Manucomp Systems
IPsec Between a Static PIX 6.x and a Dynamic IOS Router with NAT Configuration Example


This configuration shows how to make an IOS router accept a dynamic IPsec connection from a PIX whose address the router does not have to know in advance. The router performs Network Address Translation (NAT) when its private network 192.168.1.x accesses the Internet, but traffic from 192.168.1.x to the private network 172.16.1.x behind the PIX Security Appliance is excluded from NAT so that it still matches the crypto access list. The PIX likewise exempts 172.16.1.x to 192.168.1.x from its own NAT. Because the router uses a dynamic crypto map, the IPsec tunnel is established only when interesting traffic (172.16.1.x to 192.168.1.x) originates behind the PIX: the PIX can initiate connections to the router, but the router cannot initiate connections to the PIX, and hosts on 192.168.1.x cannot reach 172.16.1.x until the PIX has brought the tunnel up.


Network Diagram



(Diagram not reproduced.) Topology used in the configurations below: PIX inside interface 172.16.1.1 on 172.16.1.0/24, PIX outside interface 140.4.10.1; router Ethernet1 (outside) 140.4.10.2 on the same 140.4.10.0/24 segment, router Ethernet0 (inside) 192.168.1.1 on 192.168.1.0/24.

Configurations

PIX 6.x

pixfirewall# sh run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Hydro
domain-name manucomp.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- This access list (nonat) is referenced by the nat 0 command, which exempts
!--- traffic that matches it from NAT, so traffic to the router's LAN keeps its
!--- private 172.16.1.x source address and still matches the crypto access list.


access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

!--- This access list (IPSEC-Traffic) defines the VPN interesting traffic to be
!--- encrypted. It must be the exact mirror of crypto ACL 101 on the router.

access-list IPSEC-Traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 140.4.10.1 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0

ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400

!--- NAT 0 prevents NAT for networks specified in the ACL - nonat.
!--- The nat 1 command specifies PAT using the
!--- outside interface for all other traffic.

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.1.0 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0 140.4.10.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
!--- "public" is the PIX default community string; set a non-default value
!--- (and restrict polling hosts with snmp-server host) if SNMP is used at all.
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat

!--- PHASE 2 CONFIGURATION ---!
!--- The transform set for Phase 2 is defined here: single DES encryption
!--- with the MD5 HMAC. Both algorithms are obsolete; use 3DES or AES with
!--- SHA wherever the platform supports them.

crypto ipsec transform-set Myset esp-des esp-md5-hmac

!--- Define which traffic should be sent to the IPsec peer.

crypto map Mymap 10 ipsec-isakmp
crypto map Mymap 10 match address IPSEC-Traffic

!--- Sets the IPsec peer.

crypto map Mymap 10 set peer 140.4.10.2

!--- Applies the transform set "Myset" to crypto map entry "Mymap" 10
!--- (the names must match the definitions above).

crypto map Mymap 10 set transform-set Myset

!--- Specifies the interface to be used with
!--- the settings defined in this configuration.

crypto map Mymap interface outside

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10. The pre-shared key is bound to
!--- the router's outside address and is stored in cleartext in the configuration;
!--- use a long random key and keep "show run" output out of tickets and mail.

isakmp enable outside
isakmp key cisco123 address 140.4.10.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain manucomp.com
dhcpd option 150 ip 10.10.10.10
terminal width 80
Cryptochecksum:e24f9dcd7d1a41588e62be33adb2462a
: end

R-831:

R-831#sh run
Building configuration...

Current configuration : 2330 bytes

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname R-831

boot-start-marker
boot-end-marker

enable secret 5 $1$m4k4$MZavrcmPXuB0xKF.8Hfm31

no aaa new-model

ip subnet-zero

no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable

!--- Configuration for IKE policies.
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation. IOS does not display
!--- parameters left at their defaults: this policy uses DES
!--- encryption and a lifetime of 86400 seconds, matching the PIX.


crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2

!--- Specifies the pre-shared key "cisco123", which must be identical at
!--- both peers. This is a global configuration command. The key is bound
!--- to the PIX outside address 140.4.10.1, so only that peer can use it;
!--- a wildcard key (address 0.0.0.0 0.0.0.0) would accept any peer that
!--- knows the key and is a much weaker configuration.

crypto isakmp key cisco123 address 140.4.10.1

!--- Configuration for IPsec policies.
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPsec negotiation.

crypto ipsec transform-set Myset esp-des esp-md5-hmac

!--- IPsec policy, Phase 2. A dynamic crypto map has no "set peer":
!--- the router accepts whichever peer negotiates with it and therefore
!--- cannot initiate the tunnel itself.

crypto dynamic-map DYN 10

!--- Configures IPsec to use the transform-set
!--- "Myset" defined earlier in this configuration.

 set transform-set Myset

!--- Specifies the interesting traffic to be encrypted. In a dynamic map this
!--- is optional, but without it the router accepts any data flow identity
!--- the peer proposes.

 match address 101

!--- Attaches the dynamic map to the static crypto map "IPSEC" at sequence 10.

crypto map IPSEC 10 ipsec-isakmp dynamic DYN

interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out

interface Ethernet1
 ip address 140.4.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto

!--- Configures the interface to use the
!--- crypto map "IPSEC" for IPsec.

 crypto map IPSEC

interface FastEthernet1
 duplex auto
 speed auto

interface FastEthernet2
 duplex auto
 speed auto

interface FastEthernet3
 duplex auto
 speed auto

interface FastEthernet4
 duplex auto
 speed auto

ip classless
ip route 0.0.0.0 0.0.0.0 140.4.10.1

!--- The cleartext HTTP server is enabled with no access-class; disable it
!--- (no ip http server) unless it is needed for management.

ip http server
no ip http secure-server

!--- ACL 110 selects the flows to be PATed behind the outside interface
!--- (Ethernet1). The deny entry must come first: IOS applies inside-to-outside
!--- NAT before it checks the crypto map, so VPN traffic translated to
!--- 140.4.10.2 would no longer match crypto ACL 101 and would be sent
!--- unencrypted toward the default route.

ip nat inside source list 110 interface Ethernet1 overload

access-list 110 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

!--- Crypto ACL 101 identifies the flows to be protected by encryption. It is
!--- the exact mirror of the PIX access list IPSEC-Traffic; a mismatch makes
!--- Phase 2 fail with "proxy identities not supported" in debug crypto ipsec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

!
control-plane
!
alias exec sb show ip int brief
!
!--- Console and vty access use the cleartext password "cisco", and
!--- "no service password-encryption" above leaves it readable in the
!--- configuration; the vty lines also have no access-class or transport
!--- input restriction.

line con 0
 privilege level 15
 password cisco
 logging synchronous
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
end
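
The two configurations have to agree in three places that are easy to get wrong and that the comments above describe: the Phase 1 policy (where IOS hides parameters that sit at their defaults), the crypto access lists (exact mirrors of each other), and the NAT exemptions on both sides (nat 0 on the PIX, the deny entry in ACL 110 on the router). The following script is an added example, not part of the Cisco or Manucomp page; it checks all three over lines copied from the configurations above. It parses only the command forms that appear on this page, the ACL names and policy number are taken from those configurations, and the default table is the IOS 12.3 isakmp policy defaults.

```python
"""Pre-flight consistency check for the PIX/IOS tunnel above (added example, not Cisco code)."""
import ipaddress
import re

# Constructed input: the relevant lines copied from the two configurations on this page.
PIX_CONFIG = """
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-Traffic permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map Mymap 10 match address IPSEC-Traffic
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

IOS_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto dynamic-map DYN 10
 match address 101
ip nat inside source list 110 interface Ethernet1 overload
access-list 110 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# Values IOS 12.3 uses for any isakmp policy parameter that "show run" does not display.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}


def pix_isakmp_policy(cfg, number="10"):
    """PIX 6.x writes every parameter out as 'isakmp policy N <key> <value>'."""
    return {m.group(1): m.group(2)
            for m in re.finditer(rf"^isakmp policy {number} (\S+) (\S+)$", cfg, re.M)}


def ios_isakmp_policy(cfg, number="10"):
    """IOS omits parameters that sit at their default, so start from the defaults."""
    pol = dict(IOS_ISAKMP_DEFAULTS)
    block = re.search(rf"^crypto isakmp policy {number}\n((?: .*\n)*)", cfg, re.M)
    for line in (block.group(1).splitlines() if block else []):
        key, _, val = line.strip().partition(" ")
        pol[key] = val
    return pol


def pix_acl(cfg, name):
    """(src, dst) networks permitted by a PIX ACL; PIX masks are ordinary netmasks."""
    return [(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
             ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
            for m in re.finditer(
                rf"^access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M)]


def _ios_addr(tokens, i):
    """One IOS ACL address spec: 'any', 'host A', or 'A WILDCARD' (inverse mask)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":               # single host written with an explicit wildcard
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":       # everything, written as a wildcard
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # ipaddress accepts an inverse (host) mask such as 0.0.0.255 in place of a prefix length
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def ios_acl(cfg, number):
    """Ordered (action, src, dst) entries of an IOS numbered extended ACL, 'ip' entries only."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) ip (.+)$", cfg, re.M):
        tokens = m.group(2).split()
        src, i = _ios_addr(tokens, 0)
        dst, _ = _ios_addr(tokens, i)
        entries.append((m.group(1), src, dst))
    return entries


def first_match(entries, src, dst):
    """IOS applies the first matching entry, top down, with an implicit deny at the end."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"


def check_tunnel(pix_cfg, ios_cfg):
    """Return the findings a pre-flight review of the two configurations should produce."""
    pix_pol, ios_pol = pix_isakmp_policy(pix_cfg), ios_isakmp_policy(ios_cfg)
    ike_mismatches = sorted(k for k, v in pix_pol.items() if ios_pol.get(k) != v)

    pix_crypto = pix_acl(pix_cfg, "IPSEC-Traffic")
    ios_crypto = {(s, d) for a, s, d in ios_acl(ios_cfg, "101") if a == "permit"}
    # Proxy identities must be exact mirrors, or Phase 2 fails on the router side.
    mirrored = {(d, s) for s, d in pix_crypto} == ios_crypto

    # PIX side: every encrypted flow must be covered by the nat 0 (nonat) ACL.
    nonat = pix_acl(pix_cfg, "nonat")
    pix_nat_ok = all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
                     for s, d in pix_crypto)
    # IOS side: the NAT ACL must deny the VPN flows, because NAT runs before the crypto map.
    ios_nat = ios_acl(ios_cfg, "110")
    ios_nat_ok = all(first_match(ios_nat, s, d) == "deny" for s, d in ios_crypto)
    return {"ike_mismatches": ike_mismatches, "crypto_acl_mirrored": mirrored,
            "pix_nat_exempt_ok": pix_nat_ok, "ios_nat_exempt_ok": ios_nat_ok}


if __name__ == "__main__":
    for name, value in check_tunnel(PIX_CONFIG, IOS_CONFIG).items():
        print(f"{name}: {value}")
```

Run as-is it reports no mismatches. Delete the `hash md5` line from the router policy and the check reports a Phase 1 mismatch on `hash`, because IOS silently falls back to its SHA default; delete the `deny` entry from ACL 110 and the router-side NAT exemption check fails, which is the configuration that leaves VPN traffic PATed and unencrypted.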

Verify

PIX Security Appliance − show Commands:

show crypto isakmp sa: Shows all current IKE SAs at a peer.

pixfirewall(config)#show crypto isakmp sa

Total     : 1
Embryonic : 0

        dst               src          state     pending     created
    140.4.10.1         140.4.10.2      QM_IDLE         0           1

 

show crypto ipsec sa: Shows all current IPsec SAs at a peer.

pixfirewall(config)#show crypto ipsec sa

!--- This command is issued after a ping
!--- is attempted from the PC behind the
!--- PIX (172.16.1.x) to the PC behind
!--- the router (192.168.1.x).

interface: outside
Crypto map tag: Mymap, local addr. 140.4.10.1
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 140.4.10.2:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

!--- Matching encaps and decaps counters show that the ping packets
!--- are exchanged in both directions between the PIX and the router.

local crypto endpt.: 140.4.10.1, remote crypto endpt.: 140.4.10.2
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 13f1aa83
inbound esp sas:
spi: 0xf4dd4178(4108140920)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28567)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x13f1aa83(334604931)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/28567)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:
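
What matters in the output above is the relation between the counters: encaps with no decaps means the PIX is encrypting but the router is not answering through the tunnel (typically a crypto ACL that is not mirrored, or NAT on the far side), encaps stuck at zero means the traffic never matched the crypto ACL, and a negotiated transform that differs from the configured transform set means the output is not from this tunnel. The following parser and rule set are an added example, not part of the Cisco or Manucomp page; the sample is constructed from the output above, trimmed to the lines the parser uses, and the finding codes and their interpretations are this editor's, not Cisco's.

```python
"""Read PIX 'show crypto ipsec sa' output and say what the counters mean (added example)."""
import re

# Constructed sample: the PIX output from this page, trimmed to the lines the parser uses.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: Mymap, local addr. 140.4.10.1
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 140.4.10.2:500
     PERMIT, flags={}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5
    #send errors 0, #recv errors 0
     local crypto endpt.: 140.4.10.1, remote crypto endpt.: 140.4.10.2
     inbound esp sas:
      spi: 0xf4dd4178(4108140920)
        transform: esp-des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x13f1aa83(334604931)
        transform: esp-des esp-md5-hmac ,
"""


def _int(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def _str(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_ipsec_sa(text):
    """Extract the fields worth looking at from one crypto-map entry of the output."""
    return {
        "local_ident": _str(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", text),
        "remote_ident": _str(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", text),
        "peer": _str(r"current_peer: (\S+)", text),
        "encaps": _int(r"#pkts encaps: (\d+)", text),
        "decaps": _int(r"#pkts decaps: (\d+)", text),
        "send_errors": _int(r"#send errors (\d+)", text),
        "recv_errors": _int(r"#recv errors (\d+)", text),
        # A missing SA shows an empty "... esp sas:" section with no spi line under it.
        "inbound_spi": _str(r"inbound esp sas:\s*spi: (0x[0-9a-fA-F]+)", text),
        "outbound_spi": _str(r"outbound esp sas:\s*spi: (0x[0-9a-fA-F]+)", text),
        "transforms": set(re.findall(r"transform: ([^,]+?)\s*,", text)),
    }


# Finding codes and the usual cause behind each (this editor's troubleshooting notes).
MESSAGES = {
    "no_sa": "no Phase 2 SA: check 'show crypto isakmp sa' and that interesting traffic was sent",
    "nothing_sent": "nothing encrypted: traffic does not match the crypto ACL, or NAT rewrote it first",
    "one_way": "one-way traffic: packets are encrypted but none come back; check the peer's "
               "crypto ACL mirror and NAT exemption",
    "errors": "send/recv errors are incrementing: check for MTU problems or an SA the peer no longer has",
    "transform_mismatch": "negotiated transform differs from the configured transform set; "
                          "make sure this output is from this tunnel",
}


def diagnose(sa, expected_transform="esp-des esp-md5-hmac"):
    """Map the parsed fields to finding codes; returns an empty list when the SA looks healthy."""
    findings = []
    if sa["inbound_spi"] is None or sa["outbound_spi"] is None:
        findings.append("no_sa")
    if sa["encaps"] == 0:
        findings.append("nothing_sent")
    elif sa["decaps"] == 0:
        findings.append("one_way")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("errors")
    if sa["transforms"] and sa["transforms"] != {expected_transform}:
        findings.append("transform_mismatch")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"{sa['local_ident']} <-> {sa['remote_ident']} via {sa['peer']}: "
          f"encaps={sa['encaps']} decaps={sa['decaps']}")
    for code in diagnose(sa):
        print(MESSAGES[code])
    if not diagnose(sa):
        print("counters and SAs look healthy")
```

Paste a real `show crypto ipsec sa` into `parse_ipsec_sa` one crypto-map entry at a time; with several entries, split the output on the `local ident` lines first, since the regexes take the first match.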

Remote IOS Router − show Commands:

show crypto isakmp sa: Displays all current IKE SAs at a peer.

show crypto ipsec sa: Displays all current IPsec SAs at a peer.