Keeping Your Cisco VPN Secure

In this excerpt from the Cisco Press book Cisco Secure Internet Security Solutions, we cover the configuration, commands, and parameters for setting up your VPN and assuring its security using IPSec and manual keys.

By Cisco Press | Posted Oct 23, 2001

Cisco Secure Internet Security Solutions - Chapter 4
by Andrew Mason, Mark Newcomb

Cisco Secure PIX Firewall - Part 8
VPN with IPSec and Manual Keys


IOS versions of the PIX prior to 5.0 used a connection method involving the Private Link Encryption Card to connect between two PIX Firewalls. This method is no longer supported; IPSec is used as the alternative. If your system is still using Version 4 or earlier of the Cisco PIX IOS, it is time to upgrade.

In this configuration, you will use IPSec to connect two networks over the Internet. You will also use manual keys for this example. In this example, your main corporate office uses an internal IP address of 10.1.1.0 with a 24-bit subnet mask, while your branch office uses 10.1.2.0 with a 24-bit subnet mask. (As with any interface accessible from the Internet, the outside interface of the PIX must have a routable IP address.) Figure 4-11 shows a diagram of how these networks are connected.

Figure 4-11 VPN with IPSec


You need to configure both PIX Firewalls to enable a secure tunnel between them. The configurations that follow show only the items associated with setting up the IPSec tunnels. You will see both configurations and then a discussion of the ramifications of using the commands. Keep in mind that these are examples and, therefore, do not have routable IP addresses on the outside interfaces. In real life, the outside interfaces would need routable IP addresses; inside the corporate LANs, the IP addresses do not need to be routable. The corporate PIX configuration changes are as follows:

 ip address outside 172.30.1.1 255.255.255.252
 access-list 20 permit 10.1.2.0 255.255.255.0
 crypto map mymap 10 ipsec-manual
 crypto map mymap 10 set transform-set myset
 crypto ipsec transform-set myset ah-md5-hmac esp-des
 crypto map mymap 10 match address 20
 crypto map mymap 10 set peer 172.30.1.2
 crypto map mymap 10 set session-key inbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key outbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key inbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
 crypto map mymap 10 set session-key outbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
 crypto map mymap interface outside
 sysopt connection permit-ipsec

The branch office PIX configuration changes are as follows:

 ip address outside 172.30.1.2 255.255.255.252
 access-list 20 permit 10.1.1.0 255.255.255.0
 crypto map mymap 10 ipsec-manual
 crypto map mymap 10 set transform-set myset
 crypto ipsec transform-set myset ah-md5-hmac esp-des
 crypto map mymap 10 match address 20
 crypto map mymap 10 set peer 172.30.1.1
 crypto map mymap 10 set session-key inbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key outbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key inbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
 crypto map mymap 10 set session-key outbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
 crypto map mymap interface outside
 sysopt connection permit-ipsec

In this example, after assigning your outside IP addresses, you added an access list. Because you decided to use manual keys, this access list might contain only a single permit. If you used preshared keys, the access list could contain multiple permit statements. The access list is used to invoke your IPSec connection. When packets destined for the network matched by this access list are sent, your PIX establishes a connection with the peer, and all data traveling between the two is carried over your tunnel.
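Manual keying has no negotiation step, so a tunnel that fails to come up is almost always a transcription error: an inbound SPI or key on one side that does not equal the outbound SPI or key on the other, or a peer address that does not point back at the other firewall. The following Python script is an added example, not code from the book or from Cisco. It parses the two configurations above (trimmed to the lines it reads, with the book's placeholder keys) and checks that they mirror each other, then runs a few hygiene checks on the static keys themselves: hex-only, 128-bit for ah-md5-hmac, not a repeated single digit, and not reused between SAs. The `PeerConfig` class, the regular expressions, and the finding messages are this example's own assumptions about the PIX syntax shown on the page.

```python
import re
from dataclasses import dataclass, field

# Constructed from the two configurations in the chapter; the repeated-letter
# keys are the book's placeholders, not real key material.
CORP_CONFIG = """
 ip address outside 172.30.1.1 255.255.255.252
 access-list 20 permit 10.1.2.0 255.255.255.0
 crypto ipsec transform-set myset ah-md5-hmac esp-des
 crypto map mymap 10 set peer 172.30.1.2
 crypto map mymap 10 set session-key inbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key outbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key inbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
 crypto map mymap 10 set session-key outbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
"""
BRANCH_CONFIG = """
 ip address outside 172.30.1.2 255.255.255.252
 access-list 20 permit 10.1.1.0 255.255.255.0
 crypto ipsec transform-set myset ah-md5-hmac esp-des
 crypto map mymap 10 set peer 172.30.1.1
 crypto map mymap 10 set session-key inbound ah 300
     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
 crypto map mymap 10 set session-key outbound ah 400
     aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 crypto map mymap 10 set session-key inbound esp 300 cipher
     dddddddddddddddddddddddddddddddd
 crypto map mymap 10 set session-key outbound esp 400 cipher
     cccccccccccccccccccccccccccccccc
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")
PATTERNS = {
    "outside": re.compile(r"^ip address outside (\S+) \S+$"),
    "acl": re.compile(r"^access-list \d+ permit (\S+) (\S+)$"),
    "transform": re.compile(r"^crypto ipsec transform-set \S+ (.+)$"),
    "peer": re.compile(r"^crypto map \S+ \d+ set peer (\S+)$"),
    "key": re.compile(r"^crypto map \S+ \d+ set session-key (inbound|outbound) "
                      r"(ah|esp) (\d+)(?: cipher)? ([0-9a-fA-F]+)$"),
}


@dataclass
class PeerConfig:
    outside_ip: str = ""
    peer: str = ""
    acl: list = field(default_factory=list)    # networks the crypto ACL matches
    transform: tuple = ()                      # e.g. ("ah-md5-hmac", "esp-des")
    keys: dict = field(default_factory=dict)   # (direction, proto) -> (spi, hex key)


def join_continuations(text):
    """Glue an indented hex-only key line back onto the session-key command above it."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEX.match(line) and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse(text):
    cfg = PeerConfig()
    for line in join_continuations(text):
        if m := PATTERNS["outside"].match(line):
            cfg.outside_ip = m.group(1)
        elif m := PATTERNS["acl"].match(line):
            cfg.acl.append(f"{m.group(1)}/{m.group(2)}")
        elif m := PATTERNS["transform"].match(line):
            cfg.transform = tuple(m.group(1).split())
        elif m := PATTERNS["peer"].match(line):
            cfg.peer = m.group(1)
        elif m := PATTERNS["key"].match(line):
            direction, proto, spi, key = m.groups()
            cfg.keys[(direction, proto)] = (int(spi), key.lower())
    return cfg


def check_pair(a, b):
    """Findings about the two peers as a pair; an empty list means they mirror each other."""
    findings = []
    if a.peer != b.outside_ip or b.peer != a.outside_ip:
        findings.append("set peer does not point at the other side's outside address")
    if a.transform != b.transform:
        findings.append(f"transform sets differ: {a.transform} vs {b.transform}")
    for proto in ("ah", "esp"):
        # Manual SAs are directional: my inbound SPI/key must be the peer's outbound, and vice versa.
        if a.keys.get(("inbound", proto)) != b.keys.get(("outbound", proto)):
            findings.append(f"{proto}: A inbound SPI/key does not equal B outbound")
        if a.keys.get(("outbound", proto)) != b.keys.get(("inbound", proto)):
            findings.append(f"{proto}: A outbound SPI/key does not equal B inbound")
    return findings


def check_keys(cfg, label):
    """Hygiene findings for one peer's static keys, which never rotate unless an admin changes them."""
    findings, seen = [], {}
    for (direction, proto), (spi, key) in cfg.keys.items():
        if len(set(key)) == 1:
            findings.append(f"{label} {direction} {proto} SPI {spi}: key is one repeated digit (placeholder or weak)")
        if proto == "ah" and "ah-md5-hmac" in cfg.transform and len(key) != 32:
            findings.append(f"{label} {direction} ah: MD5-HMAC key should be 32 hex digits, got {len(key)}")
        if key in seen:
            findings.append(f"{label}: key reused for {seen[key]} and {(direction, proto)}")
        seen[key] = (direction, proto)
    return findings


if __name__ == "__main__":
    corp, branch = parse(CORP_CONFIG), parse(BRANCH_CONFIG)
    for f in check_pair(corp, branch) + check_keys(corp, "corp") + check_keys(branch, "branch"):
        print(f)
```

Run as-is, the pair check passes and the only findings are the four placeholder keys on each side, which is the point: with manual keys there is no IKE to refresh the material, so the values entered here are the session keys for as long as the configuration stands and must be generated randomly and rotated by hand. Editing a single SPI in one configuration (for example `outbound ah 400` to `outbound ah 401` on the branch side) makes `check_pair` report exactly the SA that will fail to match.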
