06-10-2010 05:00 AM - edited 03-11-2019 10:57 AM
Scenario:
I need help setting up a “Business to Business (B2B)” connection from a vendor to a host facility (may also be called a shared IPSEC tunnel?). I want to add this new tunnel configuration without impacting the current setup on the PIX. Not that it matters, but the vendor has a PIX 501 and the facility has an ASA5400. Anyhow, I have been provided the following information from the host facility:
TUNNEL INFORMATION:
Vendor Public IP = 216.x.x.x
Vendor Network Range = 10.129.64.0/30
Facility Public IP = 199.x.x.x
Facility Network Range = 170.x.x.x/25
SHARED IPSEC TUNNEL PARAMETERS:
Exchange mode = Main mode
Shared secret = TBD
Phase I: DH Group = 2; Encrypt = 3DES-168; Auth = SHA-1/HMAC-160; Life = 86400
Phase II: Protocol = ESP; Encrypt = 3DES-168; Auth = ESP/SHA-1/HMAC-160; Life = 28800; PFS = Off
NAT INFORMATION:
Nat Location = Vendor Network
ORIGINAL PACKET - Source Destination = Vendor Private Net
ORIGINAL PACKET – Destination Source = Facility Private Net
TRANSLATED PACKET – Source Destination = 10.129.64.1
TRANSLATED PACKET – Destination Source = SAME
TRAFFIC FLOW INFORMATION:
10.129.64.1:80 >>>>>>>>>>>>>>> 170.x.x.x-x
The current Vendor PIX configuration is as follows:
PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname ABCFW
domain-name ABC
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outbound permit tcp any any
access-list outbound permit ip any any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.100 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 90
Cryptochecksum:c6306a443489be5bb87ba40040712770
: end
Any help would be greatly appreciated!
06-10-2010 06:32 AM
Hello Mike,
This link shows you the configuration that you need on the PIX to configure the Site-to-Site IPsec tunnel. (it also shows a VPN client configuration).
Let us know if you have any questions.
Federico.
06-10-2010 06:43 PM
Ensure your pix501 has the 3des license. You can check this with show version.
Here is what you need to add on the vendor firewall:
##################
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
! Complete the ip address below for facility FW
crypto map newmap 10 set peer 199.x.x.x
crypto map newmap 10 set transform-set myset
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 110 permit ip 10.129.64.0 255.255.255.252 170.x.x.x 255.255.255.128
nat (inside) 0 access-list 110
! Complete the ip address below for facility FW
isakmp key TBD address 199.x.x.x
! Where TBD is whatever key matches with the facility FW
! Apply this configuration below last
! if you run into problems
! just reissue the two commands below with "no" in front of them
! to disable the vpn configuration
crypto map newmap interface outside
isakmp enable outside
###############
Then of course the Facility firewall will need to have the mirrored configuration on their end for the vpn to work.
Regards,
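As an added example that is not from this thread or from Cisco: a small Python check that parses a PIX 6.3 crypto configuration shaped like the one proposed above and compares it against the facility's tunnel sheet (Phase I encryption/hash/group/lifetime, the ESP transform set, PFS, the crypto ACL encryption domain, and the nat 0 exemption). The facility's elided 170.x.x.x/25 range is replaced by the placeholder 170.0.0.0/25 here, and unset ISAKMP keys are assumed to take the PIX 6.3 defaults.

```python
import ipaddress
import re
# Constructed sample: the reply's proposed config, with the facility range's
# elided octets replaced by the placeholder 170.0.0.0 (not a real address).
PIX_CONFIG = """
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map newmap 10 match address 110
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 110 permit ip 10.129.64.0 255.255.255.252 170.0.0.0 255.255.255.128
nat (inside) 0 access-list 110
"""
# The host facility's tunnel sheet; the Phase I lifetime equals the PIX 6.3 default.
SHEET = {"encryption": "3des", "hash": "sha", "group": "2", "lifetime": "86400",
         "esp": ("esp-3des", "esp-sha-hmac"), "pfs": False,
         "local": "10.129.64.0/30", "remote": "170.0.0.0/25"}
def parse_isakmp_policy(cfg, number="10"):
    """Return the ISAKMP policy's settings; unset keys keep the PIX default."""
    policy = {"lifetime": "86400"}
    for m in re.finditer(rf"^isakmp policy {number} (\w+) (\S+)$", cfg, re.M):
        policy[m.group(1)] = m.group(2)
    return policy

def parse_crypto_acl(cfg, name):
    """Return (src, dst) network pairs of a crypto ACL (PIX uses real netmasks)."""
    pat = rf"^access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)$"
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)]

def check_config(cfg, sheet):
    """Return a list of mismatches between the config and the tunnel sheet."""
    problems, pol = [], parse_isakmp_policy(cfg)
    for key in ("encryption", "hash", "group", "lifetime"):
        if pol.get(key) != sheet[key]:
            problems.append(f"phase1 {key}: {pol.get(key)} != {sheet[key]}")
    ts = re.search(r"^crypto ipsec transform-set \S+ (\S+) (\S+)$", cfg, re.M)
    if not ts or ts.groups() != sheet["esp"]:
        problems.append("phase2 transform-set does not match sheet")
    if ("set pfs" in cfg) != sheet["pfs"]:
        problems.append("phase2 PFS setting does not match sheet")
    acl = re.search(r"match address (\S+)", cfg).group(1)
    want = (ipaddress.ip_network(sheet["local"]), ipaddress.ip_network(sheet["remote"]))
    if want not in parse_crypto_acl(cfg, acl):
        problems.append("crypto ACL does not cover the sheet's encryption domain")
    if not re.search(rf"^nat \(inside\) 0 access-list {acl}$", cfg, re.M):
        problems.append("tunnel traffic is not exempted from PAT (nat 0)")
    return problems
```

Run `check_config(PIX_CONFIG, SHEET)` before applying the crypto map to the interface; an empty list means every parameter on the sheet is matched, and any string returned names the mismatch to fix first.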
06-14-2010 02:50 AM
Thank you for taking the time to review my config. I will definitely try what you have suggested and report back with score (probably next week). Thanks again!
Regards,