This chapter looked at using the PIX Firewall with various VPN implementations. The basic tasks and steps for configuring VPNs on the firewall aren’t significantly different from those for router VPNs, although the command syntax is unique.
Remember, basic VPN terms and technology were covered in Chapters 9 through 11, and they should be reviewed before taking the certification exam.
This chapter looked at the tasks and steps involved in configuring PIX IPSec. The steps and related commands are summarized in the following task list.
Task 1. Prepare for IPSec
Step 1.1: Determine IKE (IKE phase one) policy
Step 1.2: Determine IPSec (IKE phase two) policy
Step 1.3: Check the current configuration
write terminal
show isakmp policy
show isakmp
Step 1.4: Ensure the network works without encryption
ping all devices
Step 1.5: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
sysopt connection permit-ipsec
Task 2. Configure IKE
Step 2.1: Enable or disable IKE
isakmp enable interface-name
Step 2.2: Create IKE Phase 1 policy
isakmp policy commands
encryption
hash
authentication
group
lifetime
Step 2.3: Configure pre-shared keys (preshared keys)
isakmp identity
name
isakmp key
Step 2.3: Configure pre-shared keys (CA Support)
hostname
domain-name
ca generate rsa key
ca identity
ca configure
ca authenticate
ca enroll
show ca certificate
Step 2.4: Verify the IKE configuration
show isakmp policy
show isakmp
show isakmp sa
Task 3. Configure IPSec
Step 3.1: Configure crypto ACLs to define interesting traffic
access-list
Step 3.2: Configure transform set suites
crypto ipsec transform-set
Step 3.3: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
Step 3.4: Configure crypto maps
crypto map
ipsec-manual | ipsec-isakmp
match address acl-name
set peer
set transform-set
set pfs
set security-association lifetime
crypto dynamic-map
Step 3.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map interface
Task 4. Test and verify IPSec
Step 4.1: Display your configured IKE policies
show isakmp
show isakmp policy
Step 4.2: Display your configured transform sets
show crypto ipsec transform-set
Step 4.3: Display the current state of your IPSec SAs
show isakmp sa
show crypto ipsec security-association lifetime
Step 4.4: View your configured crypto maps
show crypto map
Step 4.5: Debug IKE and IPSec traffic through the Cisco IOS
debug crypto ipsec
debug crypto isakmp
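The following site-to-site configuration ties Tasks 1 through 4 together on a single PIX. It is an added worked example, not configuration from the book; the hostnames, addresses (TEST-NET and RFC 1918 ranges), ACL and map names, and the preshared-key placeholder are all constructed, and the nat 0 exemption is an assumption that NAT is in use on the inside interface. Lines beginning with "!" are explanatory comments rather than PIX commands.

```cisco
! Constructed example: PIX "pix-a" (outside 192.0.2.1, inside 10.1.1.0/24)
! building a site-to-site tunnel to peer 198.51.100.1, which protects 10.2.2.0/24.
! Lines beginning with "!" are comments, not commands.

! Task 2: IKE (phase 1). Enable IKE on the outside interface and define one
! policy; priority 10 is evaluated before any higher-numbered policy.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
! Preshared key bound to exactly one peer address (placeholder secret).
isakmp key REPLACE-WITH-STRONG-SHARED-SECRET address 198.51.100.1 netmask 255.255.255.255

! Task 3, Step 3.1: crypto ACL naming the interesting traffic. Only flows
! matching this ACL are encrypted; everything else leaves in the clear.
access-list vpn-to-site-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Assumption: NAT is configured on inside, so exempt tunnel traffic from it.
nat (inside) 0 access-list vpn-to-site-b

! Steps 3.2 and 3.3: transform set and global SA lifetime (phase 2).
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800

! Step 3.4: one crypto map entry tying ACL, peer, transform set and PFS together.
crypto map site-b 10 ipsec-isakmp
crypto map site-b 10 match address vpn-to-site-b
crypto map site-b 10 set peer 198.51.100.1
crypto map site-b 10 set transform-set esp-3des-sha
crypto map site-b 10 set pfs group2

! Step 3.5: apply the map to the interface that terminates the tunnel.
crypto map site-b interface outside

! Task 1, Step 1.5: let decrypted IPSec traffic bypass the interface ACL.
! Because of this, the crypto ACL above becomes the effective control over
! what the remote site may reach; keep it as narrow as the policy allows.
sysopt connection permit-ipsec
```

Once the peer is configured with mirrored addresses and the same key, policy and transform set, send traffic between the two inside networks and check with the Task 4 commands: show isakmp sa should list the phase 1 SA for 198.51.100.1, and show crypto ipsec sa should show the phase 2 SAs with encrypt/decrypt counters incrementing. If phase 1 never forms, debug crypto isakmp will normally show whether the policies or the key failed to match.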
Task 1. Prepare for IPSec: determine a detailed security policy for RSA encryption, including how the RSA public keys will be distributed.
Task 2. Configure RSA keys manually.
Step 2.1: Plan for RSA keys
Step 2.2: Configure the router’s host name and domain name
hostname name
ip domain-name name
Step 2.3: Generate the RSA keys
crypto key generate rsa usage-keys
Step 2.4: Enter peer RSA public keys—Detail is important; any mistake entering the keys will cause them not to work.
crypto key pubkey-chain
crypto key pubkey-chain rsa
addressed-key key-address
named-key key-name
key-string string
Step 2.5: Verify the key configuration
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
Step 2.6: Manage RSA keys—Remove old keys to free up space
crypto key zeroize rsa
Task 3. Configure ISAKMP for IPSec: select RSA encryption as the authentication method in an ISAKMP policy.
Task 4. Configure IPSec: typically done the same way as with preshared keys.
Task 5. Test and verify IPSec, and exercise the additional commands for viewing and managing RSA public keys.
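The RSA-encryption procedure above, carried through on an IOS router as an added example that is not from the book. The hostname, domain, peer address and the key-string contents are constructed; the hex that would follow key-string must be copied verbatim from the peer's own show crypto key mypubkey rsa output, so a labelled placeholder stands in for it here. Lines beginning with "!" are comments.

```cisco
! Constructed example: IOS router "r1" exchanging RSA public keys out of band
! with peer 198.51.100.1 and authenticating IKE with RSA encrypted nonces.
! Lines beginning with "!" are comments, not commands.

! Step 2.2: the key pair is labelled with the FQDN, so set these first.
hostname r1
ip domain-name example.com

! Step 2.3: usage keys create separate signature and encryption key pairs.
crypto key generate rsa usage-keys

! Step 2.4: enter the peer's ENCRYPTION public key (rsa-encr uses it to
! encrypt nonces). Every hex digit must match the peer's output exactly.
crypto key pubkey-chain rsa
 addressed-key 198.51.100.1 encryption
  key-string
   PASTE-PEER-ENCRYPTION-KEY-HEX-HERE-PLACEHOLDER
  quit

! Task 3: select RSA encrypted nonces as the IKE authentication method.
crypto isakmp policy 10
 authentication rsa-encr
 encryption 3des
 hash sha
 group 2

! Step 2.5 (exec mode): confirm the local pair and the peer entry before
! testing; a typo in the peer key shows up here as a key that never matches.
! show crypto key mypubkey rsa
! show crypto key pubkey-chain rsa
! Step 2.6 (exec mode): when a key is retired, remove it so it can't be reused.
! crypto key zeroize rsa
```

Task 4 (transform set, crypto ACL, crypto map and interface binding) is unchanged from the preshared-key case, so it is not repeated here. Note that both peers must hold each other's public key before phase 1 can complete; a failure on one side only is the usual symptom of a key entered with a single wrong digit.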
Task 1. Prepare for IPSec
Step 1.1: Plan for CA support
Determine the type of CA server to use
Identify the CA server’s IP address, host name, and URL. Required for Lightweight Directory Access Protocol (LDAP).
Identify the CA server administrator contact information.
Step 1.2: Determine IKE (IKE phase one) policy
Step 1.3: Determine IPSec (IKE phase two) policy
Step 1.4: Check the current configuration
show running-config
show crypto isakmp [policy]
show crypto map
Step 1.5: Ensure the network works without encryption
ping all devices
Step 1.6: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
Task 2. Configure CA Support
Step 2.1: Manage the nonvolatile RAM (NVRAM) memory usage (optional)
crypto ca certificate query
Step 2.2: Set the router’s time and date
clock timezone zone hours [minutes]
clock set hh:mm:ss day month year
clock set hh:mm:ss month day year
Step 2.3: Configure the router’s host name and domain name
hostname name
ip domain-name name
ip host name address1 [address2 ... address8]
Step 2.4: Generate an RSA key pair—used to identify the router to the remote VPN peer
crypto key generate rsa [usage-keys]
Step 2.5: Declare a CA
crypto ca identity name
Step 2.6: Authenticate the CA
crypto ca authenticate name
Step 2.7: Request your own certificate
crypto ca enroll name
Step 2.8: Save the configuration
copy run start
Step 2.9: Monitor and maintain CA interoperability (optional)
Request a CRL
Delete your router’s RSA keys
Delete both public and private certificates from the configuration
Delete peer’s public keys
crypto ca identity name
Step 2.10: Verify the CA support configuration
show crypto ca certificates
show crypto key {mypubkey | pubkey-chain} rsa
Task 3. Configure IKE
Step 3.1: Enable or disable IKE
crypto isakmp enable
Step 3.2: Create IKE policies
crypto isakmp policy priority
Step 3.3: Configure preshared keys
crypto isakmp key and associated commands
Step 3.4: Verify the IKE configuration
show crypto isakmp policy
show crypto isakmp sa
Task 4. Configure IPSec
Step 4.1: Configure transform set suites
crypto ipsec transform-set
Step 4.2: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
Step 4.3: Configure crypto ACLs
access-list
Step 4.4: Configure crypto maps
crypto map
Step 4.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map
Task 5. Test and verify IPSec
Step 5.1: Display your configured IKE policies
show crypto isakmp policy
Step 5.2: Display your configured transform sets
show crypto ipsec transform-set
Step 5.3: Display the current state of your IPSec SAs
show crypto ipsec sa
Step 5.4: View your configured crypto maps
show crypto map
Step 5.5: Debug IKE and IPSec traffic through the Cisco IOS
debug crypto ipsec
debug crypto isakmp
Step 5.6: Debug CA events
debug crypto key-exchange
debug crypto pki
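The CA-support procedure above (Tasks 2 through 4) as one worked IOS configuration. This is an added example, not configuration from the book or from Cisco; the router name, domain, CA name and address, enrollment URL, ACL number, peer address and interface are constructed, and the CA is assumed to accept SCEP enrollment over HTTP. Exec-mode commands are shown as "!" comments so the block can be read top to bottom in order.

```cisco
! Constructed example: IOS router "r1" enrolling with CA "example-ca" at
! 192.0.2.10 (assumed to speak SCEP over HTTP), then using rsa-sig in IKE.
! Lines beginning with "!" are comments, not commands.

! Step 2.2: certificates carry validity periods, so fix the clock before
! enrolling; a router with the wrong time rejects a perfectly good certificate.
clock timezone GMT 0
! (exec mode) clock set 14:00:00 1 March 2003

! Step 2.3: host and domain name form the FQDN embedded in the certificate;
! the static host entry lets enrollment work without DNS.
hostname r1
ip domain-name example.com
ip host ca.example.com 192.0.2.10

! Step 2.4: general-purpose RSA key pair (add usage-keys for separate
! signature and encryption pairs).
crypto key generate rsa

! Step 2.5: declare the CA and how to reach it. Retry settings cover a CA
! that issues certificates only after manual approval; crl optional lets
! IPSec proceed if the CRL cannot be fetched (accept the risk knowingly).
crypto ca identity example-ca
 enrollment url http://ca.example.com:80
 enrollment retry period 2
 enrollment retry count 5
 crl optional

! Step 2.6: fetch the CA certificate. The router prints its fingerprint;
! confirm it with the CA administrator (Step 1.1 contact) before accepting.
crypto ca authenticate example-ca
! Step 2.7: request the router's own certificate (prompts for a challenge
! password and whether to include the serial number and IP address).
crypto ca enroll example-ca
! Step 2.8 (exec mode): certificates and keys are lost on reload otherwise.
! copy running-config startup-config

! Task 3: IKE policy using certificate-based authentication.
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Task 4: IPSec, identical to the preshared-key case.
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map site-b 10 ipsec-isakmp
 match address 110
 set peer 198.51.100.1
 set transform-set esp-3des-sha
interface Serial0/0
 crypto map site-b
```

Step 2.10 is the check that matters most: show crypto ca certificates should list both the CA certificate and the router's own certificate with a status of Available before any tunnel is tested. If enrollment stalls, debug crypto pki shows the SCEP exchange with the CA, and debug crypto isakmp later shows whether the peer's certificate chained to the same trusted CA.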
The PIX Firewall OS version 6.2 introduced the Easy VPN Remote device (client) for connecting to any Easy VPN Server. This implementation greatly reduces configuration on the remote host and relies on the server policies for configuration decisions.
Scaling PIX Firewall VPN solutions includes the basic device features plus a variety of network management software applications that provide Web-based, centralized configuration, monitoring, and reporting. Example applications include CiscoWorks VPN/Security Management Solution (VMS), Cisco Secure Policy Manager (CSPM), and Cisco PIX Device Manager (PDM), which is covered in the next chapter.
The PPPoE client was introduced on the PIX Firewall with PIX OS version 6.2. Point-to-Point Protocol over Ethernet (PPPoE) incorporates two widely used and understood standards: PPP and Ethernet. The PPPoE specification connects hosts on an Ethernet to the Internet through a common broadband medium, such as a DSL line, cable modem, or wireless device.
1. Which two of the following are PIX Firewall IPSec implementations?
2. Which IPSec mode runs between two security gateways, such as PIX Firewall units?
3. Which command enables IKE on a PIX Firewall?
4. Which command defines the Diffie–Hellman configuration?
5. In the isakmp policy 100 authentication rsa-sig command, what does rsa-sig mean?
6. Of the following IKE policies, which is the highest priority?
7. Which VPN feature requires device times to be set to GMT?
8. Which command is not required to configure IPSec CAs?
9. What does the sysopt connection permit-ipsec command do?
10. Which is not a function performed by crypto access lists?
11. Which is an example of a Cisco VPN Client implementation?
12. Which command specifies a Syslog server for logging messages?
13. Which is Cisco’s flagship integrated security-management solution?
14. Point-to-Point Protocol over Ethernet (PPPoE) uses which default authentication protocol?
15. Which statement is true about PPPoE on PIX Firewalls?
Answers
1. A and C. Remote access and site-to-site
2. C. Tunnel
3. B. isakmp enable
4. D. Pix(config)# isakmp policy 100 group 2
5. C. CAs will be used for authentication
6. A. 100
7. D. CAs
8. D. Pix(config)# show ca mypubkey rsa
9. C. Permits IPSec traffic to pass through the firewall without inspection by the interface ACLs
10. C. Denies statements that specify any matching packets will be discarded
11. B. Easy VPN Remote device
12. D. logging host
13. A. CiscoWorks VMS
14. C. PAP
15. C. It’s only supported on the outside interface of the PIX