CCSP Cisco Secure PIX Firewall Advanced Exam Certification Guide, Second Edition [Electronic resources] (text version)

Greg Bastien; Earl Carter; Christian Degu

    Scenario


    This scenario gives you the opportunity to configure three locations (New York, Los Angeles, and Atlanta) for a site-to-site fully meshed VPN. The configurations for the three locations are listed with specific items missing. By reviewing the network layout and each firewall configuration, you will find the items that are missing from the individual firewall configurations.


    VPN Configurations


    Clearly, the most detail-oriented and time-consuming portion of configuring VPNs is ensuring that both peers have matching configurations. This task usually becomes more complicated because you might have access to only one peer and are relying on someone else to configure the other end. A single discrepancy between the configurations can prevent the key exchange from completing or prevent encryption from occurring. It is best to compare the configurations on both peers before attempting the connection rather than trying to troubleshoot the VPN after an unsuccessful connection.

    In this scenario, you are working as a consultant and have been assigned the task of configuring a full-mesh VPN between corporate headquarters and two branch offices. Figure 11-7 shows the layout of each network and how the VPNs are to connect.


    Figure 11-7. VPN Network Layout

    The three locations have all provided their current PIX configurations, but each has a significant amount of information missing. It is your responsibility to complete each of the configurations and ensure that they are correct. Example 11-10 shows the configuration for the corporate headquarters in Los Angeles:

    Example 11-10. PIX Configuration for Los Angeles



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password HtmvK15kjhtlyfvcl encrypted
    8. passwd Kkjhlkf1568Hke encrypted
    9. hostname LosAngeles
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol h323 1720
    14. fixup protocol rsh 514
    15. fixup protocol smtp 25
    16. fixup protocol sqlnet 1521
    17. fixup protocol sip 5060
    18. fixup protocol skinny 2000
    19. names
    20. access-list inbound permit icmp any host 192.168.1.10
    21. access-list inbound permit tcp any host 192.168.1.10 eq www
    22. access-list inbound permit tcp any host 192.168.1.10 eq 443
    23. access-list inbound permit tcp any host 192.168.1.11 eq www
    24. access-list inbound permit tcp any host 192.168.1.11 eq 443
    25. access-list inbound permit tcp any host 192.168.1.12 eq www
    26. access-list inbound permit tcp any host 192.168.1.12 eq 443
    27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
    28. access-list inbound permit tcp any host 192.168.1.13 eq 443
    29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
    30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    31. _____________________________________________________________________________
    32. _____________________________________________________________________________
    33. _____________________________________________________________________________
    34. pager lines 24
    35. logging on
    36. logging timestamp
    37. interface ethernet0 auto
    38. interface ethernet1 auto
    39. interface ethernet2 auto
    40. mtu outside 1500
    41. mtu inside 1500
    42. ip address outside 192.168.1.1 255.255.255.0
    43. ip address inside 10.10.10.1 255.255.255.0
    44. ip address DMZ 172.16.1.1 255.255.255.0
    45. failover
    46. failover timeout 0:00:00
    47. failover poll 15
    48. failover ip address outside 192.168.1.2
    49. failover ip address inside 10.10.10.2
    50. failover ip address DMZ 172.16.1.2
    51. arp timeout 14400
    52. global (outside) 1 192.168.1.20-250
    53. nat (inside) 1 0.0.0.0 0.0.0.0
    54. nat (inside) 0 access-list VPN
    55. static (inside,DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
    56. static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
    57. static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
    58. static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
    59. static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
    60. access-group inbound in interface outside
    61. access-group DMZ in interface DMZ
    62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
    63. timeout xlate 3:00:00
    64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    65. timeout uauth 0:05:00 absolute
    66. aaa-server TACACS+ protocol tacacs+
    67. aaa-server RADIUS protocol radius
    68. no snmp-server location
    69. no snmp-server contact
    70. snmp-server community public
    71. no snmp-server enable traps
    72. floodguard enable
    73. sysopt connection permit-ipsec
    74. no sysopt route dnat
    75. crypto ipsec transform-set
    76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    77. ____________________________________________________________________
    78. ____________________________________________________________________
    79. ____________________________________________________________________
    80. crypto map Chapter11 10 set transform-set Chapter11
    81. crypto map Chapter11 20 ipsec-isakmp
    82. _____________________________________________________________________
    83. _____________________________________________________________________
    84. _____________________________________________________________________
    85. crypto map Chapter11 interface outside
    86. _____________________________________________________________________
    87. _____________________________________________________________________
    88. _____________________________________________________________________
    89. _____________________________________________________________________
    90. _____________________________________________________________________
    91. _____________________________________________________________________
    92. _____________________________________________________________________
    93. _____________________________________________________________________
    94. _____________________________________________________________________
    95. terminal width 80
    96. Cryptochecksum:e0clmj3546549637cbsFds54132d5

    Example 11-11 shows the configuration for the Boston branch office.

    Example 11-11. PIX Configuration for Boston



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password ksjfglkasglc encrypted
    8. passwd kjngczftglkacytiur encrypted
    9. hostname Boston
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol smtp 25
    14. fixup protocol skinny 2000
    15. names
    16. access-list inbound permit icmp any host 192.168.2.10
    17. access-list inbound permit tcp any host 192.168.2.10 eq www
    18. access-list inbound permit tcp any host 192.168.2.10 eq 443
    19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
    20. access-list___________________________________________________________________
    21. access-list___________________________________________________________________
    22. access-list___________________________________________________________________
    23. access-list___________________________________________________________________
    24. pager lines 24
    25. logging on
    26. logging timestamp
    27. interface ethernet0 auto
    28. interface ethernet1 auto
    29. interface ethernet2 auto
    30. mtu outside 1500
    31. mtu inside 1500
    32. ip address outside 192.168.2.1 255.255.255.0
    33. ip address inside 10.10.2.1 255.255.255.0
    34. ip address DMZ 172.16.2.1 255.255.255.0
    35. arp timeout 14400
    36. global (outside) 1 192.168.2.20-200
    37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    38. nat (inside) 0 access-list VPN
    39. static (inside,DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
    40. static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
    41. access-group inbound in interface outside
    42. access-group DMZ in interface DMZ
    43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
    44. timeout xlate 3:00:00
    45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    46. timeout uauth 0:05:00 absolute
    47. aaa-server TACACS+ protocol tacacs+
    48. aaa-server RADIUS protocol radius
    49. no snmp-server location
    50. no snmp-server contact
    51. snmp-server community public
    52. no snmp-server enable traps
    53. floodguard enable
    54. ___________________________________________________________
    55. ___________________________________________________________
    56. ___________________________________________________________
    57. crypto map Chapter11 10 ipsec-isakmp
    58. crypto map Chapter11 10 match address LosAngeles
    59. _____________________________________________
    60. crypto map Chapter11 10 set transform-set Chapter11
    61. crypto map Chapter11 20 ipsec-isakmp
    62. crypto map Chapter11 20 match address Atlanta
    63. crypto map Chapter11 20 set peer 192.168.3.1
    64. _____________________________________________
    65. _____________________________________________
    66. isakmp enable outside
    67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
    68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
    69. isakmp identity address
    70. isakmp policy 20 authentication pre-share
    71. _____________________________________________
    72. _____________________________________________
    73. _____________________________________________
    74. _____________________________________________
    75. terminal width 80
    76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

    Example 11-12 shows the configuration for the Atlanta branch office.

    Example 11-12. PIX Configuration for Atlanta



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password ksjfglkasglc encrypted
    8. passwd kjngczftglkacytiur encrypted
    9. hostname Atlanta
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol smtp 25
    14. fixup protocol skinny 2000
    15. names
    16. access-list inbound permit icmp any host 192.168.3.10
    17. access-list inbound permit tcp any host 192.168.3.10 eq www
    18. access-list inbound permit tcp any host 192.168.3.10 eq 443
    19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
    20. access-list________________________________________________________________
    21. access-list________________________________________________________________
    22. access-list________________________________________________________________
    23. access-list________________________________________________________________
    24. pager lines 24
    25. logging on
    26. logging timestamp
    27. interface ethernet0 auto
    28. interface ethernet1 auto
    29. interface ethernet2 auto
    30. mtu outside 1500
    31. mtu inside 1500
    32. ip address outside 192.168.3.1 255.255.255.0
    33. ip address inside 10.10.3.1 255.255.255.0
    34. ip address DMZ 172.16.3.1 255.255.255.0
    35. arp timeout 14400
    36. global (outside) 1 192.168.3.20-200
    37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    38. nat (inside) 0 access-list VPN
    39. static (inside,DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
    40. static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
    41. access-group inbound in interface outside
    42. access-group DMZ in interface DMZ
    43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
    44. timeout xlate 3:00:00
    45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    46. timeout uauth 0:05:00 absolute
    47. aaa-server TACACS+ protocol tacacs+
    48. aaa-server RADIUS protocol radius
    49. no snmp-server location
    50. no snmp-server contact
    51. snmp-server community public
    52. no snmp-server enable traps
    53. floodguard enable
    54. sysopt connection permit-ipsec
    55. crypto ipsec transform-set_____________________________________________________
    56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    57. crypto map Chapter11 10 ipsec-isakmp
    58. crypto map_____________________________________________________________________
    59. crypto map_____________________________________________________________________
    60. crypto map Chapter11 10 set transform-set Chapter11____________________________
    61. crypto map_____________________________________________________________________
    62. crypto map_____________________________________________________________________
    63. crypto map_____________________________________________________________________
    64. crypto map Chapter11 20 set transform-set Chapter11____________________________
    65. crypto map_____________________________________________________________________
    66. isakmp_________________________________________________________________________
    67. isakmp key ********____________________________________________________________
    68. isakmp key_____________________________________________________________________
    69. isakmp identity address________________________________________________________
    70. isakmp policy 20_______________________________________________________________
    71. isakmp policy 20 encryption 3des
    72. isakmp policy 20 hash md5
    73. isakmp policy 20 group 2
    74. isakmp policy 20 lifetime 86400
    75. terminal width 80
    76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

    Each line of the configuration is numbered, and certain lines have not been completed. Your job is to complete the lines and verify each configuration against the configuration of the VPN peer. The following sections give the blank lines for each configuration. The completed configurations are listed at the end of the chapter, along with a full description of each element from the configuration in Los Angeles. You will not find all the information needed to complete the configuration on a single firewall. Remember that the configurations must match on each end of the VPN.

    Los Angeles Configuration


    Fill in the missing lines in Example 11-10:

    Line 31:________________________________________________________________

    Line 32:________________________________________________________________

    Line 33:________________________________________________________________

    Line 77:________________________________________________________________

    Line 78:________________________________________________________________

    Line 79:_________________________________________________________________

    Line 82:_________________________________________________________________

    Line 83:_________________________________________________________________

    Line 84:_________________________________________________________________

    Line 86:________________________________________________________________

    Line 87:________________________________________________________________

    Line 88:________________________________________________________________

    Line 89:________________________________________________________________

    Line 90:________________________________________________________________

    Line 91:________________________________________________________________

    Line 92:________________________________________________________________

    Line 93:________________________________________________________________

    Line 94:________________________________________________________________


    Boston Configuration


    Fill in the missing lines in Example 11-11:

    Line 20:________________________________________________________________

    Line 21:________________________________________________________________

    Line 22:________________________________________________________________

    Line 23:________________________________________________________________

    Line 54:________________________________________________________________

    Line 55:________________________________________________________________

    Line 56:________________________________________________________________

    Line 59:________________________________________________________________

    Line 64:________________________________________________________________

    Line 65:________________________________________________________________

    Line 71:________________________________________________________________

    Line 72:________________________________________________________________

    Line 73:________________________________________________________________

    Line 74:________________________________________________________________


    Atlanta Configuration


    Fill in the missing lines in Example 11-12:

    Line 20:________________________________________________________________

    Line 21:________________________________________________________________

    Line 22:________________________________________________________________

    Line 23:________________________________________________________________

    Line 55:________________________________________________________________

    Line 58:________________________________________________________________

    Line 59:________________________________________________________________

    Line 61:________________________________________________________________

    Line 62:________________________________________________________________

    Line 63:________________________________________________________________

    Line 65:________________________________________________________________

    Line 66:________________________________________________________________

    Line 67:________________________________________________________________

    Line 68:________________________________________________________________

    Line 70:________________________________________________________________



    Completed PIX Configurations


    To reduce confusion, it is a good idea to use a common naming convention when creating access lists, transforms, and crypto maps. Example 11-13 shows the completed configuration for the Los Angeles headquarters.

    Example 11-13. Completed Configuration for Los Angeles



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password HtmvK15kjhtlyfvcl encrypted
    8. passwd Kkjhlkf1568Hke encrypted
    9. hostname LosAngeles
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol h323 1720
    14. fixup protocol rsh 514
    15. fixup protocol smtp 25
    16. fixup protocol sqlnet 1521
    17. fixup protocol sip 5060
    18. fixup protocol skinny 2000
    19. names
    20. access-list inbound permit icmp any host 192.168.1.10
    21. access-list inbound permit tcp any host 192.168.1.10 eq www
    22. access-list inbound permit tcp any host 192.168.1.10 eq 443
    23. access-list inbound permit tcp any host 192.168.1.11 eq www
    24. access-list inbound permit tcp any host 192.168.1.11 eq 443
    25. access-list inbound permit tcp any host 192.168.1.12 eq www
    26. access-list inbound permit tcp any host 192.168.1.12 eq 443
    27. access-list inbound permit tcp any host 192.168.1.13 eq ftp
    28. access-list inbound permit tcp any host 192.168.1.13 eq 443
    29. access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
    30. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    31. access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    32. access-list Boston permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
    33. access-list Atlanta permit ip 10.10.10.0 255.255.255.0 10.10.3.0 255.255.255.0
    34. pager lines 24
    35. logging on
    36. logging timestamp
    37. interface ethernet0 auto
    38. interface ethernet1 auto
    39. interface ethernet2 auto
    40. mtu outside 1500
    41. mtu inside 1500
    42. ip address outside 192.168.1.1 255.255.255.0
    43. ip address inside 10.10.10.1 255.255.255.0
    44. ip address DMZ 172.16.1.1 255.255.255.0
    45. failover
    46. failover timeout 0:00:00
    47. failover poll 15
    48. failover ip address outside 192.168.1.2
    49. failover ip address inside 10.10.10.2
    50. failover ip address DMZ 172.16.1.2
    51. arp timeout 14400
    52. global (outside) 1 192.168.1.20-192.168.1.250
    53. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    54. nat (inside) 0 access-list VPN
    55. static (inside,DMZ) 10.10.10.240 10.10.10.240 netmask 255.255.255.255 0 0
    56. static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
    57. static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
    58. static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
    59. static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
    60. access-group inbound in interface outside
    61. access-group DMZ in interface DMZ
    62. route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
    63. timeout xlate 3:00:00
    64. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    65. timeout uauth 0:05:00 absolute
    66. aaa-server TACACS+ protocol tacacs+
    67. aaa-server RADIUS protocol radius
    68. no snmp-server location
    69. no snmp-server contact
    70. snmp-server community public
    71. no snmp-server enable traps
    72. floodguard enable
    73. sysopt connection permit-ipsec
    74. no sysopt route dnat
    75. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
    76. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    77. crypto map Chapter11 10 ipsec-isakmp
    78. crypto map Chapter11 10 match address Boston
    79. crypto map Chapter11 10 set peer 192.168.2.1
    80. crypto map Chapter11 10 set transform-set Chapter11
    81. crypto map Chapter11 20 ipsec-isakmp
    82. crypto map Chapter11 20 match address Atlanta
    83. crypto map Chapter11 20 set peer 192.168.3.1
    84. crypto map Chapter11 20 set transform-set Chapter11
    85. crypto map Chapter11 interface outside
    86. isakmp enable outside
    87. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
    88. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
    89. isakmp identity address
    90. isakmp policy 20 authentication pre-share
    91. isakmp policy 20 encryption 3des
    92. isakmp policy 20 hash md5
    93. isakmp policy 20 group 2
    94. isakmp policy 20 lifetime 86400
    95. terminal width 80
    96. Cryptochecksum:e0clmj3546549637cbsFds54132d5

    Example 11-14 shows the completed configuration for the Boston branch office.

    Example 11-14. Completed Configuration for Boston



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password ksjfglkasglc encrypted
    8. passwd kjngczftglkacytiur encrypted
    9. hostname Boston
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol smtp 25
    14. fixup protocol skinny 2000
    15. names
    16. access-list inbound permit icmp any host 192.168.2.10
    17. access-list inbound permit tcp any host 192.168.2.10 eq www
    18. access-list inbound permit tcp any host 192.168.2.10 eq 443
    19. access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
    20. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
    21. access-list VPN permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
    22. access-list LosAngeles permit ip 10.10.2.0 255.255.255.0 10.10.10.0 255.255.255.0
    23. access-list Atlanta permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
    24. pager lines 24
    25. logging on
    26. logging timestamp
    27. interface ethernet0 auto
    28. interface ethernet1 auto
    29. interface ethernet2 auto
    30. mtu outside 1500
    31. mtu inside 1500
    32. ip address outside 192.168.2.1 255.255.255.0
    33. ip address inside 10.10.2.1 255.255.255.0
    34. ip address DMZ 172.16.2.1 255.255.255.0
    35. arp timeout 14400
    36. global (outside) 1 192.168.2.20-192.168.2.200
    37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    38. nat (inside) 0 access-list VPN
    39. static (inside,DMZ) 10.10.2.240 10.10.2.240 netmask 255.255.255.255 0 0
    40. static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
    41. access-group inbound in interface outside
    42. access-group DMZ in interface DMZ
    43. route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
    44. timeout xlate 3:00:00
    45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    46. timeout uauth 0:05:00 absolute
    47. aaa-server TACACS+ protocol tacacs+
    48. aaa-server RADIUS protocol radius
    49. no snmp-server location
    50. no snmp-server contact
    51. snmp-server community public
    52. no snmp-server enable traps
    53. floodguard enable
    54. sysopt connection permit-ipsec
    55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
    56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    57. crypto map Chapter11 10 ipsec-isakmp
    58. crypto map Chapter11 10 match address LosAngeles
    59. crypto map Chapter11 10 set peer 192.168.1.1
    60. crypto map Chapter11 10 set transform-set Chapter11
    61. crypto map Chapter11 20 ipsec-isakmp
    62. crypto map Chapter11 20 match address Atlanta
    63. crypto map Chapter11 20 set peer 192.168.3.1
    64. crypto map Chapter11 20 set transform-set Chapter11
    65. crypto map Chapter11 interface outside
    66. isakmp enable outside
    67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
    68. isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
    69. isakmp identity address
    70. isakmp policy 20 authentication pre-share
    71. isakmp policy 20 encryption 3des
    72. isakmp policy 20 hash md5
    73. isakmp policy 20 group 2
    74. isakmp policy 20 lifetime 86400
    75. terminal width 80
    76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5

    Example 11-15 shows the completed configuration for the Atlanta branch office.

    Example 11-15. Completed Configuration for Atlanta



    1. : Saved
    2. :
    3. PIX Version 6.3(3)
    4. nameif ethernet0 outside security0
    5. nameif ethernet1 inside security100
    6. nameif ethernet2 DMZ security70
    7. enable password ksjfglkasglc encrypted
    8. passwd kjngczftglkacytiur encrypted
    9. hostname Atlanta
    10. domain-name www.Chapter11.com
    11. fixup protocol ftp 21
    12. fixup protocol http 80
    13. fixup protocol smtp 25
    14. fixup protocol skinny 2000
    15. names
    16. access-list inbound permit icmp any host 192.168.3.10
    17. access-list inbound permit tcp any host 192.168.3.10 eq www
    18. access-list inbound permit tcp any host 192.168.3.10 eq 443
    19. access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
    20. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
    21. access-list VPN permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    22. access-list LosAngeles permit ip 10.10.3.0 255.255.255.0 10.10.10.0 255.255.255.0
    23. access-list Boston permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
    24. pager lines 24
    25. logging on
    26. logging timestamp
    27. interface ethernet0 auto
    28. interface ethernet1 auto
    29. interface ethernet2 auto
    30. mtu outside 1500
    31. mtu inside 1500
    32. ip address outside 192.168.3.1 255.255.255.0
    33. ip address inside 10.10.3.1 255.255.255.0
    34. ip address DMZ 172.16.3.1 255.255.255.0
    35. arp timeout 14400
    36. global (outside) 1 192.168.3.20-192.168.3.200
    37. nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    38. nat (inside) 0 access-list VPN
    39. static (inside,DMZ) 10.10.3.240 10.10.3.240 netmask 255.255.255.255 0 0
    40. static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
    41. access-group inbound in interface outside
    42. access-group DMZ in interface DMZ
    43. route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
    44. timeout xlate 3:00:00
    45. timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    46. timeout uauth 0:05:00 absolute
    47. aaa-server TACACS+ protocol tacacs+
    48. aaa-server RADIUS protocol radius
    49. no snmp-server location
    50. no snmp-server contact
    51. snmp-server community public
    52. no snmp-server enable traps
    53. floodguard enable
    54. sysopt connection permit-ipsec
    55. crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac
    56. crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
    57. crypto map Chapter11 10 ipsec-isakmp
    58. crypto map Chapter11 10 match address LosAngeles
    59. crypto map Chapter11 10 set peer 192.168.1.1
    60. crypto map Chapter11 10 set transform-set Chapter11
    61. crypto map Chapter11 20 ipsec-isakmp
    62. crypto map Chapter11 20 match address Boston
    63. crypto map Chapter11 20 set peer 192.168.2.1
    64. crypto map Chapter11 20 set transform-set Chapter11
    65. crypto map Chapter11 interface outside
    66. isakmp enable outside
    67. isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
    68. isakmp key ******** address 192.168.2.1 netmask 255.255.255.255
    69. isakmp identity address
    70. isakmp policy 20 authentication pre-share
    71. isakmp policy 20 encryption 3des
    72. isakmp policy 20 hash md5
    73. isakmp policy 20 group 2
    74. isakmp policy 20 lifetime 86400
    75. terminal width 80
    76. Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5


    How the Configuration Lines Interact


    Figure 11-8 shows the completed configuration for Los Angeles, with a brief explanation for each entry. Note that each entry is connected to one or more other entries on the right. This diagram depicts how the lines of the configuration are dependent on each other. Keep this in mind when trying to troubleshoot a VPN configuration. It might help you to find which line is missing or incorrectly configured.


    Figure 11-8. LA Configuration with Comments
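    The peer-matching rule from the start of the scenario and the line dependencies just described, as an added example that is not from the book: a hypothetical parse_pix()/check_mesh() pair that reads PIX 6.3 configuration listings (the book's line numbers and unfinished blank lines are tolerated) and reports each place where the two ends of a tunnel disagree. The embedded site data is constructed to mirror Examples 11-13 to 11-15, with the masked pre-shared key replaced by a placeholder.

```python
"""Cross-check a full-mesh PIX 6.3 site-to-site VPN for peer consistency (added example)."""
import re

LINE_NO = re.compile(r"^\s*\d+\.?\s+")   # strips the book's "57. " style line numbers
FIELDS = ("authentication", "encryption", "hash", "group")  # ISAKMP policy attributes that must agree

# Constructed sample data shaped like Examples 11-13 to 11-15: outside address and
# inside network of each site. The masked pre-shared key becomes a placeholder value.
SITES = {"LosAngeles": ("192.168.1.1", "10.10.10.0"),
         "Boston": ("192.168.2.1", "10.10.2.0"),
         "Atlanta": ("192.168.3.1", "10.10.3.0")}


def listing(host):
    """Return the VPN-relevant lines of one site's configuration (hypothetical helper)."""
    ip, net = SITES[host]
    lines = [f"hostname {host}", f"ip address outside {ip} 255.255.255.0",
             "sysopt connection permit-ipsec",
             "crypto ipsec transform-set Chapter11 esp-3des esp-md5-hmac",
             "isakmp enable outside", "isakmp policy 20 authentication pre-share",
             "isakmp policy 20 encryption 3des", "isakmp policy 20 hash md5",
             "isakmp policy 20 group 2"]
    for seq, (peer, (pip, pnet)) in enumerate((p for p in SITES.items() if p[0] != host), 1):
        lines += [f"access-list {peer} permit ip {net} 255.255.255.0 {pnet} 255.255.255.0",
                  f"crypto map Chapter11 {seq * 10} ipsec-isakmp",
                  f"crypto map Chapter11 {seq * 10} match address {peer}",
                  f"crypto map Chapter11 {seq * 10} set peer {pip}",
                  f"crypto map Chapter11 {seq * 10} set transform-set Chapter11",
                  f"isakmp key PLACEHOLDER-KEY address {pip} netmask 255.255.255.255"]
    return "\n".join(lines + ["crypto map Chapter11 interface outside"])


def parse_pix(text):
    """Pick out the lines a peer check depends on (the dependencies Figure 11-8 draws)."""
    c = {"host": None, "outside": None, "acls": {}, "ts": {}, "maps": {},
         "keys": {}, "policies": {}, "map_if": None, "isakmp_if": None}
    for raw in text.splitlines():
        w = LINE_NO.sub("", raw).split()
        if not w or "___" in raw:          # skip empty and still-blank exercise lines
            continue
        if w[0] == "hostname":
            c["host"] = w[1]
        elif w[:3] == ["ip", "address", "outside"]:
            c["outside"] = w[3]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            c["acls"].setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, mask, dst, mask)
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            c["ts"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["map_if"] = w[4]
        elif w[:2] == ["crypto", "map"] and w[4] in ("match", "set"):
            e = c["maps"].setdefault((w[2], w[3]), {})
            e["acl" if w[4] == "match" else "peer" if w[5] == "peer" else "ts"] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            c["keys"][w[4]] = w[2]         # pre-shared key, indexed by peer address
        elif w[:2] == ["isakmp", "enable"]:
            c["isakmp_if"] = w[2]
        elif w[:2] == ["isakmp", "policy"]:
            c["policies"].setdefault(w[2], {})[w[3]] = w[4]
    return c


def check_mesh(listings):
    """Return mismatch findings across all tunnels; an empty list means the mesh is consistent."""
    sites = [parse_pix(t) for t in listings]
    by_ip = {s["outside"]: s for s in sites}
    out = []
    for a in sites:
        if a["map_if"] is None or a["isakmp_if"] != a["map_if"]:
            out.append(f"{a['host']}: crypto map and isakmp must be enabled on the same interface")
        for (m, seq), e in a["maps"].items():
            tag = f"{a['host']} crypto map {m} {seq}"
            b = by_ip.get(e.get("peer"))
            back = [x for x in b["maps"].values() if x.get("peer") == a["outside"]] if b else []
            if not back:
                out.append(f"{tag}: peer {e.get('peer')} has no matching crypto map entry")
                continue
            back = back[0]
            # Both ends must name an existing transform set with identical transforms.
            if e.get("ts") not in a["ts"] or a["ts"][e["ts"]] != b["ts"].get(back.get("ts")):
                out.append(f"{tag}: transform set differs from {b['host']}")
            # The peer's crypto ACL must be the mirror image (src/dst swapped) of ours.
            mine = a["acls"].get(e.get("acl"), set())
            if not mine or {(d, dm, s, sm) for s, sm, d, dm in mine} != b["acls"].get(back.get("acl")):
                out.append(f"{tag}: crypto ACL is not mirrored on {b['host']}")
            # The pre-shared key for the peer's address must exist and match on both ends.
            if a["keys"].get(b["outside"]) is None or a["keys"][b["outside"]] != b["keys"].get(a["outside"]):
                out.append(f"{tag}: isakmp key for {b['host']} missing or different")
            # At least one ISAKMP policy on each side must agree on auth/encryption/hash/group.
            pa = {tuple(p.get(f) for f in FIELDS) for p in a["policies"].values()}
            pb = {tuple(p.get(f) for f in FIELDS) for p in b["policies"].values()}
            if not pa & pb:
                out.append(f"{tag}: no isakmp policy matches {b['host']}")
    return out
```

Running `check_mesh([listing(h) for h in SITES])` on the constructed data returns no findings; altering one site's key or transform set name produces a finding for each affected tunnel, from both ends.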

