Cisco Easy VPN SolutionsApplications and Implementation with Cisco IOS Routers, PIX Firewalls, 3000 Series Concentrators & HW Clients & Client
Configuration ? VPN Deployment & Management Challenges Central Site • Heterogeneous CPE devices and clients • Remote sites without on-site support • VPN tunnels over static and dynamic WAN connections • Static & dynamic IP addresses • Pushing configuration changes once deployed • Coordinating custom configuration, IP address and mixed WAN environment (Cable/DSL, PPPoE/hostname) VPN Repository Mobile Workers Internet Teleworkers VPN Tunnels Small Branch Office Configuration ? IP Address ?? Configuration ? Configuration ?
Cisco Easy VPN Solutions Leverages Cisco Unified Client Framework Cisco Easy VPN RemoteEliminates complex remote-side configuration simplifying VPN deployments Cisco Easy VPN ServerAccepts VPN connection from Cisco VPN clients and Cisco Easy VPN Remote devices Central Site VPN Gateways with Cisco Easy VPN Server - Cisco VPN30xx - Cisco IOS® Routers with 12.2(8)T - PIX® Firewalls with 6.0+ Cisco VPN Clients Home Office CVPN 3002 Dial-Up Cable, DSL Cisco PIX 501 Internet Home Office Cable, DSL T1 Cisco 800 / uBR 900 Cisco 1700 Small Branch Office
CISCO Easy VPN Remotes CISCO Easy VPN Servers • Routers: • 800 Series • uBR900 Series • 1700 Series • Security Appliances: • PIX 501 • CVPN 3002 • Cisco VPN Client • Routers: • 1700 Series • 2600 Series • 3600 Series • 7100/7200 Series • Security Appliances: • PIX Firewall Series • CVPN 3000 Series Cisco Easy VPN Family Home Office Dial-Up Cable, DSL Internet Home Office Cable, DSL T1 Small Branch Office
Scalable Deployment & ManagementVPN Solution Cisco Easy VPN server on VPN gateway with security policy repository (Cisco CVPN 3000, Cisco IOS Router, PIX Firewall) Central Site HQ / ISP Cisco Easy VPN Remote and Server • Support for all Cisco VPN Clients • Dynamic policy updates, pushed to each CPE and clients • Dynamic VPN tunnels over static and dynamic WAN connections • Dynamic & static IP addresses Policy Updates Mobile Workers Internet Teleworkers VPN Tunnels Small Branch Office Configuration A Configuration A Configuration A Configuration A
Cisco Easy VPN Benefits 1. Remote CPE contact central site for authentication, & provide information Central Site Browser-based GUI on Cisco 800, 900, Cisco PIX 501 FW & CVPN 3002 Internet Cisco IOS Router, VPN Concentrator, PIX Firewall 2. Policy update delivered to designated CPE & PC clients Cisco 800, 900 Series Router, Cisco PIX 501 FW, CVPN 3002 3. VPN established from remote CPE/Client with new policy in place Cisco 1700, 2600, 3600 Series Router, Cisco PIX Firewall, CVPN 3002 • Support dynamic connections w/VPN • Availability • Lower cost connection for customers • More control by SP or Enterprise • Enable small or large deployments without user intervention • Simplified configuration during deployment • Automated initiation • Pre-configuration for faster uptime • Enforce consistent VPN Policy on all remote devices • Interoperability across Cisco access and security devices • No head end changes when adding extra devices
Cisco Easy VPN Remote Initiation on Cisco Routers & Security Appliances Crypto Ipsec 1p A Admin Configures Cisco Easy VPN Server Internet • 1. Configure Basic Connection • LAN Interface • WAN Interface • DNS Address • DHCP Address • NAT / PAT Configuration (optional) • 2. Configure Cisco Easy VPN Specifics • Mode (client or network ext.) • Peer address • VPN tunnel interface • Group name and password • User name and password Optional user initiation of Cisco Easy VPN Connection • Initiate Dynamic VPN • 100% pre-configured and automated initiation • Optional: admin final set upwith CLI, Telnet or console port • Optional: user final set up(Cisco 800 & uBR900, CVPN 3002 and Cisco PIX 501 FW only) • Group Name, Group Password, Peer IP Address, Host Name • Optional: dynamic/ongoing device authentication
Push VPN Policy with Cisco Easy VPN VPN functions are assigned IKE Mode Config Attributes; several parameters may be pushed at once Central Site HQ Teleworker / Small Branch Office SBO Internet Cisco 1700 Cisco Easy VPN Server on Central Site Gateways with security policy repository (Cisco CVPN 3000, Cisco IOS Router, Cisco PIX Firewall) Mobile Workers • Attributes • Internal IP Address • Internal NetMask • Internal DNS Server • Internal WINS Server • Split tunnel allowed when VPN tunnel is up (remote site traffic goes in the clear)
Simple Set with GUI – Example Cisco 800 Series Router Setting up Cisco Easy VPN Remote • Non-technical users can enable Easy VPN with simple login information provided by IT • No pre-configuration required, standard router configuration can be used Cisco Easy VPN Remote GUI support on Cisco 800, 900, Cisco PIX Firewalls, and CVPN 3002
Summary - Cisco Easy VPN Benefits • Streamlines VPN deployments for remote offices and teleworkers • Simplifies on-going VPN management • Ensures and applies up-to-date policies before connections are established • Removes complex remote-side administration burden • Provides a consistent policy, key management and system management approach for all Cisco VPN CPE devices – routers, security appliances and software clients
F0_7082_c2 11 © 2000, Cisco Systems, Inc.
Cisco Easy VPN Roadmap • Stateless failover via dead peer detection • Cisco Easy VPN Split tunneling (with tunnel up) and Cisco IOS Firewall enabled (available today with static configuration) • Easy VPN Split tunneling (with tunnel down) andCisco IOS Firewall enabled • Support for multiple VPN tunnels • User authentication for Cisco IOS routers