Configuring the Minneapolis PIX Firewall, MN-PIX, for VPN Tunneling
Similar to configuring the VPN characteristics on HQ-PIX, you also must define the VPN
characteristics at each of the remote sites. The following steps outline the commands
necessary to define the VPN characteristics on MN-PIX at the Minneapolis remote site:
Step 1 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key and associate it with the peer (HQ-PIX):
isakmp key A1!#abc address 192.168.1.2
Step 3 Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
Example 20-7 Houston PIX Firewall Configuration (Continued)
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- Traffic to Reston HQ:
crypto map Dukem-Map 10 ipsec-isakmp
crypto map Dukem-Map 10 match address 110
crypto map Dukem-Map 10 set peer 192.168.1.2
crypto map Dukem-Map 10 set transform-set myset
crypto map Dukem-Map interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:b23cc9772a79ea76d711ea747f182a5f
Step 4 Create an access list:
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
Step 5 Define a crypto map for HQ-PIX:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
Step 6 Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
Step 7 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
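A consistency check for the MN-PIX configuration built in Steps 1 through 8, written here as an added example in Python; it is not from the book or from Cisco. It parses the commands above (constructed inline, with the preshared key replaced by a placeholder) and verifies the cross-references that most often leave a site-to-site tunnel down: the crypto map's match address ACL, transform set and ISAKMP peer all exist, the map is bound to an interface, sysopt connection permit-ipsec is present, and the NAT 0 ACL covers every flow in the crypto ACL. It also flags the DES/MD5/group 1 ISAKMP policy the chapter uses as weak by current standards. The regular expressions cover only the PIX 6.x command forms shown on this page.

```python
"""Cross-reference checks for a PIX 6.x-style site-to-site IPSec configuration.

Added example, not from the book: every name below (check, parse, WEAK,
MN_PIX_CONFIG) is an assumption of this script, not a Cisco command.
"""
import re
from collections import defaultdict

# Constructed from Steps 1-8 above; the preshared key is a placeholder.
MN_PIX_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key PLACEHOLDER-KEY address 192.168.1.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 110 permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 110 permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 110
crypto map Dukem-Map 20 set peer 192.168.1.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map interface outside
sysopt connection permit-ipsec
access-list VPN permit ip 10.20.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPN permit ip 10.20.10.0 255.255.255.0 172.16.31.0 255.255.255.0
nat (inside) 0 access-list VPN
"""

# ISAKMP policy values that are no longer considered adequate.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse(config: str) -> dict:
    """Collect the parts of the config that the checks cross-reference."""
    acls = defaultdict(set)        # ACL name -> {(src, smask, dst, dmask)}
    maps = defaultdict(dict)       # (map name, seq) -> {"acl", "peer", "ts"}
    bound = {}                     # map name -> interface it is applied to
    ikepeers, transforms, sysopt = set(), set(), set()
    policies = defaultdict(dict)   # policy number -> {attribute: value}
    nat0 = {}                      # interface -> NAT 0 ACL name
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls[m[1]].add(m.groups()[1:])
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            maps[(m[1], m[2])]["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", line):
            maps[(m[1], m[2])]["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)$", line):
            maps[(m[1], m[2])]["ts"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[1]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transforms.add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            ikepeers.add(m[1])
        elif m := re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", line):
            policies[m[1]][m[2]] = m[3]
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            nat0[m[1]] = m[2]
        elif line == "sysopt connection permit-ipsec":
            sysopt.add(line)
    return dict(acls=acls, maps=maps, bound=bound, ikepeers=ikepeers,
                transforms=transforms, policies=policies, nat0=nat0, sysopt=sysopt)


def check(config: str) -> list:
    """Return a list of findings; an empty list means the tunnel pieces line up."""
    c = parse(config)
    findings = []
    for (name, seq), entry in c["maps"].items():
        where = f"crypto map {name} {seq}"
        acl = entry.get("acl")
        if acl not in c["acls"]:
            findings.append(f"{where}: match address refers to missing ACL {acl}")
        if entry.get("ts") not in c["transforms"]:
            findings.append(f"{where}: transform-set {entry.get('ts')} is not defined")
        if entry.get("peer") not in c["ikepeers"]:
            findings.append(f"{where}: no isakmp key configured for peer {entry.get('peer')}")
        if name not in c["bound"]:
            findings.append(f"{where}: map is never applied to an interface")
        # Every flow the crypto ACL selects must also be exempt from NAT, or it
        # is translated before encryption and no longer matches the crypto ACL.
        for nat_acl in c["nat0"].values():
            for flow in sorted(c["acls"].get(acl, set()) - c["acls"].get(nat_acl, set())):
                findings.append(f"{where}: flow {flow} is in ACL {acl} but not in NAT 0 ACL {nat_acl}")
    if not c["nat0"]:
        findings.append("no nat 0 access-list: VPN traffic will be translated")
    if not c["sysopt"]:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic is subject to interface ACLs")
    for pol, attrs in c["policies"].items():
        for attr, val in attrs.items():
            if val in WEAK.get(attr, set()):
                findings.append(f"isakmp policy {pol}: {attr} {val} is considered weak today")
    return findings


if __name__ == "__main__":
    for finding in check(MN_PIX_CONFIG) or ["OK: VPN configuration is internally consistent"]:
        print(finding)
```

Run against the configuration from the steps, the only findings are the three weak-algorithm notes for ISAKMP policy 10; deleting one of the VPN access-list lines or the crypto map interface binding makes the corresponding mismatch appear, which is the same reasoning a practitioner applies by hand when a tunnel negotiates but passes no traffic.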
Example 20-8 shows the configuration for the Minneapolis PIX Firewall.