Task 5: Configuring a VPN Between HQ and Remote Sites

The two remote sites communicate with the Reston location (HQ-PIX) using VPN connections that traverse the Internet. To enable these VPNs, you must define the VPN characteristics at the headquarters location, as well as at the remote sites. Configuring the VPN connections between HQ-PIX and the two remote sites (MN-PIX and HOU-PIX) involves the following tasks:

- Configuring the central PIX Firewall, HQ-PIX, for VPN tunneling
- Configuring the Houston PIX Firewall, HOU-PIX, for VPN tunneling
- Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN tunneling
Note: The VPN tunnels shown in this example enable the two remote sites (Houston and Minneapolis) to communicate with the main location at Reston. If the two remote sites also must be able to communicate with each other, you would also need to establish a VPN tunnel from HOU-PIX to MN-PIX. This example assumes that the two remote sites need to communicate only with the main location and not with each other.
Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX.
Step 1. Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:

    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

Step 2. Configure a preshared key and associate it with the peers (Houston and Minneapolis):

    isakmp key C2!#ghi address 192.168.3.2
    isakmp key B2!#def address 192.168.2.2

Step 3. Configure the supported IPSec transforms:

    crypto ipsec transform-set myset esp-des esp-md5-hmac

Step 4. Create an access list:

    access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0

Step 5. Define a crypto map for both Houston and Minneapolis:

    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 120
    crypto map Dukem-Map 20 set peer 192.168.2.2
    crypto map Dukem-Map 20 set transform-set myset
    crypto map Dukem-Map 30 ipsec-isakmp
    crypto map Dukem-Map 30 match address 130
    crypto map Dukem-Map 30 set peer 192.168.3.2
    crypto map Dukem-Map 30 set transform-set myset

Step 6. Apply the crypto map to the outside interface:

    crypto map Dukem-Map interface outside

Step 7. Specify that IPSec traffic is implicitly trusted (permitted):

    sysopt connection permit-ipsec

Step 8. Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:

    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
    nat (inside) 0 access-list VPN
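Steps 1 and 3 choose the IKE phase 1 policy and the IPSec transform set, and IKE phase 1 only succeeds if the two peers have a policy that agrees on authentication, encryption, hash and Diffie-Hellman group (the lifetime is negotiated down to the shorter value). The following Python is an added example, not code from the book: it parses those two commands from the HQ-PIX steps, flags the settings that are weak by current standards (56-bit DES, MD5, 768-bit DH group 1), and tests whether two peers' proposals can negotiate. The STRONGER_PROPOSAL fragment is a constructed alternative using other values the PIX command set offers (3DES, SHA-1, group 2), assumed to be licensed on the reader's unit; the function names are mine.

```python
"""Audit an IKE phase 1 policy and IPsec transform set, and test whether two
peers' proposals can negotiate.  Added example, not from the book; HQ_PROPOSAL is
copied from Steps 1 and 3 of the HQ-PIX procedure."""

# Attributes both peers must agree on (lifetime is negotiated to the shorter value).
POLICY_ATTRS = ("authentication", "encryption", "hash", "group")

# Settings that no longer give adequate protection.
WEAK_POLICY = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}

HQ_PROPOSAL = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# Constructed stronger variant (assumed licensed on the unit); not from the book.
STRONGER_PROPOSAL = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strongset esp-3des esp-sha-hmac
"""


def parse_proposals(config):
    """Return ({seq: {attribute: value}}, {name: (transform, ...)}) from config text."""
    policies, transform_sets = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"] and len(t) == 5:
            policies.setdefault(int(t[2]), {})[t[3]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = tuple(t[4:])
    return policies, transform_sets


def weak_settings(policies, transform_sets):
    """List every weak phase 1 attribute and phase 2 transform."""
    findings = []
    for seq, attrs in sorted(policies.items()):
        for attr, bad in WEAK_POLICY.items():
            if attrs.get(attr) in bad:
                findings.append(f"isakmp policy {seq}: {attr} {attrs[attr]}")
    for name, transforms in sorted(transform_sets.items()):
        findings += [f"transform-set {name}: {tr}" for tr in transforms if tr in WEAK_TRANSFORMS]
    return findings


def negotiable(local, remote):
    """First (local_seq, remote_seq, lifetime) whose policies agree on POLICY_ATTRS,
    lifetime being the shorter of the two, or None (IKE phase 1 would then fail)."""
    for lseq, lpol in sorted(local.items()):
        for rseq, rpol in sorted(remote.items()):
            if all(lpol.get(a) == rpol.get(a) for a in POLICY_ATTRS):
                # 86400 seconds is the PIX default when lifetime is not configured.
                lifetime = min(int(lpol.get("lifetime", 86400)), int(rpol.get("lifetime", 86400)))
                return lseq, rseq, lifetime
    return None


def audit_proposals(local_config, remote_config):
    """Weak settings on the local side plus the phase 1 match against the remote side."""
    local_pol, local_ts = parse_proposals(local_config)
    remote_pol, _ = parse_proposals(remote_config)
    return {"weak": weak_settings(local_pol, local_ts),
            "phase1_match": negotiable(local_pol, remote_pol)}


if __name__ == "__main__":
    print(audit_proposals(HQ_PROPOSAL, HQ_PROPOSAL))        # five weak items, match on policy 10
    print(audit_proposals(STRONGER_PROPOSAL, HQ_PROPOSAL))  # no weak items, but no phase 1 match
```

The second call shows the operational catch when hardening one side: until the remote sites are changed to the same stronger values, HQ-PIX has no policy in common with them and the tunnels will not come up, which is why both ends of each tunnel are changed together.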
Example 20-6 shows the complete configuration for the HQ-PIX.

Example 20-6. HQ PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security80
nameif ethernet3 failover security90
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HQ-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
!--- Traffic to HOU-PIX:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
!--- Traffic to MN-PIX:
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- Do not Network Address Translate (NAT) traffic to other branches:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
logging host DMZ 172.16.31.7
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip address failover 1.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.1.3
failover ip address inside 10.10.10.2
failover ip address DMZ 172.16.31.2
arp timeout 14400
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.152 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
!--- Do not NAT traffic to other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include telnet inside 0.0.0.0 0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to MN-PIX (access-list 120, peer 192.168.2.2, as in Step 5):
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.2.2
crypto map Dukem-Map 20 set transform-set myset
!--- Traffic to HOU-PIX (access-list 130, peer 192.168.3.2, as in Step 5):
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.3.2
crypto map Dukem-Map 30 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.3.2 netmask 255.255.255.255
isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fb446986bcad922ec40de6346e9e2729
: end
Configuring the Houston PIX Firewall, HOU-PIX, for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:
Step 1. Configure an ISAKMP policy:

    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

Step 2. Configure a preshared key and associate it with the peer (HQ-PIX). The key must be the same one that HQ-PIX holds for the Houston peer address 192.168.3.2 (Step 2 of the HQ-PIX procedure), because IKE authentication fails if the two ends hold different keys:

    isakmp key C2!#ghi address 192.168.1.2

Step 3. Configure the supported IPSec transforms:

    crypto ipsec transform-set myset esp-des esp-md5-hmac

Step 4. Create an access list:

    access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0

Step 5. Define a crypto map for HQ-PIX:

    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 110
    crypto map Dukem-Map 20 set peer 192.168.1.2
    crypto map Dukem-Map 20 set transform-set myset

Step 6. Apply the crypto map to the outside interface:

    crypto map Dukem-Map interface outside

Step 7. Specify that IPSec traffic is implicitly trusted (permitted):

    sysopt connection permit-ipsec

Step 8. Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:

    access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    nat (inside) 0 access-list VPN
Example 20-7 shows the Houston PIX configuration.

Example 20-7. Houston PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HOU-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.3.2 255.255.255.0
ip address inside 10.30.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
global (outside) 1 192.168.3.252 netmask 255.255.255.0
nat (inside) 1 10.30.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f
Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
Step 1. Configure an ISAKMP policy:

    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

Step 2. Configure a preshared key and associate it with the peer (HQ-PIX). The key must be the same one that HQ-PIX holds for the Minneapolis peer address 192.168.2.2 (Step 2 of the HQ-PIX procedure), because IKE authentication fails if the two ends hold different keys:

    isakmp key B2!#def address 192.168.1.2

Step 3. Configure the supported IPSec transforms:

    crypto ipsec transform-set myset esp-des esp-md5-hmac

Step 4. Create an access list:

    access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0

Step 5. Define a crypto map for HQ-PIX:

    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 110
    crypto map Dukem-Map 20 set peer 192.168.1.2
    crypto map Dukem-Map 20 set transform-set myset

Step 6. Apply the crypto map to the outside interface:

    crypto map Dukem-Map interface outside

Step 7. Specify that IPSec traffic is implicitly trusted (permitted):

    sysopt connection permit-ipsec

Step 8. Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:

    access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    nat (inside) 0 access-list VPN
Example 20-8 shows the configuration for the Minneapolis PIX Firewall.

Example 20-8. Minneapolis PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname MN-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host outside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.252 netmask 255.255.255.0
nat (inside) 1 10.20.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0
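The three procedures above (HQ-PIX, HOU-PIX and MN-PIX) only produce working tunnels when they agree with each other: each crypto map entry's peer must have a pre-shared key and the same key must be configured at the other end, the remote site's crypto access list must be the exact mirror (source and destination swapped) of the HQ access list for that site, and every flow in a crypto access list must also appear in the nat 0 access list, because a packet that is translated first no longer matches the crypto access list and leaves the firewall in the clear. The following Python is an added example, not from the book: it checks all of those conditions over config fragments constructed from the VPN commands in the steps above (MN_CONFIG is derived from HOU_CONFIG by substituting the Minneapolis addresses), with each remote site's pre-shared key set to the key HQ-PIX holds for that peer. The function names are mine.

```python
"""Cross-site consistency check for the hub-and-spoke VPN configured above.
Added example, not from the book; the fragments are constructed from the steps."""
from collections import defaultdict
import ipaddress

HQ_CONFIG = """
ip address outside 192.168.1.2 255.255.255.0
isakmp key C2!#ghi address 192.168.3.2
isakmp key B2!#def address 192.168.2.2
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.2.2
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.3.2
crypto map Dukem-Map interface outside
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list VPN
"""
HOU_CONFIG = """
ip address outside 192.168.3.2 255.255.255.0
isakmp key C2!#ghi address 192.168.1.2
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
"""
# Minneapolis differs only in its outside address, inside network and key.
MN_CONFIG = (HOU_CONFIG.replace("192.168.3.2", "192.168.2.2")
             .replace("10.30.10.0", "10.20.10.0").replace("C2!#ghi", "B2!#def"))


def parse(config):
    """Extract outside address, isakmp keys, ACLs, crypto map entries and nat 0 ACL."""
    cfg = {"outside": None, "keys": {}, "acls": defaultdict(list),
           "maps": defaultdict(dict), "nat0": None}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = t[3]
        elif t[:2] == ["isakmp", "key"]:           # isakmp key <key> address <peer>
            cfg["keys"][t[4]] = t[2]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            cfg["acls"][t[1]].append((ipaddress.ip_network(f"{t[4]}/{t[5]}"),
                                      ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = cfg["maps"][(t[2], int(t[3]))]
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
    return cfg


def check_site(cfg):
    """Within one firewall: map entries complete, peer keyed, crypto flows NAT-exempt."""
    findings, nat0 = [], set(cfg["acls"].get(cfg["nat0"], []))
    for (name, seq), entry in sorted(cfg["maps"].items()):
        acl, peer = entry.get("acl"), entry.get("peer")
        if acl is None or peer is None:
            findings.append(f"crypto map {name} {seq}: missing match address or set peer")
            continue
        if peer not in cfg["keys"]:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        for src, dst in cfg["acls"][acl]:
            if (src, dst) not in nat0:
                findings.append(f"access-list {acl}: {src} -> {dst} is not exempted from NAT")
    return findings


def check_pair(hub, spoke):
    """Between hub and spoke: entries point at each other, keys agree, ACLs mirror."""
    findings, hub_ip, spoke_ip = [], hub["outside"], spoke["outside"]
    hub_entry = next((e for e in hub["maps"].values() if e.get("peer") == spoke_ip), None)
    spoke_entry = next((e for e in spoke["maps"].values() if e.get("peer") == hub_ip), None)
    if hub_entry is None or spoke_entry is None:
        return [f"no crypto map entry pairs {hub_ip} with {spoke_ip}"]
    if hub["keys"].get(spoke_ip) != spoke["keys"].get(hub_ip):
        findings.append(f"pre-shared key differs between {hub_ip} and {spoke_ip}")
    hub_flows = set(hub["acls"][hub_entry.get("acl")])
    spoke_flows = {(dst, src) for src, dst in spoke["acls"][spoke_entry.get("acl")]}
    for src, dst in sorted(hub_flows ^ spoke_flows, key=str):
        findings.append(f"crypto ACL not mirrored for {src} -> {dst}")
    return findings


def audit(hub_config, spoke_configs):
    """Run every check; returns {site: [findings]} with an empty list meaning consistent."""
    hub = parse(hub_config)
    report = {"hub": check_site(hub)}
    for name, text in spoke_configs.items():
        spoke = parse(text)
        report[name] = check_site(spoke) + check_pair(hub, spoke)
    return report


if __name__ == "__main__":
    for site, found in audit(HQ_CONFIG, {"HOU-PIX": HOU_CONFIG, "MN-PIX": MN_CONFIG}).items():
        print(site, "OK" if not found else found)
```

Run as written, every site reports OK. Dropping the nat 0 line on HQ-PIX, giving a remote site a different key, or leaving one of the two networks out of a remote crypto access list each produces a specific finding, which are the three misconfigurations that most often explain a tunnel that negotiates phase 1 but carries no traffic.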
Verifying and Troubleshooting

After you configure the PIX for VPNs, the next step is to verify the configuration. The show, clear, and debug commands are used to verify and troubleshoot your configuration.

show Commands
- show crypto ipsec sa: Displays the current status of the IPSec security associations. This is useful in determining whether traffic is being encrypted.
- show crypto isakmp sa: Displays the current state of the Internet Key Exchange (IKE) security associations.
Debug Commands

If you have problems establishing any of the VPN tunnels, use the following commands for troubleshooting:
Step 1. If you are connected to the PIX by the console port, enable debugging on the console using this command:

    logging console debugging

If you are connected to the PIX by Telnet, enable debugging using this command:

    logging monitor debugging

Step 2. To view debug information related to the VPN configuration, use the following commands:

- debug crypto ipsec: Used to debug IPSec processing
- debug crypto isakmp: Used to debug ISAKMP processing
- debug crypto engine: Used to display debug messages about crypto engines, which perform encryption and decryption

Step 3. To clear security associations (SAs), use the following commands in the PIX configuration mode:

- clear [crypto] ipsec sa: Deletes the active IPSec SAs. The keyword crypto is optional.
- clear [crypto] isakmp sa: Deletes the active IKE SAs. The keyword crypto is optional.