Configuring the Central PIX Firewall, HQ-PIX, for VPN Tunneling

Both remote sites connect to the Reston location using VPN tunneling. The VPN protects the
traffic coming from the remote sites. The following steps define the VPN characteristics on
HQ-PIX:
Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000

Step 2 Configure a preshared key and associate it with the peers (Houston and Minneapolis):
isakmp key C2!#ghi address 192.168.3.2
isakmp key B2!#def address 192.168.2.2
Step 3 Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
Step 4 Create an access list:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
Step 5 Define a crypto map for both Houston and Minneapolis:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.2.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.3.2
crypto map Dukem-Map 30 set transform-set myset
Step 6 Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
Step 7 Specify that IPSec traffic is implicitly trusted (permitted):
sysopt connection permit-ipsec
Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list VPN
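The steps above only work together if each crypto map peer has a preshared key (Step 2) and every network pair in the crypto ACLs (Step 4) is also listed in the NAT 0 ACL (Step 8); a missing exemption silently translates the traffic before it can match the crypto map. The following added audit script (not from the book, and not a Cisco tool) parses the HQ-PIX lines those steps need, assembled here as a constructed sample, and reports any such mismatch:

```python
from collections import defaultdict

# Constructed sample: the HQ-PIX lines from Steps 2, 4, 5 and 8 that the
# check needs (keys, crypto ACLs, crypto map entries, NAT 0 exemption ACL).
HQ_PIX_VPN = """\
isakmp key C2!#ghi address 192.168.3.2
isakmp key B2!#def address 192.168.2.2
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list 120 permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.2.2
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.3.2
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 172.16.31.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list VPN
"""

def audit_pix_vpn(config):
    """Every crypto map peer needs an isakmp key, and every crypto ACL entry
    must also be in the NAT 0 ACL; return a list of violations (empty = ok)."""
    acls = defaultdict(set)            # ACL name -> {(src, smask, dst, dmask)}
    keys, maps, nat0 = set(), defaultdict(dict), None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            acls[w[1]].add(tuple(w[4:8]))
        elif w[:2] == ["isakmp", "key"]:
            keys.add(w[4])             # peer address the key is bound to
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            entry = maps[(w[2], w[3])]  # keyed by (map name, sequence number)
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
        elif w[:2] == ["nat", "(inside)"] and w[2:4] == ["0", "access-list"]:
            nat0 = w[4]
    findings = []
    for (name, seq), entry in maps.items():
        if entry.get("peer") not in keys:
            findings.append(f"{name} {seq}: no isakmp key for peer {entry.get('peer')}")
        for ace in acls.get(entry.get("acl"), ()):
            if nat0 is None or ace not in acls[nat0]:
                findings.append(f"{name} {seq}: {' '.join(ace)} not exempt from NAT")
    return findings
```

The ISAKMP policy and transform set in Steps 1 and 3 use DES, MD5 and DH group 1 as the book presents them; a present-day audit of the same config would also flag those as inadequate.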