Firewalls - Cisco - PIX

Sunday, 18 May 2008 13:43
Below is the configuration syntax for a site-to-site VPN on a Cisco PIX firewall.
Configuration
(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400
(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth
(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat
(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#crypto map MYFW_MAP 10 ipsec-isakmp
(config)#crypto map MYFW_MAP 10 match address ED
(config)#crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#crypto map MYFW_MAP 10 set transform-set TRAN
(config)#crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
(config)#crypto map MYFW_MAP interface outside
(config)#crypto isakmp identity address
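The commands above only produce a working tunnel when several objects agree with each other: the crypto map's match address ACL must exist, the same networks must be exempted from translation through nat (inside) 0, the set peer address needs a matching isakmp key, and the referenced transform set must be defined. As an added example that is not part of the original page, the following Python script parses the snippet above (embedded as constructed sample input, with the isakmp policy attributes in sub-mode form) and reports those mismatches together with IKE settings that are weak by current standards, such as DH group 1. The parser, its field names and the weak-setting lists are my own choices, not a Cisco tool; the pre-shared key in the sample is the page's placeholder and the script only records which peers have a key, never the key itself.

```python
"""Consistency audit of a Cisco PIX site-to-site VPN snippet (added example)."""
import re
from collections import defaultdict

# Constructed sample: the page's commands, one per line, with the isakmp policy
# attributes in sub-mode form. The pre-shared key is the page's placeholder.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10
 encryption aes-256
 hash sha
 authentication pre-share
 group 1
 lifetime 86400
isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth
access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
crypto map MYFW_MAP 10 ipsec-isakmp
crypto map MYFW_MAP 10 match address ED
crypto map MYFW_MAP 10 set peer 1.1.1.1
crypto map MYFW_MAP 10 set transform-set TRAN
crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
crypto map MYFW_MAP interface outside
crypto isakmp identity address
"""

# Settings flagged as weak (my choice): DH groups 1/2 (768/1024-bit MODP), MD5, DES/3DES.
WEAK = {"group": {"1", "2"}, "hash": {"md5"}, "encryption": {"des", "3des"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
POLICY_ATTRS = {"encryption", "hash", "authentication", "group", "lifetime"}
PROMPT = re.compile(r"^\s*\(config[^)]*\)#\s*")   # strips pasted CLI prompts


def parse_pix_vpn(text):
    """Collect the VPN-relevant objects; keywords and names are lower-cased."""
    cfg = {"policies": defaultdict(dict), "key_peers": set(), "acls": defaultdict(list),
           "nat0_acls": set(), "transform_sets": {}, "map_ifaces": {},
           "crypto_maps": defaultdict(lambda: defaultdict(dict))}
    policy = None
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw).strip().lower().split()
        if not tok:
            continue
        if tok[0] in POLICY_ATTRS and policy is not None and len(tok) == 2:
            cfg["policies"][policy][tok[0]] = tok[1]            # isakmp policy sub-mode line
        elif tok[:2] == ["isakmp", "policy"]:
            policy = tok[2]
        elif tok[:2] == ["isakmp", "key"] and "address" in tok:
            cfg["key_peers"].add(tok[tok.index("address") + 1])  # record the peer, never the key
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            cfg["acls"][tok[1]].append(tuple(tok[4:8]))          # (src, mask, dst, mask)
        elif tok[0] == "nat" and len(tok) > 4 and tok[2] == "0" and "access-list" in tok:
            cfg["nat0_acls"].add(tok[tok.index("access-list") + 1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4 and tok[3] == "interface":
            cfg["map_ifaces"][tok[2]] = tok[4]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4:
            entry, rest = cfg["crypto_maps"][tok[2]][tok[3]], tok[4:]
            if rest[:2] == ["match", "address"]:
                entry["match"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
    return cfg


def audit(cfg):
    """Return findings as strings; an empty list means the pieces agree."""
    f = []
    for num, pol in sorted(cfg["policies"].items()):
        for attr, weak in WEAK.items():
            if pol.get(attr) in weak:
                f.append(f"isakmp policy {num}: weak {attr} {pol[attr]}")
    nat0 = [ace for n in cfg["nat0_acls"] for ace in cfg["acls"].get(n, [])]
    for name, entries in cfg["crypto_maps"].items():
        if name not in cfg["map_ifaces"]:
            f.append(f"crypto map {name}: not applied to any interface")
        for seq, e in sorted(entries.items()):
            where = f"crypto map {name} {seq}"
            peer, acl, ts = e.get("peer"), e.get("match"), e.get("transform_set")
            if peer not in cfg["key_peers"]:
                f.append(f"{where}: peer {peer} has no isakmp key")
            if acl not in cfg["acls"]:
                f.append(f"{where}: crypto ACL {acl} is not defined")
            for ace in cfg["acls"].get(acl, []):
                if ace not in nat0:          # traffic would be translated before encryption
                    f.append(f"{where}: {ace[0]}->{ace[2]} is not exempt from NAT (nat 0)")
            if ts not in cfg["transform_sets"]:
                f.append(f"{where}: transform-set {ts} is not defined")
            elif WEAK_TRANSFORMS & set(cfg["transform_sets"][ts]):
                f.append(f"{where}: transform-set {ts} uses a weak transform")
    return f


if __name__ == "__main__":
    print("\n".join(audit(parse_pix_vpn(SAMPLE_CONFIG)) or ["no findings"]))
```

Run against the page's snippet the only finding is the DH group; remove the nat (inside) 0 line or the isakmp key line and the corresponding checks fire, which is the kind of mismatch that otherwise only shows up as a tunnel that never comes up or traffic that leaves the outside interface translated instead of encrypted. Pasted output with (config)# prompts is accepted as-is.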
Debug/Show/Clear Commands
- show isakmp: display all ISAKMP configuration
- show isakmp policy: display only the configured ISAKMP policies
- show crypto ipsec transform-set: display all configured IPsec transform sets
- show crypto map: display all configured crypto map entries
- show crypto isakmp sa: display the status of the current IKE SAs
- show crypto ipsec sa: display the status of the current IPsec SAs
- show crypto ipsec sa [peer <addr>]: limit the output to the SAs with one peer
- show crypto ipsec sa [peer <addr>] | i (remote ident): show only the remote identity lines for that peer
- show crypto engine connection active
- clear crypto isakmp sa: clear all active ISAKMP SAs
- clear crypto ipsec sa: clear all active IPsec SAs
- debug crypto isakmp: display IKE communication between the PIX and its IPsec peers
- debug crypto ipsec: display IPsec communication between the PIX and its IPsec peers
Additional Reference