Thursday, March 6, 2008

PIX/ASA: Permit Pass-through IPSEC traffic

This is a scenario in which the PIX with NAT is not the VPN/IPSEC peer; it just serves as a pass-through VPN device.

Topology (diagram omitted): remote IPSEC peer 10.99.99.2 -- outside 10.99.99.1/24 [PIX] inside 10.1.1.1/24 -- inside VPN endpoint 10.1.1.2, statically translated to 10.99.99.12.

PIX 6.X Configuration:
ip address outside 10.99.99.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0

access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500

access-group acl-out in interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal
PIX 7.X and up Configuration:
interface Ethernet0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!

global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0

access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500

access-group acl-out in interface outside

Notes:
The configuration is straightforward: permit the traffic with an access-list, exactly as you would for any other inbound traffic. For IPSEC that means permitting ESP (IP protocol 50), ISAKMP (UDP 500) and NAT-T (UDP 4500) from the remote peer to the translated address of the inside endpoint. The one-to-one static translation is the part that matters: ESP carries no port numbers, so the interface PAT used for the other inside hosts cannot track it, and the inside VPN endpoint needs its own static. A peer that detects the intervening NAT will encapsulate ESP in UDP 4500 instead, which is why that port is permitted as well.
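As an added example (not from the post or from Cisco's documentation), a small Python checker that parses a PIX-style configuration and reports which of the three pass-through flows is not permitted inbound on the outside interface from a given peer to a statically translated inside host. The embedded sample is constructed from the post's 7.x configuration with the UDP 4500 rule deliberately left out.

```python
import re

# Constructed sample: the post's 7.x pass-through config, minus the NAT-T rule.
SAMPLE_CONFIG = """
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-group acl-out in interface outside
"""

# The three flows a pass-through IPSEC tunnel needs from the remote peer.
# Each entry: label -> (protocol keyword, accepted 'eq' port keywords or None).
REQUIRED = {
    "esp": ("esp", None),
    "isakmp (udp/500)": ("udp", {"isakmp", "500"}),
    "nat-t (udp/4500)": ("udp", {"4500"}),
}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$"
)
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+(\S+)\s+(\S+)\s+netmask")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")


def check_passthrough(config, peer):
    """Return the labels of REQUIRED flows that are not permitted from peer
    to any statically translated inside host by an ACL bound inbound on outside."""
    statics, aces, bound = {}, [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)      # global (outside) -> real (inside)
        elif m := ACL_RE.match(line):
            aces.append(m.groups())               # (acl, proto, src, dst, port)
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))                 # ACLs applied inbound on outside
    missing = []
    for label, (proto, ports) in REQUIRED.items():
        permitted = any(
            acl in bound and p == proto and src == peer and dst in statics
            and (ports is None or port in ports)
            for acl, p, src, dst, port in aces
        )
        if not permitted:
            missing.append(label)
    return missing
```

Running `check_passthrough(SAMPLE_CONFIG, "10.99.99.2")` on the sample reports only the NAT-T flow as missing; a config with no static for the inside endpoint fails all three checks, since nothing is then reachable on a translated address.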

References:
PIX6: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
PIX 7: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
