The goal of this sample configuration is to connect a private network behind a Cisco PIX Firewall to a private network behind the Cisco VPN 3000 Concentrator. The devices on the networks know each other by their private addresses.
Refer to IPsec: Router-to-PIX Security Appliance 7.x and Later or ASA Configuration Example for more information about the LAN-to-LAN tunnel configuration between a router and Cisco PIX/ASA Security Appliances.
Refer to IPsec Tunnel Between PIX 7.x and VPN 3000 Concentrator Configuration Example for more information when the PIX has software version 7.x.
Refer to LAN-to-LAN IPsec Tunnel Between a Cisco VPN 3000 Concentrator and Router with AES Configuration Example for more information about the L2L IPSec tunnel configuration between a Cisco VPN 3000 Concentrator and router with Advance Encryption Standard (AES).
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
PIX Software 6.3(1)
VPN 3000 Concentrator with 4.0.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses this network setup:
|PIX Firewall Configuration|
PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname sv2-11 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names !--- Access control list (ACL) for interesting traffic !--- to be encrypted over the tunnel. access-list 101 permit ip 10.13.1.0 255.255.255.0 10.31.1.0 255.255.255.0 pager lines 24 mtu outside 1500 mtu inside 1500 !--- IP addresses on the interfaces. ip address outside 172.18.124.157 255.255.255.0 ip address inside 10.13.1.48 255.255.255.0 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside pdm history enable arp timeout 14400 global (outside) 1 interface !--- Binding ACL 101 to the Network Address Translation (NAT) statement !--- to avoid NAT on the IPSec packet. nat (inside) 0 access-list 101 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 !--- Default route to the Internet. route outside 0.0.0.0 0.0.0.0 172.16.124.132 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable !--- The sysopt command avoids conduit on !--- the IPSec-encrypted traffic. sysopt connection permit-ipsec !---- IPSec policies crypto ipsec transform-set aptset esp-3des esp-md5-hmac !--- Setting up the tunnel peer, encryption ACL, and transform set. crypto map aptmap 10 ipsec-isakmp crypto map aptmap 10 match address 101 crypto map aptmap 10 set peer 172.18.124.132 crypto map aptmap 10 set transform-set aptset !--- Applying the crypto map on the interface. crypto map aptmap interface outside isakmp enable outside !--- Pre-shared key for the tunnel peer. isakmp key ******** address 172.18.124.132 netmask 255.255.255.255 !--- IKE policies isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:1209dc5ffed40ad7c999d655509260f5 : end [OK]
Complete these steps in order to configure the VPN Concentrator.
Note: This example was performed in a lab environment by accessing the VPN Concentrator through the console port and adding a minimal configuration (see steps 1 and 2) so that the additional configuration is done through the graphical user interface (GUI).
Go to Administration > System Reboot > Schedule reboot > Reboot with Factory/Default Configuration and reboot.
When the VPN Concentrator comes up in Quick Configuration mode after you reboot, configure basic device information:
Interfaces/Masks in Configuration > Interfaces (public=172.18.124.132/24, private=10.31.1.80/24)
Default Gateway in Configuration > System > IP routing > Default_Gateway > 172.18.124.157
The VPN Concentrator is now accessible through the GUI from the inside network.
Note: You can also manage the VPN Concentrator from the outside. Refer to How to Manage the VPN 3000 Concentrator from the Public Network for more information.
Launch the GUI and go to Configuration > Interfaces in order to confirm the interfaces.
Note: The interface that terminates the tunnel should have a filter applied to it. In this case, the public interface has the public (default) filter applied. Rules are automatically added later to the applied filter on the IPSec interface.
Go to Configuration > System > Tunneling Protocols > IPSec LAN-to-LAN > Modify or Add in order to configure the IPSec LAN-to-LAN tunnel. Click Apply when you are finished.
In this example, the necessary information for the outside interface of the PIX is populated.
On the confirmation page that displays the automatically configured parameters, click OK in order to accept the configuration.
Note: Do not modify these LAN-to-LAN settings.
Go to Configuration > Policy Management > Traffic Management > Assign Rules to Filter in order to confirm that the rules have been created and applied correctly.
Rules are automatically created and added to the filter applied to the IPSec interface. In this case, the public (default) filter that is applied to the public interface has new rules added to it by the configuration.
On the confirmation page that displays the automatically configured group information, click Apply in order to accept the group settings.
Note: Do not modify these group settings.
On the confirmation page that displays the automatically created security association (SA), confirm that the SA appears in the list of IPSec SAs.
Go to Configuration > System > Tunneling Protocols > IPSec > IKE Proposals in order to confirm that the IKE proposals are shown as active.
There is currently no verification procedure available for this configuration.
This section provides information you can use to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug crypto engine—Shows the traffic that is encrypted.
debug crypto ipsec—Use to see the IPSec negotiations of phase 2.
debug crypto isakmp—Use to see the Internet Security Association and Key Management Protocol (ISAKMP) negotiations of phase 1.
These debug options are individually available if you go to Configuration > System > Events > Classes > Add.
Go to Monitoring > Event Log and click Get Log in order to see the actual debug.
Go to Monitoring > Statistics > IPSec in order to see IPSec status.
- Cisco VPN 3000 Series Concentrators Support Page
- Cisco VPN 3000 Client Support Page
- PIX 500 Series Firewalls Support Page
- Cisco Secure PIX Firewall Command References
- IP Security Protocol (IPSec) Support Page
- Configuring IPSec Network Security
- Request for Comments (RFCs)
- Technical Support and Documentation - Cisco Systems
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.