How to configure Ipsec Tunnel

Posted on 2011-04-28
558 Views
Last Modified: 2012-05-11



      
How to create an IPsec tunnel between FW1 (PIX) and FW2 (PIX)

1 - R1 is connected to PIX (FW1)

2 - R1 routes are pointed towards FW1
    ip route 0.0.0.0 0.0.0.0 1.1.1.2

3 - On R1, routes of 1.1.1.0 and 4.4.4.0 should be allowed through the IPsec tunnel.

4 - Routes of 3.3.3.0 should not be allowed through the IPsec tunnel.

##################################################################

Experts, please point me in the right direction on how to achieve this.
How-to-Create-Ipsec-Tunnel.jpg
Question by:pawanopensource
8 Comments
 
LVL 6

Accepted Solution

by:
602650528 earned 1000 total points
ID: 35482831
Hi,
You need 4 steps to configure IPsec, namely:

1. Configure IKE for Preshared Keys
2. Configure IPSec
3. Configure Network Address Translation (NAT)
4. Configure PIX System Options

This link is a perfect example of what you want to achieve. Go through it and let me know if you need any clarification.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

cheers
 
LVL 6

Expert Comment

by:602650528
ID: 35482852
 
LVL 9

Assisted Solution

by:DanJ
DanJ earned 1000 total points
ID: 35482894
The requirement is to set up a tunnel between F1 and F2, with the traffic sourced from 1.1.1.0/24 and 4.4.4.0/24 to be encrypted.
The way this works is to define an ACL for the interesting traffic on each firewall. This selects the traffic to be encrypted over the tunnel. All the traffic that is not matched in the ACL is not encrypted. You also need to define the target IPs for the traffic.
Assuming the subnet behind F2 is x.x.x.0/24 and you want to encrypt traffic between this subnet and 1.1.1.0 and 4.4.4.0:

On F1 the ACL would look like this (PIX 7.x syntax; the ACL name comes before the extended keyword):
access-list FW_ACL extended permit ip 1.1.1.0 255.255.255.0 x.x.x.0 255.255.255.0
access-list FW_ACL extended permit ip 4.4.4.0 255.255.255.0 x.x.x.0 255.255.255.0

On F2 the ACL would look like this:
access-list FW_ACL extended permit ip x.x.x.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list FW_ACL extended permit ip x.x.x.0 255.255.255.0 4.4.4.0 255.255.255.0
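The point of the answer above is that the two crypto ACLs must be exact mirrors of each other and that anything they do not match is sent in the clear. The following script is an added example (not code from the thread or from Cisco) that parses ACL lines in the form shown above, checks that the peer's ACL mirrors the local one, and classifies a given flow as encrypted or not. The subnet behind F2 is unknown on the page (x.x.x.0), so 5.5.5.0/24 is a constructed stand-in; the ACL name FW_ACL and the host addresses used in the sample are taken from the thread.

```python
"""Mirror-check for IPsec crypto ACLs ("interesting traffic") on two PIX peers.

Added example, not code from the original thread. It models the rule the
answer describes: each PIX has an extended ACL that selects the traffic to
encrypt, the peer's ACL must be the exact mirror (source and destination
swapped), and anything the ACL does not match leaves the firewall unencrypted.
The subnet behind F2 is unknown on the page (x.x.x.0); 5.5.5.0/24 is a
constructed stand-in.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(text):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' lines.

    Only the permit-ip form used for crypto ACLs is accepted; anything else
    raises, so a typo is not silently treated as 'not interesting'.
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if (len(parts) != 9 or parts[0] != "access-list"
                or parts[2:5] != ["extended", "permit", "ip"]):
            raise ValueError(f"unsupported ACL line: {line!r}")
        src = ipaddress.IPv4Network(f"{parts[5]}/{parts[6]}")
        dst = ipaddress.IPv4Network(f"{parts[7]}/{parts[8]}")
        entries.append(AclEntry(src, dst))
    return entries


def mirror_mismatches(local, peer):
    """Compare the peer's ACL against the mirror of the local one.

    Returns (missing_on_peer, extra_on_peer). Both empty means the two crypto
    ACLs are symmetric; an asymmetric pair is the usual cause of a phase 2
    proposal mismatch for the affected subnets.
    """
    expected = {AclEntry(e.dst, e.src) for e in local}
    actual = set(peer)
    return expected - actual, actual - expected


def is_encrypted(entries, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches the crypto ACL (goes into the tunnel)."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    return any(src in e.src and dst in e.dst for e in entries)


# Constructed sample ACLs following the pattern in the answer above.
F1_ACL = parse_acl("""
access-list FW_ACL extended permit ip 1.1.1.0 255.255.255.0 5.5.5.0 255.255.255.0
access-list FW_ACL extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0
""")

F2_ACL = parse_acl("""
access-list FW_ACL extended permit ip 5.5.5.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list FW_ACL extended permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0
""")

# A typical mistake: the 4.4.4.0 line forgotten on F2. Traffic from 1.1.1.0
# still works, while the 4.4.4.0 pair never builds a security association.
F2_ACL_BROKEN = parse_acl("""
access-list FW_ACL extended permit ip 5.5.5.0 255.255.255.0 1.1.1.0 255.255.255.0
""")


if __name__ == "__main__":
    print("F1/F2 mismatches:", mirror_mismatches(F1_ACL, F2_ACL))
    print("F1/F2(broken) mismatches:", mirror_mismatches(F1_ACL, F2_ACL_BROKEN))
    # 3.3.3.3 is R1's third subnet, which the question says must stay out of the tunnel.
    for src in ("1.1.1.1", "4.4.4.4", "3.3.3.3"):
        print(src, "-> 5.5.5.10 encrypted:", is_encrypted(F1_ACL, src, "5.5.5.10"))
```

Run it as a script to see the mirror check pass for the symmetric pair, report the missing 4.4.4.0 entry for the broken one, and show 3.3.3.0 traffic classified as not encrypted, which is exactly what requirement 4 in the question asks for.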

 

Author Comment

by:pawanopensource
ID: 35489101
I have configured R1, FW1, FW2. The problem which I am facing:

From R1 I can't ping 2.2.2.1 (FW1) e1

From FW2 I can't ping 1.1.1.2 (FW1) e0

Below is the config which I have done in R1, FW1, FW2

###################################################################



R1#interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/1
 ip address 3.3.3.3 255.255.255.0
 half-duplex
!
R1#interface Ethernet0/2
 ip address 4.4.4.4 255.255.255.0
 half-duplex
!
R1#ip route 0.0.0.0 0.0.0.0 1.1.1.2



##############################################################


FW1#interface Ethernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
FW1#interface Ethernet1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0


FW1#route outside 0.0.0.0 0.0.0.0 1.1.1.1 1


#######################################################################


FW2#interface Ethernet0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0

FW2#route outside 0.0.0.0 0.0.0.0 2.2.2.1 1

##########################################################################

thanks
 
LVL 6

Expert Comment

by:602650528
ID: 35489428
I think you got it all mixed together and you obviously didn't read the link I sent you. You have configured interface e0 of FW2 as the outside interface but you are connecting it to interface e1 of FW1, which you have incorrectly configured as the inside interface. The correct thing you need to do is:

FW1 E0 is the inside interface and the security level should be 0
FW1 E1 is the outside interface and the security level should be 100
FW2 E0 is the outside interface and the security level should be 100

Also spare just 5 minutes to read the link I sent you for your own education. It is easy to copy and paste what we type here and it works, but you haven't learnt anything.
 

Author Comment

by:pawanopensource
ID: 35489615
OK, done the changes according to you. R1 is able to ping the inside interface, i.e. E0 of FW1, but R1 is not able to ping the outside interface (E1) of FW1.

 

Author Comment

by:pawanopensource
ID: 35489623
My dear friend, from Googling I came to know that by default the PIX's outside interface never replies to ping; I think we have to allow ICMP for the outside interface through an ACL in FW1.
 
LVL 6

Expert Comment

by:602650528
ID: 35489874
Yes, ICMP is not allowed by default. Only TCP is allowed by default. As you said, you need to permit the ICMP protocol.
