Cisco PIX 500 – IPSEC Site to Site VPNs (v6)

KB ID 0000611 

Problem

Note: This is for firewalls running an operating system BEFORE version 7; if you have a PIX running version 7 or above, go here instead. I’ll run through the commands first and then the configuration from the PDM at the end.

Solution

PIX 500: Configure a site to site VPN from command line

1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure Terminal
PetesPIX(config)# 

[/box]

2. I’m assuming the network BEHIND the PIX 500 is 192.168.124.0/24 and the network at the far end of the tunnel is 192.168.123.0/24. So I’m going to create two ACLs: one to tell the PIX that this traffic should be encrypted, and the second to tell the PIX NOT to perform NAT on the VPN traffic.

Note: Yes I can use one ACL, but having two makes it easier to troubleshoot any VPN problems.

[box]

PetesPIX(config)# access-list VPN_CRYPTO_ACL permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
PetesPIX(config)# access-list VPN_NO_NAT line 1 permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0

[/box]

3. Now that I’ve got an ACL that identifies the traffic which should not be NATed, I need to reference it in a “nat 0” statement (this means don’t perform NAT).

Note: Check to make sure you do not already have a nat(inside) 0 xxx command, if you do, use the SAME ACL that is already in use.

[box]

PetesPIX(config)# nat (inside) 0 access-list VPN_NO_NAT

[/box]

4. To set up all the VPN parameters you need to create a crypto map. In the example below I set the peer IP (the firewall at the other end of the tunnel) to 81.81.81.81. Then I tie it to the ACL I created earlier (VPN_CRYPTO_ACL). I’ve set the encryption and hashing used for the tunnel to 3DES and SHA (these will be used for IPSec (Phase 2)). Set the timeouts for the tunnel, and finally apply the crypto map I’ve just created to the outside interface.

[box]

PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set peer 81.81.81.81
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 match address VPN_CRYPTO_ACL
PetesPIX(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
PetesPIX(config)# crypto map VPN_CRYPTO_MAP 20 set security-association lifetime seconds 28800 kilobytes 4608000
PetesPIX(config)# crypto map VPN_CRYPTO_MAP interface outside

[/box]

5. The next command lets VPN traffic bypass any other ACLs configured on the firewall.

[box]

PetesPIX(config)# sysopt connection permit-ipsec

[/box]

6. I’m using a “shared secret” that also needs to be set up on the other end of the tunnel. As I said earlier, the peer IP is 81.81.81.81.

[box]

PetesPIX(config)# isakmp key 123456 address 81.81.81.81 netmask 255.255.255.255 no-xauth no-config-mode

[/box]

7. To establish VPN phase 1 (ISAKMP) the devices at both ends of the tunnel need a matching ISAKMP policy. I’ve already set up my shared secret; the first line lets the other end know that’s how we will authenticate. Then once again I’m using 3DES and SHA. I’m telling the system to use Diffie-Hellman group 2 for the secure key exchange, and then enabling ISAKMP on the outside interface.

Note: If you are interested in how all this stuff works, see here.

[box]

PetesPIX(config)# isakmp policy 20 authen pre-share
PetesPIX(config)# isakmp policy 20 encrypt 3des
PetesPIX(config)# isakmp policy 20 hash sha
PetesPIX(config)# isakmp policy 20 group 2
PetesPIX(config)# isakmp enable outside

[/box]

8. Then save the changes with a write mem command.

[box]

PetesPIX# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesPIX#

[/box]
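Phase 1 and phase 2 only come up when both ends agree on every parameter above, so it pays to compare the two configs side by side before you start debugging. The Python script below is an added example (not from the article or from Cisco): it builds two constructed PIX 6.x fragments in the layout of the steps above, assumes the far end’s outside address is 82.82.82.82, and reports every mismatch it finds: peer addresses, mirror-image crypto ACLs, the nat 0 ACL covering the crypto ACL, ISAKMP policy, pre-shared key and transform-set.

```python
import re
def make_cfg(local_net, remote_net, peer, enc, hsh, group, key):
    # Constructed PIX 6.x fragment laid out like the article's steps; a real "write terminal" shows more.
    nets = f"{local_net} 255.255.255.0 {remote_net} 255.255.255.0"
    return "\n".join([
        f"access-list VPN_CRYPTO_ACL permit ip {nets}",
        f"access-list VPN_NO_NAT line 1 permit ip {nets}",
        "nat (inside) 0 access-list VPN_NO_NAT",
        f"crypto ipsec transform-set ESP-SET esp-{enc} esp-{hsh}-hmac",
        f"crypto map VPN_CRYPTO_MAP 20 set peer {peer}",
        "crypto map VPN_CRYPTO_MAP 20 match address VPN_CRYPTO_ACL",
        f"isakmp key {key} address {peer} netmask 255.255.255.255",
        f"isakmp policy 20 authen pre-share\nisakmp policy 20 encrypt {enc}",
        f"isakmp policy 20 hash {hsh}\nisakmp policy 20 group {group}"])

# Each regex yields (group 1 = name, group 2 = value), stored in the named table.
PATTERNS = [
    (r"access-list (\S+) (?:line \d+ )?permit ip (\S+ \S+ \S+ \S+)", "acl"),
    (r"isakmp key (\S+) address (\S+)", "key"),  # shared secret -> peer address
    (r"isakmp policy \d+ (authen|encrypt|hash|group) (\S+)", "policy"),
    (r"crypto map \S+ \d+ (set peer|match address) (\S+)", "map"),
    (r"crypto ipsec (transform-set) \S+ (.+)", "misc"),
    (r"(nat) \(inside\) 0 access-list (\S+)", "misc")]

def parse(cfg):
    p = {t: {} for t in ("acl", "key", "policy", "map", "misc")}
    for line in cfg.splitlines():
        for rx, table in PATTERNS:
            if m := re.match(rx, line.strip()):
                p[table][m[1]] = m[2]
    return p

def check_pair(local_cfg, remote_cfg, local_ip, remote_ip):
    # Return the reasons (possibly none) the two ends would fail to bring the tunnel up.
    a, b, errs, acls = parse(local_cfg), parse(remote_cfg), [], []
    for side, p, them in (("local", a, remote_ip), ("remote", b, local_ip)):
        crypto = p["acl"].get(p["map"].get("match address"), "")
        acls.append(crypto.split())
        if p["map"].get("set peer") != them: errs.append(f"{side}: peer is not {them}")
        if p["acl"].get(p["misc"].get("nat")) != crypto: errs.append(f"{side}: nat 0 ACL differs from crypto ACL")
    la, rb = acls
    if len(la) != 4 or la != rb[2:] + rb[:2]: errs.append("crypto ACLs are not mirror images")
    if a["policy"] != b["policy"]: errs.append("phase 1: ISAKMP policies differ")
    if not any(a["key"].get(k) == remote_ip and b["key"].get(k) == local_ip for k in a["key"]):
        errs.append("phase 1: pre-shared keys differ")
    if a["misc"].get("transform-set") != b["misc"].get("transform-set"): errs.append("phase 2: transform-sets differ")
    return errs
LOCAL = make_cfg("192.168.124.0", "192.168.123.0", "81.81.81.81", "3des", "sha", 2, "123456")
REMOTE = make_cfg("192.168.123.0", "192.168.124.0", "82.82.82.82", "3des", "sha", 2, "123456")  # assumed far-end view
print(check_pair(LOCAL, REMOTE, "82.82.82.82", "81.81.81.81"))  # -> [] when both ends agree
```

To use it against real devices, paste each end’s relevant `write terminal` lines into the two config strings in place of make_cfg.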

PIX 500: Configure a site to site VPN from the PDM

1. To connect to the PDM you are going to need two things, an OLD browser (IE6) and an OLD version of Java. Select Wizards > VPN Wizard.

2. Site to Site > Next.

3. Set the Peer (Device at the other end of the tunnel) and a shared secret that you will also use at the other end > Next.

4. Set the policy that will be used for phase 1 > Next.

5. Now the phase 2 policy > Next

6. Enter the network behind the PIX > Next.

7. Enter the network at the far end of the tunnel > Finish.

8. Finish by saving the changes > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Set up a PIX Firewall with the PDM

PIX 506E and 501 Firewall Image and PDM Upgrade

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

KB ID 0001104 

Problem

I got sent to Holland this week to look at a firewall deployment, and while I was sat in the airport going over the job I had to do, I realised the solution I had suggested had a problem, see below;

My brief was to provide remote AnyConnect VPN into the network so the client could get their network setup, and manage things remotely. However as I drew the network out in my head I realised that the situation above was what was going to happen.

How was I going to fix that? Well, firstly I thought ‘Just put 192.16.1.1 on the management firewall, and move .2 and .3 to the main firewalls’. Well, that’s fine, but it does not leave me room for expansion, or if the client needs to add remote access to a production network (which will be needed in the future).

Then I thought ‘Can I put a static route on the main firewalls to route 192.168.100.0/24 to the management firewall?’ Which is a pretty horrible solution to be honest; I’m usually on my soap box saying things like ‘It’s a firewall, NOT a router!’. When I have a routing question I don’t know the answer to, I ring Steve.

He suggested that I’d done something similar for another customer on a project we had worked on. In that case I had NATTED the traffic to the egress interface for management traffic. This was AnyConnect traffic but the principle would be the same, could I translate all the incoming AnyConnect traffic to the inside of the Management firewall? If I could, it would be scalable and simple.

Important Note

The networking types will be looking at this problem and thinking, ‘why not just do all the LAN routing on the switches, and share a routing table between them – job done?’ Well, at this point I didn’t know what the switches were (and as it turns out they were not the best), and all the LAN routing was being done by something not on the diagram, which I did not have access to.

I had an hour and a half to kill before the flight, so I fired up GNS3, and by the time I was called to the gate, I had a complete working AnyConnect solution, ready to play with the NAT/PAT rules. Twenty minutes into the flight, I had it working, and proved it with Wireshark.

Solution

In all honesty it’s probably taken longer to explain the requirements than it will to show you the solution.

Before proceeding, make sure you have AnyConnect set up and configured; I’ve pretty much done ALL the hard work for you in the article below. I will use the same object group names in this article as I did in the following one;

Cisco ASA 5500 AnyConnect Setup From Command Line

At this point your routing will be breaking the return traffic flow, but here’s a top tip: if you enable management on your inside interface, you should be able to ping its IP address from your remote client, just to prove connectivity. (This is a standard troubleshooting step I do, as it replies even if the NAT rules are incorrect.) To enable it, simply do this;

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# management-access inside

[/box]

So if you followed my tutorial you will have a NAT rule that looks like this;

nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

This basically means DON’T NAT/PAT this traffic, so all IP addresses will be the same on all networks. We need to remove this and tell it to PAT remote AnyConnect VPN traffic to the ‘inside’ interface; to do that, the command we need is;

nat (outside,inside) source dynamic OBJ-ANYCONNECT-SUBNET interface

Let’s do that and clear the translations on the firewall.

[box]

Petes-ASA(config)# no nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
Petes-ASA(config)# nat (outside,inside) source dynamic OBJ-ANYCONNECT-SUBNET interface
Petes-ASA(config)# clear xlate

[/box]

If you are adamant you want to do this in the ASDM, here is what it looks like in there;

Now give it a test.

Footnote:

Here I have no ACLs applied; if you find you cannot access internal resources, you may not have ‘sysopt connection permit-vpn’ in your config (it’s a hidden command, so you won’t see it). If so, you may need to allow ‘inbound’ traffic on the outside interface. Execute a packet trace; that will tell you.

Related Articles, References, Credits, or External Links

NA