PIX newbie

sruzila
Level 1

I'm new to PIX so forgive me if I'm a little dumb :-)

I have two PIX 501's at two offices. I want to connect them together into a VPN so that the users at each office can access the servers and resources at the other office.

Should I use the EasyVPN java GUI (I guess this is the PDM??) or the CLI? What type of client should they be...network or client? I have static public IP's on the outside interface of each and static private IP's on the inside interface. The clients use DHCP off a Netware server, but all network equipment and servers have static IP's.

Please dumb it down for me! I have the config guides from cisco but want to make sure I do this right the first time!

Thanks in advance!!!

Steve

8 Replies

thisisshanky
Level 11

Steve,

Use the following document. Simplest method is to use Preshared keys.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb72b.html

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I understand everything except the NATing (steps 5-8 on the link you posted). I'm using PAT so that my users can get out to the internet. Do I need to use NAT for the VPN? I'm also unsure about the global command. Does the VPN need a separate public IP or can I use the outside port's public IP (which is what I did with the previous firewall)? Should both PIX's be configured as network or client? Or both?

Can someone explain the 0's at the end of this:

nat (inside) 1 0 0

Thanks again! Sorry I'm a little dense.

steve

You can leave the PAT as it is. And configure a nat 0 access-list, which bypasses all traffic to be encrypted from getting PATed. Instead it will be tunneled using the outside IP of the PIX.

The global command is attached to the nat command. When you say nat (inside) 1 0 0

the 1 is the NAT ID and this should match with the global command. The 0 and 0 stand for the network address and mask (0.0.0.0 and 0.0.0.0) - just a shortcut. It means NAT anything and everything coming from the inside interface. That is the same reason why you will have to configure a NAT 0 access-list to prevent the VPN traffic from getting NATed (PATed).

The global command uses the same number 1 which is specified in the NAT command. If you want to use PAT you can just say

global (outside) 1 interface

Hope that helps!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks...it does help! So, just to be 110% sure...I should do exactly like the link says (except change the IP's and such) and have the global (outside) set to the static public IP that the outside interface is set to...Right?

Thanks again!

Steve

Yes, that's correct. You could either set it to the outside static IP or specify the interface.

global (outside) 1 x.x.x.x

OR

global (outside) 1 interface

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

One last question...I swear!

What does the 20 mean?

crypto map toSanJose 20 ipsec-isakmp

Steve

If you have multiple sites, each site could be matched in a different instance of the same crypto map. 10, 20, 30 etc. are arbitrary numbers...and they represent a separate instance of the same crypto map. You can only apply one crypto map to an interface. So you need different instances of the same crypto map to define separate sets of policies or to add more site-to-site VPN tunnels.

Hope that explains!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
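The two points above (a nat 0 access-list so tunnel traffic skips PAT, and the crypto map sequence number) put together in one PIX 6.x configuration fragment for one side of the tunnel. This is an added example, not from the thread or the linked Cisco guide; the networks 192.168.1.0/24 (local) and 192.168.2.0/24 (remote), the peer address 203.0.113.2 and the ACL and transform-set names are constructed sample values, and the lines starting with ! are explanatory comments rather than PIX commands.

```cisco
! Added example, not the thread's own config. Sample values: local inside
! 192.168.1.0/24, remote inside 192.168.2.0/24, remote outside 203.0.113.2.

! Traffic bound for the other office must skip PAT; otherwise it leaves with
! the outside address as source and never matches the crypto map ACL.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Everything else from inside is PATed to the outside interface address.
! NAT ID 1 on the nat line must match the ID on the global line.
nat (inside) 1 0 0
global (outside) 1 interface

! The same ACL defines the "interesting" traffic that gets encrypted.
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Phase 1 (ISAKMP) with a preshared key; the key is a placeholder.
isakmp enable outside
isakmp key <preshared-key> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) transform set.
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! 20 is the sequence number of this entry in crypto map "toSanJose".
! A third office would be a second entry, e.g. "toSanJose 30", with its
! own peer, its own ACL and its own nonat line; the map name stays the same.
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address vpn
crypto map toSanJose 20 set peer 203.0.113.2
crypto map toSanJose 20 set transform-set strong

! Only one crypto map can be applied to the interface.
crypto map toSanJose interface outside

! Let IPsec-decrypted traffic bypass the outside ACL / conduit checks.
sysopt connection permit-ipsec
```

The other PIX uses the mirror image: swap the two networks in both ACLs and point the isakmp key and set peer lines at this PIX's outside address.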

I figured that was it. Thanks again for all the help!!!

steve
