RE: [FW1] VPN Cisco PIX and FW1 V4.0 would it work ?
Here is a config I had lying around for PIX to FW-1.
Firewall-1 to PIX VPN using Preshared Secrets Example
PIX Configuration

The PIX is configured as follows:

PIX 515 with PIXOS 5.31.

The PIX is configured for this example as an onsite PIX which uses PAT to access Internet services and a VPN for connectivity to either a hosting center or a remote business location for a given company. There is no reason why the roles of the two firewall products cannot be reversed.

Actual PIX configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
name 192.1.1.1 PIX
name 172.16.2.168 RPIX
access-list 101 permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap debugging
no logging history
logging facility 20
logging queue 512
logging host inside 172.16.1.122
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside PIX 255.255.255.0
ip address inside RPIX 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
arp timeout 14400
global (outside) 1 192.1.1.3
nat (inside) 0 access-list 101
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 192.1.1.2
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key cisco123 address 192.1.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80

Note: Statements in bold are specific to VPN configuration
Nokia Configuration

The Nokia configuration is detailed below:

Nokia IP330, IPSO 3.3 and Checkpoint Firewall-1 4.1 Service Pack 3

The default static route points to 192.1.1.1

Actual Nokia Configuration

Policy Properties - under the Encryption tab change IKE SA timeout to 1440
Objects Defined

Name          Object Type                  IP                                        Description
Behind-nokia  Network                      10.0.1.0/24                               Network behind the Nokia Firewall
Behind-pix    Network                      172.16.0.0/16                             Network behind the PIX
Nokia         Firewall (internal gateway)  192.1.1.2 outside (10.0.1.1 inside)       Checkpoint Firewall Object
PIX           Firewall (external gateway)  192.1.1.1 outside (172.16.2.168 inside)   PIX Firewall Object

Firewall Rulebase

Source                    Destination               Service  Action    Description
Behind-nokia, Behind-pix  Behind-pix, Behind-Nokia  Any      Encrypt*
Any                       Any                       Any      Drop      Cleanup rule
*Note: Right-click on Encrypt and select the following: click IKE and select ESP as the Transform. Ensure that DES, SHA1 is selected. The peer gateway can be any or a specified gateway.

Firewall Encryption

Nokia Firewall Object
Select VPN window -> IKE -> select DES -> SHA1 and key in the preshared secret.
Note: Support Aggressive Mode and Support Key Exchange for Subnets should be checked.

PIX Firewall Object
Select VPN window -> IKE -> select DES -> SHA1 and key in the preshared secret.
Note: Support Aggressive Mode and Support Key Exchange for Subnets should be checked.
Windows Configuration

The Windows 2000 clients in the testing were running Windows 2000 SP1.
172.16.1.122 had a static route for network 10.0.1.0/24 via the PIX inside interface 172.16.2.168.
10.0.1.2 had a static route to network 172.16.0.0/16 via the Nokia inside interface 10.0.1.1.
Switch
A Cisco 1548 Switch was used for testing.
Tests conducted

Note: All tests were carried out with no existing connection.

Test                                             Result                      Comments
Icmp from 172.16.1.122 to 10.0.1.2               VPN created and worked
Icmp from 10.0.1.2 to 172.16.1.122               VPN created and worked
Net use from 172.16.1.122 to 10.0.1.2            VPN created and worked
Net use from 10.0.1.2 to 172.16.1.122            VPN created and worked
Policy installed during VPN session onto Nokia   VPN tunnel remained stable

Note: When doing ICMP testing, a standard ping may time out; a repeat ping works, due to the time taken to create the tunnel. This leads to the conclusion that for some applications, a timeout increase is desirable.
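As an added example, not part of the original post and not a Cisco or Checkpoint tool, the Python script below pulls the VPN-specific statements out of the PIX configuration above (the bold formatting the post's note refers to did not survive the archive) and cross-checks them the way a reviewer would before expecting the tunnel to come up: the crypto map's ACL exists and is the same one used by nat 0 so tunnel traffic bypasses PAT, the transform set and the isakmp key for the peer are defined, isakmp is enabled on the interface the map is bound to, sysopt connection permit-ipsec is present, and the ISAKMP policy matches the DES/SHA1 settings on the Checkpoint side. The embedded configuration is the subset of the post's PIX lines that the VPN depends on; the Checkpoint IKE SA timeout of 1440 is assumed to be in minutes, which is how FW-1 expresses it, so it is compared against the PIX lifetime in seconds. Function names are my own.

```python
from collections import defaultdict

# VPN-relevant lines reproduced from the post's PIX configuration.
PIX_CONFIG = """\
access-list 101 permit ip 172.16.0.0 255.255.0.0 10.0.1.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 10.0.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list 101
access-group 102 in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 192.1.1.2
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key cisco123 address 192.1.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Checkpoint-side settings from the post. Assumption: FW-1's IKE SA timeout is in minutes.
CHECKPOINT = {"encryption": "des", "hash": "sha", "ike_sa_timeout_minutes": 1440}

VPN_PREFIXES = ("crypto ", "isakmp ", "sysopt connection permit-ipsec", "nat (inside) 0 ")


def vpn_statements(text):
    """Return the statements that are specific to the VPN (the ones the post had in bold)."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith(VPN_PREFIXES)]


def parse_pix(text):
    """Extract the pieces of a PIX config that the IPsec tunnel depends on."""
    cfg = {"acl": defaultdict(list), "nat0_acl": None, "transform_sets": {},
           "crypto_map": {}, "crypto_map_iface": None, "isakmp_enabled": set(),
           "isakmp_keys": {}, "isakmp_policy": {}, "permit_ipsec": False}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            cfg["acl"][tok[1]].append(" ".join(tok[2:]))
        elif tok[0] == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            cfg["nat0_acl"] = tok[4]
        elif raw.strip() == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"]:
            if tok[3] == "interface":
                cfg["crypto_map_iface"] = tok[4]
            elif tok[4:6] == ["match", "address"]:
                cfg["crypto_map"]["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                cfg["crypto_map"]["peer"] = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                cfg["crypto_map"]["transform"] = tok[6]
        elif tok[:2] == ["isakmp", "enable"]:
            cfg["isakmp_enabled"].add(tok[2])
        elif tok[:2] == ["isakmp", "key"]:
            cfg["isakmp_keys"][tok[4]] = tok[2]          # peer address -> preshared key
        elif tok[:2] == ["isakmp", "policy"]:
            cfg["isakmp_policy"][tok[3]] = tok[4]        # e.g. "encryption" -> "des"
    return cfg


def check_vpn(cfg, checkpoint):
    """Cross-check the PIX statements against each other and against the Checkpoint settings."""
    findings = []
    cm, pol = cfg["crypto_map"], cfg["isakmp_policy"]
    if cm.get("acl") not in cfg["acl"]:
        findings.append(f"ERROR: crypto map matches access-list {cm.get('acl')}, which is not defined")
    if cfg["nat0_acl"] != cm.get("acl"):
        findings.append("ERROR: nat (inside) 0 does not reference the crypto ACL; tunnel traffic would be PATed")
    if cm.get("transform") not in cfg["transform_sets"]:
        findings.append(f"ERROR: transform-set {cm.get('transform')} is referenced but not defined")
    if cm.get("peer") not in cfg["isakmp_keys"]:
        findings.append(f"ERROR: no isakmp key configured for peer {cm.get('peer')}")
    if cfg["crypto_map_iface"] not in cfg["isakmp_enabled"]:
        findings.append(f"ERROR: crypto map bound to {cfg['crypto_map_iface']} but isakmp not enabled there")
    if not cfg["permit_ipsec"]:
        findings.append("ERROR: sysopt connection permit-ipsec missing; decrypted traffic is subject to the interface ACL")
    if pol.get("authentication") != "pre-share":
        findings.append("ERROR: Checkpoint object is set up for a preshared secret but PIX policy is not pre-share")
    for key in ("encryption", "hash"):
        if pol.get(key) != checkpoint[key]:
            findings.append(f"ERROR: IKE {key} mismatch: PIX {pol.get(key)} vs Checkpoint {checkpoint[key]}")
    if int(pol.get("lifetime", "0")) != checkpoint["ike_sa_timeout_minutes"] * 60:
        findings.append(f"ERROR: IKE lifetime {pol.get('lifetime')}s != Checkpoint {checkpoint['ike_sa_timeout_minutes']} min")
    if pol.get("encryption") == "des" or any("esp-des" in ts for ts in cfg["transform_sets"].values()):
        findings.append("WARN: single DES is in use; treat it as interoperability-only, not as strong encryption")
    return findings


if __name__ == "__main__":
    print("\n".join(vpn_statements(PIX_CONFIG)))
    print("\n".join(check_vpn(parse_pix(PIX_CONFIG), CHECKPOINT)) or "no findings")
```

Run against the post's configuration it reports no errors, only the DES warning; dropping the nat 0 line or changing the isakmp lifetime produces an error, which is the class of mismatch that shows up in practice as a tunnel that negotiates phase 1 and then never passes traffic.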