Topology:
PIX 6.X Configuration:
ip address outside 10.99.99.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500
access-group acl-out in interface outside
isakmp enable outside
isakmp enable inside
isakmp nat-traversal
PIX 7.X and up Configuration:
interface Ethernet0
nameif outside
security-level 0
ip address 10.99.99.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255 0 0
access-list acl-out permit esp host 10.99.99.2 host 10.99.99.12
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-list acl-out permit udp host 10.99.99.2 host 10.99.99.12 eq 4500
access-group acl-out in interface outside
Notes:
Configuration is very straighforward. Permit the traffic through an access-list, like how you would when permitting any other traffic. For IPSEC, permit ESP, ISAKMP, and UDP4500.
References:
PIX6: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
PIX 7:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml
No comments:
Post a Comment