Configuring Cisco Easy VPN
Traditionally, Virtual Private Network (VPN) connectivity has been viewed as rather complex and requiring specialized resources to implement. While this is true from a hardware perspective, the same is not necessarily true from a software perspective. In fact, the advent of the Cisco Integrated Services Router has made VPN connectivity, well, easy.
“Do I Know This Already?” Quiz
The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 12-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time. Table 16-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.
Foundation Topics
The growing move toward the Service-Oriented Network Architecture (SONA) is laying down a path of evolution that will enable clients of all types to access the network resources, applications, and services available to those at the corporate headquarters site. This allows enterprise networks to move further toward the goal of providing a single experience to all users, regardless of the method by which they access those applications and services. The Cisco Easy VPN solution simplifies the deployment of remote offices and teleworkers. Teleworkers, on the whole, represent one of the fastest-growing groups of network users. The availability of high bandwidth at low cost is spurring a great deal of industry evolution. Along with this growth in remote connection requests comes a similar, if not greater, growth in the security needs of the network.
Cisco Easy VPN serves to simplify client configuration and allows for a centralized management model for VPN Clients. This client configuration can be dynamically pushed to remote clients. Cisco Easy VPN provides a quick, efficient, and, most importantly, secure means of configuring VPN services for remote users of all kinds. It consists of two primary components, Easy VPN Remote and Easy VPN Server. The server uses Internet Key Exchange (IKE) Mode Config to push configuration parameters to clients, so that the clients are preconfigured to conform to a set of IKE policies and IPsec transform sets. This ensures that all clients are up to date with the latest policies in place prior to establishing connections.
Cisco Easy VPN Components
The Cisco Easy VPN solution consists of two components, Server and Remote. Cisco Easy VPN Server allows Cisco IOS Routers, Cisco PIX Security Appliances, and Cisco VPN 3000 Concentrators to act as VPN headend devices in site-to-site or remote-access VPN models. Easy VPN–enabled devices can terminate IPsec tunnels initiated by teleworkers using the Cisco VPN Client software on a PC. This makes it possible for mobile and remote workers to access corporate services and applications.
Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 series hardware/software clients to act as remote VPN Clients. They receive security policies from an Easy VPN Server. This minimizes the need for manual configuration tasks. Easy VPN Remote provides for automated, centralized management of the following:
In the figure, the hosts at the teleworker’s home are all addressed with RFC 1918 addresses, as are the destination resources at the corporate office site. RFC 1918 addresses are nonroutable within the public Internet; however, NAT/PAT allows them to be translated and routed across it. With the VPN connection running in Client mode, routing information can pass between the customer premises equipment (CPE) and the corporate office site. Network Extension mode is very similar in concept to Client mode. So long as the addresses in the teleworker subnet are fully routable and unique within the corporate infrastructure, Figure 16-1 can also be said to be an example of Network Extension mode. If not, a NAT/PAT operation will need to be performed at the VPN Server to pass traffic into the corporate network and back to the teleworker premises.
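The following Cisco IOS configuration ties together the two points made above: the group attributes on the server side (address pool, DNS server, domain, split-tunnel list) are exactly what IKE Mode Config pushes to the remote at connection time, and the remote side shows Client mode, with the Network Extension mode alternative noted in a comment. This is an added example, not configuration from the chapter or from Cisco's documentation; every name (TELEWORKERS, EZVPN_POOL, EZVPN_MAP, EZVPN_DYN, EZVPN_REMOTE, EZVPN_AUTHOR), address, pre-shared key and interface name is constructed for illustration.

```cisco
! --- Easy VPN Server (Cisco IOS router at the corporate headend) ---
! All names, keys and addresses in this example are constructed.
aaa new-model
! Group authorization: the server looks up the group's attributes locally
aaa authorization network EZVPN_AUTHOR local
!
! IKE phase 1 policy the remote must be able to match
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Attributes pushed to each remote via IKE Mode Config.
! TELEWORKERS is the group name the remote presents; key is the group pre-shared key.
crypto isakmp client configuration group TELEWORKERS
 key EXAMPLE-GROUP-PSK
 dns 10.1.1.10
 domain example.com
 pool EZVPN_POOL
 acl 101
!
! Client-mode remotes receive one address from this pool (RFC 1918 space, as in the figure)
ip local pool EZVPN_POOL 10.200.0.1 10.200.0.254
!
! Split-tunnel list pushed to the remote: only traffic destined for 10.0.0.0/8 is protected
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
!
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac
!
! Dynamic crypto map: a remote's public address is unknown until it connects.
! reverse-route injects a route toward each connected remote so the headend can reach it.
crypto dynamic-map EZVPN_DYN 10
 set transform-set ESP_AES_SHA
 reverse-route
!
crypto map EZVPN_MAP isakmp authorization list EZVPN_AUTHOR
crypto map EZVPN_MAP client configuration address respond
crypto map EZVPN_MAP 10 ipsec-isakmp dynamic EZVPN_DYN
!
interface GigabitEthernet0/0
 description Internet-facing interface (constructed documentation address)
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN_MAP

! --- Easy VPN Remote (teleworker's Cisco IOS router) ---
! Client mode: the remote translates its 192.168.1.0/24 LAN behind the single
! address assigned from EZVPN_POOL, so the home LAN need not be unique in the corporate network.
crypto ipsec client ezvpn EZVPN_REMOTE
 connect auto
 group TELEWORKERS key EXAMPLE-GROUP-PSK
 mode client
 peer 203.0.113.1
!
! Network Extension mode alternative: replace "mode client" with
!  mode network-extension
! The 192.168.1.0/24 LAN is then presented to the corporate network as-is, which only
! works if that prefix is routable and unique within the corporate addressing plan.
!
interface FastEthernet0
 description Teleworker LAN
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN_REMOTE inside
!
interface FastEthernet1
 description Internet uplink (constructed documentation address)
 ip address 198.51.100.2 255.255.255.0
 crypto ipsec client ezvpn EZVPN_REMOTE
```

Note what the remote does not configure: no address pool, DNS server, domain or split-tunnel list appears on the teleworker router. Those arrive from the server over IKE Mode Config when the tunnel comes up, which is the centralized policy management the chapter describes; changing the split-tunnel ACL or the DNS server on the headend changes it for every remote at its next connection.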