Thursday, March 27, 2008
IOS: %CRYPTO-4-PKT_REPLAY_ERR replay check failed
%CRYPTO-4-PKT_REPLAY_ERR : [chars] connection id=[dec]
IOS 12.4 --> Syslogs --> CRYPTO Messages
http://www.cisco.com/en/US/products/ps6350/products_system_message_guide_chapter09186a0080462676.html#wp164939
Error Message:
%CRYPTO-4-PKT_REPLAY_ERR : [chars] connection id=[dec]
Explanation: The replay processing has failed. The failed replay processing may be a temporary condition caused by the wait for new SAs to be established. In the inbound case, this error might also be caused by an actual replay attack. This activity can be considered a hostile event.
Recommended Action: If the problem appears to be more than a transient one, contact the peer administrator.
CSCeg43855 - Router generated traffic causes anti-replay errors
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeg43855&Submit=Search
Symptoms: An encrypting router may send traffic that is locally originated (such as keepalive packets or routing update packets) out of order after the packets have been encrypted. Because of the anti-replay check failure, these packets are dropped on the receiving router.
Conditions: This symptom is observed when a multipoint GRE (mGRE) and IPSec tunnel is built between two routers.
Workaround: Turn off packet authentication for the configured IPSec transform.
Further Problem Description: On a Cisco 7200 series that functions as the receiving router, you can observe the symptom in the output of the show crypto ipsec sa detail or show pas isa interface command.
IOS 12.4 --> IPSec Anti-Replay Window: Expanding and Disabling
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad4.html
Troubleshooting Tips:
If your replay window size has not been set to a number that is high enough for the number of packets received, you will receive a system message such as the following:
*Nov 17 19:27:32.279: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=1
The above message is generated when a received packet is judged to be outside the anti-replay window.
Additional Notes:
If there's no interruption of service, it could just be a normal and temporary condition, especially if the SAs (IPSEC tunnels) are still being established.
Otherwise, I suggest setting the anti-replay window to, say, 1024.
crypto ipsec security-association replay window-size 1024
Take note that the above command is introduced in 12.3(14)T; older versions do not support this command.
IOS: %HW_VPN-1-HPRXERR Packet Encryption/Decryption Errors
%HW_VPN-1-HPRXERR : [chars]: Packet Encryption/Decryption error, status=[int]
CSCdt40220 - AIM encryption produces Packet Encryption/Decryption error
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdt40220&Submit=Search
Symptoms:
A router displays one of the following error messages:
HW_VPN-1-HPRXERR: Hardware VPN0/2: Packet Encryption/Decryption error, status=4612
This is a notification message seen on the console of the DECRYPTING PEER that tells the user that IPSEC packets have been received out of order. Re-ordering can occur in one of 3 places:
1. encrypting peer
2. network
3. decrypting peer
Only in rare cases can this occur in the decrypting peer.
The only known way for this to occur in the decrypting peer is for a packet to be bumped to process switch while the following packets from the same tunnel are fast or cef switched. This could happen if the packet is fragmented and needs re-assembly.
The following lists some of the common scenarios that might introduce out-of-order IPSEC packets. These scenarios are considered normal behaviors:
1. Fragmentation - the decrypting peer uses process switching for fragmented packets. To minimize the impact of this, Look-Ahead-Fragmentation should be enabled. This feature was added to IOS via CSCdw77514.
2. QoS: QoS scheduling mechanism happening after IPSec encryption could cause packets in the same IPsec SAs to be transmitted out-of-order.
3. Pak_priority: pak_priority is an internal flag that IOS sets on some router-generated packets that are considered critical, e.g., routing updates and interface keepalives. When the output interface queue is congested, the router honors the pak_priority flag to make sure the high-priority packets are transmitted first. So in a GRE over IPsec design with a dynamic routing protocol, the ESP packets can become out-of-order if the egress interface is congested and the router has to transmit the encrypted routing update first.
Conditions:
Either of the messages may be displayed depending on whether Authentication Header (AH) or Encapsulating Security Payload (ESP) encapsulation is used. In addition, the ah_seq_fail or esp_seq_fail error counts increment in the output of the show crypto engine accelerator statistic privileged EXEC command.
Workaround:
- Set the maximum transmission unit (MTU) size of inbound streams to less than 1400 bytes.
- Enable Look-Ahead-Fragmentation
WORKAROUND:
1. Adjust the interface MTU (preferably below 1400):
interface type mod/port
ip mtu byte
2. Adjust Fragmentation (See Pre-Fragmentation for IPSEC VPNs):
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
-- OR --
crypto ipsec df-bit clear
interface type mod/port
crypto ipsec fragmentation before-encryption
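To make the anti-replay behaviour concrete (both the window-size advice in the %CRYPTO-4-PKT_REPLAY_ERR post above and the out-of-order scenarios in this one), here is an added Python model of the receiver's sliding anti-replay window. It is example code written for this page, not Cisco code and not the exact IOS implementation; the packet stream it replays is constructed (a delayed packet 5 standing in for a process-switched fragment, and a duplicated packet 50 standing in for a true replay), and the window sizes 64 and 1024 are the ones the posts mention.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window for one inbound IPsec SA (bitmap
    sliding window in the style of RFC 4303, Appendix A).

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number top - i has already been seen.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.counts = {"accepted": 0, "too_old": 0, "replayed": 0}

    def check(self, seq):
        """Accept `seq` (True) or drop it (False), updating the window."""
        mask = (1 << self.size) - 1
        if seq > self.top:                      # new high-water mark: slide the window right
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            self.counts["accepted"] += 1
            return True
        back = self.top - seq
        if back >= self.size:                   # fell off the left edge: "replay check failed"
            self.counts["too_old"] += 1
            return False
        if self.bitmap & (1 << back):           # already seen: a genuine replay
            self.counts["replayed"] += 1
            return False
        self.bitmap |= 1 << back                # late but still inside the window: accept
        self.counts["accepted"] += 1
        return True


def simulate(seqs, window_size):
    """Run a received sequence-number stream through a window and report the drops."""
    w = AntiReplayWindow(window_size)
    dropped = [s for s in seqs if not w.check(s)]
    return {**w.counts, "dropped": dropped}


def sample_stream():
    """Constructed stream: 1..100 in order, except that packet 5 (think of a
    fragmented routing update that got process-switched) is delivered after
    packet 100, and packet 50 is delivered a second time (a true replay)."""
    return list(range(1, 5)) + list(range(6, 101)) + [5, 50]


if __name__ == "__main__":
    for size in (64, 1024):
        print(size, simulate(sample_stream(), size))
```

Run it and the 64-entry window drops both the late packet and the replayed one, while the 1024-entry window accepts the late packet and still drops the replay: widening the window relieves the transient reordering case without weakening protection against an actual replay, because a duplicate inside the window is still refused. A drop counter that keeps climbing even with a wide window is therefore worth a closer look rather than a bigger window.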
REFERENCES:
Pre-fragmentation for IPSec VPNs
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080115533.html
Labels: Access List, Bug, Cisco IOS, Error Message, IPSEC, Syslog
PIX/ASA 7.X: Policy NAT
TOPOLOGY:
10.10.10.10 ---- YourASA ======= RemoteDevice ---- 20.20.20.20
SCENARIO:
- Host 10.10.10.10 is translated to 172.16.0.10 when going to host 20.20.20.20 (VPN traffic)
- Host 10.10.10.10 is translated through NAT/PAT normally elsewhere.
CONFIGURATION:
access-list NONAT permit ip host 172.16.0.10 host 20.20.20.20
access-list VPN10 permit ip host 172.16.0.10 host 20.20.20.20
access-list POLICY_NAT extended permit ip host 10.10.10.10 host 20.20.20.20
static (inside,outside) 172.16.0.10 access-list POLICY_NAT
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
global (outside) 1 interface
...
! DEFINE PHASE1 / ISAKMP PARAMETERS !
! DEFINE PHASE2 / IPSEC PARAMETERS !
...
crypto map OUTSIDE_MAP 10 match address VPN10
...
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
NOTES:
In the above example, note that the source IP address of the VPN traffic is the translated IP address (172.16.0.10), not the inside/original source address.
The static statement is evaluated before the crypto map match statement. Hence, if the traffic matches the POLICY_NAT ACL, it is translated first and only then evaluated against the crypto map policy. (See NAT Order of Operation.)
Due to the software requirements, this is available only on ASA and PIX platforms running 7.x and later.
REFERENCES:
PIX/ASA 7.X: Policy NAT:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
NAT Order of Operation:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Tuesday, March 25, 2008
PIX: Dynamic Site-to-Site IPSEC Configuration
SCENARIO:
Configure a tunnel between 10.2.2.0/24 and 10.1.1.0/24, between one static and one dynamic VPN peer.
This is a typical scenario when one device has a dynamic "outside" IP address (such as DHCP).
Notes:
The configuration can be expanded to include remote access VPN on either peer;
The configuration can be expanded to include more than one dynamic peer;
In case of multiple VPN devices, there should always be at least one static peer.
TOPOLOGY:
10.2.2.0 --- STATIC ==== (( INTERNET )) ===== DYNAMIC ---- 10.1.1.0
STATIC.inside = 10.2.2.1/24
STATIC.outside = 203.1.1.1/24
DYNAMIC.outside = DHCP
DYNAMIC.inside = 10.1.1.1/24
CONFIGURATIONS:
- several possible simple configurations, depending on the PIX OS running on either device.
PHASE 1 / ISAKMP PARAMETERS:
- authentication = pre-shared key (MY_ISAKMP_KEY)
- encryption = 3DES
- hash = MD5
- group = 2
PHASE 2 / IPSEC PARAMETERS:
- ESP-3DES, ESP-MD5
STATIC PIX 6.X:
access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map MY_STATIC_MAP interface outside
isakmp enable outside
STATIC PIX 7.0/7.1:
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map MY_STATIC_MAP interface outside
isakmp enable outside
STATIC PIX 7.2:
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto isakmp nat-traversal
crypto isakmp identity address
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map MY_STATIC_MAP interface outside
crypto isakmp enable outside
DYNAMIC PIX 6.X:
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity hostname
isakmp nat-traversal
isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP interface outside
isakmp enable outside
DYNAMIC PIX 7.0/7.1:
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity hostname
isakmp nat-traversal
isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map DYNAMIC_MAP interface outside
isakmp enable outside
DYNAMIC PIX 7.2:
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto isakmp identity hostname
crypto isakmp nat-traversal
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
tunnel-group MY_GROUP type ipsec-l2l
tunnel-group MY_GROUP general-attributes
tunnel-group MY_GROUP ipsec-attributes
pre-shared-key MY_ISAKMP_KEY
crypto map DYNAMIC_MAP interface outside
isakmp enable outside
REFERENCE
PIX 6: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Labels: Access List, Dynamic VPN, IPSEC, PIX 6, PIX 7, Site-to-Site VPN
Wednesday, March 12, 2008
IPSEC Checklist and Best Practices
Basic Checklist for VPN Configuration:
- IP address of the static VPN peers
- IP addresses/networks that will be tunneled
--> networks behind each VPN peer (site-to-site)
--> network behind VPN and pool (remote access)
- PHASE I / ISAKMP parameters
--> authentication (pre-shared key/certificate)
--> encryption (DES, 3DES, AES)
--> hash (SHA, MD5)
--> group (2, 5)
- PHASE II / IPSEC Parameters
--> transform set
- VPN Group (remote access only)
--> VPN Group Name
--> VPN Group Password
_____________________________________________________
Best Practices:
* MIRROR TRAFFIC: The traffic (IP addresses/networks) defined on the two VPN peers should be mirror images of each other. That is, the source and destination on one end become the destination and source on the other end, respectively. Example:
10.10.10.0 ---- PIX1 ======== PIX2 ---- 20.20.20.0
access-list PIX1_TUNNEL permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list PIX2_TUNNEL permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
* SEPARATE ACLS for NAT and CRYPTO (for Cisco PIX/ASA): To facilitate expansion, define the same traffic twice; once for defining the tunnel traffic (in the crypto map match statement), and once for preventing the translation of this traffic (nat (inside) 0 or similar statement). Here's a scenario showing the advantage of having separate access-lists:
(Note: The ASCII drawing below best viewed using Courier New)
PIX2 --- 20.20.20.0
+
+
PIX1 --- 10.10.10.0
+
+
PIX3 --- 30.30.30.0
PIX1 Configuration
access-list NONAT permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list NONAT permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
nat (inside) 0 access-list NONAT
access-list TUNNEL1-2 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list TUNNEL1-3 permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
crypto map MYMAP 10 match address TUNNEL1-2
crypto map MYMAP 20 match address TUNNEL1-3
What if you need to form another tunnel to a new network, 40.40.40.0, behind another device, PIX4?
* CHANGES to LIVE VPN TUNNELS: When crypto and/or isakmp statements are changed while a VPN tunnel exists, chances are, the device where the change was made will hang. To avoid this, (1) disable the tunnel on the interface and (2) tear down existing tunnels before doing any changes.
* PRE-SHARED KEY FIRST, BEFORE CERTIFICATES: When configuring IPSEC tunnels using digital certificates, it is best to configure them first using pre-shared keys. This way, you can eliminate all the errors that do not involve certificates. Later, when errors occur after adding certificates, you only need to deal with the certificate part of the configuration. (Unless, of course, you messed up the basic configuration somehow while adding the certificates.)
* ORDER of CRYPTO MAP POLICIES: For devices with both static and dynamic crypto map configurations, ensure that the static ones are evaluated first (usually, by specifying a lower sequence number) before the dynamic ones. Otherwise, all static tunnel configurations are useless as they will NEVER be used.
* NO XAUTH for SITE-TO-SITE with REMOTE ACCESS: For devices with both Site-to-Site and Remote Access VPN, ensure that extended authentication (XAUTH) is disabled for the site-to-site configuration. This is a common issue: a working VPN device cannot form an L2L tunnel after adding remote access configurations.
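The following is an added Python example (not part of the original posts, and not a model of the PIX/ASA code itself) that ties together the NAT-before-crypto ordering from the Policy NAT post above and the MIRROR TRAFFIC and ORDER of CRYPTO MAP POLICIES items in this list. It parses the handful of PIX-style lines used on this page (access-list, static, crypto map) and checks three things: which address a packet carries when the crypto ACL sees it, whether two peers' crypto ACLs mirror each other, and whether a dynamic crypto map entry sits in front of a static one. All configuration lines it contains are constructed from the examples above; names such as ASA_BAD and PIX2_TYPO are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _addr(tokens, i):
    """Read one PIX-style address at tokens[i]; return (network, index after it)."""
    if tokens[i] == "host":
        return ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    # "10.10.10.0 255.255.255.0": address followed by its subnet mask
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_lines):
    """Collect 'access-list NAME [extended] permit ip SRC DST' entries by ACL name."""
    acls = {}
    for line in config_lines:
        t = line.split()
        if t[:1] != ["access-list"] or "permit" not in t:
            continue
        i = t.index("permit") + 2          # skip 'permit ip'
        src, i = _addr(t, i)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def matches(acl, pkt):
    return any(ip_address(pkt.src) in s and ip_address(pkt.dst) in d for s, d in acl)


def forward(pkt, config_lines):
    """Model the outbound path: policy static NAT first, then the crypto map ACL.

    Returns (packet as it leaves the outside interface, whether it is encrypted).
    """
    acls = parse_acls(config_lines)
    statics, crypto_acls = [], []
    for line in config_lines:
        t = line.split()
        if t[:1] == ["static"]:            # static (inside,outside) MAPPED access-list ACL
            statics.append((t[2], t[4]))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls.append(t[t.index("address") + 1])
    for mapped_ip, acl_name in statics:    # translation is evaluated before the crypto map
        if matches(acls[acl_name], pkt):
            pkt = Packet(mapped_ip, pkt.dst)
            break
    return pkt, any(matches(acls[a], pkt) for a in crypto_acls)


def mirror_mismatches(peer1_lines, peer1_acl, peer2_lines, peer2_acl):
    """Crypto ACL entries not mirrored on the other peer, reported from peer1's point of view."""
    one = set(parse_acls(peer1_lines)[peer1_acl])
    two = {(d, s) for s, d in parse_acls(peer2_lines)[peer2_acl]}   # flip peer2 into peer1's view
    return sorted(f"{s} -> {d}" for s, d in one ^ two)


def shadowed_static_maps(config_lines):
    """Dynamic crypto map entries whose sequence number is lower than a static entry of the same map."""
    entries = {}                                          # map name -> [(seq, is_dynamic)]
    for line in config_lines:
        t = line.split()
        if t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            entries.setdefault(t[2], []).append((int(t[3]), "dynamic" in t))
    bad = []
    for name, ents in entries.items():
        static_seqs = [s for s, dyn in ents if not dyn]
        bad += [(name, s) for s, dyn in ents if dyn and any(s < st for st in static_seqs)]
    return bad


# Constructed sample configs (assumed; they follow the posts above, not a real device).
ASA_OK = [
    "access-list VPN10 permit ip host 172.16.0.10 host 20.20.20.20",
    "access-list POLICY_NAT extended permit ip host 10.10.10.10 host 20.20.20.20",
    "static (inside,outside) 172.16.0.10 access-list POLICY_NAT",
    "crypto map OUTSIDE_MAP 10 match address VPN10",
]
# Same policy, but the crypto ACL was written against the untranslated inside address.
ASA_BAD = [l.replace("172.16.0.10", "10.10.10.10") if l.startswith("access-list VPN10") else l
           for l in ASA_OK]
PIX1 = ["access-list PIX1_TUNNEL permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0"]
PIX2 = ["access-list PIX2_TUNNEL permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0"]
PIX2_TYPO = ["access-list PIX2_TUNNEL permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.0.0"]
MAP_BAD = ["crypto map MYMAP 10 ipsec-isakmp dynamic DYN_MAP", "crypto map MYMAP 20 ipsec-isakmp"]

if __name__ == "__main__":
    vpn = Packet("10.10.10.10", "20.20.20.20")
    print(forward(vpn, ASA_OK))        # translated to 172.16.0.10 and encrypted
    print(forward(vpn, ASA_BAD))       # translated, but no crypto match: leaves in the clear
    print(mirror_mismatches(PIX1, "PIX1_TUNNEL", PIX2_TYPO, "PIX2_TUNNEL"))
    print(shadowed_static_maps(MAP_BAD))
```

forward() shows the trap the Policy NAT note warns about: with the crypto ACL written against the inside address, the packet is still translated to 172.16.0.10, no longer matches VPN10, and leaves the outside interface unencrypted through the ordinary NAT/PAT path. The mirror check reports differences from the first peer's point of view, so a mask typo on the far end shows up as one expected entry and one unexpected one; the map check flags a dynamic entry that would be evaluated ahead of a static one.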
PIX 7.0: Simple Remote Access VPN
TOPOLOGY:
192.168.201.0 ---- PIX --- (( INTERNET )) ---- home_user
VPN Client Pool = 172.16.1.1 to 172.16.1.254
PIX 7.0/7.1 CONFIGURATION:
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254
tunnel-group REMOTEACCESS type ipsec-ra
tunnel-group REMOTEACCESS general-attributes
address-pool CLIENTPOOL
tunnel-group REMOTEACCESS ipsec-attributes
pre-shared-key CISCO123
group-policy REMOTEACCESS internal
group-policy REMOTEACCESS attributes
wins-server value 10.1.1.3
dns-server value 10.1.1.3
vpn-idle-timeout 30
crypto map MYMAP interface outside
isakmp enable outside
PIX 7.2 CONFIGURATION:
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
crypto isakmp identity address
crypto isakmp nat-traversal
crypto isakmp policy 200
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254
tunnel-group REMOTEACCESS type ipsec-ra
tunnel-group REMOTEACCESS general-attributes
address-pool CLIENTPOOL
tunnel-group REMOTEACCESS ipsec-attributes
pre-shared-key CISCO123
group-policy REMOTEACCESS internal
group-policy REMOTEACCESS attributes
wins-server value 10.1.1.3
dns-server value 10.1.1.3
crypto map MYMAP interface outside
isakmp enable outside
Saturday, March 8, 2008
PIX 6.X: Simple Remote Access VPN
Scenario:
A user on the internet should be able to access the inside/corporate network 192.168.201.0. This is perhaps the simplest remote access VPN scenario there is.
Topology:
192.168.201.0 ---- PIX --- (( INTERNET )) ---- home_user
VPN Client Pool = 172.16.1.1 to 172.16.1.254
Configuration:
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
isakmp key CISCO123 address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254
vpngroup VPNCLIENT address-pool CLIENTPOOL
vpngroup VPNCLIENT dns-server 4.2.2.2
vpngroup VPNCLIENT wins-server 24.24.24.24
vpngroup VPNCLIENT default-domain CISCO.COM
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password CISCO123
vpngroup VPNCLIENT split-tunnel SPLIT
crypto map MYMAP interface outside
isakmp enable outside
Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080884c2f.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
PIX/ASA 7.X: Simple PIX-to-PIX VPN Tunnel
Scenario:
Typical site-to-site / LAN-to-LAN VPN tunnel between the respective inside networks of two PIX 7.X devices.
Topology:
10.10.1.0 ---- ThisPIX ========= OtherPix ---- 10.10.2.0
ThisPix.inside = 10.10.1.1
ThisPix.outside = 192.168.10.2
OtherPix.inside = 10.10.2.0
OtherPix.outside = 192.168.10.1
VPN Tunnel between 10.10.1.0/24 and 10.10.2.0/24
Configuration:
[The following only includes the configuration for the "ThisPix" device. The configuration of the "OtherPix" should be the "mirror-image" of that of "ThisPix" (that is, source address becomes destination address, and vice versa, while others, such as the PHASE1 properties are the same).]
[Also, note that several syntax changes have been made from one version to another. It is best to consult the "Command Reference Guide" for the PIX/ASA version running and/or use the "?" command from the command prompt.]
PIX 7.0:
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN20 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set MY-ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN20
crypto map OUTSIDE_MAP 20 set peer 192.168.10.1
crypto map OUTSIDE_MAP 20 set transform-set MY-ESP-AES-256-SHA
isakmp nat-traversal
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
tunnel-group 192.168.10.1 type ipsec-l2l
tunnel-group 192.168.10.1 ipsec-attributes pre-shared-key CISCO
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
PIX 7.2:
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN20 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN20
crypto map OUTSIDE_MAP 20 set peer 192.168.10.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-256-SHA
isakmp nat-traversal
isakmp identity address
isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 192.168.10.1 type ipsec-l2l
tunnel-group 192.168.10.1 ipsec-attributes
pre-shared-key CISCO
crypto map OUTSIDE_MAP interface outside
isakmp enable outside
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml
PIX 6.X: Simple PIX-to-PIX VPN Tunnel
Scenario:
Typical site-to-site / LAN-to-LAN VPN tunnel between the respective inside networks of two PIX 6.X devices.
Topology:
192.168.201.0 --- PIX1 <=======> PIX2 --- 192.168.202.0
- PIX1.outside = 10.199.248.46
- PIX1.inside = 192.168.201.1
- PIX2.outside = 10.199.248.47
- PIX2.inside = 192.168.202.1
- VPN between 192.168.201.0/24 network and 192.168.202.0/24
PIX1 Configuration:
access-list VPN permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
management inside
isakmp identity address
isakmp nat-traversal
isakmp key CISCO123 address 10.199.248.47 netmask 255.255.255.255 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.47
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside
PIX2 Configuration:
access-list VPN permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NONAT permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
management inside
isakmp identity address
isakmp nat-traversal
isakmp key CISCO123 address 10.199.248.46 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.46
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside
Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
Thursday, March 6, 2008
PIX/ASA: Permit Pass-through IPSEC traffic
This is a scenario in which the PIX with NAT is not the VPN/IPSEC peer; it just serves as a pass-through VPN device.
Topology:
PIX 6.X Configuration:
ip address outside 10.99.99.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500
access-group acl-out in interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal
PIX 7.X and up Configuration:
interface Ethernet0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500
access-group acl-out in interface outside
Notes:
Configuration is very straightforward. Permit the traffic through an access-list, as you would for any other traffic. For IPSEC, permit ESP, ISAKMP, and UDP 4500.
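A quick way to confirm that all three flows are really open for a given peer pair, as an added example that is not part of the original post: the function below parses the `static` and `access-list` lines of a PIX configuration, translates the real inside peer address to its mapped (static) address, and lists which of ESP, ISAKMP and UDP 4500 the outside ACL does not yet permit from the remote peer. The configuration text is constructed for the demo and deliberately omits the UDP 4500 line.

```python
"""Report which pass-through IPsec flows a PIX access-list is still missing."""
import re

# PIX 6.x writes 'permit', PIX 7.x writes 'extended permit'; accept both.
ACL_LINE = re.compile(
    r"^access-list (\S+) (?:extended )?permit (\S+) host (\S+) host (\S+)(?: eq (\S+))?$")
STATIC_LINE = re.compile(r"^static \(\S+,\S+\) (\S+) (\S+) netmask ")

# Flows the remote peer must be allowed to send to the inside peer's mapped address.
REQUIRED_FLOWS = (("esp", None), ("udp", "isakmp"), ("udp", "4500"))
# The PIX shows UDP/500 as the keyword 'isakmp'; normalise either spelling.
PORT_ALIASES = {"500": "isakmp"}


def mapped_address(config_text, real_address):
    """Return the static translation for real_address, or the address itself."""
    for line in config_text.splitlines():
        m = STATIC_LINE.match(line.strip())
        if m and m.group(2) == real_address:
            return m.group(1)
    return real_address


def permitted_flows(config_text, acl_name):
    """Set of (proto, src, dst, port) tuples permitted by the named ACL."""
    flows = set()
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        _, proto, src, dst, port = m.groups()
        port = PORT_ALIASES.get(port, port) if port else None
        flows.add((proto.lower(), src, dst, port))
    return flows


def missing_ipsec_flows(config_text, acl_name, remote_peer, inside_peer):
    """(proto, port) pairs still missing; inside_peer is the real (pre-NAT) address."""
    dst = mapped_address(config_text, inside_peer)
    flows = permitted_flows(config_text, acl_name)
    return [(proto, port) for proto, port in REQUIRED_FLOWS
            if (proto, remote_peer, dst, port) not in flows]


# Constructed sample: same addressing as the post, UDP/4500 left out on purpose.
SAMPLE_CONFIG = """\
ip address outside 10.99.99.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 500
access-group acl-out in interface outside
"""

if __name__ == "__main__":
    for proto, port in missing_ipsec_flows(SAMPLE_CONFIG, "acl-out", "10.99.99.2", "10.1.1.2"):
        print("missing: " + proto + (f"/{port}" if port else ""))
```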
References:
PIX6: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
PIX 7:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
Tuesday, March 4, 2008
PIX 7.X: SSH/Telnet on the Inside and Outside Interface
To manage a PIX 7.X remotely, you need to configure it to permit incoming SSH and/or Telnet connections. Note that since Telnet sends all information, including passwords, in clear text, SSH is the preferred method.
Configuration Tasks:
1. Specify credentials:
passwd mypassword
-- or --
username myusername password mypassword
aaa authentication ssh local
2. [SSH only] Generate RSA key pair:
crypto key zeroize rsa
crypto key generate rsa modulus 1024
Note: The "zeroize" command is there in case an RSA key has already been generated. You can set the modulus to any other value aside from 1024. The larger the modulus, the more secure the RSA key.
3. Specify the hosts allowed to connect to the PIX:
ssh 0 0 inside
ssh 10.199.248.0 255.255.255.0 outside
-- or --
telnet 0 0 inside
telnet 10.199.248.0 255.255.255.0 outside
Note: The syntax for either command is: source_ip_address subnet_mask source_interface. The "0 0" above means "any".
4. [Optional] Specify the telnet/ssh session timeout:
ssh timeout 10
-- or --
telnet timeout 10
Reference:
For further reading, I suggest the following URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
PIX 6.X: SSH/Telnet on the Inside and Outside Interface
To manage a PIX 6.X remotely, you need to configure it to permit incoming SSH and/or Telnet connections. Note that since Telnet sends all information, including passwords, in clear text, SSH is the preferred method.
Network Diagram:
Configuration Tasks:
1. Specify credentials:
passwd mypassword
-- or --
username myusername password mypassword
2. [SSH only] Generate RSA key pair:
ca zeroize rsa
ca gen rsa key 1024
ca save all
Note: The "zeroize" command is there just in case a previous RSA key has already been generated. You can set the modulus to any other value aside from 1024. The larger the modulus, the more secure the RSA key.
3. Specify the hosts allowed to connect to the PIX:
ssh 0 0 inside
ssh 10.199.248.0 255.255.255.0 outside
-- or --
telnet 0 0 inside
telnet 10.199.248.0 255.255.255.0 outside
Note: The syntax for either command is: source_ip_address subnet_mask source_interface. The "0 0" above means "any".
4. [Optional] Specify the telnet/ssh session timeout:
ssh timeout 10
-- or --
telnet timeout 10
Basic PIX Configuration
This is the most basic configuration you need for your PIX to have internet access, assuming no other blocking/filtering device exists between the PIX and the internet:
Topology:
PIX inside: 192.168.102.254 /24
PIX outside: 10.199.248.50 /24
ISP/default gateway: 10.199.248.254 /24
PIX 6.X Configuration:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.199.248.50 255.255.255.0
ip address inside 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.3 1
PIX 7.X Configuration:
interface Ethernet0
no shutdown
nameif outside
ip address 10.199.248.50 255.255.255.0
interface Ethernet1
no shutdown
nameif inside
ip address 192.168.102.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0 0 10.199.248.3
Notes:
There are slight differences between PIX OS versions, but the principle is the same. First, configure the interfaces. Next, configure translation (shown here is the simplest NAT). Lastly, configure the default route.
Welcome to my new project!
I've decided to put up a blog that will serve as my "dump site" of things I have learned about computer networking throughout the years.
I have two objectives here:
1. Preserve what I know; can't keep track of everything, especially since industry is changing every few years or so; why maintain all the papers and training materials when I keep them online, right?
2. Knowledge Sharing; I learn, you learn, everyone learns, everyone happy. :)
My initial posts will be everything I learned in my current and previous jobs. If you have any comments, suggestions, requests, or whatever, please feel free to email me at: raabad@gmail.com.
That's all for now. I'll post whatever I can post ASAP.
Cheers! :)