hi chris. what's the title of this book? or isbn#?

"Chris Larson" <[EMAIL PROTECTED]> wrote in message
news:009AE8FD8584D3119A2E0008C7F4A8492A63@WEBSERVER...
> Are you trying to use NAT with the tunnel?
>
>  I find the stuff on CCO about VPN to be overkill, so I will include a
> piece of a Chapter on VPN I wrote for Syngress media, so that I may simplify what
> you found on CCO for pix to pix VPN. You can take it or leave it, but the
> config should work; just replace the addresses I have in the text with your own.
>
>
>
> Extranet Solution Example
>
> Figure 4.3
>
>
> We have taken care of our remote office so let’s take a look at adding a
> business partner communicating through the Internet. This will be very
> similar to the previous scenario. Most companies would do this on the
> firewall or a special VPN concentrator (we will discuss this later) for
> security reasons. This being the case, in this scenario we will look at
> configuring PIX to PIX firewall VPN. You could do this on the router, and
> would follow the same principles as in the previous scenario. You could use
> the same pre-shared key with different ISAKMP and IPSEC policies if you
> wish; however, it is advisable NOT to use the same key for different peers
> for security reasons.
> Configuring the PIX firewall for VPN can be done in many different ways. You
> can configure the VPN to use the NAT address of the inside or DMZ hosts or
> you can configure the PIX to allow your peer to use the actual IP of the
> inside or DMZ hosts. The latter is the simpler of the two and is what we
> will be configuring here. Just keep in mind that you can use NAT when
> configuring a firewall VPN if needed. Let’s start with the corporate
> firewall.
>
> Preparing your Perimeter Router
> If you are explicitly blocking traffic on your perimeter router, it may be
> necessary to build an access list allowing IPSEC protocols through to the
> firewall. This can be done by permitting the ahp and esp protocol types and
> the udp isakmp port. Example:
> access-list 100 permit ahp host 172.1.16.1 host 192.168.52.1
> access-list 100 permit esp host 172.1.16.1 host 192.168.52.1
> access-list 100 permit udp host 172.1.16.1 host 192.168.52.1 eq isakmp
>
>
> 1. First we need to configure the firewall to allow IPSEC connections.
> If we don’t explicitly allow IPSEC connections then we must use the conduit
> command to allow IPSEC traffic to flow to the destination. For our
> configuration we will implicitly allow IPSEC connections with the following
> command.
>
> Sysopt connection permit-ipsec
>
>
>
>
>
> 2. Define a list specifying what needs to be encrypted. In this case
> we will encrypt all communications between networks. If you wanted to only
> allow and encrypt data between a single host on Corporate and a single host
> on the Business partner network you would define that here in this
> access-list. The list should have the inside source of your network and
> inside destination of the remote.
>
>
> Access-list 100 permit ip 10.2.3.0 0.0.0.255 192.168.50.0 0.0.0.255
>
>
> 3. This states that anything passing the list should not have to use
> NAT. This command does not get applied to any interface but is associated
> with the crypto map so that only traffic that is already encrypted uses this
> feature.
>
> Nat (inside) 0 access-list 100
>
> 4. Like the router based VPN you must define a transform-set to tell
> the firewall what type of algorithm to use for encryption and
> authentication.
>
> Crypto ipsec transform-set myset esp-des esp-md5-hmac
>
> 5. Now define your crypto map to allow IPSEC keys and security
> association negotiation to be done using ISAKMP
>
> Crypto map mymap 5 ipsec-isakmp
>
> 6. This tells the firewall that traffic matching access-list 100 should
> use this crypto map.
>
> Crypto map mymap 5 match address 100
>
> 7. Set the address of your peer encrypting device.
>
> Crypto map mymap 5 set peer 172.16.16.1
>
> 8. Configure the crypto map to use the transform set you created in
> step 4.
>
> Crypto map mymap 5 set transform-set myset
>
> 9. Configure the firewall to use the crypto map on traffic passing the
> outside interface.
>
> Crypto map mymap interface outside
>
> 10. To use ISAKMP for SA negotiation you must enable ISAKMP on the
> particular interface where it will be used.
>
> Isakmp enable outside
>
> 11. Define the pre-shared key to be used and the peer that you will be
> negotiating with. The peer or your firewall must have a compatible policy.
> Refer to the IOS section to see what makes a policy compatible.
>
> Isakmp key partnetsecret address 172.16.16.1 netmask 255.255.255.255
>
> 12. Configure the firewall to use the IP address to identify its peer
> or peers.
>
> Isakmp identity address
>
> 13. Configure the ISAKMP policy to use the pre-shared key for
> authentication.
>
> Isakmp policy 10 authentication pre-share
>
> 14. Configure your ISAKMP policy to use 56 bit des for encryption
>
> Isakmp policy 10 encryption des
>
> 15. Configure ISAKMP to use MD5 as the hash algorithm for passing the
> key and SA info.
>
> Isakmp policy 10 hash md5
>
> 16. Configure ISAKMP to use Diffie-Hellman 1
>
> Isakmp policy 10 group 1
>
> 17. The next configuration command tells the firewall the lifetime of
> the SA. When this expires the firewall will re-negotiate the SA.
>
> Isakmp policy 10 lifetime 86400
>
>
> The business partner must have a similar configuration on its firewall.
>
>
> 1.  Configure the list defining what traffic will get encrypted. Remember
> this is the inside source and inside destination of the traffic.
>
>
> Access-list 100 permit ip 192.168.50.0 0.0.0.255 10.2.3.0 0.0.0.255
>
> 3. Use the NAT 0 command so that traffic passing the list can use the
> real IP of the destination as opposed to a NAT or Static address.
>
> Nat (inside) 0 access-list 110
>
> 4. Define the algorithms you will be using in your transform-set
>
> Crypto ipsec transform-set myset esp-des esp-md5-hmac
>
> 5. Begin defining your crypto map by telling the router that you will
> want to use ISAKMP to negotiate SA’s.
>
> Crypto map mymap 5 ipsec-isakmp
>
> 6. Associate the list created in step 1 to your crypto map
>
> Crypto map mymap 5 match address 110
>
> 7. Define your peer encrypting devices address.
>
> Crypto map mymap 5 set peer
>
> 8. Associate the transform-set to the crypto map.
>
> Crypto map mymap 5 set transform-set myset
>
> 9. Configure the crypto map to the outside interface.
>
> Crypto map mymap interface outside
>
> 10. Enable ISAKMP on the outside interface
>
> Isakmp enable outside
>
> 11. Configure the pre-shared key and the peer with whom you will be
> authenticating
>
> Isakmp key partnetsecret address 10.0.0.0 netmask 255.255.255.255
>
> 12. Configure the device so that ISAKMP identities use ip addresses
>
> Isakmp identity address
>
> 13.  Configure ISAKMP to use the pre-shared key
>
> Isakmp policy 10 authentication pre-share
>
> 14. Configure ISAKMP to use 56-bit DES encryption for key exchange and SA’s
>
> Isakmp policy 10 encryption des
>
> 15. Configure ISAKMP to use the MD5 hash
>
> Isakmp policy 10 hash md5
>
> 16. Use diffie-hellman 1
>
> Isakmp policy 10 group 1
>
> 17. Configure security association lifetime for 86400 seconds.
>
> Isakmp policy 10 lifetime 86400
>
>
>
>
>
>
> -----Original Message-----
> From: gwakin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 5:02 PM
> To: [EMAIL PROTECTED]
> Subject: pix-to-pix tunnel...somebody make it work!!!
>
>
> Fellow Professionals-
>
> I'm attempting this folly for the second time after giving up on it in
> April, seeing as how my WAN provider STILL can't complete a frame
> circuit between Austin and Denver.
> My current config is a near copy of the sample config listed on CCO-
> only it passes nothing; no SA, no pre-shared key, NOTHING.  Following
> the hitcount on the local PIX (running 5.1.2 software) I see my access
> list 100 with a hitcount of 0.  Checking the remote PIX I see the same
> thing on access list 100- no hits.  My PIX sits behind a 1605 gateway
> router and in front of a 3640 host router, with my remote configured
> similarly except that the host router is a 4700.  NAT is running on both
> firewalls, and both firewalls can serve remote VPN clients with
> pre-shared keys- but no tunnel.
> Has anyone experienced a similar situation, or can anyone apply enough
> IPSec/VPN expertise to make this work?  I will submit my configs as
> needed.
>
> GWA
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


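A practical companion to the PIX walkthrough quoted above, written as an added example here rather than taken from the chapter, the thread, or Cisco: gwakin's symptom (access-list 100 with a hit count of 0 on both ends) is exactly what you get when the two sides' crypto configs do not line up, so the script below parses a pair of PIX configs in the command set the chapter uses and checks the usual suspects against each other: the crypto access-lists must mirror each other (source and destination swapped), the crypto map's `match address` and `nat 0` must name an access-list that actually exists, `set peer` must carry an address that matches the `isakmp key` binding, ISAKMP must be enabled on the crypto map interface, and the transform set and ISAKMP policy (authentication, encryption, hash, group) must agree. It also flags the chapter's DES / MD5 / DH group 1 choices as weak, which a defender would want to know before reusing a config of this vintage. The configs are constructed samples: the outside addresses (corporate 192.168.52.1, partner 172.16.16.1) are assumed, PIX access-lists are written with a subnet mask rather than an IOS wildcard, and the "bad" partner config has two defects injected on purpose so the checker has something to find.

```python
"""Consistency checker for a pair of PIX 5.x site-to-site IPsec configs. Added
example, not code from the thread or from Cisco; it covers only the statements
the quoted walkthrough uses."""


def pix_cfg(local_net, remote_net, peer, acl_ref="100", set_peer=None):
    """Render one side in the thread's command set (constructed sample). PIX ACLs
    take a subnet mask, not an IOS wildcard. acl_ref/set_peer can inject defects."""
    set_peer = peer if set_peer is None else set_peer
    return f"""
sysopt connection permit-ipsec
access-list 100 permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
nat (inside) 0 access-list {acl_ref}
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 ipsec-isakmp
crypto map mymap 5 match address {acl_ref}
crypto map mymap 5 set peer {set_peer}
crypto map mymap 5 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key partnetsecret address {peer} netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""


# Outside addresses are assumed: corporate 192.168.52.1, partner 172.16.16.1.
CORP = pix_cfg("10.2.3.0", "192.168.50.0", peer="172.16.16.1")
# Partner side with two injected defects: nat 0 and match address name ACL 110,
# which is never defined, and the 'set peer' line carries no address.
PARTNER_BAD = pix_cfg("192.168.50.0", "10.2.3.0", peer="192.168.52.1",
                      acl_ref="110", set_peer="")
PARTNER_OK = pix_cfg("192.168.50.0", "10.2.3.0", peer="192.168.52.1")


def parse_pix(text):
    """Pull the VPN-relevant statements out of a PIX config into a dict."""
    cfg = {"permit_ipsec": False, "acls": {}, "nat0_acl": None, "tsets": {},
           "cmap": {}, "isakmp_if": set(), "key_peer": None, "policy": {}}
    for tok in filter(None, (l.lower().split() for l in text.splitlines())):
        if tok == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
        elif tok[0] == "access-list" and tok[2] == "permit":
            # access-list <id> permit <proto> <src> <mask> <dst> <mask>
            cfg["acls"].setdefault(tok[1], []).append(tuple(tok[3:8]))
        elif tok[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][tok[3]] = tuple(sorted(tok[4:]))
        elif tok[:2] == ["crypto", "map"]:
            if tok[3] == "interface":
                cfg["cmap"]["interface"] = tok[4]
            elif tok[4:6] == ["match", "address"]:
                cfg["cmap"]["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                cfg["cmap"]["peer"] = tok[6] if len(tok) > 6 else None
            elif tok[4:6] == ["set", "transform-set"]:
                cfg["cmap"]["tset"] = tok[6]
        elif tok[:2] == ["isakmp", "enable"]:
            cfg["isakmp_if"].add(tok[2])
        elif tok[:2] == ["isakmp", "key"]:
            cfg["key_peer"] = tok[4]        # isakmp key <secret> address <peer> ...
        elif tok[:2] == ["isakmp", "policy"]:
            cfg["policy"][tok[3]] = tok[4]  # isakmp policy <n> <param> <value>
    return cfg


def check_side(name, c):
    """Single-device checks; returns the findings as strings."""
    cm, acl, peer = c["cmap"], c["cmap"].get("acl"), c["cmap"].get("peer")
    rules = [
        (not c["permit_ipsec"], "missing 'sysopt connection permit-ipsec'"),
        (acl not in c["acls"], f"crypto map matches access-list {acl}, which is not defined"),
        (c["nat0_acl"] != acl, f"nat 0 uses access-list {c['nat0_acl']} but crypto map matches {acl}"),
        (cm.get("tset") not in c["tsets"], "crypto map references an undefined transform-set"),
        (cm.get("interface") not in c["isakmp_if"], "ISAKMP not enabled on the crypto map interface"),
        (not peer, "crypto map has no 'set peer' address"),
        (bool(peer) and c["key_peer"] != peer, f"pre-shared key bound to {c['key_peer']}, crypto map peer is {peer}"),
    ]
    return [f"{name}: {msg}" for hit, msg in rules if hit]


def check_pair(a_name, a, b_name, b):
    """Cross-device checks: mirrored crypto ACLs, equal transform set and IKE policy."""
    f = check_side(a_name, a) + check_side(b_name, b)
    a_acl = a["acls"].get(a["cmap"].get("acl"), [])
    b_acl = b["acls"].get(b["cmap"].get("acl"), [])
    for proto, src, smask, dst, dmask in a_acl:
        if (proto, dst, dmask, src, smask) not in b_acl:
            f.append(f"{b_name}: no crypto ACL entry mirroring {a_name}'s {src}->{dst}")
    if a["tsets"].get(a["cmap"].get("tset")) != b["tsets"].get(b["cmap"].get("tset")):
        f.append("transform sets differ between peers")
    for p in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(p) != b["policy"].get(p):
            f.append(f"ISAKMP policy {p} differs: {a['policy'].get(p)} vs {b['policy'].get(p)}")
    return f


def weak_algorithms(name, c):
    """Flag the 2000-era choices (DES, MD5, DH group 1) that are weak today."""
    weak = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
    f = [f"{name}: ISAKMP policy {p} {c['policy'][p]} is weak"
         for p, bad in weak.items() if c["policy"].get(p) in bad]
    for ts, transforms in c["tsets"].items():
        f += [f"{name}: transform-set {ts} uses weak {t}"
              for t in transforms if t in ("esp-des", "esp-md5-hmac")]
    return f
```

Running `check_pair("corp", parse_pix(CORP), "partner", parse_pix(PARTNER_BAD))` reports the undefined access-list 110, the empty `set peer`, and the consequent lack of a mirrored crypto ACL entry on the partner side; the same call against `PARTNER_OK` comes back empty, and `weak_algorithms` lists every DES/MD5/group 1 choice. When extending this to real configs, the mirrored-ACL check is the one to keep: a one-sided or non-mirrored crypto ACL is the classic cause of an SA that never even starts negotiating, which shows up as precisely the zero hit counts described in the thread.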