PIX515E configuration for VPN & Internet access

Discussion in 'Cisco' started by Benson, Oct 20, 2004.

  1. Benson

    Benson Guest

    Hi,

I have a network with a PIX515E, which is used to create an internet (WAN)
connection, a company network (LAN), and a DMZ for internet servers.

Recently, our US HQ requires a VPN between offices, so we need to form
a VPN between two PIX515Es.


I would like to know how I can set up the VPN on the PIX515E, and also let
the company users access the network resources in the US office
(via VPN) and access the internet (the local ISP), while the
internet servers keep working as usual.


    Thank you
     
    Benson, Oct 20, 2004
    #1

  2. In article <>,
    Benson <> wrote:
    :I have a network with PIX515E, which is used to create an internet(WAN
    :), a company network ( LAN ), and a dmz for internet servers.

:Recently, our US HQ requires a VPN between offices, so we need to form
:a VPN between two PIX515E.

    :I would like to know how I can set up the VPN in PIX515E, and also let
    :the company users can access to the network resource in US office (
    :via VPN ) and access to the internet( the local ISP ), and the
    :internet servers are working as usual.

Something like this, assuming that your office and HQ will both
be using your internal IP range when talking to each other through
the VPN. Below, anything in MixedCase is an arbitrary name,
and XX.XX.XX.XX is the external IP address of the HQ's VPN server,
YY.YY.YY.00 is the subnet that HQ uses internally, and
ZZ.ZZ.ZZ.00 is the subnet that you use internally. I will
assume both of you are using /24's internally (255.255.255.0).
I will also assume that you have PIX 6.3(1) or later and so can
support AES. Change TSaEa256m and delete isakmp policy 7 if you
are not at 6.3(1) yet.


    names
    name XX.XX.XX.XX HQvpnEndpoint
    name YY.YY.YY.00 HQinternalSubnet
    name ZZ.ZZ.ZZ.00 LocalSubnet

    : note: these must be two different access-lists even though their
    : contents are the same for this simple scenario.

    access-list DoNotNat permit ip LocalSubnet 255.255.255.0 HQinternalSubnet 255.255.255.0

    access-list TrafficToTunnel permit ip LocalSubnet 255.255.255.0 HQinternalSubnet 255.255.255.0

    nat (inside) 0 access-list DoNotNat

    : use AH authentication, AES-256 as the ESP encryption, and MD5-HMAC
    : as the ESP authentication
    crypto ipsec transform-set TSaEa256m ah-sha-hmac esp-aes-256 esp-md5-hmac

    crypto map VpnMap 1000 ipsec-isakmp
    crypto map VpnMap 1000 match address TrafficToTunnel
    crypto map VpnMap 1000 set peer HQvpnEndpoint
    crypto map VpnMap 1000 set transform-set TSaEa256m

    crypto map VpnMap interface outside


isakmp identity hostname
isakmp enable outside

    isakmp key ThisIsASecretSharedKeyThatNoOneWillEverGuess address HQvpnEndpoint netmask 255.255.255.255 no-xauth no-config-mode

    : AES is 6.3(1) and later
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 5
    isakmp policy 7 lifetime 86400

    : 3DES
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 2
    isakmp policy 8 lifetime 86400

    : better DES
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption des
    isakmp policy 9 hash sha
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400

    : lesser DES
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400

    --
    Entropy is the logarithm of probability -- Boltzmann
     
    Walter Roberson, Oct 20, 2004
    #2

"Walter Roberson" <-cnrc.gc.ca> wrote in message
news:cl6a8g$914
    > : use AH authentication, AES-256 as the ESP encryption, and MD5-HMAC
    > : as the ESP authentication
    > crypto ipsec transform-set TSaEa256m ah-sha-hmac esp-aes-256 esp-md5-hmac
    >


Did you ever wonder why all Cisco CCO sample configs are without AH?
Why is this, you think?
What is the catch with AH, since Cisco doesn't mention it that often in
samples?

    > crypto map VpnMap 1000 ipsec-isakmp
    > crypto map VpnMap 1000 match address TrafficToTunnel
    > crypto map VpnMap 1000 set peer HQvpnEndpoint
    > crypto map VpnMap 1000 set transform-set TSaEa256m
    >
    > crypto map VpnMap interface outside
    >
    >


Maybe a sysopt conn permit ipsec is needed as well. - Depends...

    Best Regards
    Martin
     
    Martin Bilgrav, Oct 21, 2004
    #3
  4. In article <41779401$0$13726$>,
    Martin Bilgrav <bilgravATimageDOTdk> wrote:
:Did you ever wonder why all Cisco CCO sample configs are without AH?
:Why is this, you think?
:What is the catch with AH, since Cisco doesn't mention it that often in
:samples?

    It doesn't play nicely with NAT, and it's probably easier to leave
    it out than to explain to people over and over again why the examples
    don't work for them.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
     
    Walter Roberson, Oct 21, 2004
    #4
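The two security points raised in this thread are the strength of the ISAKMP policies and transform set in Walter's configuration (post #2) and the AH-versus-NAT caveat (posts #3 and #4). The following is an added example, not code from the thread or from Cisco: a small Python audit script that parses the PIX 6.3-style `isakmp policy`, `crypto ipsec transform-set`, `nat` and `global` lines and reports legacy algorithms, weak Diffie-Hellman groups and any AH transform (which authenticates the outer IP header and therefore breaks behind a NAT on the path). The embedded configuration is a constructed sample adapted from post #2, with the thread's XX/YY/ZZ placeholders replaced by documentation and private addresses so that it parses; the PIX defaults assumed for omitted policy attributes (DES, SHA, group 1) are stated in comments.

```python
"""Audit a PIX 6.3-style IPsec/ISAKMP configuration for weak crypto and AH/NAT conflicts."""
import re
from collections import defaultdict

# Constructed sample, adapted from the configuration posted earlier in the thread.
# 203.0.113.1 is a documentation address standing in for the HQ VPN endpoint;
# the two 10.x.0.0 subnets stand in for the HQ and local internal ranges.
SAMPLE_CONFIG = """
name 203.0.113.1 HQvpnEndpoint
name 10.10.0.0 HQinternalSubnet
name 10.20.0.0 LocalSubnet
access-list DoNotNat permit ip LocalSubnet 255.255.255.0 HQinternalSubnet 255.255.255.0
access-list TrafficToTunnel permit ip LocalSubnet 255.255.255.0 HQinternalSubnet 255.255.255.0
nat (inside) 0 access-list DoNotNat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto ipsec transform-set TSaEa256m ah-sha-hmac esp-aes-256 esp-md5-hmac
crypto map VpnMap 1000 ipsec-isakmp
crypto map VpnMap 1000 match address TrafficToTunnel
crypto map VpnMap 1000 set peer HQvpnEndpoint
crypto map VpnMap 1000 set transform-set TSaEa256m
crypto map VpnMap interface outside
isakmp enable outside
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 5
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
"""

WEAK_ENCRYPTION = {"des": "DES (56-bit)", "3des": "3DES (legacy)"}
WEAK_DH_GROUP = {"1": "DH group 1 (768-bit MODP)", "2": "DH group 2 (1024-bit MODP)"}


def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = defaultdict(dict)
    for m in re.finditer(r"^\s*isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)


def parse_transform_sets(config):
    """Return {set_name: [transform, ...]} from 'crypto ipsec transform-set' lines."""
    sets = {}
    for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = m.group(2).split()
    return sets


def uses_nat(config):
    """True if a translating NAT rule (id other than the 0 exemption) or a global pool exists."""
    return bool(re.search(r"^\s*(nat \(\S+\) [1-9]\d*|global \()", config, re.M))


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        # Assumed PIX 6.3 defaults for omitted attributes: encryption des, hash sha, group 1.
        enc = attrs.get("encryption", "des")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: weak encryption {WEAK_ENCRYPTION[enc]}")
        if attrs.get("hash", "sha") == "md5":
            findings.append(f"isakmp policy {num}: weak hash MD5")
        grp = attrs.get("group", "1")
        if grp in WEAK_DH_GROUP:
            findings.append(f"isakmp policy {num}: weak {WEAK_DH_GROUP[grp]}")
    nat_note = " (this box also translates addresses)" if uses_nat(config) else ""
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in ("esp-des", "esp-3des"):
                findings.append(f"transform-set {name}: weak encryption {t}")
            if t.endswith("-md5-hmac"):
                findings.append(f"transform-set {name}: weak integrity {t}")
            if t.startswith("ah-"):
                findings.append(
                    f"transform-set {name}: {t} authenticates the outer IP header, "
                    f"so the tunnel fails behind any NAT on the path{nat_note}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the script leaves policy 7 (AES-256, SHA, group 5) alone and flags the 3DES and DES fallback policies, the MD5 ESP integrity transform and the AH transform; the traffic the thread tunnels is exempted from NAT by `nat (inside) 0`, but the AH finding still applies if a NAT device sits anywhere between the two PIXes.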