Activity Objective:
In this activity, you will configure a security appliance for a site-to-site VPN. After completing this activity, you will be able to meet these objectives:
- Prepare to configure VPN support
- Configure IKE parameters
- Configure IPSec parameters
- Test and verify the IPSec configuration
Task 1: Prepare to Configure VPN Support
Complete the following steps to prepare for the IKE and IPSec configuration. For this task, use default values unless you are directed to enter a specific value. Your IKE policy will use pre-shared keys. Your IPSec policy will use ESP mode with DES encryption.
1. Verify that a static translation is configured from a global IP address on the outside interface to the internal host.
pixP(config)# show run static
static (dmz,outside) 192.168.P.11 bastionhost netmask 255.255.255.255 0 0
static (inside,outside) 192.168.P.10 insidehost netmask 255.255.255.255 0 0
2. Verify that an ACL permitting web access to your inside host has been configured.
pixP(config)# show access-list
3. Verify that ACLIN is bound to the outside interface.
pixP(config)# show run access-group
access-group ACLIN in interface outside
access-group ACLDMZ in interface dmz
4. Ensure that you can establish a web connection between pods from the student PCs, using the static translation and the ACL.
5. Enable the PIX security appliance to implicitly permit any packet that arrives from an IPSec tunnel, bypassing the check against the access-group bound to the interface for IPSec connections.
pixP(config)# sysopt connection permit-ipsec
Task 2: Configure IKE Parameters
1. Ensure that IKE is enabled on the outside interface.
pixP(config)# isakmp enable outside
2. Set the IKE identity.
pixP(config)# isakmp identity address
3. Configure a basic IKE policy using pre-shared keys for authentication.
pixP(config)# isakmp policy 10 authentication pre-share
4. Configure the tunnel group type.
pixP(config)# tunnel-group 192.168.Q.2 type ipsec-l2l
5. Enter the tunnel-group ipsec-attributes submode.
pixP(config)# tunnel-group 192.168.Q.2 ipsec-attributes
6. Enter the pre-shared key.
pixP(config-ipsec)# pre-shared-key cisco123
Task 3: Configure IPSec (IKE Phase 2) Parameters
1. Create an ACL to select the traffic to protect. The ACL should protect IP traffic between the student PC networks.
pixP(config-ipsec)# access-list 101 permit ip host 192.168.P.10 host 192.168.Q.10
2. View your ACL.
pixP(config)# show access-list
3. Configure an IPSec transform set (IKE Phase 2 parameters) to use ESP and DES. Use the transform set name pixQ.
pixP(config)# crypto ipsec transform-set pixQ esp-des
4. Create a crypto map by completing the following substeps:
1. Create a crypto map entry. Use a map name of peerQ and assign the ACL to the crypto map.
pixP(config)# crypto map peerQ 10 match address 101
2. Define the peer. The peer IP address should be set to the IP address of the peer's outside interface.
pixP(config)# crypto map peerQ 10 set peer 192.168.Q.2
3. Specify the transform set used to reach the peer. Use the transform set name you configured earlier in this task (pixQ).
pixP(config)# crypto map peerQ 10 set transform-set pixQ
4. Apply the crypto map set to the outside interface.
pixP(config)# crypto map peerQ interface outside
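Tasks 1 through 3 tie several objects together: the crypto ACL, the transform set, the peer address, the tunnel group, the interface the map is bound to, and the sysopt bypass. A typo in any one of them leaves a tunnel that never comes up. The following Python script is an added example, not part of the lab and not a Cisco tool; it parses a constructed copy of the running configuration those tasks produce (pod placeholders filled in as P=1 and Q=2, an assumption for illustration) and reports dangling references plus weak transform sets.

```python
import re

# Constructed sample of the "show run" lines produced by Tasks 1-3 of the lab,
# with the pod placeholders filled in as P=1 and Q=2 (assumed values).
LAB_CONFIG = """\
sysopt connection permit-ipsec
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key cisco123
crypto ipsec transform-set pix2 esp-des
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.2
crypto map peer2 10 set transform-set pix2
crypto map peer2 interface outside
"""

# The same configuration with a typo in the transform-set reference (constructed).
BROKEN_CONFIG = LAB_CONFIG.replace("set transform-set pix2", "set transform-set pixq")

WEAK_CIPHERS = ("esp-des", "esp-3des", "esp-null")


def parse_config(text):
    """Collect the objects that a site-to-site crypto map references."""
    cfg = {
        "sysopt_permit_ipsec": False,
        "isakmp_interfaces": set(),
        "acls": set(),
        "transform_sets": {},    # name -> list of transforms
        "l2l_tunnel_groups": set(),
        "crypto_maps": {},       # (map name, seq) -> {"acl", "peer", "transform_set"}
        "applied_maps": {},      # map name -> interface
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
        elif m := re.match(r"isakmp enable (\S+)$", line):
            cfg["isakmp_interfaces"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ", line):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            cfg["l2l_tunnel_groups"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$", line):
            entry = cfg["crypto_maps"].setdefault((m.group(1), int(m.group(2))), {})
            key = {"match address": "acl", "set peer": "peer", "set transform-set": "transform_set"}[m.group(3)]
            entry[key] = m.group(4)
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["applied_maps"][m.group(1)] = m.group(2)
    return cfg


def audit_vpn_config(text):
    """Return a list of findings; an empty list means every reference resolves
    and no weak or integrity-less transform set is in use."""
    cfg = parse_config(text)
    findings = []
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec is not set; decrypted traffic will be "
                        "checked against the interface ACL")
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        where = f"crypto map {name} {seq}"
        iface = cfg["applied_maps"].get(name)
        if iface is None:
            findings.append(f"{where}: map {name} is not applied to any interface")
        elif iface not in cfg["isakmp_interfaces"]:
            findings.append(f"{where}: isakmp is not enabled on interface {iface}")
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{where}: no 'match address' ACL")
        elif acl not in cfg["acls"]:
            findings.append(f"{where}: ACL {acl} does not exist")
        peer = entry.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer set")
        elif peer not in cfg["l2l_tunnel_groups"]:
            findings.append(f"{where}: no 'tunnel-group {peer} type ipsec-l2l' for the peer")
        ts = entry.get("transform_set")
        if ts is None:
            findings.append(f"{where}: no transform set")
        elif ts not in cfg["transform_sets"]:
            findings.append(f"{where}: transform set {ts} does not exist")
        else:
            transforms = cfg["transform_sets"][ts]
            weak = [t for t in transforms if t in WEAK_CIPHERS]
            if weak:
                findings.append(f"{where}: transform set {ts} uses weak encryption {' '.join(weak)}")
            if not any(t.endswith("-hmac") for t in transforms):
                findings.append(f"{where}: transform set {ts} has no ESP integrity transform (esp-*-hmac)")
    return findings


if __name__ == "__main__":
    for label, text in (("lab config", LAB_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_vpn_config(text) or ["no findings"]:
            print(" -", finding)
```

On the lab configuration as written, every cross-reference resolves and the only findings are against the pixQ transform set: DES is a weak cipher, and a set containing only esp-des carries no esp-*-hmac transform, so ESP provides no integrity check on the protected traffic. That is the expected result for this exercise; a production transform set pairs a current cipher with an esp-*-hmac transform. The broken copy shows the other failure mode, a reference to a transform set that was never defined.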
Task 4: Test and Verify the IPSec Configuration
1. Verify the IKE policy that you just created. Note the default values.
pixP(config)# show run crypto isakmp
2. Verify the tunnel group that you just created.
pixP(config)# show run tunnel-group
3. Verify the crypto map ACL.
pixP(config)# show run access-list 101
4. Verify that the IPSec parameters (IKE Phase 2) are correct.
pixP(config)# show run crypto ipsec
5. Verify that the crypto map configuration is correct.
pixP(config)# show run crypto map
6. Turn on debugging for IPSec and ISAKMP.
pixP(config)# debug crypto ipsec
pixP(config)# debug crypto isakmp
7. Clear the IPSec SA by using the following command:
pixP(config)# clear crypto ipsec sa
8. Enable logging to the console.
pixP(config)# logging enable
pixP(config)# logging console debug
9. Ensure that traffic between peers is being encrypted by completing the following substeps:
1. Examine the ISAKMP SA. Note the IKE peer and tunnel type as well as the state.
pixP(config)# show crypto isakmp sa
2. Disable logging to the console.
pixP(config)# no logging console debug
3. Examine the IPSec SAs. Note the number of packets encrypted and decrypted.
pixP(config)# show crypto ipsec sa
4. Generate additional traffic by clicking the Reload button of your web browser.
5. Examine the IPSec SAs again. Note that the packet counters have increased.
pixP(config)# show crypto ipsec sa
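Substeps 3 through 5 compare the packet counters of two show crypto ipsec sa snapshots. The following Python script is an added example, not part of the lab; it parses two constructed excerpts of that output (the layout approximates the PIX/ASA format from memory, and only the #pkts encaps/decaps lines and the current_peer line are read, so the rest of a real capture is ignored) and states per peer whether traffic flowed in both directions between the snapshots. It also covers the cases the lab does not spell out: counters that rise in one direction only, and counters that went down because the SA was rebuilt.

```python
import re

# Constructed excerpt of "show crypto ipsec sa" taken before the browser reload
# (substep 3), with pod placeholders filled in as P=1 and Q=2 (assumed values).
BEFORE = """\
interface: outside
    Crypto map tag: peer2, seq num: 10, local addr: 192.168.1.2

      access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
      current_peer: 192.168.2.2

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 0
"""

# Constructed snapshot after the reload (substep 5): both counters went up.
AFTER = BEFORE.replace("encaps: 12", "encaps: 20").replace("decaps: 12", "decaps: 20")

# Constructed snapshot where only the outbound counter moved.
ONE_WAY = BEFORE.replace("encaps: 12", "encaps: 20")


def parse_sa_counters(text):
    """Map each peer address to its encaps (encrypted) and decaps (decrypted) counters."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = re.search(r"current_peer: (\S+)", line)
        if m:
            peer = m.group(1)
            counters[peer] = {"encaps": 0, "decaps": 0}
            continue
        if peer is None:
            continue
        for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            counters[peer][name] = int(value)
    return counters


def traffic_verdict(before, after):
    """Compare two snapshots and return, per peer, a one-line verdict on what
    the counter movement means."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    verdicts = {}
    for peer, now in a.items():
        then = b.get(peer, {"encaps": 0, "decaps": 0})
        d_enc = now["encaps"] - then["encaps"]
        d_dec = now["decaps"] - then["decaps"]
        if d_enc < 0 or d_dec < 0:
            verdicts[peer] = "counters reset: the SA was rebuilt between snapshots; take two fresh snapshots"
        elif d_enc > 0 and d_dec > 0:
            verdicts[peer] = f"bidirectional: +{d_enc} encrypted, +{d_dec} decrypted"
        elif d_enc > 0:
            verdicts[peer] = (f"outbound only: +{d_enc} encrypted but nothing decrypted; "
                              "check the peer's crypto ACL and static translation")
        elif d_dec > 0:
            verdicts[peer] = (f"inbound only: +{d_dec} decrypted but nothing encrypted; "
                              "check the local crypto ACL")
        else:
            verdicts[peer] = "idle: no packets matched the crypto ACL between snapshots"
    return verdicts


if __name__ == "__main__":
    for label, snap in (("reload", AFTER), ("one way", ONE_WAY), ("no traffic", BEFORE)):
        for peer, verdict in traffic_verdict(BEFORE, snap).items():
            print(f"{label:>10} {peer}: {verdict}")
```

A counter that climbs only on the encaps side is the classic symptom of a mismatched crypto ACL on the far end: this side encrypts the request, but the reply never comes back through the tunnel, which is why the lab has you verify the ACL and static translation on both pods before touching IKE.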
Task 5: Clear the IPSec Configuration
1. Clear your IPSec SAs with the clear crypto ipsec sa command.
pixP(config)# clear crypto ipsec sa
2. Remove all isakmp command statements from your configuration with the clear configure isakmp command.
pixP(config)# clear config isakmp
3. Remove the previously configured transform set from your configuration with the clear configure ipsec command.
pixP(config)# clear config ipsec
4. Remove all tunnel-group command statements from your configuration with the clear configure tunnel-group command.
pixP(config)# clear config tunnel-group
5. Remove all parameters entered through the crypto map command with the clear configure crypto map command.
pixP(config)# clear config crypto map