VPN With Pre-Shared Keys - Page 6
The listing of this configuration follows. This is virtually the same configuration as the previous example, with a few minor changes. First, you have to implement a global pool for use with NAT for data traveling to the branch office. Second, you have to remove the lines associated with the nat 0 command for data traveling to the branch office. Third, you have to create a new access list called nattobranch, which is used by NAT to change the source address of the packets so that these packets appear to originate from the 192.168.1.0/24 network.
hostname mainofficepix nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 auto interface ethernet1 auto mtu outside 1500 mtu inside 1500 ip address outside 172.30.1.1 255.255.255.0 ip address inside 10.1.1.1 255.255.255.0 global (outside) 1 192.168.1.1-192.168.1.253 global (outside) 1 192.168.1.254 access-list nattobranch permit ip 10.1.1.0 255.255.255.0 192.168.2.1 255.255.255.0 nat (inside) 1 access-list nattobranch sysopt connection permit-ipsec crypto ipsec transform-set maintransformset esp-des esp-md5-hmac crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address nattobranch crypto map mymap 10 set peer 172.30.2.1 crypto map mymap 10 set transform-set maintransformset crypto map mymap interface outside isakmp enable outside isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255 isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 768
This chapter has shown how to configure the PIX Firewall in many different ways. It started with the most basic form before moving to a more realistic configuration. This realistic configuration, allowing users through to specific services, should prove adequate for most companies that do not require the use of a DMZ.
The chapter then moved on to explore using single and multiple DMZs, along with AAA services and other examples of connections possible with the PIX Firewall. These configurations provide examples that are applicable to larger organizations.