Friday, 7 October 2011

Cisco PIX configuration

First we need to make sure the PIX has 3DES enabled.
pixfirewall# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfirewall up 157 days 5 hours

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000b.4605.d319, irq 10
1: ethernet1: address is 000b.4605.d31a, irq 11
2: ethernet2: address is 0002.b3b3.2e54, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
If the "VPN-3DES-AES" line above does not show "Enabled", you need to install the PIX 3DES key. This is now available free from Cisco here for all PIX firewalls (click 3DES/AES Encryption License). Do NOT use DES for a VPN if you want it to be cryptographically secure. DES is only slightly better than transmitting in clear text.
Next we'll see if any VPN configurations are in place on the PIX.
pixfirewall# sh isakmp policy

Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
If you only see the default policy, there are no VPNs configured. This document cannot be followed verbatim if you have current VPNs (though you should be able to figure it out, just be careful not to break your existing VPNs with any duplicate names).
Allow IPSec connections to the PIX
pixfirewall(config)# sysopt connection permit-ipsec
Enable ISAKMP on the outside interface (where "outside" is the name of the internet-facing interface)
pixfirewall(config)# isakmp enable outside
isakmp policy command on PIX
pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>
Now we need to configure the ISAKMP policy on the PIX. Enter the following commands in configure mode:
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
This policy uses pre-shared keys for authentication, 3DES encryption, MD5 hashing, Diffie-Hellman group 2, and an 86400 second lifetime.
Now we need to define the pre-shared key for this connection (1.1.1.1 is the public IP address of the m0n0wall, and qwertyuiop is the shared key; generate a random key for your own configuration).
isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255
Now we need to create an access list defining what traffic can cross this tunnel.
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
Define a transform set for this connection called "monovpnset":
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
Define the security association lifetime:
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
Now set up the actual connection, the crypto map "monovpnmap" (where 1.1.1.1 is the public IP address of the m0n0wall device):
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
These lines specify the type of VPN (ipsec-isakmp), the peer IP address (1.1.1.1), the transform set to be used (monovpnset, defined above), and that packets matching the access list "monovpn" created above should traverse this VPN connection.
The last step is to tell the PIX not to NAT the packets using this VPN connection, but to route them instead.
First we'll see if anything is currently exempted from NAT.
pixfirewall# sh nat
nat (inside) 0 access-list no-nat
Look for "nat (interface) 0 ..." commands. The above means any traffic matching access list "no-nat" will be routed, not translated. In this instance, we are adding to a current access list (if you use a DMZ, you likely have something similar to this set up).
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
If you do not have a "nat (interface) 0 ..." command in your "sh nat" output, you can use the above two lines to create a "no-nat" access list. You then have to apply it with the "nat (interface-name) 0 access-list no-nat" command (replacing "interface-name" with the name of your LAN interface).
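As an added check that is not part of the original post, here is a small Python script that reads a PIX configuration stanza like the one built up above and flags the pitfalls this page warns about: DES or Diffie-Hellman group 1 in the ISAKMP policy, an access-list entry whose address has host bits set under its mask (the kind of typo that silently breaks a nat 0 exemption), and a crypto ACL network pair that the nat 0 access list does not exempt. The sample configuration embedded below is constructed for this example, and the function names parse_acls and check_pix_vpn are my own.

```python
import ipaddress
import re
# Constructed sample of the PIX stanza built on this page; the no-nat line keeps
# a host-address typo (10.0.0.1 rather than 10.0.0.0) so the check reports it.
SAMPLE_CONFIG = """\
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
access-list no-nat permit ip 10.0.0.1 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
"""
WEAK = {"encrypt": {"des"}, "group": {"1"}}  # ISAKMP settings the page says to avoid
ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (src, dst) 'addr/mask' pairs from permit ip entries."""
    acls = {}
    for m in filter(None, map(ACE.match, config.splitlines())):
        name, s, sm, d, dm = m.groups()
        acls.setdefault(name, []).append((f"{s}/{sm}", f"{d}/{dm}"))
    return acls

def check_pix_vpn(config):
    """Return a list of findings for the ISAKMP/IPsec stanza of a PIX config."""
    findings = []
    for m in re.finditer(r"^isakmp policy \d+ (encrypt|group) (\S+)$", config, re.M):
        if m.group(2) in WEAK[m.group(1)]:
            findings.append(f"weak isakmp {m.group(1)} {m.group(2)}")
    acls = parse_acls(config)
    for name, entries in acls.items():
        for net in sorted({n for pair in entries for n in pair}):
            try:
                ipaddress.ip_network(net)  # strict mode rejects host bits under the mask
            except ValueError:
                findings.append(f"access-list {name}: {net} has host bits set")
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
    exempt = acls.get(nat0.group(1), []) if nat0 else []
    for m in re.finditer(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M):
        if m.group(1) not in acls:
            findings.append(f"crypto map matches unknown access-list {m.group(1)}")
        for pair in acls.get(m.group(1), []):
            if pair not in exempt:  # would be NATed before it reaches the tunnel
                findings.append(f"no nat 0 exemption for {pair[0]} -> {pair[1]}")
    return findings
```

Running check_pix_vpn on the output of "sh run" on a PIX shows the same checks against a live configuration; the function only reads text and changes nothing on the device.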
