Cisco CCNP Security 300-730 SVPN – Remote Access VPN

  • January 26, 2023

1. IPSEC vs SSL

Hello, guys. Welcome to a new video. And in this video, we are going to go over the difference between IPsec and SSL. So I have a PowerPoint. Yes, another PowerPoint. But I’m also going to be configuring. Like I said before, I’m not big on PowerPoint. I’m not good at creating PowerPoints. But sometimes it’s good just to go over a PowerPoint before going over a configuration so you guys can understand better, right? So IPsec versus SSL. The battle of VPNs. And let’s start. What is IPsec? Guys, what is IPsec? Well, IPsec stands for Internet Protocol Security, aka IPsec. It’s a secure network protocol suite that authenticates and encrypts data packets on the Internet.

And it’s a lot more than that. It has two important roles: encryption, authentication, integrity, and also anti-replay. Yes. Again, IPsec can work in two modes, transport mode and tunnel mode, like I said in my video before. And it could be used either with IKEv1 or IKEv2. Cisco, I don’t think Cisco lets people implement IKEv1 anymore. I think that’s like being disabled or removed from all the routers. Hopefully it is removed from all the routers. Hopefully nobody is using IKEv1 because it’s not secure at all anymore. And that’s why we’re going to be configuring IPsec with IKEv2 in this video. What is bad about IPsec? Well, I came up with some of them. One is that whenever you connect with an IPsec connection, IPsec is going to give the remote computer direct access to the central network, making it a full member.

So that is something bad that IPsec does. It also depends on how you configure that IPsec. Right. Also, remote users have access to any file storage locations, programs, printers, and backups exactly as if they were in the office. Right. Because it is an IPsec connection. When you connect to the network, you’re inside the network, you have access to all that. Something else is you need software installed for it to work. From an end user perspective, you need to have either AnyConnect or another VPN software installed on your computer.

And if you don’t have any rights, you aren’t going to be able to use IPsec. Another thing that’s bad is IPsec requires a third party. Like I said before, it requires third party client software. And it’s also more complicated and expensive to set up and maintain, because then you need to maintain the software. You need to maintain a lot more than just an SSL VPN connection. Right. And also, IPsec is well known for high CPU usage. Therefore, you need to have a very expensive and good router if you’re going to have a site to site IPsec or anything running IPsec. It requires a lot of CPU usage.

There’s good about IPsec, right? There’s good stuff about IPsec. And also, if you guys know anything else, you can leave a comment on this video. I just came up with this. I did it on the fly, just whatever I remember from my brain. One is that it can be used for site to site and remote access VPNs. This is really good. So you can implement either site to site or remote access. For SSL, you’re only able to do a remote access VPN. You cannot do a site to site; if you’re able to do it, I want to see you do it. It also has the ability to use certificates and also pre-shared keys, or use both. With IKEv2, it provides confidentiality, integrity, anti-replay and authentication. Okay, so now this is going to be about SSL. So for SSL. It stands for Secure Sockets Layer. It’s IPsec’s major rival as a VPN protocol. SSL gives users more specific access than IPsec. Rather than becoming a full member of the network, remote team members are granted access to particular applications. The SSL protocol was replaced by a successor technology, TLS, which nobody, nobody uses that term really. Only if you really know about it, only if you’re really talking about TLS instead of SSL, are you going to refer to TLS.

And in 2015 it was replaced by TLS. But the terms are interchangeable like I said, and in common parlance SSL is still widely used. What is bad about SSL? Well, it cannot be used for site to site. Like I said, you need to buy a certificate. It is possible to get a free SSL certificate, but this is not recommended for a lot of reasons. One will be that the CA is not going to be trusted by the browser. I bet you that. And mobile configuration is not easy because at first SSL certificates were primarily intended just for websites, for your computer security, and not for mobile devices. That’s why it’s a little bit harder to do it for mobile devices.

There’s good. Well, SSL is already supported by the remote user’s browser. So you don’t need to install any application like IPsec. No need of a third party application, like I said, even though we are going to be using one, but you don’t have to actually implement all of them. Yeah, I’m probably going to do that, and it can be accessed from anywhere like I said, because you can just use it from the browser, and it’s easier to set up than IPsec. A lot easier. I’m going to show you that and I will leave this up for my PowerPoint presentation. Thank you guys for watching that presentation. Now let’s go ahead and go to the good stuff, configuring stuff that I like. So I’m going to first set up the site to site VPN connection between R3 and R2. So first let’s go ahead and open the console. And I’m going to start with router three over here. Here are my... now as you can see, I have everything configured, all the interfaces.

I set up some static routes and all that good stuff. So let’s start with this, and the site to site implementation is going to be with IKEv2. Therefore the first thing we need to do is configure a crypto ikev2 keyring. We are going to be calling this, let’s just call it KEYRING. We need to add the peer, which is going to be router two. This one right here, the address of it is 31 one. Pre-shared-key local CCNP, actually let’s just call it the local. It’s going to be R3. Pre-shared-key remote, it’s going to be R2. Exit, exit. After that is done, we need to go ahead and configure the IKEv2 profile, and we are going to be calling this IKEV2-PROFILE, and inside here we need to first match the identity, or you can do it... it doesn’t really need to be the first command, but you can do it.

This command at any point, you just have to configure it. Identity of remote is going to be 31. Identity of the local address is 31 two. It’s this IP address right here. Then you want to do authentication. What are we going to be using for authentication? For the local it’s going to be using a pre-shared key, and authentication for the remote is also going to be a pre-shared key. Then you want to add the keyring local and name that keyring. Let’s see if I missed anything. Put in the match identity, authentication, and we added the keyring. So we are done with that, exit. Now we need to go ahead and configure the crypto IPsec transform set. Call this TSET, esp-aes 256, esp-sha-hmac.

Let me do the crypto command to configure the IPsec profile, IPSEC-PROFILE. Here we need to set the transform set, which we named TSET, and we also need to set the IKEv2 profile, which we called IPSEC-PROFILE... or actually, rename that, IKEV2-PROFILE. There we go. Now let’s go and configure the tunnel interface, Tunnel0. IP address, it’s going to be 1010 one. Then we need to do the tunnel mode ipsec ipv4, tunnel source GigabitEthernet2, this one right here. Then we need to do the tunnel destination, which is studied on 101. Good. After that is done, we need to do the tunnel protection ipsec profile, and we need to attach that IPsec profile here. Good, exit. Then we can do a router eigrp 10, no auto-summary, network one and two h 30245 just to add this network right here, and we also need to add the network of the tunnel interface. Good. Now what we’re going to be doing, let’s do show run | section crypto, and we are just going to copy and paste everything, and I’m going to open Leafpad because I don’t want to just go ahead and configure everything since we have to configure a lot of stuff. We are just going to replace this with this. This is going to be... this local is R2. R3. Remote is going to be two.

Local is one, and the rest is the same. Then let’s do a show run so we can get the configuration of the tunnel interface. This one right here, we are going to configure the tunnel. This is Tunnel1. The IP address is two. Gigabit 2 is the same. Destination is two. And that’s going to configure EIGRP. So for this one, we just need to replace this with two, because for this we’re going to get this local interface. Let’s go ahead and copy everything. Let’s go into router two and let’s go ahead and paste all of it. No errors. The EIGRP should come up. Let’s confirm with show crypto ikev2 sa. You see the IKEv2 SA is up and running. So that’s good. It is working. If we do show ip route, you can see that we have a route via the tunnel interface. So everything was configured correctly.

Show crypto ipsec sa, you can see it right here. It is working correctly. The peer 31 two, local 31. So it’s working correctly. So if we want to do a ping to 18 one and three eight dot three dot one, we’re going to repeat it a hundred times. Redo show crypto ipsec sa, and you can see that it went up by 100. So we configured that IPsec connection so you guys could see how it is done, and it was done. So now let’s just go ahead... I’m going to pause this video for a little bit because I got to do something. I’ll be right back, okay. And we got done with that site to site tunnel and we got that out of the way. We configured that IPsec site to site tunnel with IKEv2.
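The site to site build-out walked through above, written out as one IOS configuration for R3. This is an added example, not the configuration from the video: the WAN addresses (203.0.113.x), the tunnel subnet (10.0.0.0/30), the LAN behind R3 (192.168.3.0/24) and the key strings are constructed, and R2 mirrors it with the peer address and the local/remote keys swapped. No `crypto ikev2 proposal` or `policy` appears because, as in the video, the IOS IKEv2 smart defaults are relied on.

```cisco
! R3 -- IKEv2 site-to-site over a VTI (constructed example, not from the video)
! WAN: Gi2 = 203.0.113.2, peer R2 WAN = 203.0.113.1, tunnel subnet 10.0.0.0/30
!
! 1. Keyring: which peer we talk to and which PSK each side proves.
!    R3's "local" key must equal R2's "remote" key and vice versa,
!    otherwise IKE_AUTH fails with an authentication error.
crypto ikev2 keyring KEYRING
 peer R2
  address 203.0.113.1
  pre-shared-key local R3-LOCAL-KEY
  pre-shared-key remote R2-REMOTE-KEY
!
! 2. IKEv2 profile: match the peer identity, PSK authentication both ways
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 203.0.113.2
 authentication local pre-share
 authentication remote pre-share
 keyring local KEYRING
!
! 3. Transform set: AES-256 for confidentiality, SHA HMAC for integrity
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! 4. IPsec profile ties the transform set to the IKEv2 profile
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
 set ikev2-profile IKEV2-PROFILE
!
! 5. Virtual tunnel interface; tunnel mode must be set before protection
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-PROFILE
!
! 6. EIGRP across the tunnel so R2's LAN is learned without static routes
router eigrp 10
 no auto-summary
 network 10.0.0.0 0.0.0.3
 network 192.168.3.0 0.0.0.255
!
! Verification (the IKEv2 SA should show READY, and the encaps/decaps
! counters should grow by the number of pings sent across the tunnel):
! show crypto ikev2 sa
! show crypto ipsec sa | include pkts encaps|pkts decaps
! show ip route eigrp
```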

So now what we are going to be doing is configuring an SSL clientless VPN connection. So let’s go ahead and do that, guys. And I’m going to be doing that from the ASA, from the ASDM. So let’s go ahead and bring that bad boy up. Here we go. Let’s go ahead and connect to it. And you’re going to see how much faster it is to configure an SSL clientless VPN connection from the ASDM instead of a site to site VPN, which takes a lot more CPU, a lot more configuration, a lot more maintenance than just a clientless SSL remote connection. And before I do that, I need to configure that IP address on this Windows device. So let’s go ahead and do that since I haven’t done that. Also it looks like I don’t have AnyConnect configured... or I do. Let me go ahead and see. I do, that’s good. Let’s go ahead and configure that IP address. This needs to be that three two and three one. Good. And after that has been configured, let’s see if you’re able to do a ping. Two, one. Good. And also 21.

And I cannot ping 21, and that’s because I didn’t configure a static route on router three. So let’s go ahead and do that. Config t, ip route 221 10 to provide that zero, send it to 29 one. Right. I believe that’s not where it is. I’m sorry for that. Let’s go ahead and remove that. It is because I don’t have a static route from the ASA. So you are able to get to the ASA, but the ASA is not able to get to us. So let’s go ahead and configure that. The way that you do that, you need to do an ip route. Actually, now I’ll do route, route to the outside zone, send it to 21 two. There we go. Go ahead and negate this one and just add this one. Good. So now we should be able to ping 21. And there it is. Good. So now we are able to ping that. That’s good. Put the Windows device down. Refresh. Save it. So now we have a connection. So let’s go ahead and set up that SSL VPN and you guys are going to see how easy it is. Clientless VPN connection.

Next, the connection profile is going to be called SSL, on the outside interface. No certificates, or even you can do a self signed user certificate. We’re not going to do that. We are going to create a new user. Ask her. Cisco, cisco. Add it, next. Group policy: SSL policy. Bookmarks. We’re going to add a bookmark so we can get to this website over here. So let’s go ahead and add a new one. BOOKMARKS, that’s how we’re going to call it. Add it, a URL, GET or POST method, website. This is going to go to 192-16-8112 because it’s this website right here. Good, add it. Next. And there we go. We are done. Finish. You see how easy it was to set up that SSL VPN connection instead of doing that site to site IPsec with IKEv2. It took a long time. Doing the SSL was a lot easier. So let’s go ahead and go to the Windows device and see if we are able to access the ASA, which is https 29 one one. There we go. It is telling me that it is not secure because we’re not using a trusted certificate. We are going to go into details, go into the page, and here we go. SSL VPN service.

We are going to log in, see if it works. And login failed. And I forgot to do something. Let’s go ahead and go to Configuration, Remote Access VPN. We are going to Clientless SSL VPN, Group Policies. And it is there. Let’s go ahead and save it. Let’s go ahead and go into Connection Profiles. Connection profiles: enable on the outside. Let’s go ahead and change the password to Cisco. Cisco. See if that lets me on. Apply. Save it. Let’s verify the connection profile. SSL VPN policy. Enable clientless SSL VPN protocol, using the local users. Now there’s a VPN. We don’t need to do that. So it is enabled. Group policies. Verify that the group policy is good. SSL clientless VPN. Let’s go ahead and reload this bad boy. Let’s go ahead and try to log in. Ask her, Cisco.
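The clientless pieces the ASDM wizard created above, together with the group-policy check that the failed login led to, as ASA CLI. This is an added example, not from the video or Cisco’s documentation: the interface name `outside`, the policy, tunnel-group and user names, and the password placeholder are assumptions.

```cisco
! ASA -- clientless SSL VPN (constructed example, not from the video)
! Assumes the Internet-facing interface is named "outside".
!
! Enable the clientless portal and the connection-profile drop-down
webvpn
 enable outside
 tunnel-group-list enable
!
! Group policy: permit ONLY the clientless protocol and attach the bookmark list.
! A group policy whose vpn-tunnel-protocol lacks ssl-clientless is the usual
! reason a portal login fails even when the username and password are right.
group-policy SSL-POLICY internal
group-policy SSL-POLICY attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value BOOKMARKS
!
! Connection profile (tunnel group) bound to that policy, with a portal alias
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 default-group-policy SSL-POLICY
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
!
! Local user pinned to the policy (placeholder name and password)
username vpnuser password CHANGE-ME-PLACEHOLDER
username vpnuser attributes
 vpn-group-policy SSL-POLICY
 service-type remote-access
!
! The BOOKMARKS list is an XML object built in ASDM (as in the video) or
! imported from a file:  import webvpn url-list BOOKMARKS <url-of-xml-file>
!
! Verification:
! show running-config group-policy SSL-POLICY
! show vpn-sessiondb webvpn
```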

And there we go. Now it is working, for some reason. Now it’s working. And now let’s go ahead and go to the website. And there we go. We were able to access that website. So that’s how you set up the SSL clientless VPN connection. And also like I said in my PowerPoint, you are also able to configure an IPsec remote access VPN with IPsec and IKEv2. So let’s go ahead and do... let’s actually do an AnyConnect VPN wizard, and this one’s going to be called IPsec, on the outside. Going to enable IPsec, no digital certificates, or we need to do one.

Let’s go ahead and do a self signed one. Self signed. Let’s go ahead and do cancel. Go ahead and delete it. Add a new one. Generate self signed. Good. Apply it, next, to image. Or we do need to add an image, and I don’t think I have one. I do not. But if you go through this and you add your AnyConnect profile on there it should be working, but it’s not letting me do it. No, let’s just go ahead and add that. That’s fine. Let’s go ahead and click. Next, we are going to add another one. We are going to call it IPsec, cisco, Cisco, and add it, next. Local, that’s good. Next we need to add a pool, IPsec pool. It’s going to start at 109 216810 all the way to 108 2168-1324. And this is the IP address that is going to be assigned to the Windows device once we connect to it. You’re not going to do that. Finish. Good. Let’s go ahead and see if IPsec is enabled.

Yes, it is enabled. IPsec enabled. This one should be SSL enabled. Apply it. Save it. Looking good. So now let’s go ahead and go into the group policies. We have IPsec and it’s not assigned. It’s not assigned to... let’s go and cancel. Assign the local user IPsec. Apply it. So that’s good. Save it. Now we should be able to connect to this ASA via remote access using IPsec, and for us to be able to do that we need to have a client, like I said before. So if you go over here and do an ipconfig to see my IP address, you’re going to see that that is my IP address, but once I connect to it I should get the IP address 110. So let’s go ahead and see if that works. Let’s go ahead and open AnyConnect. We are going to connect to 21. Connect, and like I said, you saw that for SSL we were able to connect to it because we just used a browser. But if you’re going to use IPsec, you do need to use third party software like the Cisco AnyConnect Secure Mobility Client, but for SSL itself, you don’t need that. Cisco. See if it lets me in.

It’s not letting me in. As you can see, it doesn’t let me in. Let’s go ahead and connect to it again. Connect anyway, IPsec, Cisco, and it doesn’t let me connect right now. That’s because I need to get the AnyConnect profile, and let’s see if we’re able to just edit the one that we have over here. Let’s go to This PC, C drive, view. We need to go hidden files, ProgramData, Cisco, AnyConnect, Profile. And we do not have any profiles in here, but what we’re going to be doing is, let’s go ahead and power this off, and I’m going to add the one that I’m able to do it with. I need to add my other Windows device, which is this one right here. Sorry, take this bad boy out, and it’s not letting me delete this. Let’s go ahead and stop it. Delete this. And it’s now giving me an error. Thank you, GNS3. Let’s go ahead and start this up. See what happens if I start it up. Let’s go ahead and go into VMware. You can see that my Windows device is up and running, but this one doesn’t even delete... it doesn’t let me delete this link. I hate that.

Oh, there we go. It was deleted. Good. Actually, I’m just going to leave the host name, and we are just going to connect to it. It gives me an error saying that the port is already in use. Okay, GNS3, you are winning today, but you are not going to win. Let’s go ahead and go to router three. It looks like it froze. Everything is frozen right now. Let’s go ahead and close everything.

Let’s try it again. Let’s go ahead and open router three. It doesn’t let me open router three. Okay, so GNS3 wins. So I’m just going to have to leave this video right here, and in another video I’m just going to show you the implementation. Look at that, GNS3 wins. And that’s why I like EVE-NG. And I did not use EVE-NG for this video because I do not have a Windows device or any server on which I’m able to run that AnyConnect client software. So this is it for this video, guys.
