slandsaw

asked on

Cisco PIX 506E - How To: Configure New IPsec Tunnel via CLI

Hey folks,

I am brand new to Cisco and have no clue as to what I'm doing, but I really want to learn this. I apologize for my incorrect use of terminology in advance.

OBJECTIVE: My company has a Cisco PIX 506E and we need to set up an IPsec VPN Tunnel to one of our clients. It will be used to connect to them for remote access and support.

CONSIDERATIONS: I think the 506E will support 5 tunnels, currently there are 3 other tunnels that were setup by other people. I DO NOT want to break those! I also do not have the PDM, so this will have to be accomplished through the CLI.

QUESTION(S):
1.) How do I determine if I have the available resources on the PIX to add another tunnel?
2.) How can I ensure that I will not break the other (3)?
3.) What information do I need to from the remote client side? Their public IP, internal IP, and pre-shared key?
4.) What do I need to have from my side?
5.) Is there a step-by-step CLI guide that will walk me through the process of creating this new tunnel?

Thanks so much for your help!!!
pegla12

Read this>  http://www.infosecwriters.com/text_resources/pdf/PIX-IPSec.pdf
I hope this will be enough.
What you need from the other side is their public IP peer address and the set of addresses of the computers included in the site-to-site VPN, which you will put in the access list. You should exchange information with the person who is working on the VPN on the partner side and agree with him on what the parameters for the SA (security association) and the crypto ipsec transform-set (what type of encryption) will be, and in the end exchange the pre-shared key with that person.
This is an example of how it should be:

access-list outside remark "your remark"
access-list outside line 1 permit ip xxx.xxx.xxx.xxx 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside line 2 permit ip xxx.xxx.xxx.xxx 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside line 3 permit ip xxx.xxx.xxx.xxx 255.255.255.0 host xxx.xxx.xxx.xxx

access-list vpn3 line 1 remark "your remark"
access-list vpn3 line 2 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ftp
access-list vpn3 line 3 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq 3389
access-list vpn3 line 4 permit tcp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq ssh

crypto ipsec transform-set set3 esp-3des esp-md5-hmac

crypto map yourmap 40 ipsec-isakmp
crypto map yourmap 40 match address vpn3
crypto map yourmap 40 set peer xxx.xxx.xxx.xxx
crypto map yourmap 40 set transform-set set3
crypto map yourmap 40 set security-association lifetime seconds 3600 kilobytes 2560

isakmp enable outside

isakmp key xxxxxxxxxx address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
You should fill the blanks (xxxx) with your data. The first access-list is just to permit your PCs out; the second access-list is important because on the other side there should be an exactly matching list. If not, the VPN tunnel will not work.
The number behind crypto map yourmap is used for debugging, and you can put whatever number you want except those already used by your other 3 crypto maps.
Hope this will help you.
Regards.
One more thing: in access list vpn3 I've put some examples of permitted traffic; you should change that to the traffic you want to permit.
slandsaw (ASKER)

Awesome document, thank you! What about the other items or are they a concern?

1.) How do I determine if I have the available resources on the PIX to add another tunnel? (i.e. enough available "tunnels")
2.) How can I ensure that I will not break the other (3)?

CLARIFICATION:
1.) I'm assuming I can replace "vpn3" and "yourmap" with different text?

REMOTE ACCESS USE:
 - We will be connecting to (2) servers on their side, preferably through VNC or RDP, and then remoting out to the various workstations from there, preferably with VNC or Dameware.

Our client has supplied the following info:

[Phase 1] 
xxx.xxx.xxx.xxx (MY PUBLIC IP) = ISAKMP-PEER-MYCOMPANY

[ISAKMP-peer-MYCOMPANY] 
Phase=                  1 
Transport=              udp 
Address=                xxx.xxx.xxx.xxx (MY PUBLIC IP)
ID=                     VPN-ID 
Configuration=          Main-Mode-3DES-SHA-GRP2 
Authentication=         CLIENTSUPPLIEDKEY

[IPsec-THEIRCOMPANY-MYCOMPANY] 
Phase=                  2 
ISAKMP-peer=            ISAKMP-peer-MYCOMPANY
Configuration=          Quick-Mode-ESP-3DES-SHA-PFS-GRP2 
Local-ID=               NET-THEIRCOMPANY 
Remote-ID=              NET-MYCOMPANY

[Net-MYCOMPANY] 
ID-type=                IPV4_ADDR_SUBNET 
Network=                xxx.xxx.xxx.xxx
Netmask=                xxx.xxx.xxx.xxx


Depending on the software version of your PIX: in 6.1 and 6.2 the relevant limit is 5 VPN tunnels. In 6.3 the limit became 10. So you don't have to worry about that.
And yes, you can replace vpn3 and yourmap with the names you prefer. And if you don't reboot your PIX or delete its configuration, you will not break the other tunnels.
The port for VNC by default is tcp 5900, RDP is tcp 3389, and Dameware is, I think, tcp 6129.
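Added example (not pegla12's config and not from the thread): a PIX 6.x CLI session that first runs the read-only checks behind questions 1 and 2 (licence limit, which crypto map name and sequence numbers are already taken, which peers are currently up), then turns the client's parameter sheet above (Main-Mode-3DES-SHA-GRP2, Quick-Mode-ESP-3DES-SHA-PFS-GRP2, NET-MYCOMPANY <-> NET-THEIRCOMPANY) into a new entry in the existing crypto map. Assumptions: the existing map is called yourmap, sequence number 50 and ISAKMP policy 50 are unused, "nonat" is the name of the NAT-0 access list, and the addresses (198.51.100.10 as the client's peer, 10.20.0.0/24 as Net-MYCOMPANY, 172.16.50.0/24 as NET-THEIRCOMPANY) are constructed documentation addresses. The "!" lines are comments for the reader and are not typed in.

```cisco
! ---- Step 1: read-only checks before changing anything (enable mode) ----
! Licence block shows whether 3DES is enabled and the VPN peer limit pegla12 mentions
show version
! Existing map name and sequence numbers: the new entry must NOT reuse any of them
show crypto map
! Existing phase-1 policies and their priority numbers: pick a free one below
show isakmp policy
! Which of the 3 existing peers are up right now, so you can compare afterwards
show isakmp sa
! Full running config: keep a copy before editing
write terminal

configure terminal

! ---- Step 2: phase 1, matching "Main-Mode-3DES-SHA-GRP2" on the client's sheet ----
! Policy 50 is assumed free (check the output of "show isakmp policy" above)
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
! Pre-shared key is the value the client supplied under "Authentication="
isakmp key CLIENTSUPPLIEDKEY address 198.51.100.10 netmask 255.255.255.255 no-xauth no-config-mode

! ---- Step 3: interesting traffic = Net-MYCOMPANY <-> NET-THEIRCOMPANY ----
! The client's side must hold the mirror image of this list (their net -> your net)
access-list vpn4 permit ip 10.20.0.0 255.255.255.0 172.16.50.0 255.255.255.0

! Exempt tunnel traffic from NAT so packets leave with their real inside address.
! "nonat" is an assumed name: if "show running-config" already shows a
! "nat (inside) 0 access-list <name>" line, append to THAT list instead of
! issuing a new nat 0 command, which would replace the existing exemption.
access-list nonat permit ip 10.20.0.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list nonat

! ---- Step 4: phase 2, matching "Quick-Mode-ESP-3DES-SHA-PFS-GRP2" ----
crypto ipsec transform-set set4 esp-3des esp-sha-hmac
! New entry in the EXISTING map name. Do not create a second map name: only one
! crypto map can be bound to an interface, and binding a new name would replace
! the map that carries the 3 working tunnels.
crypto map yourmap 50 ipsec-isakmp
crypto map yourmap 50 match address vpn4
crypto map yourmap 50 set peer 198.51.100.10
crypto map yourmap 50 set pfs group2
crypto map yourmap 50 set transform-set set4
crypto map yourmap 50 set security-association lifetime seconds 3600
! Both lines are already present if the other tunnels work; repeating them is harmless
crypto map yourmap interface outside
sysopt connection permit-ipsec
exit

! ---- Step 5: verify (from a host in 10.20.0.0/24, send traffic to 172.16.50.0/24 first) ----
show isakmp sa
show crypto ipsec sa
! The 3 original peers should still be listed; only then save
write memory
```

The two lines to be most careful with are "crypto map yourmap interface outside" and "nat (inside) 0 access-list nonat": each interface takes exactly one crypto map and exactly one NAT-0 list, so both commands must name the map and list that are already in the running config, otherwise the existing tunnels lose their binding or their NAT exemption.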

ASKER CERTIFIED SOLUTION
pegla12