Hi Chris,

Thanks for the contact info. BCRAN's ISBN is 1-928994-13-X. Promote
shamelessly!! We expect it to be available at the beginning of October (it's
printing early Sept).

Sorry for the delay in getting the chapter back to you for revisions; the
tech editor currently has most of the book on his plate, and he's plowing
through it as best he can. If you have schedule constraints for revisions,
let me know asap and I'll make it a priority.



-----Original Message-----
From: Kenneth [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 10, 2000 10:36 PM
To: [EMAIL PROTECTED]
Subject: Re: pix-to-pix tunnel...somebody make it work!!!


Hi Chris. What's the title of this book? Or the ISBN#?

"Chris Larson" <[EMAIL PROTECTED]> wrote in message
news:009AE8FD8584D3119A2E0008C7F4A8492A63@WEBSERVER...
> Are you trying to use NAT with the tunnel?
>
> I find the stuff on CCO about VPN to be overkill, so I will include a
> piece of a chapter on VPN I wrote for Syngress Media, which may simplify
> what you found on CCO for PIX-to-PIX VPN. You can take it or leave it, but
> the config should work; just replace the addresses I have in the text with
> your own.
>
>
>
> Extranet Solution Example
>
> Figure 4.3
>
>
> We have taken care of our remote office, so let's take a look at adding a
> business partner communicating through the Internet. This will be very
> similar to the previous scenario. Most companies would do this on the
> firewall or a special VPN concentrator (we will discuss this later) for
> security reasons. This being the case, in this scenario we will look at
> configuring a PIX-to-PIX firewall VPN. You could do this on the router, and
> it would follow the same principles as in the previous scenario. You could
> use the same pre-shared key with different ISAKMP and IPSEC policies if you
> wish; however, it is advisable NOT to use the same key for different peers
> for security reasons.
> Configuring the PIX firewall for VPN can be done in many different ways. You
> can configure the VPN to use the NAT address of the inside or DMZ hosts, or
> you can configure the PIX to allow your peer to use the actual IP of the
> inside or DMZ hosts. The latter is the simpler of the two and is what we
> will be configuring here. Just keep in mind that you can use NAT when
> configuring a firewall VPN if needed. Let's start with the corporate
> firewall.
>
> Preparing your Perimeter Router
> If you are explicitly blocking traffic on your perimeter router, it may be
> necessary to build an access list allowing IPSEC protocols through to the
> firewall. This can be done by permitting the ahp and esp protocol types and
> the udp isakmp port. Example:
> access-list 100 permit ahp host 172.1.16.1 host 192.168.52.1
> access-list 100 permit esp host 172.1.16.1 host 192.168.52.1
> access-list 100 permit udp host 172.1.16.1 host 192.168.52.1 eq isakmp
>
>
> 1. First we need to configure the firewall to allow IPSEC connections.
> If we don't explicitly allow IPSEC connections then we must use the conduit
> command to allow IPSEC traffic to flow to the destination. For our
> configuration we will implicitly allow IPSEC connections with the following
> command.
>
> sysopt connection permit-ipsec
>
>
>
>
>
> 2. Define a list specifying what needs to be encrypted. In this case
> we will encrypt all communications between networks. If you wanted to only
> allow and encrypt data between a single host on Corporate and a single host
> on the Business partner network you would define that here in this
> access-list. The list should have the inside source of your network and
> inside destination of the remote.
>
>
> access-list 100 permit ip 10.2.3.0 255.255.255.0 192.168.50.0 255.255.255.0
>
>
> 3. This states that anything passing the list should not have to use
> NAT. This command does not get applied to any interface but is associated
> with the crypto map so that only traffic that is already encrypted uses this
> feature.
>
> nat (inside) 0 access-list 100
>
> 4. Like the router-based VPN you must define a transform-set to tell
> the firewall what type of algorithm to use for encryption and
> authentication.
>
> crypto ipsec transform-set myset esp-des esp-md5-hmac
>
> 5. Now define your crypto map to allow IPSEC keys and security
> association negotiation to be done using ISAKMP.
>
> crypto map mymap 5 ipsec-isakmp
>
> 6. This tells the firewall that traffic matching access-list 100 should
> use this crypto map.
>
> crypto map mymap 5 match address 100
>
> 7. Set the address of your peer encrypting device.
>
> crypto map mymap 5 set peer 172.16.16.1
>
> 8. Configure the crypto map to use the transform set you created in
> step 4.
>
> crypto map mymap 5 set transform-set myset
>
> 9. Configure the firewall to use the crypto map on traffic passing the
> outside interface.
>
> crypto map mymap interface outside
>
> 10. To use ISAKMP for SA negotiation you must enable ISAKMP on the
> particular interface where it will be used.
>
> isakmp enable outside
>
> 11. Define the pre-shared key to be used and the peer that you will be
> negotiating with. The peer or your firewall must have a compatible policy.
> Refer to the IOS section to see what makes a policy compatible.
>
> isakmp key partnetsecret address 172.16.16.1 netmask 255.255.255.255
>
> 12. Configure the firewall to use the IP address to identify its peer
> or peers.
>
> isakmp identity address
>
> 13. Configure the ISAKMP policy to use the pre-shared key for
> authentication.
>
> isakmp policy 10 authentication pre-share
>
> 14. Configure your ISAKMP policy to use 56-bit DES for encryption.
>
> isakmp policy 10 encryption des
>
> 15. Configure ISAKMP to use MD5 as the hash algorithm for passing the
> key and SA info.
>
> isakmp policy 10 hash md5
>
> 16. Configure ISAKMP to use Diffie-Hellman group 1.
>
> isakmp policy 10 group 1
>
> 17. The next configuration command tells the firewall the lifetime of
> the SA. When this expires the firewall will re-negotiate the SA.
>
> isakmp policy 10 lifetime 86400
>
>
> The business partner must have a similar configuration on its firewall.
>
>
> 1.  Configure the list defining what traffic will get encrypted. Remember
> this is the inside source and inside destination of the traffic.
>
>
> access-list 110 permit ip 192.168.50.0 255.255.255.0 10.2.3.0 255.255.255.0
>
> 3. Use the NAT 0 command so that traffic passing the list can use the
> real IP of the destination as opposed to a NAT or Static address.
>
> nat (inside) 0 access-list 110
>
> 4. Define the algorithms you will be using in your transform-set.
>
> crypto ipsec transform-set myset esp-des esp-md5-hmac
>
> 5. Begin defining your crypto map by telling the router that you will
> want to use ISAKMP to negotiate SAs.
>
> crypto map mymap 5 ipsec-isakmp
>
> 6. Associate the list created in step 1 to your crypto map.
>
> crypto map mymap 5 match address 110
>
> 7. Define your peer encrypting device's address.
>
> crypto map mymap 5 set peer
>
> 8. Associate the transform-set to the crypto map.
>
> crypto map mymap 5 set transform-set myset
>
> 9. Configure the crypto map to the outside interface.
>
> crypto map mymap interface outside
>
> 10. Enable ISAKMP on the outside interface.
>
> isakmp enable outside
>
> 11. Configure the pre-shared key and the peer with whom you will be
> authenticating.
>
> isakmp key partnetsecret address 10.0.0.0 netmask 255.255.255.255
>
> 12. Configure the device so that ISAKMP identities use IP addresses.
>
> isakmp identity address
>
> 13.  Configure ISAKMP to use the pre-shared key.
>
> isakmp policy 10 authentication pre-share
>
> 14. Configure ISAKMP to use 56-bit DES encryption for key exchange and SAs.
>
> isakmp policy 10 encryption des
>
> 15. Configure ISAKMP to use the MD5 hash.
>
> isakmp policy 10 hash md5
>
> 16. Use Diffie-Hellman group 1.
>
> isakmp policy 10 group 1
>
> 17. Configure the security association lifetime for 86400 seconds.
>
> isakmp policy 10 lifetime 86400
>
>
>
>
>
>
> -----Original Message-----
> From: gwakin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 5:02 PM
> To: [EMAIL PROTECTED]
> Subject: pix-to-pix tunnel...somebody make it work!!!
>
>
> Fellow Professionals-
>
> I'm attempting this folly for the second time after giving up on it in
> April, seeing as how my WAN provider STILL can't complete a frame
> circuit between Austin and Denver.
> My current config is a near copy of the sample config listed on CCO-
> only it passes nothing; no SA, no pre-shared key, NOTHING.  Following
> the hitcount on the local PIX (running 5.1.2 software) I see my access
> list 100 with a hitcount of 0.  Checking the remote PIX I see the same
> thing on access list 100- no hits.  My PIX sits behind a 1605 gateway
> router and in front of a 3640 host router, with my remote configured
> similarly except that the host router is a 4700.  NAT is running on both
> firewalls, and both firewalls can serve remote VPN clients with
> pre-shared keys- but no tunnel.
> Has anyone experienced a similar situation, or can anyone apply enough
> IPSec/VPN expertise to make this work?  I will submit my configs as
> needed.
>
> GWA
>
> ___________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>


___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
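The PIX-to-PIX steps quoted above leave plenty of room for the two firewalls to drift apart, and a crypto access-list with a hit count of zero on both sides, as in the original question, is the usual symptom. What follows is an added example, not code from the quoted chapter, from Cisco or from anyone in this thread: a small Python checker that parses the crypto-relevant PIX 5.x commands from both firewalls and reports the mismatches that block the tunnel (crypto ACL not mirrored on the peer or not the same list that nat 0 references, IOS-style wildcard masks where the PIX expects subnet masks, a missing or wrong peer address, a pre-shared key bound to the wrong address, transform sets or ISAKMP policies that differ), plus a warning that DES, MD5 and Diffie-Hellman group 1 are weak by current standards. The two sample configs are constructed for the example, the corporate outside address 192.168.52.1 is an assumption, and 172.16.16.1 is the partner address the chapter uses.

```python
"""Cross-check a PIX-to-PIX IPsec configuration pair (added example; not code from
the quoted chapter or any poster). It parses the subset of PIX 5.x commands the
chapter uses and reports the mismatches that leave the crypto access-list with a
hit count of zero. Configs and addresses below are constructed for the example."""

CORP_OUTSIDE = "192.168.52.1"    # assumption: corporate PIX outside address
PARTNER_OUTSIDE = "172.16.16.1"  # peer address used in the chapter

CORPORATE = """
access-list 100 permit ip 10.2.3.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 100
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 match address 100
crypto map mymap 5 set peer 172.16.16.1
crypto map mymap 5 set transform-set myset
isakmp key partnetsecret address 172.16.16.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""

# Partner side with slips a peer config commonly shows: ACL defined as 100 but
# referenced as 110, IOS-style wildcard masks, no peer address, key on wrong address.
PARTNER_BROKEN = """
access-list 100 permit ip 192.168.50.0 0.0.0.255 10.2.3.0 0.0.0.255
nat (inside) 0 access-list 110
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 match address 110
crypto map mymap 5 set peer
crypto map mymap 5 set transform-set myset
isakmp key partnetsecret address 10.0.0.0 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""

# The same partner config with the slips corrected.
PARTNER_FIXED = (PARTNER_BROKEN
    .replace("access-list 100 permit ip 192.168.50.0 0.0.0.255 10.2.3.0 0.0.0.255",
             "access-list 110 permit ip 192.168.50.0 255.255.255.0 10.2.3.0 255.255.255.0")
    .replace("set peer\n", "set peer " + CORP_OUTSIDE + "\n")
    .replace("address 10.0.0.0", "address " + CORP_OUTSIDE))

def parse_pix(text):
    """Collect the crypto-relevant state from a PIX config fragment."""
    cfg = {"acls": {}, "tsets": {}, "map": {}, "policy": {}, "key": None, "nat0": None}
    for raw in text.splitlines():
        w = raw.strip().lower().split()
        if len(w) >= 8 and w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(w[1], []).append(tuple(w[4:8]))  # src mask dst mask
        elif len(w) >= 5 and w[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = w[4]
        elif len(w) >= 5 and w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = tuple(w[4:])
        elif len(w) >= 6 and w[:2] == ["crypto", "map"] and w[4] in ("match", "set"):
            key = {"address": "acl", "peer": "peer", "transform-set": "tset"}.get(w[5])
            if key:
                cfg["map"][key] = w[6] if len(w) > 6 else None  # tolerate a missing value
        elif len(w) >= 5 and w[:2] == ["isakmp", "key"] and w[3] == "address":
            cfg["key"] = (w[2], w[4])  # (secret, peer address)
        elif len(w) >= 5 and w[:2] == ["isakmp", "policy"]:
            cfg["policy"][w[3]] = w[4]  # e.g. encryption -> des
    return cfg

def check_pair(local, remote, remote_outside):
    """Findings for 'local' against its peer; ERRORs break the tunnel, WARNs are weak crypto."""
    f, acl = [], local["map"].get("acl")
    if acl not in local["acls"]:
        f.append(f"ERROR: crypto map matches access-list {acl}, which is not defined")
    if local["nat0"] != acl:
        f.append(f"ERROR: nat 0 uses access-list {local['nat0']} but the crypto map matches {acl}")
    # The peer's crypto ACL must be ours with source and destination swapped.
    mine = set(local["acls"].get(acl, []))
    theirs = {(d, dm, s, sm) for s, sm, d, dm in remote["acls"].get(remote["map"].get("acl"), [])}
    if mine != theirs:
        f.append("ERROR: crypto access-lists are not mirror images of each other")
    for _, sm, _, dm in sum(local["acls"].values(), []):
        for mask in (sm, dm):
            if mask.startswith("0."):
                f.append(f"ERROR: mask {mask} looks like an IOS wildcard; PIX takes a subnet mask")
    if local["map"].get("peer") != remote_outside:
        f.append(f"ERROR: crypto map peer is {local['map'].get('peer')}, expected {remote_outside}")
    if local["key"] is None or local["key"][1] != remote_outside:
        f.append("ERROR: isakmp key is not bound to the peer's outside address")
    elif remote["key"] and local["key"][0] != remote["key"][0]:
        f.append("ERROR: pre-shared keys differ")
    tset = local["tsets"].get(local["map"].get("tset"), ())
    if not tset or tset != remote["tsets"].get(remote["map"].get("tset")):
        f.append("ERROR: transform-sets are missing or differ between peers")
    if local["policy"] != remote["policy"]:
        f.append("ERROR: isakmp policy attributes differ between peers")
    pol = local["policy"]
    weak = [n for n, hit in (("DES", pol.get("encryption") == "des" or "esp-des" in tset),
                             ("MD5", pol.get("hash") == "md5" or "esp-md5-hmac" in tset),
                             ("DH group 1", pol.get("group") == "1")) if hit]
    if weak:
        f.append("WARN: weak algorithms configured: " + ", ".join(weak))
    return f

if __name__ == "__main__":
    print("\n".join(check_pair(parse_pix(PARTNER_BROKEN), parse_pix(CORPORATE), CORP_OUTSIDE)))
```

Run it to see the findings for the broken partner config; these are the checks to work through before turning to IKE debugs, because a crypto access-list that never matches, or a nat 0 bound to a different list, means no traffic is ever offered to the tunnel in the first place. The mirror-image test is the one most often failed in practice: each side's list names its own inside network as the source and the remote inside network as the destination, and the PIX masks are subnet masks, not IOS wildcards.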
