Summary of content included on page 1
CHAPTER 17
Configuring Virtual Private Networks
The Cisco VPN Client for Cisco Unified IP Phones adds another option for customers attempting to
solve the remote telecommuter problem by complementing other Cisco remote telecommuting offerings.
• Easy to Deploy—All settings are configured via CUCM administration.
• Easy to Use—After the phone has been configured within the enterprise, the user can take it home and plug
it into their broadband router for instant connectivity, without navigating any difficult menus.
Summary of content included on page 2
Configuring the VPN Feature

Table 17-1 VPN Configuration Checklist
Configuration Steps / Notes and Related Procedures

Step 1: Set up the VPN concentrators for each VPN Gateway.
  Notes: For configuration information, refer to the documentation for the VPN concentrator, such as the following:
  • SSL VPN Client (SVC) on ASA with ASDM Configuration Example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml
No
Summary of content included on page 3
IOS configuration requirements

Table 17-1 VPN Configuration Checklist
Configuration Steps / Notes and Related Procedures

Step 6: Add the VPN Group and VPN Profile to a Common Phone Profile.
  Notes: In Cisco Unified Communications Manager Administration, choose Device > Device Settings > Common Phone Profile. For more information, see the “Common Phone Profile Configuration” chapter in the Cisco Unified Communications Manager Administration Guid
Summary of content included on page 4
Configuring IOS for VPN client on IP phone

   router(config-if)# duplex auto
   router(config-if)# speed auto
   router(config-if)# no shutdown
   router# show ip interface brief        (shows a summary of the interfaces)

b. Configure static and default routes.

   router(config)# ip route <network> <mask> <gateway_ip>

   Example:
   router(config)# ip route 10.10.10.0 255.255.255.0 192.168.1.1

Step 2 Generate and register the necessary certificates for Cisco Unified Commu
Summary of content included on page 5
Sample IOS configuration summary

   Router(config)# crypto key generate rsa general-keys label <label>
   Router(config)# crypto pki trustpoint <trustpoint-name>
   Router(ca-trustpoint)# enrollment selfsigned
   Router(ca-trustpoint)# fqdn <fqdn>
   Router(ca-trustpoint)# subject-name CN=<...>, CN=<...>
   Router(ca-trustpoint)# authorization username subjectname commonname
   Router(ca-trustpoint)# crypto pk
Summary of content included on page 6

aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
aaa authorization exec default local
!
aaa session-id common
!
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki token default removal timeout 0
!
!
!--- Define trustpoints
crypto pki trustpoint iosrcdnvpn-cert
 enrollment selfsigned
 serial-number
 subject-name cn=iosrcdnvpn-cert
 r
Summary of content included on page 7

 hidekeys
username admin privilege 15 password 0 vpnios
username test privilege 15 password 0 adgjm
username usr+ privilege 15 password 0 adgjm
username usr# privilege 15 password 0 adgjm
username test2 privilege 15 password 0 adg+jm
username CP-7962G-SEP001B0CDB38FE privilege 15 password 0 adgjm
!
redundancy
!
!
!--- Configure interface. Generally one interface to internal network and one outs
Summary of content included on page 8

 ip address 10.89.79.140 port 443
 ! ssl configuration
 ssl encryption aes128-sha1
 ssl trustpoint iosrcdnvpn-cert
 inservice
!
! webvpn context for User and Password authentication
webvpn context UserPasswordContext
 title "User-Password authentication"
 ssl authenticate verify all
 !
 !
 policy group UserPasswordGroup
   functions svc-enabled
   hide-url-bar
   timeout idle 3600
   svc
Summary of content included on page 9

   authentication certificate
 ca trustpoint CiscoMfgCert
 inservice
!
end

ASA configuration requirements

Before you create an ASA configuration for the VPN client on an IP phone, complete the following steps:

Step 1 Install ASA software (version 8.0.4 or later) and a compatible ASDM.
Step 2 Install a compatible AnyConnect package.
Step 3 Activate the license.
  a. Show the features of the current license.
     show activation-ke
Summary of content included on page 10
Configuring ASA for VPN client on IP phone

• CallManager - Authenticates the Cisco UCM during the TLS handshake (only required for mixed-mode clusters).
• Cisco_Manufacturing_CA - Authenticates IP phones with a Manufacturer Installed Certificate (MIC).
• CAPF - Authenticates IP phones with a Locally Significant Certificate (LSC).

To import these Cisco Unified Communications Manager certificates:
  a. From the Cisco Unified Communications Manager OS Administration web page
Summary of content included on page 11
Sample ASA configuration summary

Copy the text from the terminal, save it as a .pem file, and upload it to the Certificate Management page of CUCM.

Step 3 Configure the VPN feature. You can use the Sample ASA configuration summary below to guide your configuration.

Note: To use the phone with both certificate and password authentication, create a user with the phone MAC address. Username matching is case sensitive. For exa
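The IOS sample on the preceding pages authenticates the phone by certificate (ssl authenticate verify all, authentication certificate against the CiscoMfgCert trustpoint) and takes the username from the certificate's subject CN (authorization username subjectname commonname); the note above adds that the resulting username is matched case-sensitively. The Go program below is an added example, not code from the Cisco guide, that shows the two decisions a gateway makes in that flow: chain the client certificate to the trusted manufacturer CA, then look up the exact CN in the local user list. The CA and phone certificates are constructed at run time as stand-ins for Cisco_Manufacturing_CA and a phone MIC, and the names testPKI, issue, issuePhoneCert and authorizePhone are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl with parent, or self-signs when
// parent is nil. This is fixture code for constructed certificates, so it panics.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// testPKI is a constructed stand-in for the Cisco_Manufacturing_CA trustpoint.
// A real gateway imports Cisco's CA certificate (PEM) instead of generating one.
type testPKI struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	roots  *x509.CertPool
	serial int64
}

func newTestPKI() *testPKI {
	ca, key := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Test Manufacturing CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &testPKI{caCert: ca, caKey: key, roots: pool, serial: 1}
}

// issuePhoneCert mimics a phone MIC: the subject CN carries the model and
// "SEP"+MAC, the form the page's IOS sample uses as the phone's username.
func (p *testPKI) issuePhoneCert(cn string) *x509.Certificate {
	p.serial++
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, p.caCert, p.caKey)
	return cert
}

// authorizePhone is the gateway-side decision the page configures with
// "authorization username subjectname commonname": the client certificate must
// chain to the trustpoint, and its subject CN is then looked up byte for byte
// in the local user list (case-sensitive, as the ASA note states).
func authorizePhone(cert *x509.Certificate, roots *x509.CertPool, users map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	cn := cert.Subject.CommonName
	if !users[cn] {
		return "", errors.New("no local user matches CN " + cn)
	}
	return cn, nil
}

func main() {
	pki := newTestPKI()
	users := map[string]bool{"CP-7962G-SEP001B0CDB38FE": true} // username from the page's IOS sample
	for _, cn := range []string{"CP-7962G-SEP001B0CDB38FE", "cp-7962g-sep001b0cdb38fe"} {
		name, err := authorizePhone(pki.issuePhoneCert(cn), pki.roots, users)
		fmt.Printf("CN %q -> user %q, err: %v\n", cn, name, err)
	}
	// Same CN issued by a different CA: the chain check, not the name check, must reject it.
	_, err := authorizePhone(newTestPKI().issuePhoneCert("CP-7962G-SEP001B0CDB38FE"), pki.roots, users)
	fmt.Println("untrusted issuer rejected:", err != nil)
}
```

Run it with go run: the exact-case CN is accepted, the lowercase CN is refused by the username lookup, and a certificate carrying the right CN but issued by an untrusted CA is refused before the name is ever consulted. The ordering matters: the CN is attacker-chosen until the chain has been verified, so it must never be trusted as an identity on its own.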
Summary of content included on page 12

 no nameif
 security-level 100
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
!--- Boot image of ASA
boot system disk0:/asa821-k8.bin
ftp mode passive
!--- Clock settings
clock timezone CST -6
clock summer-time CDT recurring
!--- DNS configuration
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 64.101.128.56
 d
Summary of content included on page 13

timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!--- AS
Summary of content included on page 14

!--- Group-policy
group-policy GroupPhoneWebvpn internal
group-policy GroupPhoneWebvpn attributes
 banner none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value nw048b.cisco.com
 address-pools value Webvpn_POOL
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 120
  svc rekey time 4
  svc rekey me
Summary of content included on page 15

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname conte
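Reading the IOS and ASA samples on this chapter's pages with a hardening eye, a few settings stand out: the IOS usernames carry type-0 (cleartext) passwords, and the phone group policy sets vpn-idle-timeout none, vpn-session-timeout none, vpn-simultaneous-logins 10 and a tunnel-protocol list wider than the SSL VPN client (svc) the phone actually uses. The Go program below is an added example, not part of the Cisco guide, that encodes those observations as line-level checks and runs them over an excerpt of the sample lines. The checks are the editor's own hardening rules, and the names finding, check, lintConfig and sampleConfig belong to the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// finding is one hardening concern tied to a configuration line.
type finding struct {
	LineNo int
	Line   string
	Reason string
}

// check inspects a single trimmed configuration line; hit is true when it applies.
type check func(line string) (reason string, hit bool)

var (
	reType0  = regexp.MustCompile(`^username \S+ .*\bpassword 0 \S`)
	reLogins = regexp.MustCompile(`^vpn-simultaneous-logins (\d+)$`)
	reProto  = regexp.MustCompile(`^vpn-tunnel-protocol (.+)$`)
)

// checks are the editor's own rules for settings visible in the page's IOS and
// ASA samples; they are not taken from the Cisco guide.
var checks = []check{
	func(l string) (string, bool) {
		return "type-0 (cleartext) password stored in the running config; use the 'secret' form", reType0.MatchString(l)
	},
	func(l string) (string, bool) {
		return "idle tunnels never time out, so abandoned phone sessions stay established", l == "vpn-idle-timeout none"
	},
	func(l string) (string, bool) {
		return "no maximum session lifetime, so the phone is never forced to re-authenticate", l == "vpn-session-timeout none"
	},
	func(l string) (string, bool) {
		m := reLogins.FindStringSubmatch(l)
		if m == nil {
			return "", false
		}
		n, _ := strconv.Atoi(m[1])
		return "a phone needs one concurrent session; extra logins let the same identity be used from other devices", n > 1
	},
	func(l string) (string, bool) {
		m := reProto.FindStringSubmatch(l)
		if m == nil {
			return "", false
		}
		for _, proto := range strings.Fields(m[1]) {
			if proto != "svc" && proto != "ssl-client" {
				return "phone group policy permits tunnel types beyond the SSL VPN client (svc) the phone uses", true
			}
		}
		return "", false
	},
}

// lintConfig runs every check over each non-empty, non-comment line of config.
func lintConfig(config string) []finding {
	var out []finding
	for i, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "!") {
			continue
		}
		for _, c := range checks {
			if reason, hit := c(line); hit {
				out = append(out, finding{i + 1, line, reason})
			}
		}
	}
	return out
}

// sampleConfig is an excerpt assembled from the IOS and ASA samples on this
// page (lines reproduced as the page shows them, not invented).
const sampleConfig = `
username admin privilege 15 password 0 vpnios
username CP-7962G-SEP001B0CDB38FE privilege 15 password 0 adgjm
!--- Group-policy
group-policy GroupPhoneWebvpn attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc webvpn
 webvpn
  svc dtls enable
  svc keepalive 120
`

func main() {
	for _, f := range lintConfig(sampleConfig) {
		fmt.Printf("line %d: %s\n    %s\n", f.LineNo, f.Line, f.Reason)
	}
}
```

Over the excerpt the program reports six findings: the two cleartext passwords, the missing idle and session timeouts, the ten simultaneous logins, and the IPSec/webvpn entries in the phone group's tunnel-protocol list. The rules are deliberately line-local so they can be run against a saved show running-config before the gateway is exposed to the Internet.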
Summary of content included on page 16
Cisco Unified Communications Manager Security Guide, OL-24124-01 (page 17-16)