Configuring the Central PIX Firewall, HQ_PIX, for VPN Tunneling
 
Step 1 Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
 
Step 2 Configure a preshared key and associate it with each peer (Houston and Minneapolis):
crypto isakmp key sept1302 address 192.168.3.2
crypto isakmp key sept1302 address 192.168.2.2
Step 3 Configure the supported IPSec transforms:
crypto ipsec transform-set myset esp-des esp-md5-hmac
Step 4 Create an access list for each peer (traffic to be encrypted):
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
 
Step 5 Define a crypto map for both Houston and Minneapolis:
crypto map Dukem-Map 20 ipsec-isakmp
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 20 set transform-set myset
crypto map Dukem-Map 30 ipsec-isakmp
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.2.2
crypto map Dukem-Map 30 set transform-set myset
 
Step 6 Apply the crypto map to the outside interface:
crypto map Dukem-Map interface outside
 
Step 7 Specify that IPSec traffic is implicitly trusted (permitted), bypassing the interface access lists:
sysopt connection permit-ipsec
 
 
Step 8 Configure a NAT 0 policy so that traffic between the offices is excluded from NAT:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
nat 0 access-list VPN
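The access lists in steps 4 and 8 must describe the same traffic: if the nat 0 access list misses a subnet pair that a crypto map matches, inside traffic is translated before it is checked against the crypto access list and never enters the tunnel. The following Python check, an added example that is not part of the original text or of any Cisco tool, parses the relevant PIX lines and reports crypto-map entries that the NAT exemption does not cover; the sample configuration is constructed from this page, with the NAT-exemption access list assumed to be named VPN.

```python
import ipaddress
import re

# Constructed sample: steps 4, 5 and 8 of the HQ_PIX configuration on this page,
# reduced to the lines this check needs (the ACL name "VPN" is assumed).
HQ_PIX_CONFIG = """
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map Dukem-Map 20 match address 120
crypto map Dukem-Map 20 set peer 192.168.3.2
crypto map Dukem-Map 30 match address 130
crypto map Dukem-Map 30 set peer 192.168.2.2
"""
# PIX access lists carry real subnet masks, not IOS-style wildcard masks.
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_acls(config):
    """Map each ACL name to the set of (src_net, dst_net) pairs it permits."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls


def check_nat0_covers_crypto(config):
    """Return (crypto_map_seq, acl, src, dst) for crypto traffic the nat 0 ACL does not exempt."""
    acls = parse_acls(config)
    lines = [l.strip() for l in config.splitlines()]
    exempt = set()
    for line in lines:
        m = NAT0_RE.match(line)
        if m:
            exempt |= acls.get(m.group(1), set())
    problems = []
    for line in lines:
        m = MATCH_RE.match(line)
        if not m:
            continue
        seq, acl = int(m.group(1)), m.group(2)
        for src, dst in sorted(acls.get(acl, set()), key=str):
            # A broader nat 0 entry that contains the crypto subnets also counts as exempt.
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                problems.append((seq, acl, str(src), str(dst)))
    return problems
```

An empty result means the crypto access lists and the NAT exemption agree, as they do for HQ_PIX; dropping the second VPN entry would flag crypto map sequence 30.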
Example B-6 shows the complete configuration for the HQ PIX.
Example B-6 HQ PIX Firewall Configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HQ_PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
 
access-list dmz permit tcp any host 192.168.1.4 eq smtp
access-list dmz permit tcp any host 192.168.1.5 eq www
access-list dmz permit tcp any host 192.168.1.6 eq ftp
access-list dmz permit tcp any host 192.168.1.8 eq 514
!--- Traffic to HOU-PIX:
access-list 120 permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
!--- Traffic to MN-PIX:
access-list 130 permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- Do not Network Address Translate (NAT) traffic to the other PIXes:
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.30.10.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0
ip address DMZ 172.16.31.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
global (outside) 1 192.168.1.12-192.168.1.250 netmask 255.255.255.0
global (outside) 1 192.168.1.252 netmask 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
!--- Do not NAT traffic to the other PIXes:
nat (inside) 0 access-list VPN
static (DMZ,outside) 192.168.1.4 172.16.31.4 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.5 172.16.31.5 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.6 172.16.31.6 netmask 255.255.255.255 0 0
static (DMZ,outside) 192.168.1.8 172.16.31.7 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.1.7 10.10.10.7 netmask 255.255.255.255 0 0
access-group DMZ in interface DMZ
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00