© 2000, Cisco Systems, Inc. CSPFF Chapter 11 VPN Configuration With the Cisco Secure PIX Firewall
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
– Identify how the PIX Firewall enables a secure VPN.
– Identify the tasks to configure PIX Firewall IPSec support.
– Identify the commands to configure PIX Firewall IPSec support.
– Configure a VPN between PIX Firewalls.
The PIX Firewall Enables a Secure VPN
PIX Firewall VPN Topologies (diagram: each topology crosses the Internet)
– PIX Firewall to PIX Firewall VPN gateway
– PIX Firewall to router VPN gateway
– VPN Client to PIX Firewall VPN via dialup
– VPN Client to PIX Firewall VPN via network
– Other vendors to PIX Firewall VPN
IPSec Enables PIX Firewall VPN Features
IPSec across the Internet provides:
– Confidentiality
– Integrity
– Authentication
– Anti-replay
What Is IPSec?
IETF standard that enables encrypted communication between peers:
– Consists of open standards for securing private communications
– Network layer encryption ensuring data confidentiality, integrity, and authentication
– Scales from small to very large networks
– Included in PIX Firewall version 5.0 and later
IPSec Standards Supported by PIX Firewall
– IPSec (IP Security Protocol): Authentication Header (AH) and Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE)
– DES and Triple DES (3DES)
– Diffie-Hellman
– MD5 (Message Digest 5) and SHA (Secure Hash Algorithm)
– RSA signatures
– Certificate Authorities
IPSec Configuration Tasks Overview
Task 1: Prepare for configuring VPN support.
Task 2: Configure IKE parameters.
Task 3: Configure IPSec parameters.
Task 4: Test and verify the VPN configuration.
Task 1: Prepare to Configure VPN Support
Task 1: Prepare to Configure VPN Support
Step 1. Determine the IKE (IKE phase 1) policy.
Step 2. Determine the IPSec (IKE phase 2) policy.
Step 3. Ensure the network works without encryption (no excuses!). A tunnel does not repair routing, translation, or reachability problems; it only hides them behind IKE debug output.
Step 4. Implicitly permit IPSec packets to bypass PIX access lists and conduits (the sysopt connection permit-ipsec command), so that traffic arriving through a tunnel is not also subjected to the conduit and access-list checks on the outside interface.
Plan for IKE
Planning includes the following steps:
– Identify IKE phase 1 policies for peers.
– Determine key distribution methods.
– Identify IPSec peer PIX Firewall IP addresses and hostnames.
Goal: minimize misconfiguration.
IKE Phase 1 Policy Parameters
Parameter               Strong          Stronger
Encryption algorithm    DES             3DES
Hash algorithm          MD5             SHA-1
Authentication method   Pre-share       RSA signature
Key exchange            D-H group 1     D-H group 2
IKE SA lifetime         (seconds)       shorter (< seconds)
The lifetime values did not survive extraction; the point of that row is that a shorter IKE SA lifetime is the stronger choice. Note that DES, MD5, and 768-bit D-H group 1 were the "strong" column in 2000 but are considered weak today, so choose the right-hand column wherever the platform and its license allow.
Determine IKE Phase 1 Policy (example for two sites, PIX1 and PIX2, connected across the Internet)
Parameter               Site 1 (PIX1)   Site 2 (PIX2)
Encryption algorithm    DES             DES
Hash algorithm          SHA             SHA
Authentication method   Pre-share       Pre-share
Key exchange            768-bit D-H     768-bit D-H
IKE SA lifetime         seconds         seconds
The lifetime values were lost in extraction. Every row must agree at both peers, because IKE only negotiates a policy that matches at both ends; the one exception is the lifetime, where the shorter of the two values is used.
Plan for IPSec
Planning includes the following:
– Select IPSec algorithms and parameters for optimal security and performance.
– Identify IPSec peer PIX details.
– Determine IP addresses and applications of hosts to be protected.
– Select manual or IKE-initiated SAs.
Goal: minimize misconfiguration.
Determine IPSec (IKE Phase 2) Policy (example for PIX1 at Site 1 and PIX2 at Site 2)
Parameter                           Site 1 (PIX1)       Site 2 (PIX2)
Transform set                       ESP-DES, tunnel     ESP-DES, tunnel
Peer PIX hostname                   PIX2                PIX1
Peer PIX IP address                 Site 2 IP           Site 1 IP
Encrypting hosts                    (lost in extraction) (lost in extraction)
Traffic (packet) type to encrypt    IP                  IP
SA establishment policy             ipsec-isakmp        ipsec-isakmp
Task 2: Configure IKE Parameters
Step 1: Enable or Disable IKE
pixfirewall(config)# isakmp enable interface-name
– Enables or disables IKE on your PIX Firewall interfaces (no isakmp enable interface-name disables it).
– IKE is enabled by default.
– Disable IKE on any PIX Firewall interface on which you are not using IPSec, so the firewall does not answer IKE (UDP port 500) on interfaces that never terminate a tunnel.
Step 2: Configure an IKE Phase 1 Policy
pixfirewall(config)# isakmp policy priority encryption des|3des
pixfirewall(config)# isakmp policy priority hash md5|sha
pixfirewall(config)# isakmp policy priority authentication pre-share|rsa-sig
pixfirewall(config)# isakmp policy priority group 1|2
pixfirewall(config)# isakmp policy priority lifetime seconds
– Creates a policy suite grouped by priority number; a lower number is a higher priority and is offered first in negotiation.
– Creates policy suites that match peers.
– Can use default values: any parameter you do not set takes the default shown by show isakmp policy.
Step 3: Configure the IKE Pre-shared Key
pixfirewall(config)# isakmp key keystring address peer-address [netmask mask]
– Pre-shared keystring must be identical at both peers.
– Use any combination of alphanumeric characters up to 128 bytes for keystring.
– Specify peer-address as a host or wildcard address. A wildcard (address 0.0.0.0 netmask 0.0.0.0) hands the same key to any peer that connects; prefer one key per peer address.
– Easy to configure, yet not scalable.
Step 4: Verify IKE Phase 1 Policies
pixfirewall# show isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               seconds, no volume limit
Displays configured and default IKE protection suites (the lifetime values were lost in extraction). Note that the default suite authenticates with RSA signatures, so a peer that offers only pre-shared keys cannot match it; a pre-shared-key VPN needs an explicitly configured policy.
Task 3: Configure IPSec Parameters
Step 1: Configure Interesting Traffic
pixfirewall(config)# access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask
– Permit = encrypt; deny = do not encrypt.
– The access list selects IP traffic by address, network, or subnet.
– The PIX evaluates the crypto access list after address translation, so when the protected host is translated the list must name the translated (outside) address, as the static and access-list pairs in the following example do.
– This list is not an interface filter: a deny here means "send in the clear", not "drop".
Example Crypto Access Lists (PIX1 at Site 1 and PIX2 at Site 2; the addresses and masks were lost in extraction and are shown as placeholders)
PIX1:
pix1(config)# show static
static (inside,outside) <pix1-global> <pix1-local> netmask <mask>
pix1(config)# show access-list
access-list 110 permit ip host <pix1-global> host <pix2-global>
PIX2:
pix2(config)# show static
static (inside,outside) <pix2-global> <pix2-local> netmask <mask>
pix2(config)# show access-list
access-list 101 permit ip host <pix2-global> host <pix1-global>
The lists are symmetrical: the source and destination of one peer's list are the destination and source of the other's. Check the list number as well as the addresses: the crypto map example for PIX 1 later in this chapter matches address 101, so the list it names must carry that number.
Step 2: Configure an IPSec Transform Set
pixfirewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
– A set is limited to one AH transform and up to two ESP transforms (one ESP cipher and one ESP authentication).
– Default mode is tunnel.
– Configure matching sets between IPSec peers.
Available IPSec Transforms
ah-md5-hmac     AH-HMAC-MD5 transform
ah-sha-hmac     AH-HMAC-SHA transform
esp-des         ESP transform using DES cipher (56 bits)
esp-3des        ESP transform using 3DES cipher (168 bits)
esp-md5-hmac    ESP transform using HMAC-MD5 auth
esp-sha-hmac    ESP transform using HMAC-SHA auth
An ESP cipher on its own gives confidentiality but no integrity; pair esp-des or esp-3des with esp-md5-hmac or esp-sha-hmac (or with an AH transform) so that modified ciphertext is rejected.
Step 3: Configure the Crypto Map
pixfirewall(config)# crypto map map-name seq-num ipsec-isakmp
pixfirewall(config)# crypto map map-name seq-num match address access-list-name
pixfirewall(config)# crypto map map-name seq-num set peer hostname | ip-address
pixfirewall(config)# crypto map map-name seq-num set transform-set transform-set-name1 [transform-set-name2 ...]
pixfirewall(config)# crypto map map-name seq-num set pfs [group1 | group2]
pixfirewall(config)# crypto map map-name seq-num set security-association lifetime seconds seconds | kilobytes kilobytes
– Specifies IPSec (IKE phase 2) parameters.
– Map names and sequence numbers group entries into a policy: one map per interface, one sequence number per peer, and transform sets listed in order of preference.
Step 4: Apply the Crypto Map to an Interface
pixfirewall(config)# crypto map map-name interface interface-name
– Applies the crypto map to an interface.
– Activates the IPSec policy; nothing is negotiated until the map is bound to the interface that faces the peer.
Example Crypto Map for PIX 1 (peer addresses and the kilobyte lifetime were lost in extraction and are shown as placeholders)
pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
        Peer = <PIX2 outside address>
        access-list 101 permit ip host <pix1-global> host <pix2-global> (hitcnt=0)
        Current peer: <PIX2 outside address>
        Security association lifetime: <kilobytes> kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix2, }
Example Crypto Map for PIX 2
pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
        Peer = <PIX1 outside address>
        access-list 101 permit ip host <pix2-global> host <pix1-global> (hitcnt=0)
        Current peer: <PIX1 outside address>
        Security association lifetime: <kilobytes> kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={ pix1, }
hitcnt=0 means no packet has matched the crypto access list yet. After sending traffic between the two protected hosts the count should rise; if it stays at zero, the list is not selecting the traffic (usually because it names the wrong side of a translation) and IKE will never be triggered.
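The complete configuration that Tasks 2 and 3 build up, for both peers, as an added worked example; it is not taken from the course slides or the lab guide. The addressing is assumed: PIX1 has outside address 192.168.1.2 and protects host 10.0.1.3, translated to 192.168.1.10; PIX2 has outside address 192.168.2.2 and protects host 10.0.2.3, translated to 192.168.2.10. The key string, map names and transform-set name are placeholders to replace. Lines beginning with a colon are comments. The example takes the "Stronger" column of the phase 1 table (3DES, SHA, group 2) and enables PFS instead of the DES/group 1 values the slides use; 3DES requires a 3DES-enabled PIX license, so on a DES-only unit substitute encryption des and esp-des (still paired with esp-sha-hmac).

```text
: ---------- PIX1 (Site 1) ----------
: assumed: outside e0 192.168.1.2, inside e1 10.0.1.1, protected host 10.0.1.3
: The crypto access list is checked after translation, so it names the
: outside (global) address of the local host, not 10.0.1.3.
static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255
access-list 101 permit ip host 192.168.1.10 host 192.168.2.10
: Task 1 step 4: traffic that arrived through an IPSec tunnel bypasses
: the outside conduits and access lists
sysopt connection permit-ipsec
: Task 2: IKE phase 1. Enable IKE only where a tunnel terminates.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: One key per peer address; never use address 0.0.0.0 (any peer)
isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 192.168.2.2 netmask 255.255.255.255
: Task 3: IPSec phase 2. ESP with a cipher AND an HMAC; tunnel mode is the default.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.2
crypto map peer2 10 set transform-set strong
crypto map peer2 10 set pfs group2
crypto map peer2 10 set security-association lifetime seconds 3600
crypto map peer2 interface outside

: ---------- PIX2 (Site 2): mirror image of PIX1 ----------
: assumed: outside e0 192.168.2.2, inside e1 10.0.2.1, protected host 10.0.2.3
static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255
access-list 101 permit ip host 192.168.2.10 host 192.168.1.10
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 192.168.1.2 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.2
crypto map peer1 10 set transform-set strong
crypto map peer1 10 set pfs group2
crypto map peer1 10 set security-association lifetime seconds 3600
crypto map peer1 interface outside

: ---------- Task 4, on either PIX, after sending traffic between the two hosts ----------
show access-list
show isakmp sa
show crypto ipsec sa
```

Send a ping or an HTTP request from 10.0.1.3 to 192.168.2.10 (the translated address of the far host) and then run the three show commands: the hitcnt on access-list 101 must have increased, show isakmp sa should list the peer in state QM_IDLE, and the packet counters in show crypto ipsec sa should climb on both sides. If hitcnt stays at zero, the problem is translation or the access list, not IKE; if hitcnt rises but no ISAKMP SA appears, debug crypto isakmp on both peers will show which phase 1 parameter or key does not match.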
Task 4: Test and Verify VPN Configuration
Task 4: Test and Verify VPN Configuration
– Verify that the access list selects interesting traffic: show access-list
– Verify correct IKE configuration: show isakmp, show isakmp policy
– Verify correct IPSec configuration: show crypto ipsec transform-set
– Verify correct crypto map configuration: show crypto map
– Verify the SAs that were actually negotiated: show isakmp sa, show crypto ipsec sa
– Clear IPSec SAs: clear crypto sa
– Clear IKE SAs: clear isakmp
– Debug IKE and IPSec traffic through the PIX Firewall: debug crypto ipsec, debug crypto isakmp
Be careful with clear on the PIX: applied to a configuration keyword (clear crypto map, clear isakmp policy) it removes the configuration, so confirm in the command reference for your version that the form you type targets the security associations rather than the commands before using it on a production firewall.
Scale PIX Firewall VPNs
CA Server Fulfilling Requests from IPSec Peers
Each IPSec peer individually enrolls with the CA server, so adding a peer means one enrollment rather than a new pre-shared key on every existing peer.
Enroll a PIX Firewall With a CA
Step 1. Configure CA support.
Step 2. Generate the RSA public/private key pair.
Step 3. Authenticate the CA (obtain its certificate and verify its fingerprint out of band).
Step 4. Request signed certificates from the CA.
Step 5. The CA administrator verifies the request and sends the signed certificates.
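The enrollment steps above expressed as PIX ca commands, added here as a worked example that is not from the course slides. The CA nickname labca, the CA address 192.168.9.5 (assumed reachable from the PIX), the hostname, domain name, key size, and challenge password are all assumptions to replace with your own values. Lines beginning with a colon are comments.

```text
: The certificate subject is built from hostname and domain-name, so set them first
hostname pix1
domain-name example.com
: Step 1: configure CA support. labca = nickname, 192.168.9.5 = CA server (assumed).
: Retry every 1 minute, up to 20 times, while waiting for the CA.
: Do not add the crloptional keyword in production: with it the PIX accepts a
: peer certificate even when it cannot fetch the CRL, so a revoked peer still gets in.
ca identity labca 192.168.9.5
ca configure labca ca 1 20
: Step 2: generate the RSA key pair the PIX uses to sign its IKE exchanges
ca generate rsa key 1024
: Step 3: fetch the CA certificate. The PIX prints its fingerprint; compare it with
: the fingerprint the CA administrator gave you out of band before accepting it.
ca authenticate labca
: Step 4: send the certificate request. The challenge password is shared with the
: CA administrator and is required later to have the certificate revoked.
ca enroll labca REPLACE-WITH-CHALLENGE-PASSWORD
: Step 5 happens at the CA. Once the signed certificate has arrived, persist the
: keys and certificates to flash and confirm what was received.
ca save all
show ca certificate
: Finally switch IKE phase 1 from pre-shared keys to RSA signatures
isakmp policy 10 authentication rsa-sig
```

The fingerprint comparison in step 3 is the one point where trust enters the system: a PIX that accepts whatever certificate answers at 192.168.9.5 will later trust any peer whose certificate that responder signs. Keep the CRL check mandatory so that a peer whose key was compromised can be cut off by revocation rather than by reconfiguring every firewall.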
Lab Exercise
Lab Visual Objective (diagram; the network numbers did not survive extraction)
Two pods, Pod 1 and Pod 2, each built the same way: a PIX Firewall with e0 as the outside interface (.2) and e1 as the inside interface (.1); a perimeter router whose s0 faces the Internet; and an inside NT server (.3) running syslog, IIS FTP and web services. An NT server running FTP and web services sits on the Internet side. The lab builds the VPN between the two pods' PIX Firewalls.
Summary
Summary
– Identify how the PIX Firewall enables a secure VPN.
– Identify the tasks performed to configure PIX Firewall IPSec support.
– Identify the commands used to configure PIX Firewall IPSec support.
– Configure a VPN between PIX Firewalls.
Review Questions
Review Questions
Q1) What IPSec features are enabled on the PIX Firewall?
Q2) What are the four tasks for configuring IPSec?
Q3) What are the policy parameters for IKE phase 1?
Q4) Is setting the crypto map a necessary step in IKE phase 2?
Q5) What command allows the PIX Firewall to use the default policy parameters?
Q6) Which parameter, permit or deny, specifies that the traffic must be encrypted?
Q7) What is the command to show the currently configured access lists?
Q8) Can AH and ESP be used at the same time?
Q9) What command activates the IPSec policy?
Q10) Why is a CA server the most scalable solution?