Basic Site to Site VPN with pre-shared key

Posted on November 19, 2010

0



In the following example I configured a basic L2L VPN between 2 PIX firewall with pre-shared key. The Firewalls has different software versions, the sp2 is an old 6.3.4 version firewall (no more support..).

sp1 (Cisco PIX Security Appliance Software Version 7.1(2), PIX-515E)
E0 – ssw fa0/20
E1 – ssw fa0/12

sp2 (Cisco PIX Firewall Version 6.3(4), PIX-501)
E0 – ssw fa0/24
E1 – ssw fa0/16

my pc (Windows XP)
vlan 20

ssw (IOS ™ C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA2, cisco WS-C2950-24)
Fa0/20 – vlan 30
Fa0/12 – vlan 20
Fa0/24 – vlan 30
Fa0/16 – vlan 40

Topology:

SP1 configuration:

hostname sp1
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 30.30.30.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 50.50.50.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
!
! Specify the NAT ACL for traffic that should be encrypted, but not translated.
!
access-list inside_nat0_outbound extended permit ip 50.50.50.0 255.255.255.0 40.40.40.0 255.255.255.0
!
! Specify the Crypto ACL for traffic that should be encrypted.
!
access-list outside_cryptomap_20 extended permit ip 50.50.50.0 255.255.255.0 40.40.40.0 255.255.255.0
pager lines 24
logging console debugging
mtu inside 1500
mtu outside 1500
no failover
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
!
! Specify the identity NAT ACL for traffic that should be encrypted.
!
nat (inside) 0 access-list inside_nat0_outbound
!
! Specify the route for the other LAN. In this case it is the outside IP of the VPN peer.
!
route outside 40.40.40.0 255.255.255.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! Specify the Crypto ipsec transform set used for your crypto map.
!
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
!
! Specify your crypto map.
!
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 30.30.30.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
!
! Specify your isakmp map.
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Specify your crypto map.
!
tunnel-group 30.30.30.2 type ipsec-l2l
tunnel-group 30.30.30.2 ipsec-attributes
pre-shared-key mysecretkey
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global

SP2 configuration:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname sp2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
!
! Specify the NAT ACL for traffic that should be encrypted, but not translated.
!
access-list inside_nat0_outbound permit ip 40.40.40.0 255.255.255.0 50.50.50.0 255.255.255.0
!
! Specify the Crypto ACL for traffic that should be encrypted.
!
access-list outside_cryptomap_20 permit ip 40.40.40.0 255.255.255.0 50.50.50.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 30.30.30.2 255.255.255.0
ip address inside 40.40.40.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
!
! Specify the identity NAT ACL for traffic that should be encrypted.
!
nat (inside) 0 access-list inside_nat0_outbound
!
! Specify the route for the other LAN. In this case it is the outside IP of the VPN peer.
!
route outside 50.50.50.0 255.255.255.0 30.30.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!
! Enable the VPN traffic. With this command we globally enable the FW terminated VPN traffics on interfaces
!
sysopt connection permit-ipsec
!
! Specify the Crypto ipsec transform set used for your crypto map.
!
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
!
! Specify your crypto map.
!
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 30.30.30.1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
!
! Specify your isakmp map.
!
isakmp enable outside
isakmp key mysecretkey address 30.30.30.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80

Comment:

The PIX 7 OS accepts isakmp key <key> address <ip address> netmask <netmask> command, but it converts to tunnel-group … command format.

Advertisements
Posted in: ASA, Cisco, Security, VPN