
Re: Cisco PIX VPN question...

by Prabhu Gurumurthy

Dan Denton wrote:

>
> -----Original Message-----
> From: Dan Denton [mailto:ddenton@...]
> Sent: Monday, May 21, 2007 1:47 PM
> To: 'firewalls@...'
> Subject: Cisco PIX VPN question...
>
> Hello list...
>
> I have a PIX 506E and a PIX515E, each at a different location. Each firewall
> has a remote access VPN set up. I'd like to set up a point-to-point VPN
> connection between the two so users at one location won't have to use their
> VPN clients unless they're off site. Each firewall only has one outside and
> one inside interface. The 515E is running 7.0 and the 506E is running 6.3.
>
> Does anyone out there have experience on setting up the two vpn technologies
> simultaneously? I don't want to break the existing remote access vpn's.
>
> Dan Denton

Do you want to have remote access VPN users to traverse the tunnel too?

1. Define the ACL which needs to traverse the tunnel
    remember three things:
    a. the source must be local subnet/system
    b. uni-directional ACL is fine (although PIX will take bi-directional),
because PIX is smart enough to allow the corresponding return traffic to plumb
through
    c. If you have NAT enabled "enable NAT 0"

How:

    assumption: Local subnet is 192.168.137.0/24, remote is 172.25.45.0/24
                Local peer is 10.35.47.1 remote peer: 10.64.71.1

    Note: PIX takes subnet mask not wild card bits, anything in caps, means it
is user defined.

    Define object-groups, in this way it can be expanded to allow more subnets
to ride the tunnel.

    object-group network LOCAL_VPN_SUBNET
    network-object 192.168.137.0 255.255.255.0
    exit

    object-group network REMOTE_VPN_SUBNET
    network-object 172.25.45.0 255.255.255.0
    exit

    access-list VPN_ACL permit ip object-group LOCAL_VPN_SUBNET object-group REMOTE_VPN_SUBNET

    enabling nat 0:

    nat (inside) 0 access-list VPN_ACL

2. Define the ISAKMP policy; policy numbers are sequentially examined (1 - X)
and correct policies are accepted.
    This is called PHASE 1, the SA (security association) is called "phase 1 sa"

    Please remember the policy numbers are locally significant (it does not
bother the remote VPN concentrators)

How:

    define a name, in that way you don't need to remember the IP address

    name 10.64.71.1 REMOTE_VPN_PEER

    Remember, if you are on a pre-7.2 or 6.3 PIX OS version then this is the command set

    On PIX 6.3:
    isakmp key ******** address REMOTE_VPN_PEER netmask 255.255.255.255 no-xauth

    On both pre 7.2 and 6.3

    isakmp identity auto
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption aes-256
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 1800

    If you need IKE NAT-T, then enable
    isakmp nat-traversal 20

    After 7.2 PIX OS:

    crypto isakmp enable outside

    crypto isakmp policy 1
       authentication pre-share
       encryption aes-256
       hash sha
       group 2
       lifetime 1800

    If you need IKE NAT-T, then enable
    crypto isakmp nat-traversal 20

3. Define the transform set, this defines the encryption and optional
authentication to take place

How:

    crypto ipsec transform-set VPN_SET esp-aes-256 esp-sha-hmac

    encryption is AES using CBC, key length is 256
    authentication is SHA1

4. Define the crypto map; again, policy numbers are sequentially examined (1
- X) and the correct policies are accepted.
    Note: If you want Remote access VPN too, please define the Remote access
crypto map policy to be something really higher like 65535, because it has
caused problems for me, when two crypto transform and ISAKMP policies match but
the ACLs don't match, resulting in "IPSEC ERROR IN PHASE 2"

How:

    crypto map VPN_MAP 1 match address VPN_ACL
    crypto map VPN_MAP 1 set peer REMOTE_VPN_PEER
    crypto map VPN_MAP 1 set transform-set VPN_SET

    If you need PFS (Perfect Forward Secrecy) which is called DH group
    then use:
    crypto map VPN_MAP 1 set pfs group1

    options for group are:
    group1(768 bits), group2(1024 bits), group5(1536 bits)

    Note: PIX 525/535 and ASA may have group7(2048), but I am not sure.

5. Define the Group policy like Pre-shared keys: (this is only for 7.x)

How:
    Note: tunnel-group command does not take pre-defined names
    example: tunnel-group REMOTE_VPN_PEER type ipsec-l2l is invalid.

    tunnel-group 10.64.71.1 type ipsec-l2l
    tunnel-group 10.64.71.1 ipsec-attributes
    pre-shared-key TEST123

The other end is a mirror image of the same; in your example you are using PIX
both ways, so this will be easy.

If you have any questions let me know.

Hope this helps
Prabhu
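As an added example (not part of the post, and not Cisco's or the PIX's own tooling), the script below renders the 7.x-style site-to-site configuration for both ends from a single description, so the "mirror image" the post mentions is produced mechanically rather than retyped, and then lints each result for the pitfalls the post discusses: a crypto ACL that references an object-group that was never defined, a tunnel-group keyed by a name instead of the peer address, a crypto ACL with no nat 0 exemption, and a remote-access dynamic entry whose sequence number is not above the static L2L entries. Addresses, object names, the pre-shared key and the policy parameters are the ones the post assumes; the `crypto map VPN_MAP interface outside` binding line is an addition (the post does not list it), and the `extended` keyword is omitted to match the post. The phase 1 parameters (DH group 2, SHA-1) are reproduced as written; a new deployment today would pick stronger ones.

```python
"""Added example (not from the post or Cisco): build the mirror-image PIX 7.x
site-to-site configs for both ends from one description, then lint them for
the mistakes the post warns about.  Addresses and object names are the ones
the post assumes; the interface binding line is an assumption of this script."""
import re
from dataclasses import dataclass

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Site:
    outside_ip: str   # IKE peer address the other PIX talks to
    subnets: list     # [(network, mask), ...] that should ride the tunnel


def render_l2l(local: Site, remote: Site, psk: str, seq: int = 1) -> str:
    """Return the 7.x-style config for `local`, treating `remote` as the peer."""
    lines = []
    for grp, site in (("LOCAL_VPN_SUBNET", local), ("REMOTE_VPN_SUBNET", remote)):
        lines.append(f"object-group network {grp}")
        lines += [f" network-object {net} {mask}" for net, mask in site.subnets]
    lines += [
        # step 1: crypto ACL (source = local side) and the NAT 0 exemption
        "access-list VPN_ACL permit ip object-group LOCAL_VPN_SUBNET "
        "object-group REMOTE_VPN_SUBNET",
        "nat (inside) 0 access-list VPN_ACL",
        # step 2: phase 1 policy; the peer gets a name so it is not retyped
        f"name {remote.outside_ip} REMOTE_VPN_PEER",
        "crypto isakmp enable outside",
        "crypto isakmp policy 1",
        " authentication pre-share", " encryption aes-256", " hash sha",
        " group 2", " lifetime 1800",
        # step 3: phase 2 transform set
        "crypto ipsec transform-set VPN_SET esp-aes-256 esp-sha-hmac",
        # step 4: crypto map entry; binding it to the interface is assumed here
        f"crypto map VPN_MAP {seq} match address VPN_ACL",
        f"crypto map VPN_MAP {seq} set peer REMOTE_VPN_PEER",
        f"crypto map VPN_MAP {seq} set transform-set VPN_SET",
        "crypto map VPN_MAP interface outside",
        # step 5: tunnel-group must use the literal address, not the name
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"


def lint(cfg: str) -> list:
    """Return human-readable findings for the pitfalls discussed in the post."""
    findings = []
    groups = set(re.findall(r"^object-group network (\S+)", cfg, re.M))
    for line in re.findall(r"^access-list .*", cfg, re.M):
        for ref in re.findall(r"object-group (\S+)", line):
            if ref not in groups:
                findings.append(f"ACL references undefined object-group {ref}")
    for name in re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M):
        if not IPV4.match(name):
            findings.append(f"tunnel-group {name} must be the peer IP, not a name")
    exempt = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    static = re.findall(r"^crypto map (\S+) (\d+) match address (\S+)", cfg, re.M)
    for _map, _seq, acl in static:
        if acl not in exempt:
            findings.append(f"no 'nat 0' exemption for crypto ACL {acl}")
    dyn = re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic", cfg, re.M)
    for dmap, dseq in dyn:
        top = max((int(s) for m, s, _ in static if m == dmap), default=0)
        if int(dseq) <= top:
            findings.append(f"remote-access entry {dmap} {dseq} must sit above {top}")
    return findings


# Constructed sites using the addresses the post assumes.
SITE_A = Site("10.35.47.1", [("192.168.137.0", "255.255.255.0")])
SITE_B = Site("10.64.71.1", [("172.25.45.0", "255.255.255.0")])

if __name__ == "__main__":
    for local, remote in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        cfg = render_l2l(local, remote, "TEST123")
        print(f"--- config for PIX at {local.outside_ip} ---")
        print(cfg)
        print("findings:", lint(cfg) or "none")
```

Running it prints both configurations with no findings; feeding `lint()` the ACL line as it originally appeared in the post (referencing LOCAL_SUBNET and REMOTE_SUBNET while the object-groups are named LOCAL_VPN_SUBNET and REMOTE_VPN_SUBNET) reports the mismatch, which is exactly the kind of phase 2 failure the post describes.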
