Application Notes SL1000/SL500 VPN with Cisco PIX 501




Version 1.0
Copyright 2006, ASUSTek Computer, Inc.

Revision History

    Version   Author      Date       Status
    1.0       Martin Su   2006/5/4   Initial draft

Table of Contents

    Revision History
    Table of Contents
    List of Figures
    1 Introduction
    2 Network Setup
      2.1 Setup Description
      2.2 Setup CISCO PIX Firewall
        2.2.1 Setup IP address of LAN interface
        2.2.2 Setup IP address of WAN interface
        2.2.3 Setup Routing Table
      2.3 Setup SL1000/SL500 system
        2.3.1 Setup IP address of LAN interface
        2.3.2 Setup IP address of WAN interface
        2.3.3 Setup Routing Table
    3 Establish VPN Tunnel using Automatic Keying
      3.1 Configure VPN Policy on PIX 501
      3.2 Configure VPN Policy on SL1000/SL500
      3.3 Verify VPN Tunnel Establishment

List of Figures

    Figure 2.1 Network Connections
    Figure 2.2 Setup LAN port IP address on the PIX firewall
    Figure 2.3 Setup WAN port IP address on the PIX firewall
    Figure 2.4 Setup a default route on the PIX firewall
    Figure 2.5 Setup LAN port IP address on the SL1000/SL500
    Figure 2.6 Setup IP address of WAN interface on the SL1000/SL500
    Figure 2.7 Verify WAN interface configurations on the SL1000/SL500
    Figure 2.8 Setup a default route on the SL1000/SL500
    Figure 3.1 Setup VPN policy on the PIX firewall
    Figure 3.2 Verify VPN configurations on the PIX firewall
    Figure 3.3 Configure VPN policy on the SL1000/SL500
    Figure 3.4 Verify VPN configurations on the SL1000/SL500
    Figure 3.5 Verify VPN tunnel establishment on the PIX firewall
    Figure 3.6 Verify the VPN tunnel establishment on the SL1000/SL500

1 Introduction

This application note details the steps for creating an IPSec VPN tunnel between an ASUS Internet Security Router and a CISCO PIX Firewall. It is assumed that both devices have a static IP address on the WAN interface and a default route configured. All settings and screen dumps in this document were taken from a CISCO PIX 501 running PIX Firewall Version 6.3(4) and an ASUS SL1000/SL500 running firmware 1.1.72A.410.

2 Network Setup

This section describes how to set up the network for the SL1000/SL500 and CISCO PIX 501 configuration illustrated in Figure 2.1.

Figure 2.1 Network Connections (diagram; addresses recovered from the figure):

    PC1 (192.168.30.2) --- LAN 192.168.30.1 [CISCO PIX 501] WAN 10.64.2.130
                                                                  |
                                                          cross Ethernet cable
                                                                  |
    PC2 (10.64.3.11) ----- LAN 10.64.3.1 [SL1000/SL500 Internet Security Router] WAN 10.64.2.145

2.1 Setup Description

PC1 and PC2 are hosts in the protected networks, running Windows NT/98/2000/XP or Red Hat Linux. The SL1000/SL500 and the PIX Firewall each protect their own LAN from the external network. Traffic between the two intranets is carried inside the VPN tunnel over the public Internet and does not need NAT (in this setup a direct cable between the two WAN interfaces stands in for the public network); the nat (inside) 0 access-list command in Section 3.1 exempts exactly that traffic from translation. NAT is still required for connections to the public Internet.

2.2 Setup CISCO PIX Firewall

2.2.1 Setup IP address of LAN interface

    pixfirewall# configure terminal
    pixfirewall(config)# ip address inside 192.168.30.1 255.255.255.0

Figure 2.2 Setup LAN port IP address on the PIX firewall

2.2.2 Setup IP address of WAN interface

    pixfirewall(config)# interface ethernet0 auto
    pixfirewall(config)# ip address outside 10.64.2.130 255.255.255.0

Figure 2.3 Setup WAN port IP address on the PIX firewall

2.2.3 Setup Routing Table

The default route points at the SL1000/SL500 WAN address, which is the only next hop reachable from the PIX outside interface in this setup:

    pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 10.64.2.145

Figure 2.4 Setup a default route on the PIX firewall

2.3 Setup SL1000/SL500 system

2.3.1 Setup IP address of LAN interface

Figure 2.5 Setup LAN port IP address on the SL1000/SL500 (screenshot; LAN address 10.64.3.1 as in Figure 2.1)

2.3.2 Setup IP address of WAN interface

Figure 2.6 Setup IP address of WAN interface on the SL1000/SL500 (screenshot; WAN address 10.64.2.145 as in Figure 2.1)

Figure 2.7 Verify WAN interface configurations on the SL1000/SL500 (screenshot)

2.3.3 Setup Routing Table

Figure 2.8 Setup a default route on the SL1000/SL500 (screenshot)

3 Establish VPN Tunnel using Automatic Keying

3.1 Configure VPN Policy on PIX 501

Step 1: Configure access list rule and VPN policy

The access list SL1000 selects the traffic to be protected (192.168.30.0/24 to 10.64.3.0/24). It is used twice: by nat (inside) 0 to exempt that traffic from NAT, and by the crypto map as the match address. The isakmp policy defines the phase 1 (IKE) proposal, and the transform-set defines the phase 2 (ESP) proposal; the SL1000/SL500 side must offer the same values.

    pixfirewall(config)# access-list SL1000 permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
    pixfirewall(config)# nat (inside) 0 access-list SL1000
    pixfirewall(config)# sysopt connection permit-ipsec
    pixfirewall(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    pixfirewall(config)# crypto ipsec security-association lifetime seconds 3600
    pixfirewall(config)# crypto map tosl1000 20 ipsec-isakmp
    pixfirewall(config)# crypto map tosl1000 20 match address SL1000
    pixfirewall(config)# crypto map tosl1000 20 set peer 10.64.2.145
    pixfirewall(config)# crypto map tosl1000 20 set transform-set set1
    pixfirewall(config)# crypto map tosl1000 interface outside
    pixfirewall(config)# isakmp enable outside
    pixfirewall(config)# isakmp key cwtest address 10.64.2.145 netmask 255.255.255.0
    pixfirewall(config)# isakmp identity address
    pixfirewall(config)# isakmp policy 20 authentication pre-share
    pixfirewall(config)# isakmp policy 20 encryption 3des
    pixfirewall(config)# isakmp policy 20 hash sha
    pixfirewall(config)# isakmp policy 20 group 2
    pixfirewall(config)# isakmp policy 20 lifetime 3600

Two points in this block deserve attention before it is reused. The isakmp key command binds the pre-shared key with netmask 255.255.255.0, so any host in 10.64.2.0/24 may attempt IKE with that key; for a single static peer use netmask 255.255.255.255. The algorithm choices (3DES, SHA-1, DH group 2, no PFS) were the interoperable set in 2006 but are now considered legacy; pick the strongest set both devices support, and add set pfs to the crypto map entry if the SL1000/SL500 supports it.

Figure 3.1 Setup VPN policy on the PIX firewall

Step 2: Verify Configurations

    pix-firewall# show config
    : Saved
    : Written by enable_15 at 14:22:39.654 UTC Thu May 4 2006
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pix-firewall
    domain-name asus.com.tw
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list SL1000 permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.64.2.130 255.255.255.0
    ip address inside 192.168.30.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.1.10 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list SL1000
    route outside 0.0.0.0 0.0.0.0 10.64.2.145 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set set1 esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map tosl1000 20 ipsec-isakmp
    crypto map tosl1000 20 match address SL1000
    crypto map tosl1000 20 set peer 10.64.2.145
    crypto map tosl1000 20 set transform-set set1
    crypto map tosl1000 interface outside
    isakmp enable outside
    isakmp key ******** address 10.64.2.145 netmask 255.255.255.0
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 3600
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    Cryptochecksum:8213208c43a8ad0a01202a9686af3ed4

Figure 3.2 Verify VPN configurations on the PIX firewall

Note that show config masks the pre-shared key (********) but the rest of this dump is a lab configuration: the SNMP community is still public, and sysopt connection permit-ipsec lets decrypted VPN traffic bypass the outside interface access list. Review both before carrying this configuration into production.
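The configuration above is small enough to review by eye, but the same mistakes (a pre-shared key bound to a whole subnet, legacy algorithms, no PFS, a crypto map pointing at an access list that does not exist) recur in larger PIX configurations. The following audit script is an added example, not code from the ASUS note or from Cisco: it parses the crypto statements of a PIX 6.3 configuration and reports the weak or inconsistent ones. The embedded sample is the Step 1 configuration from this note with a hypothetical placeholder (EXAMPLE-PSK) in place of the page's pre-shared key; the PIX 6.3 defaults assumed for omitted isakmp policy attributes (DES, SHA, DH group 1) are noted in the code.

```python
"""Static audit of a PIX 6.3 IKEv1/IPsec site-to-site configuration: flags weak
key binding and algorithms, missing PFS, and dangling references."""
from collections import defaultdict

# Constructed input: the Step 1 lines of this note, with a hypothetical
# pre-shared key in place of the one shown on the page.
SAMPLE_CONFIG = """\
access-list SL1000 permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
nat (inside) 0 access-list SL1000
sysopt connection permit-ipsec
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map tosl1000 20 ipsec-isakmp
crypto map tosl1000 20 match address SL1000
crypto map tosl1000 20 set peer 10.64.2.145
crypto map tosl1000 20 set transform-set set1
crypto map tosl1000 interface outside
isakmp enable outside
isakmp key EXAMPLE-PSK address 10.64.2.145 netmask 255.255.255.0
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
"""

WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}   # 56-bit DES, MD5
LEGACY = {"3des", "esp-3des"}                        # 64-bit block cipher (Sweet32)
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def parse_pix_crypto(text):
    """Build a small model of the crypto statements in a PIX 6.x config."""
    cfg = {"acls": set(), "nat0_acls": set(), "transform_sets": {}, "keys": [],
           "maps": defaultdict(dict), "policies": defaultdict(dict), "permit_ipsec": False}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:   # NAT exemption
            cfg["nat0_acls"].add(t[4])
        elif t[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():       # per-sequence entry
            entry, rest = cfg["maps"][(t[2], int(t[3]))], t[4:]
            if rest[:2] in (["match", "address"], ["set", "peer"], ["set", "transform-set"], ["set", "pfs"]):
                entry[rest[1]] = rest[2] if len(rest) > 2 else "group1"   # bare 'set pfs' = group1
        elif t[:2] == ["isakmp", "key"]:
            # isakmp key <psk> address <peer> [netmask <mask>]; host mask when omitted
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            cfg["keys"].append((t[t.index("address") + 1], mask))
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg["policies"][int(t[2])][t[3]] = " ".join(t[4:])
    return cfg


def audit(cfg):
    """Return (severity, message) findings, most severe first."""
    f = []
    for peer, mask in cfg["keys"]:
        if mask != "255.255.255.255":
            f.append(("HIGH", f"pre-shared key for {peer} is bound to netmask {mask}: any host in "
                              "that range may attempt IKE with it; use 255.255.255.255"))
    for name, ts in cfg["transform_sets"].items():
        if set(ts) & WEAK:
            f.append(("HIGH", f"transform-set {name} uses DES or MD5"))
        elif set(ts) & LEGACY:
            f.append(("MEDIUM", f"transform-set {name} uses 3DES (legacy)"))
    for seq, pol in sorted(cfg["policies"].items()):
        # PIX 6.3 defaults for omitted attributes (assumption): des, sha, group 1
        algs = {pol.get("encryption", "des"), pol.get("hash", "sha")}
        if algs & WEAK:
            f.append(("HIGH", f"isakmp policy {seq} uses DES or MD5"))
        elif algs & LEGACY:
            f.append(("MEDIUM", f"isakmp policy {seq} uses 3DES (legacy)"))
        if pol.get("group", "1") == "1":
            f.append(("HIGH", f"isakmp policy {seq} uses DH group 1 (768-bit)"))
        elif pol.get("group") == "2":
            f.append(("MEDIUM", f"isakmp policy {seq} uses DH group 2 (1024-bit)"))
    for (name, seq), e in sorted(cfg["maps"].items()):
        label, acl, ts = f"crypto map {name} {seq}", e.get("address"), e.get("transform-set")
        if acl and acl not in cfg["acls"]:
            f.append(("HIGH", f"{label} matches undefined access-list {acl}"))
        if ts and ts not in cfg["transform_sets"]:
            f.append(("HIGH", f"{label} references undefined transform-set {ts}"))
        if acl and acl not in cfg["nat0_acls"]:
            f.append(("MEDIUM", f"{label}: traffic in {acl} is not exempted from NAT (nat 0)"))
        if "pfs" not in e:
            f.append(("MEDIUM", f"{label} has no 'set pfs': phase 2 keys derive from the phase 1 secret"))
    if cfg["permit_ipsec"]:
        f.append(("INFO", "sysopt connection permit-ipsec lets decrypted VPN traffic bypass the "
                          "outside interface access-list"))
    return sorted(f, key=lambda x: SEVERITY[x[0]])


def audit_config(text):
    return audit(parse_pix_crypto(text))
```

Run against the sample, audit_config reports one HIGH finding (the /24 key binding), four MEDIUM ones (3DES in both phases, DH group 2, no PFS) and the permit-ipsec note; correcting the netmask and adding set pfs removes the HIGH and the PFS findings, and a typo in match address surfaces as an undefined access-list reference.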

3.2 Configure VPN Policy on SL1000/SL500

Before configuring the VPN, enable the VPN service under System Management -> System Service. The policy entered on the SL1000/SL500 must match the PIX side of Figure 3.1: remote gateway 10.64.2.130, local network 10.64.3.0/24, remote network 192.168.30.0/24, the same pre-shared key, 3DES/SHA-1/DH group 2 for IKE, ESP 3DES/SHA-1 for IPSec and 3600-second lifetimes. Any mismatch in these values causes IKE negotiation to fail.

Figure 3.3 Configure VPN policy on the SL1000/SL500 (screenshot)

Figure 3.4 Verify VPN configurations on the SL1000/SL500 (screenshot)

3.3 Verify VPN Tunnel Establishment

On the PIX, show crypto isakmp sa lists the phase 1 (IKE) security association; state QM_IDLE means phase 1 completed and the SA is available for quick mode. show crypto ipsec sa lists the phase 2 (ESP) security associations: one inbound and one outbound SPI, the negotiated transform, and packet counters. Non-zero and matching #pkts encaps and #pkts decaps show that traffic has passed in both directions; #send errors and #recv errors should stay at 0.

    pix-firewall# show crypto isakmp sa
    Total     : 1
    Embryonic : 0
            dst               src        state     pending     created
       10.64.2.130       10.64.2.145    QM_IDLE         0           1

    pix-firewall# show crypto ipsec sa
    interface: outside
        Crypto map tag: tosl1000, local addr. 10.64.2.130

       local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.64.3.0/255.255.255.0/0/0)
       current_peer: 10.64.2.145:500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
        #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 10.64.2.130, remote crypto endpt.: 10.64.2.145
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5f4579cf

         inbound esp sas:
          spi: 0x991686ee(2568390382)
            transform: esp-3des esp-sha-hmac,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: tosl1000
            sa timing: remaining key lifetime (k/sec): (74998/3472)
            IV size: 8 bytes
            replay detection support: Y

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x5f4579cf(1598388687)
            transform: esp-3des esp-sha-hmac,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: tosl1000
            sa timing: remaining key lifetime (k/sec): (74999/3463)
            IV size: 8 bytes
            replay detection support: Y

         outbound ah sas:

         outbound pcp sas:

Figure 3.5 Verify VPN tunnel establishment on the PIX firewall

Figure 3.6 Verify the VPN tunnel establishment on the SL1000/SL500 (screenshot)
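Reading the two show commands above by hand works for one tunnel; for monitoring or for scripted acceptance tests it helps to parse them. The script below is an added example, not code from the ASUS note or from Cisco: it parses show crypto isakmp sa and show crypto ipsec sa output from PIX 6.3, then checks that phase 1 is in QM_IDLE, that inbound and outbound ESP SAs exist with the expected transform in tunnel mode with replay detection, and that packets have been both encapsulated and decapsulated. The embedded sample is the Figure 3.5 output reflowed one field per line (constructed from the page; lines not needed for the check are omitted), and the assumed healthy-tunnel criteria are the ones listed in the code.

```python
"""Health check of a PIX 6.3 site-to-site tunnel from the output of
'show crypto isakmp sa' and 'show crypto ipsec sa'."""
import re

# Constructed input: the Figure 3.5 output of this note, reflowed one field per line.
SAMPLE_ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   10.64.2.130       10.64.2.145    QM_IDLE         0           1
"""
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: tosl1000, local addr. 10.64.2.130
   current_peer: 10.64.2.145:500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #send errors 0, #recv errors 0
     current outbound spi: 5f4579cf
     inbound esp sas:
      spi: 0x991686ee(2568390382)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (74998/3472)
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x5f4579cf(1598388687)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (74999/3463)
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
"""

# One phase-1 SA row: dst src state pending created
IKE_SA_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$", re.M)
# One ESP SA: spi, transform, mode flags, remaining kB/sec, replay flag
SA_RE = re.compile(r"spi: (0x[0-9a-f]+)\(\d+\)\s+transform: (.+?)\s*,\s+in use settings\s*=\s*\{(.*?)\}"
                   r".*?remaining key lifetime \(k/sec\): \((\d+)/(\d+)\).*?replay detection support: (\w)", re.S)


def parse_isakmp_sa(text):
    """One dict per phase-1 SA row."""
    return [dict(dst=d, src=s, state=st, pending=int(p), created=int(c))
            for d, s, st, p, c in IKE_SA_RE.findall(text)]


def parse_ipsec_sa(text):
    """Peer, packet counters and the inbound/outbound ESP SAs of one crypto map entry."""
    counters = {}
    for k in ("encaps", "decaps", "encrypt", "decrypt", "digest", "verify"):
        m = re.search(rf"#pkts {k}:?\s*(\d+)", text)   # 'digest' and 'verify' have no colon
        counters[k] = int(m[1]) if m else 0
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    counters["send_errors"], counters["recv_errors"] = (int(m[1]), int(m[2])) if m else (0, 0)
    peer = re.search(r"current_peer: (\d+\.\d+\.\d+\.\d+)", text)
    sas = {}
    for d in ("inbound", "outbound"):
        block = re.search(rf"{d} esp sas:(.*?){d} ah sas:", text, re.S)   # ESP section only
        sas[d] = [dict(spi=spi, transform=tr, mode=mode.strip(" ,"), remaining_kb=int(kb),
                       remaining_sec=int(sec), replay=rep)
                  for spi, tr, mode, kb, sec, rep in (SA_RE.findall(block[1]) if block else [])]
    return {"peer": peer[1] if peer else None, "counters": counters, "sas": sas}


def assess_tunnel(isakmp_text, ipsec_text, peer, transform):
    """Return the problems found; an empty list means the tunnel looks healthy."""
    problems = []
    ike = [s for s in parse_isakmp_sa(isakmp_text) if peer in (s["src"], s["dst"])]
    if not ike:
        problems.append(f"no IKE SA with {peer}: phase 1 never completed")
    elif ike[0]["state"] != "QM_IDLE":
        problems.append(f"IKE SA with {peer} is in state {ike[0]['state']}, not QM_IDLE")
    ipsec = parse_ipsec_sa(ipsec_text)
    c = ipsec["counters"]
    if ipsec["peer"] != peer:
        problems.append(f"IPsec peer is {ipsec['peer']}, expected {peer}")
    if c["encaps"] == 0:
        problems.append("no packets encapsulated: nothing has entered the tunnel locally")
    if c["decaps"] == 0:
        problems.append("no packets decapsulated: nothing has arrived from the peer")
    if c["send_errors"] or c["recv_errors"]:
        problems.append(f"{c['send_errors']} send / {c['recv_errors']} recv errors")
    for d in ("inbound", "outbound"):
        if not ipsec["sas"][d]:
            problems.append(f"no {d} ESP SA: phase 2 not established")
        for sa in ipsec["sas"][d]:
            if sa["transform"] != transform:
                problems.append(f"{d} SA {sa['spi']} uses {sa['transform']}, expected {transform}")
            if sa["mode"] != "Tunnel" or sa["replay"] != "Y":
                problems.append(f"{d} SA {sa['spi']} is not tunnel mode with replay detection")
            if sa["remaining_sec"] == 0:
                problems.append(f"{d} SA {sa['spi']} has expired")
    return problems
```

A one-directional failure (for example, the SL1000/SL500 encrypting with a different policy, or traffic filtered before it reaches the tunnel) shows up as encaps rising while decaps stays at 0, which the check reports separately from a phase 1 that never reached QM_IDLE.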