Are you trying to use NAT with the tunnel?

 I find the stuff on CCO about VPN to be overkill, so I will include a piece
of a chapter on VPN I wrote for Syngress Media, which may simplify what you
found on CCO for PIX-to-PIX VPN. You can take it or leave it, but the config
should work; just replace the addresses I have in the text with your own.



Extranet Solution Example

Figure 4.3
 

We have taken care of our remote office, so let's take a look at adding a
business partner communicating through the Internet. This will be very
similar to the previous scenario. Most companies would do this on the
firewall or a special VPN concentrator (we will discuss this later) for
security reasons. This being the case, in this scenario we will look at
configuring a PIX-to-PIX firewall VPN. You could do this on the router, and
it would follow the same principles as in the previous scenario. You could use
the same pre-shared key with different ISAKMP and IPSEC policies if you
wish; however, it is advisable NOT to use the same key for different peers
for security reasons.

Configuring the PIX firewall for VPN can be done in many different ways. You
can configure the VPN to use the NAT address of the inside or DMZ hosts, or
you can configure the PIX to allow your peer to use the actual IP of the
inside or DMZ hosts. The latter is the simpler of the two and is what we
will be configuring here. Just keep in mind that you can use NAT when
configuring a firewall VPN if needed. Let's start with the corporate
firewall.

Preparing your Perimeter Router
If you are explicitly blocking traffic on your perimeter router, it may be
necessary to build an access list allowing IPSEC protocols through to the
firewall. This can be done by permitting the AHP and ESP protocol types and
the UDP ISAKMP port. Example:
access-list 100 permit ahp host 172.1.16.1 host 192.168.52.1
access-list 100 permit esp host 172.1.16.1 host 192.168.52.1
access-list 100 permit udp host 172.1.16.1 host 192.168.52.1 eq isakmp


1. First we need to configure the firewall to allow IPSEC connections.
If we don't explicitly allow IPSEC connections then we must use the conduit
command to allow IPSEC traffic to flow to the destination. For our
configuration we will implicitly allow IPSEC connections with the following
command.

sysopt connection permit-ipsec


2. Define an access list specifying what needs to be encrypted. In this case
we will encrypt all communications between the networks. If you wanted to only
allow and encrypt data between a single host on Corporate and a single host
on the Business Partner network you would define that here in this
access-list. The list should have the inside source of your network and
inside destination of the remote.

access-list 100 permit ip 10.2.3.0 255.255.255.0 192.168.50.0 255.255.255.0


3. This states that anything passing the list should not have to use
NAT. This command does not get applied to any interface but is associated
with the crypto map so that only traffic that is already encrypted uses this
feature.

nat (inside) 0 access-list 100

4. Like the router-based VPN, you must define a transform-set to tell
the firewall what type of algorithm to use for encryption and
authentication.

crypto ipsec transform-set myset esp-des esp-md5-hmac

5. Now define your crypto map to allow IPSEC keys and security
association negotiation to be done using ISAKMP.

crypto map mymap 5 ipsec-isakmp

6. This tells the firewall that traffic matching access-list 100 should
use this crypto map.

crypto map mymap 5 match address 100

7. Set the address of your peer encrypting device.

crypto map mymap 5 set peer 172.16.16.1

8. Configure the crypto map to use the transform set you created in
step 4.

crypto map mymap 5 set transform-set myset

9. Configure the firewall to use the crypto map on traffic passing the
outside interface.

crypto map mymap interface outside

10. To use ISAKMP for SA negotiation you must enable ISAKMP on the
particular interface where it will be used.

isakmp enable outside

11. Define the pre-shared key to be used and the peer that you will be
negotiating with. The peer and your firewall must have a compatible policy.
Refer to the IOS section to see what makes a policy compatible.

isakmp key partnetsecret address 172.16.16.1 netmask 255.255.255.255

12. Configure the firewall to use the IP address to identify its peer
or peers.

isakmp identity address

13. Configure the ISAKMP policy to use the pre-shared key for
authentication.

isakmp policy 10 authentication pre-share

14. Configure your ISAKMP policy to use 56-bit DES for encryption.

isakmp policy 10 encryption des

15. Configure ISAKMP to use MD5 as the hash algorithm for passing the
key and SA info.

isakmp policy 10 hash md5

16. Configure ISAKMP to use Diffie-Hellman group 1.

isakmp policy 10 group 1

17. The next configuration command tells the firewall the lifetime of
the SA. When this expires the firewall will re-negotiate the SA.

isakmp policy 10 lifetime 86400


The business partner must have a similar configuration on its firewall.


1. Configure the list defining what traffic will get encrypted. Remember
this is the inside source and inside destination of the traffic.

access-list 110 permit ip 192.168.50.0 255.255.255.0 10.2.3.0 255.255.255.0

3. Use the nat 0 command so that traffic passing the list can use the
real IP of the destination as opposed to a NAT or static address.

nat (inside) 0 access-list 110

4. Define the algorithms you will be using in your transform-set.

crypto ipsec transform-set myset esp-des esp-md5-hmac

5. Begin defining your crypto map by telling the router that you will
want to use ISAKMP to negotiate SAs.

crypto map mymap 5 ipsec-isakmp

6. Associate the list created in step 1 with your crypto map.

crypto map mymap 5 match address 110

7. Define your peer encrypting device's address.

crypto map mymap 5 set peer

8. Associate the transform-set with the crypto map.

crypto map mymap 5 set transform-set myset

9. Apply the crypto map to the outside interface.

crypto map mymap interface outside

10. Enable ISAKMP on the outside interface.

isakmp enable outside

11. Configure the pre-shared key and the peer with whom you will be
authenticating.

isakmp key partnetsecret address 10.0.0.0 netmask 255.255.255.255

12. Configure the device so that ISAKMP identities use IP addresses.

isakmp identity address

13. Configure ISAKMP to use the pre-shared key.

isakmp policy 10 authentication pre-share

14. Configure ISAKMP to use 56-bit DES encryption for key exchange and SAs.

isakmp policy 10 encryption des

15. Configure ISAKMP to use the MD5 hash.

isakmp policy 10 hash md5

16. Use Diffie-Hellman group 1.

isakmp policy 10 group 1

17. Configure the security association lifetime for 86400 seconds.

isakmp policy 10 lifetime 86400






-----Original Message-----
From: gwakin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 5:02 PM
To: [EMAIL PROTECTED]
Subject: pix-to-pix tunnel...somebody make it work!!!


Fellow Professionals-

I'm attempting this folly for the second time after giving up on it in
April, seeing as how my WAN provider STILL can't complete a frame
circuit between Austin and Denver.
My current config is a near copy of the sample config listed on CCO-
only it passes nothing; no SA, no pre-shared key, NOTHING.  Following
the hitcount on the local PIX (running 5.1.2 software) I see my access
list 100 with a hitcount of 0.  Checking the remote PIX I see the same
thing on access list 100- no hits.  My PIX sits behind a 1605 gateway
router and in front of a 3640 host router, with my remote configured
similarly except that the host router is a 4700.  NAT is running on both
firewalls, and both firewalls can serve remote VPN clients with
pre-shared keys- but no tunnel.
Has anyone experienced a similar situation, or can anyone apply enough
IPSec/VPN expertise to make this work?  I will submit my configs as
needed.

GWA

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
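Added example (an editor's addition, not code from the thread, the chapter or its author): a small Python checker for the cross-peer mismatches that produce exactly the symptom in the original question, zero hits on the crypto access-list and no SA ever built. It parses two PIX-style configs and verifies the points the walkthrough depends on: sysopt connection permit-ipsec present, the nat 0 list and the crypto map's match address naming the same defined access-list, the two crypto ACLs being exact mirrors of each other, a pre-shared key bound to the configured peer with the same secret on both sides, identical transform sets, and at least one ISAKMP policy pair agreeing on authentication, encryption, hash and DH group. Everything in it is constructed: the corporate outside address 192.168.52.1 and partner outside address 172.16.16.1 are assumptions, as are the ACL numbers and the key. The "broken" partner config reproduces the kind of slips that creep into a hand-copied mirror config (ACL defined under one number and referenced under another, a set peer line with no address, the key bound to an address that is not the peer). Two caveats: PIX access-lists take netmasks (255.255.255.0), not IOS-style wildcard masks, an easy thing to get wrong when copying from a router config; and DES, MD5 and DH group 1 reflect what the PIX of that era offered, not what you should pick today on any platform that supports stronger ciphers, SHA-2 and larger DH groups.

```python
"""Cross-check two PIX-style site-to-site IPsec configs for the mismatches that
leave a tunnel dead with zero crypto-ACL hits. Constructed example: addresses are
hypothetical, and PIX access-lists take netmasks, not IOS wildcard masks."""

# Corporate PIX. Assumed outside addresses: corporate 192.168.52.1, partner 172.16.16.1.
CORP = """
sysopt connection permit-ipsec
access-list 100 permit ip 10.2.3.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address 100
crypto map mymap 5 set peer 172.16.16.1
crypto map mymap 5 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key partnetsecret address 172.16.16.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

# Partner side = mirror image: swap the networks in the crypto ACL, point the peer
# and the pre-shared key at the corporate outside address, renumber the ACL.
PARTNER_OK = (CORP
    .replace("10.2.3.0 255.255.255.0 192.168.50.0", "192.168.50.0 255.255.255.0 10.2.3.0")
    .replace("172.16.16.1", "192.168.52.1")
    .replace("access-list 100", "access-list 110")
    .replace("match address 100", "match address 110"))

# Same partner config with three typical copy slips: ACL defined as 100 but
# referenced as 110, "set peer" without an address, and the pre-shared key bound
# to an address that is not the peer.
PARTNER_BROKEN = (PARTNER_OK
    .replace("access-list 110 permit", "access-list 100 permit")
    .replace("set peer 192.168.52.1", "set peer")
    .replace("address 192.168.52.1 netmask", "address 10.0.0.0 netmask"))


def parse_pix(text):
    """Pull out the pieces that must agree between the two peers."""
    cfg = {"sysopt": False, "acls": {}, "nat0": None, "tsets": {}, "cmap": {},
           "keys": {}, "policies": {}}
    for raw in text.splitlines():
        w = raw.split()
        k = [t.lower() for t in w]   # keywords are case-insensitive, the PSK is not
        if k[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt"] = True
        elif k[:1] == ["access-list"] and k[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(k[1], []).append(tuple(k[4:8]))  # src mask dst mask
        elif k[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0"] = k[4]
        elif k[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][k[3]] = tuple(sorted(k[4:]))
        elif k[:2] == ["crypto", "map"] and k[4:6] == ["match", "address"]:
            cfg["cmap"]["acl"] = k[6]
        elif k[:2] == ["crypto", "map"] and k[4:6] == ["set", "peer"]:
            cfg["cmap"]["peer"] = k[6] if len(k) > 6 else None
        elif k[:2] == ["crypto", "map"] and k[4:6] == ["set", "transform-set"]:
            cfg["cmap"]["tset"] = k[6]
        elif k[:2] == ["isakmp", "key"]:
            cfg["keys"][k[4]] = w[2]     # isakmp key <secret> address <peer> netmask <mask>
        elif k[:2] == ["isakmp", "policy"]:
            cfg["policies"].setdefault(k[2], {})[k[3]] = k[4]
    return cfg


def check_pair(a, b):
    """Return findings; an empty list means the two sides are mirror images."""
    out = []
    for name, c in (("A", a), ("B", b)):
        acl, m = c["cmap"].get("acl"), c["cmap"]
        if not c["sysopt"]:
            out.append(f"{name}: no 'sysopt connection permit-ipsec' (decrypted traffic needs a conduit)")
        if acl not in c["acls"]:
            out.append(f"{name}: crypto map matches access-list {acl}, which is not defined")
        if c["nat0"] != acl:
            out.append(f"{name}: nat 0 uses access-list {c['nat0']} but the crypto map matches {acl}")
        if m.get("peer") is None:
            out.append(f"{name}: crypto map has no peer address")
        elif m["peer"] not in c["keys"]:
            out.append(f"{name}: no isakmp key bound to peer {m['peer']}")
    # Crypto ACLs must be exact mirrors or the proxy identities will not match
    acl_a = a["acls"].get(a["cmap"].get("acl"), [])
    acl_b = b["acls"].get(b["cmap"].get("acl"), [])
    for side, mine, theirs in (("A", acl_a, acl_b), ("B", acl_b, acl_a)):
        for s, sm, d, dm in mine:
            if (d, dm, s, sm) not in theirs:
                out.append(f"{side}: crypto ACL entry {s} {sm} -> {d} {dm} has no mirror on the other side")
    ka = a["keys"].get(a["cmap"].get("peer"))
    kb = b["keys"].get(b["cmap"].get("peer"))
    if ka and kb and ka != kb:
        out.append("pre-shared keys differ")
    if a["tsets"].get(a["cmap"].get("tset")) != b["tsets"].get(b["cmap"].get("tset")):
        out.append("IPSEC transform sets differ")
    # Phase 1 needs one policy pair agreeing on auth, cipher, hash and DH group
    attrs = ("authentication", "encryption", "hash", "group")
    if not any(all(pa.get(x) == pb.get(x) for x in attrs)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        out.append("no compatible ISAKMP policy between the peers")
    return out
```

Run check_pair(parse_pix(CORP), parse_pix(PARTNER_OK)) and it returns an empty list; run it against PARTNER_BROKEN and it reports the undefined access-list, the missing peer address and the unmirrored crypto ACL entry. With an ACL that never matches, the PIX never even starts phase 1, which is why a zero hit count on the crypto list is the first thing to look at before suspecting the key or the policy.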
