Configuring VPN Client Remote Access

CHAPTER 8 Configuring VPN Client Remote Access

This chapter describes PIX Firewall configuration procedures that are specific to implementing remote access VPNs. It also provides configuration examples using the VPN software clients supported by PIX Firewall.

PIX Firewall can function as an Easy VPN Server in relation to an Easy VPN Remote device, such as a PIX 501 or PIX 506/506E, or in relation to Cisco VPN software clients. When used as an Easy VPN Remote device, the PIX Firewall can push VPN configuration to the VPN client or Easy VPN Remote device, which greatly simplifies configuration and administration. For information about configuring a PIX 501 or PIX 506/506E as an Easy VPN Remote device, refer to Chapter 5, "Using PIX Firewall in SOHO Networks."

This chapter includes the following sections:

- Supporting Clients with Dynamic Addresses
- Configuring Extended Authentication (Xauth)
- Assigning IP Addresses to VPN Clients with IKE Mode Config
- Cisco VPN 3000 Client Version and Cisco VPN Client Version
- Cisco Secure VPN Client Version
- Xauth with RSA Ace Server and RSA SecurID
- Configuring L2TP with IPSec in Transport Mode
- Windows 2000 Client with IPSec and L2TP
- Using PPTP for Remote Access

Supporting Clients with Dynamic Addresses

Dynamic crypto maps are frequently used with Internet Key Exchange (IKE) to negotiate SAs with remote access VPN clients.
Dynamic crypto maps are used to negotiate SAs for connections initiated from an external network for peers that do not have a known IP address. After successful IKE authentication, the client connection request is processed using a dynamic crypto map that is configured to set up SAs without requiring a known IP address. A dynamic crypto map entry is essentially a crypto map entry that does not specify the identity of the remote peer. It acts as a template, where the missing parameters are dynamically assigned based on the IKE negotiation. Only the transform set is required to configure a dynamic crypto map entry. Cisco
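
The difference between a static and a dynamic crypto map entry, shown as a PIX Firewall configuration. This is an added example, not taken from the original chapter. The names myset, mymap and dynmap, access list 101, the peer 192.0.2.10 and the 10.x networks are constructed values, and the IKE (isakmp) policy is assumed to be configured already. Lines starting with a colon are comments.

```cisco
: Constructed values: myset, mymap, dynmap, ACL 101, 192.0.2.10, 10.1.1.0, 10.2.2.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac

: Static entry (sequence 10): the peer and the protected traffic are fixed in advance.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 192.0.2.10
crypto map mymap 10 set transform-set myset

: Dynamic entry: no "set peer" and no "match address"; only the transform set is given.
: The missing parameters are assigned from the IKE negotiation with the client.
crypto dynamic-map dynmap 10 set transform-set myset

: Reference the dynamic map from the static map with a higher sequence number than
: every static entry, so that known peers are matched by their own entries first.
crypto map mymap 20 ipsec-isakmp dynamic dynmap

: Apply the crypto map to the interface on which client connections arrive.
crypto map mymap interface outside
```

Because the dynamic entry accepts a peer at any address, the client's identity is established only by IKE authentication and, where configured, by Xauth as covered later in this chapter.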