Cisco PIX VPN GUI Config
This recipe demonstrates how to create a site-to-site IPSec VPN between two Cisco PIX boxes using the GUI config. It is written for people with a good working knowledge of computers and networking, but without experience on Cisco PIX hardware.
To successfully follow these instructions, the following prerequisites must be met:
- You must be running PIX firewall version 6.2(2) or better
- You must be running PIX device manager V2.0(2) or better
- A computer running a recent WWW browser (e.g. IE V5.5) with a Java virtual machine
Before commencing the config, collect this information:
- The public IP address, subnet mask, default gateway and DNS servers assigned by the ISP for both sites.
- The private IP address range for each site. Note that the IP address ranges used at the two sites CANNOT be the same or overlap. If you need help selecting IP address ranges, try the technique described here. This recipe assumes the existence of two sites called "Auckland" and "Wellington".
- A password to assign to the GUI config, which will be required to access it in the future.
- A password to be used by the two PIX boxes, which is required to bring the VPN up (called a pre-shared key).
Gotcha #1: To make an IPSec VPN run through a PAT connection you must be using PIX OS V6.3 or better. These instructions do not describe how to do this scenario (hint: you must port forward UDP port 500, UDP port 4500 and IP protocol 50). PIX OS V6.2 and below CANNOT create IPSec VPNs that run through a PAT connection. This means that you cannot put a PIX box behind a JetStream router and run an IPSec VPN through it. In New Zealand, this generally means you can only use PIX boxes to create site-to-site VPNs when the PIX box is located on a public Ethernet segment (e.g. a data centre), at the end of a wireless link, or on a layer 2 cable connection.
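Before starting the GUI config it is worth checking the prerequisites above (PIX OS and PDM versions, non-overlapping private ranges, and the PIX OS 6.3 requirement from Gotcha #1 when a site sits behind PAT) against the information you collected. The following script is an added example, not part of the original recipe or any Cisco tool; the helper names and the sample site data are constructed for illustration.

```python
import re
from ipaddress import ip_network
from typing import List, Tuple

# Thresholds taken from the recipe above.
MIN_PIX_OS = (6, 2, 2)        # PIX firewall 6.2(2) or better
MIN_PDM = (2, 0, 2)           # PIX Device Manager 2.0(2) or better
MIN_PIX_OS_NAT_T = (6, 3, 0)  # gotcha #1: VPN through PAT needs PIX OS 6.3 or better
# Traffic an upstream PAT device must forward to the PIX (gotcha #1): IKE, NAT-T, ESP.
PAT_FORWARDS = (("udp", 500), ("udp", 4500), ("ip-protocol", 50))

def parse_pix_version(text: str) -> Tuple[int, int, int]:
    """Turn a PIX-style version string such as '6.3(1)' into (6, 3, 1).

    The interim number in parentheses is optional and defaults to 0, so
    '6.3' compares below '6.3(1)' but above '6.2(2)'.  Hypothetical helper.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\((\d+)\))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised PIX version string: {text!r}")
    major, minor, interim = m.groups()
    return (int(major), int(minor), int(interim or 0))

def check_pix(pix_os: str, pdm: str, behind_pat: bool = False) -> List[str]:
    """Return the recipe prerequisites this PIX fails (empty list = OK)."""
    problems = []
    if parse_pix_version(pix_os) < MIN_PIX_OS:
        problems.append(f"PIX OS {pix_os} is below the required 6.2(2)")
    if parse_pix_version(pdm) < MIN_PDM:
        problems.append(f"PDM {pdm} is below the required 2.0(2)")
    if behind_pat and parse_pix_version(pix_os) < MIN_PIX_OS_NAT_T:
        problems.append(f"PIX OS {pix_os} cannot run IPSec through PAT; 6.3 or better is needed")
    return problems

def check_lan_ranges(site_a_lan: str, site_b_lan: str) -> List[str]:
    """The private ranges at the two sites must not overlap (recipe note)."""
    a = ip_network(site_a_lan, strict=False)
    b = ip_network(site_b_lan, strict=False)
    if a.overlaps(b):
        return [f"private ranges {a} and {b} overlap; renumber one site"]
    return []

if __name__ == "__main__":
    # Constructed sample data for the two sites named in the recipe.
    for site, os_ver, pdm_ver, pat in (("Auckland", "6.3(1)", "2.0(2)", True),
                                       ("Wellington", "6.2(2)", "2.1(1)", True)):
        for p in check_pix(os_ver, pdm_ver, pat):
            print(f"{site}: {p}")
    for p in check_lan_ranges("192.168.10.0/24", "192.168.20.0/24"):
        print(p)
```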
The steps to configure the VPN are:
You have now completed configuring one end of the VPN. Now repeat the whole process again for the other end. Once you have done this, each site should be able to ping computers at the other site.