Chapter Review
Chapter Review
This chapter looked at using the PIX Firewall with various VPN implementations. The basic tasks and steps of configuring VPNs on the firewall aren’t significantly different than working with router VPNs, although the command syntax is unique.
Remember, basic VPN terms and technology were covered in Chapters 9 through 11, and they should be reviewed before taking the certification exam.
This chapter looked at the tasks and steps involved in configuring PIX IPSec. The steps and related commands are summarized in the following task list.
Configuring IPSec
Task 1. Prepare for IPSec
-
Step 1.1: Determine IKE (IKE phase one) policy
-
Step 1.2: Determine IPSec (IKE phase two) policy
-
Step 1.3: Check the current configuration
write terminal
show isakmp policy
show isakmp
-
Step 1.4: Ensure the network works without encryption
ping - all devices
-
Step 1.5: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
sysopt connection permit-ipsec
Task 2. Configure IKE
-
Step 2.1: Enable or disable IKE
isakmp enable interface-name
-
Step 2.2: Create IKE Phase 1 policy
isakmp policy commands
encryption
hash
authentication
group
lifetime
-
Step 2.3: Configure pre-shared keys (preshared keys)
isakmp identity
name
isakmp key
-
Step 2.3: Configure pre-shared keys (CA Support)
hostname
domain-name
ca generate rsa key
ca identity
ca configure
ca authenticate
ca enroll
show ca certificate
-
Step 2.4: Verify the IKE configuration
show isakmp policy
show isakmp
show isakmp sa
Task 3. Configure IPSec
-
Step 3.1: Configure crypto ACLs to define interesting traffic
access-list
-
Step 3.2: Configure transform set suites
crypto ipsec transform-set
-
Step 3.3: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
-
Step 3.4: Configure crypto maps
crypto map
ipsec-manual | ipsec-isakmp
match address acl-name
set peer
set transform-set
set pfs
set security-association lifetime
crypto dynamic-map
-
Step 3.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map interface
Task 4. Test and verify IPSec
-
Step 4.1: Display your configured IKE policies
show isakmp
show isakmp policy
-
Step 4.2: Display your configured transform sets
show crypto ipsec transform-set
-
Step 4.3: Display the current state of your IPSec SAs
show isakmp sa
show crypto ipsec security-association lifetime
-
Step 4.4: View your configured crypto maps
show crypto map
-
Step 4.5: Debug IKE and IPSec traffic through the Cisco IOS
debug crypto ipsec
debug crypto isakmp
Configuring IPSec for RSA Encrypted Nonces
Task 1. Prepare for IPSec to determine a detailed security policy for RSA encryption to include how to distribute the RSA public keys.
Task 2. Configure RSA keys manually.
-
Step 2.1: Plan for RSA keys
-
Step 2.2: Configure the router’s host name and domain name
hostname name
ip domain-name name
-
Step 2.3: Generate the RSA keys
crypto key generate rsa usage key
-
Step 2.4: Enter peer RSA public keys—Detail is important, any mistake entering the keys will cause them not to work.
crypto key pubkey-chain
crypto key pubkey-chain rsa
addressed-key key address
named-key key name
key-string string
-
Step 2.5: Verify the key configuration
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
-
Step 2.6: Manage RSA keys—Remove old keys to free up space
crypto key zeroize rsa
Task 3. Configure ISAKMP for IPSec to select RSA encryption as the authentication method in an ISAKMP policy.
Task 4. Configure IPSec—typically done the same as in preshare.
Task 5. Test and verify IPSec and exercise additional commands to view and manage RSA public keys.
Configuring CA Support Tasks
Task 1. Prepare for IPSec
-
Step 1.1: Plan for CA support
Determine the type of CA server to use
Identify the CA server’s IP address, host name, and URL. Required for Lightweight Directory Protocol (LDAP).
Identify the CA server administrator contact information.
-
Step 1.2: Determine IKE (IKE phase one) policy
-
Step 1.3: Determine IPSec (IKE phase two) policy
-
Step 1.4: Check the current configuration
show running-config
show crypto isakmp [policy]
show crypto map
-
Step 1.5: Ensure the network works without encryption
ping all devices
-
Step 1.6: Ensure access control lists (ACLs) are compatible with IPSec
show access-lists
Task 2. Configure CA Support
-
Step 2.1: Manage the nonvolatile RAM (NVRAM) memory usage (optional)
crypto ca certificate query
-
Step 2.2: Set the router’s time and date
clock timezone zone hours [minutes]
clock set hh:mm:ss day month year
clock set hh:mm:ss month day year
-
Step 2.3: Configure the router’s host name and domain name
hostname name
ip domain-name name
ip host name address1 [address2. . . address8]
-
Step 2.4: Generate an RSA key pair—used to identify to the remote VPN peer
crypto key generate rsa [usage key]
-
Step 2.5: Declare a CA
crypto ca identity name
-
Step 2.6: Authenticate the CA
crypto ca authenticate name
-
Step 2.7: Request your own certificate
crypto ca enroll name
-
Step 2.8: Save the configuration
copy run start
-
Step 2.9: Monitor and maintain CA interoperability (optional)
Request a CRL
Delete your router’s RSA keys
Delete both public and private certificates from the configuration
Delete peer’s public keys
crypto ca identity name
-
Step 2.10: Verify the CA support configuration
show crypto ca certificates
show crypto key {mypubkey | pubkey-chain} rsa
Task 3. Configure IKE
-
Step 3.1: Enable or disable IKE
crypto isakmp enable
-
Step 3.2: Create IKE policies
crypto isakmp policy priority
-
Step 3.3: Configure preshared keys
crypto isakmp key and associated commands
-
Step 3.4: Verify the IKE configuration
show crypto isakmp policy
show crypto isakmp sa
Task 4. Configure IPSec
-
Step 4.1: Configure transform set suites
crypto ipsec transform-set
-
Step 4.2: Configure global IPSec security association lifetimes
crypto ipsec security-association lifetime
-
Step 4.3: Configure crypto ACLs
access-list
crypto map
-
Step 4.5: Apply the crypto maps to the terminating/originating interface
interface
crypto map
Task 5. Test and verify IPSec
-
Step 5.1: Display your configured IKE policies
show crypto isakmp policy
-
Step 5.2: Display your configured transform sets
show crypto ipsec transform set
-
Step 5.3: Display the current state of your IPSec SAs
show crypto ipsec sa
-
Step 5.4: View your configured crypto maps
show crypto map
-
Step 5.5: Debug IKE and IPSec traffic through the Cisco IOS
debug crypto ipsec
debug crypto isakmp
-
Step 5.6: Debug CA events
debug crypto key-exchange
debug crypto pki
The PIX Firewall OS version 6.2 introduced the Easy VPN Remote device (client) for connecting to any Easy VPN Server. This implementation greatly reduces configuration on the remote host and relies on the server policies for configuration decisions.
Scaling PIX Firewall VPN solutions includes the basic device features plus a variety of network management software applications to provide Web-based, centralized, configuration, monitoring, and reporting. Example applications include CiscoWorks VPN/ Security Management Solution (VMS), Cisco Secure Policy Manager (CSPM), and Cisco PIX Device Manager (PDM), which is covered in the next chapter.
PPPoE client was introduced on the PIX Firewall with PIX OS version 6.2. Point-to-Point Protocol over Ethernet (PPPoE) incorporates two widely used and understood standards: PPP and Ethernet. The PPPoE specification connects hosts on an Ethernet to the Internet through a common broadband medium, such as DSL line, cable modem, or wireless device.
Questions
|
1.? |
Which two of the following are PIX Firewall IPSec implementations?
|
|
|
2.? |
Which IPSec mode runs between two security gateways, such as PIX Firewall units?
|
|
|
3.? |
Which command enables IKE on a PIX Firewall?
|
|
|
4.? |
Which command defines the Diffie–Hellman configuration?
|
|
|
5.? |
In the isakmp policy 100 authentication rsa-sig command, what does rsa-sig mean?
|
|
|
6.? |
Of the following IKE policies, which is the highest priority?
|
|
|
7.? |
Which VPN feature requires device times to be set to GMT?
|
|
|
8.? |
Which command is not required to configure IPSec CAs?
|
|
|
9.? |
What does the sysopt connection permit-ipsec command do?
|
|
|
10.? |
Which is not a function performed by crypto access lists?
|
|
|
11.? |
Which is an example of a Cisco VPN Client implementation?
|
|
|
12.? |
Which command specifies a Syslog server for logging messages?
|
|
|
13.? |
Which is Cisco’s flagship-integrated security-management solution?
|
|
|
14.? |
Point-to-Point Protocol over Ethernet (PPPoE) uses which default authentication protocol?
|
|
|
15.? |
Which statement is true about PPPoE on PIX Firewalls?
|
|
Answers
|
1.? |
A. and C. Remote access and Site-to-site |
|
2.? |
C. Tunnel |
|
3.? |
B. isakmp enable |
|
4.? |
D. Pix(config)# isakmp policy 100 group 2 |
|
5.? |
C. CAs will be used for authentication |
|
6.? |
A. 100 |
|
7.? |
D. CAs |
|
8.? |
D. Pix(config)# show ca mypubkey rsa |
|
9.? |
C. Permits IPSec traffic to pass through the firewall without inspection by the interface ACLs |
|
10.? |
C. Denies statements that specify any matching packets will be discarded |
|
11.? |
B. Easy VPN Remote device |
|
12.? |
D. logging host |
|
13.? |
A. CiscoWorks VMS |
|
14.? |
C. PAP |
|
15.? |
C. It’s only supported on the outside interface of the PIX |
