Saturday, March 8, 2008

PIX/ASA 7.X: Simple PIX-to-PIX VPN Tunnel

Scenario:
Typical site-to-site / LAN-to-LAN VPN tunnel between the respective inside networks of two PIX 7.X devices.

Topology:

10.10.1.0 ---- ThisPIX ========= OtherPix ---- 10.10.2.0

ThisPix.inside = 10.10.1.1
ThisPix.outside = 192.168.10.2

OtherPix.inside = 10.10.2.0
OtherPix.outside = 192.168.10.1

VPN Tunnel between 10.10.1.0/24 and 10.10.2.0/24

Configuration:
[The following only includes the configuration for the "ThisPix" device. The configuration of "OtherPix" should be the "mirror-image" of that of "ThisPix" (that is, the source address becomes the destination address, and vice versa, while other settings, such as the PHASE1 properties, stay the same).]

[Also, note that several syntax changes have been made from one version to another. It is best to consult the "Command Reference Guide" for the PIX/ASA version in use and/or use the "?" command from the command prompt.]

PIX 7.0:

access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN20 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec

crypto ipsec transform-set MY-ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN20

crypto map OUTSIDE_MAP 20 set peer 192.168.10.1
crypto map OUTSIDE_MAP 20 set transform-set MY-ESP-AES-256-SHA

isakmp nat-traversal
isakmp identity address
isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

tunnel-group 192.168.10.1 type ipsec-l2l
tunnel-group 192.168.10.1 ipsec-attributes pre-shared-key CISCO

crypto map OUTSIDE_MAP interface outside
isakmp enable outside

PIX 7.2:
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN20 extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

nat (inside) 0 access-list NONAT
sysopt connection permit-vpn

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN20

crypto map OUTSIDE_MAP 20 set peer 192.168.10.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-256-SHA

isakmp nat-traversal
isakmp identity address

isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 192.168.10.1 type ipsec-l2l
tunnel-group 192.168.10.1 ipsec-attributes
 pre-shared-key CISCO

crypto map OUTSIDE_MAP interface outside
isakmp enable outside

Reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml
