VPN With Pre-Shared Keys - Page 6

By Cisco Press | Posted Oct 30, 2001

The listing of this configuration follows. It is virtually the same as the previous example, with three changes. First, you have to implement a global pool for use with NAT for data traveling to the branch office. Second, you have to remove the lines associated with the nat 0 command for data traveling to the branch office. Third, you have to create a new access list called nattobranch, which NAT uses to change the source address of the packets so that they appear to originate from the 192.168.1.0/24 network.

 hostname mainofficepix
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 interface ethernet0 auto
 interface ethernet1 auto
 mtu outside 1500
 mtu inside 1500
 ip address outside 172.30.1.1 255.255.255.0
 ip address inside 10.1.1.1 255.255.255.0
 global (outside) 1 192.168.1.1-192.168.1.253
 global (outside) 1 192.168.1.254
 access-list nattobranch permit ip 10.1.1.0 255.255.255.0 192.168.2.1 255.255.255.0
 nat (inside) 1 access-list nattobranch
 sysopt connection permit-ipsec
 crypto ipsec transform-set maintransformset esp-des esp-md5-hmac
 crypto map mymap 10 ipsec-isakmp
 crypto map mymap 10 match address nattobranch
 crypto map mymap 10 set peer 172.30.2.1
 crypto map mymap 10 set transform-set maintransformset
 crypto map mymap interface outside
 isakmp enable outside
 isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 1
 isakmp policy 10 lifetime 768
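As an added check that is not part of the original chapter, the following Python script parses the ISAKMP policy and transform-set lines of the listing above and flags the settings that are considered weak today (DES, MD5, Diffie-Hellman group 1). The sets of weak values are this check's own assumption, and the embedded configuration is the page's listing abridged to its crypto lines.

```python
import re

# The page's main-office PIX configuration, abridged to the crypto lines so the check runs offline.
PIX_CONFIG = """\
hostname mainofficepix
crypto ipsec transform-set maintransformset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nattobranch
crypto map mymap 10 set peer 172.30.2.1
crypto map mymap 10 set transform-set maintransformset
isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 768
"""

# Values treated as weak by this check (an assumption of the example, not a vendor list).
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for m in re.finditer(r"^\s*isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return policies

def parse_transform_sets(config):
    """Return {set_name: [transforms]} from 'crypto ipsec transform-set NAME t1 t2 ...' lines."""
    sets = {}
    for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = m.group(2).split()
    return sets

def audit(config):
    """List weak phase 1 (ISAKMP policy) and phase 2 (transform-set) settings found in the config."""
    findings = []
    for num, attrs in sorted(parse_isakmp_policies(config).items()):
        for attr, weak in WEAK_ISAKMP.items():
            if attrs.get(attr) in weak:
                findings.append(f"isakmp policy {num}: {attr} {attrs[attr]} is weak")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_TRANSFORMS:
                findings.append(f"transform-set {name}: {t} is weak")
    return findings

if __name__ == "__main__":
    for line in audit(PIX_CONFIG):
        print(line)
```

Run against the page's listing, the audit reports five findings: the DES encryption, MD5 hash and group 1 of policy 10, and both transforms of maintransformset.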

Cisco Secure Internet Security Solutions

Summary
This chapter has shown how to configure the PIX Firewall in many different ways. It started with the most basic form before moving to a more realistic configuration. This realistic configuration, allowing users through to specific services, should prove adequate for most companies that do not require the use of a DMZ.

The chapter then moved on to explore using single and multiple DMZs, along with AAA services and other examples of connections possible with the PIX Firewall. These configurations provide examples that are applicable to larger organizations.

