does not require administrator privileges on endpoint
Clientless Plug-ins Configuration
1. Load the plug-ins via ASDM
2. Customize bookmarks with Plug-Ins URLs
Clientless Port Forwarding
Port forwarding supports TCP applications over the SSL VPN
Works by opening local listening ports and forwarding each connection to the server and port defined in the port-forwarding list
Name resolution is intercepted (the applet edits the endpoint's hosts file) so that applications connect to the local ports
Requires administrative rights on the endpoint, because of that hosts-file change
Works on Windows, Mac, and Linux
Port Forwarding Configuration
1. Configure Port Forwarding List
2. Specify Port Forwarding List in Group Policy
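The three application-access methods from the preceding slides (plug-ins, smart tunnels and port forwarding) configured side by side on the CLI. This is an added example, not configuration from the original deck; the TFTP server, host names, ports, executable names and the group policy GP-STAFF-CLIENTLESS are made-up placeholders, and the plug-in jar files are assumed to already sit on the TFTP server.

```text
! Added example: plug-ins, smart tunnels and port forwarding for one group.
! Names, addresses and ports are hypothetical.

! Plug-ins: loaded once on the ASA; afterwards rdp://, ssh:// and vnc://
! bookmarks work with no privileges on the endpoint.
import webvpn plug-in protocol rdp tftp://10.10.0.20/rdp-plugin.jar
import webvpn plug-in protocol ssh,telnet tftp://10.10.0.20/ssh-plugin.jar
import webvpn plug-in protocol vnc tftp://10.10.0.20/vnc-plugin.jar
! Bookmarks (built in ASDM) can then point at e.g. rdp://ts01.corp.example.com
! or ssh://jump.corp.example.com.

! Smart tunnels: only the listed processes are tunneled, and the user never
! has to retarget the application at a local port. The optional "hash"
! keyword pins the executable's SHA-1 so a renamed binary cannot borrow the
! tunnel (hash value omitted here because it is installation-specific).
webvpn
 smart-tunnel list ST-APPS RDPClient mstsc.exe platform windows
 smart-tunnel list ST-APPS MSOutlook outlook.exe platform windows
 smart-tunnel list ST-APPS TerminalApp Terminal platform mac

! Port forwarding: one fixed local port per destination. The applet rewrites
! the hosts file so mail.corp.example.com resolves to 127.0.0.1, which is why
! it needs administrative rights. Note that any local process can reach the
! listening port, not only the intended application.
webvpn
 port-forward PF-LEGACY 2525 mail.corp.example.com 25 SMTP-relay
 port-forward PF-LEGACY 2023 core-sw1.corp.example.com 23 Console-telnet

! Attach both lists to the group policy; auto-start brings them up at login.
group-policy GP-STAFF-CLIENTLESS attributes
 webvpn
  smart-tunnel enable ST-APPS
  smart-tunnel auto-start ST-APPS
  port-forward enable PF-LEGACY
  port-forward auto-start PF-LEGACY
```

Of the three, port forwarding is the one to retire first when possible: it changes a system file, it exposes a listening port to every local process, and it is the only method that demands administrative rights on a host the administrator does not control.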
Port Forwarding Configuration
Customizing the Clientless SSL VPN User Interface and Portal
Customizing the SSL Login Page
Page can be branded
WebACL Example
Debugging Clientless SSL VPN
Utilize ASDM Monitoring VPN functionality
Ensure connections are mapping to the correct group policy and connection profile
Debugging commands
‒ show webvpn ?
‒ debug webvpn ?
‒ debug aaa
‒ debug radius
‒ debug dap
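A troubleshooting sequence built from the show and debug commands listed on this slide and on the AnyConnect debugging slide, worked for a user who lands in the wrong portal. This is an added example, not from the original deck; the user name, AAA server group, server address and password are made-up placeholders.

```text
! Added example: diagnosing why user "bob" gets the wrong policy.
! Names and addresses are hypothetical.

! 1. Which connection profile and group policy did the session actually get?
show vpn-sessiondb detail webvpn filter name bob
show vpn-sessiondb detail anyconnect filter name bob
! Read the "Tunnel Group" and "Group Policy" lines. A user who connects to
! the bare portal URL instead of the alias or group-url ends up in
! DefaultWEBVPNGroup, which explains most "wrong bookmarks" tickets.

! 2. Is the portal enabled on that interface, and which certificate serves it?
show running-config webvpn
show webvpn statistics
show ssl
show crypto ca certificates

! 3. Reproduce the login with debugs on, then turn them off again.
terminal monitor
logging enable
logging monitor debugging
debug webvpn 255
debug aaa authentication
debug radius user bob
debug dap trace
debug dap errors
! ... user logs in; "debug dap trace" prints every record evaluated and
! which one matched ...
undebug all

! 4. Test the AAA path on its own so an AAA outage is not mistaken for a
!    VPN problem (the RADIUS attributes returned are shown on success).
test aaa-server authentication RADIUS-CORP host 10.10.0.5 username bob password B0bsPassw0rd
```

Leave `debug webvpn 255` on only for the duration of the test login: at that level it logs request and response details for every portal session on the box, which is both a performance cost and a place where other users' session data lands in the log.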
High Availability Options
Redundant head-end peering
‒ Configure two head-ends with 2 IPsec tunnels
‒ Utilize two interfaces with 2 ISPs for additional redundancy
‒ Static route tracking is used to switch between ISPs
[Figure: ISP high availability. A remote-access AnyConnect client reaches the company network through a Cisco ASA connected to two ISPs.]
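The three bullets above (two head-ends, two ISP interfaces, tracked static routes) on a branch ASA. This is an added example and not configuration from the original deck; the addresses are documentation ranges, the interface names, ACL, crypto map name, pre-shared keys and probe target are made-up placeholders, and the head-end side is assumed to be configured to accept the branch from either of its two public addresses.

```text
! Added example: branch ASA with two ISP uplinks and two head-end peers.
! Addresses and names are hypothetical.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248

! Probe something beyond the first-hop router (here the primary head-end) so
! a dead upstream, not only a dead link, triggers the switch.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 frequency 5
 timeout 1000
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability

! The primary default route is withdrawn when track 10 goes down; the
! floating route (metric 254) on the backup ISP then takes over.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 10
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! One crypto map listing both head-ends; the ASA tries the peers in order.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
access-list ACL-VPN-HQ extended permit ip 10.20.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map CM-HQ 10 match address ACL-VPN-HQ
crypto map CM-HQ 10 set peer 192.0.2.10 192.0.2.20
crypto map CM-HQ 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-HQ interface outside
crypto map CM-HQ interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup

! One tunnel group per head-end, each with its own pre-shared key.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key Hq1Pr3Shar3dK3y
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key Hq2Pr3Shar3dK3y
```

Two things the slide's bullets do not say but the design depends on: after a switch to the backup ISP the branch sources IKE from 198.51.100.2, so each head-end needs a tunnel group (or a certificate-based dynamic map) for both branch addresses, and the existing SAs do not migrate, so expect a short outage while IKE renegotiates from the new address. Verify with `show track 10`, `show route` and `show crypto ikev1 sa` during a failover test rather than trusting the configuration.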
High Availability Options
Active / Standby chassis redundancy
‒ ASA must be in single context and routed mode to support VPNs
‒ Configure both Failover link and Stateful link to preserve VPN sessions
[Figure: Active/Standby pair of Cisco ASAs joined by a failover link, between the Internet and the company network.]
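The Active/Standby setup above with the separate failover and stateful links the slide calls for, as seen on the primary unit. This is an added example, not configuration from the original deck; the link addresses, interface assignments and failover key are made-up placeholders, and the secondary unit is assumed to carry the same lines with `failover lan unit secondary`.

```text
! Added example: primary unit of an Active/Standby pair.
! Addresses, interfaces and the key are hypothetical.

! Precondition from the slide: single context, routed mode.
! Confirm with "show mode" and "show context" before starting.

failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
! Stateful link on its own interface so state replication (IPsec SAs and
! VPN sessions included) does not compete with failover hellos.
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.2.1 255.255.255.252 standby 10.255.2.2
! Hellos, configuration sync and replicated state cross these links in the
! clear unless a key is set; the key encrypts the failover messages.
failover key F41lov3rSharedKey
failover polltime unit 1 holdtime 3
! Monitor the data interfaces so a dead link, not only a dead box, fails over.
monitor-interface outside
monitor-interface inside
! "failover" is issued last, once everything above is in place.
failover

! Standby addresses on the data interfaces: the pair shares the active
! address, so VPN peers keep the same head-end IP across a switchover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
```

Because the key and the configuration are replicated over these links, treat them as a trust boundary: use dedicated, directly connected ports or an isolated VLAN, never a shared user segment. Check the pair with `show failover` and `show failover state`; then confirm the stateful part with a `show vpn-sessiondb` on the standby before and after a forced `failover active`.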
High Availability Options
External Load Balancer
‒ Utilize a stateful load balancer to distribute VPN sessions among ASAs
VPN Load Balancing feature
‒ Virtual load balancing built into ASA
‒ No external load balancer required
‒ Works with IPsec (remote access), SSL VPN tunnels, and SSL VPN clientless
‒ Use a single Unified Client Certificate or multiple certificates
[Figure: VPN load balancing. A virtual load-balancing cluster of Cisco ASAs between the Internet and the company network.]
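The built-in VPN Load Balancing feature on one cluster member, including the certificate point from the last bullet. This is an added example and not configuration from the original deck; the cluster address, key, trustpoint and interface names are made-up placeholders, and every other member is assumed to run the same block with its own interface addresses.

```text
! Added example: one member of an ASA VPN load-balancing cluster.
! Addresses, key and trustpoint are hypothetical.

! Clients are first sent to the cluster address and then redirected to a
! member, so the certificate each member presents must be valid for the
! cluster FQDN as well as its own name: either one certificate whose SANs
! list every name (the "single unified certificate" on the slide) or one
! certificate per unit.
ssl trust-point TP-PORTAL outside

! Cluster encryption protects the member-to-member messages with IPsec and
! therefore needs IKE enabled on the inside (lbprivate) interface.
crypto ikev1 enable inside

vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 203.0.113.100
 cluster port 9023
 cluster key Clust3rSharedKey
 cluster encryption
 redirect-fqdn enable
 priority 10
 participate

! "redirect-fqdn enable" redirects by the member's DNS name instead of its
! IP so the client's certificate check still passes after the redirect;
! each member needs a matching forward DNS entry.

! Verification: cluster master, members and per-member load.
show vpn load-balancing
```

The redirect is a single message: after it, the client talks to the chosen member directly, so every member must carry identical tunnel groups, group policies and AAA configuration or users will get different policies depending on which unit they land on. Without `cluster encryption` the cluster messages, including the key, travel in the clear on the inside segment.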
Summary
Overview of CCNP Security VPN v2.0 Exam
VPN v2.0 Topics
‒ ASA VPN Architecture and Fundamentals
‒ VPN Fundamentals
‒ IPSec Site to Site
‒ IPSec Remote Access
‒ AnyConnect VPN
‒ Clientless SSL VPN
‒ High Availability
Q&A
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
Follow Cisco Live! using social media:
‒ Facebook: https://www.facebook.com/ciscoliveus
‒ Twitter: https://twitter.com/#!/CiscoLive
‒ LinkedIn Group: http://linkd.in/CiscoLI
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.