Configuring site-2-site VPN on Cisco PIX 506

The Cisco PIX firewall series is very nice and ranges from the little entry-level PIX 501 to larger gigabit, enterprise-ready models. We normally use the PIX 501 and PIX 506 with 3DES and/or AES because of their low price, solid functionality and built-in VPN capability.

Normal configuration
The configuration I normally do is the following:

  • Use static to map services from the outside address(es) to the inside address(es).
  • Use an access-list to allow the traffic to pass from the outside interface to the inside interface. Normal services to map through are SMTP, HTTP, HTTPS and Lotus Notes (1352).
  • Use an access-list to restrict users from accessing services other than HTTP, HTTPS and FTP through the firewall. No unwanted filesharing etc.
  • Configure IPSEC VPN from all remote addresses to connect using 3DES and a shared secret. We use RADIUS to authenticate users connecting so they can use their Windows username and password.

The above is normally enough to meet our customers' needs as well as our own setup, even though there might be more than one site. Internally we have made the conscious choice of not configuring VPN tunnels between sites since most users do not need to access services at other sites. The users that need access to other sites use the VPN client and hence know when they could affect other sites.

Site-2-site IPSEC VPN
This time I needed to configure a full site-2-site VPN tunnel that would allow users and servers at each site to transparently access services at the other site. It proved surprisingly easy to configure once I understood the way the PIX uses so-called “crypto maps” and once I got a hold of a good book called Cisco Security Specialists Guide to Pix Firewall.

To configure VPN access we use a dynamic crypto map, which allows the PIX to create a crypto map per user once they connect. This is, however, not the desired setup for a site-2-site configuration, where you want to know exactly which networks and peers are involved. The dynamic crypto map should still be there so that remote users can keep accessing the site with the VPN client.

Before you begin
Below I assume that all existing IPSEC related configuration has been removed, such as crypto maps, transform sets and isakmp setup. To see any existing configuration enter enable mode (and configure terminal mode) and use the “sh crypto map”, “sh crypto ipsec transform-set” and “sh isakmp” commands.

The setup
I also assume you have two IP-segments you would like to connect. My IP-segments are the 192.168.1.0/24 segment and the 192.168.2.0/24 segment. Each end has a PIX 506/501 in front and the edge router allows all IP protocols to pass through to the PIX (incl. ESP and AH). Check with your ISP since some connections have these protocols blocked and only allow TCP and UDP traffic.

The configuration I show is the configuration from the 192.168.2.0/24 segment (source) to the 192.168.1.0/24 segment (target). The PIX in the source end has the public IP-address 2.2.2.2 and the public IP-address in the target end is 1.1.1.1 (the addresses are made up).

To configure the PIX you need to add the following pieces of configuration.

-- allow IPSEC traffic through to the inside interface of the PIX
-- unfiltered (this is not a security issue)
sysopt connection permit-ipsec

-- create a transform-set which basically means which protocols should we use
crypto ipsec transform-set myset esp-3des esp-md5-hmac

-- create client VPN config using dynamic crypto map referencing the transform-set.
-- The priority is set to 50 to have it be the last of the two maps we end up creating
crypto dynamic-map dynmap 10 set transform-set myset

-- create a crypto map for the client using RADIUS authentication
-- (be sure to also configure an aaa-server for this)
crypto map pix-ny_map 50 ipsec-isakmp dynamic dynmap
crypto map pix-ny_map client configuration address initiate
crypto map pix-ny_map client configuration address respond
crypto map pix-ny_map client authentication RADIUS

-- enable IKE on the outside interface and define an IKE policy that uses
-- the pre-shared key (needed since the isakmp setup was removed above;
-- 3DES/MD5 matches the transform-set)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2

-- create a pre-shared key IKE towards the target (1.1.1.1)
isakmp key <shared secret> address 1.1.1.1 netmask 255.255.255.255

-- create an access-list to handle all traffic from 192.168.2.0 --> 192.168.1.0
access-list site2site_vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

-- exclude NAT'ing the traffic handled by the access-list we just created
nat 0 access-list site2site_vpn

-- create a crypto map to pull everything together
crypto map pix-ny_map 10 ipsec-isakmp

-- add the addresses to match for this crypto map
crypto map pix-ny_map 10 match address site2site_vpn

-- set the peer for the tunnel
crypto map pix-ny_map 10 set peer 1.1.1.1

-- define the transform set (the suite of protocols) to be used for our map
crypto map pix-ny_map 10 set transform-set myset

-- apply the crypto map to the outside interface (there can only be one map per interface)
crypto map pix-ny_map interface outside

-- if you use an access-list to restrict traffic from the internal interface
-- to the outside you must allow the traffic from 192.168.2.0 to pass to 192.168.1.0
access-list inside permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Please note: You need to create the same configuration in the target end using the same shared secret! In the target end you need to specify another address for the peer (change 1.1.1.1 to 2.2.2.2) and swap the IP-segments in both the access-list commands (192.168.1.0 / 192.168.2.0).
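As an added check that is not part of the original post, the following Python script parses a PIX 6.x configuration like the one above and flags the mistakes that most often keep a site-2-site tunnel from coming up: a crypto map entry missing its match address, peer or transform-set, an ACL that is not exempted from NAT, a peer without an isakmp key, a dynamic entry whose sequence number is not higher than the static one, or a map never applied to an interface. The sample configuration is constructed from the commands above with the pre-shared key replaced by a placeholder; run the same function against the target end after swapping the addresses.

```python
import re

# Constructed sample: the source-end commands from this page with the "--"
# comment lines dropped and the pre-shared key replaced by a placeholder.
SAMPLE_CONFIG = """
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map pix-ny_map 50 ipsec-isakmp dynamic dynmap
isakmp key PLACEHOLDER_SECRET address 1.1.1.1 netmask 255.255.255.255
access-list site2site_vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat 0 access-list site2site_vpn
crypto map pix-ny_map 10 ipsec-isakmp
crypto map pix-ny_map 10 match address site2site_vpn
crypto map pix-ny_map 10 set peer 1.1.1.1
crypto map pix-ny_map 10 set transform-set myset
crypto map pix-ny_map interface outside
"""

def check_site2site(config):
    """Return a list of problems found in a PIX 6.x site-to-site crypto map setup."""
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    nat0 = set(re.findall(r"^nat 0 access-list (\S+)", config, re.M))
    ike_peers = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    applied = set(re.findall(r"^crypto map (\S+) interface \S+", config, re.M))
    dynamic_seqs, static = [], {}  # static: (map name, seq) -> {attribute: value}
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic \S+$", line)
        if m:
            dynamic_seqs.append(int(m.group(2)))  # dynamic entry for VPN clients
            continue
        m = re.match(r"crypto map (\S+) (\d+) (ipsec-isakmp|match address|set peer|set transform-set) ?(\S*)$", line)
        if m:
            static.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    problems = []
    for (name, seq), attrs in static.items():
        acl, peer, tset = attrs.get("match address"), attrs.get("set peer"), attrs.get("set transform-set")
        checks = [
            (not acl or not peer or not tset, "needs match address, set peer and set transform-set"),
            (acl and acl not in acls, f"access-list {acl} does not exist"),
            (acl and acl not in nat0, f"{acl} is not exempted from NAT (nat 0 access-list {acl})"),
            (tset and tset not in transform_sets, f"transform-set {tset} does not exist"),
            (peer and peer not in ike_peers, f"no isakmp key configured for peer {peer}"),
            (any(d <= seq for d in dynamic_seqs), "dynamic entry must have a higher sequence number"),
            (name not in applied, "map is not applied to an interface"),
        ]
        problems += [f"crypto map {name} {seq}: {msg}" for bad, msg in checks if bad]
    return problems
```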

Final words
Hopefully this will work for you and save you some hours of frustration. Please note though – you really want to read a primer on IPSEC before venturing into stuff like this to understand how IPSEC works. You might as well start at the Wikipedia article.