Cisco PIX: Site-to-Site VPN
Articles and Blogs - Cisco Encounter
Written by Joel Gacosta
Monday, 30 March 2009 14:13

PIX-to-PIX VPN config sample (applicable to Cisco PIX running version 6.x)
Pix A Tunnel IP: 202.138.162.2
Pix A Network: 192.168.111.0/24

Pix B Tunnel IP: 66.7.250.242
Pix B Network: 192.168.200.0/24

Configuring Pix A:
IKE and IPSec Configuration
1. Configure IKE for Preshared Keys:

isakmp enable outside

Create a policy that uses 3DES encryption, MD5 hashing and Diffie-Hellman group 2 (1024-bit):
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Issue the isakmp key (it must match the peer's key) and assign the peer address:

isakmp key ******* address 66.7.250.242 netmask 255.255.255.255 no-xauth no-config-mode


2. Configure IPSec:
Access list that allows the local network to reach the remote network (the "interesting traffic"):

access-list 101 permit ip 192.168.111.0 255.255.255.0 192.168.200.0 255.255.255.0

Configure the IPSec transform set; a unique name must be chosen for it (e.g. ESP-3DES-MD5):

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac


Assign crypto maps. A map name and a sequence number must be given to create the crypto map and define its parameters:

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 66.7.250.242
crypto map outside_map 20 set transform-set ESP-3DES-MD5

After defining the crypto map, apply it to an interface:

crypto map outside_map interface outside


3. Configure NAT:
These commands tell the PIX not to NAT any traffic deemed interesting for IPSec (the access list mirrors the crypto access list above):

access-list NoNAT permit ip 192.168.111.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NoNAT

4. Configure PIX System Options
This command permits all inbound IPSec-authenticated cipher sessions:

sysopt connection permit-ipsec
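As an added sanity check (example code written for this article, not Cisco's or the author's), the script below parses the VPN-relevant lines of two PIX 6.x configs and reports the mismatches that most often keep a site-to-site tunnel from forming: peer addresses that do not point at each other, crypto access lists that are not mirror images, a NoNAT access list that does not cover the interesting traffic, and differing transform sets. Pix A's lines are the ones shown above; Pix B's config is assumed to be its mirror image.

```python
import re
# Constructed samples: Pix A's VPN lines from the article; Pix B is its assumed mirror.
PIX_A = """\
isakmp key ******* address 66.7.250.242 netmask 255.255.255.255 no-xauth no-config-mode
access-list 101 permit ip 192.168.111.0 255.255.255.0 192.168.200.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 66.7.250.242
crypto map outside_map 20 set transform-set ESP-3DES-MD5
access-list NoNAT permit ip 192.168.111.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NoNAT"""
PIX_B = PIX_A.replace("66.7.250.242", "202.138.162.2").replace(
    "192.168.111.0 255.255.255.0 192.168.200.0", "192.168.200.0 255.255.255.0 192.168.111.0")

RULES = {  # regex -> key; the groups capture the values the checks need
    r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)": "acl",
    r"isakmp key \S+ address (\S+)": "key_peer",
    r"crypto ipsec transform-set (\S+) (\S+) (\S+)": "ts",
    r"crypto map \S+ \d+ match address (\S+)": "match_acl",
    r"crypto map \S+ \d+ set peer (\S+)": "peer",
    r"crypto map \S+ \d+ set transform-set (\S+)": "ts_name",
    r"nat \(inside\) 0 access-list (\S+)": "nonat_acl",
}

def parse_pix(text):  # reduce the VPN-relevant lines of a PIX 6.x config to a dict
    cfg = {"acl": {}, "ts": {}}
    for line in text.splitlines():
        for pat, key in RULES.items():
            if (m := re.match(pat, line.strip())) and key in ("acl", "ts"):
                cfg[key].setdefault(m.group(1), []).append(m.groups()[1:])  # named objects
            elif m:
                cfg[key] = m.group(1)
    return cfg

def mirror(entries):  # the remote side's view of an ACL: source and destination swapped
    return [(dst, dmask, src, smask) for src, smask, dst, dmask in entries]

def check_pair(a, b, a_ip, b_ip):  # mismatches that would keep the A<->B tunnel down
    problems = []
    for side, cfg, remote in (("A", a, b_ip), ("B", b, a_ip)):
        if cfg.get("peer") != remote or cfg.get("key_peer") != remote:
            problems.append(f"Pix {side}: set peer and isakmp key address must both be {remote}")
        if cfg["acl"].get(cfg.get("match_acl")) != cfg["acl"].get(cfg.get("nonat_acl")):
            problems.append(f"Pix {side}: NoNAT ACL does not match the crypto ACL; interesting traffic gets NATed")
    if a["acl"].get(a.get("match_acl"), []) != mirror(b["acl"].get(b.get("match_acl"), [])):
        problems.append("crypto ACLs are not mirror images; proxy IDs will not match")
    if a["ts"].get(a.get("ts_name")) != b["ts"].get(b.get("ts_name")):
        problems.append("transform sets differ; the phase 2 proposal will be rejected")
    return problems
```

Run `check_pair(parse_pix(PIX_A), parse_pix(PIX_B), "202.138.162.2", "66.7.250.242")` with the two tunnel IPs; an empty list means the two sides agree on everything this check covers.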


Run the following CLI commands (privileged mode) to check status.

For formation of the tunnel:

show crypto isakmp sa

For packets encapsulated/encrypted and so forth:

show crypto ipsec sa

Troubleshooting Commands:

The command below resets the IPSec SAs after failed attempts to negotiate a VPN tunnel (must be in global config mode):

clear crypto ipsec sa

The command below resets the ISAKMP SAs after failed attempts to negotiate a VPN tunnel (must be in global config mode):

clear crypto isakmp sa
