Page 1 © 2003, Cisco Systems, Inc. All rights reserved. VPN Roadshow
Cisco VPN Partner Technical Development
Module 6: VPN Client Configuration
APAC Channels Technical Operations
Page 2
Overview of Software Client’s Firewall Feature
Page 3
VPN Client Firewall Application
[Figure: client and firewall, with split tunneling shown between the encrypted tunnel, the local LAN and Internet traffic to www.cisco.com]
• Split tunneling
• Encrypted tunnel traffic
• Local LAN traffic
• Internet traffic
Page 4
Windows-Based Software Client—Firewall Features
Page 5
Software Client’s Are You There Feature
Page 6
Are You There Feature
[Figure: MS Windows PC running the VPN Client software with the Stateful Firewall driver; AYT]
Page 7
Configuring AYT Feature
Page 8
Configuring Optional or Required Firewall
Page 9
Configuring Firewall Type Selection
Page 10
Custom Firewall
Page 11
Configuring AYT Firewall Policy
Page 12
How the Are You There Feature Works
[Figure: steps 1 to 4 of the AYT exchange between the VPN Client and the Firewall, with the Internet beyond. Firewall: "Zone Labs ZoneAlarm Firewall is operational". VPN Client: "OK—Tunnel will be established now"]
Page 13
Firewall Optional—Warning
Page 14
Software Client’s Stateful Firewall Feature
Page 15
Stateful Firewall
[Figure: MS Windows PC with the Stateful Firewall (always on) enabled, covering both tunneled and non-tunneled traffic]
Page 16
Enabling the Stateful Firewall Feature
Page 17
Software Client’s Central Policy Protection Feature
Page 18
How Central Policy Protection Works
[Figure: the administrator defines the policy, the policy is pushed to the VPN Client, and the VPN Client forwards the policy to the Firewall that sits between it and the Internet]
Page 19
CPP Supported Firewalls
[Table: columns Firewall and CPP; row shown: Network ICE BlackICE Defender]
Page 20
Configure CPP
Page 21
Summary
The software client supports three firewall features.
• The Are You There feature monitors the operation of a specific firewall.
• The Stateful Firewall feature is always on, even when no VPN tunnels are established.
• CPP enables an administrator to push firewall policy to software clients.
Page 22
Overview of Port Address Translation
Page 23
Network Address Translation (NAT)
[Figure: corporate office application server 10.0.1.5 reached across the Internet from a remote office host 192.168.1.5; the remote office NAT device translates that host to 205.151.254.10]
Page 24
[Figure: NAT (cont.), translated address 205.151.254.10]
Page 25
Port Address Translation (PAT)
[Figure: corporate office application server 10.0.1.5; remote office hosts are translated to 205.151.254.10 – Port 600 and 205.151.254.10 – Port 601]
Page 26
Port Address Translation (PAT) (cont.)
[Figure: PAT device between the remote office and the Internet, with the corporate office application server on the far side]

Remote office (inside)            After PAT (outside)
Port #    Source Address          Port #    Source Address
10000     192.168.1.5             600       205.151.254.10
10000     192.168.1.6             601       205.151.254.10
Page 27
IKE and UDP Issue
[Figure: client behind NAT sending IKE and IPSec across the Internet to the VPN Concentrator; one flow is marked Dropped]
Page 28
Release 3.0 NAT Support
[Figure: Release 3.0 IPSec over UDP; IPSec client behind a NAT device]
Page 29
Release 3.5 IPSec Over TCP Enhancement
[Figure: IPSec client 10.0.1.5 behind a PAT device 205.151.254.10, using IPSec over TCP (system wide) across the Internet; packet layout as drawn: Hash | Data | IP | ESP | TCP | IP]
Page 30
IPSec Through PAT Mode
[Figure: Client, PAT device, Internet, VPN Concentrator. Packet layouts as drawn: cleartext Data | IP; native IPSec Hash | Data | IP | ESP | IP; IPSec over UDP Hash | Data | IP | ESP | UDP | IP; IPSec over TCP Hash | Data | IP | ESP | TCP | IP (either/or). Also labelled IPSec through NAT mode]
Page 31
Configuring IPSec Over UDP
Page 32
Page 33
Software Client Configuration—IPSec Over UDP
[Figure: Client, Internet, VPN Concentrator]
Page 34
Configuring IPSec Over TCP
Page 35
Page 36
VPN 3002—IPSec Over TCP Configuration
[Figure: SOHO VPN 3002 across the Internet to the VPN Concentrator; packet layout as drawn: Hash | Data | IP | ESP | TCP | IP]
Page 37
Software Client—IPSec Over TCP Configuration
[Figure: Client, Internet, VPN Concentrator]
Page 38
Summary
• IPSec does not translate through a NAT or PAT device.
• Configure IPSec over UDP or TCP in both the Concentrator and clients.
• For each tunnel type, an applicable port number is defined.
• IPSec over TCP or UDP statistics are viewable on both the Concentrator and clients.
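The following Python is an added example, not Cisco's code and not part of the deck. It ties the PAT table on page 26 and the packet layouts on page 30 to the first summary bullet: a PAT device can only rewrite packets that carry a port field, so native ESP (IP protocol 50, no ports) is dropped, while the same ESP wrapped in UDP or TCP is translated and its reply is mapped back. The inside port 10000, the public address 205.151.254.10 and the public ports 600/601 are taken from the slides; the Packet model, the PatDevice class, the concentrator address CONCENTRATOR_IP and the choice of TCP for the second host are constructed for illustration.

```python
"""Why native IPSec (ESP) fails through PAT while IPSec over UDP/TCP passes.

Added example, not Cisco's code. Addresses and ports 600/601/10000 come
from the slide figures; the packet model, the PAT device and
CONCENTRATOR_IP are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PROTO_TCP = 6    # IANA IP protocol numbers
PROTO_UDP = 17
PROTO_ESP = 50

ENCAP_PORT = 10000                 # inside port shown in the slide's PAT table
PAT_PUBLIC_IP = "205.151.254.10"   # PAT device's outside address (from the slides)
CONCENTRATOR_IP = "198.51.100.1"   # constructed placeholder (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP carries no port fields, so these stay None
    dport: Optional[int] = None
    encap: Optional[str] = None   # "UDP"/"TCP" wrapper around ESP, None for native ESP

    def layers(self) -> List[str]:
        """Header stack, outermost first (the slides draw it right to left)."""
        stack = ["IP"]
        if self.encap:
            stack.append(self.encap)
        stack += ["ESP", "IP", "Data", "Hash"]
        return stack


def native_ipsec(client_ip: str) -> Packet:
    return Packet(client_ip, CONCENTRATOR_IP, PROTO_ESP)


def ipsec_over_udp(client_ip: str) -> Packet:
    return Packet(client_ip, CONCENTRATOR_IP, PROTO_UDP, ENCAP_PORT, ENCAP_PORT, "UDP")


def ipsec_over_tcp(client_ip: str) -> Packet:
    return Packet(client_ip, CONCENTRATOR_IP, PROTO_TCP, ENCAP_PORT, ENCAP_PORT, "TCP")


class PatDevice:
    """Rewrites (inside IP, inside port) to (one public IP, a unique public port)."""

    def __init__(self, public_ip: str, first_port: int = 600):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside ip, inside port, proto) -> public port
        self.table: Dict[Tuple[str, int, int], int] = {}
        # (public port, proto) -> (inside ip, inside port)
        self.reverse: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside-to-outside packet; None means it is dropped."""
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            # ESP has no port field, so there is nothing for PAT to map on
            return None
        key = (pkt.src, pkt.sport, pkt.proto)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.proto)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside-to-inside reply using an existing mapping."""
        entry = self.reverse.get((pkt.dport, pkt.proto))
        if entry is None:
            return None
        return replace(pkt, dst=entry[0], dport=entry[1])


def run_demo() -> Dict[str, object]:
    """Push the three packet types through one PAT device and collect the results."""
    pat = PatDevice(PAT_PUBLIC_IP)
    results: Dict[str, object] = {}
    results["native"] = pat.outbound(native_ipsec("192.168.1.5"))       # dropped
    results["udp_host5"] = pat.outbound(ipsec_over_udp("192.168.1.5"))  # -> port 600
    results["tcp_host6"] = pat.outbound(ipsec_over_tcp("192.168.1.6"))  # -> port 601
    # Reply from the Concentrator to the second mapping (constructed)
    reply = Packet(CONCENTRATOR_IP, PAT_PUBLIC_IP, PROTO_TCP, ENCAP_PORT, 601, "TCP")
    results["reply_host6"] = pat.inbound(reply)
    results["table"] = dict(pat.table)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

The translation table that results is the one drawn on page 26 (10000/192.168.1.5 to 600/205.151.254.10, 10000/192.168.1.6 to 601/205.151.254.10); the native ESP packet never gets an entry, which is the behaviour the summary bullet describes and the reason the Concentrator and clients must both be configured for IPSec over UDP or TCP.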