© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-1
Module 14
PIX VPN
Learning Objectives
Upon completion of this module, you will be able to perform the following tasks:
• Identify how the PIX Firewall enables a secure VPN.
• Identify the tasks to configure PIX Firewall IPSec support.
• Identify the commands to configure PIX Firewall IPSec support.
• Configure a VPN between PIX Firewalls.
• Describe the Cisco VPN Client.
Overview
This module will cover the creation and configuration of secure VPNs. VPNs are a very useful tool in securing traffic between two remote networks. Both site-to-site and remote access VPNs will be covered.
Key Terms
• IPSec
• IKE
• DES, 3DES, AES
• SHA-1, MD5
• RSA
• Digital Certificates
• Pre-shared keys
• Diffie-Hellman
The PIX Firewall Enables a Secure VPN
PIX Firewall VPN Topologies
IPSec Enables PIX Firewall VPN Features
• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay
What Is IPSec?
IETF standard that enables encrypted communication between peers
• Consists of open standards for securing private communications.
• Network layer encryption ensuring data confidentiality, integrity, and authentication.
• Scales from small to very large networks.
• Included in PIX Firewall version 5.0 and later.
IPSec Standards Supported by the PIX Firewall
• IPSec (IP Security protocol)
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• Data Encryption Standard (DES)
• Triple DES (3DES)
• Diffie-Hellman (DH)
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
• Rivest, Shamir, Adleman signatures (RSA)
• Certificate Authorities (CA)
IPSec Configuration Tasks
Task 1—Prepare to Configure VPN Support
IPSec Configuration Tasks Overview
• Task 1—Prepare to configure VPN support.
• Task 2—Configure IKE parameters.
• Task 3—Configure IPSec parameters.
• Task 4—Test and verify VPN configuration.
Task 1—Prepare to Configure VPN Support
• Step 1—Determine the IKE (IKE phase one) policy.
• Step 2—Determine the IPSec (IKE phase two) policy.
• Step 3—Ensure that the network works without encryption.
• Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.
Plan for IKE
IKE Phase One Policy Parameters
Determine IKE Phase One Policy
| Parameter | Site 1 | Site 2 |
|---|---|---|
| Encryption algorithm | DES | DES |
| Hash algorithm | SHA | SHA |
| Authentication method | Pre-share | Pre-share |
| Key exchange | 768-bit D-H | 768-bit D-H |
| IKE SA lifetime | 86,400 seconds | 86,400 seconds |
Plan for IPSec
Determine IPSec (IKE Phase Two) Policy
Ensure the Network Works
pixfirewall# ping 172.30.2.2
Ensure ACLs do not Block IPSec Traffic
Task 2—Configure IKE Parameters
Step 1—Enable or Disable IKE
• Enables or disables IKE on the PIX Firewall interfaces.
• IKE is enabled by default.
• Disable IKE on interfaces not used for IPSec.
pixfirewall(config)# isakmp enable interface-name
pixfirewall(config)# isakmp enable outside
Step 2—Configure an IKE Phase One Policy
• Creates a policy suite grouped by priority number.
• Creates policy suites that match peers.
• Can use default values.
pixfirewall(config)# isakmp policy 10 encryption des
pixfirewall(config)# isakmp policy 10 hash sha
pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 group 1
pixfirewall(config)# isakmp policy 10 lifetime 86400
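How two PIX peers settle on an IKE phase one protection suite, as an added example that is not part of the Cisco course material: a small Python model that parses `isakmp policy` lines of the form shown above, appends the default protection suite that `show isakmp policy` always lists last, and walks the initiator's suites in priority order until the responder has one whose encryption, hash, authentication method and Diffie-Hellman group match (the lifetime need not match; the shorter one is used). Site 1 is taken from the slides; the second site's 3DES suite at priority 5, its 43200-second lifetime, and the third site's mismatched policy are constructed for the example.

```python
"""Model of IKE phase one (ISAKMP) policy negotiation between two PIX peers.

Added example, not code from the Cisco course. It parses `isakmp policy`
lines, appends the default protection suite that `show isakmp policy`
always lists last, and picks the suite the two peers agree on.
"""
import re

# The default protection suite shown by `show isakmp policy`: DES, SHA,
# RSA signatures, DH group 1, 86400 seconds. It is offered after every
# configured priority, and unset attributes of a configured policy take
# these values.
DEFAULT_SUITE = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": 86400,
}
MUST_MATCH = ("encryption", "hash", "authentication", "group")

POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (encryption|hash|authentication|group|lifetime) (\S+)\s*$"
)

def parse_isakmp_policies(config_text):
    """Suites in priority order (lowest number first), default suite last."""
    suites = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if not m:
            continue
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3).lower()
        suite = suites.setdefault(prio, dict(DEFAULT_SUITE))
        suite[attr] = int(value) if attr == "lifetime" else value
    return [suites[p] for p in sorted(suites)] + [dict(DEFAULT_SUITE)]

def negotiate(initiator_cfg, responder_cfg):
    """First suite of the initiator, in priority order, whose encryption,
    hash, authentication and DH group the responder also has. The lifetime
    does not have to match: the shorter one is used. None if nothing matches."""
    for offer in parse_isakmp_policies(initiator_cfg):
        for own in parse_isakmp_policies(responder_cfg):
            if all(offer[k] == own[k] for k in MUST_MATCH):
                agreed = dict(offer)
                agreed["lifetime"] = min(offer["lifetime"], own["lifetime"])
                return agreed
    return None

# Constructed sample: site 1 exactly as on the slide; site 2 prefers a 3DES
# suite (assumed) and keeps the slide's suite at priority 10 with a shorter
# lifetime.
SITE1 = """
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
SITE2 = """
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 authentication pre-share
isakmp policy 5 group 2
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 group 1
isakmp policy 10 lifetime 43200
"""
# Constructed mismatch: pre-shared keys were configured on both sides, but the
# hash and DH group differ, so the only common suite is the default one, which
# authenticates with RSA signatures and needs certificates that are not there.
SITE3 = """
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
"""

if __name__ == "__main__":
    print("site1 <-> site2:", negotiate(SITE1, SITE2))
    print("site1 <-> site3:", negotiate(SITE1, SITE3))
```

The second call is the case worth checking on a real pair: a typo in one attribute does not make negotiation fail outright, it makes both peers fall through to the default RSA-signature suite, and the tunnel then fails at authentication rather than at proposal matching.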
Step 3—Configure the IKE Pre-shared Key
• Pre-shared keystring must be identical at both peers.
• Use any combination of alphanumeric characters up to 128 bytes for keystring.
• Specify peer-address as a host or wildcard address.
• Easy to configure, yet is not scalable.
pixfirewall(config)# isakmp key keystring address peer-address [netmask]
pixfirewall(config)# isakmp key cisco123 address 192.168.6.2
Step 4—Verify IKE Phase One Policies
• Displays configured and default IKE protection suites.
pixfirewall# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Task 3—Configure IPSec Parameters
Step 1—Configure Interesting Traffic
• permit = encrypt
• deny = do not encrypt
• access-list selects IP traffic by address, network, or subnet
pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask
pixfirewall# access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
Example Crypto ACLs
• Lists should always be symmetrical.
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
PIX6
pix6(config)# show static
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
pix2(config)# show access-list
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
Step 2—Configure an IPSec Transform Set
• Sets are limited to up to one AH and up to two ESP transforms.
• Default mode is tunnel.
• Configure matching sets between IPSec peers.
pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
pix1(config)# crypto ipsec transform-set pix6 esp-des
Available IPSec Transforms
| Transform | Description |
|---|---|
| ah-md5-hmac | AH-HMAC-MD5 transform |
| ah-sha-hmac | AH-HMAC-SHA transform |
| esp-des | ESP transform using DES cipher (56 bits) |
| esp-3des | ESP transform using 3DES cipher (168 bits) |
| esp-md5-hmac | ESP transform using HMAC-MD5 auth |
| esp-sha-hmac | ESP transform using HMAC-SHA auth |
Step 3—Configure the Crypto Map
• Specifies IPSec (IKE phase two) parameters.
• Map names and sequence numbers group entries into a policy.
pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp
pixfirewall(config)# crypto map MYMAP 10 match address 101
pixfirewall(config)# crypto map MYMAP 10 set peer 192.168.6.2
pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6
pixfirewall(config)# crypto map MYMAP 10 set pfs group1
pixfirewall(config)# crypto map MYMAP 10 set security-association lifetime seconds 28800
Step 4—Apply the Crypto Map to an Interface
• Applies the crypto map to an interface.
• Activates IPSec policy.
pixfirewall(config)# crypto map map-name interface interface-name
pixfirewall(config)# crypto map MYMAP interface outside
Example Crypto Map for PIX1
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
        Peer = 192.168.2.2
        access-list 101 permit ip host 192.168.1.11 host 192.168.2.11 (hitcnt=0)
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix2, }
Example Crypto Map for PIX2
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
        Peer = 192.168.1.2
        access-list 101 permit ip host 192.168.2.11 host 192.168.1.11 (hitcnt=0)
        Current peer: 192.168.1.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix1, }
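Checking that the two ends of a site-to-site tunnel agree before bringing it up, as an added Python example that is not code from the course: it parses the `access-list`, `crypto ipsec transform-set` and `crypto map` lines of both peers (Task 3, steps 1 to 4), verifies that the crypto ACLs are mirror images of each other, that the transform sets match, and that each side's crypto map entry points at the other side. The two consistent configurations are constructed from the addresses on the slides (192.168.1.2 and 192.168.6.2 are assumed to be the outside interfaces of PIX1 and PIX6); the third, mismatched configuration is invented to show what the check reports.

```python
"""Consistency check for a pair of PIX site-to-site IPSec configurations.

Added example, not code from the Cisco course. Parses the crypto ACL,
transform-set and crypto map lines of two peers and reports what the
slides warn about: crypto ACLs that are not mirror images, transform
sets that do not agree, and crypto map entries that do not point at
each other.
"""
import re

# "host A" or "A MASK" endpoints, as written in PIX access-list commands.
ENDPOINT = r"(?:host (\S+)|(\S+) (\S+))"
ACL_RE = re.compile(
    rf"^\s*access-list (\S+) (permit|deny) (\S+) {ENDPOINT} {ENDPOINT}\s*$"
)
TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+?)\s*$")
MAP_RE = re.compile(
    r"^\s*crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)"
)

def _endpoint(host, addr, mask):
    """Normalise an ACL endpoint to (address, mask)."""
    return (host, "255.255.255.255") if host else (addr, mask)

def parse(config_text):
    """Collect crypto ACLs, transform sets and crypto map entries."""
    cfg = {"acls": {}, "transform_sets": {}, "maps": {}}
    for line in config_text.splitlines():
        if m := ACL_RE.match(line):
            rule = (m.group(2), m.group(3),
                    _endpoint(m.group(4), m.group(5), m.group(6)),
                    _endpoint(m.group(7), m.group(8), m.group(9)))
            cfg["acls"].setdefault(m.group(1), []).append(rule)
        elif m := TS_RE.match(line):
            cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            entry[m.group(3)] = m.group(4)
    return cfg

def mirror(rules):
    """The rule set as the other peer must write it: source and destination swapped."""
    return sorted((act, proto, dst, src) for act, proto, src, dst in rules)

def entries_toward(cfg, peer_addr):
    """Crypto map entries whose `set peer` is the given address."""
    return [e for e in cfg["maps"].values() if e.get("set peer") == peer_addr]

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    ea, eb = entries_toward(cfg_a, addr_b), entries_toward(cfg_b, addr_a)
    if not ea or not eb:
        return [f"no crypto map entry on each side points at the other peer ({addr_a} <-> {addr_b})"]
    a, b = ea[0], eb[0]
    findings = []
    acl_a = cfg_a["acls"].get(a.get("match address"), [])
    acl_b = cfg_b["acls"].get(b.get("match address"), [])
    if not acl_a or not acl_b:
        findings.append("a crypto map entry has no crypto ACL (match address)")
    elif sorted(acl_a) != mirror(acl_b):
        findings.append("crypto ACLs are not symmetrical")
    ts_a = cfg_a["transform_sets"].get(a.get("set transform-set"))
    ts_b = cfg_b["transform_sets"].get(b.get("set transform-set"))
    if ts_a is None or ts_b is None:
        findings.append("a crypto map entry references an undefined transform set")
    elif ts_a != ts_b:
        findings.append(f"transform sets differ: {sorted(ts_a)} vs {sorted(ts_b)}")
    return findings

# Constructed from the slide values; outside addresses are assumed.
PIX1 = """
access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
crypto ipsec transform-set pix6 esp-des
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.6.2
crypto map MYMAP 10 set transform-set pix6
crypto map MYMAP interface outside
"""
PIX6_GOOD = """
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
crypto ipsec transform-set pix1 esp-des
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.1.2
crypto map MYMAP 10 set transform-set pix1
crypto map MYMAP interface outside
"""
# Invented mismatch: wrong host in the crypto ACL and a different transform set.
PIX6_BAD = """
access-list 101 permit ip host 192.168.6.10 host 192.168.1.11
crypto ipsec transform-set pix1 esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.1.2
crypto map MYMAP 10 set transform-set pix1
"""

if __name__ == "__main__":
    print(check_pair(parse(PIX1), "192.168.1.2", parse(PIX6_GOOD), "192.168.6.2"))
    print(check_pair(parse(PIX1), "192.168.1.2", parse(PIX6_BAD), "192.168.6.2"))
```

The ACL comparison is done on normalised (address, mask) pairs so that `host A` and `A 255.255.255.255` compare equal; a `permit` on one side that has no mirror `permit` on the other is exactly the asymmetry that leaves one direction of traffic unencrypted or dropped.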
Task 4—Test and Verify VPN Configuration
Task 4—Test and Verify VPN Configuration
• Verify ACLs and interesting traffic: show access-list
• Verify correct IKE configuration: show isakmp, show isakmp policy
• Verify correct IPSec configuration: show crypto ipsec transform-set
Task 4—Test and Verify VPN Configuration (cont.)
• Verify the correct crypto map configuration: show crypto map
• Clear the IPSec SA: clear crypto ipsec sa
• Clear the IKE SA: clear crypto isakmp sa
• Debug IKE and IPSec traffic through the PIX Firewall: debug crypto ipsec, debug crypto isakmp
The Cisco VPN Client
Topology Overview
Cisco VPN Client Features
• Support for Windows ME, Windows 2000, and Windows XP
• Data compression
• Split tunneling
• User authentication by way of VPN central-site device
• Automatic VPN Client configuration
• Internal MTU adjustment
• CLI to the VPN Dialer
• Start Before Logon
• Software update notifications from the VPN device upon connection
PIX Firewall to VPN Client Pre-Shared Example
pixfirewall# write terminal
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool MYPOOL 10.0.20.1-10.0.20.254
nat (inside) 0 access-list 80
route outside 0 0 192.168.0.1
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.10 tacacskey timeout 5
aaa authentication include any inbound 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
PIX Firewall to VPN Client Pre-Shared Example (cont.)
pixfirewall# write terminal
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup TRAINING address-pool MYPOOL
vpngroup TRAINING idle-time 1800
vpngroup TRAINING password ********
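An added audit script, not part of the course material, that scans a saved PIX configuration such as the one above for the weakest algorithm choices the slides offer (DES, MD5, Diffie-Hellman group 1) and for transform sets that carry no integrity transform, then emits the same lines with the stronger keywords the same commands accept (3DES and SHA are on the slides' transform list; group 2 is the larger group this configuration already uses). The sample is an excerpt of the slide's configuration plus the site-to-site transform set from Task 3; the rewrite of `esp-des` alone to `esp-3des esp-sha-hmac` follows from ESP-DES providing confidentiality but no authentication of the payload.

```python
"""Audit of IKE and IPSec algorithm choices in a PIX configuration.

Added example, not code from the Cisco course. Flags the weakest keywords
the slides offer and rewrites them to stronger ones the same commands take.
"""
import re

ISAKMP_RE = re.compile(r"^\s*isakmp policy (\d+) (encryption|hash|group) (\S+)\s*$")
TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+?)\s*$")

# Weak keyword -> stronger keyword accepted by the same command.
WEAK_ISAKMP = {
    "encryption": {"des": "3des"},
    "hash": {"md5": "sha"},
    "group": {"1": "2"},
}
WEAK_TRANSFORM = {
    "esp-des": "esp-3des",
    "esp-md5-hmac": "esp-sha-hmac",
    "ah-md5-hmac": "ah-sha-hmac",
}
# Transforms that authenticate the packet; a set without one of these
# encrypts but cannot detect tampering.
INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}

def audit(config_text):
    """Return (findings, hardened_lines). findings are human-readable strings;
    hardened_lines is the configuration with weak keywords replaced."""
    findings, hardened = [], []
    for line in config_text.splitlines():
        new = line
        if m := ISAKMP_RE.match(line):
            prio, attr, value = m.groups()
            better = WEAK_ISAKMP[attr].get(value.lower())
            if better:
                findings.append(f"isakmp policy {prio}: {attr} {value} is weak, use {better}")
                new = line.replace(f"{attr} {value}", f"{attr} {better}")
        elif m := TS_RE.match(line):
            name, transforms = m.group(1), m.group(2).split()
            upgraded = [WEAK_TRANSFORM.get(t, t) for t in transforms]
            for old, newt in zip(transforms, upgraded):
                if old != newt:
                    findings.append(f"transform-set {name}: {old} is weak, use {newt}")
            if not INTEGRITY & set(upgraded):
                findings.append(f"transform-set {name}: no integrity transform, add esp-sha-hmac")
                upgraded.append("esp-sha-hmac")  # still within one AH + two ESP
            new = f"crypto ipsec transform-set {name} " + " ".join(upgraded)
        hardened.append(new)
    return findings, hardened

# Constructed excerpt of the slide's remote-access configuration, plus the
# single-transform set from the site-to-site example.
SAMPLE = """
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto ipsec transform-set pix6 esp-des
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

if __name__ == "__main__":
    found, lines = audit(SAMPLE)
    for f in found:
        print("finding:", f)
    print("\n".join(l for l in lines if l))
```

Changing these keywords on one peer only breaks the tunnel, since both IKE policies and transform sets must match; the hardened lines are meant to be applied to every peer in the same maintenance window and verified afterwards with `show isakmp policy` and `show crypto ipsec transform-set`.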
VPN Client to PIX Firewall Example
• A new connection entry named vpnpeer0 is created.
• The remote server IP is the PIX Firewall outside interface.
VPN Client to PIX Firewall Example (cont.)
• The group name matches the vpngroup name in the PIX Firewall.
• The password is the pre-shared key and must match the vpngroup password.
• You can use the digital certificate for authentication.
PIX Firewall Assigns the IP Address to the VPN Client
Scale PIX Firewall VPNs
CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
Enroll a PIX Firewall with a CA
• Configure CA support
• Generate public/private keys
• Authenticate the CA
• Request signed certificates from the CA
• CA administrator verifies request and sends signed certificates
Summary
Summary
• The PIX Firewall enables a secure VPN.
• IPSec configuration tasks include configuring IKE and IPSec parameters.
• CAs enable scaling to a large number of IPSec peers.
• Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.