This chapter provides network diagrams and the configuration instructions to create them. Further information about the commands in the configurations can be found in "Command Reference."
This chapter includes the following sections:
In this example, two PIX Firewall units are used to create a Virtual Private Network (VPN) between the networks on each PIX Firewall unit's inside interface. This network is part of an intranet.
In this example, the VPN is created without the use of IKE or a CA. Pre-shared keys are used.
This section includes the following topics:
Follow these steps to program the PIX Firewall 1 unit for IPSec:
Step 2 Create the access-list entries to select traffic for this policy.
Note For manual keying, only one access-list permit command statement is permitted in the configuration.
Step 3 Create the transform set for the crypto command statement entry.
Step 4 Define the cryptographic state information. This includes the SPI and the necessary keys for manual keying, and policy negotiation for ISAKMP.
Step 5 Repeat Steps 1-4 for each group of policies.
Step 6 Associate the crypto map command statement with an interface.
Table 9-1 lists the configuration for PIX Firewall 1.
| Configuration | Description |
|---|---|
| nameif ethernet0 outside security0<br>nameif ethernet1 inside security100<br>interface ethernet0 auto<br>interface ethernet1 auto | PIX Firewall provides nameif and interface command statements for the interfaces in the default configuration. |
| ip address outside 192.168.1.1 255.255.255.0<br>ip address inside 10.1.1.1 255.255.255.0 | Identify the IP addresses for both interfaces. |
| enable password 8Ry2YjIyt7RRXU24 encrypted<br>passwd 2KFQnbNIdI.2KYOU encrypted<br>hostname pixfirewall | Default values for the privileged mode password and host name. |
| fixup protocol ftp 21<br>fixup protocol http 80<br>fixup protocol smtp 25<br>fixup protocol h323 1720<br>fixup protocol rsh 514<br>fixup protocol sqlnet 1521 | Default values that assign a port value for each service that the PIX Firewall provides special handling for. |
| no failover<br>failover ip address outside 0.0.0.0<br>failover ip address inside 0.0.0.0 | Default settings to disable failover. |
| names<br>pager lines 24 | Default settings that let you use text strings instead of IP addresses, which makes your configuration easier to read, and that set the screen output so 24 lines display at a time before you are prompted to continue. |
| no logging timestamp<br>logging console debugging<br>logging monitor errors<br>logging buffered errors<br>no logging trap<br>logging facility 20 | Enable syslog output to the console to receive debugging messages. |
| mtu outside 1500<br>mtu inside 1500 | Default Ethernet MTU settings. |
| arp timeout 14400 | Default value for the ARP timeout, set to 14,400 seconds (four hours). Entries are kept in the ARP table for four hours before they are flushed. |
| nat (inside) 1 0 0 | Permit all inside users to start outbound connections using the translated IP addresses from the global pool. |
| global (outside) 1 192.168.1.100-192.168.1.150 | Create a pool of global addresses that translated addresses use when they exit the firewall from the protected networks to the unprotected networks. The global command statement is associated with a nat command statement by the nat_ID, which in this example is 1. |
| static (inside,outside) 192.168.128.3 10.1.1.3 netmask 255.255.255.255 0 0 | Create an inbound access address on the outside of the intranet on the 192.168.128.0 network so that the 10.1.1.3 server on PIX Firewall 1 is accessible from that network. |
| no rip outside passive<br>no rip outside default<br>no rip inside passive<br>no rip inside default | Default settings to disable RIP listening and broadcasting. |
| route outside 0.0.0.0 0.0.0.0 192.168.1.49 1 | Establish a default route on the outside interface so that packets are routed to the router on the outside interface. |
| timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00<br>timeout rpc 0:10:00 h323 0:05:00<br>timeout uauth 0:05:00 absolute | Default timeout settings. |
| no snmp-server location<br>no snmp-server contact<br>snmp-server community public<br>no snmp-server enable traps | Default settings that disable SNMP access. |
| sysopt connection tcpmss 1380 | Set the TCP maximum segment size to 1380 bytes. This is recommended for data over the encrypted VPN channel. This value is set by default but does not display in the default configuration. |
| sysopt connection permit-ipsec | Enable IPSec traffic to bypass the check of conduit or access-group command statements. If you disable this option, you need to add a conduit command statement to your configuration to allow the required set of IPSec traffic. |
| crypto map mymap 10 ipsec-manual | Create a crypto map called "mymap" and specify with the ipsec-manual option that IKE will not be used to establish the IPSec security association. |
| crypto ipsec transform-set myset ah-md5-hmac esp-des<br>crypto map mymap 10 set transform-set myset | Establish the transform set as myset, enable MD5 AH, and enable ESP with 56-bit DES encryption. Then associate the transform set with the crypto map entry. |
| access-list 10 permit ip host 192.168.128.3 host 209.165.200.225 | Select the IP traffic to be protected: traffic between host 192.168.128.3 (the static address of the inside server) and the external host 209.165.200.225 on the other network. |
| crypto map mymap 10 match address 10 | Associate the map entry with the access list. |
| crypto map mymap 10 set peer 192.168.1.100 | Establish PIX Firewall 2 as the peer. When IKE is not used, as in this example, only one peer is specified. |
| crypto map mymap 10 set session-key inbound ah 400 123456789A123456789A123456789A12 | Establish the inbound AH session key. The SPI (security parameter index) is set to 400 and the string of characters after the SPI is the session key, specified in hexadecimal. |
| crypto map mymap 10 set session-key outbound ah 300 123456789A123456789A123456789A12 | Establish the outbound AH session key. The SPI is set to 300 and the string of characters after the SPI is the session key, specified in hexadecimal. |
| crypto map mymap 10 set session-key inbound esp 400 cipher abcd1234abcd1234 | Establish the inbound ESP session key. The SPI is set to 400. The cipher option indicates that the key string that follows the option is to be used with the ESP encryption transform. |
| crypto map mymap 10 set session-key outbound esp 300 cipher abcd1234abcd1234 | Establish the outbound ESP session key. The SPI is set to 300 and the cipher and authenticator keys are set to the same values as in the inbound command statement. |
| telnet timeout 5<br>terminal width 80 | Default values for the duration in minutes that a Telnet console session can be idle before being logged off, and for the number of characters wide that display during the console session. |
| crypto map mymap interface outside | Apply the crypto map set to the interface through which IPSec traffic will flow. |
Follow these steps to program the PIX Firewall 2 unit for IPSec:
Step 2 Create the access-list entries to select traffic for this policy.
Note For manual keying, only one access-list permit command statement is permitted in the configuration.
Step 3 Create the transform set for the crypto command statement entry.
Step 4 Define the cryptographic state information. This includes the SPI and the necessary keys for manual keying, and policy negotiation for ISAKMP.
Step 5 Repeat Steps 1-4 for each group of policies.
Step 6 Associate the crypto map command statement with an interface.
Table 9-2 lists the configuration for PIX Firewall 2.
| Configuration | Description |
|---|---|
| nameif ethernet0 outside security0<br>nameif ethernet1 inside security100<br>interface ethernet0 auto<br>interface ethernet1 auto | PIX Firewall provides nameif and interface command statements for the interfaces in the default configuration. |
| ip address outside 209.165.201.3 255.255.255.224<br>ip address inside 10.0.0.3 255.255.255.0 | Identify the IP addresses for both interfaces. |
| enable password 8Ry2YjIyt7RRXU24 encrypted<br>passwd 2KFQnbNIdI.2KYOU encrypted<br>hostname pixfirewall | Default values for the privileged mode password and host name. |
| fixup protocol ftp 21<br>fixup protocol http 80<br>fixup protocol smtp 25<br>fixup protocol h323 1720<br>fixup protocol rsh 514<br>fixup protocol sqlnet 1521 | Default values that assign a port value for each service that the PIX Firewall provides special handling for. |
| no failover<br>failover ip address outside 0.0.0.0<br>failover ip address inside 0.0.0.0 | Default settings to disable failover. |
| names<br>pager lines 24 | Default settings that let you use text strings instead of IP addresses, which makes your configuration easier to read, and that set the screen output so 24 lines display at a time before you are prompted to continue. |
| no logging timestamp<br>logging console debugging<br>logging monitor errors<br>logging buffered errors<br>no logging trap<br>logging facility 20 | Enable syslog output to the console to receive debugging messages. |
| mtu outside 1500<br>mtu inside 1500 | Default Ethernet MTU settings. |
| arp timeout 14400 | Default value for the ARP timeout, set to 14,400 seconds (four hours). Entries are kept in the ARP table for four hours before they are flushed. |
| nat (inside) 1 0 0 | Permit all inside users to start outbound connections using the translated IP addresses from the global pool. |
| static (inside,outside) 209.165.200.225 10.0.0.3 netmask 255.255.255.255 0 0 | Create a static mapping between the inside host and an external address beyond the outside router. |
| access-list 10 permit ip host 209.165.200.225 host 192.168.128.3 | Permit access to the static mapping from the 192.168.128.0 network outside the router. |
| route outside 0.0.0.0 0.0.0.0 192.168.1.49 1<br>route inside 10.0.0.0 255.255.255.0 10.0.0.3 1 | Create the default route to the outside router, and a static route to send packets on the inside interface. |
| timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00<br>timeout rpc 0:10:00 h323 0:05:00<br>timeout uauth 0:05:00 absolute | Default timeout settings. |
| no snmp-server location<br>no snmp-server contact<br>snmp-server community public<br>no snmp-server enable traps | Default settings that disable SNMP access. |
| no rip outside passive<br>no rip outside default<br>no rip inside passive<br>no rip inside default | Default settings to disable RIP listening and broadcasting. |
| crypto map mymap 10 ipsec-manual | Create a crypto map called "mymap" and specify with the ipsec-manual option that IKE will not be used to establish the IPSec security association. |
| crypto ipsec transform-set myset ah-md5-hmac esp-des<br>crypto map mymap 10 set transform-set myset | Establish the transform set as myset, enable MD5 AH, and enable ESP with 56-bit DES encryption. Then associate the transform set with the crypto map entry. The transform set is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list. Because IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. |
| sysopt connection tcpmss 1380 | Set the TCP maximum segment size to 1380 bytes. This is recommended for data over the encrypted VPN channel. This value is set by default but does not display in the default configuration. |
| crypto map mymap 10 match address 10 | Associate the map entry with the access list. |
| crypto map mymap 10 set peer 192.168.1.1 | Establish PIX Firewall 1 as the peer. When IKE is not used, as in this example, only one peer is specified. |
| crypto map mymap 10 set session-key inbound ah 300 123456789A123456789A123456789A12 | Establish the inbound AH session key. The SPI (security parameter index) is set to 300 and the string of characters after the SPI is the session key, specified in hexadecimal. The SPIs for PIX Firewall 2 are the reverse of the values specified for PIX Firewall 1 (PIX Firewall 1 has an inbound SPI of 400 and an outbound SPI of 300). |
| crypto map mymap 10 set session-key outbound ah 400 123456789A123456789A123456789A12 | Establish the outbound AH session key. The SPI is set to 400 and the string of characters after the SPI is the session key, specified in hexadecimal. |
| crypto map mymap 10 set session-key inbound esp 300 cipher abcd1234abcd1234 | Establish the inbound ESP session key. The SPI is set to 300. The cipher option indicates that the key string that follows the option is to be used with the ESP encryption transform. |
| crypto map mymap 10 set session-key outbound esp 400 cipher abcd1234abcd1234 | Establish the outbound ESP session key. The SPI is set to 400 and the cipher and authenticator keys are set to the same values as in the inbound command statement. |
| telnet timeout 5<br>terminal width 80 | Default values for the duration in minutes that a Telnet console session can be idle before being logged off, and for the number of characters wide that display during the console session. |
This section includes the following topics:
This example uses the network diagram shown in Figure 9-1.

Follow these steps to configure PIX Firewall 1:
Step 1 Define the host name:
hostname NewYork
Step 2 Define the domain name:
domain-name example.com
Step 3 Create a net static:
static (inside,outside) 192.168.12.0 192.168.12.0 netmask 255.255.255.0
Step 4 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encr 3des
Step 5 Configure pre-shared key and associate with the peer:
crypto isakmp key cisco1234 address 209.165.200.229
Step 6 Configure the supported IPSec transforms:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
Step 7 Create an access list:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
Step 8 Define a crypto map:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
Step 9 Apply the crypto map to the outside interface:
crypto map toSanJose interface outside
Step 10 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
Table 9-3 lists the configuration for PIX Firewall 1.
| Configuration | Description |
|---|---|
| nameif ethernet0 outside security0<br>nameif ethernet1 inside security100<br>interface ethernet0 auto<br>interface ethernet1 auto | PIX Firewall provides nameif and interface command statements for the interfaces in the default configuration. |
| enable password 8Ry2YjIyt7RRXU24 encrypted<br>passwd 2KFQnbNIdI.2KYOU encrypted | Default values for the privileged mode password and the Telnet password. |
| hostname NewYork | Define a host name for the PIX Firewall. |
| domain-name example.com | Set the domain name. |
| fixup protocol ftp 21<br>fixup protocol http 80<br>fixup protocol smtp 25<br>fixup protocol h323 1720<br>fixup protocol rsh 514<br>fixup protocol sqlnet 1521 | Default fixup protocol values that define port usage. |
| names<br>pager lines 24<br>no logging on | Default values that let you use names instead of IP addresses, display 24 lines of text before you are prompted to continue, and disable syslog output. |
| mtu outside 1500<br>mtu inside 1500 | Set the maximum transmission unit values for the Ethernet interfaces. |
| ip address outside 209.165.201.8 255.255.255.224<br>ip address inside 192.168.12.1 255.255.255.0 | The IP addresses for each PIX Firewall interface. |
| no failover<br>failover ip address outside 0.0.0.0<br>failover ip address inside 0.0.0.0 | Default values to disable failover. |
| arp timeout 14400 | Default value specifying that the ARP cache be reinitialized every four hours. |
| nat 0 access-list 90<br>access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0 | The nat 0 access-list command statement lets you exempt traffic that is matched by the access-list command statement from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The access-list command statement permits IP traffic on all hosts on the inside network to be accessed by the hosts on PIX Firewall 2. |
| no rip outside passive<br>no rip outside default<br>rip inside passive<br>no rip inside default | Default values to disable RIP listening or broadcasting. However, the inside interface does listen for RIP broadcasts. |
| route outside 0.0.0.0 0.0.0.0 209.165.201.7 1 | Specify the router on the outside interface for default routes. |
| timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00<br>timeout rpc 0:10:00 h323 0:05:00<br>timeout uauth 0:05:00 absolute | Default timer values. |
| aaa-server TACACS+ protocol tacacs+<br>aaa-server RADIUS protocol radius | Default values that permit access to the TACACS+ or RADIUS protocols; however, AAA is not used in this configuration. |
| no snmp-server location<br>no snmp-server contact<br>snmp-server community public<br>no snmp-server enable traps | Default values to disable SNMP access. |
| crypto ipsec transform-set strong esp-3des esp-sha-hmac<br>crypto map toSanJose 20 ipsec-isakmp<br>crypto map toSanJose 20 match address 90<br>crypto map toSanJose 20 set peer 209.165.200.229<br>crypto map toSanJose 20 set transform-set strong<br>crypto map toSanJose interface outside | Define the crypto map transforms, specify ISAKMP access, match the map to the access list (both use ID 90 to be associated), set the tunnel peer to be the outside interface IP address of PIX Firewall 2 (209.165.200.229), and apply the crypto map to the outside interface. |
| isakmp enable outside<br>isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255<br>isakmp policy 9 authentication pre-share<br>isakmp policy 9 encryption 3des | Configure the ISAKMP policy. |
| sysopt connection permit-ipsec | Specify that IPSec traffic be implicitly trusted (permitted). |
| telnet timeout 5<br>terminal width 80 | Default values for how long a Telnet console session can be idle and that a console session should display up to 80 characters wide on the console computer. |
Follow these steps to configure PIX Firewall 2:
Step 1 Define the host name:
hostname SanJose
Step 2 Define the domain name:
domain-name example.com
Step 3 Create a net static:
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
Step 4 Configure the ISAKMP policy:
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
Step 5 Configure a pre-shared key and associate it with the peer:
crypto isakmp key cisco1234 address 209.165.201.8
Step 6 Configure IPSec supported transforms:
crypto ipsec transform-set strong esp-3des esp-sha-hmac
Step 7 Create an access list:
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
Step 8 Define a crypto map:
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set transform-set strong
crypto map newyork 10 set peer 209.165.201.8
Step 9 Apply the crypto map to an interface:
crypto map newyork interface outside
Step 10 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
Table 9-4 lists the configuration for PIX Firewall 2.
| Configuration | Description |
|---|---|
| nameif ethernet0 outside security0<br>nameif ethernet1 inside security100<br>nameif ethernet2 dmz security50<br>nameif ethernet3 perimeter security40 | PIX Firewall provides nameif command statements for interfaces in the default configuration. In addition, the default configuration provides default names for the perimeter interfaces, but in this case, the configuration requires different names and security levels for the perimeter interfaces. |
| enable password 8Ry2YjIyt7RRXU24 encrypted<br>passwd 2KFQnbNIdI.2KYOU encrypted | Default values for the privileged mode password and the Telnet password. |
| hostname SanJose | Define a host name for the PIX Firewall. |
| domain-name example.com | Set the domain name. |
| fixup protocol ftp 21<br>fixup protocol http 80<br>fixup protocol smtp 25<br>fixup protocol h323 1720<br>fixup protocol rsh 514<br>fixup protocol sqlnet 1521 | Default fixup protocol values that define port usage. |
| names<br>pager lines 24<br>no logging on | Default values that let you use names instead of IP addresses, display 24 lines of text before you are prompted to continue, and disable syslog output. |
| interface ethernet0 auto<br>interface ethernet1 auto<br>interface ethernet2 auto<br>interface ethernet3 auto | Default interface definitions indicating that each Ethernet interface has automatic sensing capabilities to determine line speed and duplex. |
| mtu outside 1500<br>mtu inside 1500<br>mtu dmz 1500<br>mtu perimeter 1500 | Set the maximum transmission unit values for the Ethernet interfaces. |
| ip address outside 209.165.200.229 255.255.255.224<br>ip address inside 10.0.0.1 255.0.0.0<br>ip address dmz 192.168.101.1 255.255.255.0<br>ip address perimeter 192.168.102.1 255.255.255.0 | The IP addresses for each PIX Firewall interface. |
| no failover<br>failover ip address outside 0.0.0.0<br>failover ip address inside 0.0.0.0<br>failover ip address dmz 0.0.0.0<br>failover ip address perimeter 0.0.0.0 | Default values to disable failover. |
| arp timeout 14400 | Default value specifying that the ARP cache be reinitialized every four hours. |
| nat 0 access-list 80<br>access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0 | The nat 0 access-list command statement lets you exempt traffic that is matched by the access-list command statement from the NAT services. Adaptive Security remains in effect with the nat 0 access-list command. The access-list command statement permits IP traffic on all hosts on the inside network to be accessed by the hosts on PIX Firewall 1. |
| no rip outside passive<br>no rip outside default<br>no rip inside passive<br>no rip inside default<br>no rip dmz passive<br>no rip dmz default<br>no rip perimeter passive<br>no rip perimeter default | Default values to disable RIP listening or broadcasting. |
| route outside 0.0.0.0 0.0.0.0 209.165.200.228 1 | Specify the router on the outside interface for default routes. |
| timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00<br>timeout rpc 0:10:00 h323 0:05:00<br>timeout uauth 0:05:00 absolute | Default timer values. |
| aaa-server TACACS+ protocol tacacs+<br>aaa-server RADIUS protocol radius | Default values that permit access to the TACACS+ or RADIUS protocols; however, AAA is not used in this configuration. |
| no snmp-server location<br>no snmp-server contact<br>snmp-server community public<br>no snmp-server enable traps | Default values to disable SNMP access. |
| crypto ipsec transform-set strong esp-3des esp-sha-hmac<br>crypto map newyork 10 ipsec-isakmp<br>crypto map newyork 10 match address 80<br>crypto map newyork 10 set peer 209.165.201.8<br>crypto map newyork 10 set transform-set strong<br>crypto map newyork interface outside | Define the crypto map transforms, specify ISAKMP access, match the map to the access list (both use ID 80 to be associated), set the tunnel peer to be the outside interface IP address of PIX Firewall 1 (209.165.201.8), and apply the crypto map to the outside interface. |
| isakmp enable outside<br>isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255<br>isakmp policy 8 authentication pre-share<br>isakmp policy 8 encryption 3des | Configure the ISAKMP policy. |
| sysopt connection permit-ipsec | Specify that IPSec traffic be implicitly trusted (permitted). |
| telnet timeout 5<br>terminal width 80 | Default values for how long a Telnet console session can be idle, and that a console session should display up to 80 characters wide on the console computer. |
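Both examples in this chapter depend on the two units mirroring each other: each unit's set peer must be the other unit's outside address, the crypto access lists must be reverse images, the transform sets must match, and under manual keying the inbound SPI and session key on one unit must equal the outbound SPI and key on the other (with the one-permit-entry limit from the Note). The script below is an added example, not Cisco's code or text; it parses the two configurations and reports every such mismatch, with embedded excerpts constructed from Tables 9-1 and 9-2 (the same check applies to the IKE pair in Tables 9-3 and 9-4, which has no session-key lines because IKE negotiates them).

```python
"""Cross-check two PIX Firewall site-to-site configurations: every setting the
peers must mirror is parsed from each unit and compared. Added example, not
Cisco's code; the two excerpts are constructed from Tables 9-1 and 9-2."""
import re

PIX1 = """ip address outside 192.168.1.1 255.255.255.0
crypto ipsec transform-set myset ah-md5-hmac esp-des
access-list 10 permit ip host 192.168.128.3 host 209.165.200.225
crypto map mymap 10 match address 10
crypto map mymap 10 set peer 192.168.1.100
crypto map mymap 10 set session-key inbound ah 400 123456789A123456789A123456789A12
crypto map mymap 10 set session-key outbound ah 300 123456789A123456789A123456789A12
crypto map mymap 10 set session-key inbound esp 400 cipher abcd1234abcd1234
crypto map mymap 10 set session-key outbound esp 300 cipher abcd1234abcd1234"""

PIX2 = """ip address outside 209.165.201.3 255.255.255.224
crypto ipsec transform-set myset ah-md5-hmac esp-des
access-list 10 permit ip host 209.165.200.225 host 192.168.128.3
crypto map mymap 10 match address 10
crypto map mymap 10 set peer 192.168.1.1
crypto map mymap 10 set session-key inbound ah 300 123456789A123456789A123456789A12
crypto map mymap 10 set session-key outbound ah 400 123456789A123456789A123456789A12
crypto map mymap 10 set session-key inbound esp 300 cipher abcd1234abcd1234
crypto map mymap 10 set session-key outbound esp 400 cipher abcd1234abcd1234"""


def _endpoints(spec):
    """'host A host B' or 'A maskA B maskB' -> ((A, maskA), (B, maskB))."""
    toks, pairs = spec.split(), []
    while toks:
        pairs.append((toks[1], "255.255.255.255") if toks[0] == "host" else (toks[0], toks[1]))
        toks = toks[2:]
    return tuple(pairs)


def parse_pix(text):
    """Pull the tunnel-relevant settings out of one unit's configuration."""
    cfg = {"outside": None, "peer": None, "transform": None, "acl_id": None, "acls": {}, "keys": {}}
    for line in text.splitlines():
        if m := re.match(r"ip address outside (\S+)", line):
            cfg["outside"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peer"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["acl_id"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            cfg["transform"] = tuple(m[1].split())
        elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
            cfg["acls"].setdefault(m[1], set()).add(_endpoints(m[2]))
        elif m := re.match(r"crypto map \S+ \d+ set session-key (inbound|outbound) (ah|esp) (\d+) (?:cipher )?(\S+)", line):
            cfg["keys"][(m[1], m[2])] = (int(m[3]), m[4])  # (direction, protocol) -> (SPI, hex key)
    cfg["acl"] = cfg["acls"].get(cfg["acl_id"], set())  # entries selected by the crypto map
    return cfg


def check_pair(a, b):
    """Return the mismatches between two parsed units; an empty list means consistent."""
    findings = []
    for x, y, side in ((a, b, "unit 1"), (b, a, "unit 2")):
        if x["peer"] != y["outside"]:
            findings.append(f"{side}: set peer {x['peer']} is not the other unit's outside address {y['outside']}")
        if x["keys"] and len(x["acl"]) != 1:  # the chapter's Note: manual keying allows one permit entry
            findings.append(f"{side}: manual keying allows exactly one access-list permit entry")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    if {entry[::-1] for entry in a["acl"]} != b["acl"]:
        findings.append("crypto access lists are not mirror images of each other")
    for proto in ("ah", "esp"):  # unit 1 inbound SPI/key must equal unit 2 outbound, and vice versa
        for d_a, d_b in (("inbound", "outbound"), ("outbound", "inbound")):
            if a["keys"].get((d_a, proto)) != b["keys"].get((d_b, proto)):
                findings.append(f"{proto}: unit 1 {d_a} SPI/key differs from unit 2 {d_b}")
    return findings
```

Calling `check_pair(parse_pix(PIX1), parse_pix(PIX2))` on the Table 9-1 and 9-2 values as printed reports one finding: PIX Firewall 1's peer (192.168.1.100) is not PIX Firewall 2's outside address (209.165.201.3), while the SPI swap, keys, access lists and transform sets all line up. The Table 9-3 and 9-4 pair passes with no findings.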
Posted: Thu Aug 31 19:47:09 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.