
CCIE Security: VPN

Concentrator 3000 Series

WRITTEN BY:

ASHWIN KOHLI

CCIE # 8877

SUNIL SETHI

CISCO QUALIFIED SPECIALIST (SECURITY)


CCSP
CCIE Practice Lab: VPN Concentrator 3000 Series
Ashwin Kohli, CCIE #8877
Copyright © 2005 Netcg, Inc.
Published by:
Network Learning Inc.
1997 Whitney Mesa Dr.
Henderson, LV 89014 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or by any information storage and retrieval system, without
written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America

Warning and Disclaimer


This book contains a practice lab and step-by-step instructions on how to complete the practice lab. Every effort has
been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The author, Netcg, Inc. shall have neither liability nor responsibility
to any person or entity with respect to any loss or damages arising from the information contained in this book.

The opinions expressed in this book belong to the authors and are not necessarily those of Network Learning Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Netcg, Inc. or Network Learning, Inc. cannot attest to the accuracy of this information. Use of a term
in this book should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information
At Network Learning Inc., our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members
from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at
sales@ccbootcamp.com. Please make sure to include the book title in your message.

We greatly appreciate the assistance.


ABOUT THE AUTHOR

ASHWIN KOHLI is a dual CCIE #8877 (Routing/Switching and Security). He
is currently a Global Architect for one of the top three financial companies, and is
responsible for architecting enterprise solutions. He has worked at many of the top financial
companies over the last 10 years. Ashwin also holds the CCNP®, CCDP® and a BSc in
Computer Science & Accounting from Manchester University, United Kingdom. He has
more than 10 years' experience in Cisco® networking and security, including planning,
designing, implementing, and troubleshooting enterprise multi-protocol networks. Ashwin
also writes Cisco® training material for Network Learning, Inc.

SUNIL SETHI is a Cisco Qualified Specialist in Cisco Security and is currently working on his
CCIE Security lab exam. He works as a Sr. Network Security Consultant and is
responsible for designing, implementing, monitoring and training field engineers on Cisco
security products in the Washington DC area. Sunil also holds the CCNP®, CCDP® and has
passed the CCIE Security written exam. He has more than 8 years' experience in Cisco®
networking and security.

TABLE OF CONTENTS

VPN CONCENTRATOR SERIES 3000 HANDS-ON
LAB 1 - SETUP
LAB 2 - ROUTING ON VPN 3000 STATIC ROUTING ........................................................ 5
LAB 3 - CONFIGURE RIP AND OSPF ON VPN CONCENTRATOR DYNAMIC ROUTING ..................... 7
LAB 4 - ACCESSING VPN3000 FROM THE INTERNET USING HTTP, HTTPS, SSH
LAB 5 - CONFIGURE VPN 3000 FOR REMOTE ACCESS USING PRESHARED KEYS
LAB 6 - CONFIGURING IPSEC OVER TCP ON A CISCO VPN 3000 CONCENTRATOR
LAB 7 - CONFIGURING SPLIT DNS
LAB 8 - CONFIGURING CISCO VPN CLIENT AND THE CISCO INTEGRATED CLIENT TO SECURE NONENCRYPTED TRAFFIC WHILE USING SPLIT TUNNELING
LAB 9 - PPTP CLIENT CONFIGURATION TO VPN3000 LOCAL AUTHENTICATION
LAB 10 - ROUTER TO VPN 3000 TUNNEL
LAB 11 - CONFIGURING NAT TRANSPARENT MODE FOR IPSEC ON THE VPN 3000 CONCENTRATOR ........ 11
LAB 12 - CONFIGURING LAN-TO-LAN TUNNELS ON A VPN 3000 CONCENTRATOR WITH A CISCO IOS ROUTER CONFIGURED FOR DHCP
LAB 13 - CONCENTRATOR TO CISCO VPN 3000 CONCENTRATOR TO THE PIX FIREWALL
LAB 14 - RADIUS AUTHENTICATION FOR IPSEC CLIENT VERSION 4.X
LAB 15 - CONFIGURING THE CISCO VPN 3000 CONCENTRATOR 4.1 TO GET A DIGITAL CERTIFICATE USING SCEP FROM MICROSOFT CERTIFICATE SERVER NETWORK BASED ENROLLMENT (AUTOMATED)
LAB 16 - CONFIGURING THE VPN CLIENT 4.X TO GET A DIGITAL CERTIFICATE .............................. 13
LAB 17 - CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE
LAB 18 - CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE ROUTER USING NAT ............ 14
VPN Concentrator 3000 Series: Sample Document

CLICK ADD TO DEFINE NEW USER

CLICK ON GENERAL TAB TO DEFINE USER SETTINGS



CLICK ON IPSEC SETTINGS TO DEFINE USER IPSEC SA

IF USERS WILL BE USING PPTP CLICK ON PPTP/L2TP TAB



LAB 2
ROUTING ON VPN 3000 STATIC ROUTING

Click Add to insert another static route

Adding a route to network 192.168.1.0/24 that points to the perimeter router. If your VPN Concentrator is itself
the gateway, check the Interface option below Router instead.

Configure a Default Route



LAB 3
CONFIGURE RIP AND OSPF ON VPN CONCENTRATOR DYNAMIC ROUTING

VPN CONCENTRATOR SERIES 3000 SUPPORTS RIP AND OSPF

RIP ROUTING ON CONCENTRATOR

Routing configuration is interface based. To configure routing using RIP or OSPF, open the interface
configuration under the Configuration option. Click on Private Interface.

Click on RIP tab


The capture above shows RIP v2 being sent out of the interface and RIP v1/v2 being accepted for inbound traffic.

ROUTER R1

interface Loopback1
 ip address 11.11.11.11 255.255.255.0
!
interface Loopback2
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.0.1.10 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 0
!
router rip
 version 2
 network 10.0.0.0
 network 11.0.0.0
 no auto-summary
!

r1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.1.100        0   FULL/DROTHER    00:00:38    10.0.1.100      Ethernet0/0
r1#

Step 5. Define IP allocation method

Step 6. Define the server type once user is authenticated.



LAB 11
CONFIGURING NAT TRANSPARENT MODE FOR IPSEC ON THE VPN 3000 CONCENTRATOR

Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single
routable (public) address; this is also known as Port Address Translation (PAT). The association is
implemented at the port level. The PAT solution creates a problem for IPSec traffic that does not use any
ports.

ENCAPSULATING SECURITY PAYLOAD

Protocol 50 (Encapsulating Security Payload [ESP]) carries the encrypted/encapsulated packets of IPSec.
Most PAT devices do not work with ESP since they have been programmed to work only with
Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message
Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs).
The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP
and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is
IPSec through NAT. A newer protocol, NAT-T, which is an IETF standard (still in the DRAFT stage as of the
writing of this article), also encapsulates IPSec packets in UDP, but it works on port 4500. That port is not
configurable.

HOW DOES NAT TRANSPARENT MODE WORK?

Activating IPSec transparent mode on the VPN Concentrator creates non-visible filter rules and applies
them to the public filter. The configured port number is then passed to the VPN Client transparently when
the VPN Client connects. On the inbound side, UDP inbound traffic from that port passes directly to IPSec
for processing. Traffic is decrypted and decapsulated, and then routed normally. On the outbound side
IPSec encrypts, encapsulates and then applies a UDP header (if so configured). The runtime filter rules are
deactivated and deleted from the appropriate filter under three conditions: when IPSec over UDP is
disabled for a group, when the group is deleted, or when the last active IPSec over UDP SA on that port is
deleted. Keepalives are sent to prevent a NAT device from closing the port mapping due to inactivity.

If IPSec over NAT-T is enabled on the VPN Concentrator, then the VPN Concentrator/VPN Client uses
the NAT-T mode of UDP encapsulation. NAT-T works by auto-detecting any NAT device between the VPN
Client and VPN Concentrator during IKE negotiation. You must ensure that UDP port 4500 is not blocked
between the VPN Concentrator and VPN Client for NAT-T to work. Also, if you are using a previous
IPSec/UDP configuration that is already using that port, you must reconfigure that earlier IPSec/UDP
configuration to use a different UDP port. Since NAT-T is an IETF draft, it helps when using multivendor
devices if the other vendor implements this standard.

NAT-T works with both VPN Client connections and LAN-to-LAN connections unlike IPSec over
UDP/TCP. Also, Cisco IOS® routers and the PIX firewall devices support NAT-T. You do not need IPSec
over UDP to be enabled to have NAT-T working.
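As an added example (not part of the lab text), the following Python models why raw ESP fails behind PAT while UDP encapsulation works: it builds constructed IPv4 packets as they appear on the public side of the PAT device, classifies them as raw ESP, NAT-T (UDP 4500) or IPSec over UDP (the group port, default 10000), and derives the only key a PAT device has for matching return traffic to an inside host. Addresses, ports and SPIs are constructed values; the 4-zero-byte non-ESP marker on port 4500 comes from the NAT-T specification, not from the lab text.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
NAT_T_PORT = 4500        # NAT-T port, fixed (stated in the lab text)
IPSEC_UDP_PORT = 10000   # VPN 3000 default "IPSec through NAT" port (per group)

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def esp_packet(src: str, dst: str, spi: int) -> bytes:
    # Raw ESP (protocol 50): SPI, sequence number, then ciphertext (constructed).
    return build_ipv4(ESP_PROTO, src, dst, struct.pack("!II", spi, 1) + b"\x00" * 16)

def udp_esp_packet(src: str, dst: str, sport: int, dport: int, spi: int) -> bytes:
    # ESP carried inside UDP: 8-byte UDP header, then the same ESP header.
    esp = struct.pack("!II", spi, 1) + b"\x00" * 16
    udp = struct.pack("!HHHH", sport, dport, 8 + len(esp), 0)
    return build_ipv4(UDP_PROTO, src, dst, udp + esp)

def classify(pkt: bytes, group_udp_port: int = IPSEC_UDP_PORT) -> dict:
    """Identify raw ESP vs UDP-encapsulated ESP and derive the return-path key
    a PAT device can use to pick the inside host (no SPI tracking assumed)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == ESP_PROTO:
        spi = struct.unpack("!I", payload[:4])[0]
        # No ports at all: only the protocol number is left for the PAT box.
        return {"kind": "esp", "spi": spi, "pat_key": ("esp",)}
    if proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        if dport == NAT_T_PORT and payload[8:12] == b"\x00\x00\x00\x00":
            # Non-ESP marker: IKE on 4500 rather than an ESP packet (NAT-T spec).
            return {"kind": "nat-t-ike", "spi": None, "pat_key": ("udp", sport)}
        if dport in (NAT_T_PORT, group_udp_port):
            spi = struct.unpack("!I", payload[8:12])[0]
            mode = "nat-t" if dport == NAT_T_PORT else "ipsec-over-udp"
            # The translated UDP source port is what the PAT box keys on.
            return {"kind": mode, "spi": spi, "pat_key": ("udp", sport)}
    return {"kind": "other", "spi": None, "pat_key": None}

def pat_can_demux(packets, group_udp_port: int = IPSEC_UDP_PORT) -> bool:
    """True only if every tunnel leaving the PAT device has a distinct key."""
    keys = [classify(p, group_udp_port)["pat_key"] for p in packets]
    return len(keys) == len(set(keys))
```

Two inside clients sharing one public address produce the same ("esp",) key with raw ESP, so the PAT device cannot return traffic correctly; with UDP encapsulation each client gets its own translated port and the keys differ.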

Use the following procedure to configure NAT transparent mode on the VPN Concentrator.

Note: IPSec over UDP is configured on a per group basis, while IPSec over TCP/ NAT-T is configured
globally.

1. Configure IPSec over UDP:


On the VPN Concentrator, select Configuration > User Management > Groups.

a. To add a group, select Add. To modify an existing group, select it and click Modify.
b. Click the IPSec tab, check IPSec through NAT and configure the IPSec through NAT
UDP Port.
c. The default port for IPSec through NAT is 10000 (source and destination), but this setting
may be changed.

2. Configure IPSec over NAT-T and/or IPSec over TCP:

a. On the VPN Concentrator select Configuration > System > Tunneling Protocols > IPSec >
NAT Transparency.
b. Check the IPSec over NAT-T and/or TCP check box.

If everything is enabled, this precedence applies:

1. IPSec over TCP.
2. IPSec over NAT-T.
3. IPSec over UDP.

CISCO VPN CLIENT CONFIGURATION TO USE NAT TRANSPARENCY

To use IPSec over UDP or NAT-T you need to enable IPSec over UDP on Cisco VPN Client 3.6 and later.
The UDP port is assigned by the VPN Concentrator in case of IPSec over UDP, while for NAT-T it is fixed
to UDP port 4500.

To use IPSec over TCP, you need to enable it on the VPN Client and configure the port that should be used
manually.

LAB 16
CONFIGURING THE VPN CLIENT 4.X TO GET A DIGITAL CERTIFICATE

VPN 3000 CONFIGURATION

Step 1. Check the active IKE proposal list. For client-to-LAN with a digital certificate to work, the
concentrator requires an RSA IKE proposal.

Step 2. Check the IKE proposal

Step 3. Modify or add an SA

Step 4. Configure Cisco VPN client versions 4.x



LAB 18
CONFIGURING THE LAN-TO-LAN VPN WITH DIGITAL CERTIFICATE ROUTER USING NAT

The VPN 3000 configuration is the same as in the previous lab, with one more step: enable NAT-T.
