Keying Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1



Similar documents
Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

Application Notes SL1000/SL500 VPN with Cisco PIX 501

Table of Contents. Cisco Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

2.0 HOW-TO GUIDELINES

How To Monitor Cisco Secure Pix Firewall Using Ipsec And Snmp Through A Pix Tunnel

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

Configuring the Cisco Secure PIX Firewall with a Single Intern

Internet. SonicWALL IP SEV IP IP IP Network Mask

Configuring the Cisco PIX Firewall for SSH by Brian Ford

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

IPSec interoperability between Palo Alto firewalls and Cisco ASA. Tech Note PAN-OS 4.1. Revision A 2011, Palo Alto Networks, Inc.

GregSowell.com. Mikrotik VPN

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

Lab Configure a PIX Firewall VPN

BONUS TUTORIAL CISCO ASA 5505 CONFIGURATION WRITTEN BY: HARRIS ANDREA ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET

PIX/ASA 7.x and above : Mail (SMTP) Server Access on Inside Network Configuration Example

LAN-Cell to Cisco Tunneling

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example

IPsec VPN Application Guide REV:

ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

LAN-Cell 3 to Cisco ASA 5500 VPN Example

Configuring Remote Access IPSec VPNs

REMOTE ACCESS VPN NETWORK DIAGRAM

ASA 8.X: Routing SSL VPN Traffic through Tunneled Default Gateway Configuration Example

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks


Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Vodafone MachineLink 3G. IPSec VPN Configuration Guide

Table of Contents. Cisco Configuring the PPPoE Client on a Cisco Secure PIX Firewall

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

SDM: Site to Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example

Technical Document. Creating a VPN. GTA Firewall to Cisco PIX 501 TDVPNPIX

Deploying IPSec VPN in the Enterprise

Packet Tracer Configuring VPNs (Optional)

Triple DES Encryption for IPSec

VPN Configuration Guide. Cisco ASA 5500 Series

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

IPSec tunnel APLICATION GUIDE

Katana Client to Linksys VPN Gateway

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Table of Contents. Cisco Configuring IPSec Cisco Secure VPN Client to Central Router Controlling Access

Cisco 1841 MyDigitalShield BYOG Integration Guide

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

ISG50 Application Note Version 1.0 June, 2011

Configuring the PIX Firewall with PDM

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

How To Industrial Networking

Industrial Classed H685 H820 Cellular Router User Manual for VPN setting

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

VPN SECURITY POLICIES

Securing Networks with PIX and ASA

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

VPN. VPN For BIPAC 741/743GE

C H A P T E R Management Cisco SAFE Reference Guide OL

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Understanding the Cisco VPN Client

Configuration Professional: Site to Site IPsec VPN Between Two IOS Routers Configuration Example

IP Office Technical Tip

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configuring L2TP over IPsec

Introduction to Security and PIX Firewall

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Module 6 Configure Remote Access VPN

Configure ISDN Backup and VPN Connection

Lab assignment #2 IPSec and VPN Tunnels (Document version 1.1)

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance

Virtual Private Network (VPN)

Lab a Configure Remote Access Using Cisco Easy VPN

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

IPSec Pass through via Gateway to Gateway VPN Connection

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Firewall Troubleshooting

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Using PIX Firewall in SOHO Networks

Lecture 17 - Network Security

Cisco ASA Configuration Guidance

Cisco SA 500 Series Security Appliance

Windows XP VPN Client Example

Most Common DMVPN Troubleshooting Solutions

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Transcription:

Prepared by SonicWALL, Inc. 09/20/2001 Introduction: VPN standards are still evolving and interoperability between products is a continued effort. SonicWALL has made progress in this area and is interoperable with Cisco PIX using IKE as shown below. Advanced setups are possible but are not covered in this document. This tech-note assumes the reader has a working knowledge of Cisco PIX management tools and SonicWALL appliance configuration. This tech-note describes the required steps to set-up a compatible Security Association on both Cisco PIX and SonicWALL products. Technical Notes: SonicWALL has tested VPN interoperability with Cisco PIX 506 version 5.1(3) and SonicWALL Pro 6.0.1.1 using the following VPN Security Association information: Keying Mode: IKE IKE Mode: Main Mode with No PFS (perfect forward secrecy) SA Authentication Method: Pre-Shared key Keying Group: DH (Diffie Hellman) Group 1 ID_Type: IP subnet Encryption and Data Integrity: ESP DES or ESP 3DES with MD5 EXAMPLE: The network configuration shown below is used in the example VPN configuration. The example will configure a VPN using 3DES encryption with MD5 and without PFS. Cisco PIX 10.0.31.131 Internet SonicWALL IP 10.0.31.102 IP 192.168.204.1 IP 192.168.170.1 Network 192.168.204.0 Mask 255.255.255.0 Network 192.168.170.0 Mask 255.255.255.0 Page 1 of 5

SonicWALL Configuration On the SonicWALL, create an SA. 1. Change the IPSec Keying Mode to IKE using pre-shared secret. 2. Name your SA. (In this example Cisco) 3. Fill in the IPSec gateway (in this example 10.0.31.131) 4. Select ESP DES HMAC MD5 or ESP 3DES HMAC MD5 (in this example ESP 3DES HMAC MD5) 5. Enter your Shared Secret, (In this example sonicwall) 6. Fill in the appropriate Destination Network (in this example 192.168.204.0) and Subnet Mask (in this example 255.255.255.0) A Sample Screen shot from SonicWALL firmware version 6.0.1.1 is displayed below Page 2 of 5

CISCO PIX Configuration In order to configure the SA on the PIX, you must be logged into the enable/configure terminal mode. For more details on logging into your Cisco Product and configuring settings, please refer to the Cisco documentation available online at http://www.cisco.com Once you are logged into the enable/configure terminal, use the commands below to setup a SA complimentary to the SA setup on the SonicWALL as shown above in the screen shot. The commands below are not a complete guide to configuring a Cisco PIX product, but are intended only to guide existing Cisco users. Refer to the Cisco documentation (www.cisco.com) for more information regarding the commands below. COMMANDS FOR CISCO PIX Command Description Set ACCESS LIST access-list pixtosw permit ip 192.168.204.0 Specifies the inside and destination networks 255.255.255.0 192.168.170.0 255.255.255.0 Nat (inside) 0 access-list pixtosw This turns NAT off for packets coming from the VPN tunnel Define IPSec parameters sysopt connection permit-ipsec Specifies that IPSec traffic be implicitly trusted (Allowed) crypto ipsec transform-set strong A transform set is an acceptable combination of security esp-3des esp-md5-hmac protocols and algorithms Here you can specify if you want to use ESP with authentication and DES or 3DES. crypto map tosonicwall 20 ipsec-isakmp Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. 20 is the number assigned to the crypto map entry crypto map tosonicwall 20 match address To specify an extended access list for a crypto map entry pixtosw crypto map tosonicwall 20 set peer To specify an IPSec peer in a crypto map entry, 10.0.31.102 crypto map tosonicwall 20 set transform-set To specify which transform sets can be used with the crypto strong map entry crypto map tosonicwall interface outside Evaluates traffic going through the outside interface isakmp enable outside isakmp key sonicwall address 10.0.31.102 netmask 255.255.255.255 isakmp identity address isakmp policy 20 authentication pre-share Define ISAKMP parameters isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 1 This specifies DH group 1 isakmp policy 20 lifetime 28800 To configure a pre-shared authentication key, use the isakmp key global configuration command. In this case the preshared secret is sonicwall ISAKMP identity PIX uses when participating in IPSec. To specify the authentication method within an IKE policy, use the authentication (IKE policy) ISAKMP policy configuration command. To specify the encryption algorithm within an IKE policy To specify the hash algorithm within an IKE policy This commands sets the life time intervals before IKE is renegotiated. The value 28800 can be changed. Page 3 of 5

To Test the VPN tunnel: From the PC behind the Cisco PIX firewall, try to ping 192.168.170.1 From the PC behind the SonicWALL, try to ping 192.168.204.1 Trouble Shooting Tips: Use the Log Viewer on the Cisco PIX and the SonicWALL to determine if IKE negotiation has started. If IKE negotiation is complete but pings timeout, the Cisco PIX host computer may need route configuration. Test for connectivity to the Internet. From a machine behind the SonicWALL, ping yahoo.com. On the PIX, enter the following two commands. This will allow ping access from the LAN to the Internet. Access-list acl_out permit icmp any any Access-group in interface outside From a machine behind the PIX, ping yahoo.com Example PIX configuration File: : Saved : PIX Version 5.3(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password XXXXXXXXXXXXXXXX encrypted passwd XXXXXXXXXXXXXXXX encrypted hostname pixfirewall fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 names access-list pixtosw permit ip 192.168.204.0 255.255.255.0 192.168.170.0 255.255.255.0 no pager no logging on interface ethernet0 10baset interface ethernet1 10baset mtu outside 1500 mtu inside 1500 ip address outside 10.0.31.131 255.255.0.0 ip address inside 192.168.204.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm arp timeout 14400 global (outside) 1 10.0.31.132 nat (inside) 0 access-list pixtosw nat (inside) 1 0.0.0.0 0.0.0.0 0 0 route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute Page 4 of 5

aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps tftp-server outside 10.0.31.129 / floodguard enable sysopt connection permit-ipsec no sysopt route dnat crypto ipsec transform-set strong esp-3des esp-md5-hmac crypto map tosonicwall 20 ipsec-isakmp crypto map tosonicwall 20 match address pixtosw crypto map tosonicwall 20 set peer 10.0.31.102 crypto map tosonicwall 20 set transform-set strong crypto map tosonicwall interface outside isakmp enable outside isakmp key sonicwall address 10.0.31.102 netmask 255.255.255.255 isakmp identity address isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 1 isakmp policy 20 lifetime 28800 telnet 10.0.0.0 255.255.0.0 inside telnet timeout 5 ssh timeout 5 terminal width 80 Cryptochecksum:43014c32dceffcb0d1ad55164ba95087 : end Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information