Lab 14.6.6 Configure a Secure VPN gateway Using IPSec between ...

More documents

Recommendations

Info

access-list ACLIN permit tcp any object-group ALLSERVERS eq wwwaccess-list ACLIN permit tcp any host 192.168.P.11 eq www (hitcnt=0)access-list ACLIN permit tcp any host 192.168.P.10 eq www (hitcnt=2)access-list ACLIN permit tcp any host 192.168.P.6 eq www (hitcnt=0)access-list ACLIN permit tcp any host 192.168.P.7 eq www (hitcnt=0)access-list ACLIN permit icmp any any object-group PINGaccess-list ACLIN permit icmp any any echo (hitcnt=12)access-list ACLIN permit icmp any any echo-reply (hitcnt=4)access-list ACLIN permit icmp any any unreachable (hitcnt=0)access-list ACLIN deny ip any any (hitcnt=3)access-list ACLDMZ; 3 elementsaccess-list ACLDMZ permit icmp any any object-group PINGaccess-list ACLDMZ permit icmp any any echo (hitcnt=0)access-list ACLDMZ permit icmp any any echo-reply (hitcnt=8)access-list ACLDMZ permit icmp any any unreachable (hitcnt=0)access-list 101; 1 elementsaccess-list 101 permit ip host 192.168.P.10 host 192.168.Q.10(hitcnt=0)(where P = pod number, and Q = peer pod number)c. Configure an IPSec transform set (IKE phase two parameters) to use ESP and DES. Use atransform-set-name of pixQ.PixP(config)# crypto ipsec transform-set pixQ esp-des(where Q = peer pod number)1. What are some other IPSec security protocol combinations that can be used?_____________________________________________________________________________d. Create a crypto map by completing the following sub-steps:i. Create a crypto map entry. Use a map-name of peer Q.PixP(config)# crypto map peerQ 10 ipsec-isakmp(where Q = peer pod number)ii. Look at the crypto map and observe the defaults:PixP(config)# show crypto mapCrypto Map “peerQ” 10 ipsec-isakmpNo matching address list set.Current peer: 0.0.0.0Security association lifetime: 4608000 kilobytes/28800 secondsPFS (Y/N): NTransform sets={ }6 - 11 Fundamentals of Network Security v 1.0 - Lab 14.6.6 Copyright © 2003, Cisco Systems, Inc.
iii. Assign the ACL to the crypto map:PixP(config)# crypto map peerQ 10 match address 101(where Q = peer pod number)iv. Define the peer. The peer IP address should be set to the peer’s outside interface IPaddress:PixP(config)# crypto map peerQ 10 set peer 192.168.Q.2(where Q = peer pod number)v. Specify the transform set used to reach the peer. Use the transform set name configured insub-step 2.PixP(config)# crypto map peerQ 10 set transform-set pixQ(where Q = peer pod number)vi. Apply the crypto map set to the outside interface:PixP(config)# crypto map peerQ interface outside(where Q = peer pod number)Step 4 Test and Verify VPN ConfigurationComplete the following steps to test and verify VPN configuration:a. Verify the IKE policy. Note the default values.PixP(config)# show isakmpisakmp enable outsideLab 13-6 Cisco Secure PIX Firewall Advanced 3.0 Copyright 2002, CiscoSystems, Inc.isakmp key ******** address 192.168.Q.2 netmask 255.255.255.255isakmp policy 10 authentication pre-shareisakmp policy 10 encryption desisakmp policy 10 hash shaisakmp policy 10 group 1isakmp policy 10 lifetime 86400(where Q = peer pod number)b. Examine the IKE policies in the PIX Firewall:PixP(config)# show isakmp policyProtection suite of priority 10encryption algorithm: DES - Data Encryption Standard (56 bit keys).hash algorithm: Secure Hash Standardauthentication method: Pre-Shared KeyDiffie-Hellman group: #1 (768 bit)lifetime: 86400 seconds, no volume limitDefault protection suiteencryption algorithm: DES - Data Encryption Standard (56 bit keys).hash algorithm: Secure Hash Standardauthentication method: Rivest-Shamir-Adleman Signature7 - 11 Fundamentals of Network Security v 1.0 - Lab 14.6.6 Copyright © 2003, Cisco Systems, Inc.
Page 1: Lab 14.6.6 Configure a Secure VPN g
Page 9 and 10: local ident (addr/mask/prot/port):(
Page 11: k. Remove all isakmp command statem

Lab 14.6.6 Configure a Secure VPN gateway Using IPSec between ...

Create successful ePaper yourself

Delete template?

Save as template?