Building a Site-to-Site VPN with Cisco PIX501 and Linux, Preparations - Page 1
Site-to-Site VPN network schema

Cisco's smallest security appliance, the PIX 501, is a solid device for building site-to-site IPsec VPN tunnels at speeds of more than 3 MB/s. Although surpassed by NetScreen's 5 series in terms of features and flexibility, it handles standard setups easily. Here we describe a site-to-site VPN tunnel setup with Linux. Although there are descriptions on the net, none covers NAT on the internal interface for inbound connections only to the 'inside' network. The network drawing above shows the setup used in the examples below. The Linux systems are 4 VMware instances running simultaneously. First we wipe out the settings. Starting from scratch as a simple firewall, we verify that our routing is OK.

mypix> ena
Password:
mypix# conf t
mypix(config)# clear configure all
pixfirewall(config)# wr mem
Building configuration...
Cryptochecksum: 311122df f423128e d2d308ea b99179b6
[OK]

This example creates an access list permitting ICMP (ping):

access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any

Next, we need to bind the access lists to the interfaces:

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

Finally, we expose the internal network to the outside interface:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Of course, only in a lab setup! Pinging every IP in the chain ensures routing is OK. This is our PIX configuration for the network above.
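As an added example (not from the article), the following Python script parses the access-list, access-group and static commands used above and reports the two settings the author marks as lab-only: an 'any any' permit bound inbound on the outside interface, and an identity static that exposes the whole inside subnet. The sample configuration embedded in it is constructed from the commands on this page.

```python
"""Audit the PIX commands used in this article for lab-only exposure.

Added example, not from the article. Flags a 'permit ... any any' entry in
the ACL bound inbound on 'outside' and an identity static that exposes a
whole inside subnet, the two settings the author marks as lab-only.
"""
import re

# Constructed sample: the exact commands shown on this page.
SAMPLE_CONFIG = """\
access-list inside_access_in permit icmp any any
access-list outside_access_in permit icmp any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")

def audit(config: str) -> list[str]:
    acls: dict[str, list[tuple[str, str, str]]] = {}
    bindings: dict[str, str] = {}  # interface name -> ACL applied inbound
    statics = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP_RE.match(line):
            bindings[m[2]] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    findings = []
    outside_acl = bindings.get("outside")
    for action, proto, rest in acls.get(outside_acl, []):
        # 'any any' as source and destination means the rule is unrestricted.
        if action == "permit" and rest.split()[:2] == ["any", "any"]:
            findings.append(f"outside ACL {outside_acl} permits {proto} from any to any")
    for _real_ifc, mapped_ifc, mapped, real, mask in statics:
        # mapped == real with a subnet mask is an identity NAT of the whole network.
        if mapped == real and mask != "255.255.255.255":
            findings.append(f"identity static exposes {real} {mask} on {mapped_ifc}")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```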

If the 'enable' password is lost, Cisco's password recovery procedure clears the password by executing a tftp-loaded image at the boot monitor prompt of the PIX. The configuration stays untouched; only the passwords are wiped out. After creating a 'virgin' PIX, a base configuration to check routing verifies connectivity:

ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10

After configuring the interfaces and setting the default route, we need to 'allow' traffic.

Cisco PIX 501 SOHO firewall appliance, front view
Cisco PIX 501 security appliance for firewalling and VPN connectivity, incl. site-to-site VPN (<=10MB/s). 133 MHz AMD SC520 processor, 16 MB RAM, 8 MB Flash
