Practical Exercise 14-8: PIX to Cisco VPN 3000 Client

Practical Exercise 14-8 Solution

The following is a step-by-step discussion of the Practical Exercise solution.

Task 1 Solution

Step 1. At the PIX console, provide all the configuration required to configure the PIX firewall:

Define traffic for the mode pool:

PIX(config)#access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Define the mode pool:

PIX(config)#ip local pool ippool 10.1.2.1-10.1.2.254

Prevent NAT for the pool:

PIX(config)#nat (inside) 0 access-list 101

Enable IPSec sysopt:

PIX(config)#sysopt connection permit-ipsec

Enable ISAKMP:

PIX(config)#isakmp enable outside
PIX(config)#isakmp identity address

Define IKE parameters for VPN 3000 3.x:

PIX(config)#isakmp policy 10 authentication pre-share
PIX(config)#isakmp policy 10 encryption des
PIX(config)#isakmp policy 10 hash md5
PIX(config)#isakmp policy 10 group 2
PIX(config)#isakmp policy 10 lifetime 86400

Define IKE parameters for VPN 3000 2.x:

PIX(config)#isakmp policy 20 authentication pre-share
PIX(config)#isakmp policy 20 encryption des
PIX(config)#isakmp policy 20 hash md5
PIX(config)#isakmp policy 20 group 1
PIX(config)#isakmp policy 20 lifetime 86400

Define the VPN group (vpngroup) parameters pushed to all clients:

PIX(config)#vpngroup vpn3000 address-pool ippool
PIX(config)#vpngroup vpn3000 dns-server 10.1.1.2
PIX(config)#vpngroup vpn3000 wins-server 10.1.1.2
PIX(config)#vpngroup vpn3000 default-domain cisco.com
PIX(config)#vpngroup vpn3000 idle-time 1800
PIX(config)#vpngroup vpn3000 password cisco
PIX(config)#vpngroup vpn3000 split-tunnel 101

Define IPSec parameters:

PIX(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
PIX(config)#crypto dynamic-map dynmap 10 set transform-set myset
PIX(config)#crypto map mymap 10 ipsec-isakmp dynamic dynmap
PIX(config)#crypto map mymap interface outside
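To check a configuration like the one above for settings a reviewer would flag today (single DES, MD5, Diffie-Hellman group 1, a short group pre-shared key, and split tunneling), here is an added Python audit script; it is not part of the book, and its sample configuration is constructed from the commands above.

```python
# Added example (not from the book): audit the PIX remote-access VPN commands
# used in Practical Exercise 14-8 for settings a reviewer would flag today.
import re
from collections import defaultdict

# Constructed sample built from the exercise's own commands; prompts are optional.
SAMPLE_CONFIG = """\
PIX(config)#isakmp enable outside
PIX(config)#isakmp policy 10 authentication pre-share
PIX(config)#isakmp policy 10 encryption des
PIX(config)#isakmp policy 10 hash md5
PIX(config)#isakmp policy 10 group 2
PIX(config)#isakmp policy 20 authentication pre-share
PIX(config)#isakmp policy 20 encryption des
PIX(config)#isakmp policy 20 hash md5
PIX(config)#isakmp policy 20 group 1
PIX(config)#vpngroup vpn3000 password cisco
PIX(config)#vpngroup vpn3000 split-tunnel 101
PIX(config)#crypto ipsec transform-set myset esp-des esp-md5-hmac
"""

# Values considered weak per isakmp policy attribute, and weak ESP transforms.
WEAK_POLICY = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}

def audit(config: str) -> list:
    """Return one finding per weak setting, in the order a reviewer would read them."""
    findings = []
    policies = defaultdict(dict)  # policy number -> {attribute: value}
    for raw in config.splitlines():
        line = re.sub(r"^\S+\(config\)#", "", raw).strip()  # drop console prompt
        if m := re.match(r"isakmp policy (\d+) (\w+) (\S+)$", line):
            policies[m.group(1)][m.group(2)] = m.group(3)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {m.group(1)}: weak transform {t}")
        elif m := re.match(r"vpngroup (\S+) password (\S+)$", line):
            if len(m.group(2)) < 12:  # group pre-shared key shared by every client
                findings.append(f"vpngroup {m.group(1)}: short group password")
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)$", line):
            findings.append(f"vpngroup {m.group(1)}: split tunneling via ACL {m.group(2)}")
    for num, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        for attr, weak in WEAK_POLICY.items():
            if attrs.get(attr) in weak:
                findings.append(f"isakmp policy {num}: weak {attr} {attrs[attr]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```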

Task 2 Solution

Step 1. On the client PC, provide all the configuration required to create the connection IPSec settings:

- Click New to create a new connection, and assign a name to your entry in the Connection Entry box, as shown in Figure 14-12.

Figure 14-12. Naming the Entry

- Enter the IP address of the destination's public interface, as shown in Figure 14-13.

Figure 14-13. Adding the Destination's IP Address

- Under Group Access Information, enter the group name and group password, as shown in Figure 14-14.

Figure 14-14. Adding the Group Name and Group Password

- Click Finish to save the profile in the Registry, as shown in Figure 14-15.

Figure 14-15. Saving the Entry

- Click Connect to test the connection, as shown in Figure 14-16.

Figure 14-16. Connecting to the Destination
