site_logo

Cisco® CCNA Security Exam Notes : Remote Access Vpn

RETIRED! Exam

Go to latest CCNA Exam Cram

  1. Cisco CCNA Exam Download
  2. Cisco CCNA Exam Sim with NetSim Download

3. VPN

3.2 Remote access VPN

To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the security appliance. All of these tasks are completed if you use the setup command

Remote Access VPN: Remote access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization's server. The user may not be aware of the networking used as it appears logically that the data is sent over a dedicated private link.

Gateway-to-Gateway VPN: a gateway-to-gateway VPN connection allows for two routers to securely connect to each other and for a client on one end to logically appear as if they are a part of the network on the other end. This enables data and resources to be shared more easily and securely over the Internet. Configuration must be done on both routers to enable a gateway-to-gateway VPN.

AnyConnect Always-on VPN - The ASA administrator can configure AnyConnect to automatically establish and maintain an SSLVPN session as soon as the user logs into their operating system.

If you use identity certificates, instead of a username/password, the user will not be prompted at all and the VPN experience will be totally transparent and in the background.

1. A GUI based device management tool for working with and monitoring Cisco routers.

2. Enables network admins to organize and manage multiple routers in the site by grouping, called device community.

3. CCP does not require a separate license

4. CCP Express may be run as a Java applet from the computer that is connecting to the router. CCP Express is a watered down version of CCP Professional.

5. CCP is a software tool that is typically installed on a Windows computer and run in conjunction with Cisco networking device(s)

The following are the important features of CCP (Cisco Configuration Professional):

  • Cisco Configuration Professional supports secure protocols such as Secure Shell (SSH) Protocol and Secure HTTP (HTTPS) to communicate with the devices.
  • Cisco Configuration Professional manages only Cisco devices
  • Currently there is no limitation on the number of communities that can be created.
  • When you move away a router from one community to another, you need to rediscover the routers in the new community.
  • Cisco Configuration Professional is a GUI device-management tool for Cisco IOS Software-based access routers, the Cisco Integrated Services Routers
  • A community is a group of devices that are managed together

Cisco Configuration Professional menu bar contains the following options:

  • Manage Community- allows you to create a new community or choose an existing community.
  • Create User Profile - allows you to restrict users from using all of the features that are available in the left navigation pane.
  • Import User Profile - allows you to import a user profile.
  • Options-allows you to set user preferences such as log level, show community at startup, and show CLI preview parameters.
  • Template - allows you to create, edit, or apply a template.
  • Work Offline - allows you to work with Cisco Configuration Professional in offline mode.
  • Exit-Exits the Cisco Configuration Professional application.
Cisco Configuration Professional

As shown in the figure above, Cisco Configuration Professional (CCP) display consists of the following:

  • Menu Bar-The row of menus across the top of the window. It offers application services, a list of open windows, and online help.
  • Toolbar-The row of icons directly below the menu bar. They represent the most often used application services and most often configured networking features.
  • Left Navigation Pane-The scalable panel on the left side of the content pane in which you select the features to configure and monitor.
  • Content Pane-The right side of the workspace, in which windows appear. You view reports here and enter information that configures networking features.
  • Status Bar-The bar at the bottom of the window. Where Cisco CP displays the status of the application

The following conditions should be satisfied for successful communication with router using CCP:

The router should be enabled to support HTTP or HTTPS.

Use the command:

Router(config)# ip http authentication local

Or

Use the following command for enabling https

Router(config)# ip http secure-server

2. Username with privilege level 15 rights should be created on the router.

Use the command:

Router(config)# username admin privilege 15 secret cisco

3. The authentication for HTTP/S should be set to use the local database (the runningconfig) on the router. Use the command:

Router(config)# ip http authentication local

Of course, you need to connect to the router physically, using an Ethernet or cross over cable, and the router interface should be reachable. You can verify the reachability using a ping command to the router interface at the DOS prompt.

Important points on CCP

  • A router needs to join a community before being administered using CCP
  • A community may contain a maximum of 10 devices
  • To have CCP discover all the devices in a community, check the Discover All Devices check box,
  • To join a community, you should provide IP address or hostname and the username and password information for the device.
  • When using CCP, in appropriate signature screen, highlight signature, click the Enable button, and then click the Unretire button (just to confirm that it is not retired).
  • When you click the Apply Changes button, CCP applies the changes to the router, which requests the router to recompile the changes.

Features of AnyConnect SSL VPN Client:

  • Full install of AnyConnect software is required on the client machine.
  • Full access to the corporate network as if you were accessing the local network
  • Clients are assigned their own virtual IP address to use while accessing the corporate network.
  • AnyConnect is supported on several operating systems including Windows, Linux, Android, etc.

Features of Clientless SSL VPN:

  • Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to a security appliance using a web browser. Users do not need a software or hardware client.
  • Clientless SSL VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet.
  • Browser cookies are required for the proper operation of clientless SSL VPN. When cookies are disabled on the web browser, the links from the web portal home page open a new window prompting the user to log in once more
images/pin-icon.png

SSL VPN support is provided for Windows, Macintosh, Linux, Apple's iOS, Android, and Windows Mobile with the appropriate licenses on the server, where the licenses are managed.

Split tunneling: Split tunneling is a computer networking concept which allows a mobile user to access dissimilar security domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same or different network connections. With split tunneling enabled on the remote VPN client machine, it separates corporate traffic and web-bound traffic. Only the traffic bound to the corporate office may be tunneled using secure VPN, while all other traffic such as visiting www sites etc. may be forwarded directly to the web instead of going to the ASA firewall through VPN tunnel. The negative side is that the security of the internal network may be weakened if proper security measures are not taken on the remote client machine. Installing IDS on the remote machine is preferred when split tunneling is configured.

Split tunnel option enables AnyConnect and Remote Access VPNs is to send traffic down the VPN only if it is destined for specific networks located at the headquarter site. All other traffic is sent normally, outside the VPN. This way, the bandwidth could be saved as there will be less amount of traffic traversing VPN tunnel via head-quarters. However, note that there is some amount of compromise on the security aspect, as the split tunnel is not secure as the outside traffic is sent normally and no encryption takes place.

You can monitor the remote access VPN users by navigating to Monitoring > VPN > VPN Statistics > Sessions in your ASA Security Device Manager.

Cisco Anyconnect VPN client: Employees may connect to the Internet from several public locations, such as airports and cafes, they had no acceptable use policy enforcement, minimal protection against malware, and are at a higher risk of data loss. Cisco's AnyConnect Secure Mobility may be used to extend the network perimeter to remote endpoints, enabling the seamless integration with the Corporate network.

Cisco has developed the AnyConnect Secure Mobility Client as a "next generation" Virtual Private Network (VPN) client. The connection is secure because both the user and device must be authenticated and validated prior to being provided access to the corporate network. When a user opens a VPN session using Cisco AnyConnect, the AnyConnect client connects to the adaptive security appliance using SSL. The client authenticates with the adaptive security appliance and is assigned an internal IP address on the network.

AnyConnect Clients are available on various platforms, including the following:

  • Cisco anyconnect VPN client windows 7
  • Cisco anyconnect VPN for windows 8
  • Cisco VPN windows 10
  • Cisco Anyconnect VPN for Android
  • Cisco anyconnect VPN client iPhone iPad
  • Cisco anyconnect VPN client for mac

It is important to note that Cisco AnyConnect Client is central to BYOD concept and its borderless networking concept.

images/pin-icon.png

Note that remote users connecting to the internal resources using secure VPN tunnel use their internal IP address. As such, they should be treated as internal users and should be exempted from NAT translation. Similarly, you should not use NAT on traffic coming from inside devices (say, file server) and going out to the VPN clients.

Previous   Contents   Next


CCNA Security Cram Notes Contents
certexams ad

simulationexams ad
  1. Cisco CCNA Exam Download
  2. Cisco CCNA Exam Sim with NetSim Download