This chapter looked at using the PIX Firewall with various VPN implementations. The basic tasks and steps of configuring VPNs on the firewall are not significantly different from working with router VPNs, although the command syntax is unique. Remember, basic VPN terms and technology were covered in Chapters 9 through 11, and they should be reviewed before taking the certification exam.
The tasks and steps involved in configuring PIX IPSec, together with their related commands, are summarized in the following task list.
Configuring IPSec
Task 1. Prepare for IPSec
-
Step 1.1: Determine IKE (IKE phase one) policy
-
Step 1.2: Determine IPSec (IKE phase two) policy
-
Step 1.3: Check the current configuration
write terminal
show isakmp policy
show isakmp
-
Step 1.4: Ensure the network works without encryption
ping - all devices
-
Step 1.5: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
sysopt connection permit-ipsec
Task 2. Configure IKE
-
Step 2.1: Enable or disable IKE
isakmp enable interface-name
-
Step 2.2: Create IKE Phase 1 policy
isakmp policy commands
encryption
hash
authentication
group
lifetime
-
Step 2.3: Configure preshared keys
isakmp identity {address | hostname}
isakmp key keystring address peer-address [netmask mask]
-
Step 2.3 (alternative): Configure CA support for RSA signature authentication
hostname
domain-name
ca generate rsa key
ca identity
ca configure
ca authenticate
ca enroll
show ca certificate
-
Step 2.4: Verify the IKE configuration
show isakmp policy
show isakmp
show isakmp sa
Task 3. Configure IPSec
-
Step 3.1: Configure crypto ACLs to define interesting traffic
access-list
-
Step 3.2: Configure transform set suites
crypto ipsec transform-set
-
Step 3.3: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
-
Step 3.4: Configure crypto maps
crypto map
ipsec-manual | ipsec-isakmp
match address acl-name
set peer
set transform-set
set pfs
set security-association lifetime
crypto dynamic-map
-
Step 3.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map interface
Task 4. Test and verify IPSec
-
Step 4.1: Display your configured IKE policies
show isakmp
show isakmp policy
-
Step 4.2: Display your configured transform sets
show crypto ipsec transform-set
-
Step 4.3: Display the current state of your IKE and IPSec SAs
show isakmp sa
show crypto ipsec sa
show crypto ipsec security-association lifetime
-
Step 4.4: View your configured crypto maps
show crypto map
-
Step 4.5: Debug IKE and IPSec traffic on the PIX Firewall
debug crypto ipsec
debug crypto isakmp
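Putting the four tasks together, the following is a complete preshared-key, site-to-site configuration for one side of a tunnel. It is an added example, not a configuration from the chapter. The interface name (outside), peer address (192.0.2.2), the two protected subnets (10.1.1.0/24 local, 10.2.2.0/24 remote), and the ACL, transform-set and crypto map names are all assumed; the placeholder keystring must be replaced with a long random secret shared with the peer. The `!` lines are annotations for the reader, not PIX commands, and should be stripped before pasting into a PIX 6.x CLI. The `nat 0` line is not in the task list above but is needed in practice whenever the inside subnet is otherwise translated, because the crypto ACL is evaluated against post-NAT addresses.

```cisco
! Task 1 (Step 1.5): decrypted tunnel traffic bypasses the interface ACL;
! the firewall trusts the IPsec SA that delivered it instead.
sysopt connection permit-ipsec

! Task 2: IKE phase one. The explicit values override the PIX defaults
! (DES, group 1, RSA signatures); preshared keys require pre-share.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! One key per peer, bound to that peer's address with a host mask (assumed peer)
isakmp key <long-random-secret> address 192.0.2.2 netmask 255.255.255.255

! Task 3: IPsec phase two. Crypto ACL names only the traffic that must be
! protected (assumed subnets; PIX ACLs use subnet masks, not wildcards).
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Exempt that traffic from NAT so the crypto ACL sees the real addresses
nat (inside) 0 access-list vpn_traffic
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto map sitemap 10 ipsec-isakmp
crypto map sitemap 10 match address vpn_traffic
crypto map sitemap 10 set peer 192.0.2.2
crypto map sitemap 10 set transform-set strong
crypto map sitemap 10 set pfs group2
crypto map sitemap 10 set security-association lifetime seconds 3600
crypto map sitemap interface outside

! Task 4: verify after sending traffic that matches the crypto ACL
show isakmp sa
show crypto ipsec sa
```

The peer must mirror every parameter: the same keystring, an IKE policy that matches on encryption, hash, authentication, group and lifetime, a transform set with the same ESP transforms, and a crypto ACL that is the exact mirror image of vpn_traffic. 3DES with SHA-1 is the strongest combination available before PIX OS 6.3; on 6.3 and later, prefer aes-256 in the IKE policy and esp-aes-256 in the transform set. Because the `sysopt` line removes the interface ACL check for tunnel traffic, the crypto ACL is the only thing limiting what the remote site can reach, so keep it narrow.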
Configuring IPSec for RSA Encrypted Nonces
Task 1. Prepare for IPSec: determine a detailed security policy for RSA encryption, including how the RSA public keys will be distributed.
Task 2. Configure RSA keys manually.
-
Step 2.1: Plan for RSA keys
-
Step 2.2: Configure the router’s host name and domain name
hostname name
ip domain-name name
-
Step 2.3: Generate the RSA keys
crypto key generate rsa usage-keys
-
Step 2.4: Enter peer RSA public keys. Detail is important: any mistake entering a key will cause it not to work.
crypto key pubkey-chain rsa
addressed-key key-address [encryption | signature]
named-key key-name [encryption | signature]
key-string
-
Step 2.5: Verify the key configuration
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
-
Step 2.6: Manage RSA keys. Remove old keys to free up space.
crypto key zeroize rsa
Task 3. Configure ISAKMP for IPSec to select RSA
encryption as the authentication method in an ISAKMP policy.
Task 4. Configure IPSec, typically done the same way as with preshared keys.
Task 5. Test and verify IPSec and exercise
additional commands to view and manage RSA public keys.
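The manual key exchange in Tasks 2 and 3 above, as an added example for a Cisco IOS router (not configuration from the chapter). The host name, domain name and peer address (192.0.2.2) are assumed; the key-string bodies are placeholders for the hex that `show crypto key mypubkey rsa` prints on the peer. Usage keys are generated because RSA encrypted nonces need separate signature and encryption key pairs, and each peer entry therefore appears twice.

```cisco
! Step 2.2: the generated key pair is named after host name plus domain name
hostname RouterA
ip domain-name example.com

! Step 2.3: 'usage-keys' creates one signature pair and one encryption pair.
! The command is interactive and prompts for the modulus size (use 1024 or more).
crypto key generate rsa usage-keys

! Step 2.4: enter the PEER's public keys, copied from the peer's own
! 'show crypto key mypubkey rsa' output. Placeholders below, not real keys.
crypto key pubkey-chain rsa
 addressed-key 192.0.2.2 encryption
  key-string
   <peer encryption public key hex, as many lines as printed>
   quit
 addressed-key 192.0.2.2 signature
  key-string
   <peer signature public key hex>
   quit
 exit

! Task 3: select RSA encrypted nonces as the IKE authentication method
crypto isakmp policy 10
 authentication rsa-encr
 encryption 3des
 hash sha
 group 2

! Step 2.5: confirm what was stored before relying on it
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa address 192.0.2.2
```

The security of this method rests entirely on the pasted keys being the peer's real keys: compare the key shown by `show crypto key pubkey-chain rsa` against the value the peer's administrator reads out over a trusted channel (phone, in person), never only against a copy received by e-mail. Task 4 (crypto ACL, transform set, crypto map) is unchanged from the preshared-key case.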
Configuring CA Support Tasks
Task 1. Prepare for IPSec
-
Step 1.1: Plan for CA support
Determine the type of CA server to use
Identify the CA server’s IP address, host name, and URL. Required for Lightweight Directory Access Protocol (LDAP) queries.
Identify the CA server administrator contact information.
-
Step 1.2: Determine IKE (IKE phase one) policy
-
Step 1.3: Determine IPSec (IKE phase two) policy
-
Step 1.4: Check the current configuration
show running-config
show crypto isakmp [policy]
show crypto map
-
Step 1.5: Ensure the network works without encryption
ping all devices
-
Step 1.6: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
Task 2. Configure CA Support
-
Step 2.1: Manage the nonvolatile RAM (NVRAM) memory usage (optional)
crypto ca certificate query
-
Step 2.2: Set the router’s time and date
clock timezone zone hours [minutes]
clock set hh:mm:ss day month year
clock set hh:mm:ss month day year
-
Step 2.3: Configure the router’s host name and domain name
hostname name
ip domain-name name
ip host name address1 [address2 ... address8]
-
Step 2.4: Generate an RSA key pair, used to identify the router to the remote VPN peer
crypto key generate rsa [usage-keys]
-
Step 2.5: Declare a CA
crypto ca identity name
-
Step 2.6: Authenticate the CA
crypto ca authenticate name
-
Step 2.7: Request your own certificate
crypto ca enroll name
-
Step 2.8: Save the configuration
copy run start
-
Step 2.9: Monitor and maintain CA interoperability (optional)
Request a CRL
crypto ca crl request name
Delete your router’s RSA keys
crypto key zeroize rsa
Delete both public and private certificates from the configuration
crypto ca certificate chain name, then no certificate serial-number
Delete peer’s public keys
crypto key pubkey-chain rsa, then no named-key key-name or no addressed-key key-address
-
Step 2.10: Verify the CA support configuration
show crypto ca certificates
show crypto key {mypubkey | pubkey-chain} rsa
Task 3. Configure IKE
-
Step 3.1: Enable or disable IKE
crypto isakmp enable
-
Step 3.2: Create IKE policies
crypto isakmp policy priority
-
Step 3.3: Configure preshared keys
crypto isakmp key and associated commands
-
Step 3.4: Verify the IKE configuration
show crypto isakmp policy
show crypto isakmp sa
Task 4. Configure IPSec
-
Step 4.1: Configure transform set suites
crypto ipsec transform-set
-
Step 4.2: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
-
Step 4.3: Configure crypto ACLs
access-list
-
Step 4.4: Configure crypto maps
crypto map
-
Step 4.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map
Task 5. Test and verify IPSec
-
Step 5.1: Display your configured IKE policies
show crypto isakmp policy
-
Step 5.2: Display your configured transform sets
show crypto ipsec transform-set
-
Step 5.3: Display the current state of your IPSec SAs
show crypto ipsec sa
-
Step 5.4: View your configured crypto maps
show crypto map
-
Step 5.5: Debug IKE and IPSec traffic through the Cisco IOS
debug crypto ipsec
debug crypto isakmp
-
Step 5.6: Debug CA events
debug crypto key-exchange
debug crypto pki
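The CA enrollment in Task 2 above, as an added example for a Cisco IOS router (not configuration from the chapter). The time zone and date, host name, domain name, CA name (example-ca), CA server address (192.0.2.10) and its SCEP enrollment URL, and the RA enrollment mode are all assumed; substitute the values supplied by the CA administrator. The `crypto ca identity` subcommands shown are the standard IOS enrollment options.

```cisco
! Step 2.2: certificates carry validity dates, so the clock must be correct
! before authentication or enrollment (assumed zone and date)
clock timezone PST -8
clock set 10:00:00 15 March 2003

! Step 2.3: identity used in the certificate request, plus a static host
! entry so enrollment does not depend on DNS (assumed CA address)
hostname RouterA
ip domain-name example.com
ip host ca-server.example.com 192.0.2.10

! Step 2.4: one general-purpose key pair (prompts for modulus size; use 1024 or more)
crypto key generate rsa

! Step 2.5: declare the CA. 'enrollment mode ra' is needed when the CA fronts
! requests with a registration authority; retry values bound how long the
! router polls for a certificate that is issued manually.
crypto ca identity example-ca
 enrollment url http://ca-server.example.com:80
 enrollment mode ra
 enrollment retry count 5
 enrollment retry period 2
 exit

! Step 2.6: fetch the CA certificate. The router prints its fingerprint;
! accept it only after matching it against a value obtained from the CA
! administrator out of band, since this step bootstraps all later trust.
crypto ca authenticate example-ca

! Step 2.7: request the router's own certificate (prompts for a challenge
! password, which the CA administrator needs to revoke the certificate later)
crypto ca enroll example-ca

! Step 2.8 and 2.10: save and verify
copy running-config startup-config
show crypto ca certificates
show crypto key mypubkey rsa
```

Two points deserve attention. First, the `crypto ca authenticate` fingerprint check is the only thing standing between the router and a CA impersonator on the path to the enrollment URL, so it should be treated as a mandatory manual step, not clicked through. Second, IOS offers a `crl optional` subcommand under `crypto ca identity` that lets IKE proceed when the CRL cannot be fetched; it is convenient during rollout but disables revocation checking, so it does not belong in a production configuration.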
The PIX Firewall OS version 6.2 introduced the Easy VPN Remote
device (client) for connecting to any Easy VPN Server. This implementation
greatly reduces configuration on the remote host and relies on the server
policies for configuration decisions.
Scaling PIX Firewall VPN solutions includes the basic device features plus a variety of network management software applications that provide Web-based, centralized configuration, monitoring, and reporting. Example applications include CiscoWorks VPN/Security Management Solution (VMS), Cisco Secure Policy Manager (CSPM), and Cisco PIX Device Manager (PDM), which is covered in the next chapter.
The PPPoE client was introduced on the PIX Firewall with PIX OS version 6.2. Point-to-Point Protocol over Ethernet (PPPoE) incorporates two widely used and understood standards: PPP and Ethernet. The PPPoE specification connects hosts on an Ethernet to the Internet through a common broadband medium, such as a DSL line, cable modem, or wireless device.