The authentication proxy cache lists the host IP address, the source port number, the timeout value for the authentication proxy, and the state of the connection. Wait for one minute, which is the timeout value for this named rule, and ask the user to try the connection again.
After one minute, the user connection is denied because the authentication proxy has removed the user authentication entry and any associated dynamic ACLs. The user is presented with a new authentication login page and must log in again to gain access through the firewall.

Scenario Description

The figure shows a headquarters network providing a remote user access to the corporate intranet. To configure your Cisco IOS VPN gateway to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:

Step 1: hq-sanjose(config)# interface virtual-template number
    Creates the virtual template that is used to clone virtual-access interfaces.
Step 2: hq-sanjose(config-if)# ip unnumbered interface-type number
    Specifies the IP address of the interface that the virtual-access interfaces use.
Step 3: hq-sanjose(config-if)# peer default ip address pool default
    Returns an IP address from the default pool to the client.
Step 4: hq-sanjose(config)# ip local pool default first-ip-address last-ip-address
    Configures the default local pool of IP addresses that will be used by clients. This is a global configuration command, not an interface command.
Step 6: hq-sanjose(config-if)# no ip mroute-cache
    Disables fast switching of IP multicast on the virtual-access interfaces.

Configuring PPTP

To configure a Cisco series router to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:

Step 1: hq-sanjose(config)# vpdn enable
    Enables virtual private dialup networking on the router.
Step 3: hq-sanjose(config-vpdn)# accept-dialin
    Enables the tunnel server to accept dial-in requests.
Step 4: hq-sanjose(config-vpdn-acc-in)# protocol pptp
    Specifies that the tunneling protocol will be PPTP.
Step 5: hq-sanjose(config-vpdn-acc-in)# virtual-template template-number
    Specifies the number of the virtual template that will be used to clone the virtual-access interface.
Step 6: hq-sanjose(config-vpdn-acc-in)# exit
        hq-sanjose(config-vpdn)# local name localname
    (Optional) Specifies that the tunnel server will identify itself with this local name.

Configuring L2TP

To configure a Cisco series router to accept tunneled L2TP connections from a client, use the following commands beginning in global configuration mode:

Step 1: hq-sanjose(config)# vpdn enable
    Enables virtual private dialup networking on the router.
Step 4: hq-sanjose(config-vpdn-acc-in)# protocol l2tp
    Specifies that the tunneling protocol will be L2TP.

Use the following commands in global configuration mode to enable authorization and to define the authorization methods:

Step 1: hq-sanjose(config)# aaa new-model
    Enables the AAA functionality on the router.
Step 3: hq-sanjose(config)# aaa authorization auth-proxy default [method1 [method2 ...]]
    Enables authorization for the authentication proxy and defines the ordered list of authorization methods to try.
Step 4: hq-sanjose(config)# tacacs-server host hostname
    Specifies an AAA server.
Step 5: hq-sanjose(config)# tacacs-server key string
    Sets the authentication and encryption key for communications between the router and the AAA server.
Step 6: hq-sanjose(config)# access-list access-list-number permit tcp host source eq tacacs host destination
    Creates an ACL entry to allow the AAA server return traffic to the firewall. This entry is needed when an inbound ACL on the interface facing the AAA server would otherwise drop the server's replies: source is the AAA server address and destination is the address of the router interface.

Enter the following commands in global configuration mode:

Step 1: hq-sanjose(config)# ip http server
    Enables the HTTP server on the router.
Step 3: hq-sanjose(config)# ip http access-class access-list-number
    Specifies the access list for the HTTP server. In the configuration example a standard list that denies all hosts is used here, so that the router's HTTP server, which the authentication proxy needs for its login page, cannot be reached directly as a management interface.

Configuring the Authentication Proxy

To configure the authentication proxy, use the following commands beginning in global configuration mode:

Step 1: hq-sanjose(config)# ip auth-proxy auth-cache-time min
    Sets the global authentication proxy idle timeout value in minutes.
Step 2: hq-sanjose(config)# ip auth-proxy auth-proxy-banner
    (Optional) Displays the name of the firewall router on the authentication proxy login page.
Step 3: hq-sanjose(config)# ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
    Creates a named authentication proxy rule. The optional auth-cache-time overrides the global idle timeout for this rule only; the optional standard access list limits the rule to the source hosts that the list permits.
Step 4: hq-sanjose(config)# interface type
    Enters interface configuration mode for the interface on which to apply the authentication proxy.
Step 5: hq-sanjose(config-if)# ip auth-proxy auth-proxy-name
    Applies the named authentication proxy rule to the interface.
Verifying the Authentication Proxy

To check the current authentication proxy configuration, use the show ip auth-proxy configuration command in privileged EXEC mode. The following display shows that no host list is specified, meaning that all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule (the global cache time is 60 minutes; the rule pxy overrides it with 1 minute):

router# show ip auth-proxy configuration
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name pxy
   http list not specified auth-cache-time 1 minutes

To verify that the authentication proxy is successfully configured on the router, ask a user to initiate an HTTP connection through the router.
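The procedures above (virtual template, PPTP and L2TP tunnel server, AAA with TACACS+, HTTP server and authentication proxy) combined into one hq-sanjose configuration, as an added example that is not the page's own configuration. Interface names, addresses, the address pool, the TACACS+ server address and key, and the rule name HQ_users are placeholders chosen for illustration; the MPPE, MS-CHAPv2, ip http authentication and L2TP tunnel-authentication lines go beyond the page's steps and are the editor's additions.

```cisco
! hq-sanjose remote-access gateway. Added example; not the page's own configuration.
! FastEthernet0/0 = public side (192.0.2.1), FastEthernet0/1 = corporate LAN
! (10.20.0.0/24), TACACS+ server 10.20.0.5. All values are placeholders.
!
! --- AAA against TACACS+ ("local" fallback keeps console access if the server is down)
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa authorization network default group tacacs+ local
tacacs-server host 10.20.0.5
tacacs-server key Replace-with-a-long-random-key
username admin secret Replace-with-a-strong-password
!
! --- Virtual template cloned for every incoming PPTP or L2TP call
ip local pool default 10.30.0.10 10.30.0.100
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool default
 no ip mroute-cache
 ! PPTP carries PPP in the clear unless MPPE is required (MPPE needs MS-CHAP).
 ppp authentication ms-chap-v2
 ppp encrypt mppe auto required
!
! --- Tunnel server: accept PPTP and L2TP dial-in and clone Virtual-Template1
vpdn enable
vpdn-group pptp-in
 accept-dialin
  protocol pptp
  virtual-template 1
 local name hq-sanjose
!
vpdn-group l2tp-in
 accept-dialin
  protocol l2tp
  virtual-template 1
 local name hq-sanjose
 ! L2TP tunnel authentication is disabled here; protect L2TP with IPsec instead.
 no l2tp tunnel authentication
!
! --- HTTP server: needed for the login page, but not reachable as a management UI
ip http server
ip http authentication aaa
access-list 61 deny any
ip http access-class 61
!
! --- Authentication proxy: 60-minute global idle timeout, rule HQ_users with a
!     1-minute override (as in the verification output above), limited to LAN hosts
ip auth-proxy auth-cache-time 60
ip auth-proxy auth-proxy-banner
access-list 10 permit 10.20.0.0 0.0.0.255
ip auth-proxy name HQ_users http auth-cache-time 1 list 10
!
! --- LAN interface: ACL 111 blocks everything until the user authenticates; the
!     per-user entries downloaded from TACACS+ are inserted ahead of it. The first
!     line is the AAA return-traffic entry of Step 6 (server 10.20.0.5 -> router).
access-list 111 permit tcp host 10.20.0.5 eq tacacs host 10.20.0.1
access-list 111 deny ip any any
interface FastEthernet0/1
 ip address 10.20.0.1 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
```

Verify with show ip auth-proxy configuration and show ip auth-proxy cache; clear ip auth-proxy cache * removes all cached entries so a user can be re-tested without waiting for the idle timeout, and show vpdn lists the active PPTP and L2TP tunnels. The inbound ACL on the LAN interface is what makes the proxy meaningful: without it, users would reach the far side whether or not they had logged in.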
The configuration example for these steps is organized as follows:

! Set up the aaa new model to use the authentication proxy.
! Define the AAA servers used by the router (tacacs-server host).
! Enable the HTTP server on the router (ip http server).
! Define standard access list 61 to deny any host.
! Apply a name to the authentication proxy configuration rule.
! Apply the authentication proxy rule at an interface.

Perform these steps to apply mode configuration to the crypto map, beginning in global configuration mode.
Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from an authentication, authorization, and accounting (AAA) server.
Configures the router to reply to mode configuration requests from remote clients.

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode.
Specifies AAA authentication of selected users at login, and specifies the method used. This example uses a local authentication database. Specifies AAA authorization of all network-related service requests, including PPP, and specifies the method of authorization. This example uses a local authorization database. This example implements a username of Cisco with an encrypted password of Cisco.
A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow. During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers.
When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers' configurations.
Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode. Defines a transform set: an acceptable combination of IPSec security protocols and algorithms. Specifies global lifetime values used when IPSec security associations are negotiated. Note: With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.
A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters in advance (for example, the peer's IP address).
Perform these steps to configure the IPSec crypto method, beginning in global configuration mode. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites.

However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet: only traffic that matches a crypto map entry is protected, and everything else crosses the public interface in the clear, so an inbound ACL or firewall policy on that interface remains necessary. Perform these steps to apply a crypto map to an interface, beginning in global configuration mode. Enters the interface configuration mode for the interface to which you want the crypto map applied. Perform these steps to create the remote configuration, beginning in global configuration mode. Note: A hostname can be specified only when the router has a DNS server available for hostname resolution.
Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied. The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.

Command or Action
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash md5
Router(config-isakmp)# authentication pre-share

Note that 3DES and MD5 are legacy algorithms; on releases that support them, prefer AES (encryption aes 256), SHA-2 (hash sha256) and a stronger Diffie-Hellman group (group 14 or higher) for new deployments.
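The Easy VPN server steps described above (IKE policy, group policy, AAA policy lookup, transform set, dynamic crypto map, mode configuration and crypto map application) together with the matching Easy VPN remote configuration on the other router, as an added example that is not the page's configuration file. The group name rtr-remote, the list names userauthen and groupauthor, the map names, the pre-shared key, pool, DNS server, domain, addresses and interface names are all placeholders chosen by the editor, and the example substitutes AES-256, SHA-256 and DH group 14 for the page's 3DES/MD5 policy (assuming a release that supports them).

```cisco
! ===== Server side (headquarters). Added example; not the page's configuration. =====
! 192.0.2.1 is the public address; all names and keys are placeholders.
!
! --- IKE (ISAKMP) policy: the lowest priority number is tried first.
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! --- Group policy pushed to remote clients by mode configuration.
ip local pool ezvpn-pool 10.40.0.1 10.40.0.254
crypto isakmp client configuration group rtr-remote
 key Replace-with-a-long-random-group-key
 dns 10.20.0.53
 domain corp.example
 pool ezvpn-pool
!
! --- Policy lookup through AAA, here against the local database.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnuser secret Replace-with-a-strong-password
!
! --- IPsec transform set and SA lifetime.
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha256-hmac
crypto ipsec security-association lifetime seconds 3600
!
! --- Dynamic crypto map: client addresses are unknown in advance, so the static
!     map references the dynamic map; reverse-route injects a route per client.
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
! --- Xauth user authentication, group policy lookup and mode-config replies.
crypto map static-map client authentication list userauthen
crypto map static-map isakmp authorization list groupauthor
crypto map static-map client configuration address respond
!
! --- Apply to the public interface. Traffic that matches no SA is still forwarded
!     in the clear, so an inbound ACL on this interface remains necessary.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map static-map
!
! ===== Remote side (a second router running Cisco Easy VPN remote) =====
crypto ipsec client ezvpn hq
 group rtr-remote key Replace-with-a-long-random-group-key
 ! An IP address is used here; a hostname needs a reachable DNS server.
 peer 192.0.2.1
 mode client
 username vpnuser password Replace-with-a-strong-password
!
interface FastEthernet0/0
 ip address dhcp
 crypto ipsec client ezvpn hq outside
!
interface FastEthernet0/1
 ip address 10.50.0.1 255.255.255.0
 crypto ipsec client ezvpn hq inside
```

On the server, show crypto isakmp sa and show crypto ipsec sa confirm that a client has completed IKE and has IPsec SAs; on the remote, show crypto ipsec client ezvpn reports the tunnel state and the address pushed by mode configuration. Storing the Xauth username and password in the remote configuration, as shown, is convenient for unattended routers but means anyone with the configuration file holds the credentials; for interactive users leave that line out so the password is prompted for.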
All packets forwarded to the GRE tunnel are encrypted if no further access control lists ACLs are applied to the tunnel interface. VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router.
A configuration example showing the results of these configuration tasks is provided in the "Configuration Example" section. The priority is a number from 1 to 10000, with 1 being the highest. The example specifies the Message Digest 5 (MD5) algorithm.

Perform these steps to configure the group policy, beginning in global configuration mode. Creates an IKE policy group that contains attributes to be downloaded to the remote client. Exits IKE group policy configuration mode, and enters global configuration mode.

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode. Specifies AAA authentication of selected users at login, and specifies the method used.
This example uses a local authentication database. This example uses a local authorization database. This example implements a username of cisco with an encrypted password of cisco.

Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode. Defines a transform set: an acceptable combination of IPSec security protocols and algorithms. Specifies global lifetime values used when negotiating IPSec security associations.

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode. Creates a dynamic crypto map entry, and enters crypto map configuration mode. The crypto maps must be applied to each interface through which IPSec traffic flows.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode.
Enters interface configuration mode for the interface to which you want to apply the crypto map.

Perform these steps to configure a GRE tunnel, beginning in global configuration mode.

Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. Exits interface configuration mode, and returns to global configuration mode.

The following configuration example shows a portion of the configuration file for a VPN using the GRE tunnel scenario described in the preceding sections.
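The GRE-over-IPsec procedure above (IKE policy, transform set, crypto map on the physical interface, GRE tunnel and a route into it), headquarters side, as an added example that is not the page's configuration file. Peer addresses, prefixes, names and the pre-shared key are placeholders chosen by the editor, and the IKE policy uses AES-256, SHA-256 and DH group 14 instead of the page's 3DES/MD5 (assuming a release that supports them); the remote site mirrors this configuration with the addresses swapped.

```cisco
! Headquarters side of a GRE tunnel protected by IPsec. Added example; not the
! page's configuration file. 192.0.2.1 = local public address, 198.51.100.1 =
! remote public address, 10.50.0.0/24 = remote private network. Placeholders only.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key bound to the remote peer's public address.
crypto isakmp key Replace-with-a-long-random-key address 198.51.100.1
!
! Transport mode is enough: GRE already provides the outer IP header.
crypto ipsec transform-set gre-set esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: only GRE between the two tunnel endpoints is protected. Everything
! carried inside the tunnel is covered by this one entry.
ip access-list extended gre-to-branch
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map to-branch 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set gre-set
 match address gre-to-branch
!
! The GRE tunnel carries the private routed traffic; the crypto map on the
! physical (tunnel source) interface encrypts the GRE packets it emits.
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map to-branch
!
interface FastEthernet0/1
 ip address 10.20.0.1 255.255.255.0
!
! A route into the tunnel is required for connectivity (see the Note above);
! a static route is used here, a routing protocol over Tunnel0 would also do.
ip route 10.50.0.0 255.255.255.0 Tunnel0
```

Because the crypto ACL matches only GRE between the two public addresses, any packet that leaves FastEthernet0/0 without entering Tunnel0 is sent unencrypted; check with show crypto ipsec sa that the encrypt and decrypt counters rise while traffic to 10.50.0.0/24 flows, and with show interfaces Tunnel0 that the tunnel is passing it.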