Tuesday, March 25, 2008

PIX: Dynamic Site-to-Site IPSEC Configuration

SCENARIO:

Configure a tunnel between 10.2.2.0/24 and 10.1.1.0/24, between one static and one dynamic VPN peer.

This is a typical scenario when one device has a dynamic "outside" IP address (for example, one assigned by DHCP).

Notes:
The configuration can be expanded to include remote access VPN on either peer;
The configuration can be expanded to include more than one dynamic peer;
In case of multiple VPN devices, there should always be at least one static peer.




TOPOLOGY:

10.2.2.0 --- STATIC ==== (( INTERNET )) ===== DYNAMIC ---- 10.1.1.0

STATIC.inside = 10.2.2.1/24
STATIC.outside = 203.1.1.1/24
DYNAMIC.outside = DHCP
DYNAMIC.inside = 10.1.1.1/24




CONFIGURATIONS:
- Several simple configurations are possible, depending on the PIX OS version running on each device.

PHASE 1 / ISAKMP PARAMETERS:
- authentication = pre-shared key (MY_ISAKMP_KEY)
- encryption = 3DES
- hash = MD5
- group = 2

PHASE 2 / IPSEC PARAMETERS:
- ESP-3DES, ESP-MD5



STATIC PIX 6.X:

access-list NONAT permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto map MY_STATIC_MAP interface outside
isakmp enable outside



STATIC PIX 7.0/7.1:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity address
isakmp nat-traversal

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
isakmp enable outside




STATIC PIX 7.2:

access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-3DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP

crypto isakmp nat-traversal
crypto isakmp identity address

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map MY_STATIC_MAP interface outside
crypto isakmp enable outside



DYNAMIC PIX 6.X:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5

crypto map DYNAMIC_MAP interface outside
isakmp enable outside




DYNAMIC PIX 7.0/7.1:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-ipsec

isakmp identity hostname
isakmp nat-traversal

isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5


tunnel-group 203.1.1.1 type ipsec-l2l
tunnel-group 203.1.1.1 general-attributes
tunnel-group 203.1.1.1 ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
isakmp enable outside


DYNAMIC PIX 7.2:

access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

sysopt connection permit-vpn

crypto isakmp identity hostname
crypto isakmp nat-traversal

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 ipsec-isakmp
crypto map DYNAMIC_MAP 10 match address VPN
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5

tunnel-group 203.1.1.1 type ipsec-l2l
tunnel-group 203.1.1.1 general-attributes
tunnel-group 203.1.1.1 ipsec-attributes
pre-shared-key MY_ISAKMP_KEY

crypto map DYNAMIC_MAP interface outside
crypto isakmp enable outside
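As an added example (not from the original post or the Cisco documents it references): a small Python checker that reads a static/dynamic peer pair in the one-line PIX 6.x/7.0 syntax shown above and reports the mismatches that keep such a tunnel from coming up, such as a dynamic-map line referencing a transform-set that was never defined, a phase-1 proposal that differs between the peers, or pre-shared keys that do not agree. It also flags the static peer's wildcard key, which accepts any peer that presents that key. The two embedded configurations are constructed samples modelled on the blocks above.

```python
import re
# Constructed sample (not the page's text verbatim): a PIX 6.x static peer whose
# dynamic-map line misspells the transform-set name, plus a matching dynamic peer.
STATIC_CFG = """
isakmp key MY_ISAKMP_KEY address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN_MAP 1 set transform-set ESP-DES-MD5
crypto map MY_STATIC_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map MY_STATIC_MAP interface outside
"""
DYNAMIC_CFG = """
isakmp key MY_ISAKMP_KEY address 203.1.1.1 netmask 255.255.255.255
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map DYNAMIC_MAP 10 set peer 203.1.1.1
crypto map DYNAMIC_MAP 10 set transform-set ESP-3DES-MD5
crypto map DYNAMIC_MAP interface outside
"""
def phase1(cfg):
    """Phase-1 proposal as {encryption, hash, group} (one-line 6.x/7.0 syntax)."""
    return dict(re.findall(r"isakmp policy \d+ (encryption|hash|group) (\S+)", cfg))

def psk(cfg):
    """Pre-shared key from 'isakmp key ...' (6.x/7.0) or 'pre-shared-key ...' (7.x)."""
    m = re.search(r"^\s*(?:isakmp key|pre-shared-key) (\S+)", cfg, re.M)
    return m.group(1) if m else None

def check_peer(name, cfg):
    """Per-device checks: every referenced transform-set exists; flag wildcard keys."""
    out = []
    defined = set(re.findall(r"crypto ipsec transform-set (\S+)", cfg))
    for ts in re.findall(r"set transform-set (\S+)", cfg):
        if ts not in defined:
            out.append(f"{name}: transform-set {ts} referenced but never defined")
    if re.search(r"isakmp key \S+ address 0\.0\.0\.0", cfg):
        out.append(f"{name}: wildcard key (0.0.0.0) accepts any peer that knows it")
    return out

def check_pair(static_cfg, dynamic_cfg):
    """Cross-peer checks: phase-1 proposals and pre-shared keys must agree."""
    out = check_peer("static", static_cfg) + check_peer("dynamic", dynamic_cfg)
    if phase1(static_cfg) != phase1(dynamic_cfg):
        out.append(f"phase-1 mismatch: {phase1(static_cfg)} vs {phase1(dynamic_cfg)}")
    if psk(static_cfg) != psk(dynamic_cfg):
        out.append("pre-shared keys differ between peers")
    return out
```

Run `check_pair(STATIC_CFG, DYNAMIC_CFG)` to see the two findings for the sample; the 7.2 blocks use the multi-line `crypto isakmp policy` form and would need the phase1 regex adapted.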


REFERENCE

PIX 6: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
