fir3net
PPS-Firenetbanner-780.5x190-30-03-17

PIX - VPN - Site 2 Site

Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall.

Configuration

(config)#isakmp enable outside
(config)#isakmp policy 10
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# hash sha
(config-isakmp-policy)# authentication pre-share
(config-isakmp-policy)# group 1
(config-isakmp-policy)# lifetime 86400

(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth

(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0

(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0
(config)#nat (inside) 0 access-list nonat

(config)#crypto ipsec transform-set TRAN esp-aes-256 esp-sha-hmac
(config)#Crypto map MYFW_MAP 10 ipsec-isakmp
(config)#Crypto map MYFW_MAP 10 match address ED
(config)#Crypto map MYFW_MAP 10 set peer 1.1.1.1
(config)#Crypto map MYFW_MAP 10 set transform-set TRAN
(config)#Crypto map MYFW_MAP 10 set security-association lifetime seconds 3600
(config)#Crypto map MYFW_MAP interface outside
(config)#Crypto isakmp identity address

Debug/Show/Clear Commands

  • show isakmp                                               display all isakmp configurations  
  • show isakmp policy                                    display only configured ISAKMP policies
  • show crypto ipsec transform-set              display all configured ipsec transform-sets
  • show crypto map                                         display all configured crypto map entries
  • show crypto isakmp sa                              display the status of current IKE SAs  
  • show crypto ipsec sa                                  displays the status of current IPSec SAs
  • show crypto ipsec sa [peer <addr>]
  • show crypto ipsec sa [peer <addr>] | i (remote ident)
  • show crypto engine connection active
  • clear crypto isakmp sa                               clear all active ISAKMP SAs
  • clear crypto ipsec sa                                   clear all active IPSec SAs
  • debug crypto isakmp                                   display IKE communication between PIX and its IPSec peers
  • debug crypt ipsec                                         display IPSec communication betwen the PIX and its IPSec peers

Additional Reference

PIX/ASA 7.x: Simple PIX-to-PIX VPN Tunnel Configuration Example

Tags: Cisco, VPN, Site-to-Site

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001