.....update soon....
Summary:
• Identify the site-to-site traffic (with an ACL) that must not be translated, and bind that ACL to nat 0 so the tunnel sees the original private addresses instead of a PAT address:
access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list VPN-NO-NAT
nat (inside) 1
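As an added example (not from the original post and not a Cisco tool), a small Python audit of the pre-8.3 PIX/ASA NAT-exemption configuration above: it evaluates the nat 0 ACL with first-match semantics to tell whether a given flow leaves untranslated, and flags crypto-ACL (interesting traffic) entries that the exemption ACL does not cover. The sample config, the interface name and the network on the nat 1 line are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[bool, ipaddress.IPv4Network, ipaddress.IPv4Network]
# Constructed sample in PIX/ASA pre-8.3 syntax; the network on the nat 1 line is assumed.
# PIX/ASA ACLs take subnet masks (255.255.255.0), not IOS-style wildcard masks.
SAMPLE_CONFIG = """
access-list VPN-NO-NAT permit ip 10.100.1.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (inside) 0 access-list VPN-NO-NAT
nat (inside) 1 10.100.1.0 255.255.255.0
"""

def parse_acl(config: str, name: str) -> List[Entry]:
    """(permit, src_net, dst_net) for each 'access-list <name> ... ip' line, in order."""
    entries: List[Entry] = []
    for line in config.splitlines():
        p = line.split()
        if len(p) == 8 and p[:2] == ["access-list", name] and p[3] == "ip":
            src = ipaddress.IPv4Network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.IPv4Network(f"{p[6]}/{p[7]}", strict=False)
            entries.append((p[2] == "permit", src, dst))
    return entries

def nat0_acl_name(config: str, iface: str) -> Optional[str]:
    """Name of the ACL bound by 'nat (<iface>) 0 access-list <name>', or None."""
    for line in config.splitlines():
        p = line.split()
        if len(p) == 5 and p[:4] == ["nat", f"({iface})", "0", "access-list"]:
            return p[4]
    return None

def is_nat_exempt(config: str, iface: str, src_ip: str, dst_ip: str) -> bool:
    """First-match walk of the nat 0 ACL: True means the flow leaves untranslated."""
    name = nat0_acl_name(config, iface)
    if name is None:
        return False
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for permit, src_net, dst_net in parse_acl(config, name):
        if s in src_net and d in dst_net:
            return permit  # a deny entry ends the walk; the flow stays subject to nat 1
    return False  # implicit deny: the flow falls through to 'nat (inside) 1'

def uncovered_vpn_pairs(config: str, iface: str, crypto_acl: str) -> List[Tuple[str, str]]:
    """Crypto-ACL permit entries not wholly inside one nat 0 permit entry; such traffic
    would be translated before encryption and never match the tunnel's interesting traffic."""
    exempt = [e for e in parse_acl(config, nat0_acl_name(config, iface) or "") if e[0]]
    return [(str(s), str(d)) for ok, s, d in parse_acl(config, crypto_acl)
            if ok and not any(s.subnet_of(es) and d.subnet_of(ed) for _, es, ed in exempt)]
```

The coverage check is deliberately strict: an interesting-traffic entry only counts as exempt when one permit line of the nat 0 ACL contains it entirely.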
Easy VPN Remote supports two modes of operation:
• Client mode
– Specifies that NAT and PAT be used.
– Client automatically configures the NAT and PAT translations and the ACLs that are needed to implement the VPN tunnel.
– Supports split tunneling.
• Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
– PAT is not used.
– Supports split tunneling.
Both modes of operation also optionally support split tunneling, which allows secure access to corporate resources through the IPSec tunnel while also allowing Internet access through a connection to an ISP or other service—thereby eliminating the corporate network from the path for web access.
The following is a detailed description of the Easy VPN Remote connection process:
Step 1 The Cisco VPN Client initiates the IKE Phase 1 process.
• Using pre-shared keys? Initiate aggressive mode (AM).
• Using digital certificates? Initiate main mode (MM).
• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server.
• To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Authentication methods
– DH group sizes
Step 3 The Easy VPN Server accepts the SA proposal.
• The Easy VPN Server searches for a match:
– The first proposal to match the server’s list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server’s proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.
Step 4 The Easy VPN Server initiates a username/password challenge.
• If the Easy VPN Server is configured for Xauth, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
• All Easy VPN Servers should be configured to enforce user authentication.
Step 5 The mode configuration process is initiated.
• If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
Step 6 IKE quick mode completes the connection.
• After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment.
• After IPSec SA establishment, the VPN connection is complete.