The latest network routers, software, management tools and information for enterprise IT administrators.

VPN With Pre-Shared Keys - Page 4

By Cisco Press

Page 4 of 6 | Back to Page 1

PIX-to-PIX Configuration
One advantage of using the PIX Firewall is that it has become a standard within the industry. As time passes, your business might acquire or become acquired by another company. To provide connectivity, you are faced with two choices: enabling VPNs over the Internet or using dedicated connections. Because one of the benefits of the PIX box is to allow secure VPNs, this section explores how to set up two PIX Firewalls between different locations through the Internet.

In this scenario, shown in Figure 4-10, assume that both companies trust each other totally. This means that you will not filter any traffic between the sites, and all hosts on both sites will be able to see all hosts on the other site. The peers use ISAKMP in Phase 1 to negotiate an IPSec connection in Phase 2.

Figure 4-12 PIX-to-PIX IPSec with ISAKMP Example

(Click image for larger view in a new window)

As shown in Figure 4-12, the main office uses an internal IP address of 10.1.1.1/24 with an IP address of 172.30.1.1 on the outside interface. The branch office uses an internal IP address of 10.2.1.1/24 and an IP address of 172.30.2.1 on the outside interface. The following is the configuration for the PIX Firewall at the main office. After the configuration, you will see a discussion of the commands used.

 hostname mainofficepix
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 interface ethernet0 auto
 interface ethernet1 auto
 mtu outside 1500
 mtu inside 1500
 ip address outside 172.30.1.1 255.255.255.0
 ip address inside 10.1.1.1 255.255.255.0
 access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
 nat (inside) 0 access-list 100
 sysopt connection permit-ipsec
 crypto ipsec transform-set maintransformset esp-des esp-md5-hmac
 crypto map mymap 10 ipsec-isakmp
 crypto map mymap 10 match address 100
 crypto map mymap 10 set peer 172.30.2.1
 crypto map mymap 10 set transform-set maintransformset
 crypto map mymap interface outside
 isakmp enable outside
 isakmp key mysharedkey address 172.30.2.1 netmask 255.255.255.255
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash md5
 isakmp policy 10 group 1
 isakmp policy 10 lifetime 768

All of the preceding commands have been discussed previously within this chapter. There are only a few new items that you need to watch carefully to ensure that this configuration will work.

This article was originally published on Oct 30, 2001

jfreund@internet.com

Get the Latest Scoop with Networking Update Newsletter

Thanks for your registration, follow us on our social networks to keep up-to-date