Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

This document describes how to configure an IPSec tunnel with a WatchGuard Firebox II or Firebox III (software version 4.5 or later) at one end and a Cisco PIX 520 (software version 5.2.1) at the other. The original document shows the machines and addresses in a diagram that is not reproduced here; the addresses used throughout the examples are:

Firebox external (public) interface: 208.152.24.104
Private network behind the Firebox: 192.168.3.0/24
PIX outside interface: 208.152.24.103
PIX inside interface: 10.10.10.20, private network behind the PIX: 10.10.10.0/24

The examples used in this document are taken from this set-up.

Configuring Firebox II for an IPSec Tunnel to a Cisco PIX 520

This procedure describes how to configure a WatchGuard Firebox II, II Plus or II FastVPN to create an IPSec Virtual Private Network (VPN) with a Cisco PIX 520 at the other end of the tunnel.

NOTE In the following documentation, Firebox is used to refer to the Firebox II or Firebox III family of WatchGuard firewalls.

To configure the Firebox for an IPSec tunnel, use the WatchGuard Policy Manager to configure the IPSec gateway, the tunnel and the routing policy, and then enable the associated service. For more information about configuring a Firebox for an IPSec VPN tunnel, consult the WatchGuard LiveSecurity System User Guide.

Setting Up the Gateway

You must first define the Cisco PIX 520 as a remote gateway. From the WatchGuard Policy Manager:

1 Select Network => Branch Office VPN => IPSec. The IPSec Configuration dialog box appears.
2 Click Gateways. Click Add. The IPSec Gateway dialog box appears.
3 Enter the gateway information as described below:

Name
The name used to identify this gateway.

Key Negotiation Type
Select isakmp (dynamic).

Remote Gateway IP
The external IP address of the remote device that the Firebox negotiates with when creating the IPSec tunnel. In this case, the outside interface of the PIX 520 (208.152.24.103 in the example).

Shared Key
Similar to a password, this value authenticates the two ends of the tunnel to each other. It must be identical on both sides, so it must match the isakmp key you later configure on the PIX. Use a long, random value: with pre-shared-key authentication a guessable key is the weakest point of the tunnel.

4 When you finish adding gateways, click OK. The Configure Gateways dialog box appears displaying the new gateway.
5 Click Tunnels to continue with Setting up the Tunnel (see below).

WatchGuard SOHO with VPN Manager 2.1

Setting up the Tunnel

A tunnel encapsulates packets between two gateways. It specifies the encapsulation type, the authentication and encryption algorithms, and the key lifetime. A tunnel also has endpoints: the public, external addresses of the two devices. The following describes how to configure a tunnel using a gateway with the isakmp (dynamic) key negotiation type, which is required for a tunnel between a Firebox and a Cisco PIX 520. From the IPSec Configuration dialog box:

1 Click Tunnels. The Configure Tunnels dialog box appears.

IPSec Tunnel Configuration

2 To add a new tunnel, click Add. The Select Gateway dialog box appears.
3 Click the gateway that you created in Setting Up the Gateway. Click OK. The Configure Tunnel dialog box appears.
4 Enter a tunnel name. The Policy Manager uses the tunnel name as an identifier (the example uses cisco_pix).
5 Click the Dynamic Security tab.
6 Enter the following information:

Type
Select ESP (Encapsulating Security Payload). This must match the transform type in the Security Association proposal on the PIX (the esp- transforms).

Authentication
Select SHA1-HMAC (a 160-bit algorithm). This must match the authentication transform on the PIX (esp-sha-hmac).

Encryption
Select 3DES-CBC (168-bit). This must match the encryption transform on the PIX (esp-3des).

7 To have a new key generated periodically, check the box labelled Force Key Expiration. With this option, transparently to the user, the isakmp controller generates and negotiates a new key whenever the limit is reached. If you enable Force Key Expiration, set the number of kilobytes transferred or hours passed before a new key is generated; enter 0 (zero) for no expiration. Whatever you set here must be mirrored by the security-association lifetime configured on the PIX.
8 Click OK. The Configure Tunnels dialog box appears displaying the newly created tunnel.
9 After you add all tunnels for this gateway, click OK. The Configure Gateways dialog box appears.

Creating an IPSec Policy

Policies are sets of rules, much like static routes, that define which traffic is routed through the tunnel. Policies are defined by their endpoints. These are not the same as tunnel or gateway endpoints; they are the specific hosts, networks, or both behind the two IPSec devices (for our purposes, the Firebox and the Cisco PIX 520) that communicate through the tunnel.

NOTE You can configure an IPSec VPN tunnel to securely allow two computers to talk to each other (if you specify by host), or to securely allow two networks to talk to each other (if you specify by network).

From the IPSec Configuration dialog box:

1 Click Add. The Edit Routing Policy dialog box appears.
2 Enter the following information:

Local Host or Network
You can create a policy for a single host or an entire network behind the local device. Following our example, select Network and enter the network address of the private, internal network behind the Firebox, 192.168.3.0/24.

Remote Host or Network
You can create a policy for a single host or an entire network behind the remote device. Following our example, select Network and enter the network address of the private, internal network behind the PIX, 10.10.10.0/24.

Disposition
This determines how the Firebox handles traffic travelling between the policy endpoints. Select secure.

Tunnel
Choose the tunnel to use between these networks. Following our example, select cisco_pix.

3 Click OK. The IPSec Configuration dialog box appears listing the newly created policy. Policies are initially listed in the order in which they were created.
4 Click OK again to close the IPSec Configuration dialog box.

Creating Services

The last step defines which services are allowed through this tunnel. Users behind the Cisco PIX 520 are outside the trusted Firebox network; you must therefore configure the Firebox specifically to allow traffic through the VPN connection. A quick method is to create a host alias that corresponds to the remote VPN hosts, networks, or both. Either use this alias or individually enter the IP addresses when configuring the properties for the service or services you wish to allow. For more information on creating an alias, consult the WatchGuard LiveSecurity System User Guide.

You can modify your Firebox security policy to allow the VPN traffic on a service-by-service basis. The easiest method, used below, is to create an Any service, which allows all traffic over any port between the two networks. That is convenient for bringing the tunnel up and testing it; once traffic is confirmed, replace it with services for the protocols the remote site actually needs, since an Any rule extends the remote network's full reach into yours. From the Policy Manager:

1 Select Edit => Add Service.
2 Expand Packet Filters.
3 Select the Any service. Click Add. The Add Service dialog box appears.
4 Click OK. The service's Properties dialog box appears.
5 At the Incoming tab, select Enabled and Allowed from the drop list.
6 Under From, click Add.
7 Click Add Other. The Add Member dialog box appears.
8 At the Choose Type drop list, select Network IP Address and enter the address of the private, internal network behind the PIX. Following our example, 10.10.10.0/24.
9 Click OK.
10 Click OK. The service's Properties dialog box reappears. It should display the address you entered in the From portion of the dialog box.
11 Under To, click Add.
12 Click Add Other. The Add Member dialog box appears.
13 At the Choose Type drop list, select Network IP Address and enter the address of the private, internal network behind the Firebox. Following our example, 192.168.3.0/24.
14 Click OK.
15 Click OK. The service's Properties dialog box reappears. It should display the address you entered in the To portion of the dialog box as well as the From address you entered earlier.
16 Click the Outgoing tab. Select Enabled and Allowed from the drop list.
17 Under From, click Add.
18 Click Add Other. The Add Member dialog box appears.
19 At the Choose Type drop list, select Network IP Address and enter the address of the private, internal network behind the Firebox. Following our example, 192.168.3.0/24.
20 Click OK.
21 Click OK. The service's Properties dialog box reappears. It should display the address you entered in the From portion of the dialog box.
22 Under To, click Add.
23 Click Add Other. The Add Member dialog box appears.
24 At the Choose Type drop list, select Network IP Address and enter the address of the private, internal network behind the PIX. Following our example, 10.10.10.0/24.
25 Click OK.
26 Click OK. The service's Properties dialog box reappears. It should display the address you entered in the To portion of the dialog box as well as the From address you entered earlier.
27 Click OK to close the Any Properties dialog box. Click Close to close the Add Service dialog box.

Saving the Configuration to the Firebox

Finally, save the changes made to the configuration file to the Firebox.

1 Select File => Save => To Firebox.
2 Use the Firebox drop list to select the Firebox.
3 Enter the configuration (read/write) passphrase. Click OK.

The configuration file is saved first to the local hard drive and then to the primary area of the Firebox flash disk. You are prompted to reboot the Firebox. The new Firebox configuration is not enabled until the Firebox is rebooted.

Configuring the Cisco PIX 520 for an IPSec Tunnel with a Firebox

This section describes how to configure the Cisco PIX 520 for a tunnel that has a WatchGuard Firebox at the other end. To create an IPSec tunnel between the Firebox and the Cisco PIX 520, you need to add the following:

Access Lists
These are similar to the IPSec routing policies used by WatchGuard products. They define on the PIX which networks communicate through the tunnel. Specifically, you define a rule that allows traffic between the private, internal network behind the Firebox and the private, internal network behind the PIX.

Crypto Information
This defines the parameters of both Phase 1 and Phase 2 of the IPSec negotiation, including which encryption to use, the pre-shared key and the key lifetimes.

Traffic permissions
You need to instruct the PIX to permit traffic arriving from the IPSec tunnel through to the internal, local network. If your PIX is also performing NAT, traffic for the tunnel must be exempted from translation; otherwise packets leave with translated source addresses, never match the crypto access list, and are sent out in the clear or dropped instead of being tunnelled.

Defining Access Lists

Add the following to your Cisco PIX configuration:

access-list 101 permit ip [network behind PIX] [netmask] [network behind Firebox] [netmask]
access-list 101 permit ip [network behind Firebox] [netmask] [network behind PIX] [netmask]

These lines instruct the PIX to allow traffic between the two private, internal networks protected by the Firebox and the PIX.

NOTE The numeric identifier in the example above, 101, is arbitrary and merely identifies the list on the PIX.

NOTE The PIX evaluates a crypto access list from its own point of view: the source is the local network behind the PIX and the destination is the remote network behind the Firebox, and the PIX derives the mirror image for inbound (decrypted) traffic itself. Only the first line is therefore needed by the crypto map; the sample configuration later in this document keeps both lines because the same list is reused for NAT exemption. The Firebox routing policy must be the mirror image of this list: local 192.168.3.0/24, remote 10.10.10.0/24.

Defining Crypto Information

There are two sections to configure for actual data encryption, Phase 1 and Phase 2.

NOTE The Firebox settings for Phase 1 negotiation are DES, SHA1 and Diffie-Hellman group 1. These settings cannot be changed. It is therefore critical that the PIX 520 is configured to use DES, SHA1 and Diffie-Hellman group 1 for this phase of the negotiation. DES and Diffie-Hellman group 1 (768-bit MODP) are weak by current standards; this is a limitation of the Firebox 4.x firmware, not a recommendation.

Add the following to your Cisco PIX configuration for Phase 1 negotiation:

isakmp enable [interface name]
isakmp key [pre-shared key] address [remote IP address] netmask [netmask]
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

NOTE The numeric identifier in the example above, 20, is arbitrary and merely gives the policy a priority on the PIX.

1 The first line enables ISAKMP on an interface of the PIX. In our example, outside.
2 The second line sets the pre-shared key and binds it to the peer, that is, the external, public IP of the Firebox. Use netmask 255.255.255.255 so the key applies to that single peer only. (The characters entered as the pre-shared key are shown as * when the configuration is later displayed.)
3 The third line specifies that IP addresses are used as identities in negotiations between peers.
4 The fourth line specifies that pre-shared keys are used for authentication in Phase 1.
5 The fifth line sets the encryption for Phase 1. This must match the Firebox Phase 1 settings, therefore it must be des.
6 The sixth line sets the hash for Phase 1. This must match the Firebox Phase 1 settings, therefore it must be sha.
7 The seventh line determines which Diffie-Hellman group is used. This must match the Firebox, therefore it must be group 1.
8 The eighth line sets the lifetime of the Phase 1 (ISAKMP) security association in seconds, after which it is renegotiated. 86400 seconds (24 hours) is the default value of the Firebox.

Add the following to your Cisco PIX configuration for Phase 2 negotiation:

crypto ipsec transform-set [transform name] [encryption] [hash]
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address [access list]
crypto map testmap 10 set peer [peer IP address]
crypto map testmap 10 set transform-set [transform name]
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8192
crypto map testmap interface [interface name]

NOTE The identifier in the example above, testmap, is arbitrary and merely names the crypto map on the PIX; 10 is the sequence number of this entry within the map.

1 The first line defines a name and the encryption and hash transforms used during Phase 2 negotiation. These must match the Firebox Phase 2 settings (ESP, 3DES-CBC, SHA1-HMAC). For example, crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac.
2 The second line defines how the Security Association (SA) is created: ipsec-isakmp means the keys are negotiated dynamically with ISAKMP, which is what the Firebox's isakmp (dynamic) gateway expects.
3 The third line defines which traffic is passed via the tunnel. For example, the traffic matched by access list 101 created earlier: crypto map testmap 10 match address 101.
4 The fourth line tells the PIX which peer to negotiate this tunnel with. This is the external interface of the Firebox. For example, crypto map testmap 10 set peer 208.152.24.104.
5 The fifth line selects the Phase 2 transform set to use. For example, the one defined earlier, pixtransform.
6 The sixth line instructs the PIX to renegotiate the keys every hour (3600 seconds) and every 8 MB (8192 kilobytes). These are the Firebox's Force Key Expiration defaults; if you changed them on the Firebox, change them here to match.
7 The seventh line associates all of the above crypto information with an interface on the PIX, for example outside. All traffic leaving the outside interface is then matched against the crypto map, and any traffic matching the access list is encrypted and passed via the IPSec tunnel.
8 Save these additions to your PIX configuration (write memory).

Permitting traffic through the IPSec tunnel

Add the following to your Cisco PIX configuration to permit traffic arriving from the IPSec tunnel through the PIX and into your local network:

sysopt connection permit-ipsec

This bypasses the interface access lists for all traffic that arrives through an IPSec tunnel. If you prefer to keep explicit control, omit it and instead permit the remote network with an access list applied inbound on the outside interface, as the sample configuration below does with access list 102.

If you are using NAT on your PIX, you MUST create a rule that exempts traffic using the IPSec tunnel from translation. Add the following to your Cisco PIX configuration, naming the inside interface and the access list that describes the tunnel traffic:
nat (inside) 0 access-list 101

The following is an example of the PIX configuration file with the Firebox IPSec tunnel additions. Note three things about it before copying it:

- It uses nat (inside) 0 0.0.0.0 0.0.0.0, which disables translation for every inside host, rather than the access-list form above. That works in this lab but exposes real inside addresses; on a PIX that does translate, use the access-list form.
- It permits the decrypted traffic with access list 102 applied inbound on the outside interface instead of sysopt connection permit-ipsec.
- The enable password and passwd hashes shown are the PIX factory defaults (an empty enable password and the Telnet password cisco), and the SNMP community is the default public. Change all three before the device faces the Internet.

The default route points at the Firebox's external address because the two firewalls share the 208.152.24.0/24 segment in this lab; in a real deployment it points at your Internet router.

PIX Version 5.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
no logging standby
no logging console
no logging monitor
logging buffered debugging
logging trap debugging
no logging history
logging facility 20
logging queue 512
logging host inside 10.10.10.21 6/1468
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 208.152.24.103 255.255.255.0
ip address inside 10.10.10.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 208.152.24.104 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
floodguard enable
no sysopt route dnat
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address 101
crypto map testmap 10 set peer 208.152.24.104
crypto map testmap 10 set transform-set pixtransform
crypto map testmap interface outside
isakmp enable outside
isakmp key ******** address 208.152.24.104 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 10.10.10.21 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
terminal width 80

Copyright and Patent Information

Copyright 1998-2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.

DocVer B-4.6 Firebox to Cisco PIX-1
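Every "this must match" in the Firebox tunnel procedure and in the PIX crypto section above is a place where a single mismatched value leaves the tunnel silently down. The following Python script is an added example, not part of the WatchGuard document and not a WatchGuard or Cisco tool: it restates the Firebox values entered in the Policy Manager steps (Phase 1 fixed at DES/SHA1/group 1 with a pre-shared key, Phase 2 ESP with 3DES-CBC and SHA1-HMAC, local 192.168.3.0/24, remote 10.10.10.0/24, peer 208.152.24.104), parses the tunnel-relevant statements out of a PIX 5.2 configuration, and reports where the PIX side fails to mirror the Firebox side or keeps a weak default in place. The embedded PIX_CONFIG is a constructed excerpt of the sample configuration above, with the NAT exemption written in its access-list form; the FAIL/WARN wording and the function names are this example's own.

```python
"""Cross-check a PIX 5.2 crypto configuration against the Firebox settings.
Added example, not WatchGuard or Cisco code: FIREBOX restates the Policy
Manager values from this page; PIX_CONFIG is a constructed excerpt of the
page's sample PIX configuration (nat 0 written in its access-list form)."""
import ipaddress
import re

IPNet = ipaddress.ip_network
FIREBOX = {
    "external_ip": "208.152.24.104",
    "phase1": {"authentication": "pre-share", "encryption": "des",
               "hash": "sha", "group": "1"},       # fixed on Firebox 4.x firmware
    "phase2": {"esp-3des", "esp-sha-hmac"},        # ESP, 3DES-CBC, SHA1-HMAC
    "local": IPNet("192.168.3.0/24"),              # network behind the Firebox
    "remote": IPNet("10.10.10.0/24"),              # network behind the PIX
}

PIX_CONFIG = """\
access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 102 permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 101
access-group 102 in interface outside
snmp-server community public
crypto ipsec transform-set pixtransform esp-3des esp-sha-hmac
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address 101
crypto map testmap 10 set peer 208.152.24.104
crypto map testmap 10 set transform-set pixtransform
crypto map testmap interface outside
isakmp enable outside
isakmp key ******** address 208.152.24.104 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""


def parse_pix(text):
    """Collect the statements that decide whether the tunnel comes up."""
    cfg = {"acl": {}, "policy": {}, "tset": {}, "map": {}, "raw": []}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        cfg["raw"].append(" ".join(w))
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            pair = (IPNet(f"{w[4]}/{w[5]}", strict=False), IPNet(f"{w[6]}/{w[7]}", strict=False))
            cfg["acl"].setdefault(w[1], []).append(pair)          # (source, destination)
        elif w[:2] == ["isakmp", "policy"]:
            cfg["policy"].setdefault(w[2], {})[w[3]] = w[4]       # Phase 1 proposal
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][w[3]] = set(w[4:])                        # Phase 2 transforms
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            key = " ".join(w[4:6]) if len(w) > 5 else w[4]        # "set peer", "match address", ...
            cfg["map"].setdefault((w[2], w[3]), {})[key] = w[6:]
    return cfg


def check_tunnel(cfg, fb=FIREBOX):
    """Return 'FAIL ...' / 'WARN ...' findings; no FAIL means the PIX mirrors the Firebox."""
    out, raw = [], cfg["raw"]
    if not any(all(p.get(k) == v for k, v in fb["phase1"].items())
               for p in cfg["policy"].values()):
        out.append("FAIL no isakmp policy offers the Firebox's fixed Phase 1 proposal")
    if not any(r.startswith("isakmp key ") and f" address {fb['external_ip']} " in r for r in raw):
        out.append("FAIL no pre-shared key bound to the Firebox external address")
    for (name, seq), e in cfg["map"].items():
        tag = f"crypto map {name} {seq}"
        if "ipsec-isakmp" not in e:
            out.append(f"FAIL {tag} is not ipsec-isakmp (dynamic keying is required)")
        if e.get("set peer", [None])[0] != fb["external_ip"]:
            out.append(f"FAIL {tag} peer is not the Firebox external address")
        if cfg["tset"].get(e.get("set transform-set", [None])[0]) != fb["phase2"]:
            out.append(f"FAIL {tag} transform-set does not match Firebox Phase 2")
        acl = cfg["acl"].get(e.get("match address", [None])[0], [])
        if (fb["remote"], fb["local"]) not in acl:       # crypto ACL is the PIX's own view
            out.append(f"FAIL {tag} crypto ACL must permit {fb['remote']} -> {fb['local']}")
        if (fb["local"], fb["remote"]) in acl:
            out.append(f"WARN {tag} crypto ACL also lists the reverse direction; the PIX mirrors it itself")
        if f"crypto map {name} interface outside" not in raw:
            out.append(f"FAIL crypto map {name} is not applied to the outside interface")
    exempt = [cfg["acl"].get(m.group(1), []) for m in
              (re.match(r"nat \(inside\) 0 access-list (\S+)$", r) for r in raw) if m]
    no_nat = any(r.startswith("nat (inside) 0 0.0.0.0 0.0.0.0") for r in raw)
    if not (no_nat or any((fb["remote"], fb["local"]) in a for a in exempt)):
        out.append("FAIL tunnel traffic is not exempted from NAT (nat (inside) 0 access-list ...)")
    inbound = [cfg["acl"].get(m.group(1), []) for m in
               (re.match(r"access-group (\S+) in interface outside$", r) for r in raw) if m]
    if not ("sysopt connection permit-ipsec" in raw
            or any((fb["local"], fb["remote"]) in a for a in inbound)):
        out.append("FAIL decrypted traffic from the Firebox network is not permitted inbound")
    if "snmp-server community public" in raw:
        out.append("WARN snmp-server community public is the well-known default; change or remove it")
    return out
```

Run as a script, `check_tunnel(parse_pix(PIX_CONFIG))` reports no FAIL for the page's configuration, one WARN for the reverse entry in the crypto access list and one for the default SNMP community; changing the isakmp encryption, the peer address, or removing the nat 0 line turns the corresponding check into a FAIL. Paste the output of the PIX's own show running-config into PIX_CONFIG to check a real device.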