Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf
15.78 Mб

188Chapter 10: Virtual Private Networks

Manual IPSec, which requires you to manually configure each peer. This method is not recommended by Cisco, because it does not allow for key exchanges and therefore would be rather easy to decrypt, given enough time and traffic. Obviously, manual IPSec is not a scalable solution.

IKE, which dynamically negotiates your SA using preshared keys or digital certificates. Preshared keys still require you to manually enter a preshared key into each IPSec peer.

IKE with digital certificates is the most dynamic solution that lets IKE negotiate your IPSec SA and a CA server authenticating each peer. This system is completely dynamic, very secure, and very scalable.

PPPoE Support

Cisco PIX Firewall software version 6.2 supports Point-to-Point Protocol over Ethernet (PPPoE). PPPoE provides a standard method of using PPP authentication over an Ethernet network and is used by many Internet service providers (ISPs) to grant client machine access to their networks, commonly through DSL. PPPoE is supported only on the outside interfaces of the PIX 501 and PIX 506/506E.

Step 1
Step 2
Step 3
Step 4

Foundation Summary 189

Foundation Summary

There are three different VPN types: access, intranet, and extranet. Access VPNs are used for remote users and normally require client software. Intranet and extranet VPNs are configured as site-to-site VPNs.

VPN peers need to authenticate each other and negotiate the IPSec SA. The negotiation is completed automatically using IKE. The authentication is completed using preshared keys, RSA signatures (certificates), or RSA nonces. To configure IKE on the PIX, you use the following commands:

isakmp policy:

Configures the authentication type.

Configures the message encryption algorithm.

Configures the message integrity algorithm.

Configures the key exchange parameters.

Defines the SA lifetime (reinitiates the Diffie-Hellman key exchange).

isakmp enable—Applies the ISAKMP policy to an interface, allowing that interface to receive UDP500 traffic.

isakmp identity—Identifies the local peer by IP address or host name.

isakmp key—If you’re using a preshared key, define the key and the peer (by IP address or host name).

After you configure IKE, you are ready to configure IPSec. Follow these steps:

Configure access-list so that the PIX knows what traffic should be encrypted.

Create transform-sets to define the encryption and integrity to be used for the session.

Define ipsec security-association lifetime (optional) to reduce the opportunity of others to crack your encryption.

Configure crypto-map:

Define SA negotiation (manual or IKE).

Apply access-list to crypto-map.

Apply transform-set to crypto-map.

Identify the SA peer by IP address or host name.

Apply crypto-map to an interface.

190 Chapter 10: Virtual Private Networks

Three commands (and many options for each) are available to troubleshoot VPN connectivity:

show—Displays the current configuration or current SA status.

clear—Removes the current configuration or setting (usually used to regenerate the connection).

debug—Allows you to see ongoing sessions and key negotiations.

Cisco VPN Client is used to connect remote users to internal resources via an encrypted tunnel. The package handles all the negotiation and encryption and can operate using any connection to the Internet.

To develop a scalable VPN solution, you must implement a dynamic means of authentication. The most effective and scalable method today is the use of IKE and certification authorities.

Q&A 191


The questions in this section are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.

The answers to these questions can be found in Appendix A.

1What is the default lifetime if not defined in isakmp policy?

2Do your transform sets have to match exactly on each peer?

3True or false: The X509v3 standard applies to the ESP header’s format.

4What is the difference between the isakmp lifetime and the crypto-map lifetime?

5What command do you use to delete any active SAs?

6What is the command for defining a preshared key?

7What is the first thing you should check if you are unable to establish a VPN?

8What is the function of the access list with regard to VPNs?

9What PIX firewalls support PPPoE?