In this chapter I'll discuss how to configure IPsec LAN-to-LAN (L2L) sessions on the PIX and ASA security appliances. The first part of the chapter focuses on the components you'll need to configure the management connection, much of which applies to remote access sessions, and the second part will focus on configuring the components of the data connections. At the end of the chapter I'll illustrate an example of an L2L session between PIXs/ASAs.
In April 2005, Cisco introduced a new version of the Finesse Operating System (FOS) for the PIX security appliances, called 7.0. Currently this is supported only on the 515/515E PIXs and higher. Likewise, in May 2005, Cisco introduced the new Adaptive Security Appliance (ASA) devices, which support PIX, VPN concentrator, router, and IDS features all in one box. Fortunately, much of the code and many of the commands found in the 7.0 PIX security appliances are the same as those found in the ASA devices. However, the 501 and 506/506E PIXs support only the FOS 6.3 software. Because the 7.0 software is new, and the 6.x software is still in wide use, I'll point out differences in the configurations of both operating systems throughout the chapter where appropriate.
Note
In version 7.0, the PIX/ASA supports VPNs only in single mode, commonly called routed mode. VPNs are not supported when your PIX/ASA is configured for multiple security contexts (multi-mode) or in an Active/Active stateful failover configuration. In FOS 6.3 and earlier, the stateful failover feature of the PIXs did not provide stateful failover for VPN sessions; in FOS 7.0, this enhancement has been added. The configuration of failover and stateful failover on the PIX/ASA, however, is beyond the scope of this book. Topics such as tunnel groups, which were added in FOS 7.0, I'll address in Chapter 22, "PIX and ASA Remote Access Connections," where they fit more naturally.
Part I: VPNs
Overview of VPNs
VPN Technologies
IPsec
PPTP and L2TP
SSL VPNs
Part II: Concentrators
Concentrator Product Information
Concentrator Remote Access Connections with IPsec
Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
Concentrator Site-to-Site Connections
Concentrator Management
Verifying and Troubleshooting Concentrator Connections
Part III: Clients
Cisco VPN Software Client
Windows Software Client
3002 Hardware Client
Part IV: IOS Routers
Router Product Information
Router ISAKMP/IKE Phase 1 Connectivity
Router Site-to-Site Connections
Router Remote Access Connections
Troubleshooting Router Connections
Part V: PIX Firewalls
PIX and ASA Product Information
PIX and ASA Site-to-Site Connections
PIX and ASA Remote Access Connections
Troubleshooting PIX and ASA Connections
Part VI: Case Study
Case Study
Index