Configuring the Houston PIX Firewall, HOU-PIX, for VPN Tunneling
Just as you defined the VPN characteristics on HQ-PIX, you must also define them at each remote site. The following steps outline the commands needed to define the VPN characteristics on HOU-PIX at the Houston remote site:
Step 1 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1!#abc address 192.168.1.2
Step 3 Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
Step 4 Create an access list:
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
Step 5 Define a crypto map for HQ-PIX:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
Step 6 Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
Step 7 Specify that IPSec traffic is implicitly trusted (permitted):
sysopt connection permit-ipsec
Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
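An added consistency check for the eight steps above, written here in Python (it is not part of the book or of any Cisco tool): it parses the HOU-PIX commands and verifies that the peer, transform set and interface the crypto map uses are backed by Steps 1 to 3, and that the crypto access list (Step 4) and the nat 0 access list (Step 8) cover the same flows, the mismatch that most often leaves inter-office traffic unencrypted or still translated.

```python
import re

# HOU-PIX VPN commands exactly as listed in Steps 1 to 8 (constructed sample input).
HOU_PIX_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key A1!#abc address 192.168.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 110 permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map interface outside
sysopt connection permit-ipsec
access-list VPN permit ip 10.30.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.30.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
"""

def check_vpn_config(config):
    """Return a list of consistency problems in a PIX site-to-site VPN config."""
    find = lambda pat: set(re.findall(pat, config, re.M))
    # 'src mask dst mask' entries permitted by a named access-list
    acl = lambda name: find(rf"^access-list {re.escape(name)} permit ip (\S+ \S+ \S+ \S+)$")
    problems = []
    # Values the crypto map uses (Steps 5 and 6) must be defined elsewhere (Steps 1 to 3).
    refs = [("peer without isakmp key", r"^crypto map \S+ \d+ set peer (\S+)$",
             r"^isakmp key \S+ address (\S+)$"),
            ("undefined transform-set", r"^crypto map \S+ \d+ set transform-set (\S+)$",
             r"^crypto ipsec transform-set (\S+) "),
            ("map on interface without isakmp enable", r"^crypto map \S+ interface (\S+)$",
             r"^isakmp enable (\S+)$")]
    for label, used, defined in refs:
        missing = find(used) - find(defined)
        if missing:
            problems.append(f"{label}: {sorted(missing)}")
    # Steps 4 and 8: the crypto ACL and the nat 0 ACL must cover the same flows,
    # otherwise traffic to one office is either sent in the clear or still NATed.
    for crypto_acl in find(r"^crypto map \S+ \d+ match address (\S+)$"):
        for nat_acl in find(r"^nat \(\S+\) 0 access-list (\S+)$"):
            if acl(crypto_acl) != acl(nat_acl):
                problems.append(f"access-list {crypto_acl} and nat 0 access-list {nat_acl} differ")
    return problems
```

Run the same check against the HQ-PIX configuration with the source and destination networks swapped; both ends must mirror each other for the tunnel to carry both subnets.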
Example 20-7 shows the Houston PIX configuration.