Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall




Table of Contents

  Configuring an IPSec LAN to LAN Tunnel for Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall
  Cisco has announced the end of sales for the Cisco VPN 5000 Series Concentrators. For more information, please see the End of Sales Announcement.
  Introduction
  Hardware and Software Versions
  Network Diagram
  Configurations
  debug and show Commands
  Tools Information
  Related Information

Cisco has announced the end of sales for the Cisco VPN 5000 Series Concentrators. For more information, please see the End of Sales Announcement.

Introduction

This document gives an overview of the configuration required to allow a Cisco Secure PIX Firewall and a Cisco VPN 500x Concentrator to open an IPSec LAN to LAN tunnel. For information about how to establish basic connectivity, or for reference on configuration syntax, please consult the VPN 5000 Concentrator documentation and the PIX documentation.

Hardware and Software Versions

This configuration was developed and tested using the software and hardware versions below.

  PIX Software release 5.1(2)
  VPN 5002 Concentrator with the 5.2.15US and 6.0.20US software releases

Note: The configuration for the 6.0.20US software release is differentiated by two asterisks (**).

Network Diagram

  10.10.10.0/24 --- VPN 5002 "rtp5002" (100.1.1.20) ===== IPSec LAN to LAN tunnel ===== (100.1.1.80) PIX "pixfirewall" --- 40.40.40.0/24

Configurations

PIX Configuration:

PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
! Create crypto access list to specify interesting IPSec traffic
! for packets from PIX inside network to VPN 5002.
access-list 100 permit ip 40.40.40.0 255.255.255.0 10.10.10.0 255.255.255.0
! Exempt IPSec traffic from using NAT from PIX to VPN 5002.
access-list 101 permit ip 40.40.40.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 100.1.1.80 255.255.255.0
ip address inside 40.40.40.1 255.255.255.0
arp timeout 14400
! Exempt IPSec traffic from using NAT from PIX to VPN 5002 (access-list 101).
nat (inside) 0 access-list 101
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 100.1.1.20 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
! Create IPSec transform set named "myset" using DES for ESP
! and ESP with the MD5 (HMAC variant) authentication algorithm
! with transport mode. Note that Authentication Header is not used.
crypto ipsec transform-set myset esp-des esp-md5-hmac
! Create crypto map "newmap" and assign sequence number 10, which is used
! to rank multiple entries within one crypto map set (the lower the sequence
! number, the higher the priority). Use IKE to establish Security Associations;
! use IPSec for traffic specified in access-list 100. Specify VPN 5002 as remote
! IPSec peer, and assign transform set "myset" for policy information.
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 100.1.1.20
crypto map newmap 10 set transform-set myset
! Evaluate traffic going through outside interface against the crypto map
! "newmap" to determine whether it needs to be protected.
crypto map newmap interface outside
! Enable IPSec IKE on outside interface.
isakmp enable outside
! Specify pre-shared key and remote peer (VPN 5002) for SA negotiation.
isakmp key cisco123 address 100.1.1.20 netmask 255.255.255.255
! Use IP address for ISAKMP identity during IKE negotiation.
isakmp identity address
! Use pre-shared key for IKE, DES encryption, MD5, Diffie-Hellman Group type 1
! (768-bit) and SA lifetime of 1000 seconds.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
terminal width 80
Cryptochecksum:21e462e1e749c3138288bfe7ede24ed4
: end
[OK]

VPN 5000 Configuration:

[ IP Ethernet 0:0 ]
  Mode = Routed
  SubnetMask = 255.255.255.0
  IPAddress = 10.10.10.1
[ IP Ethernet 1:0 ]
  Mode = Routed
  SubnetMask = 255.255.255.0
  IPAddress = 100.1.1.20
[ General ]
  DeviceName = "rtp5002"
  IPSecGateway(**VPNGateway) = 100.1.1.80
  EthernetAddress = 00:00:a5:e9:c8:00
  DeviceType = VPN 5002/8 Concentrator
  ConfiguredOn = Timeserver not configured
  ConfiguredFrom = Command Line, from Console
[ IP Static ]
  40.40.40.0 255.255.255.0 vpn 1 1
[ Tunnel Partner VPN 1 ]
  LocalAccess = "10.10.10.0/24"
  Peer = "40.40.40.0/24"
  Mode = Main
  Transform = esp(md5,des)
  KeyManage = Auto (**Reliable)
  SharedKey = "cisco123"
  BindTo = "ethernet 1:0"
  Partner = 100.1.1.80
  **InactivityTimeout = 120
  **TunnelType = IPSec
  **KeepaliveInterval = 120
  **KeyLifeSecs = 3500
  **Certificates = Off
[ IP VPN 1 ]
  Numbered = Off
  Mode = Routed
[ IKE Policy ]
  Protection = MD5_DES_G1
[ VPN Group "rtp" ]
  DNSPrimaryServer = 100.100.100.100
  BindTo = "ethernet 1:0"
  StartIPAddress = 10.10.10.50
  IPNet = 10.10.10.0/24
  Transform = esp(md5,des)
  MaxConnections = 10
[ VPN Users ]
  omar config="rtp" sharedkey="letmein"

Configuration size is 1388 out of 65500 bytes.

debug and show Commands

Before attempting any debug commands, please see Important Information on Debug Commands.

VPN 5000 Debug

  show sys log buffer
    View previously buffered events.
  vpn trace dump all
    Shows information about all matching VPN connections, including information about the time, the VPN number, the real IP address of the peer, which scripts have been run, and in the case of an error, the routine and line number of the software code where the error occurred.

PIX Debug

  debug crypto ipsec
    Displays errors during Phase 2.
  debug crypto isakmp
    Displays errors during Phase 1.
  debug crypto engine
    Displays information from the crypto engine.
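Added example (not part of the Cisco document): a Python cross-check that parses the tunnel-relevant lines of the two configurations above and reports any Phase 1 or Phase 2 parameter that does not agree between the PIX and the VPN 5002, which is the usual reason a LAN to LAN tunnel never comes up and the debugs above end up being needed. The two configuration strings are constructed from the page's own values, trimmed to the lines the check reads; the mapping tables that translate the VPN 5000 notation (esp(md5,des), MD5_DES_G1) into PIX keywords are assumptions of this example, not something the page defines.

```python
# Added example (not from the Cisco document): cross-check the PIX and
# VPN 5000 tunnel settings so a Phase 1 / Phase 2 mismatch is caught before
# turning on debugs. Both config strings are constructed from the page's
# configurations, trimmed to the lines this check needs.
from ipaddress import ip_network

PIX_CONFIG = """\
access-list 100 permit ip 40.40.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 permit ip 40.40.40.0 255.255.255.0 10.10.10.0 255.255.255.0
ip address outside 100.1.1.80 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 100.1.1.20
crypto map newmap 10 set transform-set myset
isakmp key cisco123 address 100.1.1.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

VPN5000_CONFIG = """\
[ IP Ethernet 1:0 ]
 IPAddress = 100.1.1.20
[ Tunnel Partner VPN 1 ]
 LocalAccess = "10.10.10.0/24"
 Peer = "40.40.40.0/24"
 Transform = esp(md5,des)
 SharedKey = "cisco123"
 Partner = 100.1.1.80
[ IKE Policy ]
 Protection = MD5_DES_G1
"""

# Assumed mapping of VPN 5000 notation onto PIX keywords (only this page's values).
TRANSFORM_MAP = {"esp(md5,des)": ("esp-des", "esp-md5-hmac")}
IKE_MAP = {"MD5_DES_G1": {"hash": "md5", "encryption": "des", "group": "1"}}


def parse_pix(text):
    """Collect the tunnel-relevant settings from a PIX 5.x configuration."""
    cfg = {"acl": {}, "transform": {}, "isakmp": {}}
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2] == "permit":
            # keep (source, destination) as network objects for comparison
            cfg["acl"].setdefault(f[1], []).append(
                (ip_network(f"{f[4]}/{f[5]}"), ip_network(f"{f[6]}/{f[7]}")))
        elif f[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = f[3]
        elif f[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = f[4]
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][f[3]] = tuple(f[4:])
        elif f[:2] == ["crypto", "map"] and f[4:6] == ["match", "address"]:
            cfg["match_acl"] = f[6]
        elif f[:2] == ["crypto", "map"] and f[4:6] == ["set", "peer"]:
            cfg["peer"] = f[6]
        elif f[:2] == ["crypto", "map"] and f[4:6] == ["set", "transform-set"]:
            cfg["map_transform"] = f[6]
        elif f[:2] == ["isakmp", "key"]:
            cfg["psk"], cfg["psk_peer"] = f[2], f[4]
        elif f[:2] == ["isakmp", "policy"]:
            cfg["isakmp"][f[3]] = f[4]
    return cfg


def parse_vpn5000(text):
    """Parse the VPN 5000 section / key = value layout into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_tunnel(pix_text, vpn_text):
    """Return a list of mismatches; an empty list means both sides agree."""
    pix, vpn = parse_pix(pix_text), parse_vpn5000(vpn_text)
    partner, findings = vpn["Tunnel Partner VPN 1"], []
    # Phase 1 addressing: each side must name the other's outside address,
    # and the PIX pre-shared key must be bound to that same peer.
    if pix["peer"] != vpn["IP Ethernet 1:0"]["IPAddress"]:
        findings.append("PIX 'set peer' is not the VPN 5000 ethernet 1:0 address")
    if partner["Partner"] != pix["outside"]:
        findings.append("VPN 5000 'Partner' is not the PIX outside address")
    if pix["psk_peer"] != pix["peer"]:
        findings.append("PIX 'isakmp key' address differs from the crypto map peer")
    if pix["psk"] != partner["SharedKey"]:
        findings.append("pre-shared keys differ")
    # Phase 1 policy: MD5_DES_G1 must map onto hash md5 / encryption des / group 1.
    for attr, want in IKE_MAP.get(vpn["IKE Policy"]["Protection"], {}).items():
        if pix["isakmp"].get(attr) != want:
            findings.append(f"isakmp policy {attr} should be {want}")
    if pix["isakmp"].get("authentication") != "pre-share":
        findings.append("PIX isakmp policy does not use pre-shared keys")
    # Phase 2 transform: esp(md5,des) is esp-des esp-md5-hmac on the PIX.
    if pix["transform"].get(pix["map_transform"]) != TRANSFORM_MAP.get(partner["Transform"]):
        findings.append("IPSec transform sets differ")
    # Proxy identities: the crypto ACL must mirror LocalAccess/Peer ...
    want = (ip_network(partner["Peer"]), ip_network(partner["LocalAccess"]))
    if want not in pix["acl"].get(pix["match_acl"], []):
        findings.append("PIX crypto ACL does not mirror VPN 5000 LocalAccess/Peer")
    # ... and the nat 0 ACL must exempt exactly that traffic from translation.
    if pix["acl"].get(pix.get("nat0_acl")) != pix["acl"].get(pix["match_acl"]):
        findings.append("nat 0 ACL does not match the crypto ACL")
    return findings


if __name__ == "__main__":
    print(check_tunnel(PIX_CONFIG, VPN5000_CONFIG) or "tunnel parameters agree")
```

The IKE lifetimes (1000 seconds on the PIX, KeyLifeSecs 3500 on the 6.0.20US concentrator) are deliberately not compared: IKE peers settle on the shorter of the two rather than requiring equality, so a difference there is not a configuration error. The nat 0 comparison is the one most often forgotten; if the NAT exemption ACL drifts from the crypto ACL, the packets are translated before the crypto map sees them and never match access-list 100.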

VPN 5000 show Commands

  show vpn partners
    Shows the following information: the VPN port number to which the peer is connected; the tunnel peer's IP address; the UDP port for the connection; whether the tunnel peer is connected to this concentrator's Tunnel Partner Default section instead of a specific Tunnel Partner section; the IP address used as the local endpoint of the tunnel; and how long the partners have been connected.
  show vpn statistics
    Shows the following information for Users and Partners, and the total for both: current active connections; currently negotiating connections; the highest number of concurrent active connections since the last reboot; the total number of successful connections since the last reboot; the number of tunnel starts; the number of tunnels for which there were no errors; and the number of tunnels with errors.

PIX show Commands

  show crypto ipsec sa
    Shows Phase 2 security associations.
  show crypto isakmp sa
    Shows Phase 1 security associations.
  show crypto engine
    Shows information regarding encrypted and decrypted packets.

Tools Information

For additional resources, refer to Cisco TAC Tools for VPN Technologies and Cisco TAC Tools for Security Technologies.

Related Information

  Cisco VPN 5000 Series Concentrators End of Sales Announcement
  VPN Top Issues
  Cisco VPN 5000 Concentrator and Client Technical Tips
  Cisco VPN 5000 Concentrator Product Support Pages
  Cisco VPN 5000 Client Product Support Pages
  IP Security (IPSec) Product Support Pages
  PIX Top Issues
  PIX IPSec Configuration Guide
  Documentation for PIX Firewall
  More PIX Firewall Technical Tips
  PIX Command Reference
  Security Product Field Notices (including PIX)
  PIX Product Support Page
  Requests for Comments (RFCs)

All contents are Copyright 1992-2002 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.
Updated: Jul 08, 2002
Document ID: 14094