How to configure IPsec Tunnel

How to Create IPsec Tunnel between FW1 (PIX) and FW2 (PIX)

1 - R1 is connected to PIX (FW1)

2 - R1 routes are pointed towards FW1
    ip route 0.0.0.0 0.0.0.0 1.1.1.2

3 - On R1, routes of 1.1.1.0 and 4.4.4.0 should be allowed through the IPsec tunnel.

4 - Routes of 3.3.3.0 should not be allowed through the IPsec tunnel.

##################################################################

Experts, please point me in the right direction on how to achieve this.
[Attached image: How-to-Create-Ipsec-Tunnel.jpg]
pawanopensource Asked:
602650528 Commented:
Hi,
You need 4 steps to configure IPsec, namely:

1. Configure IKE for Preshared Keys
2. Configure IPSec
3. Configure Network Address Translation (NAT)
4. Configure PIX System Options

This link is a perfect example of what you want to achieve. Go through it and let me know if you need any clarification.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

cheers
0
 
DanJ Commented:
The requirement is to set up a tunnel between F1 and F2 and the traffic sourced from 1.1.1.0/24 and 4.4.4.0/24 to be encrypted.
The way this works is to define an ACL for the interesting traffic on each firewall. This would select the traffic to be encrypted over the tunnel. All the traffic that is not matched in the ACL is not encrypted. You also need to define what the target IPs for the traffic are.
Assuming the subnet behind F2 is x.x.x.0/24 and you want to encrypt traffic between this subnet and 1.1.1.0 and 4.4.4.0:

on F1 the ACL would look like this
access-list FW_ACL extended permit ip 1.1.1.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list FW_ACL extended permit ip 4.4.4.0 255.255.255.0 x.x.x.0 255.255.255.0

on F2 the ACL would look like this
access-list FW_ACL extended permit ip x.x.x.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list FW_ACL extended permit ip x.x.x.0 255.255.255.0 4.4.4.0 255.255.255.0
0
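As an added example (not part of the thread, and not Cisco's own tooling), a small Python check of the crypto ACL logic described in the answer above: it parses PIX-style permit lines, reports which flows are "interesting" (sent through the tunnel) and which go in the clear, and verifies that FW2's ACL is the exact mirror of FW1's, since mismatched proxy identities are a common cause of phase 2 failures. The remote subnet 5.5.5.0/24 is a constructed stand-in for x.x.x.0/24.

```python
import ipaddress

# Constructed sample crypto ACLs in the format used in the answer above
# ("access-list NAME extended permit ip SRC MASK DST MASK").
# 5.5.5.0/24 is an assumed placeholder for the subnet behind FW2 (x.x.x.0).
FW1_ACL = """
access-list FW_ACL extended permit ip 1.1.1.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list FW_ACL extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
"""
FW2_ACL = """
access-list FW_ACL extended permit ip 5.5.5.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list FW_ACL extended permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0
"""

def parse_acl(text):
    """Return a list of (src_net, dst_net) pairs from 'extended permit ip' lines.
    Lines in any other form are ignored; masks are given in dotted notation."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[0] != "access-list" or parts[2:5] != ["extended", "permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}")
        dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}")
        entries.append((src, dst))
    return entries

def is_interesting(acl, src_ip, dst_ip):
    """True if a src->dst flow matches the crypto ACL, i.e. it is encrypted over the tunnel.
    Anything that does not match (e.g. 3.3.3.0/24 here) is forwarded in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)

def mirror_mismatches(local_acl, remote_acl):
    """Entries present on one peer whose mirror (src/dst swapped) is missing on the other.
    An empty list means the two crypto ACLs are exact mirrors, as they must be."""
    local = set(local_acl)
    remote_mirrored = {(dst, src) for src, dst in remote_acl}
    return sorted(local ^ remote_mirrored, key=str)

if __name__ == "__main__":
    fw1, fw2 = parse_acl(FW1_ACL), parse_acl(FW2_ACL)
    for src in ("1.1.1.1", "4.4.4.4", "3.3.3.3"):
        state = "encrypted" if is_interesting(fw1, src, "5.5.5.10") else "clear"
        print(f"{src} -> 5.5.5.10: {state}")
    print("mirror mismatches:", mirror_mismatches(fw1, fw2))
```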
 
pawanopensource Author Commented:
I have configured R1, FW1, FW2. The problem I am facing:

From R1 I can't ping 2.2.2.1 (FW1) e1

From FW2 I can't ping 1.1.1.2 (FW1) e0

Below is the config I have done on R1, FW1, FW2

###################################################################



R1#interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/1
 ip address 3.3.3.3 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/2
 ip address 4.4.4.4 255.255.255.0
 half-duplex
!
R1#ip route 0.0.0.0 0.0.0.0 1.1.1.2



##############################################################


FW1#interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
FW1#interface Ethernet1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0


FW1#route outside 0.0.0.0 0.0.0.0 1.1.1.1 1


#######################################################################


FW2#interface Ethernet0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0

FW2#route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

##########################################################################

thanks
0
 
602650528 Commented:
I think you got it all mixed together and you obviously didn't read the link I sent you. You have configured interface e0 of FW2 as the outside interface but you are connecting it to interface e1 of FW1, which you have incorrectly configured as the inside interface. The correct thing you need to do is:

FW1 E0 is inside interface and security level should be 0
FW1 E1 is outside interface and security level should be 100
FW2 E0 is outside interface and security level should be 100

Also spare just 5 minutes to read the link I sent you, for your own education. It is easy to copy and paste what we type here and it works, but you haven't learnt anything.
0
 
pawanopensource Author Commented:
OK, done changes according to you. R1 is able to ping the inside interface, i.e. E0 of FW1, but R1 is not able to ping the outside interface (E1) of FW1.

0
 
pawanopensource Author Commented:
My dear friend, from googling I came to know that by default the PIX's outside interface never replies to ping. I think we have to allow ICMP for the outside interface through an ACL on FW1.
0
 
602650528 Commented:
Yes, ICMP is not allowed by default. Only TCP is allowed by default. As you said, you need to permit the ICMP protocol.
0
Question has a verified solution.