192 Chapter 10: Virtual Private Networks
Scenario
VPN Configurations
Clearly the most detail-oriented and time-consuming portion of configuring VPNs is ensuring that both peers have matching configurations. This task usually becomes more complicated because you might have access to only one peer and must rely on someone else to configure the other end. A single discrepancy between the configurations can prevent the key exchange from completing or prevent encryption from occurring. It is best to compare the configurations on both peers before attempting the connection rather than trying to troubleshoot the VPN after an unsuccessful connection.
In this scenario, you are working as a consultant and have been assigned the task of configuring a full-mesh VPN between corporate headquarters and two branch offices. Figure 10-6 shows the layout of each network and how the VPNs are to connect.
Figure 10-6 VPN Network Layout
[Figure: the three sites connect to each other through the Internet in a full mesh]
Corporate Headquarters (Los Angeles): Outside FW1 192.168.1.1, FW2 192.168.1.2; Inside 10.10.10.0/24; DMZ 172.16.1.0/24
Boston Branch Office: Outside 192.168.2.1; Inside 10.10.2.0/24; DMZ 172.16.2.0/24
Atlanta Branch Office: Outside 192.168.3.1; Inside 10.10.3.0/24; DMZ 172.16.3.0/24
The three locations have all provided their current PIX configurations, but each has a significant amount of information missing. It is your responsibility to complete each of the configurations and ensure that they are correct. Example 10-10 shows the configuration for the corporate headquarters in Los Angeles.
Example 10-10 PIX Configuration for Los Angeles
1.: Saved
2.:
3.PIX Version 6.2(2)
4.nameif ethernet0 outside security0
5.nameif ethernet1 inside security100
6.nameif ethernet2 DMZ security70
7.enable password HtmvK15kjhtlyfvcl encrypted
8.passwd Kkjhlkf1568Hke encrypted
9.hostname LosAngeles
10.domain-name www.Chapter10.com
11.fixup protocol ftp 21
12.fixup protocol http 80
13.fixup protocol h323 1720
14.fixup protocol rsh 514
15.fixup protocol smtp 25
16.fixup protocol sqlnet 1521
17.fixup protocol sip 5060
18.fixup protocol skinny 2000
19.names
20.access-list inbound permit icmp any host 192.168.1.10
21.access-list inbound permit tcp any host 192.168.1.10 eq www
22.access-list inbound permit tcp any host 192.168.1.10 eq 443
23.access-list inbound permit tcp any host 192.168.1.11 eq www
24.access-list inbound permit tcp any host 192.168.1.11 eq 443
25.access-list inbound permit tcp any host 192.168.1.12 eq www
26.access-list inbound permit tcp any host 192.168.1.12 eq 443
27.access-list inbound permit tcp any host 192.168.1.13 eq ftp
28.access-list inbound permit tcp any host 192.168.1.10 eq 443
29.access-list DMZ permit udp 172.16.1.0 255.255.255.0 host 10.10.10.240 eq ntp
30.access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.2.0 255.255.255.0
31._____________________________________________________________________________
32._____________________________________________________________________________
33._____________________________________________________________________________
34.pager lines 24
35.logging on
36.logging timestamp
37.interface ethernet0 auto
38.interface ethernet1 auto
39.interface ethernet2 auto
40.mtu outside 1500
41.mtu inside 1500
42.ip address outside 192.168.1.1 255.255.255.0
43.ip address inside 10.10.10.1 255.255.255.0
44.ip address DMZ 172.16.1.1 255.255.255.0
45.failover
46.failover timeout 0:00:00
47.failover poll 15
48.failover ip address outside 192.168.1.2
49.failover ip address inside 10.10.10.2
50.failover ip address DMZ 172.16.1.2
51.arp timeout 14400
52.global (outside) 1 192.168.1.20-250
53.nat (inside) 1 0.0.0.0 0.0.0.0
54.nat (inside) 0 access-list VPN
55.static (DMZ,outside) 192.168.1.10 172.16.1.10 netmask 255.255.255.255 0 0
56.static (DMZ,outside) 192.168.1.11 172.16.1.11 netmask 255.255.255.255 0 0
57.static (DMZ,outside) 192.168.1.12 172.16.1.12 netmask 255.255.255.255 0 0
58.static (DMZ,outside) 192.168.1.13 172.16.1.13 netmask 255.255.255.255 0 0
59.access-group inbound in interface outside
60.access-group DMZ in interface DMZ
61.route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
62.timeout xlate 3:00:00
63.timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
64.timeout uauth 0:05:00 absolute
65.aaa-server TACACS+ protocol tacacs+
66.aaa-server RADIUS protocol radius
67.no snmp-server location
68.no snmp-server contact
69.snmp-server community public
70.no snmp-server enable traps
71.floodguard enable
72.sysopt connection permit-ipsec
73.no sysopt route dnat
74.crypto ipsec transform-set
75.crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
76.____________________________________________________________________
77.____________________________________________________________________
78.____________________________________________________________________
79.crypto map Chapter10 10 set transform-set Chapter10
80.crypto map Chapter10 20 ipsec-isakmp
81._____________________________________________________________________
82._____________________________________________________________________
83._____________________________________________________________________
84.crypto map Chapter10 interface outside
85._____________________________________________________________________
86._____________________________________________________________________
87._____________________________________________________________________
88._____________________________________________________________________
89._____________________________________________________________________
90._____________________________________________________________________
91._____________________________________________________________________
92._____________________________________________________________________
93._____________________________________________________________________
94.terminal width 80
95.Cryptochecksum:e0clmj3546549637cbsFds54132d5
Example 10-11 shows the configuration for the Boston branch office.
Example 10-11 PIX Configuration for Boston
1.: Saved
2.:
3.PIX Version 6.2(2)
4.nameif ethernet0 outside security0
5.nameif ethernet1 inside security100
6.nameif ethernet2 DMZ security70
7.enable password ksjfglkasglc encrypted
8.passwd kjngczftglkacytiur encrypted
9.hostname Boston
10.domain-name www.Chapter10.com
11.fixup protocol ftp 21
12.fixup protocol http 80
13.fixup protocol smtp 25
14.fixup protocol skinny 2000
15.names
16.access-list inbound permit icmp any host 192.168.2.10
17.access-list inbound permit tcp any host 192.168.2.10 eq www
18.access-list inbound permit tcp any host 192.168.2.10 eq 443
19.access-list DMZ permit udp 172.16.2.0 255.255.255.0 host 10.10.2.240 eq ntp
20.access-list
21.access-list
22.access-list
23.access-list
24.pager lines 24
25.logging on
26.logging timestamp
27.interface ethernet0 auto
28.interface ethernet1 auto
29.interface ethernet2 auto
30.mtu outside 1500
31.mtu inside 1500
32.ip address outside 192.168.2.1 255.255.255.0
33.ip address inside 10.10.2.1 255.255.255.0
34.ip address DMZ 172.16.2.1 255.255.255.0
35.arp timeout 14400
36.global (outside) 1 192.168.2.20-200
37.nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38.nat (inside) 0 access-list VPN
39.static (DMZ,outside) 192.168.2.10 172.16.2.10 netmask 255.255.255.255 0 0
40.access-group inbound in interface outside
41.access-group DMZ in interface DMZ
42.route outside 0.0.0.0 0.0.0.0 192.168.2.254 1
43.timeout xlate 3:00:00
44.timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
45.timeout uauth 0:05:00 absolute
46.aaa-server TACACS+ protocol tacacs+
47.aaa-server RADIUS protocol radius
48.no snmp-server location
49.no snmp-server contact
50.snmp-server community public
51.no snmp-server enable traps
52.floodguard enable
53.___________________________________________________________
54.___________________________________________________________
55.___________________________________________________________
56.crypto map Chapter10 10 ipsec-isakmp
57.crypto map Chapter10 10 match address LosAngeles
58._____________________________________________
59.crypto map Chapter10 10 set transform-set Chapter10
60.crypto map Chapter10 20 ipsec-isakmp
61.crypto map Chapter10 20 match address Atlanta
62.crypto map Chapter10 20 set peer 192.168.3.1
63._____________________________________________
64._____________________________________________
65.isakmp enable outside
66.isakmp key ******** address 192.168.1.1 netmask 255.255.255.255
67.isakmp key ******** address 192.168.3.1 netmask 255.255.255.255
68.isakmp identity address
69.isakmp policy 20 authentication pre-share
70._____________________________________________
71._____________________________________________
72._____________________________________________
73._____________________________________________
74.terminal width 80
75.Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
Example 10-12 shows the configuration for the Atlanta branch office.
Example 10-12 PIX Configuration for Atlanta
1.: Saved
2.:
3.PIX Version 6.2(2)
4.nameif ethernet0 outside security0
5.nameif ethernet1 inside security100
6.nameif ethernet2 DMZ security70
7.enable password ksjfglkasglc encrypted
8.passwd kjngczftglkacytiur encrypted
9.hostname Atlanta
10.domain-name www.Chapter10.com
11.fixup protocol ftp 21
12.fixup protocol http 80
13.fixup protocol smtp 25
14.fixup protocol skinny 2000
15.names
16.access-list inbound permit icmp any host 192.168.3.10
17.access-list inbound permit tcp any host 192.168.3.10 eq www
18.access-list inbound permit tcp any host 192.168.3.10 eq 443
19.access-list DMZ permit udp 172.16.3.0 255.255.255.0 host 10.10.3.240 eq ntp
20.access-list
21.access-list
22.access-list
23.access-list
24.pager lines 24
25.logging on
26.logging timestamp
27.interface ethernet0 auto
28.interface ethernet1 auto
29.interface ethernet2 auto
30.mtu outside 1500
31.mtu inside 1500
32.ip address outside 192.168.3.1 255.255.255.0
33.ip address inside 10.10.3.1 255.255.255.0
34.ip address DMZ 172.16.3.1 255.255.255.0
35.arp timeout 14400
36.global (outside) 1 192.168.3.20-200
37.nat (inside) 1 0.0.0.0 0.0.0.0 0 0
38.nat (inside) 0 access-list VPN
39.static (DMZ,outside) 192.168.3.10 172.16.3.10 netmask 255.255.255.255 0 0
40.access-group inbound in interface outside
41.access-group DMZ in interface DMZ
42.route outside 0.0.0.0 0.0.0.0 192.168.3.254 1
43.timeout xlate 3:00:00
44.timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
45.timeout uauth 0:05:00 absolute
46.aaa-server TACACS+ protocol tacacs+
47.aaa-server RADIUS protocol radius
48.no snmp-server location
49.no snmp-server contact
50.snmp-server community public
51.no snmp-server enable traps
52.floodguard enable
53.sysopt connection permit-ipsec
54.crypto ipsec transform-set
55.crypto ipsec transform-set NothingNew esp-3des esp-sha-hmac
56.crypto map Chapter10 10 ipsec-isakmp
57.crypto map
58.crypto map
59.crypto map Chapter10 10 set transform-set Chapter10
60.crypto map
61.crypto map
62.crypto map
63.crypto map Chapter10 20 set transform-set Chapter10
64.crypto map
65.isakmp
66.isakmp key ********
67.isakmp key
68.isakmp identity address
69.isakmp policy 20
70.isakmp policy 20 encryption 3des
71.isakmp policy 20 hash md5
72.isakmp policy 20 group 2
73.isakmp policy 20 lifetime 86400
74.terminal width 80
75.Cryptochecksum:e0c04954fcabd239ae291d58fc618dd5
Each line of the configuration is numbered, and certain lines have not been completed. Your job is to complete the lines and verify each configuration against the configuration of the VPN peer. The following sections give the blank lines for each configuration. The completed configurations are listed at the end of the chapter, along with a complete description of each element from the configuration in Los Angeles. You will not find all the information needed to complete the configuration on a single firewall. Remember that the configurations must match on each end of the VPN.
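As an added example (not from the book), the following Python checker parses the crypto-relevant lines of two PIX 6.x configurations and reports the kinds of mismatch the text warns about: transform sets, ISAKMP policy attributes, crypto map peer addresses, and mirror-image interesting-traffic ACLs. The SITE template, the addresses 192.0.2.1 and 198.51.100.1, and the networks 10.0.1.0/24 and 10.0.2.0/24 are constructed sample input, not the chapter's completed configurations.

```python
from collections import defaultdict

def parse_pix_vpn(text):
    """Collect the PIX 6.x IPsec/ISAKMP settings that must agree between VPN peers."""
    cfg = {"outside": None, "tsets": {}, "maps": defaultdict(dict),
           "policies": defaultdict(dict), "acls": defaultdict(list)}
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            cfg["tsets"][w[3]] = frozenset(w[4:])  # transform order is irrelevant
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[3].isdigit():
            key = w[5] if w[4] == "set" else "acl"  # "set peer", "set transform-set", "match address"
            cfg["maps"][int(w[3])][key] = w[6]
        elif w[:2] == ["isakmp", "policy"] and len(w) > 4:
            cfg["policies"][int(w[2])][w[3]] = w[4]
        elif w[:1] == ["access-list"] and len(w) > 2:
            cfg["acls"][w[1]].append(tuple(w[2:]))
    return cfg

def mirror(ace):
    """Swap source and destination of a 'permit ip src mask dst mask' entry."""
    return ace[:2] + ace[4:6] + ace[2:4] if len(ace) == 6 else ace

def check_peers(a, b):
    """List what would stop the a<->b tunnel from forming; an empty list means consistent."""
    ea = next((e for e in a["maps"].values() if e.get("peer") == b["outside"]), None)
    eb = next((e for e in b["maps"].values() if e.get("peer") == a["outside"]), None)
    if ea is None or eb is None:
        return ["no crypto map entry pointing at the other peer"]
    problems = []
    if a["tsets"].get(ea.get("transform-set")) != b["tsets"].get(eb.get("transform-set")):
        problems.append("transform sets differ")
    # IKE lifetime is negotiated down to the shorter value; the other attributes must match exactly
    def core(p):
        return {k: v for k, v in p.items() if k != "lifetime"}
    if not any(core(x) == core(y) for x in a["policies"].values() for y in b["policies"].values()):
        problems.append("no ISAKMP policy common to both peers")
    if set(a["acls"].get(ea.get("acl"), [])) != {mirror(x) for x in b["acls"].get(eb.get("acl"), [])}:
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems
# Constructed sample fragments using documentation-range addresses, not the chapter's completed
# configurations; PEER_B deliberately uses an md5 ISAKMP hash where PEER_A uses sha.
SITE = """ip address outside {me} 255.255.255.0
access-list VPN permit ip {lan} 255.255.255.0 {rlan} 255.255.255.0
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map SITE 10 match address VPN
crypto map SITE 10 set peer {peer}
crypto map SITE 10 set transform-set STRONG
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash {hash}
isakmp policy 20 group 2
isakmp policy 20 lifetime {life}"""
PEER_A = SITE.format(me="192.0.2.1", peer="198.51.100.1", lan="10.0.1.0", rlan="10.0.2.0", hash="sha", life=86400)
PEER_B = SITE.format(me="198.51.100.1", peer="192.0.2.1", lan="10.0.2.0", rlan="10.0.1.0", hash="md5", life=43200)
if __name__ == "__main__":
    print(check_peers(parse_pix_vpn(PEER_A), parse_pix_vpn(PEER_B)))
```

Run against the three scenario configurations once they are completed, the checker flags each peer pair that would fail before any tunnel is attempted.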
Los Angeles Configuration
Fill in the missing lines in Example 10-10:
Line 31: ___________________________________________________
Line 32: ___________________________________________________
Line 33: ___________________________________________________
Line 74: ___________________________________________________
Line 76: ___________________________________________________
Line 77: ___________________________________________________
Line 78: ___________________________________________________
Line 81: ___________________________________________________
Line 82: ___________________________________________________
Line 83: ___________________________________________________
Line 85: ___________________________________________________
Line 86: ___________________________________________________
Line 87: ___________________________________________________
Line 88: ___________________________________________________
Line 89: ___________________________________________________
Line 90: ___________________________________________________
Line 91: ___________________________________________________
Line 92: ___________________________________________________
Line 93: ___________________________________________________
Boston Configuration
Fill in the missing lines in Example 10-11:
Line 20: ___________________________________________________
Line 21: ___________________________________________________
Line 22: ___________________________________________________
Line 23: ___________________________________________________
Line 53: ___________________________________________________
Line 54: ___________________________________________________
Line 55: ___________________________________________________
Line 58: ___________________________________________________
Line 63: ___________________________________________________
Line 64: ___________________________________________________
Line 70: ___________________________________________________
Line 71: ___________________________________________________
Line 72: ___________________________________________________
Line 73: ___________________________________________________
Atlanta Configuration
Fill in the missing lines in Example 10-12:
Line 20: ___________________________________________________
Line 21: ___________________________________________________
Line 22: ___________________________________________________
Line 23: ___________________________________________________
Line 54: ___________________________________________________
Line 57: ___________________________________________________
Line 58: ___________________________________________________
Line 60: ___________________________________________________
Line 61: ___________________________________________________
Line 62: ___________________________________________________
Line 64: ___________________________________________________
Line 65: ___________________________________________________
Line 66: ___________________________________________________
Line 67: ___________________________________________________
Line 69: ___________________________________________________