Cisco VPN 3000 User Manual page 251

13
C H A P T E R
Policy Management
Managing a VPN, and protecting the integrity and security of network resources, includes carefully
designing and implementing policies that govern who can use the VPN, when, and what data traffic can
flow through it. User management deals with "who can use it"; see the User Management section for
that discussion. Policy management deals with "when" and "what data traffic can flow through it"; this
section covers those topics.
You configure "when" under Access Hours , and it's simple: when can remote users access the VPN.
You configure "what data traffic can flow through it" under Traffic Management , and it's a bit more
complex. The Cisco VPN 3000 Concentrator hierarchy is straightforward, however: you use filters that
consist of rules; and for IPSec rules, you apply Security Associations (SAs). Therefore, you first
construct (configure) rules and SAs, then use them to construct filters.
Basically, a filter determines whether to forward or drop a data packet coming through the system. It
examines the data packet according to one or more rules—direction, source address, destination address,
ports, and protocol—which determine whether to forward, apply IPSec and forward, or drop. And it
examines the rules in the order they are arranged on the filter.
You apply filters to Ethernet interfaces, and thus govern all traffic through an interface. You also apply
filters to groups and users, and thus govern tunneled traffic through an interface.
With IPSec, the VPN Concentrator negotiates Security Associations during tunnel establishment that
govern authentication, key management, encryption, encapsulation, etc. Thus IPSec also determines how
to transform a data packet before forwarding it. You apply Security Associations to IPSec rules when
you include those rules in a filter, and you apply SAs to groups and users.
The VPN Concentrator also lets you create network lists, which are lists of network addresses that are
treated as a single object. These lists simplify the configuration of rules for complex networks. You can
also use them to configure split tunneling for groups and users, and to configure IPSec LAN-to-LAN
connections.
To fully configure the VPN Concentrator, you should first develop policies (network lists, rules, SAs,
and filters), since they affect Ethernet interfaces, groups, and users. And once you have developed
policies, we recommend that you configure and apply filters to interfaces before you configure groups
and users.
Traffic management on the VPN Concentrator also includes NAT (Network Address Translation)
functions that translate private network addresses into legitimate public network addresses. Again, you
develop rules to configure and use NAT.
VPN 3000 Concentrator Series User Guide 13-1