Walk-through Part 1: Configuring Cisco PIX v6.3.1

In this walk-through, you will configure ISA Server 2004, configure Cisco PIX 501, and then reconcile the IPSec policies in ISA Server and PIX.

Walk-through Part 1: Configuring ISA Server 2004

After the ISA Server installation is complete, perform the following steps on the ISA Server computer to set up the IPSec tunnel mode configuration:

  1. Create a remote site network that defines the IP subnet behind the PIX system and IPSec settings for the IPSec tunnel mode configuration.
  2. Create a network rule that defines how the traffic is passed to the PIX network (either using NAT or routing the traffic).
  3. Create a firewall policy access rule that defines which traffic is allowed to pass to the PIX network.

Procedure 1: Create a Remote Site Network

A remote site network defines the network behind the PIX system, and also defines the IPSec settings for the tunnel mode configuration. The New Site-to-Site Network Wizard creates a policy of IPSec settings that are not visible in the IPSec Policy Management console. The Main Mode and Quick Mode settings are dynamically inserted into the IPSec driver by the wizard. To create a remote site network, perform the following steps.

  1. To start the wizard, select the Virtual Private Networks (VPN) node in the ISA Server console, and then select the Remote Sites tab. On the Tasks tab, click Add Remote Site Network.
  2. In this example, a network definition that will specify the range of IP addresses that are accessible behind the PIX system through the IPSec tunnel mode configuration will be created. Enter the name PIXNet, and then click Next.
  3. Select IP Security protocol (IPSec) tunnel mode, and then click Next.
  4. Enter the tunnel mode endpoint addresses. The PIX system is the remote VPN gateway and ISA Server is the local VPN gateway. Then, click Next.
  5. Select the type of authentication you want to perform for Main Mode negotiations. For this example, select Use pre-shared key for authentication and enter 123456789 for initial testing. Then, click Next.
  6. Click Add to add the range of IP addresses that will be accessible through the tunnel mode configuration (the subnet that is behind the PIX system).
  7. If you want traffic destined for the PIX system’s external interface included, specify its address. In the following example, the subnet 172.25.3.0 is defined as behind the PIX system. Click Next.
  8. Click Finish to complete the wizard. After the wizard is finished, click Apply to make the configuration change active.

After the changes are applied, you can view the IPSec settings from ISA Server or by using a command-line utility. There are two methods to view the settings from ISA Server. To use the first method to view the IPSec settings, perform the following steps.

  1. On the Remote Sites tab, select the remote site network object you just created.
  2. On the Tasks tab, click View Remote Site IPSec Policy. The following dialog box appears.

Or, to use another method to view the IPSec settings, perform the following steps.

  1. On the Tasks tab, click Configure Remote Site.
  2. Select the Connection tab, and then click IPSec Settings. Phase I settings are displayed.
  3. Click the Phase II tab.

You can also use the command-line utility NETSH to view these Main Mode and Quick Mode policies and filters:

  • Main Mode Policy "c:\>netsh ipsec dynamic show mmpolicy all"
    IKE MM Policy Name         : ISA Server PIXNet MM Policy
    IKE Soft SA Lifetime       : 28800 secs

    Encryption     Integrity     DH    Lifetime (Kb:secs)    QM Limit Per MM
    -------------------------------------------------------------------------
    3DES           SHA1          2     0:1728000             0
  • Main Mode Filters "c:\>netsh ipsec dynamic show mmfilter all"
    Main Mode Filters: Generic
    -------------------------------------------------------------------------
    Filter name                : IPSec{4ECE7FAD-F0A7-45FB-BAF7-4E193EB814F6}
    Connection Type            : ALL
    Source Address             : <My IP Address>   (255.255.255.255)
    Destination Address        : 192.168.55.100    (255.255.255.255)
    Authentication Methods     : Preshared key
    Security Methods           : 1  3DES/SHA1/DH2/1728000/QMlimit=0
    -------------------------------------------------------------------------
    Filter name                : IPSec{163EABB5-9F2B-44ED-B80E-4D7C462E4846}
    Connection Type            : ALL
    Source Address             : <My IP Address>   (255.255.255.255)
    Destination Address        : 192.168.55.1      (255.255.255.255)
    Authentication Methods     : Preshared key
    Security Methods           : 1  3DES/SHA1/DH2/1728000/QMlimit=0

    2 Generic Filter(s)
  • Quick Mode Policy "c:\>netsh ipsec dynamic show qmpolicy all"
    QM Negotiation Policy Name : ISA Server PIXNet QM Policy

    Security Methods           Lifetime (Kb:secs)    PFS DH Group
    -------------------------------------------------------------------------
    ESP[3DES,SHA1]             0:3600                Medium (2)
  • Quick Mode Filters "c:\>netsh ipsec dynamic show qmfilter all"
    Quick Mode Filters(Tunnel): Generic
    -------------------------------------------------------------------------
    Filter name                : IPSec{F886828B-A23B-4659-9F29-0B6129A3C9F8}
    Connection Type            : ALL
    Source Address             : 172.25.10.0       (255.255.255.0)
    Destination Address        : 172.25.3.0        (255.255.255.0)
    Tunnel Source              : <Any IP Address>
    Tunnel Destination         : 192.168.55.1
    Protocol                   : ANY     Src Port: 0      Dest Port: 0
    Mirrored                   : no
    Quick Mode Policy          : ISA Server PIXNet QM Policy
    Inbound Action             : Negotiate
    Outbound Action            : Negotiate
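Because the PIX side must propose exactly the same Phase 1 and Phase 2 parameters that the wizard wrote into the IPSec driver, it helps to pull those values out of the netsh output mechanically rather than reading them off the screen. The following script is an added example, not part of the original walk-through: it parses the mmpolicy and qmpolicy rows shown above and lists every field that differs from a dictionary of PIX-side values (the PIX dictionaries are hypothetical placeholders you fill in from your own isakmp policy and transform set).

```python
import re

# Constructed sample input: the netsh rows shown in the walk-through above,
# trimmed to the lines the parser needs.
MM_POLICY = """\
IKE MM Policy Name         : ISA Server PIXNet MM Policy
IKE Soft SA Lifetime       : 28800 secs

Encryption     Integrity     DH    Lifetime (Kb:secs)    QM Limit Per MM
3DES           SHA1          2     0:1728000             0
"""
QM_POLICY = """\
QM Negotiation Policy Name : ISA Server PIXNet QM Policy

Security Methods           Lifetime (Kb:secs)    PFS DH Group
ESP[3DES,SHA1]             0:3600                Medium (2)
"""

# One security-method row per policy; the header rows contain no "Kb:secs"
# digits, so they do not match.
MM_ROW = re.compile(r"^(\w+)\s+(\w+)\s+(\d+)\s+(\d+):(\d+)\s+(\d+)\s*$", re.M)
QM_ROW = re.compile(r"^ESP\[(\w+),(\w+)\]\s+(\d+):(\d+)\s+\w+ \((\d+)\)\s*$", re.M)
SOFT_SA = re.compile(r"IKE Soft SA Lifetime\s*:\s*(\d+) secs")

def parse_mm(text):
    """Return the Main Mode (IKE Phase 1) proposal from 'show mmpolicy' text."""
    row, soft = MM_ROW.search(text), SOFT_SA.search(text)
    if not row or not soft:
        raise ValueError("Main Mode policy row or soft SA lifetime not found")
    return {"enc": row[1], "hash": row[2], "dh": int(row[3]),
            "life_sec": int(soft[1])}

def parse_qm(text):
    """Return the Quick Mode (IPSec Phase 2) proposal from 'show qmpolicy' text."""
    row = QM_ROW.search(text)
    if not row:
        raise ValueError("Quick Mode security method row not found")
    return {"enc": row[1], "hash": row[2], "life_kb": int(row[3]),
            "life_sec": int(row[4]), "pfs": int(row[5])}

def reconcile(isa, pix):
    """List each field in the PIX dict whose value differs from the ISA policy."""
    return [f"{k}: ISA={isa.get(k)} PIX={pix[k]}" for k in pix if isa.get(k) != pix[k]]

if __name__ == "__main__":
    # Hypothetical PIX values; replace with those from your isakmp policy and
    # transform set. Only keys present here are compared.
    pix_phase1 = {"enc": "3DES", "hash": "SHA1", "dh": 2, "life_sec": 28800}
    pix_phase2 = {"enc": "3DES", "hash": "SHA1", "life_sec": 3600, "pfs": 2}
    for name, isa, pix in (("Phase 1", parse_mm(MM_POLICY), pix_phase1),
                           ("Phase 2", parse_qm(QM_POLICY), pix_phase2)):
        print(name, reconcile(isa, pix) or "matches ISA Server policy")
```

A non-empty list from reconcile() is exactly the set of fields that will make the PIX reject or fail to negotiate the tunnel, so the Quick Mode PFS group is worth checking first, since it is the setting most often left off the PIX side.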

You have now created a remote site network, and viewed the changes to the IPSec settings. Now that the remote site network has been defined, the next step is to define a relationship between the ISA Server Internal network and the PIX remote network. In the next section, you will define whether you want the traffic to use NAT or be routed to the remote network.

Procedure 2: Create a Network Rule

To create a network rule, perform the following steps.

  1. In the ISA Server console, select Configuration, select Networks, select the Network Rules tab, and then on the Tasks tab, click Create a New Network Rule.
  2. For this scenario, enter the name ISANet to PIXNet, and then click Next.
  3. On the Network Traffic Sources page, click Add.
  4. Expand the Networks node.
  5. Select the Internal network, click Add, and then click Close.
  6. On the Network Traffic Sources page, click Next.
  7. On the Network Traffic Destinations page, click Add.
  8. Expand the Networks node.
  9. Select the PIXNet network, click Add, and then click Close.
  10. On the Network Traffic Destinations page, click Next.

Note

   In this example, traffic is routed between the two networks. This is because the IP subnets are different. If your scenario has two IP subnets that overlap (both local and remote subnets are 192.168.0.x), you should consider either using NAT for the traffic or redefining one of the IP subnets so that there is no overlap.

  11. On the summary page, review the rule details and then click Finish.
  12. After the wizard is complete, click Apply to make the configuration changes effective.

You have now created a network rule. The next step is to create an access rule.

Procedure 3: Create an Access Rule

Now that you have defined the remote site and the network rule, you need to define which traffic will pass through the IPSec tunnel mode configuration. You control this through the firewall policy by creating an access rule specifying the traffic you want to allow. To create an access rule, perform the following steps.

  1. In the ISA Server console, select Firewall Policy, right-click, select New, and then click Access Rule.
  2. Provide a name that accurately describes the source and destination networks and the traffic allowed. For this scenario, enter the name Allow ISANet to PIXNet – All Protocols, and then click Next.
  3. On the Rule Action page, select Allow, and then click Next.
  4. On the Protocols page, in This rule applies to, select All outbound protocols, and then click Next.
  5. Click Add.
  6. Expand the Networks node.
  7. Select the Internal network. You could optionally include Local Host if you want to allow ISA Server to send traffic to the remote network. Click Add, click Close, and then click Next.
  8. On the Access Rule Sources page, click Next.
  9. On the Access Rule Destinations page, click Add.
  10. Expand the Networks node.
  11. Select the PIXNet network. Click Add, and then click Close.
  12. Click Next.
  13. Select which users to allow, and then click Next.
  14. Review the settings in the summary screen, and then click Finish to complete the wizard.
  15. After the wizard is complete, click Apply to make the configuration changes effective.

Note

   You must complete the same procedure to allow traffic from the PIXNet subnet to the ISANet subnet, because access rules are "one-way."

You have now created a remote site network, a network rule, and an access rule. Now that ISA Server is configured, you will configure the PIX device.