
The following tables show an example configuration for PIX1 and PIX2. You may experience differences between the example configuration and your own configuration.

PIX1 Example Configuration

The example in the following table is a summary of the configuration for PIX1.

Table 12-1. PIX1 Example Configuration

Example Configuration / Description

ip address outside 192.168.1.2 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0

Configures the IP addresses for each PIX Firewall interface.

global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0

Creates a global pool on the outside interface.

nat (inside) 1 10.0.0.0 0.0.0.0 0 0

Enables NAT for the inside interface.

static (inside,outside) 192.168.1.10 10.0.1.3 netmask 255.255.255.255 0 0

Creates a static translation between the global IP address of 192.168.1.10 and the inside Windows NT server at address 10.0.1.3.

access-list 101 permit ip host 192.168.1.10 host 192.168.2.10

The crypto ACL specifies that traffic between the internal Windows NT servers of PIX1 and PIX2 be encrypted. The source and destination IP addresses are the global IP addresses of the static translations. Note that the ACLs for PIX1 and PIX2 are mirror images of each other.

conduit permit icmp any any
conduit permit tcp host 192.168.1.10 eq www any

The conduits permit ICMP and Web access for testing.

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

Specifies the router on the outside interface for the default route.

sysopt connection permit-ipsec

Allows IPSec-protected traffic to bypass ACL, access-group, and conduit restrictions.

crypto ipsec transform-set pix2 esp-des

Defines an IPSec transform set named pix2 that uses esp-des.

crypto map peer2 10 ipsec-isakmp

Defines the crypto map named peer2 with a priority of 10 to use ISAKMP (IKE) to negotiate its IPSec security associations. The crypto map defines the IPSec (IKE phase two) parameters.

crypto map peer2 10 match address 101

Defines the crypto map named peer2 to use ACL 101 for crypto traffic selection.

crypto map peer2 10 set peer 192.168.2.2

Defines the crypto map named peer2 to point to the peer (PIX2) by specifying the peer PIX Firewall's outside interface IP address.

crypto map peer2 10 set transform-set pix2

Defines the crypto map named peer2 to use the transform set named pix2.

crypto map peer2 interface outside

Assigns the crypto map set named peer2 to the outside PIX Firewall interface. As soon as the crypto map is assigned to the interface, the IKE and IPSec policy is active.

isakmp enable outside

Enables ISAKMP (IKE) on the outside interface.

isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255

Defines the pre-shared IKE key cisco123 for the IPSec peer at address 192.168.2.2. The address is the peer's outside interface. A wildcard address of 0.0.0.0 with a netmask of 0.0.0.0 could also have been used.

isakmp policy 10 authentication pre-share

Defines ISAKMP (IKE) policy 10 to use pre-shared keys for authentication.

isakmp policy 10 encryption des

Defines ISAKMP (IKE) policy 10 to use DES encryption. 3DES could have been used for stronger encryption.

isakmp policy 10 hash sha

Defines ISAKMP (IKE) policy 10 to use the SHA-1 hash algorithm.

isakmp policy 10 group 1

Specifies use of DH group 1. DH group 2 could have been used for stronger security, but it requires more CPU time.

isakmp policy 10 lifetime 86400

Specifies an ISAKMP (IKE) lifetime of 86,400 seconds.

PIX2 Example Configuration

The example in the following table is a summary of the configuration for PIX2.

Table 12-2. PIX2 Example Configuration

Example Configuration / Description

ip address outside 192.168.2.2 255.255.255.0
ip address inside 10.0.2.1 255.255.255.0
ip address dmz 172.16.2.1 255.255.0.0

Configures the IP addresses for each PIX Firewall interface.

global (outside) 1 192.168.2.10-192.168.2.254 netmask 255.255.255.0

Creates a global pool on the outside interface.

nat (inside) 1 10.0.0.0 0.0.0.0 0 0

Enables NAT for the inside interface.

static (inside,outside) 192.168.2.10 10.0.2.3 netmask 255.255.255.255 0 0

Creates a static translation between the global IP address of 192.168.2.10 and the inside Windows NT server at address 10.0.2.3.

access-list 101 permit ip host 192.168.2.10 host 192.168.1.10

The crypto ACL specifies that traffic between the internal Windows NT servers of PIX1 and PIX2 be encrypted. The source and destination IP addresses are the global IP addresses of the static translations. Note that the ACLs for PIX1 and PIX2 are mirror images of each other.

conduit permit icmp any any
conduit permit tcp host 192.168.2.10 eq www any

The conduits permit ICMP and Web access for testing.

route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

Specifies the router on the outside interface for the default route.

sysopt connection permit-ipsec

Allows IPSec-protected traffic to bypass ACL, access-group, and conduit restrictions.

crypto ipsec transform-set pix1 esp-des

Defines an IPSec transform set named pix1 that uses esp-des.

crypto map peer1 10 ipsec-isakmp

Defines the crypto map named peer1 with a priority of 10 to use ISAKMP (IKE) to negotiate its IPSec security associations. The crypto map defines the IPSec (IKE phase two) parameters.

crypto map peer1 10 match address 101

Defines the crypto map named peer1 to use ACL 101 for crypto traffic selection.

crypto map peer1 10 set peer 192.168.1.2

Defines the crypto map named peer1 to point to the peer (PIX1) by specifying the peer PIX Firewall's outside interface IP address.

crypto map peer1 10 set transform-set pix1

Defines the crypto map named peer1 to use the transform set named pix1.

crypto map peer1 interface outside

Assigns the crypto map set named peer1 to the outside PIX Firewall interface. As soon as the crypto map is assigned to the interface, the IKE and IPSec policy is active.

isakmp enable outside

Enables ISAKMP (IKE) on the outside interface.

isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.255

Defines the pre-shared IKE key cisco123 for the IPSec peer at address 192.168.1.2. The address is the peer's outside interface. A wildcard address of 0.0.0.0 with a netmask of 0.0.0.0 could also have been used.

isakmp policy 10 authentication pre-share

Defines ISAKMP (IKE) policy 10 to use pre-shared keys for authentication.

isakmp policy 10 encryption des

Defines ISAKMP (IKE) policy 10 to use DES encryption. 3DES could have been used for stronger encryption.

isakmp policy 10 hash sha

Defines ISAKMP (IKE) policy 10 to use the SHA-1 hash algorithm.

isakmp policy 10 group 1

Specifies use of DH group 1. DH group 2 could have been used for stronger security, but it requires more CPU time.

isakmp policy 10 lifetime 86400

Specifies an ISAKMP (IKE) lifetime of 86,400 seconds.
