Case Study: Configuring PIX Firewall IPSec for Preshared Keys
This case study illustrates how to configure IPSec, as taught in this chapter, for the hypothetical XYZ Company. Read the case study scenario, examine the topology diagram, and read the security policy. Then analyze the sample configuration to see how the security policy statements are enacted on the PIX Firewalls.
Case Study Scenario
XYZ Company wants to use PIX Firewalls to create a secure VPN over the Internet between sites. The company wants you to configure a secure IPSec VPN gateway between two PIX Firewalls that uses preshared keys and allows access to the Web server.
Topology
Figure 17-3 illustrates the portion of the XYZ network that is configured in this case study. Note that the focus here is on the PIX Firewall at each site.
Figure 17-3 XYZ Company Configures a Secure VPN Gateway Between PIX Firewalls
Network Security Policy
The network security policy that XYZ Company wants to implement is as follows:
Use the Internet to connect a branch office to the corporate network for casual traffic.
Authenticate data traffic between the corporate network and branch offices over the Internet to ensure that no one is inserting or changing packets in transit.
Use IKE preshared keys and MD5 for authentication.
Ensure data integrity of traffic between the corporate network and branch offices over the Internet using 56-bit DES encryption.
Encrypt Web traffic between internal NT servers at each site.
Sample Configuration for the PIX 1 Firewall
Examine the configuration examples shown in Examples 17-20 and 17-21 for the PIX 1 and PIX 2 Firewalls of the XYZ Company. The examples implement the network security policy statements related to IPSec network security. One possible configuration of the PIX 1 Firewall for the specified security policy is shown in Example 17-20; you might choose to configure the PIX Firewall differently to enact the same security policy requirements. The configuration shown is for PIX 515s. Unused interfaces and other unrelated commands were deleted for brevity.
Example 17-20 PIX 1 Configuration Example
! Configures the IP addresses for each PIX Firewall interface.
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.3 255.255.255.0
ip address dmz 192.168.11.1 255.255.255.0
! Creates a global pool on the outside interface and enables NAT.
global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
! Creates a static translation between the global and the inside
! Windows NT server.
static (inside,outside) 192.168.1.10 10.1.1.4 netmask 255.255.255.255 0 0
! Crypto access list specifies that traffic between the internal Windows NT
! servers behind PIX Firewalls is encrypted. The source
! and destination IP addresses are the global IP addresses of the statics.
! The access lists for PIX 1 and PIX 2 are mirror images of each other.
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
! The conduits permit ICMP and Web access for testing.
conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
! Enables IPSec to bypass access list, access, and conduit restrictions.
sysopt connection permit-ipsec
! Defines a crypto map transform set to use esp-des.
crypto ipsec transform-set pix2 esp-des
! Defines the crypto map.
crypto map peer2 10 ipsec-isakmp
! Binds the crypto access list to the crypto map entry.
crypto map peer2 10 match address 101
! Defines the crypto map to point to the peer by specifying the peer PIX's
! outside interface IP address.
crypto map peer2 10 set peer 192.168.2.1
! Defines the crypto map to use the transform set.
crypto map peer2 10 set transform-set pix2
! Assigns the crypto map set to the outside PIX interface.
! As soon as the crypto map is assigned to the interface, the IKE and IPSec
! policy is active.
crypto map peer2 interface outside
! Enables IKE on the outside interface.
isakmp enable outside
! Defines the preshared IKE key for the peer PIX's outside interface address,
! the same address the crypto map's set peer names.
isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255
! Defines the IKE policy to use preshared keys for authentication.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
! Uses MD5 as the IKE hash, as the security policy requires.
isakmp policy 10 hash md5
! Specifies use of D-H group 1. Could have used D-H group 2 for stronger security
! along with transform esp-3des, but would require more CPU time to execute.
isakmp policy 10 group 1
! Specifies the IKE lifetime.
isakmp policy 10 lifetime 86400
Sample Configuration for the PIX 2 Firewall
Example 17-21 summarizes the configuration for PIX 2.
Example 17-21 PIX 2 Configuration Example
! Configures the IP addresses for each PIX Firewall interface.
ip address outside 192.168.2.1 255.255.255.0
ip address inside 10.2.1.3 255.255.255.0
ip address dmz 192.168.12.1 255.255.255.0
! Creates a global pool on the outside interface and enables NAT.
global (outside) 1 192.168.2.10-192.168.2.254 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
! Creates a static translation between the global and inside Windows NT server.
static (inside,outside) 192.168.2.10 10.2.1.4 netmask 255.255.255.255 0 0
! Crypto access list specifies that traffic between the internal Windows NT
! servers behind PIX Firewalls is encrypted.
! The source and destination IP addresses are the global IP addresses of the
! statics. The access lists for PIX 2 and PIX 1 are mirror images of each other.
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
! The conduits permit ICMP and Web access for testing.
conduit permit icmp any any
conduit permit tcp host 192.168.2.10 eq www any
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
! Enables IPSec to bypass access list, access, and conduit restrictions.
sysopt connection permit-ipsec
! Defines a crypto map transform set to use esp-des.
crypto ipsec transform-set pix1 esp-des
! Defines the crypto map.
crypto map peer1 10 ipsec-isakmp
! Binds the crypto access list to the crypto map entry.
crypto map peer1 10 match address 101
! Defines the crypto map to point to the peer by specifying the peer PIX's
! outside interface IP address.
crypto map peer1 10 set peer 192.168.1.1
! Defines the crypto map to use the transform set.
crypto map peer1 10 set transform-set pix1
! Assigns the crypto map set to the outside PIX interface. As soon as the
! crypto map is assigned to the interface, the IKE and IPSec policy is active.
crypto map peer1 interface outside
! Enables IKE on the outside interface.
isakmp enable outside
! Defines the preshared IKE key. The address must be the peer PIX's outside
! interface, 192.168.1.1, the same address the crypto map's set peer names
! (not 192.168.2.2, which is only PIX 2's default gateway).
isakmp key cisco123 address 192.168.1.1 netmask 255.255.255.255
! Defines the IKE policy to use preshared keys for authentication.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
! Uses MD5 as the IKE hash, as the security policy requires.
isakmp policy 10 hash md5
! Specifies use of D-H group 1. Could have used D-H group 2 for stronger security
! along with transform esp-3des, but would require more CPU time to execute.
isakmp policy 10 group 1
! Specifies the IKE lifetime.
isakmp policy 10 lifetime 86400
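As an added example that is not from the book, the following Python check parses the IPSec-relevant lines of both PIX configurations and verifies the two points the comments in Examples 17-20 and 17-21 call out: that the crypto access lists are mirror images of each other, and that each PIX has an isakmp key for the address its crypto map names as the peer. The configuration text embedded in it is constructed from the shape of the examples; PIX2_BAD deliberately carries a key address that does not match its crypto map peer so the check has something to report.

```python
import re

# Constructed samples with only the lines the check needs, shaped like Examples
# 17-20 and 17-21. PIX2_BAD keys the wrong address (the default gateway, not the peer).
PIX1 = """
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.1
isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255
"""
PIX2_BAD = """
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.1
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255
"""
PIX2_OK = PIX2_BAD.replace("address 192.168.2.2", "address 192.168.1.1")

def parse(cfg):
    """Pull out the IPSec/IKE settings that must agree between the two peers."""
    def first(pat):
        m = re.search(pat, cfg)
        return m.group(1) if m else None
    acl = {}
    for name, src, dst in re.findall(r"access-list (\S+) permit ip host (\S+) host (\S+)", cfg):
        acl.setdefault(name, set()).add((src, dst))
    return {
        "acl": acl,
        "map_acl": first(r"crypto map \S+ \d+ match address (\S+)"),
        "peer": first(r"crypto map \S+ \d+ set peer (\S+)"),
        "key_addrs": set(re.findall(r"isakmp key \S+ address (\S+)", cfg)),
    }

def check_peers(cfg_a, cfg_b):
    """Return findings as strings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for label, p in (("A", a), ("B", b)):
        # IKE can only authenticate the peer if a key exists for the peer address.
        if p["peer"] not in p["key_addrs"]:
            findings.append(f"{label}: no isakmp key for crypto map peer {p['peer']}")
    # Mirror-image test: A's (src, dst) pairs must equal B's (dst, src) pairs.
    mirrored = {(dst, src) for src, dst in b["acl"].get(b["map_acl"], set())}
    if a["acl"].get(a["map_acl"], set()) != mirrored:
        findings.append("crypto access lists are not mirror images of each other")
    return findings
```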