© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-1
Module 14
PIX VPN
Learning Objectives
Upon completion of this module, you will be able to perform the following tasks:
• Identify how the PIX Firewall enables a secure VPN.
• Identify the tasks to configure PIX Firewall IPSec support.
• Identify the commands to configure PIX Firewall IPSec support.
• Configure a VPN between PIX Firewalls.
• Describe the Cisco VPN Client.
Overview
This module will cover the creation and configuration of secure VPNs. VPNs are a very useful tool in securing traffic between two remote networks. Both site-to-site and remote access VPNs will be covered.
Key Terms
• IPSec
• IKE
• DES, 3DES, AES
• SHA-1, MD5
• RSA
• Digital Certificates
• Pre-shared keys
• Diffie-Hellman
The PIX Firewall Enables a Secure VPN
PIX Firewall VPN Topologies
IPSec Enables PIX Firewall VPN Features
• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay
What Is IPSec?
IETF standard that enables encrypted communication between peers
• Consists of open standards for securing private communications.
• Network layer encryption ensuring data confidentiality, integrity, and authentication.
• Scales from small to very large networks.
• Included in PIX Firewall version 5.0 and later.
IPSec Standards Supported by the PIX Firewall
• IPSec (IP Security protocol)
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• Data Encryption Standard (DES)
• Triple DES (3DES)
• Diffie-Hellman (DH)
• Message Digest 5 (MD5)
• Secure Hash Algorithm (SHA)
• Rivest, Shamir, Adleman signatures (RSA)
• Certificate Authorities (CA)
IPSec Configuration Tasks
Task 1—Prepare to Configure VPN Support
IPSec Configuration Tasks Overview
• Task 1—Prepare to configure VPN support.
• Task 2—Configure IKE parameters.
• Task 3—Configure IPSec parameters.
• Task 4—Test and verify VPN configuration.
Task 1—Prepare to Configure VPN Support
• Step 1—Determine the IKE (IKE phase one) policy.
• Step 2—Determine the IPSec (IKE phase two) policy.
• Step 3—Ensure that the network works without encryption.
• Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.
Plan for IKE
IKE Phase One Policy Parameters
Determine IKE Phase One Policy
Parameter                Site 1            Site 2
Encryption algorithm     DES               DES
Hash algorithm           SHA               SHA
Authentication method    Pre-share         Pre-share
Key exchange             768-bit D-H       768-bit D-H
IKE SA lifetime          86,400 seconds    86,400 seconds
Plan for IPSec
Determine IPSec (IKE Phase Two) Policy
Ensure the Network Works
pixfirewall# ping 172.30.2.2
Ensure ACLs do not Block IPSec Traffic
Task 2—Configure IKE Parameters
Step 1—Enable or Disable IKE
• Enables or disables IKE on the PIX Firewall interfaces.
• IKE is enabled by default.
• Disable IKE on interfaces not used for IPSec.
Syntax: pixfirewall(config)# isakmp enable interface-name
Example: pixfirewall(config)# isakmp enable outside
Step 2—Configure an IKE Phase One Policy
• Creates a policy suite grouped by priority number.
• Creates policy suites that match peers.
• Can use default values.
pixfirewall(config)# isakmp policy 10 encryption des
pixfirewall(config)# isakmp policy 10 hash sha
pixfirewall(config)# isakmp policy 10 authentication pre-share
pixfirewall(config)# isakmp policy 10 group 1
pixfirewall(config)# isakmp policy 10 lifetime 86400
Step 3—Configure the IKE Pre-shared Key
Syntax: pixfirewall(config)# isakmp key keystring address peer-address [netmask]
• Pre-shared keystring must be identical at both peers.
• Use any combination of alphanumeric characters up to 128 bytes for keystring.
• Specify peer-address as a host or wildcard address.
• Easy to configure, yet is not scalable.
pixfirewall(config)# isakmp key cisco123 address 192.168.6.2
Step 4—Verify IKE Phase One Policies
• Displays configured and default IKE protection suites.
pixfirewall# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
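The policy table and the isakmp policy commands above only work if the two peers actually share a suite, and the "Default protection suite" in the show isakmp policy output is always offered too. The following Python script is an added example, not Cisco code or PIX output: it parses isakmp policy lines from two constructed configs and models how the responder picks a phase-one suite (its own suites in priority order, checked against everything the initiator offered; lifetimes need not match, the shorter one wins). The priority value 65535 used for the default suite is my assumption about where that suite sorts; the default suite's contents are taken from the page.

```python
import re
from typing import Dict, Optional

# Default protection suite the PIX offers alongside configured policies, as listed
# by "show isakmp policy" on the page: DES, SHA, RSA signatures, DH group 1, 86400 s.
DEFAULT_SUITE = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                 "group": "1", "lifetime": 86400}
DEFAULT_PRIORITY = 65535        # assumption: the default suite is considered last
NEGOTIATED = ("encryption", "hash", "authentication", "group")

POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (encryption|hash|authentication|group|lifetime) (\S+)$")


def parse_isakmp_policies(config: str) -> Dict[int, dict]:
    """Collect 'isakmp policy <prio> <attr> <value>' lines into one suite per
    priority. Attributes that are not configured keep the PIX default values."""
    suites: Dict[int, dict] = {}
    for raw in config.splitlines():
        m = POLICY_RE.match(raw.strip())
        if not m:
            continue
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3).lower()
        suite = suites.setdefault(prio, dict(DEFAULT_SUITE))
        suite[attr] = int(value) if attr == "lifetime" else value
    suites.setdefault(DEFAULT_PRIORITY, dict(DEFAULT_SUITE))  # always offered
    return suites


def negotiate_phase1(initiator_cfg: str, responder_cfg: str) -> Optional[dict]:
    """The responder walks its own suites by priority (lowest number first) and
    compares each with every suite the initiator offered. The first pair with the
    same encryption, hash, authentication method and DH group is used; the
    lifetime adopted is the shorter of the two. None means phase one fails."""
    offered = parse_isakmp_policies(initiator_cfg)
    own = parse_isakmp_policies(responder_cfg)
    for r_prio in sorted(own):
        for i_prio in sorted(offered):
            mine, theirs = own[r_prio], offered[i_prio]
            if all(mine[k] == theirs[k] for k in NEGOTIATED):
                agreed = {k: mine[k] for k in NEGOTIATED}
                agreed["lifetime"] = min(mine["lifetime"], theirs["lifetime"])
                agreed["responder_priority"] = r_prio
                agreed["initiator_priority"] = i_prio
                return agreed
    return None


def fell_through_to_default(agreed: Optional[dict]) -> bool:
    """True when the only common ground was the default RSA-signature suite. On
    peers meant to use pre-shared keys that is a misconfiguration signal: phase
    one will not complete without certificates, even though a suite 'matched'."""
    return bool(agreed) and agreed["responder_priority"] == DEFAULT_PRIORITY


# Constructed configs. SITE1 and SITE2 follow the policy table on the page.
SITE1 = """
isakmp enable outside
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
SITE2 = SITE1
# Constructed typo: hash md5 instead of sha on site 2.
SITE2_TYPO = SITE1.replace("hash sha", "hash md5")
# Constructed fallback: a stronger policy 10 plus a policy 20 that site 1 can match.
SITE2_FALLBACK = """
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 authentication pre-share
isakmp policy 10 group 2
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 authentication pre-share
isakmp policy 20 group 1
isakmp policy 20 lifetime 43200
"""

if __name__ == "__main__":
    for label, cfg in (("match", SITE2), ("typo", SITE2_TYPO), ("fallback", SITE2_FALLBACK)):
        result = negotiate_phase1(SITE1, cfg)
        print(label, result, "default-suite only:", fell_through_to_default(result))
```

The "typo" case is the one worth remembering when reading debug crypto isakmp output: a hash mismatch on priority 10 does not end with "no proposal chosen" but with the two default suites agreeing on RSA signatures, which then fail for lack of certificates.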
Task 3—Configure IPSec Parameters
Step 1—Configure Interesting Traffic
Syntax: pixfirewall(config)# access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask
• permit = encrypt
• deny = do not encrypt
• access-list selects IP traffic by address, network, or subnet
Example: pixfirewall(config)# access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
Example Crypto ACLs
• Lists should always be symmetrical.
PIX1
pix1(config)# show static
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 0 0
pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
PIX6
pix6(config)# show static
static (inside,outside) 192.168.6.10 10.0.6.11 netmask 255.255.255.255 0 0
pix2(config)# show access-list
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
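"Symmetrical" means every entry in the crypto ACL on one PIX has a mirror image (same action and protocol, source and destination swapped) on the peer; an entry without a mirror is traffic that one side encrypts and the other side drops or sends in the clear. The Python below is an added example, not part of the course material: it parses PIX access-list lines (PIX uses real subnet masks, not IOS wildcard masks) from two constructed configs built from the entries above plus one extra entry on PIX1, and reports the entries that lack a mirror. Port qualifiers after the destination are ignored, which is my simplification.

```python
import ipaddress
from typing import Dict, List, Tuple

# (action, protocol, source CIDR, destination CIDR)
Entry = Tuple[str, str, str, str]


def _endpoint(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one PIX address spec ('host A', 'any' or 'A MASK') and return it
    as a CIDR string together with the tokens that follow it."""
    if tokens[0] == "host":
        return str(ipaddress.ip_network(tokens[1])), tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]


def parse_crypto_acl(config: str, acl_id: str) -> List[Entry]:
    """Extract the entries of one access-list from running-config text."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        t = raw.strip().split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != acl_id:
            continue
        action, proto = t[2].lower(), t[3].lower()
        src, rest = _endpoint(t[4:])
        dst, _ports = _endpoint(rest)       # port qualifiers, if any, are ignored
        entries.append((action, proto, src, dst))
    return entries


def mirror_gaps(local: List[Entry], remote: List[Entry]) -> Dict[str, List[Entry]]:
    """Return the entries on each side whose mirror image is missing on the other.
    Both lists empty means the crypto ACLs are symmetrical."""
    def mirror(e: Entry) -> Entry:
        return (e[0], e[1], e[3], e[2])
    local_set, remote_set = set(local), set(remote)
    return {
        "local_without_mirror": sorted(e for e in local_set if mirror(e) not in remote_set),
        "remote_without_mirror": sorted(e for e in remote_set if mirror(e) not in local_set),
    }


def is_symmetrical(local: List[Entry], remote: List[Entry]) -> bool:
    gaps = mirror_gaps(local, remote)
    return not gaps["local_without_mirror"] and not gaps["remote_without_mirror"]


# Constructed configs: the first entry of each is the one shown for PIX1/PIX6 above;
# the subnet entry on PIX1 is added here and has no mirror on PIX6.
PIX1_CFG = """
access-list 110 permit ip host 192.168.1.10 host 192.168.6.10
access-list 110 permit ip 10.0.1.0 255.255.255.0 host 192.168.6.10
"""
PIX6_CFG = """
access-list 101 permit ip host 192.168.6.10 host 192.168.1.10
"""

if __name__ == "__main__":
    pix1 = parse_crypto_acl(PIX1_CFG, "110")
    pix6 = parse_crypto_acl(PIX6_CFG, "101")
    print("symmetrical:", is_symmetrical(pix1, pix6))
    print(mirror_gaps(pix1, pix6))
```

Run it against the output of show access-list from both peers whenever a tunnel comes up in one direction only; a one-sided entry is the usual cause.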
Step 2—Configure an IPSec Transform Set
Syntax: pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
• Sets are limited to up to one AH and up to two ESP transforms.
• Default mode is tunnel.
• Configure matching sets between IPSec peers.
Example: pix1(config)# crypto ipsec transform-set pix6 esp-des
Available IPSec Transforms
ah-md5-hmac     AH-HMAC-MD5 transform
ah-sha-hmac     AH-HMAC-SHA transform
esp-des         ESP transform using DES cipher (56 bits)
esp-3des        ESP transform using 3DES cipher (168 bits)
esp-md5-hmac    ESP transform using HMAC-MD5 auth
esp-sha-hmac    ESP transform using HMAC-SHA auth
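The "one AH and up to two ESP transforms" rule and the "matching sets between peers" requirement can both be checked offline before a change window. This Python is an added example, not Cisco code: it parses crypto ipsec transform-set lines from a constructed config (using the two sets that appear on this page), validates each set against the transform list above, and compares the sets of two peers. The split of ESP transforms into one cipher and one authenticator per set is my reading of the rule, not something the page states; the integrity check flags a set like esp-des alone, which encrypts but does not authenticate the payload.

```python
from typing import Dict, List

# Transforms from the "Available IPSec Transforms" list, classified by role.
# Classification (one AH, one ESP cipher, one ESP authenticator) is my assumption.
TRANSFORM_ROLE = {
    "ah-md5-hmac": "ah", "ah-sha-hmac": "ah",
    "esp-des": "esp-cipher", "esp-3des": "esp-cipher",
    "esp-md5-hmac": "esp-auth", "esp-sha-hmac": "esp-auth",
}


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Map transform-set name -> transforms, skipping 'mode' lines."""
    sets: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        t = raw.strip().split()
        if len(t) < 5 or t[:3] != ["crypto", "ipsec", "transform-set"] or t[4] == "mode":
            continue
        sets[t[3]] = [x.lower() for x in t[4:]]
    return sets


def validate_transform_set(transforms: List[str]) -> List[str]:
    """Return the rule violations for one set; an empty list means it is valid."""
    errors: List[str] = []
    if not transforms:
        errors.append("a transform set needs at least one transform")
    for x in transforms:
        if x not in TRANSFORM_ROLE:
            errors.append(f"unknown transform {x}")
    if len(set(transforms)) != len(transforms):
        errors.append("duplicate transform")
    roles = [TRANSFORM_ROLE[x] for x in transforms if x in TRANSFORM_ROLE]
    if roles.count("ah") > 1:
        errors.append("more than one AH transform")
    if sum(r.startswith("esp") for r in roles) > 2:
        errors.append("more than two ESP transforms")
    if roles.count("esp-cipher") > 1:
        errors.append("two ESP ciphers; use one of esp-des or esp-3des")
    if roles.count("esp-auth") > 1:
        errors.append("two ESP authenticators; use one of esp-md5-hmac or esp-sha-hmac")
    return errors


def integrity_protected(transforms: List[str]) -> bool:
    """True if the set carries an AH or ESP-HMAC transform; an ESP cipher alone
    gives confidentiality only, no data integrity or authentication."""
    return any(TRANSFORM_ROLE.get(x) in ("ah", "esp-auth") for x in transforms)


def peers_match(local: List[str], remote: List[str]) -> bool:
    """Peers must agree on the transforms; set names and order are local only."""
    return sorted(local) == sorted(remote)


# Constructed config holding the two transform sets that appear on this page.
SAMPLE_CFG = """
crypto ipsec transform-set pix6 esp-des
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto ipsec transform-set AAADES mode tunnel
"""

if __name__ == "__main__":
    for name, ts in parse_transform_sets(SAMPLE_CFG).items():
        print(name, ts, "errors:", validate_transform_set(ts),
              "integrity:", integrity_protected(ts))
```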
Step 3—Configure the Crypto Map
• Specifies IPSec (IKE phase two) parameters.
• Map names and sequence numbers group entries into a policy.
pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp
pixfirewall(config)# crypto map MYMAP 10 match address 101
pixfirewall(config)# crypto map MYMAP 10 set peer 192.168.6.2
pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6
pixfirewall(config)# crypto map MYMAP 10 set pfs group1
pixfirewall(config)# crypto map MYMAP 10 set security-association lifetime seconds 28800
Step 4—Apply the Crypto Map to an Interface
Syntax: pixfirewall(config)# crypto map map-name interface interface-name
• Applies the crypto map to an interface.
• Activates IPSec policy.
Example: pixfirewall(config)# crypto map MYMAP interface outside
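Steps 1 through 4 of Task 3 and Steps 1 and 3 of Task 2 reference each other by name and address: the crypto map names an access-list and a transform set, set peer names an address that needs an isakmp key, and the map is inactive until applied to an interface. The following checker is an added example, not Cisco code: it reads a PIX configuration built from the commands on this page and reports dangling references. It assumes pre-shared-key authentication (an isakmp key for the peer, or a 0.0.0.0 wildcard key) and, because the page says IKE is enabled by default, only flags an interface with an explicit no isakmp enable line.

```python
from typing import Dict, List, Set


def check_crypto_map_config(config: str) -> List[str]:
    """Cross-reference crypto map entries against the ACLs, transform sets,
    pre-shared keys and interface bindings in the same config. Returns a list of
    problems; an empty list means the pieces refer to each other consistently."""
    acls: Set[str] = set()
    transform_sets: Set[str] = set()
    keyed_peers: Set[str] = set()       # addresses from 'isakmp key ... address X'
    ike_disabled: Set[str] = set()      # interfaces from 'no isakmp enable X'
    applied: Dict[str, str] = {}        # crypto map name -> interface
    entries: Dict[tuple, dict] = {}     # (map name, seq) -> attributes

    for raw in config.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 1:
            acls.add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 3:
            transform_sets.add(t[3])
        elif t[:3] == ["no", "isakmp", "enable"] and len(t) > 3:
            ike_disabled.add(t[3])
        elif t[:2] == ["isakmp", "key"] and len(t) > 4 and t[3] == "address":
            keyed_peers.add(t[4])
        elif t[:2] == ["crypto", "map"] and len(t) > 4:
            if t[3] == "interface":
                applied[t[2]] = t[4]
            elif t[3].isdigit():
                e = entries.setdefault((t[2], int(t[3])), {"transform_sets": []})
                rest = t[4:]
                if rest[0] in ("ipsec-isakmp", "ipsec-manual"):
                    e["type"] = rest[0]
                    e["dynamic"] = "dynamic" in rest
                elif rest[:2] == ["match", "address"] and len(rest) > 2:
                    e["acl"] = rest[2]
                elif rest[:2] == ["set", "peer"] and len(rest) > 2:
                    e["peer"] = rest[2]
                elif rest[:2] == ["set", "transform-set"]:
                    e["transform_sets"] = rest[2:]

    problems: List[str] = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        if e.get("dynamic"):
            continue    # peer and ACL come from the dynamic map at negotiation time
        if "acl" not in e:
            problems.append(f"{tag}: no 'match address' line, so no interesting traffic is selected")
        elif e["acl"] not in acls:
            problems.append(f"{tag}: match address {e['acl']} refers to an access-list that is not defined")
        if "peer" not in e:
            problems.append(f"{tag}: no 'set peer' line")
        elif (e.get("type") == "ipsec-isakmp" and e["peer"] not in keyed_peers
              and "0.0.0.0" not in keyed_peers):
            problems.append(f"{tag}: no isakmp key configured for peer {e['peer']}")
        if not e["transform_sets"]:
            problems.append(f"{tag}: no 'set transform-set' line")
        for ts in e["transform_sets"]:
            if ts not in transform_sets:
                problems.append(f"{tag}: transform set {ts} is not defined")
    for name in sorted({n for n, _ in entries}):
        if name not in applied:
            problems.append(f"crypto map {name}: not applied to any interface, so the policy is inactive")
        elif applied[name] in ike_disabled:
            problems.append(f"crypto map {name}: applied to {applied[name]} where IKE is disabled")
    return problems


# Constructed config assembled from the site-to-site commands on this page.
GOOD_CFG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp key cisco123 address 192.168.6.2
access-list 101 permit ip host 192.168.1.10 host 192.168.6.10
crypto ipsec transform-set pix6 esp-des
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.6.2
crypto map MYMAP 10 set transform-set pix6
crypto map MYMAP 10 set pfs group1
crypto map MYMAP 10 set security-association lifetime seconds 28800
crypto map MYMAP interface outside
"""
# Constructed broken variant: ACL numbered 110 instead of 101, key for the wrong
# peer address, and the map never applied to an interface.
BROKEN_CFG = (GOOD_CFG.replace("access-list 101", "access-list 110")
                      .replace("address 192.168.6.2", "address 192.168.6.3")
                      .replace("crypto map MYMAP interface outside", ""))

if __name__ == "__main__":
    print("good:", check_crypto_map_config(GOOD_CFG))
    print("broken:", *check_crypto_map_config(BROKEN_CFG), sep="\n  ")
```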
Example Crypto Map for PIX1
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
        Peer = 192.168.2.2
        access-list 101 permit ip host 192.168.1.11 host 192.168.2.11 (hitcnt=0)
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix2, }
Example Crypto Map for PIX2
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
        Peer = 192.168.1.2
        access-list 101 permit ip host 192.168.2.11 host 192.168.1.11 (hitcnt=0)
        Current peer: 192.168.1.2
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix1, }
Task 4—Test and Verify VPN Configuration
Task 4—Test and Verify VPN Configuration
• Verify ACLs and interesting traffic: show access-list
• Verify correct IKE configuration: show isakmp, show isakmp policy
• Verify correct IPSec configuration: show crypto ipsec transform-set
Task 4—Test and Verify VPN Configuration (cont.)
• Verify the correct crypto map configuration: show crypto map
• Clear the IPSec SA: clear crypto ipsec sa
• Clear the IKE SA: clear crypto isakmp sa
• Debug IKE and IPSec traffic through the PIX Firewall: debug crypto ipsec, debug crypto isakmp
The Cisco VPN Client
Topology Overview
Cisco VPN Client Features
• Support for Windows ME, Windows 2000, and Windows XP
• Data compression
• Split tunneling
• User authentication by way of VPN central-site device
• Automatic VPN Client configuration
• Internal MTU adjustment
• CLI to the VPN Dialer
• Start Before Logon
• Software update notifications from the VPN device upon connection
PIX Firewall to VPN Client Pre-Shared Example
pixfirewall# write terminal
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip local pool MYPOOL 10.0.20.1-10.0.20.254
nat (inside) 0 access-list 80
route outside 0 0 192.168.0.1
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.10 tacacskey timeout 5
aaa authentication include any inbound 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set AAADES esp-des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
PIX Firewall to VPN Client Pre-Shared Example (cont.)
pixfirewall# write terminal
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication MYTACACS
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup TRAINING address-pool MYPOOL
vpngroup TRAINING idle-time 1800
vpngroup TRAINING password ********
VPN Client to PIX Firewall Example
• A new connection entry named vpnpeer0 is created.
• The remote server IP is the PIX Firewall outside interface.
[VPN Client connection dialog: connection entry vpnpeer0]
VPN Client to PIX Firewall Example (cont.)
• The group name matches the vpngroup name in the PIX Firewall.
• The password is the pre-shared key and must match the vpngroup password.
• You can use the digital certificate for authentication.
[VPN Client group authentication dialog: group name TRAINING]
PIX Firewall Assigns the IP Address to the VPN Client
Scale PIX Firewall VPNs
CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server.
Enroll a PIX Firewall with a CA
• Configure CA support
• Generate public/private keys
• Authenticate the CA
• Request signed certificates from the CA
• CA administrator verifies request and sends signed certificates
Summary
Summary
• The PIX Firewall enables a secure VPN.
• IPSec configuration tasks include configuring IKE and IPSec parameters.
• CAs enable scaling to a large number of IPSec peers.
• Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.