
15.06.2009



CSP VPN Gate 3.0

CSP RVPN 3.0

CSP VPN Gate CSM

CSP VPN Gate


Cisco Security Manager
CSM ... 3
... 4
Site to Site VPN ... 5
Interfaces ... 6
Platform ... 6
... 8
... 9

CSP VPN Gate

Copyright S-Terra CSP 2003 -2009

CSP VPN Gate CSM


CSP VPN Gate CSP RVPN
, ,
CSP
VPN Gate CSP VPN Gate, .
Cisco Security Manager 3.2 (CSM), Cisco Security
Management Suite,
CSP VPN Gate.
CSM CSP VPN
Gate 3.0. CSP VPN Gate CSM
.
Cisco Security Management Suite Cisco MARS
.

CSM
CSM (Cisco Security
Manager Client).
CSP VPN Gate is managed from CSM over SSH.
CSM supports SSH versions 1 and 2; SSH 2 is used.
SSL, CSM , .
Set the CSM transport protocol to SSH:
Tools -> Security Manager Administration
Device Communication
Transport Protocol (IOS Router): SSH
Save, Close
The device is then added with Add Device From
Network (File -> New Device -> Add Device From Network).
,
and its policies are discovered in CSM (Policy -> Discover Policies on Device).
CSM Cisco
Router 2811 IOS v.12.4(13a).

,
, ,
CSP VPN Gate.
CSM,
CSP VPN Gate.



Firewall
Access Rules.
Access Rules /
:
Source, Destination, Subnet
IP-
UDP TCP
.

:

ICMP ,
ICMP
( Services),
UDP TCP (,
HTTP HTTPS, SNMP SNMP-TRAP).
.
, (,
HTTP, IPSec-ESP, SNMP) ,
;

:
ICMP
UDP TCP :


any

lt, gt, neq. eq
, .
Access Rule
Advanced:
Traffic Direction In ( :
,
);
: Enable Logging
(IOS), Options (IOS) Fragment Established ..


Site to Site VPN


Site to Site VPN :
(Hub and Spoke VPN)
- (Point to Point VPN)
(Full Mesh VPN).
Hub and Spoke VPN
.
IPSec Technology Regular IPSec (GRE
).
Site to Site
VPN. Edit VPN Policies.
IKE Proposal
In the IKE Proposal, Authentication can be
Certificate or Preshared Key;
GOST R 34.11-94 and GOST 28147-89
are specified as Hash MD5 and Encryption
DES respectively.
IPSec Proposal
IPSec Transform Sets
: ESP Hash AH Hash
MD5, ESP Encryption DES
, Compression

Reverse Route.
Public Key Infrastructure
Authentication Certificate CA PKI Enrollment/CA Information -(Enter
Manually)
SCEP
enrollment,
. , ,
CSM
Authentication Certificate
Revocation Check Support: Checking Not Performed, CRL Check
Required, CRL Check Attempted.
OCSP Check .
VPN Global Settings
ISAKMP Settings / IPSec Settings
ISAKMP Settings :
/ Enable Keepalive
Interval Retry, Periodic (Router
except 7600)
Identity
.
IPSec Settings :
/ Enable Lifetime
Lifetime sec. Lifetime Kbytes


.
NAT Settings
General Settings/ Fragmentation Settings
DF Bit
Enable Fragmentation before
Encryption VPN
,
IPsec .
, CSM
,
.

Interfaces
Interfaces Cisco-.
CSM . ,
Internal External .
:
, Device
Properties
Policy Object Overrides -> Interface Roles.

Platform
Platform.
Device Admin :
Accounts and Credentials
Device Access
Hostname
Accounts and Credentials
Enable Password
Encryption Service
Device Access / SNMP
Permissions
:
;
Read-Write, Read-Only
Access Control Lists
Trap Receiver
:
Configure Traps
SNMP traps,
cs_console, CSM, snmp-server enable traps


Trap Receiver
SNMP Version 3. 1
2c.
Logging
Logging Setup
/ Enable Logging.

Trap / Trap Level
: Logging Buffer, Rate Limit, Origin Id
.
Syslog Servers

Forward Messages in XML
Format.
Routing Static Routing:
Static Routing
Permanent route
Distance Metric.



1. , CSP VPN
Gate CSM, .
,
, CSM CSP
VPN Gate.
, , CSM
,
, ip local pool crypto
isakmp policy.
,
CSM .
, , :
CSM
CSM
- FullMesh, Hub and Spoke, Point to Point
, , SSH

, , identity .
CSM,

.
, ,
crypto isakmp client configuration address-pool local, CSM
.
2. .

: CSM ,
, , VPN Topology,
( Deploy)
. , , -
,
CSM. :
crypto isakmp
identity dn
CSM, VPN Global Settings Identity
Distinguished Name
CSM crypto isakmp
identity
VPN Topology
, crypto isakmp
identity address ( ),
, .
3. CSP VPN Gate Rollback,
,
(Tools / Configuration Archive).


CSP VPN Gate 3.0.


.
.

Cisco Security Manager


(ip ), Cisco
Security Manager, .

CSP VPN Gate CSM


CSP VPN Gate CSM
Choose File -> New Device:
Add Device From Network
Identity: IP Type, IP Address, Display Name (
), OS Type.
In the example: IP Type Static, IP Address 10.0.34.11, OS Type IOS.
Discover Device Settings
.
Primary Credentials: Username, Password
( ) and Confirm.
, Enable Password
and Confirm.
In the example: Username cscons, Password csp, Confirm
csp.
HTTP Credentials:
HTTP Port 80, HTTPS Port 443, Mode HTTPS.
Finish.

The second CSP VPN Gate, with IP address 10.0.34.12, is added the same way.


Site to Site VPN
Create a Site to Site VPN of type Point to Point VPN,
IPSec Technology: Regular IPSec (Fig. 1).

Figure 1
Select the devices that form the VPN: CSP VPN Gate 10.0.34.11 and CSP
VPN Gate 10.0.34.12 (Fig. 2).




Set the VPN Interface and Protected Networks:
VPN Interface: FastEthernet0/0,
Peer IP Address: VPN Interface IP Address,
Protected Networks: FastEthernet0/1
(Fig. 3).

Figure 3
Click Finish. The VPN is now listed in Cisco Security Manager
under Devices (Fig. 4).


Figure 4
Open Edit VPN Policies; in the Site-to-Site VPN Manager (Fig. 5), under VPNs,
configure:
IKE Proposal
IPSec Proposal
Preshared Key
VPN Global Settings
, Public Key Infrastructure.


IKE
IKE proposal parameters: , ; ; ; Diffie-Hellman group; SA lifetime.
Values used in the example (Fig. 6):
Priority: 10
Encryption Algorithm: des, which on
CSP VPN Gate corresponds to
GOST 28147-89.
Hash Algorithm: MD5, which on
CSP VPN Gate corresponds to
GOST R 34.11-94.
Modulus Group: 2 (Diffie-Hellman Group 2)
Lifetime: 3600 s.
Authentication Method: Preshared Key


IPSec
IPSec proposal:
Transform Set (Fig. 7)

Figure 7
Mode: tunnel


ESP Encryption: des, which on
CSP VPN Gate corresponds to
GOST 28147-89.
ESP Hash Algorithm: md5, which on
CSP VPN Gate corresponds to
GOST R 34.11-94.
Then (Fig. 8):
Crypto Map Type: Static
Enable Perfect Forward Secrecy, Modulus
Group 2.
Lifetime: 3600 s.
Lifetime: 4608000 kbytes


Preshared Key
.
Negotiation Method: Main Mode Address. Main Mode
Address Type: Peer Address (Fig. 9).


VPN Global Settings

In VPN Global Settings, ISAKMP/IPSec Settings
(Fig. 10):
ISAKMP Settings:
Enable Keepalive
Keepalive Interval, Retry
Identity: Address
IPSec Settings:
Enable Lifetime
Lifetime: 3600 s,
4608000 kbytes

Figure 10



General Settings (Fig. 11)
Fragmentation Settings:
Fragmentation Mode (IOS): No Fragmentation
DF Bit: Copy
Enable Split Tunneling

Figure 11


VPN Summary
The VPN settings for CSP VPN Gate are shown in
VPN Summary (Fig. 12).

Figure 12

The configuration that will be sent to the device can be checked with Tools -> Preview Configuration.
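As an added example (not part of the original manual, and not CSM output or S-Terra code), the Python script below shows a check a practitioner can run over the text that Tools -> Preview Configuration displays before clicking Deploy. The embedded configuration is a hand-written, IOS-style approximation of such a preview for the 10.0.34.11 gateway, constructed for this example only; the transform-set and crypto-map names, the keepalive timer values and the access-list number are assumptions. The check compares the preview against the policies configured above (identity address, keepalive, des/md5 proposals, DH group 2, PFS group 2, 3600 s / 4608000 kbytes lifetimes, peer 10.0.34.12) and also translates the des/md5 names into the GOST algorithms that CSP VPN Gate actually uses for them, so that a reviewer does not mistake the preview for a DES/MD5 tunnel.

```python
"""Pre-deployment check of an IOS-style configuration preview.

Added example: the configuration text and every name in it are constructed
for illustration; this is not CSM output and not S-Terra code.
"""

# Constructed approximation of a Tools -> Preview Configuration text for the
# 10.0.34.11 gateway (names, keepalive timers, ACL number are assumptions).
SAMPLE_PREVIEW = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ****** address 10.0.34.12
crypto isakmp identity address
crypto isakmp keepalive 10 3
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec transform-set CSM_TS_1 esp-des esp-md5-hmac
 mode tunnel
crypto map CSM_MAP 1 ipsec-isakmp
 set peer 10.0.34.12
 set transform-set CSM_TS_1
 set pfs group2
 match address 100
interface FastEthernet0/0
 ip address 10.0.34.11 255.255.255.0
 crypto map CSM_MAP
"""

# What the IKE, IPSec and VPN Global Settings policies above should produce.
EXPECTED = {
    "isakmp_encryption": "des", "isakmp_hash": "md5",
    "isakmp_auth": "pre-share", "isakmp_group": "2",
    "isakmp_lifetime": "3600", "identity": "address", "keepalive": True,
    "sa_seconds": "3600", "sa_kilobytes": "4608000",
    "transform_set": ("esp-des", "esp-md5-hmac"),
    "pfs": "group2", "peer": "10.0.34.12",
}

# On CSP VPN Gate these IOS names select GOST algorithms (see the IKE and
# IPSec proposal sections); on a real IOS router they would mean DES and MD5.
GOST_ALIASES = {"des": "GOST 28147-89", "esp-des": "GOST 28147-89",
                "md5": "GOST R 34.11-94", "esp-md5-hmac": "GOST R 34.11-94"}

# Sub-commands of "crypto isakmp policy" and the key each one fills in.
POLICY_KEYS = {"encryption": "isakmp_encryption", "hash": "isakmp_hash",
               "authentication": "isakmp_auth", "group": "isakmp_group",
               "lifetime": "isakmp_lifetime"}


def parse_preview(text):
    """Pull the VPN-relevant settings out of an IOS-style configuration."""
    found = {"keepalive": False, "transform_set": (), "peer": None}
    block = None  # top-level command that owns the following indented lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if not raw.startswith(" "):
            block = line
            if line.startswith("crypto isakmp identity "):
                found["identity"] = words[3]
            elif line.startswith("crypto isakmp keepalive"):
                found["keepalive"] = True
            elif line.startswith("crypto ipsec security-association lifetime "):
                found["sa_" + words[4]] = words[5]  # sa_seconds / sa_kilobytes
            elif line.startswith("crypto ipsec transform-set "):
                found["transform_set"] = tuple(words[4:])
        elif block is not None and block.startswith("crypto isakmp policy"):
            key = POLICY_KEYS.get(words[0])
            if key:
                found[key] = words[1]
        elif block is not None and block.startswith("crypto map"):
            if words[:2] == ["set", "peer"]:
                found["peer"] = words[2]
            elif words[:2] == ["set", "pfs"]:
                found["pfs"] = words[2]
    return found


def check_preview(text, expected=EXPECTED):
    """List every setting that differs from expected; empty means OK to Deploy."""
    found = parse_preview(text)
    return [f"{key}: expected {want!r}, preview has {found.get(key)!r}"
            for key, want in expected.items() if found.get(key) != want]


def effective_algorithms(found, target="csp-vpn-gate"):
    """Algorithm names as the target device will actually interpret them."""
    names = [found.get("isakmp_encryption"), found.get("isakmp_hash"),
             *found.get("transform_set", ())]
    if target == "csp-vpn-gate":
        return [GOST_ALIASES.get(n, n) for n in names]
    return names


if __name__ == "__main__":
    settings = parse_preview(SAMPLE_PREVIEW)
    print("mismatches:", check_preview(SAMPLE_PREVIEW) or "none")
    print("on CSP VPN Gate:", effective_algorithms(settings))
    print("same text on IOS:", effective_algorithms(settings, target="ios"))
```

Run it against the text copied from the preview window; an empty mismatch list means the preview carries the parameters configured in the VPN policies. The check also catches the identity problem described in the notes above: a preview containing `crypto isakmp identity dn` instead of `crypto isakmp identity address` is reported as a mismatch rather than deployed.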



Open Tools -> Deployment Manager (Fig. 13) and click Deploy.

Figure 13
, (Fig.
14). CSM ,
, .

Figure 14

After Deploy,
. ,
(Fig. 15),
.

Figure 15
