Using PDM to Create a Remote Access VPN

The same VPN Wizard is used to create a remote-access VPN configuration. A remote access configuration allows secure remote access for outside VPN clients, such as telecommuters or employees traveling for a company. These remote users will then have secure access centralized network resources much like at their own desks. Using the remote access VPN, the PIX Firewall provides secure connectivity between individual remote users and the resources protected by the local firewall.

After choosing Remote Access VPN and indicating the outside interface on the initial wizard, the Remote Access Client panel is used to specify the type of remote access client to connect to the new VPN link. Figure 22-13 shows the client choices, which include the following:

Cisco VPN Client, Release 3.x or higher
Cisco VPN 3000 Client, Release 2.5/2.6
Microsoft Windows client using PPTP
Microsoft Windows client using L2TP

Figure 22-13: Remote Access Client panel for selecting the client type

The choices on the subsequent panels depend on the client choice made here. Figure 22-14 shows the information required when choosing either of the first two options. The VPN Client Group panel is used to group remote access users using Cisco VPN Client, so attributes associated with a group will be applied and downloaded to the client(s) that are part of a given group. The group password is a preshared key to be used for IKE authentication.

Figure 22-14: VPN Client Group panel for defining the VPN groups

The group name must also be configured on the remote-access client software to make sure any group attributes are properly downloaded.

The next screen, the Extended Client Authentication panel, is an optional feature that would require remote VPN clients to authenticate using an AAA server before being able to access the private network.

Extended Authentication (Xauth) is a feature within the IKE protocol that allows deploying IPSec VPNs using TACACS+ or RADIUS as the authentication method. The VPN clients would be prompted for a user name and password combination, which would then be verified with the information stored in a TACACS+ or a RADIUS database.

If this feature is selected, an AAA server must be defined using the New button, which opens the AAA Server Group panel. These panel entries define the group name, the protocol used for AAA, and the location of the AAA server. An option also exists to specify a one-time-password OTP. Figure 22-15 shows the Extended Client Authentication panel choices.

Figure 22-15: Extended Client Authentication panel choices

The next wizard screen, the Address Pool panel, creates a pool of local addresses that can be dynamically assigned to remote VPN clients, running Cisco VPN Client v3.x or higher. It’s necessary to define a pool name, and then a beginning and ending address to define the range.

The next screen, the Attributes Pushed to Client (Optional) panel, is used to provide the other DHCP-type information that will be necessary for the remote client to function within the local network. The information provided includes the following:

Primary DNS Server
Secondary DNS Server
Primary WINS Server
Secondary WINS Server
Default Domain Name

The next two screens define the IKE Policy (Phase one) and Transform Set (Phase two), exactly the same as in the previous Site-to Site Wizard.

Figure 22-16 shows the final screen—the Address Translation Exemption (Optional) panel—used to define local hosts/networks that are to be exempted from address translation (NAT). The considerable security provided by NAT might cause problems for those hosts that have been authenticated and protected by VPN. If an inside host is translated to the outside address using a randomly selected public addresses, remote VPN clients would be unable to connect to that host. You can specify which networks will be seen by connecting VPN clients using this exemption rule.

Figure 22-16: Address Translation Exemption panel