ASK THE EXPERT- REMOTE ACCESS VPNs

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Remote Access VPN concerns with Cisco expert Peter Davis. Peter worked for Altiga before it was acquired by Cisco and is now a product manager. Feel free to post any questions relating to Remote Access VPNs.

Peter may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 10. Visit this forum often to view responses to your questions and the questions of other community members.

51 REPLIES
Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Peter, I am trying to find a cost-sensitive solution for a client that already has 2600 routers at multiple sites with dedicated T1 lines... I would like to set up multiple VPN sites using just Cisco routers at each location and one PIX firewall for incoming Internet traffic. Is this even a feasible solution, or do I need to set up a PIX at each location? Your help would be greatly appreciated!!

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Either solution would seem to work. If you are looking to allow direct Internet access in to each of these smaller sites, then you should probably consider additional PIX firewalls (the PIX 506 is now available at a lower price point).

If you're not looking to have any direct Internet access to any of these sites, you should be able to filter everything out except for the site-to-site connection and get away with having only an IOS router.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi, I am trying to customize a VPN between two 2600 routers. I have some questions about the config statements.

1) When we define IPsec on a serial link, can we avoid encrypting some traffic on this link? In other words, can we define IPsec for some TCP ports whereas some of the traffic using the same serial port is not encrypted?

2) What is the alternate solution to pre-shared key authentication?

Thanks in advance,

Best regards, Belgin.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi Belgin,

Regarding your questions...

1) Yes, this is possible - you can choose to encrypt or not encrypt in the same way that you define a standard or extended access list. Whichever traffic is permitted by ACL 101 (for example) would undergo encryption as long as you include the "match address 101" command in the crypto-map statement. This works with named ACLs too.

2) The alternative to a pre-shared key is a digital certificate (X.509) - this would be more suitable if you are planning a PKI architecture, but adds more cost and administrative overhead. You could "test-drive" IPSec digital certificates using the free trial from http://www.verisign.com

hope this helps

Patrick

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi Patrick, thank you for your interest. But I am not sure whether I expressed myself right in my 1st question. For example, I define a "crypto map" statement on serial interface 1/0 to a destination IP address. Does this mean that all traffic going to this address through this interface will be encrypted? Or is there a way to exempt some traffic (based on TCP port numbers) between these two points, making it pass without being encrypted?

I have another question. What is the purpose of defining 2 options (ex. esp-des esp-md5-hmac) in transform-set statement? What are the roles of these 1st and 2nd option?

Thank you,

Regards, Belgin.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi Belgin,

W.R.T your queries,

1) When you define the crypto map, e.g.

crypto map My_Map 20 ipsec-isakmp
 set peer 192.168.4.1
 match address 101
 set transform-set My_Transform_Set

then applying the crypto map to an interface will only encrypt the type of traffic that is permitted by ACL 101 - the rest goes unencrypted.

2) As I understand it, specifying esp-des would indicate that you wish to encrypt the payload, adding esp-md5-hmac would sign the payload too.

You can do one without the other.

I will forward you a useful IPSec PDF which describes the protocol in good detail.

regards

Patrick

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi Patrick - With your example, can I also apply ACL 101 to the interface, and will that ensure that the traffic I want encrypted will also be the only traffic that goes through the interface? So if I want only IP traffic to go through S0, and be encrypted, I'd use this config?

crypto map My_Map 20 ipsec-isakmp
 set peer 192.168.4.1
 match address 101
 set transform-set My_Transform_Set

interface Serial0
 ip access-group 101 out
 crypto map My_Map

access-list 101 permit ip host xxx.xxx.xxx host xxx.xxx.xxx

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Hi Jim,

To be honest, I've never tried this. If it causes problems then I suppose there's nothing to stop you defining separate ACLs to control what traffic is permitted, and what [permitted] traffic is encrypted.

rgds

Patrick
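The "separate ACLs" approach Patrick describes, written out as an added IOS configuration example (not part of this thread, and not Cisco's documentation): one ACL selects what the crypto map encrypts, a second ACL applied with access-group decides what may cross the interface at all. The addresses (10.1.1.0/24 and 10.2.2.0/24 LANs, 192.168.3.1 and 192.168.4.1 as the serial endpoints), the ACL numbers 101/102 and the key placeholder are assumptions for the example. The interface filter permits both the clear-text flows and the router's own IKE/ESP packets, so it behaves the same whether the IOS release checks the ACL before or after encryption.

```cisco
! Added example, not from the thread. Assumed addresses:
!   local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24
!   local serial 192.168.3.1, remote peer 192.168.4.1
!
! ACL 101: "interesting" traffic, i.e. what the crypto map encrypts.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! ACL 102: what is allowed through the interface at all. It must
! permit the clear-text flows AND the IKE (UDP 500) / ESP (protocol 50)
! packets that the router itself exchanges with the peer.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit udp host 192.168.3.1 host 192.168.4.1 eq isakmp
access-list 102 permit esp host 192.168.3.1 host 192.168.4.1
!
! IKE phase 1 with a pre-shared key (placeholder, replace before use).
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <PRE-SHARED-KEY> address 192.168.4.1
!
! esp-des = encrypt the payload, esp-md5-hmac = authenticate it.
crypto ipsec transform-set My_Transform_Set esp-des esp-md5-hmac
!
crypto map My_Map 20 ipsec-isakmp
 set peer 192.168.4.1
 match address 101
 set transform-set My_Transform_Set
!
interface Serial0
 ip address 192.168.3.1 255.255.255.0
 ip access-group 102 out
 crypto map My_Map
```

Anything matched by 101 is encrypted; anything matched by 102 but not 101 (none in this example, but e.g. a management subnet could be added to 102 only) leaves the interface in the clear; anything matched by neither is dropped. Keeping the two lists distinct is what makes that third category explicit rather than accidental.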

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I am very new to VPN products but I am currently investigating a hardware VPN solution. Can you tell me if there are any VPN products that Cisco currently has that support logging into NDS? I want my users to have a secure tunnel to my Novell network and run Novell services.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

You may want to check out a Cisco VPN 5001 Concentrator. The 500x VPN Concentrator series products have support for IPX in conjunction with IPsec.

--pete

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I have a few questions regarding the Cisco Concentrator 3030 and the client. Please answer them as soon as possible. Thank you!

1) When will the Windows 2000 client for the 3030 concentrator be released? (Date)

2) Does the 3030 authenticate (directly with SecurID preferably) and encrypt in one box?

3) Can you have an external and internal DNS with the 3030 Client?

4) Does the 3030 allow a client to look as if it has an internal IP address? If so does the 3030 support internal IP address pooling?

5) How will the new Client integrate with the PIX firewall? Can the client be authenticated by the PIX (using SecurID not RADIUS) and then have the PIX direct encrypted traffic to the 3030?

6) What management software does the 3030 come with?

7) Does the 3030 support pushing policies to the Client?

8) Can the 3030 encrypt/decrypt and authenticate on the same box?

Thank you for spending the time to answer these questions.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

1. The Cisco VPN 3000 Concentrator supports the Microsoft L2TP/IPsec client today. In addition, we are currently in beta with the Cisco VPN 3000 Client with Windows 2000 support. The FCS date for the Cisco VPN client with Windows 2000 support is March 5th.

2. The 3030 authenticates directly to SecurID (with new pin and next tokencard) and encrypts in one box. Direct authentication to SecurID is supported with the Cisco VPN 3000 Client only (not PPTP or L2TP/IPsec). SecurID can be supported today with the MS L2TP/IPsec client via RADIUS without new pin / next tokencard support.

3. While the tunnel is up, all DNS resolution is done internally.

4. The 3030 assigns internal IP addresses. These can be from a DHCP server (local subnet), address pool (local subnet), address pool (different subnet), or assigned from RADIUS (Framed-IP-Address attribute).

5. Usually the environment that larger companies use is to put a PIX on the perimeter of the network and put the public interface of the VPN Concentrator on another interface allowing inbound UDP 500, UDP X (for IPsec/UDP) and Protocol-50 (ESP). The private interface is usually then placed directly on the internal network. The user would be authenticated by the VPN 3K and then allowed direct access to the Internal network.

6. The default management software for the 3030 is embedded. It supports Web management (HTTP or HTTPS), Command line menu (TELNET/SSL-TELNET - SSHv1 in the next major release) or console.

7. Yes, the 3030 pushes policies down to the client upon connection.

8. The 3030 encrypts/decrypts and authenticates VPN users on the same device.

Best Regards,

-pete

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Are there any documents that assist in Windows 2000 ipsec client config to peer with a Pix Firewall VPN?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

For the PIX today, you would need to use the Cisco VPN Client (or VPN 3000 Client) or PPTP (also available in Windows 2000). L2TP/IPsec (used by Windows 2000 for Remote Access IPsec VPNs) is not yet supported on the PIX platform. You may want to look at a VPN 3K platform which will provide you with support for PPTP, L2TP/IPsec and the Cisco VPN 3000 Client.

A document with information on how to configure support for the Windows 2000 L2TP/IPsec client in conjunction with a VPN 3000 Concentrator is at:

http://www.cisco.com/warp/customer/471/Win_client.html

Best Regards,

-pete

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I work for a small business consisting of 11 employees. I would like to enable 4 of these employees to access our network remotely and didn't know if there was a cost effective VPN solution for this small a business. We have a 2610 router with dedicated T-1 service for internet access in the office. Our mobile users all have cable modem internet access from their homes. Thank you.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Probably the most cost effective for this few users / bandwidth would be to do PPTP (with MSCHAP) in to your IOS router. You could use Microsoft IAS for a free RADIUS server for authentication (with MSCHAP v1 and v2 support) or Cisco Secure ACS 2.5 (available in a couple of weeks with MSCHAP support). You could also use the Cisco VPN client or something like the IRE client that you could purchase, as long as you have a VPN/3DES image upgrade for your router.

Other options include purchasing a VPN 3005 Concentrator. This is the best solution available for Remote Access VPN with support for L2TP/IPsec, IPsec (Cisco VPN 3000 Client), and PPTP/MPPE or using a PIX firewall for the Remote Access termination (if you have a PIX).

Best Regards,

-pete

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I have a few questions here. I have a Cisco 2610 and a PIX 515 UR. I am just implementing a new T1 for the network; previously we had outsourced VPN and firewall. My questions are:

1) Where to terminate VPN clients (PIX or router)? I want to use the PIX here.

2) Which tunneling protocol should be the best option?

I will probably have 10-20 simultaneous clients connected.

3) I have Cisco Secure ACS NT 2.4, which I use for my other T1 for dial-in users. I want to use the same TACACS+ server for VPN clients. Do they use my existing NT account database? Since this does not support MSCHAP, what restrictions will I face?

4) I have a few remote users with DSL/cable modem who cannot use VPN (is there any workaround for this?).

5) Since we will have some remote sites, 2-3 sites, with 5-10 users at most, can I use some kind of cost-effective Cisco equipment? (I really don't want to add another piece of equipment to my existing network, like a VPN concentrator.)

Thanks

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

My company has a VPN server set up. I am testing from both Win95 and Win98 PCs with the MS VPN Adapter that connect to the Internet via DSL/Cisco 675 router. I have only been able to connect occasionally (and when I do connect the connectoid reports I am connected at 9600bps). Most of the time I cannot connect and a 650 error is reported. Other users of the company VPN do not have problems connecting. One of our network engineers suggested I try downloading the Cisco VPN client and trying it.

1. Where can I download this software or does it have to be purchased ? Any suggestion/info as to why I am getting the 650 errors and not connecting?

Thx

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

What device are you using at the central site for your VPN server? Most Cisco products have fairly comprehensive logs that will help determine what the issue is and why the connection is not being established. For example: Packets are never reaching the device (filter/non-GRE aware PAT), perhaps there's a misconfiguration, maybe you cannot connect because you're trying to do 40-bit encryption, but the central-site device only permits 128-bit RC4.

Are you doing PAT (Port Address Translation) or NAT on the Cisco 675 DSL Router that you're using or do you have a routable subnet for your machines?

You should ensure that you are running the latest version of DUN for your PC. There is a DUN upgrade available for Windows 95 (Version 1.3) that can be downloaded from:

http://support.microsoft.com/support/kb/articles/q191/4/94.asp

The Cisco VPN 30xx and 50xx ship with Cisco VPN clients. If you have a PIX with v5.2.x or greater (or upgrade using your Smartnet login), the Cisco VPN 30xx client is available free of charge under VPN SOFTWARE / 3000 (CCO) or can be ordered using the SKU "CVPN3000-CLNT-25=" for a small media charge.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I have configured a VPN for roaming clients using a Cisco 2600 configured with auth-proxy, mode-config, and a pre-shared key. The clients are using IRE's new software [I think version 5]. My question is how can I dynamically assign these users WINS server addresses so that they can resolve names via the tunnel?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

To the best of my knowledge, there is no way to do this in conjunction with the IRE VPN client.

If this is the case, you would need to hard-code your WINS addresses for this particular configuration.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Thanks for the timely response. Is there a client that can distribute this information? We are using DHCP in the office, so all users [300+] would need to be hardcoded.

I was thinking of testing the VPN3060. Will I run into the same problem? I also am getting reports from desktop guys that users have problems remembering to deactivate their client in the office. Is the 3k client smart enough to do this for my sales force?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I am not aware of any clients that could distribute this information. Perhaps Netswitcher has this functionality.

The VPN30xx & Client will allow you to assign WINS addresses. There are a couple of caveats. As long as you're using a dynamically assigned IP, you should be fine. If you have a statically assigned IP, make sure you check out the Release Notes.

Log on to the network is supported for W95/98, Release 3.0 (our next release) will support this for W-NT and W2K as well. For W-NT and W2K today, you would use cached credentials.

You run the VPN3K client by clicking "connect", so you will not need to remember to turn it off when you're in the office.

--p

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

We are implementing VPNs in a new network we have recently completed. The network is not complete yet, but the core switches have been installed and users are able to use the network. The next upgrade we plan on doing is to install redundant PIX firewalls and VPN. We are currently trying to decide between two design architectures.

The first design involves having a gateway router for outside world access connected to a 6500 switch on the 1st floor with an MSFC card, then another 6500 switch with an MSFC card for the 4th floor. A Cisco PIX firewall will be located between the two 6500 switches. The VPN server will be located on its own VLAN off of the 1st floor switch that is not connected to the other VLANs. Therefore, VPN network access will not go through the PIX firewall.

The second design will involve having the same gateway router and MSFC switches, and the firewall will be located between the gateway router and the 1st floor switch, and VPN access will be through the PIX firewall. The 1st floor switch is the primary switch for access to the world for both designs. The VPN server will be located on a VLAN on the 1st floor switch.

A third and final design is similar to the first design except the VLAN access will be through a 3500 series switch that is located between the gateway router and the 1st floor 6500 switch. The idea is that it would be more secure to have the VPN network separated by a piece of hardware rather than relying on software (VLAN) to protect the network from hackers.

I don't have any experience with VPNs and any help would be greatly appreciated. Is there any reason why you wouldn't want VPN access through a PIX firewall?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

As long as you have a free (extra) port on your PIX and an extra routable subnet, there's no reason not to put the public side of the VPN Concentrator after the PIX and place the private port on your internal network. This provides you with the flexibility of applying filters/etc. prior to the traffic ever reaching the VPN server. Make sure that you permit PROTO-50 (ESP) and UDP 500 (IKE), ICMP (optional). If you are supporting IPsec/UDP (PAT-transparent IPsec), you will also need to open another UDP port (default 10,000 but configurable). Make sure that you are not dropping fragmented packets at the firewall, or you may run into issues. For PPTP, you will need to permit GRE (Proto 47) and TCP 1723.
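The filter described in that reply, written out as an added PIX configuration example (not part of this thread, and not a Cisco reference configuration). It assumes the Concentrator's public interface sits on a PIX DMZ interface named "dmz" at the placeholder address 192.0.2.10 on a routable subnet, that the ACL name outside_in is free, and that the IPsec/UDP port was left at its default of 10000. The list is deliberately limited to what the Concentrator needs: IKE, ESP, IPsec/UDP, GRE and TCP 1723 for PPTP, and ICMP echo so reachability can be tested.

```cisco
! Added example, not from the thread. Assumptions:
!   PIX interface "dmz" hosts the Concentrator's public side
!   Concentrator public address 192.0.2.10 (placeholder)
!
! Only the VPN protocols may reach the Concentrator from the outside.
access-list outside_in permit udp any host 192.0.2.10 eq isakmp   ! IKE, UDP 500
access-list outside_in permit esp any host 192.0.2.10             ! ESP, protocol 50
access-list outside_in permit udp any host 192.0.2.10 eq 10000    ! IPsec/UDP (default port)
access-list outside_in permit gre any host 192.0.2.10             ! PPTP data, protocol 47
access-list outside_in permit tcp any host 192.0.2.10 eq 1723     ! PPTP control
access-list outside_in permit icmp any host 192.0.2.10 echo       ! optional reachability test
!
access-group outside_in in interface outside
!
! The Concentrator keeps its routable address across the PIX (identity static),
! so remote clients address it directly and no PAT is applied to IKE/ESP.
static (dmz,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
```

Everything not listed is dropped by the implicit deny at the end of the access list, which is the point of placing the Concentrator behind the PIX rather than beside it. Fragment handling varies between PIX releases, so after applying this, test with large packets through an established tunnel rather than assuming fragments pass.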

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

Shabib -

You would probably be best off terminating a small amount of Remote Access users on the PIX. With Release 5.2.1 or greater, you can use the VPN 3000 Client. You can obtain the VPN Client via an orderable part CVPN3000-CLNT-25= or if you have Smartnet, it's available free of charge on CCO.

Either VPN protocol (PPTP) or IPsec would be fine. It's really more of a user preference (what are you most comfortable with?) What's more important, the additional security of IPsec or the ease of use of an integrated client in the Operating System?

Cisco Secure ACS 2.5 (available in two weeks) will support MSCHAPv1. With IPsec, you would not need to use MSCHAP.

Why can't your DSL/cable modem users use VPN?

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I have VPN client 1.1. Is there any specific reason for using the VPN 3000 client, though I have Smartnet? What will be the advantage of using VPN 3000 (I don't have a VPN 3000 concentrator)?

As for Cisco Secure ACS 2.5, I recently got 2.4, and since I want to use IPSec as the tunnel protocol, that shouldn't matter, right?

About the DSL/cable modem users, well, I can't say much, since we have a Checkpoint firewall and it is managed by an outsourcer. But I believe since the DSL companies give IP addresses which are not public, that might be the case, but I still can't figure it out.

Community Member

Re: ASK THE EXPERT- REMOTE ACCESS VPNs

I have the VPN on the PIX firewall running Cisco Secure for the clients. I was wondering when the W2K version will be released for Cisco Secure.
