The PIX Firewall OS version 6.2 introduced the use of the
PIX unit as an Easy VPN Remote device (client) when connecting to any Easy VPN
Server, such as a Cisco VPN 3000 Concentrator, another PIX Firewall, or, in later
releases, Cisco IOS Software. The Easy VPN Remote feature for the PIX is also
referred to as the hardware client or EzVPN client. This “hardware client” feature
allows the PIX unit to establish a VPN tunnel to an Easy VPN Server. Host
devices on the PIX Firewall–protected LAN can connect through the Easy VPN
Server without having to run any VPN client software.
To enable the PIX Firewall as an Easy VPN Remote device, you must
select one of the following modes of operation.
Client Mode
In the Client mode, the VPN connections are initiated by
traffic, using resources only as needed. In Client mode, the PIX unit performs
NAT on all IP addresses of all LAN clients connected through the inside (higher
security) interface. This mode also requires the DHCP server to be enabled on
the inside interface, as covered in Chapter 18.
Network Extension Mode
In the Network Extension mode, the VPN connections are
maintained, even when they aren’t transmitting traffic. This option doesn’t
perform NAT on any client IP addresses connected through the inside (higher
security) interface.
In Network Extension mode, the IP addresses of clients on the
inside interface are received without change at the Easy VPN Server. If these
are legal global addresses, they can be forwarded to the public Internet without further
processing. Otherwise, the Easy VPN Server can provide NAT for them, or they can
be forwarded to a private network without translation.
Establishing Preliminary Connectivity
Before attempting to create a VPN connection between the PIX
Firewall Easy VPN Remote device and an Easy VPN Server, you must establish
network connectivity between both devices through their respective ISPs. This
connectivity could include using a DSL or cable modem. Verify connectivity
before continuing.
Easy VPN Remote Configuration
Because the Easy VPN Server controls the policy enforced on
any Easy VPN Remote device, the remote device configuration is simplified
considerably. The basic local configuration can be performed using the
command-line interface or by using Cisco PIX Device Manager (PDM), covered in Chapter 22. The
local configuration steps required include the following.
The vpnclient commands used to configure the
Easy VPN Remote device store the configuration information in the flash memory
of the PIX Firewall, so it’s preserved when the device reboots.
Step 1: Define the VPN group and password by
entering the following command:
Pix(config)# vpnclient vpngroup groupname password preshared_key
Step 2: (Optional.) If the Easy VPN Server uses
extended authentication (Xauth) to authenticate the PIX Firewall client, enter
the following command:
Pix(config)# vpnclient username xauth_username password xauth_password
Step 3: Identify the remote Easy VPN Server by
entering the following command:
Pix(config)# vpnclient server ip_primary [ip_secondary_n]
Step 4: Set the Easy VPN Remote mode by entering
the following command:
Pix(config)# vpnclient mode {client-mode | network-extension-mode}
Step 5: Enable Easy VPN Remote by entering the
following command:
Pix(config)# vpnclient enable
The no vpnclient enable command closes all
established VPN tunnels and prevents new VPN tunnels from initiating until you
enter a vpnclient enable command. The clear
vpnclient command removes all vpnclient commands from your
configuration.
Step 6: (Optional.) Use the show
vpnclient command to display the current status and configuration of Easy
VPN Remote. Enter the following command:
Pix(config)# show vpnclient
The following is an example Easy VPN Remote basic
configuration.
Pix(config)# vpnclient vpngroup testgrp_a password testkey_a
Pix(config)# vpnclient username testuser_1 password testpass_1
Pix(config)# vpnclient server 1.1.250.1
Pix(config)# vpnclient mode client-mode
Pix(config)# show vpnclient
Local Configuration
vpnclient vpngroup testgrp_a password ********
vpnclient username testuser_1 password ********
vpnclient server 1.1.250.1
vpnclient mode client-mode
Pix(config)#
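The following pre-flight checker is an added example, not code from the book or from Cisco: it parses a saved PIX configuration and reports which of the six steps above are missing before vpnclient enable is relied on. It assumes that the DHCP-server requirement of Client mode appears in the configuration as a dhcpd enable inside line, and the sample configuration it checks is constructed.

```python
# Constructed sample: Client mode, Xauth credentials and a backup server.
# The 'dhcpd enable inside' line is assumed to be how the DHCP-server
# requirement of Client mode appears in the configuration.
SAMPLE_CONFIG = """\
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
vpnclient vpngroup testgrp_a password testkey_a
vpnclient username testuser_1 password testpass_1
vpnclient server 1.1.250.1 1.1.250.2
vpnclient mode client-mode
vpnclient enable
"""

def parse_config(config_text):
    """Collect the vpnclient settings. The preshared key and Xauth password
    are deliberately not retained, like the ******** masking of show vpnclient."""
    cfg = {"servers": [], "dhcpd_inside": False, "enabled": False}
    for line in config_text.splitlines():
        w = line.split()
        if w[:3] == ["dhcpd", "enable", "inside"]:
            cfg["dhcpd_inside"] = True
        elif w[:2] == ["vpnclient", "enable"]:
            cfg["enabled"] = True
        elif w[:1] == ["vpnclient"] and len(w) >= 3:
            if w[1] == "vpngroup":
                cfg["group"] = w[2]
            elif w[1] == "username":
                cfg["xauth_user"] = w[2]
            elif w[1] == "server":
                cfg["servers"] = w[2:]   # primary first, then any secondaries
            elif w[1] == "mode":
                cfg["mode"] = w[2]
    return cfg

def check_config(config_text):
    """Return the problems that would keep the tunnel from coming up;
    an empty list means Steps 1, 3, 4 and 5 are all covered."""
    cfg = parse_config(config_text)
    problems = []
    if "group" not in cfg:
        problems.append("Step 1: no 'vpnclient vpngroup <name> password <key>'")
    if not cfg["servers"]:
        problems.append("Step 3: no 'vpnclient server' (primary Easy VPN Server)")
    if cfg.get("mode") not in ("client-mode", "network-extension-mode"):
        problems.append("Step 4: mode must be client-mode or network-extension-mode")
    if cfg.get("mode") == "client-mode" and not cfg["dhcpd_inside"]:
        problems.append("Client mode needs the DHCP server enabled on inside")
    if not cfg["enabled"]:
        problems.append("Step 5: 'vpnclient enable' not present")
    return problems
```

Step 2 (Xauth) is intentionally not flagged, because it is optional and depends on the Easy VPN Server's policy.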