Help with IPSEC tunnel on PIX 501

mikentosh · ‎06-10-2010

Scenario:

I need help setting up a “Business to Business (B2B)” connection from a vendor to host facility (may also be called a shared IPSEC Tunnel?). I want to add this new tunnel configuration without impacting the current setup on the PIX. Not that it matters, but the vendor has a PIX 501 and the Facility has an ASA5400. Anyhow, I have been provided the following information from the host facility:

TUNNEL INFORMATION:

Vendor Public IP = 216.x.x.x

Vendor Network Range = 10.129.64.0/30

Facility Public IP = 199.x.x.x

Facility Network Range = 170.x.x.x/25

SHARED IPSEC TUNNEL PARAMETERS:

Exchange mode = Main mode

Shared secret = TBD

Phase I: DH Group = 2; Encrypt = 3DES-168; Auth = SHA-1/HMAC-160; Life = 86400

Phase II: Protocol = ESP; Encrypt = 3DES-168; Auth = ESP/SHA-1/HMAC-160; Life = 28800; PFS = Off

NAT INFORMATION:

Nat Location = Vendor Network

ORIGINAL PACKET - Source Destination = Vendor Private Net

ORIGINAL PACKET – Destination Source = Facility Private Net

TRANSLATED PACKET – Source Destination = 10.129.64.1

TRANSLATED PACKET – Destination Source = SAME

TRAFFIC FLOW INFORMATION:

10.129.64.1:80 >>>>>>>>>>>>>>> 170.x.x.x-x

The current Vendor PIX configuration is as follows:

PIX Version 6.3(5)

interface ethernet0 auto shutdown

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxx encrypted

hostname ABCFW

domain-name ABC

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit tcp any interface outside eq 3389

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any unreachable

access-list outside_in permit icmp any any source-quench

access-list outside_in permit tcp any interface outside eq 1000

access-list outbound permit tcp any any

access-list outbound permit ip any any

pager lines 24

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 216.x.x.x 255.255.255.252

ip address inside 192.168.1.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 1000 192.168.1.100 3389 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

access-group outbound in interface inside

route outside 0.0.0.0 0.0.0.0 216.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

ntp server 192.168.1.4 source inside

http server enable

http 192.168.1.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

username admin password xxxxxxxxxxxxxxxxx encrypted privilege 2

terminal width 90

Cryptochecksum:c6306a443489be5bb87ba40040712770

: end

Any help would be greatly appreciated!

Federico Coto Fajardo · ‎06-10-2010

Hello Mike,

This link shows you the configuration that you need on the PIX to configure the Site-to-Site IPsec tunnel. (it also shows a VPN client configuration).

Let us know if you have any questions.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml

Federico.

edadios · ‎06-10-2010

Ensure your pix501 has the 3des license. You can check this with show version.

Here is what you needed to add on the vendor firewall

##################

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
! Complete the ip address below for facility FW
crypto map newmap 10 set peer 199.x.x.x
crypto map newmap 10 set transform-set myset

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

access-list 110 permit ip 10.129.64.0 255.255.255.252 170.x.x.x 255.255.255.128

nat (inside) 0 access-list 110

! Complete the ip address below for facility FW
isakmp key TBD address 199.x.x.x
! Where TBD is whatever key matches with the facility FW

! Apply this configuration below last
! if you run into problems
! just reissue the two commands below with "no" in front of them
! to disable the vpn configuration

crypto map newmap interface outside
isakmp enable outside

###############

Then of course the Facility firewall will need to have the mirrored configuration on their end for the vpn to work.

Regards,

mikentosh · ‎06-14-2010

Thank you for taking the time to review my config. I will definitely try what you have suggested and report back with score (probably next week). Thanks again!

Regards,