© 2003, Cisco Systems, Inc. All rights reserved. VPN Roadshow

Cisco VPN Partner Technical Development
Module 2: PIX Configuration
APAC Channels Technical Operations

PIX Advanced Road Show Agenda
• Six Primary Commands
• VPN Configuration
• PDM 2.0

The Six Primary Commands

PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall:
• nameif
• interface
• ip address
• nat
• global
• route

Command 1: nameif
pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.
pixfirewall(config)# nameif ethernet2 dmz sec50

Command 2: interface
pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 10
pixfirewall(config)# interface ethernet2 100

Command 3: ip address
pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

Command 4: nat
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
• The nat command shields IP addresses on the inside network from the outside network.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall.
pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range.

Three Interfaces with NAT
[Diagram: PIX Firewall with three interfaces. e0 outside, 192.168.0.2, security level 0, on 192.168.0.0/24 toward the pod perimeter router (.1) and the Internet backbone (web, FTP and TFTP server at 172.26.26.50). e1 inside, 10.0.0.1, security level 100, on 10.0.0.0/24 with the inside host (web and FTP server) at .3. e2 dmz, 172.16.0.1, security level 50, on 172.16.0.0/24 with the bastion host (web and FTP server) at .2.]
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.
[...]...
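The six commands assembled into one complete configuration for the three-interface topology above, added here as an example; it is not from the Cisco slides. It assumes interface speed auto on all three ports, a default route toward the perimeter router at 192.168.0.1 (the router in the diagram; the slides never show a route command), the nameif security-level shorthand used on the slides, and the address plan read from the diagram. Lines beginning with a colon are comments, as in a saved PIX configuration.

```text
: Added example, not slide content: the six primary commands for the
: three-interface topology (outside / inside / dmz) on the slide.
: Assumptions: speed "auto" on every port, perimeter router 192.168.0.1
: as default gateway, addresses taken from the diagram.

: 1. nameif: name each interface and give it a security level
:    (higher level may initiate connections toward lower level)
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif ethernet2 dmz sec50

: 2. interface: enable the ports and set their speed/duplex
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

: 3. ip address: one address per named interface
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0

: 4. nat: which local networks may be translated, tagged with nat_id 1
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0

: 5. global: the address pools nat_id 1 draws from on each lower-security
:    interface (inside -> outside, inside -> dmz, dmz -> outside)
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

: 6. route: default route to the perimeter router (assumed 192.168.0.1)
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
```

Once an inside host opens a connection outward, show xlate lists the translation slot it was given from the matching global pool. Because this configuration contains no static or access-list entries, hosts on the lower-security outside and dmz interfaces cannot initiate connections toward inside, which is the default the security levels enforce.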
... network, or subnet

Example Crypto ACLs
[Diagram: Site 1 (host 10.0.1.3) behind PIX1 (e0 192.168.1.2) and Site 2 (host 10.0.2.3) behind PIX2 (e0 192.168.2.2), connected across the Internet]
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.2.10
PIX2
pix2(config)# show static ...

... consume more resources on pix

Step 4—Apply the Crypto Map to an Interface
pixfirewall(config)# crypto map map-name interface interface-name
• Applies the crypto map to an interface
• Activates IPSec policy

Example Crypto Map for PIX1
[Diagram: Site 1 (host 10.0.1.3) behind PIX1 (e0 192.168.1.2) and PIX2 across the Internet ... host 10.0.2.3]
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
    Peer = 192.168.2.2
    access-list 101 permit ip host 192.168.1.3 host 192.168.2.3 (hitcnt=0)
    Current peer: 192.168.2.2
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ pix2, }

Example Crypto Map for PIX2
[Diagram: Site 1 (host 10.0.1.3) behind PIX1, PIX2 ...]

... through the PIX Firewall
debug crypto ipsec
debug crypto isakmp

PDM 2.0 Overview

What Is PDM?
• PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall
[Diagram: PDM client reaching the PIX Firewall across the Internet through an SSL secure tunnel]

PDM ...
[Diagram: ... Site 2, host 10.0.2.3]
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
    Peer = 192.168.1.2
    access-list 101 permit ip host 192.168.2.3 host 192.168.1.3 (hitcnt=0)
    Current peer: 192.168.1.2
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ pix1, }

Test and Verify VPN Configuration

... to the PIX Firewall buffer
• The PIX Firewall can forward Syslog messages to any Syslog server

VPN Configuration
Configure IKE Parameters

Step 1—Enable or Disable IKE
pixfirewall(config)# isakmp enable interface-name
• Enables or disables IKE on the PIX Firewall interfaces
• IKE is ...

... and then copied to the PIX Firewall via TFTP
• Works with SSL to ensure secure communication with the PIX Firewall

PDM’s PIX Firewall Requirements
A PIX Firewall must meet the following requirements to run PDM:
• You must have version 6.0 installed on the PIX Firewall before using PDM. If you are using a new (version 6.0) PIX Firewall, you have ...

... bits)
ESP transform using 3DES cipher (168 bits)
ESP transform using HMAC-MD5 auth
ESP transform using HMAC-SHA auth

Step 3—Configure the Crypto Map
pixfirewall(config)# crypto ipsec transform-set TRANSFORM1 esp-des esp-sha-hmac
pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto ...
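The PIX1 and PIX2 crypto maps from the two show crypto map outputs, reconstructed as the site-to-site configuration that produces them, together with the IKE step. This is an added example, not slide content: the slides give only the transform-set, crypto map and isakmp enable syntax and the IKE defaults (768-bit group 1, 86400-second lifetime). The transform-set contents, the isakmp identity/key/policy lines, sysopt connection permit-ipsec and the static translations of the two hosts are assumptions; the pre-shared key is a placeholder. The slides' transform example uses DES, but this example picks 3DES, the stronger cipher in the slides' transform list (it needs the 3DES feature license).

```text
: Added example, not slide content. Site-to-site IPSec between PIX1 and
: PIX2 matching the "show crypto map" outputs above. Pre-shared key is a
: placeholder; static translations and the transform-set contents are
: assumptions, since the slides only show the resulting crypto map.

: ---- PIX1 (Site 1, outside 192.168.1.2) ----
: assumed: present inside host 10.0.1.3 on the outside as 192.168.1.3,
: so the crypto ACL (matched after translation) can name it
static (inside,outside) 192.168.1.3 10.0.1.3 netmask 255.255.255.255 0 0
: Step 1: interesting traffic, mirror image of PIX2's ACL
access-list 101 permit ip host 192.168.1.3 host 192.168.2.3
: Step 2: transform set named "pix2", as in the show output
crypto ipsec transform-set pix2 esp-3des esp-sha-hmac
: Step 3: crypto map "peer2", sequence 10, IKE-negotiated SAs
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.2
crypto map peer2 10 set transform-set pix2
: Step 4: activate the policy on the outside interface
crypto map peer2 interface outside
: IKE: enable on outside, identify by address, pre-shared key per peer
isakmp enable outside
isakmp identity address
isakmp key PRESHARED_KEY_PLACEHOLDER address 192.168.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
: let decrypted IPSec traffic bypass the interface access-list check
sysopt connection permit-ipsec

: ---- PIX2 (Site 2, outside 192.168.2.2): mirror image ----
static (inside,outside) 192.168.2.3 10.0.2.3 netmask 255.255.255.255 0 0
access-list 101 permit ip host 192.168.2.3 host 192.168.1.3
crypto ipsec transform-set pix1 esp-3des esp-sha-hmac
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.2
crypto map peer1 10 set transform-set pix1
crypto map peer1 interface outside
isakmp enable outside
isakmp identity address
isakmp key PRESHARED_KEY_PLACEHOLDER address 192.168.1.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

The two crypto ACLs must be exact mirror images (source and destination swapped), the transform sets and IKE policies must agree on both ends, and the pre-shared key must be identical; a mismatch in any of these is what debug crypto isakmp and debug crypto ipsec on the slides are there to expose. Since the slides show hitcnt=0 and the default 4608000 KB / 28800 s lifetime with PFS N, no lifetime or pfs options are set on the map entries.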
... (768 bit)
86400 seconds, no volume limit
• Displays configured and default IKE protection suites

VPN Configuration
Configure IPSec Parameters

Step 1—Configure Interesting Traffic
pixfirewall(config)# access-list access-list-name {deny | permit} ip source source-netmask destination ...

... enabled
• Browser support for SSL must be enabled

Supported Platforms
• Windows
• SUN Solaris
• Linux

Configure the PIX Firewall to Use PDM
• Before you can use or install PDM, you need to enter the following information on the PIX Firewall via a console terminal:
  – Password
  – Time ...