The VPN 3002 in the Network
The VPN 3002 Hardware Client fits into the network wherever a
relatively small group of users needs secure VPN connections to the corporate
network. Figure 15-3 shows both an overall view of a small
branch connecting to the corporate network through a VPN 3002 and a more detailed
view of the possible local connection using cable or DSL service.
VPN Modes
The Cisco VPN 3002 supports two modes of operation, offering
implementation choices based on flexibility, security, and ease of configuration.
Those modes are as follows:
- Client mode
- Network Extension mode
A large VPN implementation might frequently have both types of
operation.
Client Mode
In Client mode (also called PAT mode), the VPN 3002 emulates the VPN client software,
appearing to the main network as a single remote user and isolating all devices
on the VPN 3002 private network from the corporate network. The private hosts
protected behind the VPN 3002 form a separate network that remains invisible to,
and can’t be routed to by, the central site hosts. The local hosts are assigned their
IP addresses by the VPN 3002 private interface, configured as a DHCP server,
while the public port can be configured to use the DHCP client feature to
acquire its IP address from an Internet service provider (ISP).
The 3002 device uses Port Address Translation (PAT) on the public
interface to hide the local network and to allow local hosts to reach
destinations outside it in Client mode. Because all traffic to the central
network carries the public interface IP address as its source, PAT supplies and
manages unique port-number mappings that are used in combination with that
address to tell the local hosts apart.
Because the VPN 3002 configured for Client mode can only create
outbound connections, there’s no way for an outside source—even from the
corporate network—to initiate a connection with the 3002 unit or through it to
the workstations behind.
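The two properties just described, one public address shared by many local hosts and no way for an outside party to open a connection inward, follow directly from how a PAT table works. The following is an added illustration written for this section, not Cisco code: the `PatTable` class, the port pool, and the sample addresses (documentation ranges) are all constructed. It shows two local hosts that happen to use the same source port receiving distinct public ports, a reply being delivered back to the right host, and an unsolicited inbound packet from the central site being dropped because no mapping exists for it.

```python
"""
How a PAT device such as the VPN 3002 in Client mode hides the local hosts
behind its single public address. Added teaching example, not Cisco code: the
class names, the port pool and the sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Maps each (private IP, private port) pair to a unique port on one public IP."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        # private (ip, port) -> public port
        self._outbound: dict[tuple[str, int], int] = {}
        # public port -> (private ip, private port, remote ip, remote port)
        self._inbound: dict[int, tuple[str, int, str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an outbound packet so it appears to come from the public interface."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            if self._next_port > self._last_port:
                raise RuntimeError("PAT port pool exhausted")
            self._outbound[key] = self._next_port
            self._next_port += 1
        pub_port = self._outbound[key]
        # Remember which remote peer this mapping was opened toward.
        self._inbound[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the private host, or return None to drop it.

        Anything arriving without a mapping opened from the inside, or from a
        peer other than the one the local host contacted, has nowhere to go.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._inbound.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Two local hosts share a source port; a reply is delivered; an unsolicited
    connection attempt from the central site is dropped."""
    pat = PatTable("203.0.113.10")  # constructed public address (documentation range)
    a = pat.translate_outbound(Packet("192.168.10.5", 40000, "10.1.1.20", 443))
    b = pat.translate_outbound(Packet("192.168.10.6", 40000, "10.1.1.20", 443))
    reply = pat.translate_inbound(Packet("10.1.1.20", 443, "203.0.113.10", a.src_port))
    unsolicited = pat.translate_inbound(Packet("10.1.1.30", 51000, "203.0.113.10", 3389))
    return {
        "public_ports": (a.src_port, b.src_port),
        "reply_delivered_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "unsolicited_dropped": unsolicited is None,
    }


if __name__ == "__main__":
    print(demo())
```

The inbound check also requires the reply to come from the same peer the mapping was opened toward; a real PAT implementation additionally ages mappings out, which is why the keepalives mentioned later in this section matter for tunnels that cross a NAT device.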
Client Mode and Split Tunneling
Split tunneling provides the
capability to have a secure tunnel to the central site, while simultaneously
maintaining an unsecured clear-text tunnel to the Internet through the ISP. PAT
is used to protect the local workstations during split tunneling to the
Internet. The network and addresses on the private side of the VPN 3002 remain
hidden and can’t be accessed directly from the Internet. If the organization
security policy prohibits split tunneling, it can be blocked by creating a
policy on the central site device, which is then pushed down to the 3002
Client.
Network Extension Mode
In Network Extension mode, the VPN
3002 establishes a secure, site-to-site connection with the central site device.
The local stations behind the VPN 3002 are fully routable and the local network
is visible to the central site. As the name implies, the local network becomes
part of the organization’s intranet. VPN and device configuration and security
policies are pushed from the central site. The VPN 3002 must initiate the tunnel
to the central site but, after the tunnel is up, either side can initiate data
exchange.
In Network Extension mode, the private address can be assigned
using the DHCP server. Any shared resources in the protected network that must
be accessed by the central area hosts should be assigned manually to allow
central site hosts and applications to reliably reach any local server, printer,
POS terminal, IP phone, or other device critical to the business.
Network Extension Mode and Split Tunneling
PAT provides security for local host traffic heading to the
Internet through split tunneling. The network and addresses on the private side
of the VPN 3002 are reachable over the tunnel but protected from the
Internet, because they can’t be accessed directly. This outbound PAT on the VPN
3002 provides centralized security control: local users have no configuration
parameters to adjust that might otherwise expose the central site.
Network Extension Mode per Group
VPN software versions 3.6 and later let a network
administrator restrict the use of Network Extension mode. The administrator can
now enable/disable Network Extension mode on the VPN Concentrator for VPN 3002
hardware clients on a per-group basis.
Network Extension mode is the default setting on the VPN
Concentrator. If the concentrator is configured to disallow Network Extension
mode for a group, all VPN 3002s in the group must be configured for Client (PAT)
mode.
IPSec VPNs
The VPN 3002 Hardware Client supports IPSec for secure
connections to a central-site VPN Concentrator over a VPN tunnel. The VPN 3002
Hardware Client supports one tunnel at a time and, running software release
3.6 or higher, supports the following IPSec implementations, only one of which
can be used for each tunnel:
- IPSec over TCP
- IPSec over NAT-T
- IPSec over UDP
IPSec over TCP
IPSec over TCP encapsulates encrypted
data traffic within TCP packets. This allows the VPN 3002 to operate in networks
where standard ESP (IP protocol 50) or IKE (UDP 500) can’t pass, or can pass
only after existing firewall rules are modified. IPSec over TCP enables
secure tunneling through NAT and PAT devices, and through firewalls, by
encapsulating both the IKE and IPSec protocols within TCP packets.
To use IPSec over TCP, both the VPN 3002 and the VPN Concentrator
must meet the following requirements:
IPSec over NAT-T
NAT Traversal (NAT-T) allows IPSec peers to establish a
connection through a device using NAT. NAT-T accomplishes this by encapsulating
IPSec traffic in UDP datagrams (port 4500), thereby providing NAT devices with
needed port information. NAT-T technology auto-detects any NAT devices and only
encapsulates IPSec traffic when necessary.
The VPN 3002 hardware client uses NAT-T by default and requires no
special configuration. The VPN 3002 first attempts NAT-T, and then uses IPSec
over UDP if a NAT device isn’t autodetected. The UDP packets allow IPSec traffic
to pass through firewalls that would otherwise reject and discard it.
To use NAT-T, the VPN 3002 must meet the following requirements:
- Run version 3.6 or later software.
- Port 4500 on any firewall between the VPN 3002 and the VPN peer must be open.
- Reconfigure any existing IPSec over UDP using port 4500 to a different port.
- Use the Configuration | Interfaces | Public screen to select the second or third option for the Fragmentation Policy parameter. These options let traffic travel across NAT devices that don’t support IP fragmentation, while not impeding NAT devices that do support it.
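The encapsulations described in this section (native ESP and IKE, IPSec over TCP, NAT-T on UDP 4500, and the proprietary IPSec over UDP) each need different things from a firewall sitting between the VPN 3002 and the concentrator, and each looks different on the wire. The code below is an added example for this section, not Cisco code or documentation: the `Packet` shape, the sample traffic, and the branch firewall policy are constructed, and the IPSec over TCP and IPSec over UDP port numbers are assumed values (both are configurable on the concentrator). The NAT-T demultiplexing rules come from RFC 3948: IKE on UDP 4500 carries a four-zero-byte non-ESP marker, ESP-in-UDP begins with its non-zero SPI, and a single 0xFF byte is a NAT keepalive. The `classify` function labels packets the way an analyst reviewing a capture on the 3002's public side would, and `permitted_encapsulations` tells you which tunnel types a given rule set lets through.

```python
"""
Classifier for the IPSec encapsulations this section lists (native ESP/IKE,
NAT-T on UDP 4500, IPSec over UDP, IPSec over TCP) and a check of which of them
a given firewall policy lets through. Added teaching example, not Cisco code:
the Packet shape, the sample traffic and the policy are constructed, and the
IPSec over TCP/UDP ports are assumed values (both are configurable on the
concentrator). NAT-T demultiplexing follows RFC 3948.
"""
from dataclasses import dataclass
from typing import Optional

IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
IPSEC_OVER_TCP_PORT = 10000   # assumed for the example; configurable
IPSEC_OVER_UDP_PORT = 10001   # assumed for the example; configurable


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int]   # None for protocols without ports (ESP)
    payload: bytes


def classify(pkt: Packet) -> str:
    """Name the encapsulation a packet belongs to, or 'other'."""
    if pkt.proto == IP_PROTO_ESP:
        return "esp"                        # native ESP, IP protocol 50
    if pkt.proto == IP_PROTO_UDP:
        if pkt.dst_port == IKE_PORT:
            return "ike"                    # native IKE on UDP 500
        if pkt.dst_port == NAT_T_PORT:      # RFC 3948 demultiplexing on UDP 4500
            if pkt.payload == b"\xff":
                return "nat-t-keepalive"    # one 0xFF byte keeps the NAT mapping alive
            if pkt.payload[:4] == b"\x00\x00\x00\x00":
                return "nat-t-ike"          # zero non-ESP marker precedes IKE
            return "nat-t-esp"              # otherwise the first 4 bytes are an ESP SPI
        if pkt.dst_port == IPSEC_OVER_UDP_PORT:
            return "ipsec-over-udp"
    if pkt.proto == IP_PROTO_TCP and pkt.dst_port == IPSEC_OVER_TCP_PORT:
        return "ipsec-over-tcp"
    return "other"


# What an intervening firewall must permit for each encapsulation, as
# (IP protocol, destination port) pairs; ESP has no port.
REQUIREMENTS: dict[str, set[tuple[int, Optional[int]]]] = {
    "native": {(IP_PROTO_UDP, IKE_PORT), (IP_PROTO_ESP, None)},
    # IKE starts on UDP 500 and floats to UDP 4500 once a NAT is detected.
    "nat-t": {(IP_PROTO_UDP, IKE_PORT), (IP_PROTO_UDP, NAT_T_PORT)},
    "ipsec-over-udp": {(IP_PROTO_UDP, IKE_PORT), (IP_PROTO_UDP, IPSEC_OVER_UDP_PORT)},
    "ipsec-over-tcp": {(IP_PROTO_TCP, IPSEC_OVER_TCP_PORT)},
}


def permitted_encapsulations(allowed: set[tuple[int, Optional[int]]]) -> list[str]:
    """Encapsulations whose every requirement the policy permits."""
    return [name for name, reqs in REQUIREMENTS.items() if reqs <= allowed]


def demo() -> dict:
    # Constructed sample traffic as seen on the 3002's public side.
    samples = [
        Packet(IP_PROTO_ESP, None, b"\x12\x34\x56\x78" + b"\x00" * 20),
        Packet(IP_PROTO_UDP, IKE_PORT, b"\x00" * 28),
        Packet(IP_PROTO_UDP, NAT_T_PORT, b"\x00\x00\x00\x00" + b"\x11" * 28),
        Packet(IP_PROTO_UDP, NAT_T_PORT, b"\x12\x34\x56\x78" + b"\x22" * 20),
        Packet(IP_PROTO_UDP, NAT_T_PORT, b"\xff"),
        Packet(IP_PROTO_TCP, IPSEC_OVER_TCP_PORT, b"\x00" * 40),
        Packet(IP_PROTO_TCP, 443, b"GET / HTTP/1.1"),
    ]
    # Constructed branch policy: outbound web plus the two IKE/NAT-T UDP ports,
    # but no raw ESP and none of the proprietary ports.
    policy = {(IP_PROTO_TCP, 80), (IP_PROTO_TCP, 443),
              (IP_PROTO_UDP, IKE_PORT), (IP_PROTO_UDP, NAT_T_PORT)}
    return {
        "classes": [classify(p) for p in samples],
        "permitted": permitted_encapsulations(policy),
    }


if __name__ == "__main__":
    print(demo())
```

The requirements table lists UDP 500 for NAT-T as well as UDP 4500, because the IKE exchange begins on port 500 and moves to 4500 only after the peers detect a NAT between them (RFC 3947); the page's requirement that 4500 be open is the part administrators most often miss. With the constructed policy, only NAT-T is workable, which matches the page's statement that the 3002 tries NAT-T first.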
IPSec over UDP
The VPN 3002 supports UDP NAT/Firewall Transparent IPSec.
This technology encapsulates encrypted data traffic within UDP packets to
provide secure connections between a VPN 3002 and a VPN Concentrator through a
device, such as a firewall performing NAT.
The VPN 3002 uses frequent keepalives to ensure the mappings on
the NAT device remain active. The VPN 3002 doesn’t require special configuration
for this feature, but the following minimum requirements must be met.