Page 1: Cisco VPN Partner Technical Development
Module 2 : PIX Configuration
APAC Channels Technical Operations
Page 2: PIX Advanced Road Show Agenda
• Six Primary Commands
• VPN Configuration
• PDM 2.0
Page 3: The Six Primary Commands
Page 4: PIX Firewall Primary Commands
There are six primary configuration commands for the PIX Firewall:
Page 5: Command 1: nameif
pixfirewall(config)# nameif hardware_id if_name security_level
• The nameif command assigns a name to each perimeter interface on the PIX Firewall and specifies its security level.
dmz sec50
Page 6: Command 2: interface
pixfirewall(config)# interface hardware_id hardware_speed
• The interface command configures the type and capability of each perimeter interface.
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 10
pixfirewall(config)# interface ethernet2 100
Page 7: Command 3: ip address
pixfirewall(config)# ip address if_name ip_address [netmask]
• The ip address command assigns an IP address to each interface.
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
Page 9: Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
• Works with the nat command to assign a registered or public IP address to an internal host when it accesses the outside network through the firewall.
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
• When internal hosts access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20–192.168.0.254 range.
Page 10: Three Interfaces with NAT
Diagram (figure labels only): the PIX Firewall has three interfaces. e0 is outside, security level 0, on 192.168.0.0/24 toward the Internet through the pod perimeter router. e1 is inside, security level 100, on 10.0.0.0/24, with an inside host running web and FTP servers. e2 is dmz, security level 50, on 172.16.0.0/24, with a bastion host running web and FTP servers. A backbone web, FTP, and TFTP server sits at 172.26.26.50. Host-part labels in the figure: .2 on the outside interface, .1 on the inside and dmz interfaces, .1 for the perimeter router, and .3 for one of the servers.
Page 11: Command 6: route
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
• The route command defines a static or default route for an interface.
0.0.0.0 192.168.0.1 1
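The six commands together on one box, as an added example that is not taken from the slides: it follows the Page 10 topology (192.168.0.0/24 outside, 10.0.0.0/24 inside, 172.16.0.0/24 dmz, perimeter router at 192.168.0.1), while the PIX's own interface addresses (.2 outside, .1 inside and dmz) and the ethernet0/1/2 hardware IDs are assumptions. The nat command (Command 4, whose slide is not in this copy) is included because a global pool does nothing until a nat statement with the same nat_id selects the hosts to translate. Lines beginning with ! are annotations, not PIX commands.

```cisco
! Added example: a complete six-command PIX 6.x base configuration (not from the slides).
! Topology per Page 10; interface addresses and hardware IDs are assumed.
! Command 1: nameif. Distinct security levels define the default trust ordering.
pixfirewall(config)# nameif ethernet0 outside security0
pixfirewall(config)# nameif ethernet1 inside security100
pixfirewall(config)# nameif ethernet2 dmz security50
! Command 2: interface. Speed/duplex per interface (auto is assumed here).
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# interface ethernet1 auto
pixfirewall(config)# interface ethernet2 auto
! Command 3: ip address. One address per named interface (values assumed, see above).
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0
! Command 4: nat. nat_id 1 marks the inside network for translation.
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
! Command 5: global. Hosts selected by nat_id 1 leave with an address from this pool,
! which deliberately excludes .1 (router) and .2 (PIX outside interface).
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
! Command 6: route. Default route through the perimeter router, metric 1.
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
```

The levels, not only the addresses, set the policy: the PIX allows sessions to start from a higher-security interface toward a lower one (inside to dmz or outside) and refuses the reverse direction until a static translation plus an access-list permit it. After entering the configuration, show ip address, show nat, show global and show route confirm each command took effect, and show xlate lists the translations actually in use.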
Page 12: ... any Syslog server.
Page 13: VPN Configuration: Configure IKE Parameters
Page 14: Step 1: Enable or Disable IKE
pixfirewall(config)# isakmp enable interface-name
Firewall interfaces for IPSec
Page 15: Step 2: Configure an IKE Phase One Policy
Internet Key Exchange (IKE) negotiates the IPSec security associations. This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP shared keys. In phase 1, IKE creates an authenticated, secure channel between the two ISAKMP peers, which is called the ISAKMP Security Association.
pixfirewall(config)# isakmp policy priority
pixfirewall(config)# isakmp policy priority group 1|2
pixfirewall(config)# isakmp policy priority lifetime seconds
• Creates a policy suite grouped by priority number
• Creates policy suites that match peers
• Can use default values
Page 16: Step 3: Configure the IKE Pre-shared Key
pixfirewall(config)# isakmp key keystring address peer-address [netmask]
• Pre-shared keystring must be identical at both peers
• Use any combination of alphanumeric characters up to 128 bytes for keystring
• Specify peer-address as a host or wildcard address
• Easy to configure, yet not scalable
Page 17: Step 4: Verify IKE Phase One Policies
pixfirewall# show isakmp policy
Protection suite of priority 10
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Secure Hash Standard
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys)
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
• Displays configured and default IKE protection suites
Page 18: VPN Configuration: Configure IPSec Parameters
Page 19: Step 1: Configure Interesting Traffic
pixfirewall(config)# access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
• permit = encrypt
• deny = do not encrypt
• The access-list selects IP traffic by address, network, or subnet
Page 20: Example Crypto ACLs
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.2.10
PIX2
pix2(config)# show static
static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0
Page 21: Step 2: Configure an IPSec Transform Set
In phase 2, IKE negotiates the security associations and generates the required key material for IPSec.
pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
• Sets are limited to up to one AH and up to two ESP transforms
• Default mode is tunnel
• Configure matching sets between IPSec peers
Page 22: Available IPSec Transforms
ah-md5-hmac    AH-HMAC-MD5 transform
ah-sha-hmac    AH-HMAC-SHA transform
esp-des        ESP transform using DES cipher (56 bits)
esp-3des       ESP transform using 3DES cipher (168 bits)
esp-md5-hmac   ESP transform using HMAC-MD5 auth
esp-sha-hmac   ESP transform using HMAC-SHA auth
Page 23: Step 3: Configure the Crypto Map
esp-des esp-sha-hmac
access-list-name
hostname | ip-address
transform-set transform-name1 [transform-name2, ... transform-set-name9]
| group2]
security-association lifetime seconds seconds | kilobytes kilobytes
• Specifies IPSec (IKE phase two) parameters
• Map names and sequence numbers group entries into a policy
• Perfect Forward Secrecy re-calculates DH Public/Private Keys on
Page 24: Step 4: Apply the Crypto Map to an Interface
pixfirewall(config)# crypto map map-name interface interface-name
• Applies the crypto map to an interface
• Activates IPSec policy
Page 25: Example Crypto Map for PIX1
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
Page 26: Example Crypto Map for PIX2
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
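The IKE and IPSec steps from Page 14 through Page 24 carried through on PIX1 as one configuration, as an added example that is not from the slides. It reuses what the slides do give (access-list 110 and the static from Page 20, the map name peer2 from Page 25, the esp-des esp-sha-hmac pair from Page 23); the peer outside address 192.168.2.2, the transform-set name pix2 and the REPLACE-WITH-SHARED-SECRET placeholder are assumptions. Lines beginning with ! are annotations, not PIX commands.

```cisco
! Added example (not from the slides): site-to-site IPSec on PIX1 toward PIX2.
! Peer address, transform-set name and the key placeholder are assumed.
! --- IKE phase 1 (Pages 14 to 16) ---
pix1(config)# isakmp enable outside
! Policy 10 mirrors the "Protection suite of priority 10" shown on Page 17.
pix1(config)# isakmp policy 10 authentication pre-share
pix1(config)# isakmp policy 10 encryption des
pix1(config)# isakmp policy 10 hash sha
pix1(config)# isakmp policy 10 group 1
pix1(config)# isakmp policy 10 lifetime 86400
! Pre-shared key bound to the single peer; PIX2's outside address is assumed.
pix1(config)# isakmp key REPLACE-WITH-SHARED-SECRET address 192.168.2.2 netmask 255.255.255.255
! --- IPSec phase 2 (Pages 19 to 24) ---
! The static makes 10.0.1.3 appear as 192.168.1.10, so the crypto ACL
! matches the translated addresses on both ends (Page 20).
pix1(config)# static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0
pix1(config)# access-list 110 permit ip host 192.168.1.10 host 192.168.2.10
! Transform set: one ESP cipher plus one ESP authenticator, tunnel mode by default.
pix1(config)# crypto ipsec transform-set pix2 esp-des esp-sha-hmac
! Crypto map entry: map name and sequence number group the policy together.
pix1(config)# crypto map peer2 10 ipsec-isakmp
pix1(config)# crypto map peer2 10 match address 110
pix1(config)# crypto map peer2 10 set peer 192.168.2.2
pix1(config)# crypto map peer2 10 set transform-set pix2
! Applying the map to the interface is what activates the policy (Page 24).
pix1(config)# crypto map peer2 interface outside
! Let traffic that arrived inside an IPSec tunnel bypass the interface ACL check.
pix1(config)# sysopt connection permit-ipsec
```

PIX2's configuration is the mirror image: its static translates 10.0.2.3 to 192.168.2.10, its crypto ACL permits ip host 192.168.2.10 host 192.168.1.10, its key names PIX1's outside address, and its map is the "peer1" map shown on Page 26. The DES, SHA and group 1 values above only match the slide deck's default suite on Page 17; since esp-3des and group 2 are already available on Pages 22 and 23, a production deployment should prefer them. Once both sides are in place, show isakmp policy, show crypto ipsec transform-set and show crypto map (Pages 28 and 29) confirm the configuration, and the first packet matching access-list 110 triggers the IKE negotiation.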
Page 27: Test and Verify VPN Configuration
Page 28: Test and Verify VPN Configuration
• Verify ACLs and interesting traffic: show access-list
• Verify correct IKE configuration: show isakmp, show isakmp policy
• Verify correct IPSec configuration: show crypto ipsec transform-set
Page 29: Test and Verify VPN Configuration (cont.)
• Verify the correct crypto map configuration: show crypto map
• Verify tunnel state: show crypto engine connection active
• Clear the IPSec SA: clear crypto sa
• Clear the IKE SA: clear isakmp
• Debug IKE and IPSec traffic through the PIX Firewall: debug crypto ipsec, debug crypto isakmp
Page 30: PDM 2.0 Overview
Page 31: What Is PDM?
• PDM is a browser-based configuration tool designed to help configure and monitor your PIX Firewall.
Diagram (figure labels only): Internet; SSL secure tunnel.
Page 32: PDM Features
• Works with PIX Firewall software versions 6.0 and higher.
• Can operate on PIX Firewall models 506, 515, 525, and 535.
• Implemented in Java to provide robust, real-time monitoring.
• Runs on a variety of platforms.
• Does not require a plug-in software installation.
• Comes preloaded into Flash memory on new PIX Firewalls running versions 6.0 and higher.
• For upgrading from a previous version of PIX Firewall, it can be downloaded from Cisco and then copied to the PIX Firewall via TFTP.
Page 33: PDM’s PIX Firewall Requirements
A PIX Firewall must meet the following requirements to run PDM:
• You must have version 6.0 installed on the PIX Firewall before using PDM. If you are using a new (version 6.0) PIX Firewall, you have all the requirements.
• You must have an activation key that enables DES or the more secure 3DES, which PDM requires for support of the SSL protocol.
• You must have at least 8 MB of Flash memory on the PIX Firewall.
• Ensure that your configuration is less than 100 KB (approximately 1500 lines). Configurations over 100 KB cause PDM performance degradation.
Page 34: PDM’s Browser Requirements
To access PDM from a browser, you must meet the following requirements:
• JavaScript and Java must be enabled
• Browser support for SSL must be enabled
Page 35: Supported Platforms
• SUN Solaris
• Linux
Page 36: Configure the PIX Firewall to Use PDM
• Before you can use or install PDM, you need to enter the following information on the PIX Firewall via a console terminal:
Page 37 (cont.)
• Inside network mask: 255.255.255.0
• Host name: pixP
• Domain name: cisco.com
• IP address of host running PIX Device Manager: 10.0.P.11
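The console-side preparation that the Page 36 and Page 37 list describes, written out as an added example that is not from the slides. It uses the slide values (host name pixP, domain cisco.com, inside mask 255.255.255.0, PDM host 10.0.P.11) with P kept as the slides' pod-number placeholder, which must be replaced before the commands are entered; the inside interface address 10.0.P.1 is an assumption, since only the mask appears on the slide. Lines beginning with ! are annotations, not PIX commands.

```cisco
! Added example (not from the slides): preparing a PIX 6.x for PDM from the console.
! P is the pod-number placeholder from the slides; replace it before pasting.
pixfirewall(config)# hostname pixP
! Host name plus domain name form the identity the SSL certificate is generated for.
pixP(config)# domain-name cisco.com
! Inside address is assumed as 10.0.P.1; only the mask 255.255.255.0 is on the slide.
pixP(config)# ip address inside 10.0.P.1 255.255.255.0
! Generate the RSA key that PDM's SSL server uses, then save it to Flash.
pixP(config)# ca generate rsa key 1024
pixP(config)# ca save all
! Start the HTTPS server and permit only the PDM host, on the inside interface.
pixP(config)# http server enable
pixP(config)# http 10.0.P.11 255.255.255.255 inside
! Persist the configuration.
pixP(config)# write memory
```

The http statement is the access control for the management interface: the host/mask pair decides who may open the SSL session at all, so it should name the management station (or a small management subnet) on an internal interface rather than an outside address. The RSA key is why Page 33 lists the DES/3DES activation key as a requirement; without it the SSL server that PDM depends on cannot be enabled.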
Page 38: Using PDM to Configure the PIX Firewall
Page 41: Access Rules Tab
• From the Access Rules tab, you can view, edit, add, and delete ACLs and bind them to interfaces. You can also create service groups and view, enable, or disable Java and ActiveX filtering.
Page 42: Translation Rules Tab
• From the Translation Rules tab, you can view, edit, create, and delete static and dynamic address translation rules.
Page 44: Hosts/Networks Tab
• From the Hosts/Networks tab, you can view, edit, add, or delete hosts, networks, and network groups.
Page 45: System Properties Tab
From the System Properties tab, you can configure the following:
Page 47: Interface Graphs Panel
... counts and bit rates, for each enabled interface on the PIX Firewall
Page 48: Tools and Options
The following are among the tasks you can perform from the drop-down menus in PDM’s main window:
• Enable the Preview Commands Before Sending to PIX option, which enables you to preview any proposed