Cisco VPN Configuration Guide

Table of Contents:

Chapter 1     Introduction to VPN Technologies

1.1        Policy-Based vs Route-Based VPN

1.2        Policy-Based VPN (Traditional IPSEC VPN)

1.2.1          What is IPSEC

1.2.2          How IPSEC Works

1.2.3          Site-to-Site and Hub-and-Spoke IPSEC VPN

1.2.4          Remote Access IPSEC VPN

1.3        Route-Based VPN

1.3.1          VPN using GRE

1.3.1.1      GRE vs IPSEC

1.3.2          VPN using Virtual Tunnel Interface (VTI)

1.3.2.1      Static VTI

1.3.2.2      Dynamic VTI

1.4        Dynamic Multipoint VPN (DMVPN)

1.5        SSL-Based VPNs (WebVPN)

1.5.1          Types of SSL-Based VPNs

1.5.2          Comparison between SSL VPN Technologies

1.5.3          Overview of AnyConnect VPN Operation

1.6        Practical Applications for each VPN Type

1.6.1          Policy-Based (Traditional IPSEC) VPN Applications

1.6.2          Route-Based GRE VPN Applications

1.6.3          Route-Based VTI VPN Applications

1.6.4          Dynamic Multipoint VPN Applications

Chapter 2     VPN Configuration on Cisco Routers

2.1        Policy-Based VPN Configuration on Cisco Routers

2.1.1          Site-to-Site IPSEC VPN

2.1.1.1      Site-to-Site IPSEC VPN with Dynamic IP

2.1.2          Hub-and-Spoke IPSEC VPN

2.1.3          Remote Access IPSEC VPN

2.1.4          Site-to-Site and Remote Access IPSEC VPN on the Same Device

2.2        Route-Based VPN Configuration on Cisco Routers

2.2.1          Site-to-Site VPN Using GRE with IPSEC Protection

2.2.2          Hub-and-Spoke VPN Using GRE with IPSEC Protection

2.2.3          VPN Using Static Virtual Tunnel Interface (SVTI)

2.2.4          VPN Using Dynamic Virtual Tunnel Interface (DVTI)

2.3        Dynamic Multipoint VPN (DMVPN)

2.4        PPTP VPN

Chapter 3     VPN Configuration on ASA Firewalls

3.1        Policy-Based VPN Configuration on Cisco ASA

3.1.1          Site-to-Site IPSEC VPN

3.1.1.1      Restricting IPSEC VPN Traffic between the Two Sites

3.1.2          Hub-and-Spoke IPSEC VPN with Dynamic IP Spoke

3.1.2.1      Spoke-to-Spoke Communication via the Hub ASA

3.1.3          IPSEC VPN between Cisco ASA and Cisco Router

3.1.4          Remote Access IPSEC VPN

3.1.5          Hub-and-Spoke and Remote Access VPN on the Same Device

3.1.5.1      Enable Remote Users to Access Spoke Sites through the Hub

3.1.6          Site-to-Site IPSEC VPN with Failover using Backup ISP

3.1.7          Site-to-Site IPSEC VPN with Duplicate Subnets - Example 1

3.1.8          Site-to-Site IPSEC VPN with Duplicate Subnets - Example 2

3.2        SSL-Based VPN Configuration on Cisco ASA

3.2.1          AnyConnect SSL Web VPN

3.3        VPN Authentication using External Server

3.3.1          VPN Authentication using Microsoft Active Directory

3.3.2          VPN Authentication using RADIUS or TACACS

3.3.3          VPN Authentication using RSA

Chapter 4     Complete Configuration Examples

4.1        Complete VPN Configurations on Cisco Routers

4.1.1          Site-to-Site IPSEC VPN

4.1.2          Site-to-Site IPSEC VPN with Dynamic IP

4.1.3          Hub-and-Spoke IPSEC VPN - Static IP Spokes

4.1.4          Hub-and-Spoke IPSEC VPN - Dynamic IP Spoke

4.1.5          Remote Access IPSEC VPN

4.1.6          Site-to-Site and Remote Access IPSEC VPN on the Same Device

4.1.7          Site-to-Site VPN using GRE with IPSEC Protection

4.1.8          Hub-and-Spoke VPN using GRE with IPSEC Protection

4.1.9          Hub-and-Spoke VPN using DVTI and SVTI

4.1.10       Dynamic Multipoint VPN (DMVPN)

4.1.11       Point-to-Point Tunnelling Protocol (PPTP)

4.2        Complete VPN Configurations on Cisco ASA

4.2.1          Site-to-Site IPSEC VPN

4.2.2          Hub-and-Spoke IPSEC VPN with Dynamic IP Spoke

4.2.3          IPSEC VPN between Cisco ASA and Cisco Router

4.2.4          Remote Access IPSEC VPN on Cisco ASA

4.2.5          Hub-and-Spoke and Remote Access VPN on the Same Device

4.2.6          Site-to-Site IPSEC VPN with Failover using Backup ISP

4.2.7          Site-to-Site IPSEC VPN with Duplicate Subnets - Example 1

4.2.8          Site-to-Site IPSEC VPN with Duplicate Subnets - Example 2

4.2.9          AnyConnect SSL Web VPN