Network Bulls
www.networkbulls.com
Cisco VPN solutions provide an Internet-based WAN infrastructure for connecting branch
offices, home offices, business partner sites, and remote telecommuters to all or portions of
a company network. With cost-effective, high-bandwidth Internet connectivity that is
secured by encrypted VPN tunnels, you can reduce WAN bandwidth costs while increasing
connectivity speeds.
By integrating advanced network intelligence and routing, Cisco VPNs reliably transport
complex mission-critical traffic, such as voice and client-server applications, without
compromising communications quality or security.
VPNs and Their Benefits
A VPN is an encrypted connection between private networks over a public network such as
the Internet. The V stands for virtual, and the N stands for network. The information from
a private network is securely transported over a public network, the Internet, to form a
virtual network. The P stands for private. To remain private, the traffic is encrypted to keep
the data confidential. Instead of using a dedicated Layer 2 connection such as a leased line,
a VPN uses IPsec to form virtual connections that are routed through the Internet from the
private network of the company to the remote site or employee host. Figure 8-1 shows some
examples of using VPNs to connect different types of remote sites.
Figure 8-1 VPN Connectivity
[Figure not reproduced; its labels read: Legacy Concentrator, Legacy PIX Firewall, ASA, Business Partner with a Cisco Router, Mobile Worker with a Cisco VPN Client on a Laptop Computer, Corporate Main Site, Perimeter Router, POP, Regional Office with a PIX Firewall, SOHO with a Cisco ISDN/DSL Router, IPsec]
Introducing VPN Solutions 299
Benefits of VPNs include the following:
■ Cost savings: VPNs enable organizations to use cost-effective third-party Internet
transport to connect remote offices and remote users to the main corporate site, thus
eliminating expensive dedicated WAN links and modem banks. Furthermore, with the
advent of cost-effective high-bandwidth technologies, such as DSL, organizations can
use VPNs to reduce their connectivity costs while simultaneously increasing remote
connection bandwidth.
■ Security: VPNs provide the highest level of security by using advanced encryption and
authentication protocols that protect data from unauthorized access.
■ Scalability: VPNs enable corporations to use the Internet infrastructure within ISPs
and devices, which makes it easy to add new users. Therefore, corporations are able to
add large amounts of capacity without adding significant infrastructure.
■ Compatibility with broadband technology: VPNs allow mobile workers,
telecommuters, and people who want to extend their work day to take advantage of
high-speed, broadband connectivity, such as DSL and cable, to gain access to their
corporate networks, providing workers significant flexibility and efficiency.
Furthermore, high-speed broadband connections provide a cost-effective solution for
connecting remote offices.
Types of VPNs
There are two types of VPN networks:
■ Site-to-site
■ Remote-access, which includes these two types of VPN solutions:
— Cisco Easy VPN
— Cisco IOS IP Security (IPsec)/Secure Socket Layer (SSL) VPN, also
known as WebVPN
A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs connect
entire networks to each other. For example, they can connect a branch office network to a
company headquarters network. In the past, a leased line or Frame Relay connection
was required to connect sites, but because most corporations now have Internet access,
these connections can be replaced with site-to-site VPNs. Figure 8-2 shows an example of
a site-to-site VPN.
300 Chapter 8: Extending the Network into the WAN
Figure 8-2 Site-to-Site VPN
In a site-to-site VPN, hosts do not have Cisco VPN Client software; they send and receive
normal TCP/IP traffic through a VPN “gateway,” which could be a router, firewall, Cisco
VPN Concentrator, or Cisco ASA 5500 Series adaptive security appliance. The VPN
gateway is responsible for encapsulating and encrypting outbound traffic for all the traffic
from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN
gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts
the content, and relays the packet toward the target host inside its private network.
Remote access is an evolution of circuit-switching networks, such as plain old telephone
service (POTS) or ISDN. Remote-access VPNs can support the needs of telecommuters,
mobile users, and extranet consumer-to-business traffic. Remote-access VPNs connect
individual hosts that must access their company network securely over the Internet.
Figure 8-3 shows an example of a remote-access VPN.
In the past, corporations supported remote users by using dial-in networks and ISDN. With
the advent of VPNs, a mobile user simply needs access to the Internet to communicate with
the central office. In the case of telecommuters, their Internet connectivity is typically a
broadband, DSL, or cable connection.
In a remote-access VPN, each host typically has Cisco VPN Client software. Whenever the
host tries to send traffic, the Cisco VPN Client software encapsulates and encrypts that
traffic before sending it over the Internet to the VPN gateway at the edge of the target
network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.
[Figure 8-2 labels, figure not reproduced: Remote Site, DSL/Cable, Intranet, Extranet, Business-to-Business, Central Site, Internet, Router, POP]
Figure 8-3 Remote-Access VPN
When you are deploying VPNs for teleworkers and small branch offices, the ease of
deployment is increasingly important. Cisco Easy VPN makes it easier than ever to deploy
VPNs as part of a small, medium, or large enterprise network that has Cisco products. Cisco
Easy VPN is a cost-effective solution that is ideal for remote offices that have little
information technology support.
There are two components of Cisco Easy VPN:
■ Cisco Easy VPN Server: The server can be a dedicated VPN gateway such as a Cisco
VPN Concentrator, a Cisco PIX Firewall, a Cisco ASA adaptive security appliance, or
a Cisco IOS router with the firewall feature set. A VPN gateway that uses Cisco Easy
VPN Server software can terminate VPN tunnels that are initiated by mobile and
remote workers that run Cisco VPN Client software on PCs. A VPN gateway can also
terminate VPN tunnels from remote devices that act as Cisco Easy VPN remote nodes
in site-to-site VPNs.
■ Cisco Easy VPN Remote Clients: Cisco Easy VPN Remote Clients enable Cisco
IOS routers, PIX Firewalls, Cisco ASA adaptive security appliances, and Cisco VPN
Hardware Clients to receive security policies from a Cisco Easy VPN Server,
minimizing VPN configuration requirements at the remote location. Cisco Easy VPN
allows the VPN parameters, such as internal IP addresses, internal subnet masks,
DHCP server addresses, Microsoft Windows Internet Name Service (WINS) server
addresses, and split-tunneling flags (to allow local Internet access while connected to
the VPN), to be pushed from the Cisco Easy VPN Server to the remote device.
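The forwarding decision that the pushed split-tunneling flag implies, written out as an added Python example that is not part of the original text and not code from any Cisco product: a PushedPolicy holds the parameters listed above (internal address and mask, DNS and WINS servers, the split-tunnel flag and the list of networks it protects), and next_hop decides whether a packet from the remote host enters the tunnel or leaves the host in the clear. The class, function names and all address values are constructed for illustration.

```python
"""Model of the policy a Cisco Easy VPN Server pushes to a remote device and of
the forwarding decision the split-tunneling flag implies.

Added example, not code from the page or from Cisco; every value below is
constructed (documentation address ranges are used for the Internet side).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class PushedPolicy:
    """Parameters pushed from the server (hypothetical field names)."""
    internal_address: str          # address assigned to the remote host
    internal_mask: str
    dns_servers: list
    wins_servers: list
    split_tunnel: bool             # the split-tunneling flag
    protected_networks: list = field(default_factory=list)  # IPv4Network objects


def next_hop(policy, destination):
    """Return 'tunnel' or 'local' for a packet the remote host sends to destination.

    With split tunneling off, everything enters the tunnel and the central site
    is the only path to the Internet.  With it on, only destinations inside a
    protected network are encrypted; all other traffic leaves the host unencrypted
    via the local Internet connection.
    """
    dst = IPv4Address(destination)
    if not policy.split_tunnel:
        return "tunnel"
    if any(dst in net for net in policy.protected_networks):
        return "tunnel"
    return "local"


def clear_text_destinations(policy, destinations):
    """List the destinations a policy would send outside the tunnel."""
    return [d for d in destinations if next_hop(policy, d) == "local"]


# Constructed policies: one full-tunnel, one with split tunneling enabled.
FULL_TUNNEL = PushedPolicy(
    internal_address="10.10.10.5", internal_mask="255.255.255.0",
    dns_servers=["10.1.0.53"], wins_servers=["10.1.0.54"],
    split_tunnel=False)

SPLIT_TUNNEL = PushedPolicy(
    internal_address="10.10.10.5", internal_mask="255.255.255.0",
    dns_servers=["10.1.0.53"], wins_servers=["10.1.0.54"],
    split_tunnel=True,
    protected_networks=[IPv4Network("10.0.0.0/8"), IPv4Network("192.168.100.0/24")])

if __name__ == "__main__":
    sample = ["10.1.2.3", "192.168.100.9", "198.51.100.7", "203.0.113.10"]
    for name, policy in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, "-> in the clear:", clear_text_destinations(policy, sample))
```

Running the block against the same list of destinations under both policies shows at a glance what a given pushed policy leaves outside the tunnel, which is the review a defender wants before enabling the flag for a site.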
[Figure 8-3 labels, figure not reproduced: Remote-Access Client, DSL/Cable, Central Site, Router, POP, Extranet Consumer-to-Business, Telecommuter, Mobile, Internet]
Figure 8-4 shows how Cisco Easy VPN components provide the framework for VPN
connectivity to remote sites.
Figure 8-4 Cisco Easy VPN
Benefits
The following are benefits of Cisco Easy VPN:
■ Centrally stored configurations allow dynamic configuration of end-user policy and
require less manual configuration.
■ The local VPN configuration is independent of the remote peer IP address. This feature
allows the provider to change equipment and network configurations as needed, with
little or no reconfiguration of the end-user equipment.
■ Cisco Easy VPN provides centralized security policy management.
■ Cisco Easy VPN enables large-scale deployments with rapid user provisioning.
■ Cisco Easy VPN removes the need for end users to install and configure Cisco Easy
VPN Remote software on their PCs.
[Figure 8-4 labels, figure not reproduced: Home Office, Remote Office, Internet, Headquarters Workplace Resources, Easy VPN Clients, Easy VPN Server]
Restrictions
Implementing Cisco Easy VPN might not be appropriate for all networks because of
restrictions. The following restrictions apply to Cisco Easy VPN:
■ No manual Network Address Translation (NAT) or Port Address Translation (PAT)
configuration is allowed.
— Cisco Easy VPN Remote automatically creates the appropriate NAT or
PAT configuration for the VPN tunnel.
■ Only one destination peer is supported.
— Cisco Easy VPN Remote supports the configuration of only one
destination peer and tunnel connection.
— If an application requires the creation of multiple VPN tunnels, you must
manually configure the IPsec VPN and NAT and PAT parameters on both
the remote client and server.
■ Cisco Easy VPN requires destination servers.
— Cisco Easy VPN Remote requires that the destination peer be a Cisco
Easy VPN remote-access server.
■ Digital certificates are not supported.
— Authentication is supported using pre-shared keys (PSK).
— Extended Authentication (XAUTH) can also be used in addition to PSKs
to provide user-level authentication in addition to device-level
authentication.
■ Only Internet Security Association and Key Management Protocol (ISAKMP) policy
group 2 is supported on IPsec servers.
— Cisco VPN Client and server support only ISAKMP policies that use
group 2 (1024-bit Diffie-Hellman [DH]) Internet Key Exchange (IKE)
negotiation.
■ Some transform sets are not supported.
— The Cisco Easy VPN Remote feature does not support transform sets
that provide encryption without authentication (ESP-DES and ESP-3DES)
or transform sets that provide authentication without encryption
(ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC).
— Cisco VPN Client and server do not support Authentication Header (AH)
authentication but do support Encapsulating Security Payload (ESP).
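A compliance check for the restrictions above, as an added Python example that is not code from the page or from Cisco: parse_config reads the crypto isakmp policy and crypto ipsec transform-set lines of an IOS-style configuration (both configurations below are constructed for the example), and check_easy_vpn reports every setting the Easy VPN Remote feature would reject: certificate (rsa-sig) authentication instead of a pre-shared key, a Diffie-Hellman group other than 2, any AH transform, and transform sets that encrypt without authenticating or authenticate without encrypting. The function and set names are this example's own. Group 2 is 1024-bit MODP; the check treats it as a constraint of the feature, not as a recommended strength.

```python
"""Check IOS-style crypto configuration against the Cisco Easy VPN Remote
restrictions: PSK authentication only, DH group 2 only, ESP only (no AH), and
no encryption-only or authentication-only transform sets.

Added example, not code from the page or from Cisco; both configurations are
constructed for illustration.
"""
import re

# Constructed configuration that breaks every restriction at least once.
NONCOMPLIANT_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 5
crypto ipsec transform-set ENC-ONLY esp-3des
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
crypto ipsec transform-set WITH-AH ah-sha-hmac esp-aes
"""

# Constructed configuration that satisfies the restrictions.
COMPLIANT_CONFIG = """\
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set EZVPN-OK esp-aes esp-sha-hmac
"""

CIPHER_TRANSFORMS = {"esp-des", "esp-3des", "esp-aes"}      # esp-null is a null cipher
AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
SUPPORTED_DH_GROUP = "2"


def parse_config(text):
    """Return (policies, transform_sets).

    policies: {policy number: {keyword: value}} from the indented lines under
    each 'crypto isakmp policy N'.  transform_sets: {name: [transform tokens]},
    with numeric key-size tokens (the 256 in 'esp-aes 256') dropped.
    """
    policies, transform_sets, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = None
            transform_sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
            continue
        if raw.startswith(" ") and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    return policies, transform_sets


def check_easy_vpn(text):
    """Return a list of (where, finding) tuples; an empty list means compliant."""
    findings = []
    policies, transform_sets = parse_config(text)
    for number, policy in policies.items():
        where = f"isakmp policy {number}"
        if policy.get("authentication") != "pre-share":
            findings.append((where, "authentication must be pre-share (certificates are not supported)"))
        # IOS defaults to group 1 when no group line is present, so a missing
        # line is reported as well.
        if policy.get("group") != SUPPORTED_DH_GROUP:
            findings.append((where, f"DH group must be {SUPPORTED_DH_GROUP}"))
    for name, transforms in transform_sets.items():
        where = f"transform-set {name}"
        if any(t.startswith("ah-") for t in transforms):
            findings.append((where, "AH is not supported; use ESP"))
        has_cipher = any(t in CIPHER_TRANSFORMS for t in transforms)
        has_auth = any(t in AUTH_TRANSFORMS for t in transforms)
        if has_cipher and not has_auth:
            findings.append((where, "encryption without authentication"))
        if has_auth and not has_cipher:
            findings.append((where, "authentication without encryption"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(label, check_easy_vpn(cfg) or "no findings")
```

The parser only understands the two command families the restrictions mention, so real configurations with other crypto commands pass through untouched; the point is the mapping from each listed restriction to a concrete test on the running configuration.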