
PIX

Most of the configurations come from this great guide:

How to configure Site to Site VPN

  1. Define a host name:
    Code Block
    hostname NewYork
  2. Configure an ISAKMP policy:
    Code Block
    isakmp enable outside
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encrypt 3des
  3. Configure a pre-shared key and associate with the peer:
    Code Block
    crypto isakmp key cisco1234 address 209.165.200.229
  4. Configure the supported IPSec transforms:
    Code Block
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
  5. Create an access list:
    Code Block
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
    This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.
    Note: Steps 5 and 6 are not required if you want to enable NAT for all traffic.
  6. Exclude traffic between the intranets from NAT:
    Code Block
    nat 0 access-list 90
    This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.
  7. Enable NAT for all other traffic:
    Code Block
    nat (inside) 1 0 0
  8. Assign a pool of global addresses for NAT and PAT:
    Code Block
    global (outside) 1 209.165.201.9-209.165.201.30
    global (outside) 1 209.165.201.8
    The pool of registered addresses is only used for connections to the public Internet.
  9. Define a crypto map:
    Code Block
    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229
  10. Apply the crypto map to the outside interface:
    Code Block
    crypto map toSanJose interface outside
  11. Specify that IPSec traffic be implicitly trusted (permitted):
    Code Block
    sysopt connection permit-ipsec
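The eleven steps above only work as a tunnel when their cross-references line up: the crypto map must point at an ACL and transform set that exist, the peer it names must have a pre-shared key, the map must be applied to an interface on which ISAKMP is enabled, and the crypto ACL must also be the one exempted from NAT in step 6, or the interesting traffic is translated before it reaches the tunnel and never matches. The checker below is an added example, not code from the wiki page or from Cisco's guide; it assumes the configuration has been saved one command per line (the constructed sample embeds exactly the commands from the steps above) and reports any of those cross-references that are broken, plus any legacy algorithm (DES, 3DES, MD5) in the ISAKMP policy or transform set.

```python
from collections import defaultdict

# Constructed sample: the PIX commands from steps 1-11, one per line.
SAMPLE_CONFIG = """
hostname NewYork
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key cisco1234 address 209.165.200.229
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
nat (inside) 1 0 0
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 209.165.201.8
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose interface outside
sysopt connection permit-ipsec
"""

# Algorithms a defender should flag as legacy when reviewing a tunnel.
LEGACY_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_config(text):
    """Collect the objects the VPN cross-checks need into a plain dict."""
    cfg = {"acls": set(), "nat0_acls": set(), "transform_sets": {},
           "psk_peers": set(), "isakmp_ifaces": set(),
           "policies": defaultdict(dict), "maps": defaultdict(dict),
           "map_ifaces": {}, "sysopt_permit_ipsec": False}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 2:
            continue
        if t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:3] == ["nat", "0", "access-list"]:
            cfg["nat0_acls"].add(t[3])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["psk_peers"].add(t[5])          # ... key <key> address <ip>
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_ifaces"].add(t[2])
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policies"][t[2]][t[3]] = t[4]  # policy <n> <attr> <value>
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_ifaces"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry, rest = cfg["maps"][(t[2], t[3])], t[4:]
            if rest == ["ipsec-isakmp"]:
                entry["type"] = "ipsec-isakmp"
            elif rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt_permit_ipsec"] = True
    return cfg


def check_vpn(cfg):
    """Return a list of findings; an empty list means every cross-reference holds."""
    findings = []
    for (name, seq), e in sorted(cfg["maps"].items()):
        where = f"crypto map {name} {seq}"
        if e.get("type") != "ipsec-isakmp":
            findings.append(f"{where}: not declared ipsec-isakmp")
        acl = e.get("acl")
        if acl is None:
            findings.append(f"{where}: no 'match address' ACL")
        elif acl not in cfg["acls"]:
            findings.append(f"{where}: ACL {acl} does not exist")
        elif acl not in cfg["nat0_acls"]:
            findings.append(f"{where}: ACL {acl} is not exempted from NAT (nat 0 access-list {acl})")
        ts = e.get("transform_set")
        if ts not in cfg["transform_sets"]:
            findings.append(f"{where}: transform set {ts} is not defined")
        else:
            weak = sorted(a for a in cfg["transform_sets"][ts] if a in LEGACY_ALGS)
            if weak:
                findings.append(f"{where}: transform set {ts} uses legacy {', '.join(weak)}")
        peer = e.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer set")
        elif peer not in cfg["psk_peers"]:
            findings.append(f"{where}: no pre-shared key for peer {peer}")
        iface = cfg["map_ifaces"].get(name)
        if iface is None:
            findings.append(f"crypto map {name}: not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            findings.append(f"crypto map {name}: ISAKMP not enabled on interface {iface}")
    if not any("authentication" in p for p in cfg["policies"].values()):
        findings.append("no isakmp policy defines an authentication method")
    for n, p in sorted(cfg["policies"].items()):
        if p.get("encrypt") in LEGACY_ALGS:
            findings.append(f"isakmp policy {n}: legacy encryption {p['encrypt']}")
    if not cfg["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic needs interface ACL entries")
    return findings


if __name__ == "__main__":
    for finding in check_vpn(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the sample as written, the only findings are the two legacy-algorithm notes (3DES in the ISAKMP policy and esp-3des in the transform set); delete the nat 0 line from the sample and the checker reports that ACL 90 is no longer exempted from NAT, which is the silent failure behind most "tunnel is up but no traffic passes" cases for this design.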

...

On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

ASA

How to configure VPN

Troubleshooting

Debug ISAKMP SA negotiations:
Code Block
debug crypto isakmp sa <debug level>

Password Recovery

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

...

Code Block
hostname(config)# copy running-config startup-config

Troubleshooting

Pinging Through the Security Appliance

After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.

...