
Configuring the Cisco PIX Firewall for CA Site-to-Site

Chapter Description

This sample chapter explains how to configure Cisco Secure PIX Firewall certificate authority (CA) support for Internet Protocol Security (IPSec). After presenting an overview of the configuration process, the chapter shows you each major step of the configuration, including support tasks, IKE, and IPSec.

Task 5: Test and Verify VPN Configuration

The last major task in configuring PIX Firewall IPSec is to test and verify the IKE and IPSec configuration accomplished in the previous tasks. This section summarizes the methods and commands used to test and verify the VPN configuration including CA, IKE, and IPSec configuration.

NOTE

Although many of the test and verify commands are the same as those used when configuring preshared keys, some commands are unique to RSA signatures.

Test and verify CA configuration with the commands in Table 7-3.

Table 7-3 Commands to Test and Verify CA Configuration

  Command                  Description
  show ca identity         Displays the CA your PIX Firewall uses
  show ca configure        Displays the parameters for communication between the PIX Firewall and the CA
  show ca mypubkey rsa     Displays the PIX Firewall's public RSA keys
  show ca certificate      Displays the current status of requested certificates and relevant information about received certificates, such as CA and RA certificates


Debug CA messages with the debug crypto ca command. This command displays communications between the PIX Firewall and the CA server.

Delete RSA keys and CA certificates with the commands in Table 7-4.

Table 7-4 Commands to Delete RSA Keys and CA Certificates

  Command                  Description
  ca zeroize rsa           Deletes all RSA keys that were previously generated by your PIX Firewall. If you issue this command, you must also enter the no ca identity command to delete CA certificates and ask the CA administrator to revoke your PIX Firewall's certificates at the CA.
  no ca identity           Manually removes the PIX Firewall's certificates from the configuration; this command deletes all the certificates issued by the CA.


Test and Verify IKE Configuration

Test and verify IKE configuration on the PIX Firewall with the commands in Table 7-5.

Table 7-5 Commands to Test and Verify IKE Configuration

  Command                  Description
  show access-list         Lists the access-list command statements in the configuration. Used to verify that general access lists permit IPSec traffic.
  show isakmp              Displays configured ISAKMP policies in a format similar to the write terminal command.
  show isakmp policy       Displays the default and any configured ISAKMP policies.


Test and Verify IPSec Configuration

Test and verify IPSec configuration on the PIX Firewall with the commands in Table 7-6.

Table 7-6 Commands to Test and Verify IPSec Configuration

  Command                                          Description
  show access-list                                 Lists the access-list command statements in the configuration. Used to verify that the crypto access lists select interesting traffic. Displays the number of packets that matched the access list.
  show crypto map                                  Displays the configured crypto map parameters.
  show crypto ipsec transform-set                  Displays the configured IPSec transform sets.
  show crypto ipsec security-association lifetime  Displays the current global IPSec SA lifetime values.


Monitor and Manage IKE and IPSec Communications

Monitor and manage IKE and IPSec communications between the PIX Firewall and IPSec peers with the commands in Table 7-7.

Table 7-7 Commands to Monitor and Manage IKE and IPSec Communications

  Command                  Description
  show isakmp sa           Displays the current status of ISAKMP SAs
  show crypto ipsec sa     Displays the current status of IPSec SAs—useful for ensuring traffic is being encrypted
  clear crypto isakmp sa   Clears ISAKMP SAs
  clear crypto ipsec sa    Clears IPSec SAs
  debug crypto isakmp      Displays ISAKMP (IKE) communications between the PIX Firewall and IPSec peers
  debug crypto ipsec       Displays IPSec communications between the PIX Firewall and IPSec peers
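The practical way to use show crypto ipsec sa for the "is traffic being encrypted" check in Table 7-7 (and the matched-packet counts mentioned for show access-list in Table 7-6) is to capture the output, send test traffic that should match the crypto access list, capture it again, and compare the #pkts encaps and #pkts decaps counters per SA. The following Python script is an added example, not code from the chapter or from Cisco: it parses two snapshots and reports whether each SA carried outbound, inbound, or no protected traffic between them. The sample listings are constructed here and only approximate the PIX output format (the ident, current_peer, #pkts encaps/decaps and send/recv error lines); the field names and the verify_encryption verdicts are this example's own choices.

```python
import re

# Constructed sample output approximating the PIX 'show crypto ipsec sa' format.
# It is not captured from a real device; the counter lines are what the check uses.
def _sample(encaps, decaps, send_err=0):
    return f"""\
interface: outside
    Crypto map tag: peer2, local addr. 192.0.2.1

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer: 192.0.2.2
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify {decaps}
    #send errors {send_err}, #recv errors 0
"""

SNAPSHOT_BEFORE = _sample(20, 18)
SNAPSHOT_AFTER = _sample(35, 30)   # taken after sending test traffic through the tunnel

LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \((.+)\)")
REMOTE_RE = re.compile(r"remote\s+ident \(addr/mask/prot/port\): \((.+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Parse one 'show crypto ipsec sa' listing into {(local, remote): counters}."""
    sas = {}
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCAL_RE.match(line):
            # A new SA entry starts at its local ident line.
            sa = {"local": m.group(1), "encaps": 0, "decaps": 0,
                  "send_errors": 0, "recv_errors": 0}
        elif m := REMOTE_RE.match(line):
            if sa is None:
                continue
            sa["remote"] = m.group(1)
            sas[(sa["local"], sa["remote"])] = sa
        elif sa is None:
            continue        # header lines before the first SA
        elif m := PEER_RE.match(line):
            sa["peer"] = m.group(1)
        elif m := ENCAPS_RE.match(line):
            sa["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.match(line):
            sa["decaps"] = int(m.group(1))
        elif m := ERR_RE.match(line):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def verify_encryption(before_text, after_text):
    """Compare snapshots taken before and after sending test traffic.

    Returns {(local, remote): report}; report["verdict"] is one of
    'bidirectional', 'outbound only', 'inbound only' or 'no traffic'.
    """
    before = parse_ipsec_sa(before_text)
    after = parse_ipsec_sa(after_text)
    report = {}
    for key, sa in after.items():
        old = before.get(key, {"encaps": 0, "decaps": 0})   # SA may be new since 'before'
        out_delta = sa["encaps"] - old["encaps"]
        in_delta = sa["decaps"] - old["decaps"]
        if out_delta > 0 and in_delta > 0:
            verdict = "bidirectional"
        elif out_delta > 0:
            verdict = "outbound only"   # we encrypt, nothing returns: check the peer's side
        elif in_delta > 0:
            verdict = "inbound only"    # peer sends, our crypto ACL may not select the reply
        else:
            verdict = "no traffic"      # test traffic did not match this crypto map entry
        report[key] = {
            "peer": sa.get("peer"),
            "encaps_delta": out_delta,
            "decaps_delta": in_delta,
            "errors": sa["send_errors"] + sa["recv_errors"] > 0,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for (local, remote), r in verify_encryption(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{local} -> {remote} via {r['peer']}: {r['verdict']} "
              f"(+{r['encaps_delta']} encaps, +{r['decaps_delta']} decaps, errors={r['errors']})")
```

On a live firewall you would paste the two captured listings in place of the constructed samples; an "outbound only" verdict with rising send errors is the usual sign that IKE completed but the peer is dropping or not returning traffic, and "no traffic" means the test traffic never matched the crypto access list, which show access-list confirms directly.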