Saturday, March 8, 2008

PIX 6.X: Simple PIX-to-PIX VPN Tunnel

Scenario:
Typical site-to-site / LAN-to-LAN VPN tunnel between the respective inside networks of two PIX 6.X devices.

Topology:

192.168.201.0 --- PIX1 <=======> PIX2 --- 192.168.202.0

- PIX1.outside = 10.199.248.46
- PIX1.inside = 192.168.201.1
- PIX2.outside = 10.199.248.47
- PIX2.inside = 192.168.202.1

- VPN between 192.168.201.0/24 network and 192.168.202.0/24

PIX1 Configuration:
access-list VPN permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0

nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
management inside

isakmp identity address
isakmp nat-traversal
isakmp key CISCO123 address 10.199.248.47 netmask 255.255.255.255 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.47
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside


PIX2 Configuration:
access-list VPN permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NONAT permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0

nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
management inside

isakmp identity address
isakmp nat-traversal
isakmp key CISCO123 address 10.199.248.46 netmask 255.255.255.255

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp

crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.46
crypto map MYMAP 10 set transform-set MYSET

crypto map MYMAP interface outside
isakmp enable outside
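The two configurations above have to be exact mirror images of each other: the crypto ACL and the NAT-exemption ACL on each side are the peer's with source and destination swapped, the crypto map peer must be the address the pre-shared key is bound to, and the ISAKMP policy and transform set must be identical. The Python checker below is an added example, not code from the original post or from Cisco; it embeds the two configurations as written here (with the run-together lines split), parses only the command forms shown in this post, reports any mismatch between the sides, and also flags DES and MD5, which are too weak for anything but a lab.

```python
"""Consistency checker for a pair of PIX 6.x site-to-site VPN configs (example, not Cisco code)."""
import re

# Constructed sample: the PIX1/PIX2 configs from the post, minus lines the checker ignores.
PIX1_CFG = """
access-list VPN permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 192.168.202.0 255.255.255.0
nat (inside) 0 access-list NONAT
isakmp key CISCO123 address 10.199.248.47 netmask 255.255.255.255 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.47
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside
"""

PIX2_CFG = """
access-list VPN permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list NONAT permit ip 192.168.202.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (inside) 0 access-list NONAT
isakmp key CISCO123 address 10.199.248.46 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address VPN
crypto map MYMAP 10 set peer 10.199.248.46
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside
"""

# Only the command forms used in this post are recognised.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

WEAK_ALGS = {"des", "md5", "esp-des", "esp-md5-hmac"}


def parse(cfg):
    """Pull ACL entries, pre-shared keys, crypto map peers, ISAKMP policies and transform sets."""
    c = {"acls": {}, "keys": {}, "peers": [], "policies": {}, "transform_sets": {}}
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            c["acls"].setdefault(name, []).append((src, smask, dst, dmask))
        elif m := KEY_RE.match(line):
            c["keys"][m.group(2)] = m.group(1)          # peer address -> key
        elif m := PEER_RE.match(line):
            c["peers"].append(m.group(3))
        elif m := POLICY_RE.match(line):
            c["policies"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := TS_RE.match(line):
            c["transform_sets"][m.group(1)] = tuple(m.group(2).split())
    return c


def check_pair(cfg_a, cfg_b, name_a="PIX1", name_b="PIX2", acl="VPN", nonat="NONAT"):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    sides = ((name_a, a), (name_b, b))
    findings = []
    # 1. The crypto ACL on one side must be the other side's with src/dst swapped.
    mirror = {(d, dm, s, sm) for (s, sm, d, dm) in b["acls"].get(acl, [])}
    if set(a["acls"].get(acl, [])) != mirror:
        findings.append("crypto ACL is not a mirror image of the peer's")
    for name, c in sides:
        # 2. NAT exemption must cover exactly the traffic selected for encryption.
        if set(c["acls"].get(nonat, [])) != set(c["acls"].get(acl, [])):
            findings.append(f"{name}: {nonat} does not match the crypto ACL")
        # 3. Every crypto map peer needs a pre-shared key bound to that address.
        for p in c["peers"]:
            if p not in c["keys"]:
                findings.append(f"{name}: no isakmp key for peer {p}")
        # 4. DES/MD5 in the policy or transform set, and DH group 1, are weak choices.
        algs = {v for pol in c["policies"].values() for v in pol.values()}
        algs |= {t for ts in c["transform_sets"].values() for t in ts}
        if weak := sorted(algs & WEAK_ALGS):
            findings.append(f"{name}: weak algorithms {weak}")
        if any(pol.get("group") == "1" for pol in c["policies"].values()):
            findings.append(f"{name}: Diffie-Hellman group 1 is weak")
    # 5. Both sides must agree on the key, the ISAKMP policy and the transform set.
    if set(a["keys"].values()) != set(b["keys"].values()):
        findings.append("pre-shared keys differ")
    if a["policies"] != b["policies"]:
        findings.append("isakmp policies differ")
    if set(a["transform_sets"].values()) != set(b["transform_sets"].values()):
        findings.append("transform sets differ")
    return findings


if __name__ == "__main__":
    for f in check_pair(PIX1_CFG, PIX2_CFG) or ["no findings"]:
        print(f)
```

Run against the post's configs the only findings are the weak-algorithm warnings on both sides; a peer address typed wrongly on one side, or a crypto ACL that is not the exact reverse of the peer's, shows up immediately, which is faster than reading `debug crypto isakmp` output after the tunnel fails to come up.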

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml
