CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] - text version

Greg Bastien; Earl Carter; Christian Degu

  • Task 5: Configuring a VPN Between HQ and Remote Sites


    The two remote sites communicate with the Reston location (HQ-PIX) using VPN connections that traverse the Internet. To enable these VPNs, you must define the VPN characteristics at the headquarters location, as well as at the remote sites. Configuring the VPN connections between HQ-PIX and the two remote sites (MN-PIX and HOU-PIX) involves the following tasks:

    • Configuring the central PIX Firewall, HQ-PIX, for VPN tunneling

    • Configuring the Houston PIX Firewall, HOU-PIX, for VPN tunneling

    • Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN tunneling


    Note

    The VPN tunnels shown in this example enable the two remote sites (Houston and Minneapolis) to communicate with the main location at Reston. If the two remote sites also must be able to communicate with each other, you would also need to establish a VPN tunnel from HOU-PIX to MN-PIX. This example assumes that the two remote sites need to communicate only with the main location and not with each other.


    Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling


    Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX.


    Step 1.

    Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy. The policy attributes must match on both peers or phase 1 never completes. Note that DES, MD5, and Diffie-Hellman group 1 are the weakest choices the PIX offers; prefer 3DES or AES, SHA, and group 2 or higher wherever both peers support them:


    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

    Step 2.

    Configure a preshared key for each peer (Houston at 192.168.3.2, Minneapolis at 192.168.2.2). Keys are looked up by peer address, so each remote PIX must be configured with the same key for HQ-PIX's outside address, 192.168.1.2:


    isakmp key C2!#ghi address 192.168.3.2
    isakmp key B2!#def address 192.168.2.2

    Step 3.

    Configure the supported IPSec transforms:


    crypto ipsec transform-set myset esp-des esp-md5-hmac

    Step 4.

    Create the crypto access lists that define the interesting traffic for each tunnel: 130 for Houston (10.30.10.0/24) and 120 for Minneapolis (10.20.10.0/24). The crypto access list on each remote site must be the exact mirror image of its counterpart here, or the peers will not agree on the proxy identities during phase 2:


    access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0

    Step 5.

    Define one crypto map with an entry for each remote site. Entry 20 pairs access list 120 with the Minneapolis peer (192.168.2.2) and entry 30 pairs access list 130 with the Houston peer (192.168.3.2); the access list and peer in each entry must belong to the same site:


    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 120
    crypto map Dukem-Map 20 set peer 192.168.2.2
    crypto map Dukem-Map 20 set transform-set myset
    crypto map Dukem-Map 30 ipsec-isakmp
    crypto map Dukem-Map 30 match address 130
    crypto map Dukem-Map 30 set peer 192.168.3.2
    crypto map Dukem-Map 30 set transform-set myset

    Step 6.

    Apply the crypto map to the outside interface:


    crypto map Dukem-Map interface outside

    Step 7.

    Allow traffic that arrives through an IPSec tunnel to bypass the access list applied to the outside interface (acl-out) and the default inbound deny; without this, each remote subnet would need explicit entries in that access list:


    sysopt connection permit-ipsec

    Step 8.

    Configure a NAT 0 policy so that traffic between the offices is excluded from NAT. The access list repeats the crypto access lists; without it, source addresses would be translated to the global pool before encryption and would no longer match the crypto access list:


    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
    nat (inside) 0 access-list VPN



    Example 20-6 shows the complete configuration for the HQ-PIX.

    Example 20-6. HQ PIX Firewall Configuration



    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security80
    nameif ethernet3 failover security90
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KPPU encrypted
    hostname HQ-PIX
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    names
    access-list acl-out permit tcp any host 192.168.1.4 eq smtp
    access-list acl-out permit tcp any host 192.168.1.5 eq www
    access-list acl-out permit tcp any host 192.168.1.6 eq ftp
    !--- Traffic to HOU-PIX:
    access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    !--- Traffic to MN-PIX:
    access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
    !--- Do not Network Address Translate (NAT) traffic to other branches:
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
    access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    no logging buffered
    logging trap
    no logging history
    logging facility 20
    logging queue 512
    logging host DMZ 172.16.31.7
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.1.2 255.255.255.0
    ip address inside 10.10.10.1 255.255.255.0
    ip address DMZ 172.16.31.1 255.255.255.0
    ip address failover 1.1.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 192.168.1.3
    failover ip address inside 10.10.10.2
    failover ip address DMZ 172.16.31.2
    arp timeout 14400
    global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
    global (outside) 1 192.168.1.152 netmask 255.255.255.0
    nat (inside) 1 10.10.10.0 255.255.255.0
    !--- Do not NAT traffic to other PIXes:
    nat (inside) 0 access-list VPN
    static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
    static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
    access-group acl-out in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.1.1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
    aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include telnet inside 0.0.0.0 0 0.0.0.0 TACACS+
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    !--- Traffic to MN-PIX (access list 120, peer 192.168.2.2):
    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 120
    crypto map Dukem-Map 20 set peer 192.168.2.2
    crypto map Dukem-Map 20 set transform-set myset
    !--- Traffic to HOU-PIX (access list 130, peer 192.168.3.2):
    crypto map Dukem-Map 30 ipsec-isakmp
    crypto map Dukem-Map 30 match address 130
    crypto map Dukem-Map 30 set peer 192.168.3.2
    crypto map Dukem-Map 30 set transform-set myset
    crypto map Dukem-Map interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.3.2 netmask 255.255.255.255
    isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:fb446986bcad922ec40de6346e9e2729
    : end


    Configuring the Houston PIX Firewall, HOU-PIX, for VPN Tunneling


    Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:


    Step 1.

    Configure an ISAKMP policy identical to the one on HQ-PIX (the attributes must match for phase 1 to succeed):


    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

    Step 2.

    Configure the preshared key for the peer (HQ-PIX). It must be the key that HQ-PIX associated with this firewall's outside address, 192.168.3.2:


    isakmp key C2!#ghi address 192.168.1.2

    Step 3.

    Configure the supported IPSec transforms:


    crypto ipsec transform-set myset esp-des esp-md5-hmac

    Step 4.

    Create the crypto access list. It is the mirror image of access list 130 on HQ-PIX, with the Houston network as the source:


    access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0

    Step 5.

    Define a crypto map for HQ-PIX:


    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 110
    crypto map Dukem-Map 20 set peer 192.168.1.2
    crypto map Dukem-Map 20 set transform-set myset

    Step 6.

    Apply the crypto map to the outside interface:


    crypto map Dukem-Map interface outside

    Step 7.

    Allow traffic that arrives through the IPSec tunnel to bypass the outside interface's inbound access control (the default deny, or any access list applied there):


    sysopt connection permit-ipsec

    Step 8.

    Configure a NAT 0 policy so that traffic to the headquarters networks is excluded from NAT and still matches the crypto access list after leaving the inside interface:


    access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    nat (inside) 0 access-list VPN


    Example 20-7 shows the Houston PIX configuration.

    Example 20-7. Houston PIX Firewall Configuration



    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KPPU encrypted
    hostname HOU-PIX
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    names
    !--- Traffic to Reston HQ:
    access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    !--- Do not NAT traffic to Reston HQ:
    access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    no logging buffered
    logging trap 6
    no logging history
    logging facility 20
    logging queue 512
    logging host 192.168.1.8
    interface ethernet0 100full
    interface ethernet1 100full
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.3.2 255.255.255.0
    ip address inside 10.30.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    arp timeout 14400
    global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
    global (outside) 1 192.168.3.252 netmask 255.255.255.0
    nat (inside) 1 10.30.10.0 255.255.255.0
    !--- Do not NAT traffic to Reston HQ:
    nat (inside) 0 access-list VPN
    route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    !--- Traffic to Reston HQ:
    crypto map Dukem-Map 10 ipsec-isakmp
    crypto map Dukem-Map 10 match address 110
    crypto map Dukem-Map 10 set peer 192.168.1.2
    crypto map Dukem-Map 10 set transform-set myset
    crypto map Dukem-Map interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f


    Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN Tunneling


    Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:


    Step 1.

    Configure an ISAKMP policy identical to the one on HQ-PIX (the attributes must match for phase 1 to succeed):


    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000

    Step 2.

    Configure the preshared key for the peer (HQ-PIX). It must be the key that HQ-PIX associated with this firewall's outside address, 192.168.2.2:


    isakmp key B2!#def address 192.168.1.2

    Step 3.

    Configure the supported IPSec transforms:


    crypto ipsec transform-set myset esp-des esp-md5-hmac

    Step 4.

    Create the crypto access list. It is the mirror image of access list 120 on HQ-PIX, with the Minneapolis network as the source:


    access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0

    Step 5.

    Define a crypto map for HQ-PIX:


    crypto map Dukem-Map 20 ipsec-isakmp
    crypto map Dukem-Map 20 match address 110
    crypto map Dukem-Map 20 set peer 192.168.1.2
    crypto map Dukem-Map 20 set transform-set myset

    Step 6.

    Apply the crypto map to the outside interface:


    crypto map Dukem-Map interface outside

    Step 7.

    Allow traffic that arrives through the IPSec tunnel to bypass the outside interface's inbound access control (the default deny, or any access list applied there):


    sysopt connection permit-ipsec

    Step 8.

    Configure a NAT 0 policy so that traffic to the headquarters networks is excluded from NAT and still matches the crypto access list after leaving the inside interface:


    access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    nat (inside) 0 access-list VPN


    Example 20-8 shows the configuration for the Minneapolis PIX Firewall.

    Example 20-8. Minneapolis PIX Firewall Configuration



    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KPPU encrypted
    hostname MN-PIX
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    names
    !--- Traffic to Reston HQ:
    access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    !--- Do not NAT traffic to Reston HQ:
    access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
    pager lines 24
    logging on
    no logging timestamp
    no logging standby
    no logging console
    no logging monitor
    no logging buffered
    logging trap 6
    no logging history
    logging facility 20
    logging queue 512
    logging host outside 192.168.1.8
    interface ethernet0 100full
    interface ethernet1 100full
    mtu outside 1500
    mtu inside 1500
    ip address outside 192.168.2.2 255.255.255.0
    ip address inside 10.20.10.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    arp timeout 14400
    global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
    global (outside) 1 192.168.2.252 netmask 255.255.255.0
    nat (inside) 1 10.20.10.0 255.255.255.0
    !--- Do not NAT traffic to Reston HQ:
    nat (inside) 0 access-list VPN
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    !--- Traffic to Reston HQ:
    crypto map Dukem-Map 10 ipsec-isakmp
    crypto map Dukem-Map 10 match address 110
    crypto map Dukem-Map 10 set peer 192.168.1.2
    crypto map Dukem-Map 10 set transform-set myset
    crypto map Dukem-Map interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0

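    A static consistency check for the hub-and-spoke configuration built in the steps above, written here as an added example in Python; it is not part of the book and not a PIX feature. It parses, from constructed excerpts of the HQ-PIX and HOU-PIX configurations, only the lines a site-to-site tunnel depends on, and reports what would stop phase 1 or phase 2 from completing: crypto access lists that are not mirror images of each other, interesting traffic missing from the nat 0 access list, preshared keys that differ between the two ends, and ISAKMP policy attributes that do not match. It also flags the weak DES, MD5 and group 1 choices even when both peers agree on them. The hub excerpt is deliberately constructed with its two crypto map entries pointing at the wrong peers, and the spoke excerpt with a preshared key that does not match the hub's, so the first run shows both failures and the corrected pair passes. The excerpt strings, the function names and the wording of the findings are this example's own assumptions.

```python
import re

# Constructed excerpts of the hub (HQ-PIX) and one spoke (HOU-PIX): only the
# lines a site-to-site tunnel depends on. The hub's two crypto map entries are
# deliberately pointed at the wrong peers, and the spoke's preshared key is
# deliberately different from the one the hub holds for it.
HQ_PIX = """\
ip address outside 192.168.1.2 255.255.255.0
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.2.2
isakmp key C2!#ghi address 192.168.3.2
isakmp key B2!#def address 192.168.2.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
HOU_PIX = """\
ip address outside 192.168.3.2 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
isakmp key A1!#abc address 192.168.1.2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""
# Corrected versions: hub peers swapped back, spoke key aligned with the hub's.
HQ_FIXED = (HQ_PIX.replace("20 set peer 192.168.3.2", "20 set peer 192.168.2.2")
            .replace("30 set peer 192.168.2.2", "30 set peer 192.168.3.2"))
HOU_FIXED = HOU_PIX.replace("A1!#abc", "C2!#ghi")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
POL_RE = re.compile(r"^isakmp policy \d+ (authentication|encryption|hash|group) (\S+)$")
WEAK = {("encryption", "des"), ("hash", "md5"), ("group", "1")}


def parse(cfg):
    """Extract the tunnel-relevant pieces of a PIX 6.x configuration."""
    c = {"acl": {}, "map": {}, "key": {}, "policy": {}, "outside": None, "nat0": None}
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):        # flows stored as (src, smask, dst, dmask)
            c["acl"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := MAP_RE.match(line):      # crypto map entries keyed by sequence number
            c["map"].setdefault(m[1], {})["acl" if m[2] == "match address" else "peer"] = m[3]
        elif m := KEY_RE.match(line):      # preshared key keyed by peer address
            c["key"][m[2]] = m[1]
        elif m := POL_RE.match(line):
            c["policy"][m[1]] = m[2]
        elif line.startswith("ip address outside "):
            c["outside"] = line.split()[3]
        elif line.startswith("nat (inside) 0 access-list "):
            c["nat0"] = line.split()[-1]
    return c


def check_pair(hub_cfg, spoke_cfg):
    """List the mismatches that would keep these two peers from building a tunnel."""
    a, b = parse(hub_cfg), parse(spoke_cfg)
    ea = [e for e in a["map"].values() if e.get("peer") == b["outside"]]
    eb = [e for e in b["map"].values() if e.get("peer") == a["outside"]]
    if len(ea) != 1 or len(eb) != 1:
        return [f"no unique crypto map entry between {a['outside']} and {b['outside']}"]
    fa = a["acl"].get(ea[0].get("acl"), set())
    fb = b["acl"].get(eb[0].get("acl"), set())
    problems = []
    # Crypto access lists must be exact mirror images (proxy identities swap sides).
    if {(d, dm, s, sm) for s, sm, d, dm in fa} != fb:
        problems.append(f"crypto ACL {ea[0].get('acl')} on {a['outside']} does not mirror "
                        f"ACL {eb[0].get('acl')} on {b['outside']}")
    # Interesting traffic must be exempt from NAT, or it never matches the crypto ACL.
    for side, flows in ((a, fa), (b, fb)):
        if not flows <= side["acl"].get(side["nat0"], set()):
            problems.append(f"nat 0 ACL on {side['outside']} does not cover the crypto ACL")
    # Keys are looked up by the peer's address and must be identical on both ends.
    if a["key"].get(b["outside"]) != b["key"].get(a["outside"]):
        problems.append(f"preshared keys between {a['outside']} and {b['outside']} differ")
    if a["policy"] != b["policy"]:  # phase 1 needs a policy both sides agree on
        problems.append("isakmp policy attributes differ")
    return problems


def weak_phase1(cfg):
    """ISAKMP choices worth flagging even when both peers agree on them."""
    return sorted(f"{k} {v}" for k, v in parse(cfg)["policy"].items() if (k, v) in WEAK)
```

    MN-PIX is checked the same way by passing its excerpt as the spoke against the hub. This is a check on the text of the configurations only; show crypto isakmp sa and show crypto ipsec sa remain the runtime confirmation that the security associations actually came up.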

    Verifying and Troubleshooting


    After you configure the PIX for VPNs, the next step is to verify the configuration. The show, clear, and debug commands are used to verify and troubleshoot it.

    show Commands


    • show crypto ipsec sa Displays the current status of the IPSec security associations. This is useful in determining whether traffic is being encrypted.

    • show crypto isakmp sa Displays the current state of the Internet Key Exchange (IKE) security associations.


    Debug Commands


    If you have problems establishing any of the VPN tunnels, use the following commands for troubleshooting:


    Step 1.

    If you are connected to the PIX by the console port, enable debugging on the console using this command:


    logging console debugging

    If you are connected to the PIX by Telnet, enable debugging using this command:


    logging monitor debugging

    Step 2.

    To view debug information related to the VPN configuration, use the following commands:

    • debug crypto ipsec Used to debug IPSec processing

    • debug crypto isakmp Used to debug ISAKMP processing

    • debug crypto engine Used to display debug messages about crypto engines, which perform encryption and decryption


    Step 3.

    To clear security associations (SAs), use the following commands in the PIX configuration mode:

    • clear [crypto] ipsec sa Deletes the active IPSec SAs. The keyword crypto is optional.

    • clear [crypto] isakmp sa Deletes the active IKE SAs. The keyword crypto is optional.



