
Enterprise Class Teleworker (ECT) Solution

Cisco Enterprise Class Teleworker: Remote Access with EasyVPN in Client Mode

This document shows how a subset of Enterprise Class Teleworker (ECT) can be deployed for remote access with EasyVPN in client mode, together with firewall, NAT, QoS and 802.1x. Wireless and Cisco Authentication Proxy are shown as well.

Introduction

With Cisco Easy VPN in "client mode" configuration, the entire LAN behind the EasyVPN Client undergoes NAT to the IP address that is pushed down by the EasyVPN Server. In this mode there is no need to manage the IP address space of the local LAN behind the remote access router: all routers can be configured with the same local DHCP server pool. When Easy VPN runs in client mode, once the IPSec tunnel is established a loopback interface is dynamically configured and assigned one IP address from the pool defined on the EasyVPN server. This pool needs to be routable to the corporate network.
Access to the intranet and the Internet is provided in split-tunnel mode, where only corporate traffic is routed through the tunnel. Split tunneling is optional and is enabled on the EasyVPN server; it means that all non-corporate traffic is sent directly to the Internet, which lightens the load on the VPN head end.
With release 12.4(11)T2, only audio calls are supported with this solution. Cisco 7960 IP Phones were used to test this solution. Support for Skinny Client Control Protocol (SCCP) video calls will be added in an upcoming Cisco IOS release.
The remote access solution described in this document, based on EasyVPN in client mode, corresponds to a subset of the Enterprise Class Teleworker (ECT) solution, which is deployed by many customers and within Cisco for teleworking.
The Cisco Enterprise Class Teleworker (ECT) solution is an integral part of the Cisco Service Oriented Network Architecture (SONA) framework, which guides customers toward an Intelligent Information Network (IIN) in their enterprises.
Based on the SONA and IIN framework, the Cisco Enterprise Class Teleworker (ECT) Solution is a highly scalable Cisco IOS Software solution that securely integrates the network infrastructure, management infrastructure, managed services, and applications across the entire enterprise: LAN, WAN, branch, and teleworker locations. The key differentiator of the ECT Solution is the integration of Cisco IOS Software, managed services, and applications on the same CPE.
Cisco has successfully deployed the ECT Solution internally, increasing productivity and improving efficiency while enabling seamless "zero-touch deployment", manageability, and low-to-negative Total Cost of Ownership (TCO). Both enterprises and service providers can leverage the ECT Solution to offer the benefits of network services to their end users and customers while maintaining an effective ROI.
Please visit http://cisco.com/go/ect for detailed and updated information about ECT.

Network Architecture

Figure 1 shows the ECT network topology that is deployed internally at Cisco. To harden this solution further, besides regular lab regression testing, solution-level tests are run on a "live alpha network" made up of Cisco employees who have a Cisco 871 router for teleworking. This "live lab" network runs a superset of the minimum set of features needed for remote access. With ECT it is recommended to have three tunnels available for any remote router:

• one to access the management network

• one for primary data traffic

• one for failover

PKI is recommended instead of pre-shared keys for ISAKMP, as it is more secure and easier to manage, but PSK works perfectly well in technical terms.
Cisco recommends a management tool for large enterprise provisioning: the Cisco Security Manager. It allows zero-touch deployments from the administrator's perspective and makes day-to-day, ongoing management very convenient, as it provides a framework for easily and quickly updating security policies for thousands of remote routers from a central point.
From Cisco's internal ECT deployment experience, it is clear that Quality of Service (QoS) is absolutely necessary to provide a good end-user experience, as it allows a user to be on a call while uploading or downloading files.

Figure 1. ECT Network Topology

Platforms and Images Used in EasyVPN Client Mode

EasyVPN client: Cisco 871W
EasyVPN server: Cisco 3845 with an AIM-VPN/SSL-3 encryption card.
EasyVPN client mode with NAT audio support is available in Cisco IOS Software Release 12.4(15)T and later.

Configuration of the Remote Access Cisco 871 Router

The Easy VPN client configuration, including firewall, NAT, 802.1x and QoS, is provided below. This is a sample configuration, and it needs to be customized with your own corporate servers.
QoS shaping keeps the voice quality clear for the end user under normal usage: simultaneously receiving and sending email, sharing applications, and web browsing.

DVTI

Cisco Enhanced Easy VPN is a newer method of configuring Easy VPN that uses a Dynamic Virtual Tunnel Interface (DVTI) instead of the crypto map used by traditional Easy VPN. DVTI can be used on both the Easy VPN Server and Easy VPN Remote routers. DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IPSec configuration and any Cisco IOS Software feature configured on the virtual template interface, such as QoS, Network Address Translation (NAT), Context-Based Access Control (CBAC) firewall, NetFlow, or access control lists (ACLs).
Using DVTI simplifies the VPN configuration, supports per-session features, and allows tunnel-specific features to be applied, which simplifies deployment and management of the solution.
Please note the following regarding the 871 Cisco router EasyVPN client shown below:

• To add wireless support to the 871 router, see the additional configuration lines further below.

• The four 871 switch ports FastEthernet0 to FastEthernet3 are configured so that hosts with an 802.1x supplicant (client), or Cisco IP phones, gain corporate network access. The voice VLAN feature of 802.1x automatically detects Cisco IP phones, bypasses 802.1x authentication for that device, and puts the phone in the voice VLAN. Other phones can be bypassed manually with a MAC-bypass configuration. Devices with no 802.1x supplicant (guests, spouse and kids) are put in the guest VLAN and have Internet connectivity only.

• For QoS, replace the end-user ISP uplink speed in the "shape average" line of the shaper policy map below (the line is flagged with a comment in the configuration). The ISP uplink speed can be determined by running a public Internet speed-testing tool.

• The client is configured with a default peer and a backup-peer. If the default peer goes down, the backup-peer becomes the active one. When the default peer comes back up, it will become the active server again. If the default keyword is not used, the backup-peer will remain the active server.

!!! Create VLANs
vlan 20
vlan 30
!
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service sequence-numbers
!
!!! Encrypt the EasyVPN passwords/keys with AES (type 6) for extra security
key config-key password-encrypt <your-own-password>
password encryption aes
!
hostname EasyVPN-client-vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 50000
enable secret 0 <secretpassword>
!
aaa new-model
!
aaa group server radius dot1x-aaa
server-private <rad-ip> auth-port 1812 acct-port 1813 key <rad-key>
ip radius source-interface Vlan20
!
aaa authentication login default local
aaa authentication dot1x default group dot1x-aaa
aaa authorization exec default local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
ip cef
!
ip dhcp pool CORPORATE_Pool
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
option 150 ip <corporate-tftpserver-for-callManager>
netbios-name-server <corporate-netbios>
dns-server <corporate-dns-servers>
update arp
lease 33
!
ip dhcp pool GUEST_Pool
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
lease 33
!
ip dhcp pool CORPORATE_VOICE_Pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
option 150 ip <corporate-tftpserver-for-callManager>
netbios-name-server <corporate-netbios>
dns-server <corporate-dns-servers>
update arp
lease 33
!
ip tftp source-interface Vlan20
no ip bootp server
!!! use your company domain name
ip domain name cisco.com
no ip domain lookup
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall streamworks
ip inspect name firewall esmtp
ip inspect name firewall sip
ip inspect name firewall skinny
!
!! Enable 802.1x globally
dot1x system-auth-control
!
username debuguser secret 0 debugonly
!
!! These are the QoS matching classes (match statements for the same class name are merged by IOS)
class-map match-any call-setup
match ip dscp af31
match ip dscp af32
match ip dscp cs3
match ip precedence 3
class-map match-any internetwork-control
match ip dscp cs6
match access-group name control_acl
match access-group name isakmp_acl
match ip precedence 6
match ip precedence 7
class-map match-any voice
match ip dscp ef
match ip dscp cs5
match ip precedence 5
match access-group name voice_acl
class-map match-all discover_signaling
match protocol skinny
class-map match-all discover_video
match protocol rtp video
class-map match-all discover_voip
match protocol rtp audio
class-map match-any video
match access-group name video_acl
match ip dscp af41
match ip precedence 4
class-map match-all non_voip
match access-group name non_voip_traffic_acl
!
!!! Marking traffic with correct DSCP values - after the discovery is done with NBAR
policy-map mark_incoming_traffic
class discover_signaling
set dscp cs3
class discover_video
set dscp af41
class discover_voip
set dscp ef
class non_voip
set dscp default
!
policy-map voice_and_video
class voice
bandwidth 128
class call-setup
priority percent 5
class internetwork-control
priority percent 5
class video
!!! Video set for 384 kbps - this is set on the Call Manager
priority 384
class class-default
fair-queue
random-detect
policy-map shaper
class class-default
!!! enter here the user ISP uplink speed for shaping
shape average 600000 6000
service-policy voice_and_video
!
ip access-list extended isakmp_acl
permit udp any any eq isakmp
ip access-list extended voice_acl
permit udp any any range 24576 24656
ip access-list extended non_voip_traffic_acl
permit ip any any
ip access-list extended video_acl
permit udp any any eq 5445
permit udp any any range 2326 2373
!
crypto ipsec client ezvpn vpnserver
connect auto
group <easyvpn-group> key <EzVPNkey>
mode client
peer <enter-your-easyvpn-server-ip-here> default
peer <backup-peer>
virtual-interface 1
username <EzVPNuser> password <EzVPNpassword>
xauth userid mode local
!
interface FastEthernet0
switchport access vlan 20
switchport voice vlan 1
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 20
switchport voice vlan 1
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 20
switchport voice vlan 1
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 20
switchport voice vlan 1
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 30
spanning-tree portfast
!
interface FastEthernet4
description *** Outside - WAN side - Interface
!!! WAN address is obtained from the ISP via DHCP; enter a static address here if your ISP assigns one
ip address dhcp
ip access-group firewall_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
fair-queue
no cdp enable
crypto ipsec client ezvpn vpnserver
!
interface Vlan1
description *** Corporate-access Voice Vlan Interface ***
ip address 192.168.1.1 255.255.255.0
ip access-group allow_skinny_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip inspect firewall in
ip virtual-reassembly
ip tcp adjust-mss 1360
no autostate
crypto ipsec client ezvpn vpnserver inside
!
interface Vlan20
description *** Corporate-access Vlan Interface ***
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nat inside
ip inspect firewall in
ip virtual-reassembly
ip tcp adjust-mss 1360
no autostate
crypto ipsec client ezvpn vpnserver inside
service-policy input mark_incoming_traffic
!
interface Vlan30
description *** Guest/Family Vlan Interface ***
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect firewall in
ip virtual-reassembly
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
service-policy output shaper
!
no ip http server
no ip http secure-server
!
ip nat inside source list nat_acl interface FastEthernet4 overload
!
ip access-list extended allow_skinny_acl
permit udp any any eq bootps
permit udp any any range bootps bootpc
permit udp any host <corporate-tftpserver-for-callManager> eq tftp
permit udp any host <corporate-tftpserver-backup> eq tftp
permit udp any host <corporate-dns-server> eq domain
permit tcp any any eq 2000
permit udp any any range 24576 24656
permit udp any any eq 5445
permit udp any any range 2326 2373
permit tcp any host <directory-services-server> eq www
permit tcp any host <phone-services-server> eq www
deny ip any any
!
ip access-list extended control_acl
permit udp any eq isakmp any eq isakmp
!
ip access-list extended firewall_acl
permit esp any any
permit udp any any eq isakmp
permit udp any eq isakmp any
permit udp any eq non500-isakmp any
permit udp any any eq bootpc
deny ip any any
!
ip access-list extended nat_acl
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.30.0 0.0.0.255 any
!
end
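As an added check, not part of the original document, the following script audits the 871 configuration above against the points listed before it: AES-encrypted EasyVPN credentials, 802.1x with guest-VLAN fallback on every switch port, a hardened WAN interface, and an explicit deny at the end of the WAN ACL. The block-splitting parser is a minimal one written for this page, it assumes the indentation of a normal running-config (which the listing above has lost), and CONFIG is a constructed excerpt of that configuration.

```python
# Added example, not part of the original document: audits the 871 configuration above
# against its checklist (AES-encrypted keys, 802.1x with guest-VLAN fallback on each
# switch port, hardened WAN interface, deny-all tail on the WAN ACL). Assumes
# running-config indentation; CONFIG is a constructed excerpt of that configuration.
CONFIG = """\
password encryption aes
interface FastEthernet0
 dot1x port-control auto
 dot1x guest-vlan 30
!
interface FastEthernet4
 ip access-group firewall_acl in
 ip nat outside
 no cdp enable
 crypto ipsec client ezvpn vpnserver
!
ip access-list extended firewall_acl
 permit esp any any
 permit udp any any eq isakmp
 deny ip any any
"""

def parse_blocks(text):
    """Map each top-level command to its indented sub-commands; 'global' holds all top-level lines."""
    blocks, current = {"global": []}, "global"
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank line or separator
        if line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks["global"].append(current)
            blocks.setdefault(current, [])
    return blocks

def audit(text, lan_ports=range(4)):
    """Return findings; an empty list means the configuration meets every check."""
    b = parse_blocks(text)
    required = {"global": ["password encryption aes"],
                "interface FastEthernet4": ["ip access-group firewall_acl in", "ip nat outside",
                                            "no cdp enable", "crypto ipsec client ezvpn vpnserver"]}
    for i in lan_ports:  # every 802.1x edge port must also fall back to the guest VLAN
        required[f"interface FastEthernet{i}"] = ["dot1x port-control auto", "dot1x guest-vlan 30"]
    findings = [f"{blk}: missing '{cmd}'" for blk, cmds in required.items()
                for cmd in cmds if cmd not in b.get(blk, [])]
    acl = b.get("ip access-list extended firewall_acl", [])
    if not acl or not acl[-1].startswith("deny ip any any"):
        findings.append("firewall_acl does not end with 'deny ip any any'")
    return findings
```

Run it against a saved `show running-config` of the router (all four switch ports present) with `audit(open("running-config.txt").read())`; the excerpt above only carries FastEthernet0, so pass `lan_ports=[0]` when auditing CONFIG itself.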

Wireless

EAP-PEAP provides secure, easy-to-deploy, centralized authentication using Cisco Secure Access Control Server (ACS) with RADIUS. This is the additional 871 configuration that enables wireless:
vlan 21
!
interface Vlan21
no ip address