In this topology, we'll create simple access to the Left router by allowing clients to remotely VPN to the Outside interface of the ASA.
The Left router's configuration is simple. The interface is given an IP address, and a default route points to the ASA. Telnet access is also set up for testing purposes later on.
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 no shutdown
line vty 0 4
 password cisco
 login
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Your computer's default gateway and the PIX's default gateway both point to the Right router, which simulates the internet. The Right router's configuration is also quite simple:
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 192.168.66.2 255.255.255.0
 no shutdown
line vty 0 4
 password cisco
 login
Finally, we set up the ASA's interfaces:
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
 no shutdown
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0
 no shutdown
route Outside 0.0.0.0 0.0.0.0 2.2.2.1
At this point, your computer should be able to ping the ASA's Outside interface. When you're ready we'll move on to setting up the remote-access VPN (RAVPN). First we'll enable ISAKMP on the Outside interface:
crypto isakmp enable Outside
We'll then create an ISAKMP policy as we did before:
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
Similarly we'll create a transform-set:
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
We'll then apply the transform set to a dynamic map:
crypto dynamic-map DYNAMIC 1 set transform-set TRANSFORM
crypto dynamic-map DYNAMIC 1 set reverse-route
Notice that we enabled reverse-route injection. With it, the ASA automatically installs a route for each connected RA client's assigned address, so return traffic is steered into the tunnel. Now we'll create the crypto map that references the dynamic map:
crypto map MAP 1 ipsec-isakmp dynamic DYNAMIC
At this point we can apply the map to the Outside interface:
crypto map MAP interface Outside
Now we'll begin setting up the tunnel parameters. First we'll create an address pool like this:
ip local pool POOL 4.4.4.10-4.4.4.20 mask 255.255.255.0
Next we'll create a user account:
username cisco password cisco
We'll then create a tunnel-group as shown:
tunnel-group GROUP type remote-access
Now we'll set the address pool and the authentication server group (the local user database here) in the general attributes of the tunnel-group:
tunnel-group GROUP general-attributes
 address-pool POOL
 authentication-server-group LOCAL
Finally we'll set the pre-shared key used for the IPsec (IKE phase 1) negotiation:
tunnel-group GROUP ipsec-attributes
 pre-shared-key cisco
At this point we would be able to connect to the Outside interface using the following parameters:
Host: 2.2.2.2
Group Authentication
Name: GROUP
Password: cisco
Confirm Password: cisco
Username: cisco
Password: cisco
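Before trying the connection, it's worth confirming that the objects above actually chain together. The following Python script is an added example, not code from the original post: it parses a constructed copy of this ASA configuration (written with full command names) and reports a default route whose next hop is not on its interface's subnet, a dynamic-map whose transform-set does not exist or that lacks reverse-route, and a crypto map that is not applied to an interface with ISAKMP enabled. The sample deliberately keeps a next hop of 3.3.3.1, which is off the 2.2.2.0/24 Outside subnet, so the checker has something to flag.

```python
import ipaddress
# Constructed sample mirroring the post's ASA (full command names); the default route
# keeps a next hop that is off the Outside subnet so the checker has something to flag.
ASA_CONFIG = """\
interface Ethernet0
 nameif Outside
 ip address 2.2.2.2 255.255.255.0
route Outside 0 0 3.3.3.1
crypto isakmp enable Outside
crypto ipsec transform-set TRANSFORM esp-aes esp-sha-hmac
crypto dynamic-map DYNAMIC 1 set transform-set TRANSFORM
crypto dynamic-map DYNAMIC 1 set reverse-route
crypto map MAP 1 ipsec-isakmp dynamic DYNAMIC
crypto map MAP interface Outside
"""

def check_asa_ravpn(config):  # returns a list of findings; empty means the chain resolves
    nets, isakmp, tsets, dyn, rri = {}, set(), set(), {}, set()
    cmap, applied, routes, name, out = {}, {}, [], None, []
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[0] == "nameif":                          # name the rest of the config refers to
            name = w[1]
        elif w[:2] == ["ip", "address"]:              # subnet of the interface just named
            nets[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] == "route":                         # route <ifname> <net> <mask> <next-hop>
            routes.append((w[1], w[-1]))
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            isakmp.add(w[3])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(w[3])
        elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
            dyn[w[2]] = w[-1]                         # dynamic-map -> transform-set it uses
        elif w[:2] == ["crypto", "dynamic-map"] and "reverse-route" in w:
            rri.add(w[2])
        elif w[:2] == ["crypto", "map"]:              # ipsec-isakmp line names the dynamic-map,
            (cmap if "dynamic" in w else applied)[w[2]] = w[-1]  # interface line applies the map
    for ifname, nh in routes:                         # a next hop must sit on the egress subnet
        if ifname not in nets or ipaddress.ip_address(nh) not in nets[ifname]:
            out.append(f"route next hop {nh} is not on the {ifname} subnet")
    for d, ts in dyn.items():
        if ts not in tsets:
            out.append(f"dynamic-map {d} references missing transform-set {ts}")
        if d not in rri:
            out.append(f"dynamic-map {d} has no reverse-route, so client routes will not be injected")
    for c, d in cmap.items():
        if d not in dyn:
            out.append(f"crypto map {c} references missing dynamic-map {d}")
        if applied.get(c) not in isakmp:              # map must be on an interface with ISAKMP on
            out.append(f"crypto map {c} is not applied to an interface with ISAKMP enabled")
    return out
```

Running `check_asa_ravpn(ASA_CONFIG)` reports only the off-subnet next hop; replacing 3.3.3.1 with the Right router's 2.2.2.1 clears it.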
We can also implement NAT if we wish. To do this, we'll begin with a basic NAT configuration that translates all Inside hosts to the Outside interface address:
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
Next, we'll create an access-list that matches traffic from the Inside network to the VPN client pool. We'll use this list with nat 0 to exempt that traffic from translation (NAT exemption, often called identity NAT), so the Left router's replies reach the clients with their pool addresses intact:
access-list DENYNAT extended permit ip any 4.4.4.0 255.255.255.0
nat (Inside) 0 access-list DENYNAT
Now traffic going anywhere except to the RA clients is translated.