Table of Contents
| Table of Contents |
|---|
PIX
Most of the configurations come from this great guide:
...
How to configure Site to Site VPN
Define a host name:
Code Block hostname NewYork
Configure an ISAKMP policy:
Code Block isakmp enable outside isakmp policy 9 authentication pre-share isakmp policy 9 encrypt 3des
Configure a pre-shared key and associate with the peer:
Code Block crypto isakmp key cisco1234 address 209.165.200.229
Configure the supported IPSec transforms:
Code Block crypto ipsec transform-set strong esp-3des esp-sha-hmac
Create an access list:
Code Block access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.
Note Steps 5 and 6 are not required if you want to enable NAT for all traffic.Exclude traffic between the intranets from NAT:
Code Block nat 0 access-list 90
This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.
Enable NAT for all other traffic:
Code Block nat (inside) 1 0 0
Assign a pool of global addresses for NAT and PAT:
Code Block global (outside) 1 209.165.201.9-209.165.201.30 global (outside) 1 209.165.201.8The pool of registered addresses are only used for connections to the public Internet.
Define a crypto map:c
Code Block ryptocrypto map toSanJose 20 ipsec-isakmp crypto map toSanJose 20 match address 90 crypto map toSanJose 20 set transform-set strong crypto map toSanJose 20 set peer 209.165.200.229
Apply the crypto map to the outside interface:
Code Block crypto map toSanJose interface outside
Specify that IPSec traffic be implicitly trusted (permitted):
Code Block sysopt connection permit-ipsec
Password Recovery
Performing password recovery on the security appliance erases the login password, enable password, and aaa authentication console commands. To erase these commands so you can log in with the default passwords, perform the following steps:
Step 1 Download the PIX password tool from Cisco.com to a TFTP server accessible from the security appliance. See the link in the "Password Recovery Procedure for the PIX" document at the following URL:
Step 2 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.
Step 3 Power off the security appliance, and then power it on.
...
| Code Block | ||
|---|---|---|
| ||
------------------------------------------------------------------------------- The following example shows the PIX password recovery with the TFTP server on the outside interface: monitor> interface 0 0: i8255X @ PCI(bus:0 dev:13 irq:10) 1: i8255X @ PCI(bus:0 dev:14 irq:7 ) Using 0: i82559 @ PCI(bus:0 dev:13 irq:10), MAC: 0050.54ff.82b9 monitor> address 10.21.1.99 address 10.21.1.99 monitor> server 172.18.125.3 server 172.18.125.3 monitor> file np70.bin file np52.bin monitor> gateway 10.21.1.1 gateway 10.21.1.1 monitor> ping 172.18.125.3 Sending 5, 100-byte 0xf8d3 ICMP Echoes to 172.18.125.3, timeout is 4 seconds: !!!!! Success rate is 100 percent (5/5) monitor> tftp tftp np52.bin@172.18.125.3 via 10.21.1.1................................... Received 73728 bytes Cisco PIX password tool (4.0) #0: Tue Aug 22 23:22:19 PDT 2005 Flash=i28F640J5 @ 0x300 BIOS Flash=AT29C257 @ 0xd8000 Do you wish to erase the passwords? [yn] y Passwords have been erased. Rebooting.... |
Disabling Password Recovery
You might want to disable password recovery to ensure that unauthorized users cannot use the password recovery mechanism to compromise the security appliance. To disable password recovery, enter the following command:
...
On the PIX 500 series security appliance, the no service password-recovery command forces the PIX password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.
ASA
How to configure VPN
Troubleshooting
Debugs ISAKMP SA negotiations:debug crypto isakmp sa <debug level>
Password Recovery
Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance
To recover from the loss of passwords, perform the following steps:
--------------------------------------------------------------------------------
Step 1 Connect to the security appliance console port according to the "Accessing the Command-Line Interface" section on page 2-1.
Step 2 Power off the security appliance, and then power it on.
Step 3 During the startup messages, press the Escape key when prompted to enter ROMMON.
Step 4 To set the security appliance to ignore the startup configuration at reload, enter the following command:
| Code Block | ||
|---|---|---|
| ||
rommon #1> confreg
The security appliance displays the current configuration register value, and asks if you want to change the value:
Current Configuration Register: 0x00000011
Configuration Summary:
boot TFTP image, boot default image from Flash on netboot failure
Do you wish to change this configuration? y/n [n]:
Step 5 Record your current configuration register value, so you can restore it later. |
Step 6 At the prompt, enter Y to change the value.
The security appliance prompts you for new values.
Step 7 Accept the default values for all settings, except for the "disable system configuration?" value; at that prompt, enter Y.
Step 8 Reload the security appliance by entering the following command:
| Code Block |
|---|
rommon #2> boot
The security appliance loads a default configuration instead of the startup configuration. |
Step 9 Enter privileged EXEC mode by entering the following command:
| Code Block |
|---|
hostname> enable |
Step 10 When prompted for the password, press Return.
The password is blank.
Step 11 Load the startup configuration by entering the following command:
| Code Block |
|---|
hostname# copy startup-config running-config |
Step 12 Enter global configuration mode by entering the following command:
| Code Block |
|---|
hostname# configure terminal |
Step 13 Change the passwords in the configuration by entering the following commands, as necessary:
| Code Block |
|---|
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password |
Step 14 Change the configuration register to load the startup configuration at the next reload by entering the following command:
| Code Block |
|---|
hostname(config)# config-register value
Where value is the configuration register value you noted in Step 5. 0x1 is the default configuration register. For more information about the configuration register, see the Cisco Security Appliance Command Reference. |
Step 15 Save the new passwords to the startup configuration by entering the following command:
...
Troubleshooting
Pinging Through the Security Appliance
After you successfully ping the security appliance interfaces, you should make sure traffic can pass successfully through the security appliance. For routed mode, this test shows that NAT is working correctly, if configured. For transparent mode, which does not use NAT, this test confirms that the security appliance is operating correctly; if the ping fails in transparent mode, contact Cisco TAC.
...