1. Home
  2. Networking
  3. CCSP Cisco Certified Security Professional Certification

Cisco Easy VPN Remote

Cisco Easy VPN Remote

The Cisco Easy VPN Remote provides a remote VPN client feature, which is currently supported on the following platforms: Cisco 800, 1700, and UBR900 Series Routers, Cisco PIX 501 Firewalls, and Cisco VPN 3002 Hardware Client device. As with all new technologies, the Cisco online documentation includes any new platforms supported.

The Cisco Easy VPN Remote feature eliminates much of the basic VPN configuration by implementing Cisco’s Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server. These basic configuration and security policies are “pushed” down from the Cisco Easy VPN Server during the initial connection. Configuration changes, software upgrades, and, in some cases, firmware updates can also be pushed down to the remote site. This can reduce local VPN configuration requirements and ongoing VPN support at the remote location.

The Cisco Easy VPN Remote feature allows for “push” configuration and automatic management of the following details:

  • Managing security keys for encryption and decryption.

  • Negotiating tunnel parameters, including IP addresses, algorithms, lifetime, and so forth.

  • Establishing tunnels according to the defined security parameters.

  • Enabling and configuring NAT/PAT translation, plus any related access lists.

  • User authentication based on user names, group names, and passwords, as well as X.509 digital certificates.

  • Authenticating, encrypting, and decrypting data through the tunnel.

The Cisco Easy VPN Remote feature supports the following two modes of operation:

Client

The private hosts protected behind the Easy VPN Remote device are a separate network that remains invisible and nonroutable to the central site. The local hosts are assigned their IP addresses from the Easy VPN Remote device DHCP server feature. The Cisco Easy VPN Remote feature automatically configures the NAT/ PAT translation and any required access lists to implement the VPN tunnel. Because all traffic to the central network has the Public interface IP address, PAT both supplies and manages unique port number mappings to use in combination with the IP address.

Network Extension

The Cisco Easy VPN Remote device establishes a secure site-to-site connection with the central site device. PAT isn’t used, allowing the client hosts to have direct access to the hosts on the corporate network. The local stations behind the VPN Remote device are fully routable and the local network is visible to the central site. As the name implies, the local network becomes a part of the organization’s intranet.

Split Tunneling

Split tunneling is a useful feature that provides the capability to have a secure tunnel to the central site, while simultaneously maintaining a Cleartext connection to the Internet through the Internet service provider (ISP). The Cisco Easy VPN Remote device uses PAT to protect the local workstations during split tunneling to the Internet. Figure 12-1 shows secure a VPN tunnel and split tunneling for web browsing.

Click To expand
Figure 12-1: A secure VPN tunnel and split tunneling for web browsing

If the organization security policy prohibits split tunneling, it can be blocked by creating a policy on the central site device, which is then pushed down to the remote device.




BackCover
CCSP - Cisco Certified Security Professional Certification All-in-One Exam Guide
Introduction
Part I: Introduction to Network Security
Part II: Securing the Network Perimeter
Part III: Virtual Private Networks (VPNs)
Chapter 9: Cisco IOS IPSec Introduction
Chapter 10: Cisco IOS IPSec for Preshared Keys
Chapter 11: Cisco IOS IPSec Certificate Authority Support
Chapter 12: Cisco IOS Remote Access Using Cisco Easy VPN
Introduction to Cisco Easy VPN
Cisco Easy VPN Server
Cisco Easy VPN Remote
Cisco VPN 3.6 Client
Easy VPN Server Configuration Tasks
Preconfiguring the Cisco VPN 3.6 Client
Management Center for VPN Routers
Easy VPN Remote Phase Two
Cisco VPN Firewall Feature for VPN Client
Chapter Review
Chapter 13: Cisco VPN Hardware Overview
Chapter 14: Cisco VPN 3000 Remote Access Networks
Chapter 15: Configuring Cisco VPN 3002 Remote Clients
Chapter 16: Cisco VPN 3000 LAN-to-LAN Networks
Part IV: PIX Firewalls
Part V: Intrusion Detection Systems (IDS)
Part VI: Cisco SAFE Implementation
Appendix A: Access Control Lists
Appendix B: About the CD
List of Figures
List of Tables
List of Sidebars