l2l tunnel using pdm

Upload: vcopola

Post on 05-Apr-2018


  • 7/31/2019 l2l Tunnel Using Pdm


    LAN-to-LAN VPN Tunnel Between Two PIXes using PDM Configuration Example

    Document ID: 67929

    Introduction

    Prerequisites

    Requirements

    Components Used

    Network Diagram

    Conventions

    Background Information

    Configuration Procedure

    Verify

    Troubleshoot

    NetPro Discussion Forums Featured Conversations

    Related Information

    Introduction

    This document describes the procedure to configure VPN tunnels between two PIX Firewalls using Cisco PIX
    Device Manager (PDM). PDM is a browser-based configuration tool designed to help you set up, configure,
    and monitor your PIX Firewall with a GUI. The PIX Firewalls are placed at two different sites.

    A tunnel is formed using IPsec. IPsec is a combination of open standards that provide data confidentiality,

    data integrity, and data origin authentication between IPsec peers.

    Prerequisites

    Requirements

    There are no requirements for this document.

    Components Used

    The information in this document is based on Cisco Secure PIX 515E Firewalls running PIX Software Release
    6.x with PDM version 3.0.

    Refer to Configuring a Simple PIX-to-PIX VPN Tunnel Using IPsec for a configuration example on the
    configuration of a VPN tunnel between two PIX devices using the Command Line Interface (CLI).

    The information in this document was created from the devices in a specific lab environment. All of the

    devices used in this document started with a cleared (default) configuration. If your network is live, make sure

    that you understand the potential impact of any command.

    Network Diagram

    This document uses this network setup:


    Conventions

    Refer to the Cisco Technical Tips Conventions for more information on document conventions.

    Background Information

    IPsec negotiation can be broken down into five steps, and includes two Internet Key Exchange (IKE) phases.

    1. An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it matches the
       crypto access list that selects the traffic to be protected between the IPsec peers (in PDM this is the
       IPsec rule created in the Configuration Procedure).

    2. In IKE Phase 1, the IPsec peers negotiate the IKE Security Association (SA) policy. Once the peers are
       authenticated, a secure tunnel is created using Internet Security Association and Key Management
       Protocol (ISAKMP).

    3. In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA
       transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.

    4. The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec
       parameters configured in the IPsec transform sets.

    5. The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

    Note: IPsec negotiation between the two PIXes fails if the SA parameters of either IKE phase do not match
    on the peers: for Phase 1 the ISAKMP policy (authentication method, encryption, hash, and Diffie-Hellman
    group) and the pre-shared key, and for Phase 2 the transform set and a crypto access list that mirrors the
    one on the other PIX.

    Configuration Procedure

    Apart from the other general configuration on the CLI of the PIX needed to reach it through the Ethernet 0
    interface, use the commands http server enable and http <ip_address> <mask> [<if_name>], where <ip_address>
    and <mask> are the IP address and the mask of the workstation on which PDM is installed (restrict this to
    the management workstation, not a whole subnet, because anyone who can reach PDM can change the tunnel
    configuration). The configuration in this document is for PIX01. PIX02 can be configured using the same
    steps with different addresses.

    Complete these steps:

    1. Open your browser and type https://<PIX_inside_IP_address> to access the PIX in PDM.

    2. Click Configuration and go to the VPN tab.

    3. Click Transform Sets under IPSec to create a Transform set.

    4. Click Add, select all the appropriate options, and click OK to create a new Transform set. The
       transform set (ESP encryption and authentication algorithms) must be available on PIX02 as well.

    5. Click Pre-Shared Keys under IKE to configure pre-shared keys.

    6. Click Add to add a new pre-shared key.

       This window shows the key, which is the password for the tunnel association. This has to match on
       both sides of the tunnel. The key is what authenticates the peer in IKE Phase 1, so use a long, random
       value: a guessable key lets anyone who can reach the outside interface negotiate a tunnel as that peer.

    7. Click Policies under IKE to configure policies.

    8. Click Add and fill in the appropriate fields. The authentication method, encryption, hash, and
       Diffie-Hellman group entered here must match a policy on PIX02 (see the Note under Background
       Information).

    9. Click OK to add a new policy.

    10. Select the outside interface, click Enable, and from the Identity pull-down menu select address.

    11. Click IPSec Rules under IPSec to create IPsec rules.

    12. Fill in the appropriate fields. The source and destination networks define the interesting traffic;
        the rule on PIX02 must be the mirror image (source and destination swapped).

    13. Click New in the Tunnel Policy. A Tunnel Policy window appears. Fill in the appropriate fields.

    14. Click OK to see the configured IPsec rule.

    15. Click VPN System Options and check Bypass access check for all IPSec traffic. This is the PDM
        equivalent of sysopt connection permit-ipsec: decrypted traffic arriving through the tunnel skips the
        access lists applied to the outside interface, so the IPsec rule alone decides what the remote site may
        reach. Leave it unchecked if you want to filter tunnel traffic with interface access lists.
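The CLI configuration that the PDM steps above produce, together with a check for the mismatch failure mode noted under Background Information, as an added example that is not part of the Cisco document. The PIX 6.x commands are the standard ones for a LAN-to-LAN tunnel; the addresses (PIX01 outside 192.168.1.1 and inside 10.1.1.0/24, PIX02 outside 192.168.2.1 and inside 10.2.2.0/24), the names MYSET and MYMAP and the key cisco123 are assumed, because this copy of the document has lost its network diagram. The Python script embeds both configurations as constructed text, parses the negotiable parameters, and reports why the two peers would fail to negotiate; PIX02 is given a deliberate Phase 1 mismatch (MD5 instead of SHA) so that the report has something to say.

```python
"""Added example, not from the Cisco document: the PIX 6.x CLI equivalent of the
PDM steps for both peers, plus a checker for the failure mode the document notes
(negotiation fails when the ISAKMP policy or the transform set does not match on
the two peers).  Addresses, object names and the key are assumed values."""
import re

# Assumed topology: PIX01 outside 192.168.1.1, inside 10.1.1.0/24;
#                   PIX02 outside 192.168.2.1, inside 10.2.2.0/24.
PIX01 = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 101
crypto map MYMAP 10 set peer 192.168.2.1
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface outside
isakmp enable outside
isakmp key cisco123 address 192.168.2.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# PIX02 mirrors PIX01 with the networks and the peer swapped, plus one deliberate
# mistake: MD5 was picked in the PDM Policies dialog on this side only.
PIX02 = (PIX01.replace("10.1.1.0 255.255.255.0 10.2.2.0", "10.2.2.0 255.255.255.0 10.1.1.0")
              .replace("192.168.2.1", "192.168.1.1")
              .replace("hash sha", "hash md5"))

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse(config):
    """Extract the negotiable parameters: ISAKMP policies keyed by priority,
    transform sets keyed by name, pre-shared keys keyed by peer address."""
    policies, transforms, keys = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            policies.setdefault(int(m[1]), {})[m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            transforms[m[1]] = frozenset(m[2].split())   # order on the line is irrelevant
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]
    return {"policies": policies, "transforms": transforms, "keys": keys}


def phase1_proposals(parsed):
    """The (auth, enc, hash, group) tuples a peer will offer or accept in Phase 1.
    Lifetime is left out: it need not be equal, the peers settle on the shorter."""
    return {tuple(p.get(k) for k in PHASE1_ATTRS) for p in parsed["policies"].values()}


def mismatches(cfg_a, cfg_b, addr_a, addr_b):
    """Reasons the tunnel between A (outside addr_a) and B (outside addr_b) cannot
    come up; an empty list means both IKE phases have a proposal in common."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if not phase1_proposals(a) & phase1_proposals(b):
        problems.append("IKE Phase 1: no ISAKMP policy in common: %s vs %s"
                        % (sorted(phase1_proposals(a)), sorted(phase1_proposals(b))))
    if not set(a["transforms"].values()) & set(b["transforms"].values()):
        problems.append("IKE Phase 2: no transform set in common")
    if a["keys"].get(addr_b) is None or a["keys"].get(addr_b) != b["keys"].get(addr_a):
        problems.append("pre-shared key for the peer is missing or differs")
    return problems


if __name__ == "__main__":
    for line in mismatches(PIX01, PIX02, "192.168.1.1", "192.168.2.1") or ["no mismatch found"]:
        print(line)
```

Run as-is, the script reports the Phase 1 mismatch; change hash md5 back to hash sha in PIX02 and it reports nothing. 3DES, SHA and group 2 are the strongest choices the PDM dialogs of this era offer on every 6.x release; PIX 6.3 also accepts esp-aes in transform sets and encryption aes in ISAKMP policies, which is preferable where both peers run it, and DES, MD5 and group 1 should not be selected on either side.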

    Verify

    If there is interesting traffic to the peer, the tunnel is established between PIX01 and PIX02.

    The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to
    view an analysis of show command output.

    View the VPN Status under Home in the PDM (highlighted in red) in order to verify the formation of the

    tunnel.


    You can also verify the formation of tunnels using CLI under Tools in the PDM. Issue the show crypto
    isakmp sa command to check the formation of tunnels (a state of QM_IDLE for the peer means IKE Phase 1
    has completed) and issue the show crypto ipsec sa command to observe the number of packets encapsulated,
    encrypted, decapsulated, decrypted, and so forth.

    Note: The inside interface of the remote PIX cannot be pinged across the tunnel (for example, to generate
    interesting traffic that brings the tunnel up) unless the management-access command is configured in
    global configuration mode.

    PIX02(config)#management-access inside

    PIX02(config)#show management-access

    management-access inside
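Reading the two show commands named above, as an added example that is not part of the Cisco document. The sample output is constructed here in the layout PIX 6.x prints, with the peer addresses 192.168.1.1 and 192.168.2.1 assumed, so the checks run offline; the same functions can be fed the real text pasted from Tools > CLI in PDM. The counters case it shows is the one practitioners most often hit after following the steps: Phase 1 is up and packets are encrypted, but none are decrypted, which usually means the IPsec rule or NAT exemption on the other PIX does not mirror the local one.

```python
"""Added example, not from the Cisco document: interpret 'show crypto isakmp sa'
and 'show crypto ipsec sa' output from a PIX 6.x.  The sample text below is
constructed for this example; the addresses are assumed."""
import re

# Constructed 'show crypto isakmp sa': one Phase 1 SA in the steady state.
ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   192.168.2.1     192.168.1.1    QM_IDLE         0           1
"""

# Constructed 'show crypto ipsec sa' excerpt: traffic leaves but nothing comes back.
IPSEC_SA = """\
interface: outside
    Crypto map tag: MYMAP, local addr. 192.168.1.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 192.168.2.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""


def phase1_state(show_isakmp, peer):
    """Return the ISAKMP SA state for `peer` ('QM_IDLE' means Phase 1 complete,
    'MM_*' means main mode still in progress), or None if no SA exists for it."""
    for line in show_isakmp.splitlines():
        fields = line.split()
        # The SA rows are: dst src state pending created; the header row has no address.
        if len(fields) >= 3 and peer in fields[:2] and re.fullmatch(r"[A-Z]+_[A-Z0-9_]+", fields[2]):
            return fields[2]
    return None


def phase2_counters(show_ipsec):
    """Sum the encaps/decaps packet counters and the error counters over every
    SA in the output; one-way counts are the classic sign of a mirror-image error."""
    counts = {}
    for key, pat in (("encaps", r"#pkts encaps: (\d+)"), ("decaps", r"#pkts decaps: (\d+)"),
                     ("send_errors", r"#send errors (\d+)"), ("recv_errors", r"#recv errors (\d+)")):
        counts[key] = sum(int(n) for n in re.findall(pat, show_ipsec))
    return counts


def diagnose(show_isakmp, show_ipsec, peer):
    """One-line verdict on the tunnel to `peer` from the two show outputs."""
    state = phase1_state(show_isakmp, peer)
    if state is None:
        return "no ISAKMP SA: Phase 1 never started (no interesting traffic, or peer unreachable on UDP/500)"
    if state != "QM_IDLE":
        return "Phase 1 stuck in %s: check the pre-shared key and the ISAKMP policy on both sides" % state
    c = phase2_counters(show_ipsec)
    if c["encaps"] and not c["decaps"]:
        return ("Phase 1 up, traffic encrypted but none decrypted: check that the remote IPsec rule "
                "(crypto ACL), NAT exemption and routing mirror the local ones")
    if c["encaps"] and c["decaps"]:
        return "tunnel passing traffic both ways (%d out, %d in)" % (c["encaps"], c["decaps"])
    return "Phase 1 up, no IPsec traffic yet: send interesting traffic through the tunnel"


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, IPSEC_SA, "192.168.2.1"))
```

Re-run show crypto ipsec sa a few seconds apart and compare the counters: both encaps and decaps increasing is the only state that confirms the tunnel is carrying traffic in both directions.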

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    NetPro Discussion Forums Featured Conversations

    Networking Professionals Connection is a forum for networking professionals to share questions, suggestions,

    and information about networking solutions, products, and technologies. The featured links are some of the

    most recent conversations available in this technology.

    NetPro Discussion Forums Featured Conversations for VPN

    Service Providers: VPN Service Architectures


    Service Providers: Network Management

    Virtual Private Networks: General

    Related Information

    Redundant Tunnel Creation between Firewalls using PDM

    Cisco Secure PIX Firewall Command References

    Requests for Comments (RFCs)

    Cisco PIX Firewall Software

    Security Product Field Notices (including PIX)

    Technical Support & Documentation Cisco Systems

    All contents are Copyright 2006-2007 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

    Updated: Jul 11, 2007 Document ID: 67929
