Example 7-10 Address Assignment from Local Pool
CiscoASA(config)# ip local pool vpnpool 10.10.200.1-10.10.200.254
CiscoASA(config)# tunnel-group NAC-Group general-attributes
CiscoASA(config-general)# address-pool vpnpool
Many large enterprises prefer to authenticate users on the external RADIUS servers, which can assign IP addresses to the client after successfully authenticating the users. Example 7-11 shows the configuration of the security appliance if RADIUS, set up as an authenticating device, is assigning the IP address.
Example 7-11 Address Assignment from an AAA Server
CiscoASA(config)# aaa-server Radius protocol radius
CiscoASA(config-aaa-server-group)# exit
CiscoASA(config)# aaa-server Radius (inside) host 10.10.20.181
CiscoASA(config-aaa-server-host)# key cisco123cisco
CiscoASA(config-aaa-server-host)# exit
CiscoASA(config)# vpn-addr-assign aaa
Note - If all three methods are configured for address assignment, the security appliance prefers RADIUS over DHCP and an address pool. If the Cisco security appliance cannot get an address from the RADIUS server, it contacts the DHCP server for address allocation. If that method fails as well, the security appliance checks the local address pool as the last resort.
Step 8: Defining the IPSec Policy
An IPSec transform set specifies the encryption and hashing method to be used on the data packets when the tunnel is up. To configure the transform set, use the following command syntax:
crypto ipsec transform-set transform-set-tag {esp-3des | esp-aes | esp-aes-192 | esp-aes-256 | esp-des | esp-md5-hmac | esp-null | esp-none | esp-sha-hmac}
Note - If the security appliance does not have a license for the VPN-3DES-AES feature, the security appliance allows DES encryption only for ISAKMP and IPSec policies. Administrators can now obtain a 3DES-AES license free from the Cisco website. The software download page includes instructions for obtaining the license.
In Example 7-12, the security appliance CiscoASA is set up for AES-256 encryption and SHA hashing. The transform set name is myset.
Example 7-12 Transform Set Configuration
CiscoASA(config)# crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
Step 9: Setting Up a Dynamic Crypto Map
VPN clients often get dynamic IP addresses from their ISPs. Therefore, it is impossible to statically map their IP addresses in the group settings. The Cisco security appliance solves this problem by allowing configuration of a dynamic crypto map. Example 7-13 demonstrates the configuration of the Cisco security appliance to use the defined transform set. The dynamic crypto map name is dynmap, and it is configured with a sequence number of 10. Setting up a transform set in a dynamic crypto map is a required attribute. The dynamic crypto map becomes incomplete if no transform set is applied to it.
Example 7-13 Dynamic Crypto Map Configuration
CiscoASA(config)# crypto dynamic-map dynmap 10 set transform-set myset
Step 10: Configuring the Crypto Map
The dynamic map is associated with a crypto map entry, which is eventually applied to the interface terminating the IPSec tunnels. Example 7-14 shows crypto map configuration on the CiscoASA security appliance. The crypto map name is IPSec_map, and the sequence number is 65535.
Example 7-14 Crypto Map Configuration
CiscoASA(config)# crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
The Cisco security appliance limits you to one crypto map per interface. If there is a need to configure multiple VPN tunnels, use the same crypto map name with a different sequence number. However, the security appliance evaluates a VPN tunnel with the lowest sequence number first.
Step 11: Applying the Crypto Map to an Interface
The next step in setting up a remote-access tunnel is to bind the crypto map to an interface. In Example 7-15, the crypto map, IPSec_map, is applied to the outside interface of the security appliance.
Example 7-15 Applying a Crypto Map to the Outside Interface
CiscoASA# configure terminal
CiscoASA(config)# crypto map IPSec_map interface outside
Step 12: Configuring Traffic Filtering
If you trust all your private networks, including all your remote VPN clients, you can configure the security appliance to permit all decrypted IPSec packets to pass through it without inspecting them against the configured ACL. This is done with the use of the sysopt connection permit-vpn command, as shown in Example 7-16.
Example 7-16 sysopt Configuration to Bypass Traffic Filtering
CiscoASA(config)# sysopt connection permit-vpn
If NAT is configured on the security appliance but you do not want to change the source IP address of traffic going over the VPN tunnel, you need to configure NAT exempt rules. You must create an access list to specify what traffic the NAT engine should bypass. Example 7-17 shows an access list that permits the VPN traffic from 10.10.0.0/16 to the pool of addresses in 10.10.200.0/24.
Example 7-17 Access List to Bypass NAT
CiscoASA(config)# access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.200.0 255.255.255.0
After defining the access list, the next step is to configure the nat 0 command. Example 7-18 demonstrates how to configure the nat 0 statement if the private LAN that is being protected is toward the inside interface.
Example 7-18 Configuration of NAT 0 Access List
CiscoASA(config)# nat (inside) 0 access-list nonat
VPN Configuration on the Cisco VPN Client
The VPN client is set up identically to the process discussed in Chapter 6 in the section "VPN Configuration on the Cisco VPN client." Refer to Chapter 6 for configuration assistance with the VPN client.
NAC Configuration on the Cisco Security Appliances
This section discusses the configuration of NAC-related parameters on the security appliances. These parameters are applied after a VPN tunnel is established. The following four steps are required in configuring NAC on the security appliances:
Step 1 Set up the NAC global parameters.
Step 2 Configure NAC authentication.
Step 3 Enable NAC on user groups.
Step 4 Configure the NAC exception list.
This section discusses these configuration steps.
Step 1: Setting Up NAC Global Parameters
The first step in setting up NAC on the security appliances is to ensure that the global NAC parameters are properly configured. You can modify the default values of these parameters from the global configuration mode, as shown in Example 7-19, by using the eou commands.
Example 7-19 Available EOU Parameters in Global Configuration Mode
CiscoASA(config)# eou ?
configure mode commands/options:
  allow       Enable/Disable clientless authentication
  clientless  Clientless host configuration
  max-retry   Set maximum number of times an EAP over UDP message is retransmitted
  port        Set EAP over UDP port number
  timeout     Set EAP over UDP timeout values
In Example 7-20, some of the NAC EAP over UDP (EOU) parameters are modified from their default values. The Retransmission Timer is modified from 3 seconds to 5 seconds. When the security appliance sends an EOU packet to the VPN client, it waits for 5 seconds before resending another request. This way, the VPN clients that use dialup connections to connect to the Internet can reply to the security appliance within a reasonable time. If a response is not received, the security appliance sends another request and starts the retransmission timer. The security appliance sends the EAPoUDP packets three times (eou max-retry 3) before failing the communication and initiating the hold timer. The hold time of 180 seconds ensures that no EAPoUDP requests are sent to the VPN client for 180 seconds (3 minutes). As soon as this timer expires, the security appliance initiates EAPoUDP communication with the VPN client and goes through the process discussed in Chapter 6 in the section "Architectural Overview of NAC on Cisco VPN 3000 Concentrators." EAPoUDP communication is done on UDP port 21862. It is recommended that you not change this port unless there is a port conflict in your network.
Example 7-20 Modifying EOU Parameters
CiscoASA(config)# eou max-retry 3
CiscoASA(config)# eou port 21862
CiscoASA(config)# eou timeout retransmit 5
CiscoASA(config)# eou timeout hold-period 180
For agentless hosts, you can enable the clientless authentication and specify a username and password. The user authentication credential is sent to the RADIUS server for proper action, such as applying appropriate ACLs or requesting an audit server to scan the host. In Example 7-21, a clientless user named clientless is set up with a password of cisco123cisco. It is recommended that clientless machines such as guest hosts and contractors' computers not be given access to the trusted network of the company. Therefore, the RADIUS server can send a downloadable ACL to be applied to the VPN clients that do not have a CTA agent installed.
Example 7-21 EOU Clientless Authentication
CiscoASA(config)# eou allow clientless
CiscoASA(config)# eou clientless username clientless
CiscoASA(config)# eou clientless password cisco123cisco
If clientless authentication is not enabled, the security appliance applies a default ACL, discussed in Step 3. Traffic from the VPN client is subject to this ACL based on its permit and deny entries. The active VPN clients are periodically challenged, at the interval set by the hold timer, to determine whether posture validation can be done on the client machine.
Additionally, you can use Adaptive Security Device Manager (ASDM) to manage a security appliance. ASDM provides an easy-to-navigate graphical interface to set up and monitor the different features that a Cisco security appliance provides. You can configure the NAC global parameters under Configuration > VPN > NAC, as shown in Figure 7-3.
Figure 7-3 NAC Global Parameters in ASDM
Step 2: Configuring NAC Authentication
For NAC posture validation, a RADIUS server must be defined under the tunnel group. The RADIUS server is available only for the remote-access tunnel groups: IPSec and L2TP over IPSec. If you don't define at least one RADIUS server for the NAC posture-validation process, the sessions will not get authenticated. A RADIUS server is mapped to the tunnel group by using the nac-authentication-server-group command followed by the server tag name. In Example 7-22, the RADIUS server group named Radius is mapped to the NAC-Group tunnel group.
Example 7-22 NAC Authentication Using RADIUS
CiscoASA(config)# tunnel-group NAC-Group general-attributes
CiscoASA(config-tunnel-general)# nac-authentication-server-group Radius
In ASDM, the NAC authentication can be configured under the Authentication tab of the Edit Tunnel Group window by navigating to Configuration > VPN > General > Tunnel Group, as shown in Figure 7-4.
Figure 7-4 NAC Authentication in ASDM
Step 3: Enabling NAC on a User Group-Policy
When a VPN tunnel is established, the security appliance initiates the posture-validation process. During this process, a default ACL is applied on the users to restrict traffic. The security appliance also applies this default ACL if the EAPoUDP communication fails between the client and the ACS server. The purpose of this default ACL is to ensure that remote users do not send unnecessary traffic until their posture is fully validated. You want this ACL to be as restrictive as possible. Therefore, it is recommended that you configure the appropriate inbound and outbound access-control entries (ACEs) to pass necessary packets and deny all other traffic passing through the security appliance. As shown in Example 7-23, an ACL is defined to allow the remote-access users to communicate with the ACS server and the DNS server, and vice versa. All other communication is dropped by the implicit deny of an ACL. This ACL is mapped to the NAC process under the user group-policy by using the nac-default-acl command. The user group-policy name is SecureMeGrp.
Example 7-23 Default ACL for NAC
CiscoASA(config)# access-list NAC-default permit ip host 10.10.20.181 10.10.200.0 255.255.255.0
CiscoASA(config)# access-list NAC-default permit udp any eq 53 10.10.200.0 255.255.255.0
CiscoASA(config)# access-list NAC-default permit ip 10.10.200.0 255.255.255.0 host 10.10.20.181
CiscoASA(config)# access-list NAC-default permit udp 10.10.200.0 255.255.255.0 any eq 53
CiscoASA(config)# group-policy SecureMeGrp attributes
CiscoASA(config-group-policy)# nac-default-acl value NAC-default
Note - The NAC default ACL should allow traffic to pass from the VPN clients to the DNS server, and vice versa.
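Because the NAC default ACL and the NAT-exempt ACL both rely on first-match evaluation with an implicit deny at the end, it is worth checking them against sample flows before deploying. The following Python script is an added example, not part of the book or of Cisco's software: it parses the access-list lines from Examples 7-17 and 7-23 (only the syntax subset those examples use: any, host, address plus subnet mask, and an optional eq port) and evaluates constructed flows against them. The client address 10.10.200.5, the DNS server 10.10.20.25, the internal host 10.10.10.50 and the port numbers are assumed sample values chosen to fall inside or outside the ranges on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access-list lines from Examples 7-17 and 7-23.
ACL_LINES = [
    "access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.200.0 255.255.255.0",
    "access-list NAC-default permit ip host 10.10.20.181 10.10.200.0 255.255.255.0",
    "access-list NAC-default permit udp any eq 53 10.10.200.0 255.255.255.0",
    "access-list NAC-default permit ip 10.10.200.0 255.255.255.0 host 10.10.20.181",
    "access-list NAC-default permit udp 10.10.200.0 255.255.255.0 any eq 53",
]


@dataclass(frozen=True)
class Flow:
    proto: str                 # a concrete protocol such as "udp" or "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]       # "eq N" after the source address, else None
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # "eq N" after the destination address, else None


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA ACLs use ordinary subnet masks, which ipaddress accepts as "addr/mask".
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq N' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acls(lines):
    """Return {acl_name: [Ace, ...]} with entries kept in configuration order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        name, i = tok[1], 2
        if tok[i] == "extended":
            i += 1
        action, proto, i = tok[i], tok[i + 1], i + 2
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, flow):
    """First matching ACE decides; a flow matching no ACE hits the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != flow.sport:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    # Constructed flows from a VPN client in the vpnpool range (10.10.200.0/24).
    samples = [
        Flow("udp", "10.10.200.5", "10.10.20.25", 40000, 53),    # DNS query
        Flow("udp", "10.10.20.25", "10.10.200.5", 53, 40000),    # DNS reply
        Flow("tcp", "10.10.200.5", "10.10.20.181", 40001, 443),  # anything to the ACS host
        Flow("tcp", "10.10.200.5", "10.10.10.50", 40002, 80),    # internal host: implicit deny
    ]
    for f in samples:
        print(f"NAC-default {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}: "
              f"{evaluate(acls['NAC-default'], f)}")
    print("nonat 10.10.5.10 -> 10.10.200.5:",
          evaluate(acls["nonat"], Flow("tcp", "10.10.5.10", "10.10.200.5", 1000, 445)))
```

Running the script shows the DNS query, the DNS reply and the connection to the ACS host permitted by the NAC-default ACL, while the connection to the internal host falls through to the implicit deny; for the nonat ACL, LAN-to-pool traffic is matched (and therefore exempted from NAT) while traffic to any other destination is not. Any new ACE you add to the default ACL can be checked the same way before it widens the pre-posture-validation reach of a client.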
The security appliance supports two timers after successfully completing posture validation for the VPN clients. Both of these timers are configured under the user group-policy, as shown in Example 7-24: