Resources at the client site are unavailable to the central site. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. The Cisco Easy VPN client feature can be configured in one of two modes-client mode or network extension mode. Easy VPN server-enabled devices allow remote routers to act as Easy VPN Remote nodes.
Onnecting a client to cisco easyvpn software#
This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.Īn Easy VPN server-enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. Figure 6-1 shows a typical deployment scenario. The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPSec tunnel to configure and secure the connection between the remote client and the corporate network. Remote access VPNs are used by remote clients to log in to a corporate network. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Two types of VPNs are supported-site-to-site and remote access.
The Cisco 870 series routers support the creation of Virtual Private Networks (VPNs).Ĭisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints. You'll want to consider these questions when designing your VPN policies so that you can configure filters to enforce per-company restrictions.Configuring a VPN Using Easy VPN and an IPSec TunnelĪpply Mode Configuration to the Crypto MapĬonfigure the IPSec Crypto Method and ParametersĪpply the Crypto Map to the Physical Interface
I am not sure from your description whether all 7 "group companies" should have access to the same resources at your main office, and whether those companies can access each other's networks using Frame Relay as a "hub and spoke" private network. To learn more about Cisco IOS IPsec configuration, see this Cisco white paper on IPsec deployment, particularly the section on "Cisco Easy VPN." You can authenticate users locally or use an ACS server for user authentication. On your Cisco 1760, you will probably decide to use Extended Authentication (XAUTH) and a policy that defines a preshared secret used by everyone in that group.
Onnecting a client to cisco easyvpn install#
You will need to work with each remote office to install appropriately-configured Cisco VPN Client software on every remote host, to identify the username/password for each authorized user, and to train users about how and when to launch VPN clients. However, the router/firewall at every remote office must be configured to permit bi-directional traffic on ports used by your VPN. NAT Traversal in your Cisco 1760 and VPN Client software will let IPsec traffic be forwarded through remote office router/firewalls, no matter what they might be. However, if you want to permit only a few clients, or need to vary permission for individual users, then a remote access VPN is more appropriate.įor a remote access VPN with the hardware that you describe, each remote office will require Internet access. This makes more sense if you want to let EVERYONE at each remote office have the SAME access to your main office network. Each host would not need its own VPN client software or user credentials, because all clients at each remote office would share the 7 tunnels between remote and main VPN gateways. You will need to configure policies on your Cisco 1760 to permit access by those clients, including user credentials to authenticate each client, and IPsec selectors that determine which hosts/subnets each client is permitted to access inside your main office network.Īnother option would be to install VPN hardware at every remote office and set up a site-to-site VPN that connects those 7 remote offices to your main office.
Every remote host that needs to access your main office network will require Cisco VPN client software and some kind of Internet access. The Cisco 1760 will serve as the VPN's gateway, using DSL to obtain access to the Internet. The scenario you describe sounds like a fairly typical IPsec remote access VPN.
0 kommentar(er)
