Task 5: Configuring a VPN Between HQ and Remote Sites
The two remote sites communicate with the Reston location (HQ-PIX) using VPN connections that traverse the Internet. To enable these VPNs, you must define the VPN characteristics at the headquarters location, as well as at the remote sites. Configuring the VPN connections between HQ-PIX and the two remote sites (MN-PIX and HOU-PIX) involves the following tasks:- Configuring the central PIX Firewall, HQ-PIX, for VPN tunneling
- Configuring the Houston PIX Firewall, HOU-PIX, for VPN tunneling
- Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN tunneling
NoteThe VPN tunnels shown in this example enable the two remote sites (Houston and Minneapolis) to communicate with the main location at Reston. If the two remote sites also must be able to communicate with each other, you would also need to establish a VPN tunnel from HOU-PIX to MN-PIX. This example assumes that the two remote sites need to communicate only with the main location and not with each other.
Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling
Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX.
| Step 1. | Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
| | Step 2. | Configure a preshared key and associate it with the peers (Houston and Minneapolis):
isakmp key C2!#ghi address 192.168.3.2
isakmp key B2!#def address 192.168.2.2
| | Step 3. | Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
| | Step 4. | Create an access list:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0
255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0
255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0
255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0
255.255.255.0
| | Step 5. | Define a crypto map for both Houston and Minneapolis:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.2.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.3.2
crypto map Dukem-Map 30 set transform-set myset
| | Step 6. | Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
| | Step 7. | Specify that IPSec traffic is implicitly trusted (permitted):
sysopt connection permit-ipsec
| | Step 8. | Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0
255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0
255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0
255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0
255.255.255.0
nat (inside) 0 access-list VPN
|
Example 20-6 shows the complete configuration for the HQ-PIX.Example 20-6. HQ PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security80
nameif ethernet3 failover security90
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HQ-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
!--- Traffic to HOU-PIX:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
!--- Traffic to MN-PIX:
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- Do not Network Address Translate (NAT) traffic to other branches:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
logging host DMZ 172.16.31.7
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip address failover 1.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.1.3
failover ip address inside 10.10.10.2
failover ip address DMZ 172.16.31.2
arp timeout 14400
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.152 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
!--- Do not NAT traffic to other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include telnet inside 0.0.0.0 0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to HOU-PIX:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 20 set transform-set myset
!--- Traffic to MN-PIX:
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.2.2
crypto map Dukem-Map 30 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.3.2 netmask 255.255.255.255
isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fb446986bcad922ec40de6346e9e2729
: end
Configuring the Houston PIX Firewall, HOU-PIX, for VPN Tunneling
Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:
| Step 1. | Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
| | Step 2. | Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1!#abc address 192.168.1.2
| | Step 3. | Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
| | Step 4. | Create an access list:
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0
255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0
255.255.255.0
| | Step 5. | Define a crypto map for HQ-PIX:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
| | Step 6. | Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
| | Step 7. | Specify that IPSec traffic is implicitly trusted (permitted):
sysopt connection permit-ipsec
| | Step 8. | Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0
255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0
255.255.255.0
nat (inside) 0 access-list VPN
|
Example 20-7 shows the Houston PIX configuration.Example 20-7. Houston PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HOU-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.3.2 255.255.255.0
ip address inside 10.30.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
global (outside) 1 192.168.3.252 netmask 255.255.255.0
nat (inside) 1 10.30.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255
no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f
Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN Tunneling
Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
| Step 1. | Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
| | Step 2. | Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1!#abc address 192.168.1.2
| | Step 3. | Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
| | Step 4. | Create an access list:
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0
255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0
255.255.255.0
| | Step 5. | Define a crypto map for HQ-PIX:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
| | Step 6. | Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
| | Step 7. | Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
| | Step 8. | Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0
255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0
255.255.255.0
nat (inside) 0 access-list VPN
|
Example 20-8 shows the configuration for the Minneapolis PIX Firewall.Example 20-8. Minneapolis PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname MN-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host outside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.252 netmask 255.255.255.0
nat (inside) 1 10.20.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00
h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth
no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0
Verifying and Troubleshooting
After you configure the PIX for VPNs, the next step is to verify the configuration. The show, clear , and debug commands are used to verify and troubleshoot your configuration.show Commands
- show crypto ipsec sa Displays the current status of the IPSec security associations. This is useful in determining whether traffic is being encrypted.
- show crypto isakmp sa Displays the current state of the Internet Key Exchange (IKE) security associations.
Debug Commands
If you have problems establishing any of the VPN tunnels, use the following commands for troubleshooting:
| Step 1. | If you are connected to the PIX by the console port, enable debugging on the console using this command:
logging console debugging
If you are connected to the PIX by Telnet, enable debugging using this command:
logging monitor debugging
| | Step 2. | To view debug information related to the VPN configuration, use the following commands:- debug crypto ipsec Used to debug IPSec processing
- debug crypto isakmp Used to debug ISAKMP processing
- debug crypto engine Used to display debug messages about crypto engines, which perform encryption and decryption
| | Step 3. | To clear security associations (SAs), use the following commands in the PIX configuration mode:- clear [crypto] ipsec sa Deletes the active IPSec SAs. The keyword crypto is optional.
- clear [crypto] isakmp sa Deletes the active IKE SAs. The keyword crypto is optional.
|
|
لطفا منتظر باشید ...
