What Is a Firewall?
Firewall Technologies
Application proxies
Packet-Filtering Techniques
Packet filters do not commonly inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and the TCP acknowledgement (ACK) field.
Application Proxies
Stateful Inspection Firewalls
Stateful firewalls examine not only the packet header contents, but
also the application layer information within the payload.
A stateful firewall monitors the state of the connection and maintains
a database with this information. This database is usually called the
state table.
The connection state records whether the connection has been established, closed, or reset, or is still being negotiated. These mechanisms offer protection against several types of network attack.
Sessions in an IP World
[Figure: TCP initialization, inside to outside. Host 10.0.0.3 (source port 1026) sends a SYN to 172.30.0.50 port 23 through the PIX Firewall, which translates the source address to 192.168.0.20 and starts the embryonic connection counter (no data yet). The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check; sequence number check; translation check. The figure lists IP header 92513 on both sides and TCP header 49092 (inside) / 49770 (outside). If the code bit of the reply is not SYN-ACK, the PIX drops the packet.]
TCP Initialization—Inside to Outside (cont.)
[Figure: UDP, a connectionless protocol. Host 10.0.0.3 (source port 1028) sends to 172.30.0.50 port 45000 through the PIX Firewall, which translates the source address to 192.168.0.20. All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes). The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check; translation check.]
PIX FIREWALL
PIX Firewall—What Is it?
Adaptive Security Algorithm
[Figure: the PIX Firewall product range plotted by price and functionality, from the PIX Firewall 501 and PIX 506 up through the PIX 515 and PIX 525 to the PIX 535.]
[Figure: a PIX Firewall with three interfaces. e0 faces the outside network (Internet): security level 0, interface name = outside. e1 faces the inside network: security level 100, interface name = inside. e2 faces the DMZ network: security level 50, interface name = DMZ/intf2.]
Firewall Zones and Security Levels (contd)
OUTSIDE
Firewall Zones and Security Levels (contd)
INSIDE
Firewall Zones and Security Levels (contd)
PIX Firewall Basic Commands
pixfirewall> enable
pixfirewall# enable password password
pixfirewall# passwd password
The passwd command is used to set a Telnet password.
write Commands
pixfirewall(config)# telnet ip_address [netmask] [if_name]
Enables you to specify which hosts can access the PIX Firewall console via Telnet.
pixfirewall(config)# kill telnet_id
Terminates a Telnet session.
pixfirewall(config)# who [local_ip]
Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.
http Commands
pixfirewall(config)# http ip_address [netmask] [if_name]
Enables you to specify the clients that are allowed to access the PIX Firewall's HTTP server.
pixfirewall(config)# http server enable
Enables the PIX Firewall HTTP server.
hostname and ping Commands
pixfirewall(config)# hostname newname
hostname command: sets the host name of the PIX Firewall.
pixfirewall(config)# ping ip_address
ping command:
pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
10.0.0.3 response received -- 0Ms
show Commands
nameif
interface
ip address
nat
global
route
Command 1: nameif
pixfirewall(config)# nameif hardware_id if_name security_level
Command 2: interface
pixfirewall(config)# interface hardware_id hardware_speed
The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication.
Command 3: ip address
pixfirewall(config)#
NAT (Network Address Translation)
The Cisco PIX, being a security device, can mask the network addresses on the trusted side from the untrusted networks. Address translation is useful in the following network deployments:
You use a private addressing scheme internally and want to assign globally routable addresses to those hosts.
You change to a service provider that requires you to change the addressing scheme. Rather than redesign the entire IP infrastructure, you implement translation on the border appliance.
You want to hide the internal addressing scheme.
You have more internal hosts than global IP addresses.
NAT (Continued)
Dynamic NAT
PAT
Static NAT
Port Redirection (Static PAT)
Dynamic NAT
Dynamic NAT (Continued)
PAT (Port Address Translation)
PAT (Continued)
Port Address Translation
[Figure: PAT. The inside host 10.0.0.3 sends a packet to destination 172.30.0.50. The PIX Firewall replaces the source address 10.0.0.3 with the PAT global address 192.168.0.15; the destination address 172.30.0.50 is unchanged as the packet goes out to the Internet.]
Mapping Subnets to PAT Addresses
static Command
pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
Permanently maps a single IP address. Recommended for internal service hosts.
[Figure: the inside interface (security level 100, address 10.0.0.1) of the PIX Firewall, outside address 192.168.0.2, and inside host 10.0.0.3. A packet sent from 10.0.0.3 has a source address of 192.168.0.10 after the static translation.]
Static PAT / Port Redirection
Static PAT, also known as port redirection, is useful when the security appliance needs to statically map multiple inside servers to one global IP address.
Static PAT / Port Redirection (Contd)
Port Redirection
pixfirewall(config)#
[Figure: an external user on the Internet, the perimeter router 192.168.0.1, the PIX Firewall with outside address 192.168.0.2 and inside address 10.0.0.1, inside hosts 10.0.0.4 and 10.0.0.3, and a web server at 172.16.0.2. The user issues "telnet 192.168.0.2" and "http://192.168.0.9:8080".]
The external user directs a Telnet request to the PIX Firewall's outside IP address, 192.168.0.2. The PIX Firewall redirects the request to host 10.0.0.4.
The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
No Network Address Translation (nat 0)
Connections vs. Translations
Translations—xlate: IP address to IP address translation; 65,536 translations supported.
Connections—conns: TCP or UDP sessions.
How does data move through the PIX?
xlate Command
pixfirewall(config)#
The following steps describe how data moves through the ASA when an inside user visits a web server on the outside, as shown on the previous slide.
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
An Outside User Visits a Web Server on the DMZ
The following steps describe how data moves through the ASA when an outside user visits a web server on the DMZ, as shown on the previous slide.
1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3.
An Outside User Attempts to Access an Inside Host
The following steps describe how data moves through the ASA when an outside user attempts to access an inside host, as shown on the previous slide.
1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address). If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and, because it is a new session, verifies whether the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
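The three walkthroughs above, replayed in a small Python model of the packet path: a policy check only for new sessions, address translation through an xlate table, a conn table that lets established sessions bypass the policy lookup, and a log line for denied attempts. This is an added example, not Cisco code and not part of the original deck. The interface names and security levels, the NAT rules, the access list and the packet ports are constructed; 10.1.2.27, 10.1.1.3, 209.165.201.10 and 209.165.201.3 are the addresses from the steps, while 203.0.113.5 stands in for www.example.com and 198.51.100.7 for the outside user.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Appliance:
    """Toy stateful appliance: new sessions are policy-checked and translated,
    established sessions take the fast path, denied attempts are logged."""

    def __init__(self):
        self.levels = {"inside": 100, "dmz": 50, "outside": 0}   # constructed
        # routing by longest prefix; anything not local is reached via outside
        self.routes = {"10.1.2.0/24": "inside", "10.1.1.0/24": "dmz", "0.0.0.0/0": "outside"}
        self.dynamic_nat = {"10.1.2.0/24": "209.165.201.10"}   # nat/global pair for inside
        self.xlate = {"10.1.1.3": "209.165.201.3"}              # static entry, always present
        # access list applied to sessions arriving on 'outside': (global dst, dport)
        self.acl = {"outside": {("209.165.201.3", 80)}}        # anything else: implicit deny
        self.conns = set()    # (local host, its port, remote host, remote port)
        self.log = []

    def _iface_for(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in ipaddress.ip_network(n)]
        return self.routes[max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)]

    def _local_for(self, global_ip):
        return next((l for l, g in self.xlate.items() if g == global_ip), None)

    def _policy_allows(self, ingress, egress, pkt):
        """New sessions only. An access list on the ingress interface replaces the
        security-level default (a higher level may initiate to a lower level)."""
        if ingress in self.acl:
            return (pkt.dst, pkt.dport) in self.acl[ingress]
        return self.levels[ingress] > self.levels[egress]

    def _deny(self, ingress, pkt):
        self.log.append(f"Deny tcp src {ingress}:{pkt.src}/{pkt.sport} dst {pkt.dst}/{pkt.dport}")
        return "denied", None

    def forward(self, ingress, pkt):
        """Return (verdict, packet as it leaves the appliance or None). Verdicts:
        'new' (policy checked, conn built), 'established' (fast path), 'denied'."""
        if ingress == "outside":
            local = self._local_for(pkt.dst)              # untranslate the global destination
            if local is None:
                return self._deny(ingress, pkt)           # no translation: nothing to reach
            out = Packet(pkt.src, pkt.sport, local, pkt.dport)
            if (local, pkt.dport, pkt.src, pkt.sport) in self.conns:
                return "established", out                 # bypass the new-connection lookups
            if not self._policy_allows("outside", self._iface_for(local), pkt):
                return self._deny(ingress, pkt)
            self.conns.add((local, pkt.dport, pkt.src, pkt.sport))
            return "new", out
        # session from a higher-security interface (inside or dmz)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            return "established", Packet(self.xlate[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        if not self._policy_allows(ingress, self._iface_for(pkt.dst), pkt):
            return self._deny(ingress, pkt)
        if pkt.src not in self.xlate:                     # build a dynamic xlate on first use
            for net, global_ip in self.dynamic_nat.items():
                if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(net):
                    self.xlate[pkt.src] = global_ip
        if pkt.src not in self.xlate:
            return self._deny(ingress, pkt)               # no nat/global pair covers this host
        self.conns.add(key)
        return "new", Packet(self.xlate[pkt.src], pkt.sport, pkt.dst, pkt.dport)


def walkthrough():
    """Replays the three scenarios from the text; returns the verdicts and the log."""
    fw = Appliance()
    verdicts = [
        fw.forward("inside", Packet("10.1.2.27", 1025, "203.0.113.5", 80))[0],       # inside -> web
        fw.forward("outside", Packet("203.0.113.5", 80, "209.165.201.10", 1025))[0],  # reply
        fw.forward("outside", Packet("198.51.100.7", 40000, "209.165.201.3", 80))[0], # outside -> DMZ
        fw.forward("dmz", Packet("10.1.1.3", 80, "198.51.100.7", 40000))[0],          # DMZ reply
        fw.forward("outside", Packet("198.51.100.7", 40001, "209.165.201.10", 22))[0],# outside -> inside
    ]
    return verdicts, fw.log
```

walkthrough() returns the verdicts ['new', 'established', 'new', 'established', 'denied'] and a single log line for the attempt on the inside host, which is reached through the existing translation but fails the access list on the outside interface.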
Command 4: nat
pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]
[Figure: the inside host 10.0.0.3 sends a packet toward the Internet; on the inside the source address is 10.0.0.3, on the outside the source address is 192.168.0.20.]
Command 5: global
pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface
When internal hosts access the outside network through the firewall, they are assigned public addresses from the 120.92.168.1 – 120.92.168.254 range.
Access Through the PIX Firewall
nat and global
[Figure: PIX Firewall with e1 inside (.1, security level 100), e0 outside (.2, security level 0) toward the Internet, and a DMZ.]
Inside users can start outbound connections to both the DMZ and the Internet.
The nat (dmz) command gives DMZ services access to the Internet.
The global (dmz) command gives inside users access to the web server on the DMZ.
Command 6: route
pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]
[Figure: the PIX Firewall with e0 outside (.2) on 192.168.0.0/24, whose perimeter router is .1; e2 dmz (.1) on 172.16.0.0/24 with a bastion host (.2) running the web and FTP server; e1 inside (.1) on 10.0.0.0/24 with an inside host (.3) and a syslog server.]
Syslog Messages
Security
Resources
System
Accounting
Configure Message Output to the PIX Firewall Buffer
pixfirewall(config)# logging buffered level
Step 1—Send Syslog messages to an internal buffer.
pixfirewall(config)# show logging
Step 2—View messages in the internal buffer.
pixfirewall(config)# clear logging
Step 3—Clear the internal buffer.
pixfirewall(config)# [no] logging message syslog_id
Enable or disable specific Syslog message type logging.
pixfirewall(config)# logging standby
Allow a standby unit to send Syslog messages.
Configure Message Output to a Syslog Server
pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]
pixfirewall(config)# logging trap level
pixfirewall(config)# logging facility facility
Step 3—Set the facility marked on all messages.
pixfirewall(config)# [no] logging timestamp
ASA Overview
ASA Basic configuration
This section describes how to configure the basic settings on the ASA that are typically required for a functioning configuration. This includes the following:
Setting up the Host Name
Log into the ASA and go to “Configuration” mode. Now set the host name
for the device as shown below.
Setting Up the Domain Name
Similarly, set the domain name for the appliance using the command below.
Configuring Interfaces
Configuring NAT (Dynamic NAT / PAT)
Configuring NAT (Static NAT)
Static NAT is required to allow hosts in a lower-security zone to initiate connections with servers in a higher-security zone. Static NAT is typically used to translate internal servers that need to be accessed from external (public) networks. The translation is always active, so both the translated and remote hosts can originate connections. The following command maps an inside IP address to an outside IP address:
Configuring NAT (Static PAT)
Static PAT, also called port redirection, is required when you need to assign one public IP address to multiple servers that need to be accessed from the public (external) network. The ASA segregates the requests based on the destination port (TCP/UDP) of the incoming packet. The following commands show a sample configuration of Static PAT:
Configuring NAT 0 (No NAT)
No NAT, also known as Identity NAT, is required when you need traffic from a specific interface to be excluded from NAT. This is generally used in scenarios where NAT is performed by some other device or an external firewall. This is done using the "nat 0" command as shown below.
Configuring NAT (NAT Exemption)
NAT Exemption is similar to No NAT (Identity NAT), but NAT Exemption allows both the real host and hosts on other interfaces to initiate connections, like Static NAT. NAT Exemption is performed using an access-list command, which identifies the addresses of both the real and remote hosts. This enables all hosts identified by the access list to initiate connections. The following is a sample configuration of NAT Exemption.
Configuring ACL (Access-list)
The ACL identifies traffic that needs to be allowed or dropped when it tries to go through the security appliance. By default the ASA allows traffic to be initiated from higher-security zones to lower-security zones. But once an ACL is applied on an interface, the ASA allows only the traffic that is explicitly permitted in the ACL; all other traffic is dropped by default. The following is a sample ACL configuration.
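The sample ACL referred to above is not reproduced on this page, so here is an added Python example (not Cisco code) that parses access-list lines in the PIX syntax used later in this deck (access-list ID permit|deny PROTO SRC MASK DST MASK [eq PORT], with the host and any keywords) and evaluates them first-match with the implicit deny at the end. The rules and packets are constructed; the third rule is deliberately placed after a broader permit so that it can never match, which is the ordering mistake shadowed_rules() reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None when the rule does not name a port


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'X MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_id: [Rule, ...]}; line order is match order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        acl_id, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(acl_id, []).append(Rule(action, proto, src, dst, dport))
    return acls


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule decides: returns (action, 1-based rule number).
    No match means the implicit deny, returned as ("deny", None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if r.proto not in ("ip", proto):          # 'ip' covers every protocol
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None


def shadowed_rules(rules):
    """1-based positions of rules that can never match because an earlier rule
    already covers their whole source, destination, protocol and port."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.proto in ("ip", r.proto) and r.src.subnet_of(e.src)
                    and r.dst.subnet_of(e.dst)
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i + 1)
                break
    return out


# Constructed ACL: the deny on line 3 is shadowed by the broader permit on line 2.
SAMPLE_ACL = """
access-list 110 permit tcp any host 209.165.201.3 eq 80
access-list 110 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 110 deny ip host 10.0.1.99 10.0.6.0 255.255.255.0
"""
```

Calling evaluate(parse_acl(SAMPLE_ACL)["110"], "udp", "10.0.1.99", "10.0.6.5", 53) returns ("permit", 2): the host the author meant to block is permitted by line 2 before line 3 is ever consulted, and shadowed_rules() flags line 3 so the order can be corrected before the list is applied to an interface.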
Apply ACLs to interfaces (Access-grouping)
Configure Static IP Route
The route command can be read as: for the destination specified in "network", send the traffic out of "interface" to the "gateway". The following is a sample static route configuration.
Configure Default IP Route
A default route identifies the gateway IP address to which the security appliance
sends all IP packets for which it does not have a learned or static route. A default
route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that
identify a specific destination take precedence over the default route. To define the
default route, enter the following command:
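An added Python example (not Cisco code) that builds a routing table from route lines in the syntax shown for the route command earlier on this page (route if_name ip_address netmask gateway_ip [metric]) and resolves destinations by longest prefix, so a route for a specific destination takes precedence over the 0.0.0.0 0.0.0.0 default. The routes, gateways and lookups are constructed, and treating an omitted metric as 1 is an assumption of this model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: str
    metric: int


def parse_routes(text):
    """Parse 'route if_name ip_address netmask gateway_ip [metric]' lines."""
    routes = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "route":
            continue
        net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        metric = int(t[5]) if len(t) > 5 else 1    # assumption: metric 1 when omitted
        routes.append(Route(t[1], net, t[4], metric))
    return routes


def lookup(routes, dst):
    """Most specific route wins; among equal prefix lengths the lowest metric.
    Returns None when not even a default route covers the destination."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def is_default(route):
    """A default route is just a static route whose destination is 0.0.0.0/0."""
    return route.network.prefixlen == 0


# Constructed table: a default route, a summary for 10/8, a more specific
# 10.10/16 with two gateways of different metric, and a DMZ network.
SAMPLE_ROUTES = """
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.254 1
route inside 10.10.0.0 255.255.0.0 10.0.0.253 1
route inside 10.10.0.0 255.255.0.0 10.0.0.254 5
route dmz 172.16.0.0 255.255.255.0 172.16.0.2
"""
```

lookup(parse_routes(SAMPLE_ROUTES), "10.10.5.1") picks the /16 via 10.0.0.253 (longer prefix than the /8, lower metric than the other /16), while an address such as 203.0.113.9 falls through to the default route on outside.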
PIX and ASA Failover Architectural Overview
o Active/Standby failover lets you use a standby security appliance to take over the functionality of a failed unit.
o The failover configuration requires two identical ASA appliances connected to each other through a dedicated failover link.
o The ASA unit that passes the traffic is known as the "Active" unit and the other one is known as the "Standby" unit.
o When the active unit fails, it changes to the standby state while the standby unit changes to the active state.
o Initially, when failover is configured, one of the ASAs is configured as the "Primary" unit with the IP addresses to be used by the active unit. The other one is configured as the "Secondary" unit with the standby IP addresses.
Failover Architectural Overview (Cont.)
The security appliance supports two types of failover, regular (stateless) and stateful.
Regular/Stateless Failover
When a failover occurs, all active connections are dropped. Clients need to
reestablish connections when the new active unit takes over.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection
state information to the standby unit. After a failover occurs, the same connection
information is available at the new active unit. Supported end-user applications are
not required to reconnect to keep the same communication session.
Failover Architectural Overview (Cont.)
During initial startup, by default the Primary PIX/ASA becomes the Active unit
as shown below.
Failover Architectural Overview (Cont.)
When the Primary unit fails, the Secondary unit takes over the IP addresses and MAC addresses of the failed (Primary) unit and becomes active. The failed unit now becomes the standby.
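An added Python model of the Active/Standby behaviour described in these slides (not Cisco code): the primary becomes active at startup, the standby takes over the failed unit's IP and MAC addresses, and a connection survives the switchover only when stateful failover has replicated it to the standby. The unit names, addresses, MAC addresses and the connection tuple are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    role: str                 # "primary" or "secondary", fixed by 'failover lan unit'
    state: str = "standby"    # "active" or "standby"
    ip: str = ""              # address currently presented on the data interface
    mac: str = ""
    conns: set = field(default_factory=set)   # this unit's connection table


class FailoverPair:
    # constructed addresses: the active IP/MAC always follow the active unit
    ACTIVE_IP, ACTIVE_MAC = "192.168.0.2", "00:00:5e:00:53:01"
    STANDBY_IP, STANDBY_MAC = "192.168.0.3", "00:00:5e:00:53:02"

    def __init__(self, stateful):
        self.stateful = stateful
        self.primary = Unit("Chicago", "primary")
        self.secondary = Unit("Chicago-2", "secondary")
        self.units = [self.primary, self.secondary]
        # initial startup: the primary becomes the active unit by default
        self._assign(self.primary, "active")
        self._assign(self.secondary, "standby")

    def _assign(self, unit, state):
        unit.state = state
        if state == "active":
            unit.ip, unit.mac = self.ACTIVE_IP, self.ACTIVE_MAC
        else:
            unit.ip, unit.mac = self.STANDBY_IP, self.STANDBY_MAC

    def active(self):
        return next(u for u in self.units if u.state == "active")

    def standby(self):
        return next(u for u in self.units if u.state == "standby")

    def add_connection(self, conn):
        """New sessions are built on the active unit; with stateful failover the
        per-connection state is also passed to the standby unit."""
        self.active().conns.add(conn)
        if self.stateful:
            self.standby().conns.add(conn)

    def fail_active(self):
        """The active unit fails: the standby takes over its IP and MAC addresses
        and becomes active; the failed unit comes back as the standby."""
        failed, new_active = self.active(), self.standby()
        failed.conns.clear()                   # its own table does not survive the failure
        self._assign(new_active, "active")
        self._assign(failed, "standby")
        if self.stateful:                      # new active re-synchronises the new standby
            failed.conns.update(new_active.conns)
        return new_active.name

    def connection_survives(self, conn):
        """True when clients keep their session after the switchover."""
        return conn in self.active().conns
```

With stateful=False the connection built before fail_active() is gone on the new active unit and the client must reconnect; with stateful=True the same tuple is present on the new active unit, and the new standby holds a copy again.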
Configuring Active/Standby Failover
Step 1: Select the failover link
The first step is to identify an interface for LAN-based failover and assign an IP address to it. This interface will be used to send failover control messages. The following is a sample configuration.
Step 2: Assign failover IP addresses
Assign the standby IP address for each firewall interface configured to be used, as shown below.
Step 3: Set failover key (optional)
To secure the failover control messages sent between the two failover units of Cisco
ASA, an administrator can optionally specify a shared secret key. The shared secret
key encrypts and authenticates the failover messages sent between the two ASA
units. The following example shows how to configure a failover shared secret key of
cisco123.
Step 4: Designating the Primary Cisco PIX/ASA
Step 5: Enable Stateful Failover (Optional)
Alternatively, the same failover link (configured in Step 1) or a data interface can be used as the Stateful Failover link. Then you only need to mention that interface name in place of a new name, as shown below:
Chicago(config)# failover link FO int
b. Assign an active and standby IP address to the Stateful Failover link.
Chicago(config)# failover interface ip statefullink 10.10.10.5 255.255.255.252 standby 10.10.10.6
(Note: If the same failover link or data interface is being used, skip steps b and c. We have already defined the active and standby IP addresses for the interface.)
c. Enable the assigned interface as shown below.
Step 6: Enable Failover Globally
The last step in configuring failover on the primary Cisco ASA is to enable failover globally and save the system configuration to Flash memory as shown below.
Chicago(config)# failover
Step 7: Configure Failover on Secondary PIX/ASA
The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.
a. Specify the interface to be used as the failover interface and configure its IP address. Enter this command exactly as it was entered on the primary unit when you configured the failover interface there.
Configure Failover on Secondary PIX/ASA (Cont.)
c. Enable failover:
hostname(config)# failover
What is a VPN?
VPN Types
Remote-Access
This is a user-to-LAN connection used by a company that has employees who need to
connect to the private network from various remote locations. Typically, a corporation that
wishes to set up a large remote-access VPN provides some form of Internet dial-up
account to their users using an Internet service provider (ISP). The telecommuters can then
dial a number to reach the Internet and use their VPN client software to access the
corporate network. Remote-access VPNs permit secure, encrypted connections between a
company's private network and remote users through a third-party service provider.
Site-to-Site
Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased lines. Site-to-site VPNs can be further categorized into intranets or extranets. A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.
VPN Features
Data Confidentiality
This is the most important service provided by any VPN implementation. Since the private data travels over a public network, data confidentiality is vital and can be attained by encrypting the data. This is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. VPN encryption protocols are:
PPTP/MPPE
PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
VPN Features (Contd.)
L2TP/IPsec
Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP). It is primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client.
Data Integrity
While it is important that the data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
VPN Features (Contd.)
Anti Replay
This is the ability to detect and reject replayed packets and helps prevent spoofing.
VPN Features (Contd.)
Carrier protocol
The protocol used by the network over which the information is travelling. The original packet (passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol's header (usually IP) for transmission over the public network. For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP).
AAA
Authentication, authorization, and accounting is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication, however, a valid username and password also have to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication against numerous other databases such as Windows NT, Novell, LDAP, and so on.
VPN
IPSec Dynamic – VPN Client/Easy VPN
Dynamic IPSec VPN
Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
PAT is not used.
Supports split tunneling.
Easy VPN – Client/PAT mode
[Figure: two Easy VPN tunnels. Client networks 10.0.0.0/24 (behind 192.168.1.1 and 172.16.10.5) connect over VPN tunnels to 10.0.1.2 and 172.16.10.4; 172.16.20.6 is also shown. In Client/PAT mode the client network 10.0.0.0/24 is translated with PAT.]
Configuring Easy VPN Server with xauth (extended authentication)
The following general tasks are used to configure Easy VPN Server on a firewall appliance:
[Figure used throughout this section: a remote client (172.26.26.1) on the Internet connecting to the outside interface (192.168.1.5) of the server firewall; the inside network holds a server at 10.0.0.15 and, in the later slides, a TACACS+ server. ISAKMP policy: pre-share, DES, SHA, Group 2. Address pool "vpnpool": 10.0.11.1-10.0.11.254.]
firewall(config)# ip local pool {pool-name low-ip-address [high-ip-address]}
Creates an optional local address pool if the remote client is using the remote server as an external DHCP server.
[Figure: the VPN group is configured with a pre-shared key and pushes the DNS server, WINS server, DNS domain, address pool and idle time to the client.]
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
firewall(config-general)# address-pool [interface name] address_pool1 [...address_pool6]
firewall(config)# group-policy group_name [internal | external | attributes]
firewall(config-group-policy)# dns-server value dns_ip_prim [dns_ip_sec]
firewall(config-group-policy)# wins-server value wins_ip_prim [wins_ip_sec]
firewall(config-group-policy)# default-domain value {domain-name | none}
firewall(config-group-policy)# vpn-idle-timeout {minutes | none}
[Figure: transform set DES, SHA-HMAC.]
firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
firewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1
firewall(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
firewall(config)# crypto map map-name interface interface-name
firewall(config)# aaa-server server_tag protocol auth_protocol
firewall(config-aaa-server)# aaa-server server_tag [(if_name)] host server_ip [key] timeout seconds
XAUTH
firewall(config-general)# authentication-server-group [interface name] server group [LOCAL | NONE]
[Figure: traffic between the VPN client pool 10.0.11.0 and the inside network 10.0.0.0. Encrypted — no translation; clear text — translation.]
[Figure: DPD exchange between the peers. 1) DPD send: Are you there? 2) DPD reply: Yes, I am here.]
firewall(config-ipsec)# isakmp keepalive [threshold seconds] [retry seconds] [disable]
Configure the IKE DPD parameters.
DPD/Keepalive: a keepalive message sent towards the peer device to make sure that the VPN peer is still alive. When there is no response after the configured retries, the appliance clears the VPN tunnel on its local side.
isakmp keepalive [threshold seconds] [retry seconds] [disable]
Phase 1 (IKE) lifetime: during phase 1 negotiation the IKE lifetime is agreed, and the Security Association (SA) parameters agreed are retained for the duration of the lifetime. Before the SA expires, IKE negotiation starts to set up a new SA. Default: 86400 seconds (24 hours).
crypto isakmp policy [priority] [lifetime seconds]
Phase 2 (IPSec) lifetime: similar to the phase 1 lifetime, except that the phase 2 lifetime can be measured in seconds ("timed" lifetime) or kilobytes ("traffic-volume" lifetime). If both lifetimes are specified, the phase 2 SAs expire and are renegotiated on whichever lifetime expires first. Default: 28800 seconds (8 hours).
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
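An added Python model (not Cisco code) of the two mechanisms described above: SA lifetimes, where a phase 2 SA expires on whichever of the timed and traffic-volume lifetimes is reached first and the defaults 86400 s and 28800 s are the ones stated in the text, and dead peer detection driven by the threshold and retry parameters of isakmp keepalive. The number of unanswered probes before the tunnel is cleared (3) and all timings are assumptions of the model, not values from the page.

```python
class SecurityAssociation:
    """Lifetime tracking for one SA. Phase 1 has a timed lifetime only; phase 2
    may carry a timed and/or a kilobyte lifetime and expires on the first one hit."""

    def __init__(self, phase, created_at, lifetime_seconds=None, lifetime_kilobytes=None):
        if phase == 1:
            lifetime_seconds = lifetime_seconds or 86400      # page default: 24 hours
            lifetime_kilobytes = None                         # phase 1 has no volume lifetime
        elif lifetime_seconds is None and lifetime_kilobytes is None:
            lifetime_seconds = 28800                          # page default: 8 hours
        self.phase = phase
        self.created_at = created_at
        self.lifetime_seconds = lifetime_seconds
        self.lifetime_kilobytes = lifetime_kilobytes
        self.kilobytes_protected = 0

    def protect(self, kilobytes):
        """Account traffic protected under this SA (drives the volume lifetime)."""
        self.kilobytes_protected += kilobytes

    def expiry_reason(self, now):
        """'time', 'volume' or None; whichever lifetime is reached first triggers
        the renegotiation of a fresh SA."""
        if self.lifetime_seconds is not None and now - self.created_at >= self.lifetime_seconds:
            return "time"
        if self.lifetime_kilobytes is not None and self.kilobytes_protected >= self.lifetime_kilobytes:
            return "volume"
        return None


class DeadPeerDetection:
    """isakmp keepalive [threshold seconds] [retry seconds]: after 'threshold' idle
    seconds send a DPD probe; while it stays unanswered resend every 'retry'
    seconds; after MAX_RETRIES probes without a reply the tunnel is cleared.
    MAX_RETRIES is an assumption of this model."""
    MAX_RETRIES = 3

    def __init__(self, threshold=10, retry=2):
        self.threshold, self.retry = threshold, retry
        self.last_heard = 0.0          # time of the last packet seen from the peer
        self.probe_sent_at = None      # time of the outstanding probe, if any
        self.unanswered = 0
        self.tunnel_up = True

    def peer_traffic(self, now):
        """Any packet from the peer, a DPD reply included, proves it is alive."""
        self.last_heard = now
        self.probe_sent_at = None
        self.unanswered = 0

    def tick(self, now):
        """Advance the clock and return the action taken at 'now'."""
        if not self.tunnel_up:
            return "down"
        if self.probe_sent_at is None:
            if now - self.last_heard >= self.threshold:
                self.probe_sent_at, self.unanswered = now, 1
                return "probe"                 # "Are you there?"
            return "idle"
        if now - self.probe_sent_at >= self.retry:
            if self.unanswered >= self.MAX_RETRIES:
                self.tunnel_up = False
                return "cleared"               # peer declared dead, SAs torn down locally
            self.probe_sent_at = now
            self.unanswered += 1
            return "retry"
        return "waiting"
```

A phase 2 SA created with lifetime_seconds=3600 and lifetime_kilobytes=4096 reports "volume" as soon as 4096 KB have been protected, even though the hour is not up; with threshold=10 and retry=2 the DPD object sends its first probe after ten silent seconds, retries twice, and clears the tunnel on the next tick with no reply.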
VPN Filter
[Figure: a remote client on the Internet reaching the outside interface 192.168.1.5; the VPN client pool 10.0.11.0 and the inside network 10.0.0.0, which holds a WWW server at 10.0.0.20.]
VPN Filter ACL direction
Only allowing web access (tcp/80) from the VPN Client pool to the internal web server.
[Figure: Site 1 (HUB) with Security Appliance 1: inside 10.0.1.11, e0 outside 192.168.1.2. Site 2 (STATIC) with Security Appliance 6: e0 outside 192.168.6.2, inside 10.0.6.11. The two sites are connected across the Internet.]
Static IPSec Site-to-Site tunnel (Contd)
Traffic type to be encrypted: IP (Site 1), IP (Site 2).
Static IPSec Site-to-Site tunnel (Contd)
Site 1 (HUB):
interface ethernet0
nameif outside
ip address 192.168.1.2 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 102 permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0

Site 2 (Remote) - static:
interface ethernet0
nameif outside
ip address 192.168.6.2 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set fw6 esp-3des esp-md5-hmac
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer 192.168.1.2
crypto map FW1MAP 10 set transform-set fw6
crypto map FW1MAP interface outside
Thank You.