Technical Document. Creating a VPN. GTA Firewall to Cisco PIX 501 TDVPNPIX200605-01




Contents

Introduction
    Encryption and Authentication Methods
    IP Addresses Used in Examples
    Documentation
    Additional Documentation
GTA Firewall Configuration
    Configuring the Encryption Object
    Configuring the VPN Object
    Configuring the IPSec Tunnel
Cisco PIX Configuration

Introduction

This document is written for the firewall administrator who has both a GTA firewall and a Cisco PIX 501 operating on a network that requires a VPN (Virtual Private Network) utilizing both firewalls. Documentation was developed using a GTA firewall running GB-OS 4.0 and a Cisco PIX 501 running firmware version 6.1(1). This document is written under the assumption that the reader has a strong working knowledge of TCP/IP, GB-OS and Cisco firewall administration.

Note: The example configuration in this document assumes both firewalls have static IP addresses.

Encryption and Authentication Methods

The following methods of encryption and authentication are supported for this configuration:

Table 1.1: Supported Encryption and Authentication Methods
    Supported Encryption: DES or 3DES
    Supported Authentication: SHA1 or MD5
    Supported Key Groups: Diffie-Hellman Group 1 or 2

IP Addresses Used in Examples

The following IP addresses are used as examples in this document:

Table 1.2: IP Addresses Used in Examples
    GTA Firewall
        External: 199.120.255.78
        Protected Network: 192.168.71.0/24
    Cisco PIX 501
        External: 199.120.225.77
        Protected Network: 192.168.70.0/24

Documentation

A few conventions are used in this document to help you recognize specific elements of the text. If you are viewing this guide in PDF format, color variations may also be used to emphasize notes, warnings and new sections.

    Bold Italics: Emphasis
    Italics: Publications
    Blue Underline: Clickable hyperlink (email address, web site or in-pdf link)
    Small Caps: On-screen field names
    Monospace Font: On-screen text
    Condensed Bold: On-screen menus, menu items
    Bold Small Caps: On-screen buttons, links

Additional Documentation

For instructions on installation, registration and setup of your GTA firewall, see the GB-OS User's Guide. For VPN setup and example configurations, see the VPN Option Guide. For optional features, see the appropriate feature guide. Manuals and other documentation can be found on the GTA website (www.gta.com). Documents on the website are either in plain text (*.txt) or Portable Document Format (*.pdf), which requires Adobe Acrobat. A free copy of the program can be obtained from www.adobe.com.


GTA Firewall Configuration

To configure your GTA firewall, log into the Web interface using an administrative account and follow the instructions below to set up a GTA firewall to Cisco PIX 501 VPN. Configuring the GTA firewall requires the completion of the following steps:

1. Configuring the Encryption Object
2. Configuring the VPN Object
3. Configuring the IPSec Tunnel

Note: GTA recommends that the NTP service be enabled on any GTA firewall using a VPN.

Configuring the Encryption Object

To configure the encryption object, navigate to Configuration>System>Object Editor>Encryption Objects and click the New icon. Doing so will display the Edit Encryption Object screen. Enter the following settings to define the encryption object to be used by the VPN.

Figure 2.1: Creating the Encryption Object

Table 2.1: Configuring the Encryption Object
    Disable: Unchecked
    Name: Cisco Encryption
    Description: Encryption object for GTA firewall to Cisco PIX VPN
    Encryption Method: <DES>
    Hash Algorithm: <HMAC-MD5>
    Key Group: <Diffie-Hellman Group 1 (768 bits)>

Click OK to return to the Encryption Objects screen and click the Save icon to save the new encryption object to the GTA firewall's configuration. Next, the VPN object must be configured.

Configuring the VPN Object

To configure the VPN object to be used by the connection, navigate to Configuration>System>Object Editor>VPN Objects and click the New icon. Doing so will display the Edit VPN Object screen.

Figure 2.2: Configuring the VPN Object

Table 2.2: Configuring the VPN Object
    Disable: Unchecked
    Name: Cisco VPN Object
    Description: VPN Object used in the GTA firewall to Cisco VPN
    Phase I
        Exchange Mode: <Main>
        Encryption Object: <Cisco Encryption> (as defined in Configuring the Encryption Object)
        Advanced
            Force Mobile Protocol: Unchecked
            Force NAT-T Protocol: Unchecked
            Lifetime: 90 minutes
            DPD Interval: 30 seconds
    Phase II
        Encryption Object: <Cisco Encryption> (as defined in Configuring the Encryption Object)
        Advanced
            Lifetime: 60 minutes

Click OK to return to the VPN Objects screen and click the Save icon to save the new VPN object to the GTA firewall's configuration. Next, the IPSec tunnel must be configured.

Configuring the IPSec Tunnel

To configure the IPSec tunnel, which will use the encryption and VPN objects configured above, navigate to Configuration>VPN>IPSec Tunnels and click the New icon. Doing so will display the Edit IPSec Tunnel screen.

Figure 2.3: Configuring the IPSec Tunnel

Table 2.3: Configuring the IPSec Tunnel
    Disable: Unchecked
    Description: GTA firewall to Cisco PIX 501 VPN
    IPSec Mode: <IKE>
    VPN Object: <Cisco VPN Object> (as defined in Configuring the VPN Object)
    Pre-shared Secret: adcdef123456 (the pre-shared secret must match on the Cisco PIX 501)
    Local
        Gateway: <External> (the external network's logical interface)
        Network: <Protected Networks> (the protected network's logical interface)
        Advanced, Identity: <IP Address>
    Remote
        Gateway: 199.120.225.77 (the IP address of the Cisco PIX 501's external interface, the remote gateway)
        Network: <USER DEFINED>, 192.168.70.0/24 (the Cisco PIX 501's protected network)
        Advanced, Identity: <IP Address>

Click OK to return to the IPSec Tunnels screen. Under the Advanced tab, ensure that the Automatic Policies checkbox is enabled. With automatic policies enabled, the GTA firewall generates the VPN policies needed to allow traffic between the GTA firewall and the Cisco PIX 501.

Figure 2.4: Enabling Automatic Policies

Click the Save button to apply the VPN configuration to your GTA firewall. Next, the Cisco PIX 501 must be configured.

Cisco PIX Configuration

To configure your Cisco PIX 501, you will need to use the firewall's command line interface. You can use SSH, telnet or the Command Line Interface tool in the Cisco PIX Device Manager (PDM).

Note: For more information on configuring your Cisco firewall, consult Cisco's documentation.

In the following example from the Cisco PIX command line interface, lines that begin with an exclamation point (!) are comments and are not executed.

! Add an access list to pass traffic from the local (PIX) protected network to the remote (GTA) protected network
access-list 160 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
! Disable NAT for connections bound for the remote network
nat (inside) 0 access-list 160
! Tell the PIX to permit IPsec traffic without checking it against the interface access lists
sysopt connection permit-ipsec
! Phase II transform set: DES encryption with HMAC-MD5 authentication, matching the GTA encryption object
crypto ipsec transform-set gb-set esp-des esp-md5-hmac
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
! Set the VPN peer to the address of the external interface of the GTA firewall
! (this must be the same address the isakmp key below is bound to)
crypto map gb-map 1 set peer 199.120.225.76
crypto map gb-map 1 set transform-set gb-set
! Set the Phase II lifetime to a maximum of 3600 seconds (the 60-minute Phase II lifetime of the GTA VPN object)
crypto map gb-map 1 set security-association lifetime seconds 3600
crypto map gb-map interface outside
isakmp enable outside
! Set the pre-shared key for the VPN; it must match the pre-shared secret entered on the GTA firewall
isakmp key abcdef123456 address 199.120.225.78 netmask 255.255.255.255
isakmp identity address
! Phase I (ISAKMP) policy: encryption, hash and Diffie-Hellman group must match the GTA encryption object
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
! 5400 seconds = the 90-minute Phase I lifetime of the GTA VPN object
isakmp policy 1 lifetime 5400
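Every value the two sides negotiate (peer and key addresses, pre-shared secret, Phase I encryption, hash, Diffie-Hellman group and lifetime, Phase II transform and lifetime, and the traffic selector) has to agree between the GTA objects of Tables 2.1 to 2.3 and the PIX commands above, and a mismatch in any one of them leaves the tunnel down with little to go on. The following Python script is an added example, not GTA or Cisco code: it parses the PIX command lines and compares them with the GTA-side values transcribed from Tables 1.2 and 2.1 to 2.3, with the GTA lifetimes converted to seconds (90 minutes = 5400, 60 minutes = 3600). Run against the values exactly as this document prints them, it reports that the PIX peer address, the isakmp key address and the GTA external address are three different values, that the pre-shared secrets differ, and that the PIX uses Diffie-Hellman group 2 where the GTA encryption object selects Group 1; those are the differences to reconcile before the tunnel is brought up.

```python
"""Cross-check the IKE/IPsec parameters that must agree between the GTA firewall
objects (Tables 1.2, 2.1 to 2.3) and the Cisco PIX snippet in this document.
Added example; not GTA or Cisco code.  GTA values and PIX lines are as printed."""
import re
GTA_SIDE = {
    "external": "199.120.255.78",         # Table 1.2, GTA firewall External
    "protected": "192.168.71.0/24",       # Table 1.2, GTA Protected Network
    "remote_network": "192.168.70.0/24",  # Table 2.3, Remote Gateway Network
    "psk": "adcdef123456",                # Table 2.3, Pre-shared Secret
    "p1_encryption": "des",               # Table 2.1, Encryption Method
    "p1_hash": "md5",                     # Table 2.1, Hash Algorithm HMAC-MD5
    "p1_dh_group": "1",                   # Table 2.1, Diffie-Hellman Group 1
    "p1_lifetime_s": 90 * 60,             # Table 2.2, Phase I Lifetime
    "p2_encryption": "des", "p2_hash": "md5",  # Table 2.2, same object for Phase II
    "p2_lifetime_s": 60 * 60,             # Table 2.2, Phase II Lifetime
}

PIX_CONFIG = """\
access-list 160 permit ip 192.168.70.0 255.255.255.0 192.168.71.0 255.255.255.0
nat (inside) 0 access-list 160
sysopt connection permit-ipsec
crypto ipsec transform-set gb-set esp-des esp-md5-hmac
crypto map gb-map 1 ipsec-isakmp
crypto map gb-map 1 match address 160
crypto map gb-map 1 set peer 199.120.225.76
crypto map gb-map 1 set transform-set gb-set
crypto map gb-map 1 set security-association lifetime seconds 3600
crypto map gb-map interface outside
isakmp enable outside
isakmp key abcdef123456 address 199.120.225.78 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 5400
"""

_PATTERNS = [  # (kind, regex) for the lines that carry negotiated parameters
    ("acl", r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)"),
    ("transform", r"crypto ipsec transform-set (\S+) (.+)"),
    ("peer", r"crypto map \S+ \d+ set peer (\S+)"),
    ("map_transform", r"crypto map \S+ \d+ set transform-set (\S+)"),
    ("sa_lifetime", r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)"),
    ("match", r"crypto map \S+ \d+ match address (\S+)"),
    ("key", r"isakmp key (\S+) address (\S+) netmask (\S+)"),
    ("policy", r"isakmp policy \d+ (authentication|encryption|hash|group|lifetime) (\S+)"),
]

def to_cidr(net, mask):  # "192.168.70.0", "255.255.255.0" -> "192.168.70.0/24"
    return f"{net}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def parse_pix(text):  # returns the VPN parameters of the snippet; '!' lines are comments
    pix = {"acls": {}, "transform_sets": {}, "policy": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        for kind, pattern in _PATTERNS:
            m = re.fullmatch(pattern, line)
            if not m:
                continue
            g = m.groups()
            if kind == "acl":        # (local network, remote network)
                pix["acls"][g[0]] = (to_cidr(g[1], g[2]), to_cidr(g[3], g[4]))
            elif kind == "transform":
                pix["transform_sets"][g[0]] = g[1].split()
            elif kind == "key":
                pix["psk"], pix["key_address"] = g[0], g[1]
            elif kind == "policy":
                pix["policy"][g[0]] = g[1]
            else:                    # peer, map_transform, sa_lifetime, match
                pix[kind] = g[0]
            break
    return pix

def cross_check(gta, pix):
    """Return (check, detail) for every parameter the two sides disagree on."""
    pol = pix["policy"]
    transforms = pix["transform_sets"].get(pix.get("map_transform"), [])
    acl = pix["acls"].get(pix.get("match"))
    checks = [  # (name, value on the PIX, value the GTA side requires)
        ("peer_address", pix.get("peer"), gta["external"]),
        ("key_address", pix.get("key_address"), gta["external"]),
        ("peer_vs_key", pix.get("peer"), pix.get("key_address")),
        ("psk", pix.get("psk"), gta["psk"]),
        ("p1_encryption", pol.get("encryption"), gta["p1_encryption"]),
        ("p1_hash", pol.get("hash"), gta["p1_hash"]),
        ("p1_dh_group", pol.get("group"), gta["p1_dh_group"]),
        ("p1_lifetime", pol.get("lifetime"), str(gta["p1_lifetime_s"])),
        ("p2_transform", transforms, [f"esp-{gta['p2_encryption']}", f"esp-{gta['p2_hash']}-hmac"]),
        ("p2_lifetime", pix.get("sa_lifetime"), str(gta["p2_lifetime_s"])),
        ("traffic_selector", acl, (gta["remote_network"], gta["protected"])),
    ]
    return [(n, "secrets differ (values not shown)" if n == "psk" else f"PIX {a!r} vs GTA {e!r}")
            for n, a, e in checks if a != e]

def check_document_values():  # the cross-check on the values exactly as printed
    return cross_check(GTA_SIDE, parse_pix(PIX_CONFIG))
```

The traffic selector is checked in the direction the PIX sees it: the access list's source network must be the PIX protected network that the GTA tunnel lists as its Remote Network, and its destination the GTA protected network. The pre-shared secret is compared but never printed, so the script can be run from a change-review pipeline without leaking it into logs.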

The Cisco PDM does not support the nat (inside) 0 access-list command, and the following dialog box will appear. This behavior is expected; click Yes to continue.

Figure 3.1: Cisco PIX Response to Unsupported Command

Your GTA firewall to Cisco PIX 501 VPN is now complete. You can test the VPN's functionality by pinging from a host on one protected network to a host on the other protected network.

Copyright 1996-2006, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support

GTA includes 30 days up and running installation support from the date of purchase. See GTA's web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone and email address below. International customers should contact a local GTA authorized channel partner. Tel: +1.407.380.0220 Email: support@gta.com

Disclaimer

Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights

GNAT Box, GB Commander and Surf Sentinel are registered trademarks of Global Technology Associates, Incorporated. GB-OS, RoBoX, GB-Ware and Firewall Control Center are trademarks of Global Technology Associates, Incorporated. Global Technology Associates and GTA are registered service marks of Global Technology Associates, Incorporated. The GTA Mobile VPN Client is licensed from TheGreenBow. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/. SurfControl is a registered trademark of SurfControl plc. Some products contain technology licensed from SurfControl plc. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). Kaspersky Lab and Kaspersky Anti-Virus are licensed from Kaspersky Lab Int. Some products contain technology licensed from Kaspersky Lab Int. Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, FL 32817 USA
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Web: http://www.gta.com
Email: info@gta.com