Since the release of FOS 6.2, the PIX security appliances, from the 501 all the way up to the 535, can perform the function of an Easy VPN Server; with the addition of the ASA appliances, they, too, can perform this function. Normally, I prefer to use a VPN 3000 concentrator to support a large number of remote access users; however, if you already have a PIX/ASA appliance in place and need to support only a small number of clients, you can use your existing PIX/ASA for this function. This is preferable to a router if your PIX supports a VAC+ encryption card to perform hardware encryption and your router lacks this, or if you need advanced address translation capabilities or security features that the router might lack.

The configuration of an Easy VPN Server is different if you're running FOS 6.3 or earlier than it is in 7.0. Because of the differences, I've split up the configuration explanation into two sections: one for 6.3 (this section) and one for 7.0 (the following main section).

Starting in FOS 6.2 and in later FOS releases, the PIX and ASA (7.0) appliances support the Easy VPN Server function, which allows them to terminate IPsec sessions from Easy VPN Remote devices, including the Cisco VPN Client software, the 3002 hardware client, the 800, ubr900, and 1700 routers, and the PIX 501 and 506E security appliances. Configuring an Easy VPN Server is broken into these components:

1. Create an address pool for remote access devices' internal addresses with the ip local pool command (this is required only for client mode connections; network extension mode connections do not require it).
2. Define group policies for remote access users with the vpngroup command.
3. Disable address translation for the users' internal addresses with the nat (interface) 0 access-list ACL_name command (discussed in Chapter 21).
4. Enable XAUTH with the crypto map map_name client authentication command.
5. Create ISAKMP policies with the isakmp policy command (discussed in the last chapter).
6. Define a compatible tunnel-mode transform set with the crypto ipsec transform-set command (discussed in the last chapter).
7. Create a dynamic crypto map with the crypto dynamic-map command (discussed in the last chapter).
8. Create a static crypto map and enable it with the crypto map command (discussed in the last chapter).
9. Enable IKE Mode Config for the static crypto map that references the dynamic crypto map with the crypto map map_name client configuration command.
10. Allow IPsec traffic with an ACL or the sysopt connection permit-ipsec command (discussed in the last chapter).

As you can see from the above steps, many of the things you have to configure I've already discussed in the last chapter, "PIX and ASA Site-to-Site Connections." Therefore, I'll focus primarily on Steps 1, 2, 4, and 9 in my discussions throughout this section.

An address pool is needed on the PIX Server to assign logical internal addresses to connecting Remote clients. The same command used on an IOS router to define an address pool is used on the PIX appliance:

Pix(config)# ip local pool pool_name IP_first-IP_last

Each pool needs a unique name, which can contain up to 63 characters. You can have different pools of addresses for different remote access groups.

As with the routers and concentrators performing the Easy VPN Server function, groups are used to apply policies to the Remotes connecting to the Server. With hardware clients connecting to the PIX Server, additional items may be configured, like the type of connection (client versus network-extension mode) and the type of authentication (default, device, and user).
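The ten steps above, together with the address pool and vpngroup commands described after them, assembled into one working FOS 6.3 Easy VPN Server configuration. This is an added example, not a configuration from the page or from the book it excerpts. The inside network 192.168.1.0/24, the client pool 192.168.100.1-50, the names VPNPOOL, NONAT, SALES, RADAUTH, VPNMAP, DYNMAP and VPNSET, the RADIUS server at 192.168.1.10 and both keys are assumptions; the comment lines are for the reader and do not need to be pasted into the appliance.

```cisco
! Assumed topology: inside 192.168.1.0/24 behind interface "inside",
! Remotes arrive on "outside" and are handed addresses from 192.168.100.0/24.

! Step 1: address pool for client-mode Remotes (network-extension mode needs none)
ip local pool VPNPOOL 192.168.100.1-192.168.100.50

! Step 3: exempt inside<->client traffic from NAT. The same ACL doubles as the
! split-tunnel list below, so only traffic to 192.168.1.0/24 enters the tunnel.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Step 2: group policy. The vpngroup name and password are the group identity and
! pre-shared key the Remote presents in IKE aggressive mode; every Remote in the
! group shares them, which is why Step 4 adds per-user XAUTH on top.
vpngroup SALES address-pool VPNPOOL
vpngroup SALES dns-server 192.168.1.5
vpngroup SALES default-domain example.com
vpngroup SALES split-tunnel NONAT
vpngroup SALES idle-time 1800
vpngroup SALES password Gr0upK3y-Ch4ngeMe

! Step 4 (part a): the AAA server XAUTH will query (assumed RADIUS host and key)
aaa-server RADAUTH protocol radius
aaa-server RADAUTH (inside) host 192.168.1.10 R4diusK3y timeout 10

! Step 5: ISAKMP phase 1 policy. Group 2 is what the Cisco VPN Client proposes;
! NAT traversal lets clients behind home NAT devices connect.
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Step 6: tunnel-mode transform set for phase 2
crypto ipsec transform-set VPNSET esp-aes-256 esp-sha-hmac

! Step 7: dynamic map, because the Remotes' public addresses are not known in advance
crypto dynamic-map DYNMAP 10 set transform-set VPNSET

! Step 8: static map entry that references the dynamic map
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP

! Step 4 (part b): XAUTH on the static map, authenticating each user against RADAUTH
crypto map VPNMAP client authentication RADAUTH

! Step 9: IKE Mode Config on the static map. "respond" answers clients that request
! an address; "initiate" pushes one to hardware clients that do not ask.
crypto map VPNMAP client configuration address respond
crypto map VPNMAP client configuration address initiate

! Step 8 (continued): bind the map to the interface the Remotes connect to
crypto map VPNMAP interface outside

! Step 10: let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

A client configured with group name SALES and the group password, plus a valid RADIUS user, should then bring up a tunnel; show isakmp sa and show crypto ipsec sa confirm the phase 1 and phase 2 SAs, and show uauth lists the XAUTH-authenticated user. Removing the vpngroup split-tunnel line sends all client traffic through the PIX, which is the safer choice when the Remotes are untrusted hosts but costs outside bandwidth; keeping it means a compromised client can reach the Internet and 192.168.1.0/24 at the same time.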