Table Of Contents
Setting General VPN Parameters
Configuring VPNs in Single, Routed Mode
Configuring IPSec to Bypass ACLs
Permitting Intra-Interface Traffic
NAT Considerations for Intra-Interface Traffic
Setting Maximum Active IPSec VPN Sessions
Configuring Client Update
Setting General VPN Parameters
The security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. It includes the following sections:
• Configuring VPNs in Single, Routed Mode
• Configuring IPSec to Bypass ACLs
• Permitting Intra-Interface Traffic
• Setting Maximum Active IPSec VPN Sessions
• Configuring Client Update
Configuring VPNs in Single, Routed Mode
VPNs work only in single, routed mode. VPN functionality is unavailable in configurations that include either security contexts, also referred to as multi-mode firewall, or Active/Active stateful failover.
The exception to this caveat is that you can configure and use one connection for administrative purposes to (not through) the security appliance in transparent mode.
Configuring IPSec to Bypass ACLs
To permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces, enter the sysopt connection permit-ipsec command in global configuration mode.
You might want to bypass interface ACLs for IPSec traffic if you use a separate VPN concentrator behind the security appliance and want to maximize security appliance performance. The more secure alternative is to create an ACL that permits only the IPSec packets you expect, using the access-list command, and apply it to the source interface: an ACL lets you specify exactly which traffic is allowed through the security appliance, whereas sysopt connection permit-ipsec admits everything that arrives over a tunnel without consulting the ACLs of the source or destination interface. To remove the bypass, use the no form of the command.
The syntax is sysopt connection permit-ipsec. The command has no keywords or arguments.
The following example enables IPSec traffic through the security appliance without checking ACLs:
hostname(config)# sysopt connection permit-ipsec
Permitting Intra-Interface Traffic
The security appliance includes a feature that lets a VPN client send IPSec-protected traffic to another VPN user by allowing such traffic in and out of the same interface. Also called "hairpinning", this feature can be thought of as VPN spokes (clients) connecting through a VPN hub (security appliance).
In another application, this feature can redirect incoming VPN traffic back out through the same interface as unencrypted traffic. This would be useful, for example, to a VPN client that does not have split tunneling but needs to both access a VPN and browse the Web.
Figure 24-1 shows VPN Client 1 sending secure IPSec traffic to VPN Client 2 while also sending unencrypted traffic to a public Web server.
Figure 24-1 VPN Client Using Intra-Interface Feature for Hairpinning
To configure this feature, use the same-security-traffic command in global configuration mode with its intra-interface argument.
The command syntax is same-security-traffic permit {inter-interface | intra-interface}.
The following example shows how to enable intra-interface traffic:
hostname(config)# same-security-traffic permit intra-interface
Note
You use the same-security-traffic command, but with the inter-interface argument, to permit communication between interfaces that have the same security level. This feature is not specific to IPSec connections. For more information, see the "Configuring Interface Parameters" chapter of this guide.
To use hairpinning, you must apply the proper NAT rules to the security appliance interface, as discussed in the following section.
NAT Considerations for Intra-Interface Traffic
For the security appliance to send unencrypted traffic back out through the interface, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses (unless you already use public IP addresses in your local IP address pool). The following example applies an interface PAT rule to traffic sourced from the client IP pool:
hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100
hostname(config)# global (outside) 1 interface
hostname(config)# nat (outside) 1 192.168.0.0 255.255.255.0
When the security appliance sends encrypted VPN traffic back out this same interface, however, NAT is optional. The VPN-to-VPN hairpinning works with or without NAT. To apply NAT to all outgoing traffic, implement only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example above) that implement NAT exemption for VPN-to-VPN traffic, such as:
hostname(config)# access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
hostname(config)# nat (outside) 0 access-list nonat
For more information on NAT rules, see the "Applying NAT" chapter of this guide.
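To check the settings from the two preceding sections on a saved running-config rather than by eye, here is an added example that is not part of the Cisco guide: a small Python audit that reads a constructed configuration excerpt (hypothetical hostname asa1 and pools clientpool and adminpool) and reports whether sysopt connection permit-ipsec is bypassing interface ACLs, whether same-security-traffic permit intra-interface is enabled, what vpn-sessiondb max-session-limit is set to, and, for each ip local pool, whether a dynamic nat rule with a matching global covers the pool (so cleartext hairpin traffic is translated) and whether a nat 0 access-list exemption covers pool-to-pool traffic. It understands only the command forms shown in this chapter (basic nat and global syntax, permit ip ACL entries with netmasks).

```python
"""Audit an ASA 7.x-style running-config excerpt for the VPN parameters
described in this chapter.  Added example; not Cisco code."""
import ipaddress
import re

# Constructed running-config excerpt for a hypothetical device (not a real capture).
SAMPLE_CONFIG = """\
hostname asa1
same-security-traffic permit intra-interface
sysopt connection permit-ipsec
ip local pool clientpool 192.168.0.10-192.168.0.100
ip local pool adminpool 10.9.9.1-10.9.9.20
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
global (outside) 1 interface
nat (outside) 0 access-list nonat
nat (outside) 1 192.168.0.0 255.255.255.0
vpn-sessiondb max-session-limit 450
"""


def _net(addr, mask):
    """Build a network from the 'address netmask' notation ASA uses."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pools(cfg):
    """ip local pool NAME FIRST-LAST  ->  {NAME: (first, last)}"""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        name, first, last = m.groups()
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def parse_nat(cfg, iface):
    """Return (dynamic rules, nat-0 exemption ACL names, global ids) for one interface.
    Only the basic forms from this chapter are handled: 'nat (IF) ID NET MASK',
    'nat (IF) 0 access-list ACL' and 'global (IF) ID ...'."""
    dynamic, exempt = [], []
    for m in re.finditer(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$", cfg, re.M):
        rule_iface, nat_id, a, b = m.groups()
        if rule_iface != iface:
            continue
        if nat_id == "0" and a == "access-list":
            exempt.append(b)
        else:
            dynamic.append((nat_id, _net(a, b)))
    global_ids = {m.group(1) for m in
                  re.finditer(rf"^global \({re.escape(iface)}\) (\d+) ", cfg, re.M)}
    return dynamic, exempt, global_ids


def acl_covers_pool_to_pool(cfg, acl, pool):
    """True if ACL has a 'permit ip' entry whose source and destination both contain the pool."""
    first, last = pool
    pat = rf"^access-list {re.escape(acl)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)"
    for m in re.finditer(pat, cfg, re.M):
        src, dst = _net(m.group(1), m.group(2)), _net(m.group(3), m.group(4))
        # A contiguous range is inside a network iff both of its endpoints are.
        if all(ip in src and ip in dst for ip in (first, last)):
            return True
    return False


def audit(cfg, iface="outside"):
    """Collect the chapter's settings into a dict of findings."""
    findings = {
        "intra_interface": bool(re.search(r"^same-security-traffic permit intra-interface$", cfg, re.M)),
        "acl_bypass": bool(re.search(r"^sysopt connection permit-ipsec$", cfg, re.M)),
        "max_sessions": None,
        "pools": {},
    }
    m = re.search(r"^vpn-sessiondb max-session-limit (\d+)$", cfg, re.M)
    if m:
        findings["max_sessions"] = int(m.group(1))
    dynamic, exempt, global_ids = parse_nat(cfg, iface)
    for name, (first, last) in parse_pools(cfg).items():
        # Cleartext hairpin traffic is only usable if the pool is translated on the way out.
        translated = any(first in net and last in net and nat_id in global_ids
                         for nat_id, net in dynamic)
        exempted = any(acl_covers_pool_to_pool(cfg, acl, (first, last)) for acl in exempt)
        findings["pools"][name] = {"nat": translated, "vpn_to_vpn_exempt": exempted}
    return findings


def report(findings):
    """Turn findings into the warnings an operator would want to read."""
    msgs = []
    if findings["acl_bypass"]:
        msgs.append("sysopt connection permit-ipsec: decrypted IPSec traffic bypasses interface ACLs")
    if not findings["intra_interface"]:
        msgs.append("hairpinning disabled: same-security-traffic permit intra-interface is missing")
    for name, st in findings["pools"].items():
        if findings["intra_interface"] and not st["nat"]:
            msgs.append(f"pool {name}: no dynamic NAT/PAT with a matching global covers it; "
                        "cleartext hairpin traffic would leave untranslated")
        if st["nat"] and not st["vpn_to_vpn_exempt"]:
            msgs.append(f"pool {name}: VPN-to-VPN traffic is also translated (no nat 0 exemption)")
    if findings["max_sessions"] is None:
        msgs.append("no vpn-sessiondb max-session-limit; the platform maximum applies")
    return msgs


if __name__ == "__main__":
    for line in report(audit(SAMPLE_CONFIG)):
        print(line)
```

On the sample above the audit flags the ACL bypass and the untranslated adminpool; clientpool passes both the NAT and the exemption checks. Feed it the output of show running-config to check a real device, keeping in mind that nat lines with extra options (dns, norandomseq, connection limits) are not parsed by this minimal version.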
Setting Maximum Active IPSec VPN Sessions
To limit VPN sessions to a lower value than the security appliance allows, enter the vpn-sessiondb max-session-limit command in global configuration mode.
• This command applies to all types of VPN sessions, including WebVPN.
• This limit affects the calculated load percentage for VPN Load Balancing.
The syntax is vpn-sessiondb max-session-limit {session-limit}.
The following example shows how to set a maximum VPN session limit of 450:
hostname(config)# vpn-sessiondb max-session-limit 450
Configuring Client Update
The client update feature lets administrators at a central location automatically notify VPN client users when it is time to update the VPN client software and the VPN 3002 hardware client image.
To configure client update, enter the client-update command in tunnel-group ipsec-attributes configuration mode. If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update. You can specify up to 4 client update entries.
The command syntax follows:
client-update type type {url url-string} {rev-nums rev-nums}
no client-update [type]
Syntax Description
rev-nums rev-nums
    Specifies the software or firmware images for this client. Enter up to 4, separated by commas.
type
    Specifies the operating systems to notify of a client update. The list of operating systems comprises the following:
    • Windows: all Windows-based platforms
    • WIN9X: Windows 95, Windows 98, and Windows ME platforms
    • WinNT: Windows NT 4.0, Windows 2000, and Windows XP platforms
    • vpn3002: VPN 3002 hardware client
url url-string
    Specifies the URL for the software/firmware image. This URL must point to a file appropriate for the client.
The following example configures client update parameters for the remote-access tunnel-group called remotegrp. It designates the revision number 4.6.1 and the URL for retrieving the update, which is https://support/updates.
hostname(config)# tunnel-group remotegrp type ipsec_ra
hostname(config)# tunnel-group remotegrp ipsec-attributes
hostname(config-ipsec)# client-update type windows url https://support/updates/ rev-nums 4.6.1