The Cisco Easy VPN Remote provides a remote VPN client feature, which is currently supported on the following platforms: Cisco 800, 1700, and UBR900 Series Routers, Cisco PIX 501 Firewalls, and the Cisco VPN 3002 Hardware Client device. As with any new technology, the Cisco online documentation lists any newly supported platforms.
The Cisco Easy VPN Remote feature eliminates much of the basic VPN configuration by implementing Cisco’s Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server. These basic configuration and security policies are “pushed” down from the Cisco Easy VPN Server during the initial connection. Configuration changes, software upgrades, and, in some cases, firmware updates can also be pushed down to the remote site. This can reduce local VPN configuration requirements and ongoing VPN support at the remote location.
The Cisco Easy VPN Remote feature allows for “push” configuration and automatic management of the following details:
Managing security keys for encryption and decryption.
Negotiating tunnel parameters, including IP addresses, algorithms, lifetime, and so forth.
Establishing tunnels according to the defined security parameters.
Enabling and configuring NAT/PAT translation, plus any related access lists.
User authentication based on user names, group names, and passwords, as well as X.509 digital certificates.
Authenticating, encrypting, and decrypting data through the tunnel.
The Cisco Easy VPN Remote feature supports the following two modes of operation:
Client mode: The private hosts protected behind the Easy VPN Remote device form a separate network that remains invisible and nonroutable to the central site. The local hosts are assigned their IP addresses by the Easy VPN Remote device's DHCP server feature. The Cisco Easy VPN Remote feature automatically configures the NAT/PAT translation and any required access lists to implement the VPN tunnel. Because all traffic to the central network carries the public interface IP address, PAT both supplies and manages unique port number mappings to use in combination with that address.
Network extension mode: The Cisco Easy VPN Remote device establishes a secure site-to-site connection with the central site device. PAT isn't used, allowing the client hosts to have direct access to the hosts on the corporate network. The local stations behind the VPN Remote device are fully routable, and the local network is visible to the central site. As the name implies, the local network becomes a part of the organization's intranet.
Split tunneling is a useful feature that provides the capability to have a secure tunnel to the central site while simultaneously maintaining a cleartext connection to the Internet through the Internet service provider (ISP). The Cisco Easy VPN Remote device uses PAT to protect the local workstations during split tunneling to the Internet. Figure 12-1 shows a secure VPN tunnel and split tunneling for web browsing.
If the organization security policy prohibits split tunneling, it can be blocked by creating a policy on the central site device, which is then pushed down to the remote device.
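The following IOS configuration is an added example, not taken from the book, that ties together the two modes of operation and the split-tunneling policy described above. The Easy VPN profile name, group name, group key, IP addresses, and access-list number are constructed placeholders; the ISAKMP policy, transform set, and crypto map that bind the server-side group to an interface are omitted.

```cisco
! Easy VPN Remote side (e.g. Cisco 800/1700 router). Everything below uses
! constructed names and addresses; the server pushes the rest of the policy.
crypto ipsec client ezvpn BRANCH-EZVPN
 group branch-group key branch-group-secret
 peer 203.0.113.10
 mode client
 connect auto
!
! Use "mode network-extension" instead of "mode client" for network
! extension mode: PAT is not applied and the local LAN is routable from
! the central site.
!
interface Ethernet0
 description Local LAN with the protected hosts
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn BRANCH-EZVPN inside
!
interface Ethernet1
 description Public, ISP-facing interface
 ip address dhcp
 crypto ipsec client ezvpn BRANCH-EZVPN outside
!
! ---- Easy VPN Server side (central site). This group policy is pushed
! ---- to the remote during the initial connection.
aaa new-model
aaa authorization network EZVPN-GROUPS local
!
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.50
!
! Split-tunnel policy: only traffic to the central 10.0.0.0/24 network
! is tunneled; everything else leaves the remote in cleartext via the ISP,
! protected by PAT on the remote device.
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
!
crypto isakmp client configuration group branch-group
 key branch-group-secret
 pool EZVPN-POOL
 acl 150
!
! To prohibit split tunneling, omit "acl 150" from the group: with no
! split-tunnel ACL pushed, the remote sends all traffic through the tunnel.
```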