
Configuring PIX Firewall IPSec Support

Chapter Description

This chapter will teach you how to configure PIX Firewall IPSec using preshared keys for authentication and test and verify PIX Firewall IPSec.

Task 3: Configure IPSec

The next major task in configuring PIX Firewall IPSec is to configure the IPSec parameters previously gathered. This section presents the steps used to configure IPSec. The general tasks and commands used to configure IPSec encryption on PIX Firewalls are summarized as follows. Subsequent sections discuss each configuration step in detail.

Step 1: Configure crypto access lists with the access-list command.

Step 2: Configure transform set suites with the crypto ipsec transform-set command.

Step 3: (Optional) Configure global IPSec security association lifetimes with the crypto ipsec security-association lifetime command.

Step 4: Configure crypto maps with the crypto map command.

Step 5: Apply crypto maps to the terminating/originating interface with the crypto map map-name interface interface command.

Step 6: Verify the IPSec configuration with the available show commands.


Table 17-2 summarizes IPSec encryption policy details that will be configured in examples in this chapter.

Table 17-2 IPSec Policies for Two Peers

Parameter                               Peer A (PIX 1) Value      Peer B (PIX 2) Value
Transform set                           AH-MD5, ESP-DES           AH-MD5, ESP-DES
IPSec mode                              Tunnel                    Tunnel
Hash algorithm                          MD5                       MD5
Peer host name                          PIX 2                     PIX 1
Peer interface                          Ethernet 0 (outside)      Ethernet 0 (outside)
Peer IP address                         192.168.2.2               192.168.1.2
IP address of hosts to be protected     10.1.1.0                  10.2.1.0
Traffic (packet) type to be encrypted   TCP                       TCP
SA establishment                        ipsec-isakmp              ipsec-isakmp

AH = Authentication Header; ESP = Encapsulating Security Payload.


Step 1: Create Crypto Access Lists

Crypto access lists are used to define which IP traffic is or is not protected by IPSec. Crypto access lists perform the following functions for IPSec:

  • Indicate the data flow to be protected by IPSec

  • Select outbound traffic to be protected by IPSec

  • Process inbound traffic in order to filter out and discard traffic that should have been protected by IPSec

  • Determine whether to accept requests for IPSec security associations for the requested data flows when processing IKE negotiations

Crypto access lists are built with the same access-list command used for regular access lists; they identify the traffic flows to be protected. Although the syntax is identical, the meaning of the keywords differs: permit specifies that matching packets must be protected by IPSec, and deny specifies that matching packets are forwarded without IPSec protection. A crypto access list behaves like an access list applied to outbound traffic on a PIX Firewall interface.

You can configure interesting traffic with crypto access lists. You define a crypto access list with the access-list configuration command. To delete an access list, use the no form of the command. The command syntax is as follows:

access-list acl_name [deny | permit] protocol src_addr src_mask
 [operator port [port]] dest_addr dest_mask [operator port [port]]

The command parameters and syntax have the following meanings:

Command Parameter

Description

acl_name

Specifies the name or number of an access list.

deny

Does not select a packet for IPSec protection. Prevents traffic from being protected by crypto in the context of that particular crypto map entry.

permit

Selects a packet for IPSec protection. Causes all IP traffic that matches the specified conditions to be protected by crypto, using the policy described by the corresponding crypto map entry.

protocol

Specifies the name or number of an IP protocol: one of the keywords icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any IP protocol, use the keyword ip.

src_addr

dest_addr

Specifies the address of the network or host from which the packet is sent (source) or to which it is addressed (destination). There are three ways to specify the source or destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is normally not recommended for use with IPSec.

  • Use host source or host destination as an abbreviation for a single address with a mask of 255.255.255.255.

src_mask

dest_mask

Specifies the netmask bits (mask) to be applied to the source or destination address. There are three ways to specify the mask:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place zeroes in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for an address and mask of 0.0.0.0 0.0.0.0. This keyword is not recommended.

  • Use host source or host destination as an abbreviation for a single address with a mask of 255.255.255.255.

operator

(Optional) Specifies a port or a port range to compare source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). The range operator requires two port numbers. Each of the other operators requires one port number.

port

IP service(s) you permit based on TCP or UDP protocol. Specify ports by either a literal name or a number in the range of 0 to 65535. You can specify all ports by not specifying a port value.


Here are some additional details for access lists:

  • PIX Firewall version 5.0 supports the IP protocol only with granularity to the network, subnet, and host level.

  • PIX Firewall version 5.1 supports granularity to either the TCP or UDP protocol and corresponding port.

  • Specifying ports or port ranges in a crypto access list can dramatically increase the number of IPSec tunnels (SA pairs) that the PIX Firewall must originate or terminate, because a separate tunnel is created for each port.

Any unprotected inbound traffic that matches a permit entry in the crypto access list for a crypto map entry flagged as IPSec will be dropped.

If you want certain traffic to receive one combination of IPSec protection (for example, authentication only) and other traffic to receive a different combination of IPSec protection (for example, both authentication and encryption), you need to create two different crypto access lists to define the two different types of traffic.

CAUTION

Cisco recommends that you avoid using the any keyword to specify source or destination addresses. The permit any any statement is strongly discouraged because it causes all outbound traffic to be protected (as well as all traffic sent to the peer specified in the corresponding crypto map entry) and requires protection for all inbound traffic. Then, all inbound packets that lack IPSec protection are silently dropped. Also, you might experience increased CPU utilization and accompanying network throughput degradation.

Try to be as precise as possible when defining which packets to protect in a crypto access list. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter out any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.

See the "Step 3: Create Crypto Access Lists" section of Chapter 16 for more details on how to configure crypto access lists.

Configure Symmetrical Crypto Access Lists

Cisco recommends that you configure mirror-image crypto access lists for use by IPSec. The crypto access lists on each peer should be symmetrical: the source criteria of PIX 1 should be exactly the same as the destination criteria of PIX 2, and the destination criteria of PIX 1 should be exactly the same as the source criteria of PIX 2. On each PIX Firewall, both inbound and outbound traffic is evaluated against the same outbound IPSec access list. The access list's criteria are applied in the forward direction to traffic exiting the PIX Firewall and in the reverse direction to traffic entering it. When a PIX Firewall receives encrypted packets from an IPSec peer, it uses the same access list to determine which inbound packets to decrypt by reading the source and destination addresses in the access list in reverse order.

Example 17-7 shows a crypto access list pair and illustrates why symmetrical access lists are recommended (refer to Figure 17-1 for a network diagram).

Example 17-7 A Crypto Access List Pair

Pix1(config)# show static
static (inside,outside) 192.168.1.9 10.1.1.4 netmask 255.255.255.255 0 0
Pix1(config)# show access-list
access-list 110 permit ip host 192.168.1.9 host 192.168.2.9
Pix2(config)# show static
static (inside,outside) 192.168.2.9 10.2.1.4 netmask 255.255.255.255 0 0
Pix2(config)# show access-list
access-list 101 permit ip host 192.168.2.9 host 192.168.1.9

In Example 17-7, IPSec protection is applied to traffic between the hosts at Site 1 and Site 2. Network address translation is configured on the PIX Firewalls: the Site 1 host 10.1.1.4 is statically mapped to global address 192.168.1.9 on PIX 1, and the Site 2 host 10.2.1.4 is statically mapped to global address 192.168.2.9 on PIX 2. The access lists use the global addresses from the static commands to specify interesting traffic, because the crypto access list sees the translated addresses. For traffic from the Site 1 host to the Site 2 host, the access list entry on PIX 1 is evaluated as follows:

  • The source is host 192.168.1.9 (statically mapped to 10.1.1.4).

  • The destination is host 192.168.2.9 (statically mapped to 10.2.1.4).

For incoming traffic from the Site 2 host to the Site 1 host, the same access list entry on PIX 1 is evaluated in reverse:

  • The source is host 192.168.2.9 (statically mapped to 10.2.1.4).

  • The destination is host 192.168.1.9 (statically mapped to 10.1.1.4).

Step 2: Configure Transform Set Suites

The next major step in configuring PIX Firewall IPSec is to use the IPSec security policy to define a transform set. A transform set is a combination of individual IPSec transforms that enacts a security policy for traffic. The transform set is negotiated during quick mode in IKE Phase 2, when the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:

  • A mechanism for payload authentication—the AH transform

  • A mechanism for payload encryption—the ESP transform

  • The IPSec mode, either transport or tunnel

You define a transform set with the crypto ipsec transform-set configuration command. To delete a transform set, you use the no form of the command. The command syntax is as follows:

crypto ipsec transform-set transform-set-name transform1
 [transform2 [transform3]]

The command parameters and syntax have the following meanings:

Command Parameter

Description

transform-set-name

Specifies the name of the transform set to create (or modify).

transform1

transform2

transform3

Specify up to three transforms. Transforms define the IPSec security protocol(s) and algorithm(s). Each transform represents an IPSec security protocol (ESP, AH, or both) plus the algorithm you want to use.


Up to three transforms can be in a set. The default mode for each transform is tunnel. Sets are limited to up to one AH and up to two ESP transforms. Make sure you configure matching transform sets between IPSec peers.

When IKE is not used to establish security associations, a single transform set must be used. The transform set is not negotiated. If you specify an ESP protocol in a transform set, you can specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.

The PIX Firewall supports the IPSec transforms shown in Table 17-3.

Table 17-3 PIX-Supported IPSec Transforms

Transform       Description
ah-md5-hmac     AH transform with HMAC-MD5 authentication
ah-sha-hmac     AH transform with HMAC-SHA authentication
esp-des         ESP transform using the DES cipher (56-bit key)
esp-3des        ESP transform using the 3DES (EDE) cipher (168-bit key)
esp-md5-hmac    ESP transform with HMAC-MD5 authentication; used with esp-des or esp-3des to add integrity protection to ESP packets
esp-sha-hmac    ESP transform with HMAC-SHA authentication; used with esp-des or esp-3des to add integrity protection to ESP packets


Choosing Transforms

Choosing IPSec transform combinations can be complex. The following tips might help you select transforms that are appropriate for your situation:

  • If you want to provide data confidentiality, include an ESP encryption transform.

  • Also consider including an ESP authentication transform or an AH transform to provide authentication services for the transform set.

  • To ensure data authentication for the outer IP header as well as the data, include an AH transform.

  • To ensure data authentication (using either ESP or AH), you can choose from the MD5 or SHA (HMAC keyed hash variants) authentication algorithms.

  • The SHA algorithm is generally considered stronger than MD5, but it is slower.

  • Of the transforms in Table 17-3, single DES (56-bit key) can be brute-forced with modest resources and MD5 is deprecated; where both peers support them, prefer esp-3des with esp-sha-hmac.

Transform Set Examples

Transform sets are limited to one AH transform and one or two ESP transforms. Two suggested combinations are shown in Examples 17-8 and 17-9.

Example 17-8 ESP Encryption with 56-bit DES and ESP with SHA-1 Authentication, in Tunnel Mode (the Default), for Higher Performance

esp-des esp-sha-hmac

Example 17-9 ESP Encryption with 3DES and ESP with SHA-1 Authentication, in Tunnel Mode (the Default), for Stronger Security

esp-3des esp-sha-hmac

NOTE

As with Cisco routers, AH is seldom used with ESP because authentication is available with the esp-sha-hmac and esp-md5-hmac transforms. AH is also incompatible with network address translation (NAT) and port address translation (PAT) because they change the IP address in the TCP/IP packet header, breaking the authentication established by AH. AH can be used for data authentication alone, but it does not protect the confidentiality of the packet contents because it does not encrypt.

Transform Set Negotiation

Transform sets are negotiated during quick mode in IKE Phase 2 using previously configured transform sets. You can configure multiple transform sets and then specify one or more of the transform sets in a crypto map entry. You should configure the transforms from most-secure to least-secure as per your policy. The transform set defined in the crypto map entry is used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry's access list.

During the negotiation, the peers search for a transform set that is the same at both peers, as shown in Figure 17-2. When such a transform set is found, it is selected and is applied to the protected traffic as part of both peers' IPSec security associations. IPSec peers agree on one transform proposal per SA (unidirectional).

Step 3: Configure Global IPSec Security Association Lifetimes

The IPSec security association lifetime determines how long IPSec SAs remain valid before they are renegotiated. The PIX Firewall supports a global lifetime value that applies to all crypto maps. The global lifetime value can be overridden within a crypto map entry. The lifetimes apply only to security associations established via IKE. Manually established security associations do not expire. When a security association expires, a new one is negotiated without interrupting the data flow.

Figure 17-2 A Transform Set Negotiated Between IPSec Peers

You can change global IPSec security association lifetime values by using the crypto ipsec security-association lifetime configuration command. To reset a lifetime to the default value, use the no form of the command. The command syntax is as follows:

crypto ipsec security-association lifetime {seconds seconds |
 kilobytes kilobytes}

The command parameters and syntax have the following meanings:

Command Parameter

Description

seconds seconds

Specifies the number of seconds a security association will live before it expires. The default is 28,800 seconds (8 hours).

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between IPSec peers using a given security association before that security association expires. The default is 4,608,000 KB (roughly 10 Mbps sustained for one hour).


Cisco recommends that you use the default lifetime values. Lifetimes for individual SAs can be configured in crypto map entries, which are covered in the section "Configuring Crypto Maps" later in this chapter.

Global IPSec SA Lifetime Examples

A general principle in cryptanalysis is that, given enough time or enough traffic protected under a single key, an attacker can break that key. Over time, a key's effective lifetime is reduced by advances made in cryptanalysis. The PIX Firewall allows you to fine-tune the key lifetime with the crypto ipsec security-association lifetime command. Consider the sample global IPSec security association lifetime shown in Example 17-10.

Example 17-10 Sample Global IPSec Security Association Lifetime

crypto ipsec security-association lifetime kilobytes 1382400

This lifetime corresponds to about 3 Mbps for one hour, adequate for a PIX Firewall behind a perimeter router with an E1 wide-area network (WAN) interface to an ISP at 2.048 Mbps. Example 17-11 shows a lifetime of 15 minutes, which is rather short but limits the amount of traffic an attacker can collect under any one key.

Example 17-11 Sample Lifetime of 15 Minutes

crypto ipsec security-association lifetime seconds 900

Before a key expires, IKE negotiates another one based on the IPSec SA lifetime value to allow for a smooth transition from key to key without having to tear down connections.

Step 4: Create Crypto Maps

Crypto map entries must be created for IPSec to set up SAs for traffic flows that must be encrypted. Crypto map entries created for IPSec set up security association parameters, tying together the various parts configured for IPSec, including the following:

  • Which traffic should be protected by IPSec (crypto access list)

  • The granularity of the traffic to be protected by a set of security associations

  • Where IPSec-protected traffic should be sent (who the remote IPSec peer is)

  • The local address to be used for the IPSec traffic

  • What IPSec security type should be applied to this traffic (transform sets)

  • Whether security associations are established manually or via IKE

  • IPSec security association lifetime

  • Other parameters that might be necessary to define an IPSec security association

The following sections consider crypto map parameters, examine the crypto map command, show how to configure crypto maps, and consider examples of crypto maps.

Crypto Map Parameters

You can apply only one crypto map set to a single interface. The crypto map set can include a combination of IPSec using IKE and IPSec with manually configured SA entries. Multiple interfaces can share the same crypto map set if you want to apply the same policy to multiple interfaces.

If you create more than one crypto map entry for a given interface, use the sequence number (seq-num) of each map entry to rank the map entries: the lower the seq-num, the higher the priority. At the interface that has the crypto map set, traffic is evaluated against higher-priority map entries first. You must create multiple crypto map entries for a given interface if any of the following conditions exist:

  • Different data flows are to be handled by separate IPSec peers.

  • You want to apply different IPSec security to different types of traffic (to the same or separate IPSec peers)—for example, if you want traffic between one set of subnets to be authenticated and traffic between another set of subnets to be both authenticated and encrypted. In this case, the different types of traffic should have been defined in two separate access lists, and you must create a separate crypto map entry for each crypto access list.

  • You are not using IKE to establish a particular set of security associations, and you want to specify multiple access list entries. You must create separate access lists (one per permit entry) and specify a separate crypto map entry for each access list.

Backup Gateways

You can define multiple remote peers by using crypto maps to allow for gateway redundancy. If one peer fails, there will still be a protected path. The peer that packets are actually sent to is determined by the last peer that the PIX Firewall heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, IKE tries the next peer on the crypto map list.

If you are not sure how to configure each crypto map parameter to guarantee compatibility with other peers, you might consider configuring dynamic crypto maps. Dynamic crypto maps are useful when the establishment of the IPSec tunnels is initiated by the remote peer (such as in the case of an IPSec PIX Firewall fronting a server). They are not useful if the establishment of the IPSec tunnels is locally initiated because the dynamic crypto maps are policy templates, not complete statements of policy. (The access lists in any referenced dynamic crypto map entry are used for crypto packet filtering.)

A dynamic crypto map entry is essentially a crypto map entry without all the parameters configured. It acts as a policy template in which the missing parameters are later dynamically configured (as the result of an IPSec negotiation) to match a peer's requirements. This allows peers to exchange IPSec traffic with the PIX Firewall even if the PIX Firewall does not have a crypto map entry specifically configured to meet all the peer's requirements.

Configuring Crypto Maps

You use the crypto map configuration command to create or modify a crypto map entry. You set the crypto map entries referencing dynamic maps to be the lowest-priority entries in a crypto map set (that is, to have the highest sequence numbers). You use the no form of this command to delete a crypto map entry or set. The command syntax is as follows:

crypto map map-name seq-num {ipsec-isakmp | ipsec-manual}
 [dynamic dynamic-map-name]
crypto map map-name seq-num match address acl_name
crypto map map-name seq-num set peer {hostname | ip-address}
crypto map map-name seq-num set pfs [group1 | group2]
crypto map map-name seq-num set security-association lifetime {seconds seconds |
 kilobytes kilobytes}
crypto map map-name seq-num set transform-set transform-set-name1
 [transform-set-name2 ... transform-set-name6]
crypto map map-name client authentication aaa-server-name
crypto map map-name client configuration address {initiate | respond}

The command parameters and syntax have the following meanings:

Command Parameter

Description

map-name

Assigns a name to the crypto map set.

seq-num

Assigns a number to the crypto map entry.

ipsec-manual

Indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

ipsec-isakmp

Indicates that IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

acl_name

Identifies the named encryption access list. This name should match the name argument of the named encryption access list being matched.

match address

Specifies an access list for a crypto map entry.

set peer

Specifies an IPSec peer in a crypto map entry. Specify multiple peers by repeating this command. The peer is the terminating interface of the IPSec peer.

hostname

Specifies a peer by its host name. This is the peer's host name concatenated with its domain name, such as myhost.example.com.

ip-address

Specifies a peer by its IP address.

set pfs

Specifies that IPSec should ask for perfect forward secrecy (PFS). With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. PFS provides additional security for secret key generation at a cost of additional processing.

group1

Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange. Used with the esp-des transform.

group2

Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange. Used with the esp-3des transform.

set transform-set

Specifies which transform sets can be used with the crypto map entry. List multiple transform sets in order of priority, with the highest-priority (most secure) transform set first.

transform-set-name

Specifies the name of the transform set. For an ipsec-manual crypto map entry, you can specify only one transform set. For an ipsec-isakmp or dynamic crypto map entry, you can specify up to six transform sets.

kilobytes kilobytes

Specifies the volume of traffic (in kilobytes) that can pass between peers using a given security association before that SA expires. The default is 4,608,000 KB. The security association lifetime in a crypto map entry overrides the global security association lifetime value.

seconds seconds

Specifies the number of seconds a security association will live before it expires. The default is 28,800 seconds (8 hours), the same as the global default (compare the lifetime shown in Example 17-17).

dynamic

(Optional) Specifies that this crypto map entry references a preexisting dynamic crypto map, which serves as its policy template. If you use this keyword, none of the other crypto map configuration commands (match address, set peer, and so on) is available for this entry.

dynamic-map-name

(Optional) Specifies the name of the dynamic crypto map set that should be used as the policy template.

aaa-server-name

Specifies the name of the AAA server that will authenticate the user during IKE authentication. The two AAA server options available are TACACS+ and RADIUS.

initiate

Indicates that the PIX Firewall attempts to set IP addresses for each peer.

respond

Indicates that the PIX Firewall accepts requests for IP addresses from any requesting peer.


Here are some additional guidelines for configuring crypto maps:

  • Identify the crypto map with a unique crypto map name and sequence number.

  • Use ipsec-isakmp for CA server support.

  • After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map map-name interface interface-name command.

NOTE

Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry, and subsequent entries are ignored. The security associations established by that particular crypto map entry are only for a single data flow. To be able to support multiple manually established security associations for different kinds of traffic, define multiple crypto access lists and then apply each one to a separate ipsec-manual crypto map entry. Each access list should include one permit statement defining what traffic to protect.

Example 17-12 illustrates a crypto map with two peers specified for redundancy purposes.

Example 17-12 A Crypto Map with Two Peers Specified for Redundancy

Pix1(config)# crypto map mymap 10 ipsec-isakmp
Pix1(config)# crypto map mymap 10 match address 151
Pix1(config)# crypto map mymap 10 set peer 192.168.2.2
Pix1(config)# crypto map mymap 10 set peer 192.168.3.2
Pix1(config)# crypto map mymap 10 set pfs group1
Pix1(config)# crypto map mymap 10 set transform-set mytransform
Pix1(config)# crypto map mymap 10 set security-association lifetime seconds 2700

If the first peer cannot be contacted, the second peer will be used. There is no limit to the number of redundant peers that can be configured.
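Putting the crypto map guidance together, the following is an added example (not configuration from the chapter) of a crypto map set that combines a static ipsec-isakmp entry for a known peer with a lowest-priority entry that references a dynamic crypto map, so that a remote peer whose address is not known in advance can still negotiate. The map names mymap and dynmap, access lists 151 and 152, the transform set names, the sequence numbers and the addresses are assumptions chosen for illustration; lines beginning with ! are annotations, not PIX commands.

```cisco
! Transform sets, listed later in the crypto map from most to least secure (assumed names)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set basic esp-des esp-md5-hmac

! Crypto access list for the known peer: protect only the two statically translated hosts
access-list 151 permit ip host 192.168.1.9 host 192.168.2.9

! Access list for the dynamic template: restricts what a remote peer may propose as the
! local protected address, so an unknown peer cannot claim arbitrary flows through this PIX
access-list 152 permit ip host 192.168.1.9 any

! Static entry (seq-num 10): evaluated first because it has the lowest sequence number
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 151
crypto map mymap 10 set peer 192.168.2.2
crypto map mymap 10 set pfs group2
crypto map mymap 10 set transform-set strong basic
crypto map mymap 10 set security-association lifetime seconds 2700

! Dynamic template: no set peer; the peer address and the remaining parameters are filled
! in from the remote peer's proposal. Only the allowed transform set and filter are fixed.
crypto dynamic-map dynmap 10 set transform-set strong
crypto dynamic-map dynmap 10 match address 152

! Reference the template at a sequence number higher than any static entry (assumed 1000),
! so it is consulted only when no static entry matches
crypto map mymap 1000 ipsec-isakmp dynamic dynmap

! Apply the whole set (static and dynamic entries) to the terminating interface
crypto map mymap interface outside
```

Because the dynamic entry has no set peer, it can only respond to negotiations initiated by the remote side; locally initiated traffic that matches no static entry is not protected. Verify the resulting order with show crypto map, which lists the entries of the set by sequence number.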

Setting Manual Keys

You can configure IPSec SAs manually and not use IKE to set up the SA. Cisco recommends that you use IKE to set up the SAs because it is very difficult to ensure that the SA values match between peers, and D-H is a vastly more secure method to generate secret keys between peers. If you must, you can use crypto map commands to manually specify the IPSec session keys and other SA parameters within a crypto map entry.

Security associations established manually via the crypto map ipsec-manual commands do not expire (unlike security associations established via IKE). Session keys at one peer must match the session keys at the remote peer. If you change a session key, the security association using the key is deleted and reinitialized. See the "Configuring Manual IPSec" section of the "Configuring IPSec" chapter of the Configuration Guide for the Cisco Secure PIX Firewall for more details on manual IPSec.

Step 5: Apply Crypto Maps to Interfaces

The last configuration step is to apply the crypto map set to an interface. You apply the crypto map to the PIX Firewall interface that terminates the tunnel (typically the outside interface connected to the Internet) with the crypto map interface command in configuration mode. Use the no form of the command to remove the crypto map set from the interface. The command syntax is as follows:

crypto map map-name interface interface-name

The command parameters have the following meanings:

Command Parameter

Description

map-name

The name of the crypto map set.

interface interface-name

Specifies the identifying interface to be used by the PIX Firewall to identify itself to peers. If IKE is enabled and you are using a CA to obtain certificates, this should be the interface with the address specified in the CA certificates.


IPSec tunnels can be terminated on any PIX Firewall interface. This does not mean you terminate traffic coming from the outside on the inside interface. Traffic terminated on the inside interface is traffic from the inside network. Traffic terminated on the outside is traffic from the outside. Traffic terminated on a DMZ is traffic from the DMZ.

As soon as you apply the crypto map, the security association database should initialize in system memory. The SAs are available for setup when traffic defined by the crypto access list is transmitted or received.

Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-name but a different seq-num, they are considered part of the same set and are all applied to the interface. The crypto map entry with the lowest seq-num is considered the highest priority and is evaluated first.

Example 17-13 is an example of applying a crypto map to an outside interface.

Example 17-13 An Example of Applying a Crypto Map to an Outside Interface

crypto map mymap interface outside
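Pulling Steps 1 through 5 together, here is an added, complete Task 3 configuration for both peers (example configuration, not taken from the chapter), using the values in Table 17-2 and the global addresses and names used in Examples 17-7 and 17-17. It assumes that Task 2 (IKE with preshared keys, not covered on this page) is already configured on both PIX Firewalls and that the static translations of Example 17-7 are in place; the access-list number 101, the crypto map names peer2 and peer1 and the transform set names pix2 and pix1 follow Example 17-17, while the access lists match TCP only, as Table 17-2 specifies (Example 17-17 protects all IP between the hosts). Lines beginning with ! are annotations, not PIX commands.

```cisco
! ---- PIX 1: outside 192.168.1.2, protects 10.1.1.4 via static 192.168.1.9 ----
static (inside,outside) 192.168.1.9 10.1.1.4 netmask 255.255.255.255 0 0

! Step 1: crypto access list on the global (translated) addresses, TCP only (Table 17-2).
! Its mirror image appears on PIX 2 below.
access-list 101 permit tcp host 192.168.1.9 host 192.168.2.9

! Step 2: transform set AH-MD5 + ESP-DES as in Table 17-2; tunnel mode is the default.
! AH is acceptable here only because no device between the two outside interfaces
! translates addresses (see the NOTE on AH and NAT). See Choosing Transforms for
! stronger options than DES and MD5.
crypto ipsec transform-set pix2 ah-md5-hmac esp-des

! Step 3 (optional): global SA lifetimes; the defaults (4,608,000 KB / 28,800 s) are kept.

! Step 4: crypto map entry tying access list, peer and transform set together
crypto map peer2 10 ipsec-isakmp
crypto map peer2 10 match address 101
crypto map peer2 10 set peer 192.168.2.2
crypto map peer2 10 set transform-set pix2

! Step 5: apply the set to the interface that terminates the tunnel
crypto map peer2 interface outside

! ---- PIX 2: outside 192.168.2.2, protects 10.2.1.4 via static 192.168.2.9 ----
static (inside,outside) 192.168.2.9 10.2.1.4 netmask 255.255.255.255 0 0

! Step 1: mirror image of PIX 1's access list (source and destination swapped)
access-list 101 permit tcp host 192.168.2.9 host 192.168.1.9

! Step 2: transform set must match PIX 1's
crypto ipsec transform-set pix1 ah-md5-hmac esp-des

! Step 4
crypto map peer1 10 ipsec-isakmp
crypto map peer1 10 match address 101
crypto map peer1 10 set peer 192.168.1.2
crypto map peer1 10 set transform-set pix1

! Step 5
crypto map peer1 interface outside
```

After entering both sides, show crypto map on PIX 1 should list Crypto Map "peer2" 10 ipsec-isakmp with peer 192.168.2.2, access list 101 and transform set pix2 (compare Example 17-17). Open a TCP connection from 10.1.1.4 to 192.168.2.9 and confirm with show access-list that the hitcnt of access list 101 increments on both PIX Firewalls; a counter that stays at zero points at the crypto access list or the static translation rather than at IKE.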

Step 6: Verify IPSec Configuration

The last step in configuring IPSec on the PIX Firewall is to verify the IPSec configuration using available show commands.

You can view all configured access lists with the show access-list command. In Example 17-14, the hitcnt=0 value shows that no packets have matched this entry yet. If the counter stays at zero while interesting traffic is being sent, check the crypto access list and the static translation it depends on before troubleshooting IKE.

Example 17-14 Showing Configured Access Lists with the show access-list Command

Pix2# show access-list
access-list 101 permit ip host 192.168.2.9 host 192.168.1.9 (hitcnt=0)

You can view the currently defined transform sets with the show crypto ipsec transform-set command. This command has the following syntax:

show crypto ipsec transform-set [tag transform-set-name]

The command parameter has the following meaning:

Command Parameter

Description

tag transform-set-name

(Optional) Shows only the transform sets with the specified transform-set-name


If no keyword is used, all transform sets configured at the PIX Firewall are displayed. Example 17-15 shows the transform sets with the names mine and vrysecure.

Example 17-15 Transform Sets with the Names mine and vrysecure

Pixfirewall# show crypto ipsec transform-set
Transform set mine: { esp-des }
   will negotiate = { Tunnel, },
Transform set vrysecure: { esp-3des ah-sha-hmac esp-sha-hmac }
   will negotiate = { Tunnel, },

You can use the show crypto ipsec security-association lifetime command to view the current global IPSec SA lifetime. In Example 17-16, the global ipsec security-association lifetime is 2305000 KB and 3600 seconds.

Example 17-16 A Global ipsec security-association lifetime of 2305000 KB and 3600 Seconds

Pix1# show crypto ipsec security-association lifetime
Security-association lifetime: 2305000 kilobytes/3600 seconds

You can use the show crypto map command to view the crypto map configuration. If no keywords are used, all crypto maps configured at the PIX Firewall are displayed. The command syntax is as follows:

show crypto map [interface interface | tag map-name]

The command parameters and syntax have the following meanings:

Command Parameter

Description

interface interface

(Optional) Shows only the crypto map set applied to the specified interface

tag map-name

(Optional) Shows only the crypto map set with the specified map-name


Example 17-17 shows an example of crypto maps for PIX 1 and PIX 2. Note how the crypto map pulls together the six IPSec-related values.

Example 17-17 Crypto Maps for PIX 1 and PIX 2

Pix1(config)# show crypto map
Crypto Map "peer2" 10 ipsec-isakmp
  Peer = 192.168.2.2
  access-list 101 permit ip host 192.168.1.9 host 192.168.2.9 (hitcnt=0)
  Current peer: 192.168.2.2
  Security association lifetime: 4608000 kilobytes/28800 seconds
  PFS (Y/N): N
  Transform sets={ pix2, }
Pix2(config)# show crypto map
Crypto Map "peer1" 10 ipsec-isakmp
  Peer = 192.168.1.2
  access-list 101 permit ip host 192.168.2.9 host 192.168.1.9 (hitcnt=0)
  Current peer: 192.168.1.2
  Security association lifetime: 4608000 kilobytes/28800 seconds
  PFS (Y/N): N
  Transform sets={ pix1, }