PIX VPN
• IPSec
• IKE
• DES, 3DES, AES
• SHA-1, MD5
• RSA
• Digital Certificates
• Pre-shared keys
• Diffie-Hellman
• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay between peers
• Consists of open standards for securing private communications.
• Network layer encryption ensuring data confidentiality, integrity, and authentication.
• Scales from small to very large networks.
• Included in PIX Firewall version 5.0 and later.
policy.
• Step 2—Determine the IPSec (IKE phase two) policy.
• Step 3—Ensure that the network works without encryption.
• Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits (sysopt connection permit-ipsec).
pixfirewall(config)# isakmp enable interface-name
• Enables or disables IKE on the PIX Firewall interfaces.
• IKE is enabled by default.
• Disable IKE on interfaces not used for IPSec.
pixfirewall(config)# isakmp enable outside
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
PIX6
pix6(config)# show static
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
pix6(config)# show access-list
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
pixfirewall(config)# crypto map map-name interface interface-name
• Applies the crypto map to an interface.
• Activates IPSec policy.
configuration.
show crypto map
• Clear the IPSec SA.
clear crypto ipsec sa
• Clear the IKE SA.
clear crypto isakmp sa
• Debug IKE and IPSec traffic through the PIX Firewall.
debug crypto ipsec
debug crypto isakmp
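The slides show the static translations and crypto access lists of PIX1 and PIX6 but not the rest of the site-to-site configuration. The block below is an added example, not taken from the slides, that completes both sides in the order of the steps above (IKE phase one policy, IPSec phase two policy, sysopt bypass, crypto map applied to the interface) and ends with the show commands used to verify it. The outside addresses (PIX1 192.168.1.2, PIX6 192.168.6.2), the shared secret, and the names STRONG, PEER1 and PEER6 are assumptions; only the statics and access lists come from the slides. Two points the slides leave implicit are made explicit in the comments: the crypto ACL is evaluated after translation, so it names the static (global) address, and each peer's crypto ACL must be the mirror image of the other's.

```cisco
! ---- PIX1 ----
! Assumed: PIX1 outside 192.168.1.2, PIX6 outside 192.168.6.2, and the
! shared secret s2s-secret-CHANGE-ME (none of these appear on the slides).
hostname pix1
! Inside host 10.0.1.11 is seen by the peer as 192.168.1.10. The crypto ACL
! is matched after translation, so it names the global address.
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
! Step 1: IKE phase one policy. 3DES/SHA rather than DES/MD5 where the peer allows it.
isakmp enable outside
no isakmp enable inside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Bind the pre-shared key to this one peer, never to 0.0.0.0.
isakmp key s2s-secret-CHANGE-ME address 192.168.6.2 netmask 255.255.255.255
! Step 2: IPSec (phase two) policy.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map PEER6 10 ipsec-isakmp
crypto map PEER6 10 match address 110
crypto map PEER6 10 set peer 192.168.6.2
crypto map PEER6 10 set transform-set STRONG
crypto map PEER6 10 set pfs group2
! Step 4: IPSec packets bypass the interface access lists, access groups, and conduits.
sysopt connection permit-ipsec
! Applying the map to the interface activates the policy.
crypto map PEER6 interface outside

! ---- PIX6 (mirror image: ACL 101 reverses ACL 110, peer is PIX1) ----
hostname pix6
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
isakmp enable outside
no isakmp enable inside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key s2s-secret-CHANGE-ME address 192.168.1.2 netmask 255.255.255.255
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map PEER1 10 ipsec-isakmp
crypto map PEER1 10 match address 101
crypto map PEER1 10 set peer 192.168.1.2
crypto map PEER1 10 set transform-set STRONG
crypto map PEER1 10 set pfs group2
sysopt connection permit-ipsec
crypto map PEER1 interface outside

! ---- Verify on either side after 10.0.1.11 sends traffic to 192.168.6.10 ----
show crypto map
show isakmp sa
show crypto ipsec sa
```

Nothing is negotiated until interesting traffic matches the crypto ACL, so send a ping from 10.0.1.11 to 192.168.6.10 before looking at the SAs. show isakmp sa should then list the peer in state QM_IDLE, and the encaps/decaps counters in show crypto ipsec sa should both increase; counters rising on one side only usually mean the two crypto ACLs are not mirror images or the static on one side is missing. If phase one never completes, run debug crypto isakmp on both firewalls and compare the proposals.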
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-38
The Cisco VPN Client
• Data compression.
• Split tunneling.
• User authentication by way of VPN central-site device.
• Automatic VPN Client configuration.
• Internal MTU adjustment.
• CLI to the VPN Dialer.
• Start Before Logon.
• Software update notifications from the VPN device upon connection.
255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool MYPOOL 10.0.20.1-10.0.20.254
nat (inside) 0 access-list 80
route outside 0 0 192.168.0.1
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.10 tacacskey timeout 5
aaa authentication include any inbound 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
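The fragment above stops at the dynamic crypto map; nothing yet binds it to an interface, names the client group, or ties user authentication to the TACACS+ server. The following is an added continuation, not from the slides, that finishes the remote-access side for the Cisco VPN Client. The slides supply MYPOOL, access-list 80 (referenced by nat 0), MYTACACS, sysopt connection permit-ipsec, AAADES and DYNOMAP; the contents of access-list 80, the group name VPNCLIENT, the group password, the DNS server, the domain and the map name CLIENTMAP are assumptions.

```cisco
! Inside LAN to client pool is exempt from NAT (nat (inside) 0 access-list 80)
! and the same list doubles as the split-tunnel network list.
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
! IKE phase one for clients: group pre-shared key, then per-user XAUTH
! against MYTACACS (the TACACS+ server defined on the slide).
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Group attributes pushed to the client by mode configuration.
vpngroup VPNCLIENT address-pool MYPOOL
vpngroup VPNCLIENT dns-server 10.0.0.10
vpngroup VPNCLIENT default-domain example.com
! Split tunneling: only 10.0.0.0/24 is sent through the tunnel; remove this
! line to force all client traffic through the firewall.
vpngroup VPNCLIENT split-tunnel 80
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password group-secret-CHANGE-ME
! A dynamic map accepts any peer address, so it is chained into a static map
! at the lowest priority (highest sequence number), given mode config and
! XAUTH, and then applied to the outside interface.
crypto map CLIENTMAP 65535 ipsec-isakmp dynamic DYNOMAP
crypto map CLIENTMAP client configuration address initiate
crypto map CLIENTMAP client authentication MYTACACS
crypto map CLIENTMAP interface outside
```

Two caveats a reviewer would raise on the slide's own lines: the transform set AAADES uses esp-des, and single DES offers no meaningful protection against a determined attacker, so esp-3des esp-sha-hmac (or AES, which the first slide lists) should be preferred wherever the clients support it; and split tunneling, listed as a client feature above, leaves the client reachable from the Internet while it has a route into the inside network, so enable it only when the client's own host firewall is trusted.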
• Configure CA support.
• Generate public or private keys.
• Authenticate the CA.
• Request signed certificates from the CA.
• CA administrator verifies request and sends signed certificates.
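The five CA steps above map onto the PIX Firewall ca command family. The block below is an added worked example, not from the slides, that walks through them in order for a firewall that will then authenticate IKE with RSA signatures instead of a pre-shared key. The CA nickname LABCA, the CA address 10.0.0.50, the SCEP path, the key size, the domain name and the challenge password are all assumptions; the commands themselves are the standard PIX 6.x ca commands.

```cisco
! The certificate subject is built from the hostname and domain name, so set both first.
hostname pix1
domain-name example.com
! Step: generate the RSA key pair (1024-bit modulus assumed).
ca generate rsa key 1024
! Step: name the CA and give the PIX its SCEP enrollment URL (address and path assumed).
ca identity LABCA 10.0.0.50:/certsrv/mscep/mscep.dll
! Enroll through an RA, retry every minute up to 20 times. Adding the keyword
! crloptional here would let IKE proceed without a CRL check, so revoked peer
! certificates would still be accepted; leave it off outside a lab.
ca configure LABCA ra 1 20
! Step: fetch the CA certificate. The fingerprint printed here must be compared
! out of band with the CA administrator before the next step.
ca authenticate LABCA
! Step: request the firewall's own certificate (challenge password assumed).
ca enroll LABCA enroll-challenge-CHANGE-ME
! Once the CA administrator approves the request, the signed certificate is
! retrieved; write keys and certificates to flash so they survive a reload.
ca save all
! Switch IKE to certificate authentication; identity by hostname matches the
! certificate subject. The crypto map and transform set are unchanged.
isakmp identity hostname
isakmp policy 10 authentication rsa-sig
! Verify the CA and identity certificates and the local public key.
show ca certificate
show ca mypubkey rsa
```

Until the administrator approves the request the PIX keeps polling the CA at the retry interval given in ca configure; show ca certificate shows the CA certificate immediately after ca authenticate, and the firewall's own certificate only after approval. Peers must have a certificate from the same CA (or one the PIX has authenticated) for rsa-sig to succeed.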