11-03-2012 12:37 AM - edited 03-11-2019 05:18 PM
Hi all,
Please go through my network diagram.
I am using OSPF in the network. I only mentioned some of the routers in the diagram.
Consider a Department A which has a branch connected to Router R3 and to some other routers through E1 links which are not mentioned here.
Department A has servers in the DMZ zone of the firewall.
I need to add security features (IPsec) to the Department A network, either through the firewall or through the routers. Here consider 192.168.2.0/24 on R3 as the Department A network. I need to provide IPsec or any other security features to the 192.168.2.0/24 network only, not to the whole R3 network.
Routers: Cisco 7206, 7204
11-03-2012 04:00 AM
You can configure LAN-to-LAN IPSec VPN between R3 and the PIX 525 firewall.
What version is your PIX firewall?
Here is a sample configuration for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
11-05-2012 10:18 PM
Hi Jennifer,
Thanks for the quick reply.
My PIX version is PIX Version 7.0(7).
I will check the document and reply.
11-06-2012 03:49 AM
Hi Jennifer,
I understood the router part of the configuration.
Let me clarify a point:
In the PIX, the servers are in the SERVER zone, whose security level is 95, and the WAN network is in the WAN zone, whose security level is 91. IPsec is to be enabled on the WAN zone interface for particular traffic.
interface Ethernet4
speed 100
duplex full
nameif WAN
security-level 91
ip address x.x.x.x y.y.y.y
!
interface Ethernet5
speed 100
duplex full
nameif SERVER
security-level 95
ip address X.X.X.X Y.Y.Y.Y
!
I have read the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml
I am totally confused with the PIX part.
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address Ipsec-conn
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
tunnel-group 172.17.63.230 type ipsec-l2l
tunnel-group 172.17.63.230 ipsec-attributes
pre-shared-key *
The above configuration mentions one branch router and its IP 172.17.63.230.
But I have 14 branch routers. Then what is the change in the network configuration, and also what is the significance of
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Here my traffic is not to the outside interface but only to the intranet.
11-06-2012 03:54 AM
In your case, instead of terminating the IPsec tunnel on the outside interface, you just have to change the interface to match your requirement, which is the WAN interface.
If you have 14 branch routers, are you planning to build IPsec VPNs from all 14 branch routers?
If you are, then you just have to configure the crypto map with different sequence numbers. As per the above, the crypto map sequence number is 21; in your case, you can just configure one sequence number per branch router that you would like to build the VPN with.
The crypto ACL must match the subnet local to the PIX towards the remote subnet on the branch router.
The NONAT access-list is to bypass translation for those internal subnets.
11-06-2012 04:21 AM
Hi Jennifer,
Thank you for the quick solution.
Can you please clarify the following:
tunnel-group 172.17.63.230 type ipsec-l2l
tunnel-group 172.17.63.230 ipsec-attributes
pre-shared-key *
Here, is the above pre-shared key cisco123, the same one we configured in the router? What is the significance of the line
tunnel-group 172.17.63.230 type ipsec-l2l.
11-06-2012 06:01 PM
The line: tunnel-group 172.17.63.230 type ipsec-l2l
will create the tunnel-group for ipsec-l2l (IPsec LAN-to-LAN) so you can configure attributes for this particular IPsec peer.
And yes, it is the same as the pre-shared key we configured on the router.