Configure IPSec-router to the PIX Firewall

Source: Internet
Author: User

This document describes the IPSec configuration between a branch router and the Cisco PIX Firewall at headquarters. Traffic between headquarters and the branch office uses private IP addresses and is carried over the IPSec tunnel. When LAN users at the branch office access the Internet, address translation is required, so the tunnel traffic has to be exempted from NAT on both sides.

Network Topology

[Figure: network topology diagram]

PIX Firewall Configuration

! --- Define the traffic to be encrypted (interesting traffic):
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! --- Traffic to the branch LAN that must not be translated:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
ip address outside 172.17.63.213 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 172.17.63.210
! --- Exempt the tunnel traffic from NAT; translate everything else:
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 172.17.63.209 1
! --- IPSec policy:
sysopt connection permit-ipsec
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map forsberg 21 ipsec-isakmp
crypto map forsberg 21 match address ipsec
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside

! --- IKE policy:
isakmp enable outside
isakmp key final2000 address 172.17.63.230 netmask 255.255.255.255
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
: end


Branch Router

hostname Branch_Router
! --- IKE policy:
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key final2000 address 172.17.63.213
! --- IPSec policy:
crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
 set peer 172.17.63.213
 set transform-set sharks
 match address 120
!
interface Ethernet0
 ip address 172.17.63.230 255.255.255.240
 ip nat outside
 crypto map nolan
!
interface Ethernet1
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
ip route 0.0.0.0 0.0.0.0 172.17.63.225
! --- Traffic to be encrypted:
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
! --- Exclude the tunnel traffic from NAT; translate everything else going to the Internet:
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
end
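As an added consistency check (example code written for this page, not from the original), the script below parses the PIX-style (subnet mask) and IOS-style (wildcard mask) ACL lines from both configurations and verifies what the tunnel depends on: NAT exemption on each side covers exactly the crypto ACL's flows, and the two crypto ACLs are mirror images of each other. The ACL lines are embedded as constructed sample input, and the function names are my own.

```python
# Added example, not part of the original page. On the PIX, "nat (inside) 0
# access-list nonat" exempts the permitted flows from NAT; on the router, the
# "deny" entries of ACL 130 (used by route-map nonat) do the same job.
import ipaddress

def parse_spec(tokens, i, wildcard):
    """Parse one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = tokens[i + 1]
    if wildcard:  # IOS wildcard (0.0.0.255) -> invert each octet to a netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def parse_acl(lines, wildcard=False):
    """Return (action, src, dst) for each 'access-list NAME ACTION ip ...' line."""
    entries = []
    for line in lines:
        t = line.lower().split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = parse_spec(t, 4, wildcard)
        dst, _ = parse_spec(t, i, wildcard)
        entries.append((t[2], src, dst))
    return entries

def flows(entries, action):
    """Set of (src, dst) network strings carrying the given action."""
    return {(str(s), str(d)) for a, s, d in entries if a == action}

def check_tunnel_acls(pix_ipsec, pix_nonat, rtr_crypto, rtr_nat):
    """Evaluate the three invariants the configuration above relies on."""
    pix_crypto = flows(parse_acl(pix_ipsec), "permit")
    pix_exempt = flows(parse_acl(pix_nonat), "permit")        # nat (inside) 0
    rtr_crypto_f = flows(parse_acl(rtr_crypto, True), "permit")
    rtr_exempt = flows(parse_acl(rtr_nat, True), "deny")      # deny = not NATed
    return {
        "pix_nat_exempt_matches_crypto": pix_crypto == pix_exempt,
        "router_nat_exempt_matches_crypto": rtr_crypto_f == rtr_exempt,
        "crypto_acls_mirror_each_other":
            pix_crypto == {(d, s) for s, d in rtr_crypto_f},
    }

# Constructed sample input: the ACL lines from the two configurations above.
PIX_IPSEC = ["access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"]
PIX_NONAT = ["access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"]
RTR_120 = ["access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]
RTR_130 = ["access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
           "access-list 130 permit ip 10.2.2.0 0.0.0.255 any"]
```

Dropping the deny line from ACL 130 makes the router check fail, which is exactly the misconfiguration where branch traffic to headquarters is PATed to 172.17.63.230 before it can match the crypto map and never enters the tunnel.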

