Danilo Dy Thu, 03/06/2008 - 03:17

Hi,

There are multiple types of VPN.

- Site-to-Site VPN
- Remote Access VPN
- SSL VPN

There are multiple devices that support VPN as well:

- Cisco Router
- Cisco PIX/ASA Firewall
- Cisco VPN Concentrator

There are also multiple encryption options:

- SSL
- DES
- AES

Which of the above?

Cisco IOS (Router) Site-To-Site VPN configuration
http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html

Cisco ASA/PIX Site-to-Site VPN Configuration
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html

Regards,

Dandy

sham_chennala Thu, 03/06/2008 - 04:43

Hi,

Can you send the configuration for a site-to-site IPsec VPN?

Regards,

Sham.



farzadcheema Thu, 03/06/2008 - 07:02

Virtual Private Networks Tutorial

Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.

In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.

In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client's point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.

Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.

VPN Tunneling Protocols

Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.



Configuring PIX Firewall 1 with VPN Tunneling

Follow these steps to configure PIX Firewall 1:

Step 1 Define a host name:

hostname NewYork

Step 2 Configure an ISAKMP policy:

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt des

Step 3 Configure a pre-shared key and associate it with the peer:

crypto isakmp key cisco1234 address 209.165.200.229

Step 4 Configure the supported IPSec transforms:

crypto ipsec transform-set strong esp-des esp-sha-hmac

Step 5 Create an access list:

access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.

Note: Steps 5 and 6 are not required if you want to enable NAT for all traffic.

Step 6 Exclude traffic between the intranets from NAT:

nat 0 access-list 90

This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

Step 7 Enable NAT for all other traffic:

nat (inside) 1 0 0

Step 8 Assign a pool of global addresses for NAT and PAT:

global (outside) 1 209.165.202.129-209.165.202.159
global (outside) 1 209.165.202.160

The pool of registered addresses is only used for connections to the public Internet.

Step 9 Define a crypto map:

crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229

Step 10 Apply the crypto map to the outside interface:

crypto map toSanJose interface outside

Step 11 Specify that IPSec traffic be implicitly trusted (permitted):

sysopt connection permit-ipsec
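The eleven steps above only work when the pieces agree with each other: the crypto map's match address must name the access list from Step 5, that access list should also be the one exempted by nat 0 in Step 6 (unless you deliberately skip the exemption, as the note says), the transform set and peer must exist, and the map must sit on an interface where ISAKMP is enabled. The following checker, an added example that is not part of the thread and not Cisco code, parses exactly the command forms used in the walkthrough and reports those mismatches, plus use of DES, which the walkthrough uses but which is weak by today's standards. Both sample configurations are constructed for the example (the second with deliberate mistakes).

```python
"""PIX-style site-to-site IPsec consistency checks (added example, not from the thread
or from Cisco). Parses the command forms of the NewYork walkthrough above; both sample
configurations below are constructed."""
from collections import defaultdict

# Constructed sample: the crypto-relevant lines of the NewYork walkthrough above.
NEWYORK_CONFIG = """\
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt des
crypto isakmp key cisco1234 address 209.165.200.229
crypto ipsec transform-set strong esp-des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface outside
sysopt connection permit-ipsec
"""

# Constructed sample with deliberate mistakes: ACL number typo, no pre-shared key
# for the peer, map applied where ISAKMP is not enabled, no sysopt permit-ipsec.
BROKEN_CONFIG = """\
isakmp enable outside
isakmp policy 9 encrypt aes
crypto ipsec transform-set strong esp-aes esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 91
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface inside
"""

# DES (56-bit key) and 3DES (64-bit block) are weak by today's standards.
WEAK_CIPHERS = {"des", "esp-des", "3des", "esp-3des"}

def parse_config(text):
    """Collect the state a crypto map entry must agree with."""
    cfg = {"acls": set(), "transform_sets": {}, "peer_keys": set(), "nat0_acls": set(),
           "isakmp_ifaces": set(), "isakmp_encrypt": {}, "maps": defaultdict(dict),
           "map_iface": {}, "permit_ipsec": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif "isakmp" in t[:2] and "key" in t[:3] and "address" in t:  # isakmp key / crypto isakmp key
            cfg["peer_keys"].add(t[t.index("address") + 1])
        elif t[0] == "nat" and "0" in t[1:3] and "access-list" in t:  # nat 0 / nat (inside) 0
            cfg["nat0_acls"].add(t[t.index("access-list") + 1])
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_ifaces"].add(t[2])
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5 and t[3] == "encrypt":
            cfg["isakmp_encrypt"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            if t[3] == "interface":
                cfg["map_iface"][t[2]] = t[4]
            else:  # creates the (name, seq) entry even for the bare 'ipsec-isakmp' line
                entry, rest = cfg["maps"][(t[2], t[3])], t[4:]
                if rest[:2] == ["match", "address"]:
                    entry["acl"] = rest[2]
                elif rest[:2] == ["set", "transform-set"]:
                    entry["transform"] = rest[2]
                elif rest[:2] == ["set", "peer"]:
                    entry["peer"] = rest[2]
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
    return cfg

def check_config(text):
    """Return human-readable findings; an empty list means the map is consistent."""
    cfg, out = parse_config(text), []
    for (name, seq), e in sorted(cfg["maps"].items()):
        label = f"crypto map {name} {seq}"
        acl, ts, peer = e.get("acl"), e.get("transform"), e.get("peer")
        if acl not in cfg["acls"]:
            out.append(f"{label}: match address {acl} does not name a defined access-list")
        elif acl not in cfg["nat0_acls"]:
            out.append(f"{label}: access-list {acl} lacks a nat 0 exemption (inside addresses are translated before the crypto ACL can match)")
        if ts not in cfg["transform_sets"]:
            out.append(f"{label}: transform-set {ts} is not defined")
        else:
            out.extend(f"{label}: transform-set {ts} uses weak cipher {a}"
                       for a in cfg["transform_sets"][ts] if a in WEAK_CIPHERS)
        if peer not in cfg["peer_keys"]:
            out.append(f"{label}: no pre-shared key configured for peer {peer}")
        iface = cfg["map_iface"].get(name)
        if iface not in cfg["isakmp_ifaces"]:
            out.append(f"crypto map {name}: applied to interface {iface}, where ISAKMP is not enabled")
    out.extend(f"isakmp policy {p}: weak encryption {c}"
               for p, c in sorted(cfg["isakmp_encrypt"].items()) if c in WEAK_CIPHERS)
    if not cfg["permit_ipsec"]:
        out.append("sysopt connection permit-ipsec not set: decrypted tunnel traffic is still subject to the interface access lists")
    return out
```

Run `check_config(NEWYORK_CONFIG)` to see that the walkthrough's own configuration is internally consistent and is flagged only for DES (in the ISAKMP policy and in the esp-des transform); `check_config(BROKEN_CONFIG)` shows the four mistakes the second sample was built with. The nat 0 finding is advisory: the walkthrough's note says it can be omitted on purpose, but in practice a forgotten exemption is the most common reason a tunnel negotiates fine yet carries no traffic.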


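The tutorial at the top of this post says packets "are encapsulated within Internet Protocol (IP) packets" and that VPN protocols add authentication; the site-to-site walkthrough then makes 192.168.12.0/24 and 10.0.0.0/8 the protected networks behind two gateways. The following added example (mine, not from the thread or from any VPN product) models that framing in working code: the inner packet carries the private addresses, the outer IPv4 header carries only the tunnel endpoints, and an HMAC tag lets the receiver reject a modified packet before it ever looks at the inner header. The trailing-tag format, the key, and the address 203.0.113.1 (standing in for the NewYork outside address, which the thread does not give) are constructed for the example; 209.165.200.229 is the page's peer. There is no encryption here, so it demonstrates encapsulation and integrity only, not confidentiality.

```python
"""Tunnel encapsulation model (added example, not from the thread or any VPN product).
Shows what "packets are encapsulated within IP packets" means: the inner packet keeps the
private addresses, the outer header carries the tunnel endpoints, and an HMAC tag gives
the receiver an integrity check. Format and addresses are constructed; no encryption."""
import hashlib, hmac, struct, ipaddress

PROTO_IPIP = 4   # IANA protocol number for IP-in-IP; the trailing tag is our own addition
TAG_LEN = 12     # 96-bit truncated HMAC-SHA-1, the tag size esp-sha-hmac uses
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
HDR = "!BBHHHBBH4s4s"  # IPv4 header: ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst

def ipv4_checksum(header):
    """Internet checksum; over a header with its checksum filled in it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet without options; checksum computed over the 20-byte header."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields) + payload

def parse_ipv4(pkt):
    """Validate version, IHL, length and checksum, then return the decoded fields."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}

def encapsulate(inner, tunnel_src, tunnel_dst, key=DEMO_KEY):
    """Gateway side: tag the inner packet and wrap it in an outer header addressed to the peer."""
    tag = hmac.new(key, inner, hashlib.sha1).digest()[:TAG_LEN]
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_IPIP, inner + tag)

def decapsulate(outer, key=DEMO_KEY):
    """Peer side: verify the tag before parsing anything inside the tunnel payload."""
    o = parse_ipv4(outer)
    if o["proto"] != PROTO_IPIP:
        raise ValueError("not a tunnel packet")
    body = o["payload"]
    if len(body) < 20 + TAG_LEN:
        raise ValueError("tunnel payload too short")
    inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha1).digest()[:TAG_LEN]):
        raise ValueError("integrity check failed")
    return parse_ipv4(inner)

def tamper_detected(outer, offset):
    """True if flipping one bit at `offset` makes the receiver reject the packet."""
    pkt = bytearray(outer)
    pkt[offset] ^= 0x01
    try:
        decapsulate(bytes(pkt))
        return False
    except ValueError:
        return True

def demo():
    """Constructed addresses: the page's intranets and peer, 203.0.113.1 as the local gateway."""
    inner = build_ipv4("192.168.12.10", "10.1.2.3", 17, b"hello")
    outer = encapsulate(inner, "203.0.113.1", "209.165.200.229")
    return outer, parse_ipv4(outer), decapsulate(outer)
```

`demo()` returns the outer packet alongside its two views: on the wire only 203.0.113.1 and 209.165.200.229 are visible, while the de-encapsulated packet still reads 192.168.12.10 to 10.1.2.3, which is exactly why the crypto access list in the walkthrough is written in terms of the private networks. `tamper_detected(outer, 40)` flips a bit in the inner payload and shows the receiver discarding it on the tag check.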
