Task 5: Configuring a VPN Between HQ and Remote Sites

The two remote sites communicate with the Reston location (HQ-PIX) using VPN connections that traverse the Internet. To enable these VPNs, you must define the VPN characteristics at the headquarters location, as well as at the remote sites. Configuring the VPN connections between HQ-PIX and the two remote sites (MN-PIX and HOU-PIX) involves the following tasks:
Note: The VPN tunnels shown in this example enable the two remote sites (Houston and Minneapolis) to communicate with the main location at Reston. If the two remote sites also must be able to communicate with each other, you would also need to establish a VPN tunnel from HOU-PIX to MN-PIX. This example assumes that the two remote sites need to communicate only with the main location and not with each other.

Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the traffic coming from the remote sites. The following steps define the VPN characteristics on HQ-PIX.
Example 20-6 shows the complete configuration for the HQ-PIX.

Example 20-6. HQ PIX Firewall Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security80
nameif ethernet3 failover security90
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HQ-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list acl-out permit tcp any host 192.168.1.4 eq smtp
access-list acl-out permit tcp any host 192.168.1.5 eq www
access-list acl-out permit tcp any host 192.168.1.6 eq ftp
!--- Traffic to HOU-PIX:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
!--- Traffic to MN-PIX:
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- Do not Network Address Translate (NAT) traffic to other branches:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
logging host DMZ 172.16.31.7
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip address failover 1.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 192.168.1.3
failover ip address inside 10.10.10.2
failover ip address DMZ 172.16.31.2
arp timeout 14400
global (outside) 1 192.168.1.12-192.168.1.150 netmask 255.255.255.0
global (outside) 1 192.168.1.152 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
!--- Do not NAT traffic to other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server TACACS+ (inside) host 10.10.10.7 tacpass
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to HOU-PIX (peer 192.168.3.2); the Houston selectors are in ACL 130:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 130
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 20 set transform-set myset
!--- Traffic to MN-PIX (peer 192.168.2.2); the Minneapolis selectors are in ACL 120:
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 120
crypto map Dukem-Map 30 set peer 192.168.2.2
crypto map Dukem-Map 30 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.3.2 netmask 255.255.255.255
isakmp key ******** address 192.168.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:fb446986bcad922ec40de6346e9e2729
: end

Configuring the Houston PIX Firewall, HOU-PIX, for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on HOU-PIX at the Houston remote site:
Example 20-7 shows the Houston PIX configuration.

Example 20-7. Houston PIX Firewall Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname HOU-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.3.2 255.255.255.0
ip address inside 10.30.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.3.12-192.168.3.250 netmask 255.255.255.0
global (outside) 1 192.168.3.252 netmask 255.255.255.0
nat (inside) 1 10.30.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f

Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN Tunneling

Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN characteristics at each of the remote sites. The following steps outline the commands necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
Example 20-8 shows the configuration for the Minneapolis PIX Firewall.

Example 20-8. Minneapolis PIX Firewall Configuration

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KPPU encrypted
hostname MN-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!--- Traffic to Reston HQ:
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap 6
no logging history
logging facility 20
logging queue 512
logging host outside 192.168.1.8
interface ethernet0 100full
interface ethernet1 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.20.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.2.12-192.168.2.250 netmask 255.255.255.0
global (outside) 1 192.168.2.252 netmask 255.255.255.0
nat (inside) 1 10.20.10.0 255.255.255.0
!--- Do not NAT traffic to Reston HQ:
nat (inside) 0 access-list VPN
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip-media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:d962d33d245ad89fb7c9b4f0db3c2dc0

Verifying and Troubleshooting

After you configure the PIX for VPNs, the next step is to verify the configuration. The show, clear, and debug commands are used to verify and troubleshoot your configuration.

show Commands
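An offline review of the peer configurations complements the show and debug commands. The following Python script is an added example, not code from the book or from the PIX software: it reads the access-list, crypto map and nat 0 statements of two peers (constructed excerpts of Examples 20-6 and 20-7 are embedded) and reports a crypto map entry whose match-address selectors do not mirror the peer's crypto ACL, or are not exempted from NAT, the two mistakes that silently break a tunnel when one crypto map carries entries for several branches.

```python
import re
from collections import defaultdict

ACL = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
MAP = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")
NAT0 = re.compile(r"nat \(\S+\) 0 access-list (\S+)")

def parse(config):
    """Return (ACL selectors, crypto-map entries, name of the nat 0 ACL)."""
    acls, maps, nat0 = defaultdict(set), defaultdict(dict), None
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL.match(line):
            acls[m[1]].add(((m[2], m[3]), (m[4], m[5])))  # (src, dst) selector
        elif m := MAP.match(line):
            maps[m[1]][m[2]] = m[3]  # seq -> {"match address": ..., "set peer": ...}
        elif m := NAT0.match(line):
            nat0 = m[1]
    return acls, maps, nat0

def find_problems(local_cfg, local_ip, remote_cfg, remote_ip):
    """List inconsistencies in the tunnel between local_ip and remote_ip."""
    lacl, lmap, lnat0 = parse(local_cfg)
    racl, rmap, _ = parse(remote_cfg)
    # Selectors the remote protects towards us, with src/dst swapped.
    mirror = {(d, s) for e in rmap.values() if e.get("set peer") == local_ip
              for s, d in racl[e.get("match address")]}
    problems = []
    for seq, e in lmap.items():
        if e.get("set peer") != remote_ip:
            continue
        mine = lacl[e.get("match address")]
        if mine != mirror:
            problems.append(f"map {seq}: crypto ACL does not mirror the peer's")
        if not mine <= lacl[lnat0]:
            problems.append(f"map {seq}: selectors not exempt from NAT by {lnat0}")
    return problems

# Constructed excerpts of HQ-PIX (Example 20-6) and HOU-PIX (Example 20-7).
HQ = """access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map Dukem-Map 20 match address 130
crypto map Dukem-Map 20 set peer 192.168.3.2"""
HOU = """access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2"""

if __name__ == "__main__":
    print(find_problems(HQ, "192.168.1.2", HOU, "192.168.3.2"))
```

Pointing map 20 at ACL 120 (the Minneapolis selectors) instead of ACL 130 produces both findings at once, because ACL VPN on HQ-PIX does not exempt Houston-bound traffic that is addressed to the Minneapolis subnet either.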
Debug Commands

If you have problems establishing any of the VPN tunnels, use the following commands for troubleshooting: