Installing the Cisco VPN 3.5 Client Software on Windows

Part of the document Sybex CCSP: Securing Cisco IOS Networks Study Guide (pages 269 - 362)

You need to download the VPN 3.5 Client Software from CCO or use the software provided with a VPN Concentrator. To access CCO, you need a SMARTnet contract.

1. Extract the software from the zip file and run the setup.exe file.

2. You may be prompted to disable the Windows IPSec policy agent. If you are, click Yes.

3. When the screen introducing the Installshield Wizard comes up, click Next.

318 Chapter 9 Cisco IOS Remote Access Using Cisco Easy VPN

4. When the software license agreement appears, make sure to read it thoroughly. Once you understand it and agree to all of the terms, click Yes.

5. Verify the directory to install the software into and click Next.

6. When prompted to restart your machine, make your selection and then click Finish.


Answers to Written Lab

1. Cisco Easy VPN supports DH groups 2 and 5.

2. To remove user prompts when installing the Cisco VPN 3.5 Client, you modify the oem.ini file.

3. The Cisco Easy VPN Server supports the DES and 3DES encryption algorithms.

4. A Cisco IOS router, a Cisco PIX Firewall, or a Cisco VPN Concentrator can be an Easy VPN Server.

5. Tunnel mode is the IPSec protocol supported by the Cisco Easy VPN Server.

6. You modify the *.pcf files, one per connection, when installing the Cisco VPN 3.5 Client.

7. The IPSec protocol identifiers supported by the Cisco Easy VPN Server are ESP and IPCOMP-LZS.

8. Transport mode is the IPSec protocol mode not supported by the Cisco Easy VPN Server.

9. The operating systems supported by the Cisco VPN 3.5 Client Software are Solaris (Ultra-Sparc 32-bit), Mac OS X, Windows, and Linux (Intel).

10. IPSec AH is not supported by the Cisco Easy VPN Server.

Answers to Review Questions

1. A, B. Pre-shared keys and RSA digital signatures are supported authentication types. DSS is not supported. DES and 3DES are encryption algorithms, not authentication types.

2. C. You must have at least 12.2(8)T to run the IOS Easy VPN Server.

3. C, F. DH groups 2 and 5 are supported. DSS, DH1, PFS, and manual keys are not supported.

4. B, C, D. An IOS router, PIX Firewall, or VPN Concentrator can act as a Cisco Easy VPN Server. The VPN 3.5 Client Software cannot.

5. A, C, D. DES, 3DES, and NULL are the three types of IPSec encryption supported by the Cisco Easy VPN.

6. C. Split Tunneling enables remote user traffic destined for the Internet to go directly to the Internet and not across the VPN tunnel.

7. B. The oem.ini file is used to remove all user prompts and force the PC to reboot when the installation is finished.

8. E. Enabling policy lookup via AAA is the first configuration task for the Easy VPN Server.

9. B, E. DH groups 2 and 5 are supported by the Cisco Easy VPN Server.

10. D. You would configure and add one .pcf file for each connection you wish to add to the VPN 3.5 Client.

11. A. Tunnel mode is supported by the Cisco Easy VPN Server; transport mode is not.

12. D. Initial contact allows Cisco VPN devices to clear existing connections when devices attempt to establish new connections.

13. C. You would modify the vpnclient.ini file to pre-configure global profiles.

14. A. DH group 1 (DH1) is not supported by the Cisco Easy VPN Server.

15. E. Any of these can be used as Cisco Easy VPN Remotes.

16. C, D, F, G. The Cisco VPN 3.5 Client Software is available for Linux (Intel), Mac OS X, Windows, and Solaris (Ultra-Sparc 32-bit).

17. C. The oem.ini, vpnclient.ini, and .pcf files are placed in the same directory as the setup.exe file.

18. A, B, E. The VPN 3.5 Client supports DH groups 1, 2, and 5.

Appendix A

Introduction to the PIX Firewall

4231AppA.fm Page 323 Monday, May 5, 2003 3:02 PM

This appendix is by no means meant to be a comprehensive guide to the installation and configuration of PIX Firewalls. Instead, it gives you an introduction to the information covered in the CCSP PIX exam, including the features and basic configuration of PIX Firewalls. (Please go to www.sybex.com for information about Sybex’s Study Guides on the CCSP exams.)

Here are some of the topics covered in this appendix:

The advantages of using a PIX Firewall to protect your network

How a firewall passes traffic from one interface to another and the rules that traffic must follow

The basics of configuring a PIX Firewall: how to navigate the different modes, how to configure interfaces, and how to save configurations

How you can influence the traffic between interfaces, that is, how you can control exactly which traffic crosses the firewall

How to enable AAA on PIX Firewalls

Some of the advanced features available on the PIX Firewall

Be prepared—there are a lot of configuration details, and many new commands and syntax will be introduced.

The Cisco Packet Internet eXchange (PIX) Firewall

The PIX Firewall is a tool used to prevent unauthorized access between any two (or more) networks. The PIX Firewall uses a secure, real-time, embedded operating system.

Many other competing firewalls run on top of another operating system such as Unix or Windows NT. The problem with this is that Unix and Windows NT (or even Cisco’s IOS) have well-known security issues. This means that potential intruders can attack the operating system of the box your firewall is running using commonly available information! So much for the firewall….

Since the PIX Firewall uses a proprietary operating system (called Finesse), it is much more difficult to attack. There is no source code floating around that a potential hacker might use to


PIX Firewall interfaces must be purchased from Cisco or Cisco resellers. No other interfaces are supported, because vendors would not be able to provide drivers to work with the closed operating system used by the PIX Firewall. Currently, the following interface types are available:

Single-port 10/100BaseT Ethernet

Four-port 10/100BaseT Ethernet

Token Ring

FDDI

Network Separation

Consider the following PIX Firewall separating three distinct networks:

Because all traffic between these three networks must physically pass through the PIX Firewall, it is in the ultimate position to control and potentially limit all access between these networks. These networks are labeled inside, perimeter, and outside. They each have a separate function:

Inside network The inside network is your internal network where you keep your protected resources such as enterprise servers or other internal-access devices, along with your internal users.

Outside network The outside network is the open, untrusted Internet.

Perimeter network Also called a DMZ (for de-militarized zone), the perimeter network is where you host services such as DNS (Domain Name System) servers, e-mail servers, web and FTP servers, and so on. These services are generally made available to users from the outside network.

Some of you may recognize this terminology from the classic three-part firewall.

The administrator has the ability to control what the PIX Firewall lets through. There are many functions that the PIX Firewall can accomplish, but once it is installed, there are only three ways to get traffic through a PIX Firewall. You will learn about these next.

[Figure: a PIX Firewall connecting three networks: Inside (enterprise server), Perimeter (DNS server, e-mail server), and Outside]



Three Ways through a PIX Firewall

The PIX Firewall has ultimate control over what traffic goes between the networks it separates, and it gives a great deal of control to the administrator in configuring which traffic is to be permitted and which traffic is not allowed. The PIX Firewall can permit traffic between networks using three methods:

Cut-through proxy user authentication

Static route

Adaptive Security Algorithm (ASA)

Cut-Through Proxy User Authentication

The cut-through proxy user authentication method performs user authentication at the Application layer. When a user requests a resource through the PIX Firewall, the firewall intercepts that request and forces the user to provide a username and password. The firewall then authenticates this user against a security server using either the TACACS+ or the RADIUS security protocol (as discussed in Chapter 3, “Configuring CiscoSecure ACS and TACACS+”). Assuming that the security policy allows this particular user to access this resource, the user’s request is forwarded through the firewall. This method can be used for either inbound or outbound requests.

One common problem with proxy servers is that they must evaluate the contents of each and every packet passing through them. This is a processor-expensive operation and can introduce a potential bottleneck into the network. The PIX Firewall gets around this requirement by using a cut-through proxy technique. Once the user’s request has been approved, the PIX Firewall establishes a data flow between the two communicating partners. All traffic between that user and the resource then flows directly through the PIX Firewall, without needing to have each individual packet “proxied.”

Static Route

You can enter static routes on a PIX Firewall. The syntax is similar to that used on a Cisco router, but it is not the same. You must specify an interface name in the command, as in the following examples:

route outside 0.0.0.0 0.0.0.0 172.19.20.1 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1

This syntax should look familiar to those of you with router experience. The only difference is the addition of the inside and outside parameters, which are the interface names. The “Configuring Interfaces” section later in this appendix discusses the naming of interfaces.

The routing protocol that the PIX Firewall supports is RIP (Routing Information Protocol).

Earlier PIX Firewall versions support only RIP version 1 (RIPv1). RIP version 2 (RIPv2) is supported as of PIX Firewall version 5.1(1).


Adaptive Security Algorithm

The Adaptive Security Algorithm (ASA) uses a “stateful” approach to connection security. ASA checks each inbound packet against connection state information stored in memory.

The ASA follows a set of rules:

No packets can cross the firewall without a connection and state, and the connection and state must be recorded in the ASA table.

Outbound connections (connections from a higher security to a lower security interface) are allowed, except those specifically denied using outbound lists.

Inbound connections (connections from a lower security to a higher security interface) are denied, except those specifically allowed using conduits.

Any packet attempting to bypass the previous rules is dropped and logged to Syslog.

All ICMP packets are denied unless specifically permitted using the conduit permit icmp command.

PIX Firewall Configuration Basics

Anyone familiar with configuring Cisco routers using Cisco’s IOS will be at home when configuring a PIX Firewall. The command-line interface (CLI) is similar for the two products, but as mentioned earlier, it is not exactly the same. There are a number of differences, such as the ability to enter any command while in configuration mode on the PIX Firewall. Here, you’ll start your configuration by first changing from user to enable mode, then to configuration mode:

toddfw>enable
toddfw#config t
toddfw(config)#^Z
toddfw#disable
toddfw>

First, you enter privileged mode using the enable command, and then you enter configuration mode using the config t command. Notice how the prompt changes, just as during router configuration. Then you enter ^Z (Ctrl-Z) to go back to privileged mode, after which you enter the disable command to go back to user mode (called unprivileged mode). Now, you need to set an enable password:

toddfw>enable
toddfw#config t
toddfw(config)#enable password todd
toddfw(config)#^Z
toddfw#show password

Notice that you set the password from privileged mode. Also, when you enter the show passwd command, the password is shown encrypted.



Configuring Interfaces

Now, let’s configure some interfaces! You need to assign duplex settings, interface names, and IP addresses. Take a look at a simple firewall:

This PIX Firewall has two interfaces: one internal and one external. The internal interface is meant to have IP address 172.16.10.1, and the external interface is to have the IP address 192.168.30.1. Here is how you configure these interfaces:

toddfw#config t

toddfw(config)#nameif ethernet0 inside sec100
toddfw(config)#nameif ethernet1 outside sec0
toddfw(config)#interface ethernet0 auto
toddfw(config)#interface ethernet1 auto
toddfw(config)#ip address inside 172.16.10.1 255.255.255.0
toddfw(config)#ip address outside 192.168.30.1 255.255.255.0
toddfw(config)#^Z

toddfw#

In this example, you use three commands to configure these interfaces: the nameif command, the interface command, and the ip address command. Let’s take a closer look at the arguments for each of these commands and how these arguments are used.

The nameif Command

The nameif command is used to give the interface a name and specify its security level. It has the following syntax:

nameif hardware_id if_name security_level

The interface name is then used throughout the configuration whenever referencing that interface.

The security_level parameter specifies the security level of the interface on a scale of 0 to 100. You use 0 for the outside network and 100 for the inside network. DMZ or perimeter networks have some number between 1 and 99. You’ll learn more about security levels in the “Configuring Access through the PIX Firewall” section later in this appendix.

The interface Command

The interface command is used to specify the speed on the interface and can be used to enable

[Figure (the simple firewall referred to under “Configuring Interfaces”): a PIX Firewall with an Inside interface at 172.16.10.1 and an Outside interface at 192.168.30.1]


In the previous example, you set each Ethernet interface to auto. You can set the interface to 10-megabit half duplex using the following command:

toddfw(config)#interface ethernet0 10baset

Or you can set the interface to 100-megabit full duplex using this command:

toddfw(config)#interface ethernet0 100full

The ip address Command

The ip address command, as you might expect, is used to assign an IP address to the interface.

Here is its syntax:

ip address if_name ip_address [netmask]

Unlike with a router, where you use an interface-configuration mode to set the IP address on an interface, for the PIX Firewall, you specify the name you gave that interface using the nameif command. Other than this difference, the command is similar to the router command and is straightforward.

Default Gateway Assignment

One last thing you need to do is to assign a default gateway using the route command (mentioned in the “Static Route” section earlier in this appendix). Here is how you set the default gateway:

toddfw(config)#route outside 0.0.0.0 0.0.0.0 192.168.30.2
toddfw(config)#^Z

toddfw#

Testing the Configuration with Ping and ARP

Now that you have the IP addresses configured, you can do a bit of testing. Let’s start with a ping:

toddfw#ping inside 172.16.10.45
172.16.10.45 response received -- 0ms
172.16.10.45 response received -- 0ms
172.16.10.45 response received -- 0ms
toddfw#

Note that you specify the name of the interface closest to the ping target. The ping command makes three attempts to reach the specified IP address.

If you want to ping through a PIX Firewall, you must create an ICMP conduit, covered in the “Configuring Inbound Access” section later in this appendix.



Finally, let’s check the contents of the ARP cache to make sure that the MAC address for the host you pinged in the preceding example is present:

toddfw#show arp

inside 172.16.10.45 00d0.b78f.3553
toddfw#

Saving Your Configuration

Those of you who remember the old router commands for saving and displaying the configuration files will find this refreshing. To save the current firewall configuration to flash memory, do the following:

toddfw#write memory
Building configuration…

[OK]

toddfw#

You can also save the configuration to a floppy disk or to a TFTP (Trivial File Transfer Protocol) server on the network.

To erase the configuration stored in flash memory, you can use this command:

toddfw#write erase

Erase PIX configuration in Flash Memory? [confirm] y
toddfw#

And finally, to show the current running configuration, use this command:

toddfw#write terminal
Building configuration…

If you remember these commands from the old IOS days, great! You are so old that you probably drive 10 miles per hour under the speed limit in the left lane, with your turn signal on! If you know the new router commands such as show running-config and copy running-config startup-config, well, once upon a time, this is how we used to do it.

Configuring Access through the PIX Firewall


Firewall. As mentioned earlier, when interfaces are defined, they are given a security level number between 0 and 100. 0 is used for the outside interface, and 100 is used for the inside interface. Perimeter or DMZ interfaces are assigned numbers between 1 and 99.

As traffic goes between interfaces, it is placed into one of two categories: outbound or inbound.

Which category it falls into depends on the security levels of the interfaces it is traversing:

Outbound connections are for higher security to lower security interfaces.

Inbound connections are for lower security to higher security interfaces.

The PIX Firewall uses different methods for passing traffic in each of these categories. Let’s look at each category and talk about how to allow traffic in that direction.

Configuring Outbound Access

You may recall from the introduction of the ASA earlier in this appendix that outbound connections are allowed unless specifically prohibited. However, you need to do a bit of configuration to start traffic flowing in outbound situations. In most instances, you use the nat and global commands to accomplish this.

The PIX Firewall anticipates that you are using Network Address Translation (NAT).

Although it is possible to run the firewall without using NAT, Cisco strongly recommends against it. Use NAT on the firewall if at all possible.

To configure outbound access using the nat and global commands, you must first start with a diagram of your PIX Firewall, showing all interfaces and their associated names and security levels. Consider the diagram shown here:

[Figure: a PIX Firewall with three interfaces: Inside (security level 100, 172.16.10.1), Perimeter (security level 50, 192.168.40.1), and Outside (security level 0, 192.168.30.1)]

Here is a summary of the configuration of this PIX Firewall:

Interface    Security Level    IP Address
Inside       100               172.16.10.1
Outside      0                 192.168.30.1
Perimeter    50                192.168.40.1

Now you must decide where you will have outbound access. Remember that outbound access is where traffic originates on an interface with a higher security level destined for an interface with a lower security level. This occurs in only the following situations:

Inside to outside

Inside to perimeter

Perimeter to outside

There will never be outbound traffic originating on the outside interface because its security level is 0. Traffic from the outbound interface can never go to another interface with a lower security level!

The nat Command

You use the nat command to specify each higher security level interface you want to be able to access lower security level interfaces. Here is your configuration:

toddfw#config t

toddfw(config)#nat (inside) 1 0 0
toddfw(config)#nat (perimeter) 1 0 0
toddfw(config)#^Z

toddfw#

Notice that, once again, you did not specify the outside interface, because outbound connections cannot originate there. Each nat command allows users of the specified interface (in parentheses) to access lower security interfaces. So, in this example, the first nat command allows users on the inside interface to access both the perimeter and outside interfaces. The second nat command allows users on the perimeter interface to access the outside interface (the only other interface with a lower security level).

The global Command

Now you need to configure the lower-level interfaces with the global command to finalize the outbound traffic configuration. Here is the configuration:

toddfw#config t

toddfw(config)#global (outside) 1 192.168.30.2 netmask 255.255.255.0
toddfw(config)#global (perimeter) 1 192.168.40.10-192.168.40.100 netmask 255.255.255.0
toddfw(config)#^Z
toddfw#

In this configuration, you’ve done two different things. First, you’re assuming that the outbound interface IP address is a registered Internet address and that you do not have an unlimited number of registered Internet addresses to use for NAT. Therefore, in the preceding configuration of the external or outbound interface, you’re using Port Address Translation (PAT). With PAT, each outbound client connection can use a separate port on the single translated address, allowing you to service more than 64,000 connections from a single IP address!
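As an added example (not code from the book), the following Python script applies the ASA direction rule and the nat/global pairing above to the three-interface configuration: it parses nameif, nat, and global lines, classifies each interface pair as outbound or inbound by security level, and reports whether each outbound path will translate through a single PAT address, an address pool, or has no global at all. The perimeter nameif line and the device name are assumed; the rest of the lines are the ones shown in this section.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the nat/global lines from this section plus the
# nameif lines for the three-interface firewall (the perimeter nameif
# line is assumed, since the section shows only its table entry).
SAMPLE_CONFIG = """
nameif ethernet0 inside sec100
nameif ethernet1 outside sec0
nameif ethernet2 perimeter sec50
nat (inside) 1 0 0
nat (perimeter) 1 0 0
global (outside) 1 192.168.30.2 netmask 255.255.255.0
global (perimeter) 1 192.168.40.10-192.168.40.100 netmask 255.255.255.0
"""

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+sec(\d+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(\S+)")


@dataclass
class PixPolicy:
    levels: dict = field(default_factory=dict)    # if_name -> security level
    nat_ids: dict = field(default_factory=dict)   # if_name -> nat_id it translates with
    globals_: dict = field(default_factory=dict)  # (if_name, nat_id) -> address spec


def parse_config(text):
    """Collect security levels, nat ids and global pools from PIX config lines."""
    policy = PixPolicy()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            policy.levels[m.group(1)] = int(m.group(2))
        elif m := NAT_RE.match(line):
            policy.nat_ids[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):
            policy.globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return policy


def direction(policy, src, dst):
    """ASA rule: higher -> lower security is outbound (allowed unless denied);
    lower -> higher is inbound (denied unless a conduit permits it)."""
    if policy.levels[src] > policy.levels[dst]:
        return "outbound"
    if policy.levels[src] < policy.levels[dst]:
        return "inbound"
    return "same-level"


def translation_kind(spec):
    """A range (a-b) is an address pool; a single address means PAT."""
    return "pool" if "-" in spec else "PAT"


def outbound_paths(policy):
    """Map every outbound (src, dst) pair to its translation kind, or None when
    the source has no nat id or the destination has no matching global."""
    paths = {}
    for src in policy.levels:
        for dst in policy.levels:
            if src == dst or direction(policy, src, dst) != "outbound":
                continue
            nat_id = policy.nat_ids.get(src)
            spec = policy.globals_.get((dst, nat_id)) if nat_id is not None else None
            paths[(src, dst)] = translation_kind(spec) if spec else None
    return paths
```

Running outbound_paths(parse_config(SAMPLE_CONFIG)) reports PAT for inside-to-outside and perimeter-to-outside, and a pool for inside-to-perimeter; dropping a global line shows up as None for that path.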

On the perimeter interface (where you’re translating and have essentially unlimited address
