Configuring the Central PIX Firewall, HQ_PIX, for VPN Tunneling
Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
Step 2 Configure a preshared key and associate it with the peer (Houston and
crypto isakmp key sept1302 address
crypto isakmp key sept1302 address
Step 3 Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
Step 4 Create an access list:
access-list 120 permit ip
access-list 130 permit ip
Step 5 Define a crypto map for both Houston and Minneapolis:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer
crypto map Dukem-Map 30 set transform-set myset
Step 6 Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
Step 7 Specify that IPSec traffic is implicitly trusted (permitted):
sysopt connection permit-ipsec
Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip
access-list VPN permit ip
nat 0 access-list VPN
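The eight steps above only work when every object they create refers to the others correctly: each crypto map entry must point at a defined access-list and transform-set, the map must be applied to an interface on which ISAKMP is enabled, each peer needs a preshared key when the policy uses pre-share authentication, and the NAT 0 exemption must reference an existing access-list. The following checker is an added example, not code from the book or from Cisco; it parses the crypto-related lines of a PIX 6.x-style configuration and reports any dangling reference. The sample configuration is constructed here to mirror the HQ_PIX steps, with placeholder addresses from 192.0.2.0/24 and 10.10.0.0/16 standing in for the values omitted above.

```python
"""Cross-reference checker for the crypto section of a PIX configuration.

Added example (not from the book). It extracts access-lists, transform-sets,
ISAKMP settings, preshared keys, crypto map entries, the NAT 0 exemption and
sysopt permit-ipsec, then reports references that do not resolve.
"""
from collections import defaultdict

# Constructed sample modelled on the HQ_PIX steps; addresses are placeholders.
SAMPLE_CONFIG = """
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
crypto isakmp key sept1302 address 192.0.2.10
crypto isakmp key sept1302 address 192.0.2.20
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.0.2.10
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.0.2.20
crypto map Dukem-Map 30 set transform-set myset
crypto map Dukem-Map interface outside
sysopt connection permit-ipsec
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
nat (inside) 0 access-list VPN
"""


def parse_pix_crypto(config):
    """Collect the crypto-relevant objects from a PIX configuration text."""
    s = {"acls": set(), "transform_sets": set(), "isakmp_ifaces": set(),
         "auth": set(), "keys": {}, "maps": defaultdict(dict),
         "map_iface": {}, "nat0_acl": None, "permit_ipsec": False}
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):          # blank line or comment
            continue
        if t[0] == "access-list":
            s["acls"].add(t[1])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["transform_sets"].add(t[3])
        elif t[:2] == ["isakmp", "enable"]:
            s["isakmp_ifaces"].add(t[2])
        elif t[:2] == ["isakmp", "policy"] and len(t) > 4 and t[3] == "authentication":
            s["auth"].add(t[4])
        elif t[:3] == ["crypto", "isakmp", "key"] and t[4] == "address":
            s["keys"][t[5]] = t[3]                  # peer address -> key
        elif t[:2] == ["crypto", "map"]:
            name = t[2]
            if t[3] == "interface":
                s["map_iface"][name] = t[4]
            else:
                entry = s["maps"][name].setdefault(int(t[3]), {})
                rest = t[4:]
                if rest[0] == "ipsec-isakmp":
                    entry["type"] = rest[0]
                elif rest[:2] == ["match", "address"]:
                    entry["acl"] = rest[2]
                elif rest[:2] == ["set", "peer"]:
                    entry["peer"] = rest[2]
                elif rest[:2] == ["set", "transform-set"]:
                    entry["transform"] = rest[2]
        elif t[0] == "nat" and "access-list" in t:  # "nat 0 ..." or "nat (inside) 0 ..."
            i = t.index("access-list")
            if "0" in t[1:i]:
                s["nat0_acl"] = t[i + 1]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            s["permit_ipsec"] = True
    return s


def audit_pix_crypto(config):
    """Return a list of findings; an empty list means all references resolve."""
    s = parse_pix_crypto(config)
    findings = []
    for name, entries in s["maps"].items():
        iface = s["map_iface"].get(name)
        if iface is None:
            findings.append(f"crypto map {name} is never applied to an interface")
        elif iface not in s["isakmp_ifaces"]:
            findings.append(f"isakmp is not enabled on {iface}, where {name} is applied")
        for seq, e in sorted(entries.items()):
            tag = f"{name} {seq}"
            if e.get("type") != "ipsec-isakmp":
                findings.append(f"{tag}: missing 'ipsec-isakmp' entry")
            acl, ts, peer = e.get("acl"), e.get("transform"), e.get("peer")
            if acl is None:
                findings.append(f"{tag}: no 'match address'")
            elif acl not in s["acls"]:
                findings.append(f"{tag}: access-list {acl} is not defined")
            if ts is None:
                findings.append(f"{tag}: no transform-set")
            elif ts not in s["transform_sets"]:
                findings.append(f"{tag}: transform-set {ts} is not defined")
            if peer is None:
                findings.append(f"{tag}: no peer")
            elif "pre-share" in s["auth"] and peer not in s["keys"]:
                findings.append(f"{tag}: no preshared key for peer {peer}")
    if s["nat0_acl"] is None:
        findings.append("no 'nat 0 access-list' exemption; tunnel traffic would be translated")
    elif s["nat0_acl"] not in s["acls"]:
        findings.append(f"nat 0 references undefined access-list {s['nat0_acl']}")
    if not s["permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec absent; decrypted traffic needs an explicit outside ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_crypto(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(finding)
```

Run it against a configuration pulled from `show run` (minus the interface and address lines the checker ignores); each finding names the crypto map entry or setting it concerns, so a typo in an access-list number or transform-set name is caught before the peer reports a failed Phase 2 negotiation.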
Example B-6 shows the complete configuration for the HQ PIX.
Example B-6 HQ PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HQ_PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
access-list dmz permit tcp any host eq smtp
access-list dmz permit tcp any host eq www
access-list dmz permit tcp any host eq ftp
access-list dmz permit tcp any host eq 514
!--- Traffic to HOU-PIX:
access-list 120 permit ip
!--- Traffic to MN-PIX:
access-list 130 permit ip
!--- Do not Network Address Translate (NAT) traffic to other PIXes:
access-list VPN permit ip
access-list VPN permit ip
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip address DMZ
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
arp timeout 14400
global (outside) 1 netmask
global (outside) 1 netmask
nat (inside) 1
!--- Do not NAT traffic to other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) netmask 0 0
static (DMZ,outside) netmask 0 0
static (DMZ,outside) netmask 0 0
static (DMZ,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group DMZ in interface DMZ
access-group acl_out in interface outside
route outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00