The Complete Cisco VPN Configuration Guide

by Richard A. Deal

  • ISBN-13: 9781587052040
  • ISBN-10: 1587052040
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2005-12-15
  • Publisher: Cisco Press
List Price: $90.00

Summary

  • Use Cisco concentrators, routers, Cisco PIX and Cisco ASA security appliances, and remote access clients to build a complete VPN solution
  • A complete resource for understanding VPN components and VPN design issues
  • Learn how to employ state-of-the-art VPN connection types and implement complex VPN configurations on Cisco devices, including routers, Cisco PIX and Cisco ASA security appliances, concentrators, and remote access clients
  • Discover troubleshooting tips and techniques from real-world scenarios based on the author's vast field experience
  • Filled with relevant configurations you can use immediately in your own network

With increased use of Internet connectivity and less reliance on private WAN networks, virtual private networks (VPNs) provide a much-needed secure method of transferring critical information. As Cisco Systems® integrates security and access features into routers, firewalls, clients, and concentrators, its solutions become ever more accessible to companies with networks of all sizes.

The Complete Cisco VPN Configuration Guide contains detailed explanations of all Cisco® VPN products, describing how to set up IPsec and Secure Sockets Layer (SSL) connections on any type of Cisco device, including concentrators, clients, routers, or Cisco PIX® and Cisco ASA security appliances. With copious configuration examples and troubleshooting scenarios, it offers clear information on VPN implementation designs.

Part I, "VPNs," introduces the topic of VPNs and discusses today's main technologies, including IPsec. It also spends an entire chapter on SSL VPNs, the newest VPN technology and one that Cisco has placed particular emphasis on since 2003. Part II, "Concentrators," provides detail on today's concentrator products and covers site-to-site and remote-access connection types with attention on IPsec and WebVPN. Part III covers the Cisco VPN Client versions 3.x and 4.x along with the Cisco 3002 Hardware Client. Cisco IOS® routers are the topic of Part IV, covering scalable VPNs with Dynamic Multipoint VPN, router certificate authorities, and router remote access solutions. Part V explains Cisco PIX and Cisco ASA security appliances and their roles in VPN connectivity, including remote access and site-to-site connections. In Part VI, a case study shows how a VPN solution is best implemented in the real world using a variety of Cisco VPN products in a sample network.

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
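As an added illustration (not taken from the book or from this listing) of the router site-to-site configuration that Part IV walks through, here is one end of a minimal Cisco IOS IPsec tunnel: an ISAKMP/IKE Phase 1 policy and pre-shared key, dead peer detection, a Phase 2 transform set, a crypto ACL defining the protected traffic, a static crypto map entry, and activation on the public interface. All addresses, interface names, object names and the key are hypothetical placeholders; the branch router mirrors this with the local and remote networks swapped.

```cisco
! Hypothetical headquarters router, one end of a site-to-site IPsec tunnel.
! Addresses (RFC 5737 ranges), names and the pre-shared key are placeholders.

! ISAKMP/IKE Phase 1: management-connection policy. Both peers must offer
! matching attributes or Phase 1 fails with an IKE policy mismatch.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Device authentication: pre-shared key bound to the remote peer's address.
! no-xauth stops the router from prompting this L2L peer for a user login
! if an Easy VPN server is also configured on the same router.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.2 no-xauth
! Dead peer detection: probe every 10 s, retry every 3 s, tear down stale SAs.
crypto isakmp keepalive 10 3 periodic

! ISAKMP/IKE Phase 2: protect the data connection with ESP (AES-256 + SHA HMAC)
! in tunnel mode.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

! Crypto ACL: the traffic to protect. The peer's ACL must be the mirror image.
ip access-list extended VPN-HQ-TO-BRANCH
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! Static crypto map entry tying peer, transform set and protected traffic together.
crypto map SITE2SITE 10 ipsec-isakmp
 description Tunnel to branch office (hypothetical)
 set peer 203.0.113.2
 set transform-set AES256-SHA
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-HQ-TO-BRANCH

! Activate the crypto map on the Internet-facing interface.
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.1 255.255.255.0
 crypto map SITE2SITE
```

Verify with `show crypto isakmp sa` (Phase 1) and `show crypto ipsec sa` (Phase 2) once interesting traffic crosses the crypto ACL; a Phase 1 SA that never reaches QM_IDLE usually means a policy or key mismatch, and a Phase 2 SA with zero encrypt/decrypt counters usually means the crypto ACLs are not mirror images. Two practitioner caveats: first, configurations of the book's 2005 era typically use 3DES or DES, MD5 or SHA-1, and DH group 2, all of which are now considered weak; `hash sha256` and `group 14` as shown require a 15.x-era IOS release, so on older software choose the strongest options the platform offers and plan an upgrade. Second, store the pre-shared key encrypted (`key config-key password-encrypt` followed by `password encryption aes`) rather than in cleartext in the running configuration, and if an inbound ACL is applied to the uplink, permit UDP 500, UDP 4500 and ESP from the peer so the IKE and IPsec traffic itself is allowed in.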

Author Biography

Richard A. Deal has nearly 20 years of experience in the computing and networking industry, including networking, training, systems administration, and programming. In addition to a bachelor of science degree in mathematics and computer science from Grove City College, Richard holds many certifications from Cisco. Since 1997, Richard has operated his own company, The Deal Group, Inc., located in Orlando, Florida. He also teaches Cisco security courses for Boson Training and writes preparation tests for them.

Table of Contents (each entry is followed by its starting page, with the number of pages the entry spans in parentheses)

Introduction xxxiii
Part I VPNs
3(172)
Overview of VPNs
5(40)
Traffic Issues
5(6)
Eavesdropping Attacks
5(1)
Eavesdropping Tools
6(1)
Eavesdropping Solutions
6(1)
Masquerading Attacks
7(1)
Masquerading Tools
7(1)
Masquerading Solutions
8(1)
Man-in-the-Middle Attacks
8(2)
Man-in-the-Middle Tools
10(1)
Man-in-the-Middle Solutions
10(1)
VPN Definition
11(10)
VPN Description
11(1)
VPN Connection Modes
12(1)
Transport Mode
13(1)
Tunnel Mode
14(2)
VPN Types
16(1)
Site-to-Site VPNs
16(1)
Remote Access VPNs
17(2)
Firewall VPNs
19(1)
User-to-User VPNs
20(1)
VPN Categories
20(1)
Intranet
20(1)
Extranet
20(1)
Internet
21(1)
VPN Components
21(6)
Authentication
21(1)
Device Authentication
22(1)
User Authentication
23(1)
Encapsulation Method
23(1)
Data Encryption
24(1)
Packet Integrity
24(1)
Key Management
24(1)
Non-Repudiation
25(1)
Application and Protocol Support
25(1)
Address Management
26(1)
VPN Designs
27(9)
Connection Types
28(1)
Point-to-Point
28(1)
Fully-Meshed
29(1)
Partially-Meshed
30(1)
VPN Considerations
30(1)
Protected Versus Unprotected Traffic
31(1)
Fragmentation
31(1)
Application Types
32(1)
Traffic Protection
33(1)
Address Translation and Firewalls
33(2)
Redundancy
35(1)
VPN Implementations
36(5)
GRE
37(1)
IPsec
38(1)
PPTP
39(1)
L2TP
39(1)
MPLS
40(1)
SSL
40(1)
VPNs: Choosing a Solution
41(2)
Security
41(1)
Implementation, Management, and Support
42(1)
High Availability
42(1)
Scalability and Flexibility
43(1)
Cost
43(1)
Summary
43(2)
VPN Technologies
45(44)
Keys
45(4)
Key Usage
45(1)
Symmetric Keys
46(1)
Asymmetric Keys
46(1)
Asymmetric Keying and Encryption
47(1)
Asymmetric Keying and Authentication
47(1)
Advantages and Disadvantages of Asymmetric Keying
48(1)
Asymmetric Keying Examples
49(1)
Encryption
49(4)
Encryption Process
50(1)
Encryption Algorithms
50(1)
DES and 3DES Algorithms
51(1)
AES Algorithm
52(1)
Packet Authentication
53(7)
Packet Authentication Implementation
53(2)
MD5 HMAC Function
55(1)
SHA HMAC Function
55(1)
Packet Authentication Uses
55(3)
Packet Authentication Issues
58(1)
Sharing the HMAC Secret Key
58(1)
Sending Data and HMAC Signatures Through Translation Devices
58(1)
Using HMAC Functions in VPN Implementations
59(1)
Key Exchange
60(5)
Key Sharing Dilemma
60(1)
Pre-Share the Key
60(1)
Use an Already Encrypted Connection
60(1)
Encrypt the Key with an Asymmetric Keying Algorithm
61(1)
Diffie-Hellman Algorithm
61(3)
Key Refreshing
64(1)
Limitations of Key Exchange Methods
65(1)
Authentication Methods
65(22)
Man-in-the-Middle Attacks
65(1)
Authentication Solutions
66(1)
Device Authentication
67(1)
Pre-Shared Symmetric Keys
67(1)
Pre-Shared Asymmetric Keys
68(1)
Digital Certificates
69(15)
User Authentication
84(1)
Remote Access and Device Authentication
85(1)
Remote Access and User Authentication
85(2)
Summary
87(2)
IPsec
89(42)
IPsec Standards
89(11)
IETF RFCs
91(1)
RFC 2401
91(1)
RFC 2402
92(1)
RFC 2403
93(1)
RFC 2404
93(1)
RFC 2405
93(1)
RFC 2406
94(1)
RFC 2407
94(1)
RFC 2408
94(1)
RFC 2409
95(1)
RFC 2410
95(1)
RFC 2411
95(1)
IPsec Connections
96(2)
Basic Process of Building Connections
98(2)
ISAKMP/IKE Phase 1
100(16)
The Management Connection
101(1)
Main Mode
101(1)
Aggressive Mode
102(1)
ISAKMP/IKE Transforms
102(2)
Key Exchange Protocol: Diffie-Hellman
104(1)
Device Authentication
104(1)
Remote Access Additional Steps
105(1)
User Authentication with XAUTH
106(1)
IKE Client/Mode Config
107(7)
Reverse Route Injection
114(2)
ISAKMP/IKE Phase 2
116(7)
ISAKMP/IKE Phase 2 Components
116(1)
Phase 2 Security Protocols
117(1)
AH
118(1)
ESP
119(1)
Phase 2 Connection Modes
120(1)
Phase 2 Transforms
121(1)
Data Connections
121(1)
Components of a Data SA
121(1)
How Data SAs Are Negotiated
122(1)
IPsec Traffic and Networks
123(6)
IPsec and Address Translation
124(1)
Address Translation Issues
124(1)
Address Translation Solutions
124(2)
IPsec and Firewalls
126(1)
Allowing IPsec Traffic into Your Network
126(1)
Using Stateful Firewalls
127(1)
Other Issues Using IPsec
128(1)
Dead Peer Detection
128(1)
Initial Contact
128(1)
Summary
129(2)
PPTP and L2TP
131(24)
PPTP
131(13)
PPP Review
133(1)
PPTP Phase 1
133(1)
PPTP Phase 2
133(1)
PPTP Phase 3
134(1)
PPTP Phase 4
134(1)
PPTP Components
134(1)
How PPTP Works
135(1)
Control Connection
136(2)
Tunnel Connection
138(3)
Example PPTP Connection
141(1)
Issues with the Use of PPTP
142(1)
Fragmentation Problems
142(1)
Security Concerns
143(1)
Address Translation Issues
143(1)
L2TP
144(9)
L2TP Overview
145(1)
L2TP Operation
146(1)
IPsec Review
146(1)
Tunnel Types
147(1)
IPsec Tunnel
148(1)
L2TP Control Messages
149(2)
L2TP User Data Tunnel
151(1)
L2TP/IPsec Versus PPTP
151(1)
Protocol Differences
151(1)
PPTP Advantages
152(1)
L2TP/IPsec Advantages
152(1)
Summary
153(2)
SSL VPNs
155(20)
SSL Overview
155(9)
SSL Client Implementations
156(1)
SSL Protection
157(2)
SSL Authentication
159(1)
SSL Encryption
160(1)
SSL Content Control
160(1)
SSL Components
161(1)
SSL Client
161(2)
Gateway
163(1)
When to Use SSL VPNs
164(4)
Advantages of SSL VPNs
165(1)
Disadvantages of SSL VPNs
165(1)
SSL Versus IPsec
166(2)
Cisco WebVPN Solution
168(5)
VPN 3000 Series Concentrators
169(1)
Web VPN Operation
169(1)
Web Access
170(1)
Network Browsing and File Management Access
171(1)
Application Access and Port Forwarding
172(1)
E-mail Client Access
173(1)
Summary
173(2)
Part II Concentrators
175(246)
Concentrator Product Information
177(30)
Concentrator Models
177(5)
3005 Concentrator
178(1)
3015 Concentrator
179(1)
3020 Concentrator
180(1)
3030 Concentrator
181(1)
3060 Concentrator
181(1)
3080 Concentrator
181(1)
Comparison of Concentrator Models
181(1)
Concentrator Modules
182(2)
SEP Modules
183(1)
SEP Operation
183(1)
Concentrator Features
184(5)
Version 3.5 Features
185(1)
Version 3.6 Features
186(1)
Version 4.0 Features
187(1)
Version 4.1 Features
188(1)
Version 4.7 Features
188(1)
Introduction to Accessing a Concentrator
189(16)
Command-Line Interface
190(1)
Bootup Process
190(1)
Initial Configuration
191(2)
CLI Menu Access
193(1)
Password Recovery
193(1)
Graphical User Interface
194(1)
HTTP Access
194(1)
Quick Configuration
195(8)
Main Menu
203(2)
Summary
205(2)
Concentrator Remote Access Connections with IPsec
207(70)
Controlling Remote Access Sessions to the Concentrator
207(22)
Group Configuration
207(1)
Base Group
208(1)
Specific Groups
209(1)
Identity Tab
210(1)
General Tab
211(3)
External Authentication
214(7)
Address Assignment
221(6)
User Configuration
227(1)
Group Setup for Internal Authentication
227(1)
User Setup of Internal Authentication
227(2)
IPsec Remote Access
229(41)
ISAKMP/IKE Phase 1: IKE Proposals
230(1)
IKE Proposal Screen
230(2)
IKE Proposal Components
232(3)
ISAKMP/IKE Phase 1: Device Authentication
235(1)
Pre-Shared Keys
235(1)
Digital Certificates
235(12)
ISAKMP/IKE Phase 1: IPsec Tab
247(1)
Groups IPsec Tab
248(2)
Users IPsec Tab
250(1)
ISAKMP/IKE Phase 1: Mode/Client Config Tab
251(1)
IPsec Tunneling
252(3)
IE Proxy
255(1)
Split Tunneling
256(2)
Split DNS
258(2)
ISAKMP/IKE Phase 1: Client FW Tab
260(1)
Firewall Setting
260(1)
Supported Firewalls
261(1)
Firewall Policies
262(6)
ISAKMP/IKE Phase 2: Data SAs
268(2)
Network Access Control (NAC) for IPsec and L2TP/IPsec Users
270(5)
Global Configuration of NAC for IPsec
270(1)
NAC Global Parameters
270(1)
NAC Exception List
271(1)
Group Configuration of NAC
272(1)
AAA RADIUS Server
272(1)
Group NAC Tab
273(2)
Summary
275(2)
Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
277(46)
PPTP and L2TP Remote Access
277(4)
PPTP and L2TP Group Configuration
278(2)
PPTP Global Configuration
280(1)
L2TP Global Configuration
280(1)
WebVPN Remote Access
281(40)
HTTPS Access
282(1)
HTTPS Properties
282(2)
WebVPN Interface Configuration
284(1)
WebVPN Global Configuration
285(1)
HTTP/HTTPS Proxy
285(1)
Home Page
286(2)
Home Page Logo
288(1)
E-mail Proxy
289(2)
Servers and URLs
291(3)
Port Forwarding
294(3)
Group Configuration
297(1)
WebVPN Tab
298(5)
WebVPN Group Buttons
303(1)
SSL VPN Client (SVC)
304(1)
Installing SVC on the Concentrator
304(1)
Using the SVC Software
305(2)
Non-Administrator Users
307(1)
Cisco Secure Desktop for WebVPN Access
307(1)
Installing the Secure Desktop Software on Your Concentrator
308(1)
Configuring the Secure Desktop Parameters for Windows
308(10)
Configuring the Cache Cleaner for Mac & Linux Systems
318(1)
Configuring Upload/Download Settings
318(1)
Saving Settings and Enabling CSD
319(1)
Using the Secure Desktop Client
320(1)
Summary
321(2)
Concentrator Site-to-Site Connections
323(28)
L2L Connectivity Example
323(2)
ISAKMP/IKE Phase 1 Preparation
325(2)
Existing IKE Policies
326(1)
IKE Policy Screen
326(1)
Adding Site-to-Site Connections
327(17)
Adding L2L Sessions
328(1)
Basic L2L Configuration Parameters
328(3)
Peer Connectivity
331(1)
Device Authentication Information
332(1)
Connection Policies
333(2)
Routing Options
335(6)
Local and Remote Networks
341(1)
Completing L2L Sessions
342(2)
Modifying L2L Sessions
344(1)
Address Translation and L2L Sessions
344(5)
Introducing Concentrator Address Translation Abilities
345(1)
Example Needing L2L Address Translation
346(1)
Creating L2L Address Translation Rules
346(2)
Enabling L2L Address Translation
348(1)
Summary
349(2)
Concentrator Management
351(34)
Bandwidth Management
351(8)
Creating Bandwidth Policies
352(1)
Bandwidth Reservation
353(1)
Bandwidth Policing
354(1)
Activating Bandwidth Policies
355(1)
Bandwidth Policies: Interfaces
355(2)
Bandwidth Policies: Remote Access Sessions
357(1)
Bandwidth Policies: L2L Sessions
358(1)
Routing on the Concentrator
359(7)
Static Routing
359(1)
Default Route
359(1)
Static Routes
360(1)
RIP Routing Protocol
361(2)
OSPF Routing Protocol
363(1)
OSPF: IP Routing Screen
363(1)
OSPF: Interfaces
364(2)
Chassis Redundancy
366(10)
VRRP
366(1)
VRRP Example
366(2)
VRRP Configuration
368(1)
VRRP Configuration Synchronization
369(2)
VCA
371(1)
VCA Operation
371(2)
VCA Configuration
373(3)
VCA Verification
376(1)
Administration Screens
376(7)
Administrator Access
377(1)
Administrator Accounts
377(2)
Access Control Lists
379(1)
Access Settings
379(1)
AAA Servers
379(1)
Management Protocols and Access
380(1)
Concentrator Upgrades
381(1)
File Management
382(1)
Summary
383(2)
Verifying and Troubleshooting Concentrator Connections
385(36)
Concentrator Tools
385(25)
System Status
386(1)
VPN Sessions
387(1)
Session Summary Table
388(1)
LAN-to-LAN Sessions Table
389(2)
Remote Access Sessions Table
391(1)
Management Sessions Table
391(1)
Additional Monitoring > Sessions Screens
392(1)
Event Logs
393(1)
Date and Time for Logging Events
393(1)
Event Classes and Logging Levels
394(10)
Live Event Log
404(2)
Filterable Event Log
406(3)
Monitoring Statistics Screens
409(1)
Troubleshooting Problems
410(9)
ISAKMP/IKE Phase 1 Problems
411(1)
IKE Policy Mismatch
411(2)
Authentication Problems
413(4)
ISAKMP/IKE Phase 2 Problems
417(1)
Mismatched Transform Sets
417(1)
Mismatched Protected Traffic
418(1)
Summary
419(2)
Part III Clients
421(150)
Cisco VPN Software Client
423(74)
Cisco VPN Client Overview
423(12)
Cisco VPN Client Features
424(2)
Cisco VPN Client Installation
426(1)
Before the Installation
426(1)
Installation Process
427(1)
Installation Files
428(7)
Cisco VPN Client Interface
435(3)
Operating Modes
435(2)
Preferences
437(1)
Advanced Mode Toolbar Buttons and Tabs
437(1)
IPsec Connections
438(22)
Creating Connections using Pre-Shared Keys
438(1)
Authentication Tab
439(1)
Transport Tab
439(3)
Backup Servers Tab
442(1)
Dialup Tab
443(1)
Completing the Connection
443(1)
Creating Connections Using Certificates
444(1)
Manually Obtaining a Certificate
444(3)
Using SCEP to Obtain a Certificate
447(1)
Managing Certificates
448(3)
Specifying Certificates in a Connection Profile
451(1)
Other Connection Configuration Options
452(1)
Setting a Connection Profile as the Default
452(1)
Creating a Shortcut for a Connection Profile
453(1)
Connecting to the Easy VPN Server
453(3)
Client Connection Status
456(1)
Statistics
456(2)
Notifications
458(1)
Disconnecting the Connection
459(1)
VPN Client GUI Options
460(8)
Application Launcher
460(1)
Windows Login Properties
460(1)
Automatic Initiation
461(1)
vpnclient.ini File
461(2)
AI Configuration Verification
463(1)
VPN Client GUI and AI
464(1)
AI Usage
464(1)
Stateful Firewall
464(1)
Enabling the Stateful Firewall Feature
465(1)
Verifying the Stateful Firewall Operation
466(2)
Troubleshooting Firewall Connections
468(1)
VPN Client Software Updates
468(6)
Concentrator: Client Updates
468(2)
VPN Client Preparation for Auto-Update of Windows 2000 and XP
470(1)
Web Server Configuration for Auto-Update
470(2)
Concentrator Configuration for Auto-Update
472(1)
Client Update Process
472(1)
Manual Upgrades
472(1)
Automatic Upgrades
473(1)
VPN Client Troubleshooting
474(20)
Log Viewer
475(1)
Formatting of Logging Information
475(2)
Disabling the Logging Feature
477(1)
Searching for Logging Information
477(1)
Clearing Logging Information
478(1)
Authentication Problems
478(1)
ISAKMP/IKE Policy Mismatch Issues
479(1)
Address Assignment Troubleshooting
480(3)
Split Tunneling Problems
483(1)
Connectivity Problems
483(2)
Name Resolution Problems
485(1)
Address Translation Problems
486(1)
Fragmentation Issues
487(1)
Problems that Fragmentation Creates
488(1)
Looking for Fragmentation Problems
489(2)
Fragmentation Solutions
491(2)
Microsoft Network Neighborhood Issues
493(1)
Cannot Log in to a Windows Domain
493(1)
Cannot Ping Network Resources
493(1)
Cannot Browse the Network or Map a Network Drive
494(1)
Summary
494(3)
Windows Software Client
497(36)
Windows Client
497(3)
Understanding Features of the Windows Client
498(1)
Verifying that the Windows Client is Operational
499(1)
Configuring the Windows VPN Client
500(16)
Creating a Security Policy
501(1)
Edit Properties Windows: Rules Tab
502(3)
Edit Properties Windows: General Tab
505(1)
Policy Assignment
506(1)
Requiring the Use of L2TP
506(1)
Creating a Microsoft VPN Connection
507(1)
Initial Connection Setup
507(1)
Connection Properties
508(8)
Configuring the VPN 3000 Concentrator
516(5)
IKE Proposals
516(1)
IPsec SAs
517(1)
Group Configuration
518(2)
Address Management
520(1)
User Configuration
520(1)
Microsoft Client Connections
521(3)
Connecting to a VPN Gateway
521(1)
Verifying the Connection on the PC
522(1)
Verifying the Connection on the Concentrator
523(1)
Troubleshooting VPN Connections
524(7)
Concentrator Troubleshooting Tools
524(1)
Microsoft Client Troubleshooting Tools
525(1)
IP Security Monitor Snap-In
525(1)
IPsecCMD
526(1)
Audit Logging
527(3)
Oakley Logging
530(1)
Summary
531(2)
3002 Hardware Client
533(38)
Overview of the 3002 Hardware Client
533(4)
3002 Features
533(1)
3002 Models
534(1)
Deployment of the 3002
535(1)
Software Client Option
536(1)
Hardware Client Option
536(1)
Initial Access to the 3002
537(11)
Command-Line Interface
538(1)
Graphical User Interface
538(1)
Quick Configuration of the 3002
539(8)
Overview of the Main GUI
547(1)
Authentication and Connection Options
548(8)
Unit Authentication
549(2)
Additional Authentication Options
551(1)
Interactive Unit Authentication
551(1)
Individual User Authentication
551(1)
Configuring the VPN 3000 Concentrator
552(1)
Building the IPsec Tunnel
553(3)
Verifying the Connection
556(1)
Connection Modes
556(8)
Client Mode
557(1)
Network Extension Mode
557(1)
3002 Network Extension Mode Configuration
558(1)
Concentrator Network Extension Mode Configuration
559(1)
Network Extension Mode Verification
559(2)
Routing and Reverse Route Injection
561(1)
Routing Features
562(1)
RRI Configuration
563(1)
Administrative Tasks
564(5)
Accessing the 3002 from its Public Interface
564(1)
Upgrading the 3002
565(1)
Manual Upgrade
565(1)
Auto-Update
566(3)
Summary
569(2)
Part IV IOS Routers
571(236)
Router Product Information
573(8)
Router Deployment Scenarios
573(4)
L2L and Remote Access Connections
573(1)
Special Capabilities of Routers
574(1)
Data Transport
574(1)
Routing Scalability
575(1)
Media Translation
575(1)
Quality of Service
575(2)
Router Product Overview
577(2)
Summary
579(2)
Router ISAKMP/IKE Phase 1 Connectivity
581(62)
IPsec Preparation
581(2)
Gathering Information
581(1)
Allowing IPsec Traffic
582(1)
ISAKMP/IKE Phase 1 Policies
583(4)
Enabling ISAKMP
583(1)
Creating Policies
583(2)
Negotiating Policies with Peers
585(1)
Enabling IKE Dead Peer Detection
586(1)
ISAKMP/IKE Phase 1 Device Authentication
587(31)
ISAKMP/IKE Identity Type
587(1)
Pre-Shared Keys
588(1)
Configuring Pre-shared Keys
588(1)
Protecting Pre-Shared Keys
589(1)
Viewing your Pre-Shared Keys
590(1)
RSA Encrypted Nonces
590(1)
Generating RSA Encrypted Nonces (Key Pairs)
591(1)
Multiple RSA Key Pairs
592(1)
Configuring a Peer's Public Key
593(1)
Removing RSA Keys
594(1)
Digital Certificates and Router Enrollment
595(1)
Enrolling for a Certificate using SCEP
595(8)
Enrolling for a Certificate Manually
603(4)
Autoenrollment for Certificates
607(3)
Certificate Attribute-Based Access Control
610(3)
CRL and Expired Certificate Access Control Lists
613(2)
Importing and Exporting RSA Keys and Certificates
615(3)
Monitoring and Managing Management Connections
618(2)
Viewing ISAKMP/IKE Phase 1 Connections
618(2)
Managing ISAKMP/IKE Phase 1 Connections
620(1)
Routers as Certificate Authorities
620(21)
Step 1: Generating and Exporting RSA Key Information
621(1)
Manual RSA Key Generation for the CA
622(3)
Step 2: Enabling the CA
625(1)
Using Manual RSA Keys
625(3)
Using Auto-Archiving
628(1)
Step 3: Defining Additional CA Parameters
629(2)
Step 4: Handling Enrollment Requests
631(1)
Viewing Enrollment Requests
632(1)
Removing Requests from the Enrollment Database
633(1)
Granting Enrollment Requests
633(1)
Rejecting Certificate Requests
634(1)
Controlling Certificate Requests with Passwords
634(1)
Manually Entering a Certificate Enrollment
634(1)
Step 5: Revoking Identity Certificates
635(1)
Step 6: Configuring a Server to Run in RA Mode
636(1)
RA Configuration and Operation
636(1)
Example of Setting Up an RA
637(1)
Step 7: Backing up a CA
638(1)
Step 8: Restoring a CA
639(1)
Step 9: Removing CA Services
640(1)
Summary
641(2)
Router Site-to-Site Connections
643(88)
ISAKMP/IKE Phase 2 Configuration
643(23)
Defining Protected Traffic: Crypto ACLs
644(1)
Defining Protection Methods: Transform Sets
645(2)
Building a Static Crypto Map Entry
647(1)
Crypto Map Entries
648(1)
Using ISAKMP/IKE
648(2)
Not Using ISAKMP/IKE
650(2)
Activating a Crypto Map
652(1)
Viewing a Crypto Map
652(1)
Configuring an Example Using Static Map Entries
653(2)
Building Dynamic Crypto Maps
655(1)
Creating a Dynamic Crypto Map
656(1)
Using a Dynamic Crypto Map
657(1)
Configuring an Example Using a Dynamic Crypto Map
658(2)
Configuring Tunnel Endpoint Discovery with Dynamic Crypto Maps
660(4)
Distinguished Name-Based Crypto Maps
664(1)
Setting Up DN-Based Crypto Maps
664(1)
Illustrating the Use of DN-Based Crypto Maps
665(1)
Viewing and Managing Connections
666(2)
Viewing IPsec Data SAs
667(1)
Managing IPsec Data SAs
668(1)
Issues with Site-to-Site Connections
668(61)
Migration to an IPsec-Based Design
669(1)
IPsec Passive Mode Process
669(1)
IPsec Passive Mode Configuration
670(1)
Filtering of IPsec Traffic
670(1)
CACCTP Feature
671(1)
CACCTP Configuration
671(1)
Example Configuring CACCTP
672(1)
Address Translation and Stateful Firewalls
673(1)
NAT Transparency
673(1)
ESP Through NAT
674(3)
Non-Unicast Traffic
677(1)
GRE Tunneling Overview
677(1)
GRE Tunnel Configuration
678(1)
GRE Tunnel and OSPF Example Protected with IPsec
679(4)
Configuration Simplification
683(1)
IPsec Profiles
683(1)
IPsec Virtual Tunnel Interfaces
684(3)
IPsec Redundancy
687(1)
HSRP with RRI
687(6)
Stateful Failover for IPsec
693(12)
L2L Scalability
705(1)
DMVPN Overview
706(1)
A Network Not Using DMVPN
707(3)
DMVPN Configuration
710(4)
A Network Using DMVPN on Hubs and Spokes
714(5)
DMVPN and Hub Redundancy
719(10)
Summary
729(2)
Router Remote Access Connections
731(42)
Easy VPN Server
731(15)
Easy VPN Server Configuration
732(1)
Defining AAA
733(1)
Creating Groups
734(4)
Implementing Call Admission Control for IKE
738(2)
Creating a Dynamic Crypto Map Entry
740(1)
Creating a Static Crypto Map and XAUTH
741(1)
VPN Group Monitoring
742(1)
Easy VPN Server Configuration Example
743(3)
Easy VPN Remote
746(9)
Easy VPN Remote Connection Modes
746(2)
Easy VPN Remote Configuration
748(1)
Step 1: Configure a DHCP Server Pool
749(1)
Step 2: Set up the Easy VPN Remote Configuration
749(1)
Step 3: Connect to the Easy VPN Server
750(1)
Step 4: Configure User Authentication
751(1)
Step 5: Verify the Easy VPN Remote Configuration
752(1)
Easy VPN Remote Configuration Example
753(2)
IPsec Remote Access and L2L Sessions on the Same Router
755(6)
Central Office Router Configuration
756(1)
Keyrings
756(1)
L2L ISAKMP/IKE Profiles
756(1)
Remote Access ISAKMP/IKE Profiles
757(1)
Dynamic Crypto Maps and Profiles
758(1)
Remote Access and L2L Example Configuration
759(2)
WebVPN
761(10)
WebVPN Setup
762(1)
Step 1: Configuring Prerequisites
762(3)
Step 2: Configuring WebVPN
765(2)
Step 3: Creating URL and Port Forwarding Entries for the Home Page
767(1)
Step 4: Maintaining, Monitoring, and Troubleshooting WebVPN Connections
768(1)
WebVPN Configuration Example
769(2)
Summary
771(2)
Troubleshooting Router Connections
773(34)
ISAKMP/IKE Phase 1 Connections
773(15)
Overview of the Phase 1 Commands
774(1)
The show crypto isakmp sa Command
774(1)
The debug crypto isakmp Command
775(1)
L2L Sessions
775(6)
Remote Access Sessions
781(4)
The debug crypto pki Command
785(1)
The debug crypto engine Command
786(2)
ISAKMP/IKE Phase 2 Connections
788(6)
Overview of the Phase 2 Commands
788(1)
The show crypto engine connection active Command
788(1)
The show crypto ipsec sa Command
789(1)
The debug crypto ipsec Command
790(2)
Mismatched Data Transforms
792(1)
Mismatched Crypto ACLs
792(1)
Incorrect Peer Address
793(1)
Matching on the Incorrect Crypto Map Entry
793(1)
New IPsec Troubleshooting Features
794(4)
IPsec VPN Monitoring Feature
794(1)
Configuring IKE Peer Descriptions
795(1)
Seeing Peer Descriptions in show Commands
795(1)
Clearing Crypto Sessions
796(1)
Invalid Security Parameter Index Recovery Feature
797(1)
Invalid SPI Condition and the Invalid SPI Recovery Feature
797(1)
Invalid SPI Recovery Configuration
797(1)
Fragmentation Problems
798(7)
Issues with Fragmentation
799(2)
Fragmentation Discovery
801(1)
Solutions to Fragmentation Issues
801(1)
Static MTU Setting
802(1)
TCP Maximum Segment Size (MSS)
803(1)
Path MTU Discovery (PMTUD)
803(2)
Summary
805(2)
Part V PIX Firewalls
807(104)
PIX and ASA Product Information
809(8)
PIX Deployment Scenarios
809(2)
L2L and Remote Access Connections
809(1)
Special Capabilities of PIXs and ASAs
810(1)
Address Translation
810(1)
Stateful Firewall Services
810(1)
Redundancy
811(1)
PIX and ASA Feature and Product Overview
811(4)
PIX and ASA VPN Features
812(1)
PIX Models
813(1)
ASA Models
814(1)
Summary
815(2)
PIX and ASA Site-to-Site Connections
817(30)
ISAKMP/IKE Phase 1 Management Connection
817(16)
Allowing IPsec Traffic
818(1)
Using ACLs to Allow IPsec Traffic
818(1)
Using ACL Bypassing to Allow IPsec Traffic
819(1)
Transmitting IPsec Traffic Between Multiple Interfaces with the Same Security Level
820(1)
Setting Up ISAKMP
820(1)
Address Translation Issues
821(1)
Disconnect Notifications
821(1)
Main Mode Restriction
822(1)
Configuring Management Connection Policies
822(1)
Configuring Device Authentication
823(1)
Device Identity Type
823(1)
Pre-Shared Key Authentication
824(1)
Certificate Authentication (CA)
824(9)
ISAKMP/IKE Phase 2 Data Connections
833(7)
Specifying Traffic to Protect
834(1)
Defining How to Protect Traffic
834(1)
Building Crypto Maps
835(1)
Static Crypto Maps
835(3)
Dynamic Crypto Maps
838(1)
Activating a Crypto Map
839(1)
Data Connection Management Commands
839(1)
L2L Connection Examples
840(5)
FOS 6.3 L2L Example
841(2)
FOS 7.0 L2L Example
843(2)
Summary
845(2)
PIX and ASA Remote Access Connections
847(40)
Easy VPN Server Support for 6.x
847(9)
Easy VPN Server Configuration for 6.x
847(1)
Address Pool Configuration for 6.x
848(1)
Group Configuration for 6.x
849(2)
XAUTH User Authentication Configuration for 6.x
851(2)
IKE Mode Config Activation for 6.x
853(1)
Easy VPN Server Example for 6.x
853(3)
Easy VPN Remote Support for 6.x
856(6)
6.x Easy VPN Remote Configuration
857(1)
Using Certificates for Remote Access
858(1)
Verifying Your 6.x Remote Configuration and Connection
859(2)
6.x Easy VPN Remote Example Configuration
861(1)
Easy VPN Server Support for 7.0
862(23)
Understanding Tunnel Groups
863(1)
Defining Group Policies
864(1)
Group Policy Locations
864(1)
Default Group Policies
864(2)
Default and Specific Group Policy Attribute Configuration
866(5)
Creating Tunnel Groups
871(1)
Remote Access Tunnel Group General Properties
871(2)
Remote Access Tunnel Group IPsec Properties
873(2)
L2L Tunnel Groups
875(1)
Creating User Accounts for XAUTH
876(1)
Issues with Remote Access Sessions and Solutions in 7.0
877(1)
Simultaneously Supporting Remote Access and L2L Sessions
877(3)
Using More than One Server to Handle Remote Access Sessions
880(3)
Restricting the Total Number of VPN Sessions
883(1)
Illustrating an Easy VPN Server Configuration Example for 7.0
883(2)
Summary
885(2)
Troubleshooting PIX and ASA Connections
887(24)
ISAKMP/IKE Phase 1 Connections
887(14)
Overview of the Phase 1 Commands
887(1)
The show isakmp sa Command
888(1)
The debug crypto isakmp Command
889(1)
L2L Sessions
890(5)
Remote Access Sessions
895(4)
The debug crypto vpnclient Command
899(2)
ISAKMP/IKE Phase 2 Connections
901(8)
Overview of the Phase 2 Commands
901(1)
The show crypto ipsec sa Command
902(2)
The debug crypto ipsec Command
904(2)
Mismatched Data Transforms
906(1)
Mismatched Crypto ACLs
906(1)
Matching on the Incorrect Crypto Map Entry
907(2)
Summary
909(2)
Part VI Case Study
911(44)
Case Study
913(42)
Company Profile
913(7)
Corporate Office
914(1)
Authentication Devices
914(2)
Perimeter Routers
916(1)
DMZ2 Concentrators
916(1)
Perimeter Firewalls
917(1)
Campus Concentrators
918(1)
Regional Offices
918(1)
Branch Offices
919(1)
Remote Access Users
919(1)
Case Study Configuration
920(32)
Perimeter Router Configuration
920(1)
Basic VPN Configurations on the Routers
920(4)
Corporate Office Router Configurations
924(2)
Regional Office Router Configuration
926(2)
Internet Remote Access Configuration
928(1)
DMZ2 Concentrators
928(11)
Branch Office 3002 Hardware Clients
939(2)
Remote Access User Configuration
941(1)
Main Campus Wireless Configuration
942(1)
Wireless Concentrators
943(8)
Wireless User Configuration
951(1)
Summary
952(3)
Index 955
