Understanding Cisco Easy VPN
Easy VPN Remote
Cisco Easy VPN Remote enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 series hardware/software clients to act as remote VPN Clients. They receive security policies from an Easy VPN Server. This minimizes the need for manual configuration tasks. Easy VPN Remote provides for automated, centralized management of the following:
- Tunnel parameter negotiation (addresses, algorithms, and duration)
- Tunnel establishment according to set parameters
- Automatic creation of Network Address Translation (NAT) and Port Address Translation (PAT) as well as any needed access control lists (ACL)
- User authentication
- Security key management for encryption and decryption
- Tunneled data authentication, encryption, and decryption
Easy VPN Remote supports three modes of operation:
- Client—Specifies that NAT or PAT be used so that end stations at the remote end of the VPN tunnel do not use IP addresses in the space of the destination server. The needed security associations (SA) are created automatically for IP addresses assigned to remote hosts.
- Network Extension—Specifies that remote-end hosts use IP addresses that are fully routable and reachable by the destination network over the tunnel connection so that they form a single logical network. In such cases, PAT is not used, to allow remote-end PCs direct access to destination network services and applications.
- Network Extension Plus—Identical to Network Extension mode with the additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface. The IPsec SAs for this IP address are automatically created.
Client mode is relatively simple and is used on a regular basis in countless deployments.
In Figure 16-1, the hosts at the teleworker's home are all addressed with RFC 1918 addresses, as are the destination resources at the corporate office site. RFC 1918 addresses are not routable across the public Internet; NAT/PAT allows them to be translated so that traffic can be carried across it. With the VPN connection running in Client mode, the customer premises equipment (CPE) translates the teleworker hosts' addresses to the single address that the Easy VPN Server assigns to it during mode configuration, so the corporate office site sees only that address and the hosts behind the CPE are not individually reachable from the corporate side.
Network Extension mode is very similar in concept to Client mode; the difference is that the CPE does not apply PAT, so the teleworker subnet itself is carried over the tunnel. As long as the addresses in the teleworker subnet are fully routable and unique within the corporate infrastructure, Figure 16-1 can also be said to be an example of Network Extension mode. If they are not unique, a NAT/PAT operation will have to be performed at the VPN Server to pass traffic into the corporate network and back to the teleworker premises.
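The following Cisco IOS configuration is an added example for the three modes described above and for the Client mode and Network Extension mode scenarios of Figure 16-1; it is not configuration from this book. The router, group and interface names, the 192.168.10.0/24 home LAN, the 203.0.113.10 server address and the key placeholder are all assumptions for illustration.

```text
! Easy VPN Remote profile on the teleworker router (assumed names/addresses)
crypto ipsec client ezvpn TELEWORKER
 connect auto
 ! Group name and group pre-shared key must match the Easy VPN Server.
 ! The group key is shared by every remote in the group, so it only
 ! identifies the group; per-user authentication comes from Xauth below.
 group EZVPN-GROUP key <group-preshared-key>
 ! Client mode: the router PATs the home LAN behind the address the
 ! server assigns; the corporate side sees only that address.
 mode client
 ! Alternatives for the same profile:
 !  mode network-extension   (home LAN routed as-is, no PAT; addresses
 !                            must be unique within the corporate plan)
 !  mode network-plus        (as above, plus a server-assigned address
 !                            placed on a loopback interface)
 peer 203.0.113.10
 ! Prompt the user for Xauth credentials when the tunnel is brought up
 ! rather than storing a username/password in the configuration.
 xauth userid mode interactive
!
! Outside interface faces the Internet, inside interface faces the home LAN
interface FastEthernet4
 ip address dhcp
 crypto ipsec client ezvpn TELEWORKER outside
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn TELEWORKER inside
```

To check the result, `show crypto ipsec client ezvpn` reports the negotiated mode and the address pushed by the server; in Client mode `show ip nat translations` shows the PAT entries the router created automatically for the home LAN hosts, which is exactly what is absent when the profile is changed to `mode network-extension`. Switching to Network Extension mode is only safe when 192.168.10.0/24 is unique in the corporate address plan and the Easy VPN Server has a route back to it over the tunnel.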