Configuring a Site-to-Site VPN

For our exercise, let's use our SecureCorp.com example network architecture to build a VPN between the Washington, D.C., PIX (PIX1) and the Prague PIX (PIX2). To build a site-to-site IPsec VPN using the VPN wizard, select VPN Wizard from the Wizards menu. The VPN Wizard window appears, as shown in Figure 9.64.

Click the Site to Site VPN radio button and select outside from the Select interface on which the VPN will be enabled pull-down list. Click Next to proceed to the Remote Site Peer window, shown in Figure 9.65.

From this window, you can choose to use preshared keys or certificates. Using digital certificates is a more secure VPN tunnel configuration than shared keys. For simplicity, however, let's configure the site-to-site VPN using preshared keys.

www.syngress.com

Figure 9.64 The VPN Wizard Window

522 Chapter 9 • PIX Device Manager

Using our SecureCorp.com example architecture, type 192.168.2.2 in the Peer IP Address field. This is the external IP address of the PIX firewall named PIX2, located in Prague. Next, type an alphanumeric string in the Pre-shared Key and Reenter Key fields. This key string should be at least eight characters in length and should not be easily guessable. Remember the key entered in this step, because you will be required to enter it again when configuring the remote PIX firewall. After you click Next, the IKE Policy window appears, as shown in Figure 9.66.

Select appropriate Encryption, Authentication, and DH Group settings using the drop-down lists. It is important to remember the specific settings you select, because you will need to build an identical configuration on the remote PIX firewall.

NOTE

3DES, which enables stronger encryption capabilities, is only available with a 3DES license from Cisco.

Figure 9.65 The Remote Site Peer Window

Click Next to proceed to the Transform Set window, shown in Figure 9.67.

Figure 9.66 The IKE Policy Window

Figure 9.67 The Transform Set Window

Similar to the IKE Policy window, the Transform Set screen permits you to select Encryption and Authentication variables. Again, remember your selections for configuration on the remote PIX firewall, and click Next. The next window you see is the IPSec Traffic Selector window, shown in Figure 9.68. From this window, you will determine the internal addresses that will traverse the tunnel. For the purposes of our exercise, we will use the entire internal network as the local site network. Alternatively, you could choose to permit only a subset of addresses across the VPN. Click the Browse button and select the internal network address, 172.20.0.0. Click OK and, from the IPSec Traffic Selector window, click the -> button. The address 172.20.0.0/16 should appear in the Selected window. Click Next to proceed.

Now that we have allowed the local site network to be transported across the VPN, we must select the remote network to which the VPN will connect. The next window to appear is very similar to the one we just completed. From this window, enter the IP address of the Prague internal network, 172.16.0.0, with a subnet mask of 255.255.0.0. A popup window will appear, indicating that there is no host/network for 172.16.0.0 in the PIX configuration. When prompted, click OK to add the new network entry, and the Create Host/Network window appears. Complete the necessary fields in the Create Host/Network window and click OK. Click the -> button to add the new network to the Selected window.

Figure 9.68 The IPSec Traffic Selector Window

Finally, click Finish to complete the VPN Wizard and return to the VPN tab. Before you can use the VPN, you must repeat the configuration process on the PIX firewall in Prague. This can be accomplished via a PDM session with the remote firewall, via the command line, or using other Cisco software such as CSPM. After finishing the remote firewall configuration, you are ready to begin testing and using the VPN.
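The settings the wizard asks you to remember (IKE policy, transform set, preshared key, and traffic selector) have to be rebuilt as a mirror image on the Prague firewall, and a mismatch in any one of them is the usual reason a freshly built tunnel fails to come up. The following Python script is an added example, not code from the book or from Cisco: it embeds two constructed, abridged PIX-style command-line fragments for PIX1 and PIX2 (the networks 172.20.0.0/16 and 172.16.0.0/16 and the Prague peer address 192.168.2.2 are from the text; PIX1's outside address 192.0.2.1, the key value, and the 3DES/SHA/DH group 2 choices are assumptions made for illustration) and checks that the two sides mirror each other, flagging the kind of configuration drift the text warns about.

```python
"""Mirror check for a site-to-site IPsec configuration on two PIX peers.

Added example, not from the book.  Two constructed, abridged PIX-style
configuration fragments (PIX1 in Washington, D.C. and PIX2 in Prague) are
parsed and compared: IKE policy, transform set and preshared key must be
identical, the preshared key must be at least eight characters, and the
peer addresses and crypto ACL must be swapped between the two sides.
"""

# Constructed PIX1 side.  192.0.2.1 is a placeholder outside address; the
# text only gives PIX2's outside address, 192.168.2.2.
PIX1_CONFIG = """
ip address outside 192.0.2.1 255.255.255.0
access-list vpn permit ip 172.20.0.0 255.255.0.0 172.16.0.0 255.255.0.0
crypto ipsec transform-set wizset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 192.168.2.2
crypto map vpnmap 10 set transform-set wizset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key Wz9-dc2prg-Vpn address 192.168.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

# Constructed PIX2 side: the same policy with networks and peers swapped,
# which is what the text asks you to rebuild on the Prague firewall.
PIX2_CONFIG = """
ip address outside 192.168.2.2 255.255.255.0
access-list vpn permit ip 172.16.0.0 255.255.0.0 172.20.0.0 255.255.0.0
crypto ipsec transform-set wizset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 192.0.2.1
crypto map vpnmap 10 set transform-set wizset
crypto map vpnmap interface outside
isakmp enable outside
isakmp key Wz9-dc2prg-Vpn address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""


def parse_pix(text):
    """Extract the fields that must agree (or mirror) between the two peers."""
    cfg = {"outside": None, "selectors": set(), "transform": None,
           "peer": None, "key": None, "key_peer": None, "policy": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = p[3]
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            cfg["selectors"].add(tuple(p[4:8]))   # (local, mask, remote, mask)
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = tuple(p[4:])        # e.g. ('esp-3des', 'esp-sha-hmac')
        elif p[:2] == ["crypto", "map"] and p[4:6] == ["set", "peer"]:
            cfg["peer"] = p[6]
        elif p[:2] == ["isakmp", "key"]:
            cfg["key"], cfg["key_peer"] = p[2], p[4]
        elif p[:2] == ["isakmp", "policy"] and len(p) >= 5:
            cfg["policy"][p[3]] = p[4]             # authentication, encryption, hash, group
    return cfg


def mirror_problems(local_text, remote_text):
    """Return a list of mismatches; an empty list means the peers mirror cleanly."""
    a, b = parse_pix(local_text), parse_pix(remote_text)
    problems = []
    if a["policy"] != b["policy"]:
        problems.append("IKE policy differs: %s vs %s" % (a["policy"], b["policy"]))
    if a["transform"] != b["transform"]:
        problems.append("transform set differs: %s vs %s" % (a["transform"], b["transform"]))
    if a["key"] != b["key"]:
        problems.append("preshared keys differ")
    elif a["key"] is None or len(a["key"]) < 8:
        problems.append("preshared key missing or shorter than eight characters")
    # Each side's crypto-map peer and isakmp key address must be the other
    # side's outside address.
    for me, other, name in ((a, b, "local"), (b, a, "remote")):
        if me["peer"] != other["outside"] or me["key_peer"] != other["outside"]:
            problems.append("%s peer/key address should be %s" % (name, other["outside"]))
    # The remote crypto ACL must be the local one with source and destination swapped.
    swapped = {(rn, rm, ln, lm) for (ln, lm, rn, rm) in a["selectors"]}
    if swapped != b["selectors"]:
        problems.append("crypto ACL on the remote side is not the mirror of the local one")
    return problems


# Constructed drift: the Prague side was rebuilt with MD5 instead of SHA.
PIX2_DRIFTED = PIX2_CONFIG.replace("hash sha", "hash md5")

if __name__ == "__main__":
    for label, remote in (("matching", PIX2_CONFIG), ("drifted", PIX2_DRIFTED)):
        print(label, mirror_problems(PIX1_CONFIG, remote) or ["peers mirror cleanly"])
```

Run it against the two fragments and the drifted variant to see the matching pair pass and the MD5 change reported as an IKE policy mismatch; pasting `show running-config` output from each real firewall into the two strings gives the same check before a PDM, CLI, or CSPM push to the remote side.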