For review only. Please do not distribute

DRAFT May 2003. All rights reserved.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-1

Module 14

PIX VPN

Learning Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
• Identify how the PIX Firewall enables a secure VPN.
• Identify the tasks to configure PIX Firewall IPSec support.
• Identify the commands to configure PIX Firewall IPSec support.
• Configure a VPN between PIX Firewalls.
• Describe the Cisco VPN Client.

Overview

This module covers the creation and configuration of secure VPNs. VPNs are a very useful tool for securing traffic between two remote networks. Both site-to-site and remote access VPNs are covered.

Key terms

• IPSec
• IKE
• DES, 3DES, AES
• SHA-1, MD5
• RSA
• Digital Certificates
• Pre-shared keys
• Diffie-Hellman

The PIX Firewall Enables a Secure VPN

PIX Firewall VPN Topologies


IPSec Enables PIX Firewall VPN Features

• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay


What Is IPSec?

IETF standard that enables encrypted communication between peers
• Consists of open standards for securing private communications.
• Network layer encryption ensuring data confidentiality, integrity, and authentication.
• Scales from small to very large networks.
• Included in PIX Firewall version 5.0 and later.


IPSec Standards Supported by the PIX Firewall

• IPSec (IP Security protocol)
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• Data Encryption Standard (DES)
• Triple DES (3DES)
• Diffie-Hellman (DH)
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
• Rivest, Shamir, Adleman signatures (RSA)
• Certificate Authorities (CA)


IPSec Configuration Tasks


IPSec Configuration Tasks Overview

• Task 1—Prepare to configure VPN support.
• Task 2—Configure IKE parameters.
• Task 3—Configure IPSec parameters.
• Task 4—Test and verify VPN configuration.


Task 1—Prepare to Configure VPN Support

• Step 1—Determine the IKE (IKE phase one) policy.
• Step 2—Determine the IPSec (IKE phase two) policy.
• Step 3—Ensure that the network works without encryption.
• Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.


Plan for IKE

IKE Phase One Policy Parameters


Determine IKE Phase One Policy

Parameter               Site 1           Site 2
Encryption algorithm    DES              DES
Hash algorithm          SHA              SHA
Authentication method   Pre-share        Pre-share
Key exchange            768-bit D-H      768-bit D-H
IKE SA lifetime         86,400 seconds   86,400 seconds


Plan for IPSec

Determine IPSec (IKE Phase Two) Policy


Ensure the Network Works

pixfirewall# ping 172.30.2.2


Ensure ACLs do not block IPSec traffic


Task 2—Configure IKE Parameters


Step 1—Enable or Disable IKE

pixfirewall(config)# isakmp enable interface-name

• Enables or disables IKE on the PIX Firewall interfaces.
• IKE is enabled by default.
• Disable IKE on interfaces not used for IPSec.

pixfirewall(config)# isakmp enable outside


Step 2—Configure an IKE Phase One Policy

pixfirewall(config)# isakmp policy 10 encryption des
pixfirewall(config)# isakmp policy 10 hash sha
pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 group 1
pixfirewall(config)# isakmp policy 10 lifetime 86400

• Creates a policy suite grouped by priority number.
• Creates policy suites that match peers.
• Can use default values.


Step 3—Configure the IKE Pre-shared Key

pixfirewall(config)# isakmp key keystring address peer-address [netmask]

• Pre-shared keystring must be identical at both peers.
• Use any combination of alphanumeric characters up to 128 bytes for keystring.
• Specify peer-address as a host or wildcard address.
• Easy to configure, yet is not scalable.

pixfirewall(config)# isakmp key cisco123 address 192.168.6.2


Step 4—Verify IKE Phase One Policies

pixfirewall# show isakmp policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

• Displays configured and default IKE protection suites.
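As an added check that is not part of the course material: a small Python parser for the show isakmp policy output above that compares a configured protection suite against the phase-one policy planned in Task 1 (DES, SHA, pre-share, group 1, 86400 seconds). The sample output is the slide's, retyped; the mapping from the long algorithm names in the output to the isakmp policy keywords is an assumption.

```python
import re

# Constructed sample: the 'show isakmp policy' output shown on the slide.
SHOW_ISAKMP_POLICY = """\
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

# The IKE phase-one policy planned in Task 1 (Site 1 column of the worksheet).
PLANNED = {"encryption": "DES", "hash": "SHA", "authentication": "pre-share",
           "group": 1, "lifetime": 86400}

# Assumed mapping from the long names in the show output to isakmp policy keywords.
_HASH = {"Secure Hash Standard": "SHA", "Message Digest 5": "MD5"}
_AUTH = {"Pre-Shared Key": "pre-share", "Rivest-Shamir-Adleman Signature": "rsa-sig"}

def parse_isakmp_policy(text):
    """Return {priority: policy}; the default suite is keyed 'default'."""
    suites, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            cur = suites.setdefault(int(m.group(1)), {})
        elif line.startswith("Default protection suite"):
            cur = suites.setdefault("default", {})
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "encryption algorithm":
                cur["encryption"] = val.split()[0]          # "DES - ..." -> "DES"
            elif key == "hash algorithm":
                cur["hash"] = _HASH.get(val, val)
            elif key == "authentication method":
                cur["authentication"] = _AUTH.get(val, val)
            elif key == "Diffie-Hellman group":
                cur["group"] = int(re.search(r"#(\d+)", val).group(1))
            elif key == "lifetime":
                cur["lifetime"] = int(re.search(r"(\d+) seconds", val).group(1))
    return suites

def policy_mismatches(actual, planned=PLANNED):
    """Parameters whose configured value differs from the plan: {name: (actual, planned)}."""
    return {k: (actual.get(k), v) for k, v in planned.items() if actual.get(k) != v}
```

Run against the sample, suite 10 matches the plan and the default suite is reported as differing only in its authentication method (RSA signatures instead of pre-share), which is why a peer that falls through to the default suite will not negotiate with this one.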



Task 3—Configure IPSec Parameters


Step 1—Configure Interesting Traffic

pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask

• permit = encrypt
• deny = do not encrypt
• access-list selects IP traffic by address, network, or subnet

pixfirewall(config)# access-list 101 permit ip host 192.168.1.10 host 192.168.6.10


Example Crypto ACLs

PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10

PIX6
pix6(config)# show static
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
pix6(config)# show access-list
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10

• Lists should always be symmetrical.
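Added example, not part of the original deck: a Python check that two peers' crypto ACLs are mirror images of each other (same action and protocol, source and destination swapped), which is what "symmetrical" means here. The sample entries are the PIX1 and PIX6 lists from the slide; the parser also accepts the any and network/mask address forms from the access-list syntax, which goes slightly beyond the host-only example shown.

```python
import re
from typing import NamedTuple, Tuple

# Constructed sample: the crypto ACLs shown for PIX1 and PIX6 on the slide.
PIX1_ACL = ["access-list 110 permit ip host 192.168.1.10 host 192.168.6.10"]
PIX6_ACL = ["access-list 101 permit ip host 192.168.6.10 host 192.168.1.10"]

# One address term of an entry: "host A", "any", or "NETWORK MASK".
_ADDR = r"(?:host\s+(\S+)|(any)|(\S+)\s+(\S+))"
_ACE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+"
                  + _ADDR + r"\s+" + _ADDR + r"\s*$")

class Ace(NamedTuple):
    acl_id: str
    action: str
    protocol: str
    src: Tuple[str, str]   # (network, mask) after normalization
    dst: Tuple[str, str]

def _normalize(host, any_, net, mask):
    """Collapse the three address spellings to one (network, mask) pair."""
    if host:
        return (host, "255.255.255.255")
    if any_:
        return ("0.0.0.0", "0.0.0.0")
    return (net, mask)

def parse_ace(line):
    """Parse one crypto ACL entry; raises ValueError on anything else."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"not a crypto ACL entry: {line!r}")
    g = m.groups()
    return Ace(g[0], g[1], g[2], _normalize(*g[3:7]), _normalize(*g[7:11]))

def is_mirror(local, remote):
    """True when the remote entry is ours with source and destination swapped."""
    return (local.action == remote.action and local.protocol == remote.protocol
            and local.src == remote.dst and local.dst == remote.src)

def unmirrored(local_acl, remote_acl):
    """Local entries no remote entry mirrors; an empty list means the lists are symmetric."""
    remote = [parse_ace(line) for line in remote_acl]
    return [line for line in local_acl
            if not any(is_mirror(parse_ace(line), r) for r in remote)]
```

The ACL numbers differ on the two firewalls (110 and 101) and that is fine; only the selected traffic has to mirror, and an entry left unmirrored is the one that will fail IKE phase two proxy-identity negotiation.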


Step 2—Configure an IPSec Transform Set

pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

• Sets are limited to up to one AH and up to two ESP transforms.
• Default mode is tunnel.
• Configure matching sets between IPSec peers.

pix1(config)# crypto ipsec transform-set pix6 esp-des


Available IPSec Transforms

ah-md5-hmac    AH-HMAC-MD5 transform
ah-sha-hmac    AH-HMAC-SHA transform
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
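Added example, not from the deck, serving both the Step 2 rule (at most one AH and at most two ESP transforms) and the table above: a Python validator for transform-set contents using the transform names listed. The further constraint that two ESP transforms must be one cipher plus one authenticator is an assumption beyond what the slide states, and lacks_integrity flags a set such as esp-des alone, which encrypts but carries no integrity check of its own.

```python
# Transform names from the "Available IPSec Transforms" table, grouped by what each provides.
TRANSFORMS = {
    "ah-md5-hmac": "ah",           # AH integrity/authentication
    "ah-sha-hmac": "ah",
    "esp-des": "esp-cipher",       # ESP confidentiality
    "esp-3des": "esp-cipher",
    "esp-md5-hmac": "esp-auth",    # ESP integrity/authentication
    "esp-sha-hmac": "esp-auth",
}

def parse_transform_set(line):
    """Split 'crypto ipsec transform-set NAME t1 [t2 [t3]]' into (name, transforms)."""
    parts = line.split()
    if parts[:3] != ["crypto", "ipsec", "transform-set"] or len(parts) < 5:
        raise ValueError(f"not a transform-set command: {line!r}")
    return parts[3], parts[4:]

def validate_transform_set(transforms):
    """Return the rule violations (an empty list means the set is accepted)."""
    problems = []
    if not 1 <= len(transforms) <= 3:
        problems.append("a set holds one to three transforms")
    kinds = []
    for t in transforms:
        kind = TRANSFORMS.get(t)
        if kind is None:
            problems.append(f"unknown transform {t!r}")
        else:
            kinds.append(kind)
    if kinds.count("ah") > 1:
        problems.append("at most one AH transform")
    if sum(k.startswith("esp") for k in kinds) > 2:
        problems.append("at most two ESP transforms")
    # Assumed refinement beyond the slide's count rule: the two ESP slots are
    # one cipher plus one authenticator, never two ciphers or two authenticators.
    if kinds.count("esp-cipher") > 1:
        problems.append("only one ESP cipher per set")
    if kinds.count("esp-auth") > 1:
        problems.append("only one ESP authentication transform per set")
    return problems

def lacks_integrity(transforms):
    """True when the set encrypts but nothing (AH or ESP auth) protects packet integrity."""
    kinds = {TRANSFORMS.get(t) for t in transforms}
    return "esp-cipher" in kinds and not kinds & {"ah", "esp-auth"}

def matching_sets(local_line, remote_line):
    """True when both peers' sets carry the same transforms (the set names may differ)."""
    return (sorted(parse_transform_set(local_line)[1])
            == sorted(parse_transform_set(remote_line)[1]))
```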

Step 3—Configure the Crypto Map

pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp
pixfirewall(config)# crypto map MYMAP 10 match address 101
pixfirewall(config)# crypto map MYMAP 10 set peer 192.168.6.2
pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6
pixfirewall(config)# crypto map MYMAP 10 set pfs group1
pixfirewall(config)# crypto map MYMAP 10 set security-association lifetime seconds 28800

• Specifies IPSec (IKE phase two) parameters.
• Map names and sequence numbers group entries into a policy.


Step 4—Apply the Crypto Map to an Interface

pixfirewall(config)# crypto map map-name interface interface-name

• Applies the crypto map to an interface.
• Activates IPSec policy.

pixfirewall(config)# crypto map MYMAP interface outside


Example Crypto Map for PIX1

pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
Peer = 192.168.2.2
access-list 101 permit ip host 192.168.1.11 host 192.168.2.11 (hitcnt=0)
Current peer: 192.168.2.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ pix2, }


Example Crypto Map for PIX2

pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
Peer = 192.168.1.2
access-list 101 permit ip host 192.168.2.11 host 192.168.1.11 (hitcnt=0)
Current peer: 192.168.1.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ pix1, }




Task 4—Test and Verify VPN Configuration

• Verify ACLs and interesting traffic.
  show access-list
• Verify correct IKE configuration.
  show isakmp
  show isakmp policy
• Verify correct IPSec configuration.
  show crypto ipsec transform-set


Task 4—Test and Verify VPN Configuration (cont.)

• Verify the correct crypto map configuration.
  show crypto map
• Clear the IPSec SA.
  clear crypto ipsec sa
• Clear the IKE SA.
  clear crypto isakmp sa
• Debug IKE and IPSec traffic through the PIX Firewall.
  debug crypto ipsec
  debug crypto isakmp

The Cisco VPN Client


Topology Overview


Cisco VPN Client Features

• Support for Windows ME, Windows 2000, and Windows XP.
• Data compression.
• Split tunneling.
• User authentication by way of VPN central-site device.
• Automatic VPN Client configuration.
• Internal MTU adjustment.
• CLI to the VPN Dialer.
• Start Before Logon.
• Software update notifications from the VPN device upon connection.


PIX Firewall to VPN Client Pre-Shared Example

pixfirewall# write terminal
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool MYPOOL 10.0.20.1-10.0.20.254
nat (inside) 0 access-list 80
route outside 0 0 192.168.0.1
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.10 tacacskey timeout 5
aaa authentication include any inbound 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES


PIX Firewall to VPN Client Pre-Shared Example (cont.)

pixfirewall# write terminal
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup TRAINING address-pool MYPOOL
vpngroup TRAINING idle-time 1800
vpngroup TRAINING password ********


VPN Client to PIX Firewall Example

• A new connection entry named vpnpeer0 is created.
• The remote server IP is the PIX Firewall outside interface.


VPN Client to PIX Firewall Example (cont.)

• The group name (TRAINING) matches the vpngroup name in the PIX Firewall.
• The password is the pre-shared key and must match the vpngroup TRAINING password.
• You can use the digital certificate for authentication.


PIX Firewall Assigns the IP Address to the VPN Client


Scale PIX Firewall VPNs


CA Server Fulfilling Requests from IPSec Peers

Each IPSec peer individually enrolls with the CA server.


Enroll a PIX Firewall with a CA

• Configure CA support.
• Generate public/private keys.
• Authenticate the CA.
• Request signed certificates from the CA.
• CA administrator verifies request and sends signed certificates.




Summary

• The PIX Firewall enables a secure VPN.
• IPSec configuration tasks include configuring IKE and IPSec parameters.
• CAs enable scaling to a large number of IPSec peers.
• Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.

