The following is the configuration syntax for a site-to-site (LAN-to-LAN) IPsec VPN on a Cisco PIX firewall, using IKEv1 with a pre-shared key. In this example the local protected network is 172.16.1.0/24, the remote network is 172.16.5.0/24, and the remote VPN peer is 1.1.1.1.
Configuration
Phase 1 (ISAKMP policy and pre-shared key):
(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400
(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth

Interesting traffic and NAT exemption:
(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat

Phase 2 (IPsec transform set and crypto map):
(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#crypto map MYFW_MAP 10 ipsec-isakmp
(config)#crypto map MYFW_MAP 10 match address ED
(config)#crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#crypto map MYFW_MAP 10 set transform-set TRAN
(config)#crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
(config)#crypto map MYFW_MAP interface outside
(config)#crypto isakmp identity address

Points to check before applying this on a production firewall:
- access-list ED is the crypto ACL: it defines the "interesting" traffic that is sent through the tunnel. The peer's crypto ACL must be the exact mirror image (172.16.5.0/24 to 172.16.1.0/24); otherwise the Phase 2 proxy identities will not match and the IPsec SA will not come up.
- The nat 0 access-list must cover the same networks as the crypto ACL. If it does not, the traffic is translated before the crypto map sees it and never matches ED.
- group 1 is 768-bit Diffie-Hellman, far weaker than the aes-256/sha it is paired with, so the key exchange becomes the weakest link. Use group 2 as a minimum and group 5 where the peer supports it; both sides must use the same group.
- shabba is a placeholder pre-shared key. Use a long random string and configure the identical value on the peer. The 255.255.255.255 netmask ties the key to the single peer 1.1.1.1, and crypto isakmp identity address makes the PIX identify itself by IP address, which is what the peer's key lookup expects.
- no-xauth only matters when the same PIX also terminates remote-access (XAUTH) clients; it stops the firewall from prompting the site-to-site peer for a username and password.
- The Phase 1 lifetime is 86400 seconds (24 hours) and the Phase 2 lifetime is 3600 seconds (1 hour); both are negotiated with the peer and the SAs are re-keyed automatically before they expire.
- If an access-list is applied to the outside interface, decrypted tunnel traffic is still filtered by it unless sysopt connection permit-ipsec is configured (enabled by default on PIX 7.x; renamed permit-vpn in later releases).
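As an added example that is not part of the original post, the following Python script reads a saved copy of the configuration above and performs the checks just listed: a weak DH group or cipher in the ISAKMP policy, a short or dictionary-like pre-shared key, a crypto ACL or transform set that the crypto map references but that is not defined, a peer with no isakmp key, and nat 0 entries that do not cover the crypto ACL. It also produces the mirror-image ACL the remote peer needs. The parser, the thresholds (groups 1 and 2 flagged, keys under 16 characters flagged) and the embedded copy of the page's configuration are my own assumptions; it understands only the statement types shown on this page, not a full PIX configuration.

```python
import re

# Constructed copy of the page's PIX configuration with the "(config)#" prompts
# stripped and the isakmp policy sub-mode lines indented by one space.
PIX_CONFIG = """\
isakmp enable outside
isakmp policy 10
 encryption aes-256
 hash sha
 authentication pre-share
 group 1
 lifetime 86400
isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth
access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
crypto map MYFW_MAP 10 ipsec-isakmp
crypto map MYFW_MAP 10 match address ED
crypto map MYFW_MAP 10 set peer 1.1.1.1
crypto map MYFW_MAP 10 set transform-set TRAN
crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
crypto map MYFW_MAP interface outside
crypto isakmp identity address
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2}   # 768/1024-bit MODP; group 5 is the strongest a PIX offers
MIN_PSK_LEN = 16          # assumed threshold for this audit, not a PIX rule


def parse_config(text):
    """Pull the VPN-relevant statements out of a PIX config into plain dicts."""
    cfg = {"policies": {}, "keys": [], "acls": {}, "nonat": None, "transform_sets": {}, "maps": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"isakmp policy (\d+)(?:\s+(\S+)\s+(\S+))?$", line):
            cur = int(m.group(1))                 # 7.x sub-mode header or a 6.x one-liner
            pol = cfg["policies"].setdefault(cur, {})
            if m.group(2):
                pol[m.group(2)] = m.group(3)
        elif (m := re.match(r"(encryption|hash|authentication|group|lifetime) (\S+)$", line)) \
                and raw[:1] == " " and cur is not None:
            cfg["policies"][cur][m.group(1)] = m.group(2)
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            cfg["keys"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4, 5))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nonat"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return cfg


def mirror_acl(entries):
    """The peer's crypto ACL must be ours with source and destination swapped."""
    return [(dst, dmask, src, smask) for src, smask, dst, dmask in entries]


def audit(cfg):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for seq, pol in sorted(cfg["policies"].items()):
        enc = pol.get("encryption", "?")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {seq}: {enc} encryption is weak")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {seq}: md5 hash is weak")
        group = int(pol.get("group", 0))
        if group in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {seq}: DH group {group} is weak next to {enc}; use group 5")
    for key, addr in cfg["keys"]:
        if len(key) < MIN_PSK_LEN or key.isalpha():   # report length only, never the secret itself
            findings.append(f"pre-shared key for {addr}: {len(key)} chars, short or dictionary-like")
    nonat = cfg["acls"].get(cfg["nonat"], [])
    for (name, seq), entry in sorted(cfg["maps"].items()):
        acl, ts, peer = entry.get("match address"), entry.get("set transform-set"), entry.get("set peer")
        if acl not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: crypto ACL {acl} is not defined")
        if ts not in cfg["transform_sets"]:
            findings.append(f"crypto map {name} {seq}: transform-set {ts} is not defined")
        if peer and peer not in {a for _, a in cfg["keys"]}:
            findings.append(f"crypto map {name} {seq}: no isakmp key configured for peer {peer}")
        # NAT exemption must cover every crypto-ACL entry, or the traffic is
        # translated before the crypto map ever sees it
        for ace in cfg["acls"].get(acl, []):
            if ace not in nonat:
                findings.append(f"crypto map {name} {seq}: {' '.join(ace)} is missing from nat 0 ACL {cfg['nonat']}")
    return findings


if __name__ == "__main__":
    parsed = parse_config(PIX_CONFIG)
    for finding in audit(parsed):
        print("WARN", finding)
    print("peer's crypto ACL should be:", mirror_acl(parsed["acls"]["ED"]))
```

Run against the page's configuration it reports two findings, the DH group and the pre-shared key; deleting the nonat access-list line adds a third, which is the classic cause of a tunnel that negotiates but carries no traffic.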
Debug/Show/Clear Commands
- show isakmp: display the ISAKMP configuration
- show isakmp policy: display only the configured ISAKMP policies
- show crypto ipsec transform-set: display all configured IPsec transform sets
- show crypto map: display all configured crypto map entries
- show crypto isakmp sa: display the status of the current IKE (Phase 1) SAs
- show crypto ipsec sa: display the status of the current IPsec (Phase 2) SAs, including the per-peer encaps/decaps packet counters
- show crypto ipsec sa [peer <addr>]: restrict the output to a single peer
- show crypto ipsec sa [peer <addr>] | i (remote ident): show only the remote proxy identities negotiated with that peer, a quick way to confirm which networks the tunnel actually covers
- show crypto engine connection active: display the active crypto engine connections
- clear crypto isakmp sa: clear all active ISAKMP SAs
- clear crypto ipsec sa: clear all active IPsec SAs
- debug crypto isakmp: display the IKE negotiation between the PIX and its IPsec peers
- debug crypto ipsec: display the IPsec negotiation between the PIX and its IPsec peers
Note that clearing the SAs drops the tunnel until it is renegotiated, and that the debug commands are verbose; enable them, clear the SAs, send traffic that matches the crypto ACL, and read the negotiation from the start.
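The packet counters in show crypto ipsec sa are the quickest way to tell a tunnel that never negotiated from one that negotiated but only carries traffic in one direction. As an added example that is not part of the original post, this Python script parses the per-peer section of that output (the ident lines and the #pkts encaps/decaps counters) and classifies each SA. The sample output is constructed in the PIX/ASA 7.x layout from memory rather than captured from a firewall; the local address 192.0.2.1 and all counter values are made up, while the identities and peer match the page's configuration.

```python
import re

# Constructed, abbreviated "show crypto ipsec sa" output in the PIX/ASA 7.x layout.
# Not captured from a real firewall: the local addr 192.0.2.1 and every counter
# value are made up; the identities and peer are those of the page's config.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: MYFW_MAP, seq num: 10, local addr: 192.0.2.1

      access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

FIELDS = {
    "seq": r"seq num: (\d+)",
    "peer": r"current_peer: (\S+)",
    "local": r"local ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "remote": r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors: (\d+)",
    "recv_errors": r"#recv errors: (\d+)",
}
COUNTERS = {"seq", "encaps", "decaps", "send_errors", "recv_errors"}


def parse_ipsec_sa(text):
    """Return one record per crypto map entry (i.e. per peer) in the output."""
    records = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        rec = {}
        for name, pattern in FIELDS.items():
            if m := re.search(pattern, chunk):
                rec[name] = int(m.group(1)) if name in COUNTERS else m.group(1)
        records.append(rec)
    return records


def diagnose(rec):
    """Classify a Phase 2 SA from its packet counters alone."""
    encaps, decaps = rec.get("encaps", 0), rec.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "no-traffic"        # nothing has matched the crypto ACL in either direction
    if decaps == 0:
        return "one-way-outbound"  # we encrypt towards the peer but nothing comes back
    if encaps == 0:
        return "one-way-inbound"   # the peer sends, we never reply through the tunnel
    if rec.get("send_errors", 0) or rec.get("recv_errors", 0):
        return "errors"
    return "healthy"


ADVICE = {
    "no-traffic": "send traffic from a host on the local ident network; check the crypto ACL and routing",
    "one-way-outbound": "check that the peer's crypto ACL mirrors ours, its NAT exemption and its return route",
    "one-way-inbound": "check our nat 0 exemption and that replies are routed out of the outside interface",
    "errors": "check SA lifetimes and MTU; run debug crypto ipsec while the error counters increment",
    "healthy": "packets flow in both directions",
}

if __name__ == "__main__":
    for rec in parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA):
        status = diagnose(rec)
        print(f"peer {rec['peer']} {rec['local']} -> {rec['remote']}: "
              f"encaps={rec['encaps']} decaps={rec['decaps']} [{status}] {ADVICE[status]}")
```

In practice paste the output of show crypto ipsec sa peer 1.1.1.1 in place of the sample. Encaps climbing while decaps stays at zero is the signature of a crypto ACL that is not mirrored on the far end or of NAT translating the return traffic before it reaches the peer's crypto map.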
Additional Reference
PIX/ASA 7.x: Simple PIX-to-PIX VPN Tunnel Configuration Example
Author: Rick Donato