Pre-Shared Key Examples


Overview

In the following example, the intranets use unregistered addresses and are connected over the public Internet by a site-to-site tunnel.

With unregistered IP addresses, NAT is not required for traffic between the two intranets, but it is required for connections to the public Internet.

If you do not need VPN tunneling, use this example without the access-list or the nat 0 access-list commands.

If you have a limited number of registered IP addresses and you cannot use PAT, configure the firewall to use NAT for connections to the public Internet, but avoid NAT for traffic between the two intranets. This configuration might also be useful if you were replacing a direct, leased-line connection between two intranets.


Configuring firewall 1 for VPN Tunneling

  1. Define a host name:
    hostname hostname

  2. Configure an ISAKMP policy:
    isakmp enable outside
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des

  3. Configure the pre-shared key and associate it with the peer:
    isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255

  4. Configure the supported IPSec transforms:
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

  5. Create an access list:
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0

    This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.

    This and the next step are not required if you want to enable NAT for all traffic.

  6. Exclude traffic between the intranets from NAT:
    nat 0 access-list 90

    This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.

  7. Enable NAT for all other traffic:
    nat (inside) 1 0 0

  8. Assign a pool of global addresses for NAT and PAT:
    global (outside) 1 209.165.202.129-209.165.202.159
    global (outside) 1 209.165.202.160

    The pool of registered addresses is only used for connections to the public Internet.

  9. Define a crypto map:
    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose 20 set peer 209.165.200.229

  10. Apply the crypto map to the outside interface:
    crypto map toSanJose interface outside

  11. Specify that IPSec traffic be implicitly trusted (permitted):
    sysopt connection permit-ipsec

    Example 5-1: firewall 1 VPN Tunnel Configuration

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    interface ethernet0 auto
    interface ethernet1 auto
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname hostname
    domain-name example.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol sqlnet 1521
    names
    pager lines 24
    no logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside 209.165.201.8 255.255.255.224
    ip address inside 192.168.12.1 255.255.255.0
    no failover
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    arp timeout 14400
    nat 0 access-list 90
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
    nat (inside) 1 0 0
    global (outside) 1 209.165.202.129-209.165.202.159
    global (outside) 1 209.165.202.160
    no rip outside passive
    no rip outside default
    rip inside passive
    no rip inside default
    route outside 0.0.0.0 0.0.0.0 209.165.201.7 1
    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toSanJose 20 ipsec-isakmp
    crypto map toSanJose 20 match address 90
    crypto map toSanJose 20 set peer 209.165.200.229
    crypto map toSanJose 20 set transform-set strong
    crypto map toSanJose interface outside
    isakmp enable outside
    isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    sysopt connection permit-ipsec
    telnet timeout 5
    terminal width 80
    

    In this example, the following statements are not used when enabling NAT for all traffic:

    nat 0 access-list 90
    access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
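The NAT decision order in steps 6 to 8 (the nat 0 exemption is evaluated first, then the dynamic pool of global ID 1, then PAT on the single address once the pool is empty) as a small Python model. This is an added example, not firewall code and not part of the original page: the addresses come from Example 5-1, the destination addresses 198.51.100.x are constructed documentation addresses standing in for "the public Internet", and the allocation details (lowest free pool address first, PAT ports starting at 1024) are assumptions of the model rather than documented PIX behaviour.

```python
import ipaddress
from itertools import count

# Constructed from the firewall 1 statements in Example 5-1:
#   access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
#   nat 0 access-list 90
#   nat (inside) 1 0 0
#   global (outside) 1 209.165.202.129-209.165.202.159
#   global (outside) 1 209.165.202.160
NAT0_ACL = [("192.168.12.0/255.255.255.0", "10.0.0.0/255.0.0.0")]
POOL_START, POOL_END = "209.165.202.129", "209.165.202.159"
PAT_ADDRESS = "209.165.202.160"


def acl_matches(acl, src, dst):
    """True if the (src, dst) pair is permitted by an ACL of (src_net, dst_net) entries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


class OutsideNat:
    """Model of the decision order on the outside interface: nat 0 exemption
    first, then the dynamic pool of global ID 1, then PAT once the pool is empty.
    Lowest-free-address-first allocation and PAT ports starting at 1024 are
    assumptions of this model, not documented PIX behaviour."""

    def __init__(self):
        first = int(ipaddress.ip_address(POOL_START))
        last = int(ipaddress.ip_address(POOL_END))
        self._free = [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]
        self.xlate = {}            # inside host -> global address (the xlate table)
        self._pat_port = count(1024)

    def pool_free(self):
        """Number of global pool addresses still unallocated."""
        return len(self._free)

    def translate(self, src, dst):
        """Return (kind, source address, source port) as the packet leaves outside."""
        # nat 0 is always evaluated before any other nat statement: traffic that
        # matches access-list 90 keeps its unregistered source and enters the tunnel.
        if acl_matches(NAT0_ACL, src, dst):
            return ("exempt", src, None)
        # nat (inside) 1 0 0 matches every inside source. Reuse an existing
        # translation, otherwise take a free address from the global pool.
        if src in self.xlate:
            return ("nat", self.xlate[src], None)
        if self._free:
            self.xlate[src] = self._free.pop(0)
            return ("nat", self.xlate[src], None)
        # Pool exhausted: fall back to PAT on the single registered address.
        return ("pat", PAT_ADDRESS, next(self._pat_port))


if __name__ == "__main__":
    nat = OutsideNat()
    print(nat.translate("192.168.12.10", "10.1.2.3"))       # exempt, goes into the tunnel
    print(nat.translate("192.168.12.10", "198.51.100.7"))   # takes the first pool address
```

Removing the nat 0 statement from the model (emptying NAT0_ACL) shows why the exemption matters: intranet-to-intranet packets would then be translated to a registered address and would no longer match the crypto ACL, so they would never enter the tunnel.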


Configuring firewall 2 for VPN Tunneling

Follow these steps to configure firewall 2:

  1. Define a host name:
    hostname SanJose

  2. Define the domain name:
    domain-name example.com

  3. Create a net static:
    static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

  4. Configure the ISAKMP policy:
    isakmp enable outside
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des

  5. Configure a pre-shared key and associate it with the peer:
    isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255

  6. Configure the supported IPSec transforms:
    crypto ipsec transform-set strong esp-3des esp-sha-hmac

  7. Create an access list:
    access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0

    This access list defines traffic from network 10.0.0.0 to 192.168.12.0. Both of these networks use unregistered addresses.

    This and the next step are not required if you want to enable NAT for all traffic.

  8. Exclude traffic between the intranets from NAT:
    nat 0 access-list 80

    This excludes traffic matching access list 80 from NAT. The nat 0 command is always processed before any other nat commands.

  9. Enable NAT for all other traffic:
    nat (inside) 1 0 0

  10. Assign a pool of global addresses for NAT and PAT:
    global (outside) 1 209.165.202.160-209.165.202.189
    global (outside) 1 209.165.202.190

    The pool of registered addresses is only used for connections to the public Internet.

  11. Define a crypto map:
    crypto map newyork 10 ipsec-isakmp
    crypto map newyork 10 match address 80
    crypto map newyork 10 set transform-set strong
    crypto map newyork 10 set peer 209.165.201.8

  12. Apply the crypto map to an interface:
    crypto map newyork interface outside

  13. Specify that IPSec traffic be implicitly trusted (permitted):
    sysopt connection permit-ipsec

    Example 5-2: firewall 2 VPN Tunnel Configuration

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2  dmz security50
    nameif ethernet3  perimeter security40
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname SanJose
    domain-name example.com
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol smtp 25
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol sqlnet 1521
    names
    pager lines 24
    no logging on
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto
    mtu outside 1500
    mtu inside 1500
    mtu  dmz 1500
    mtu  perimeter 1500
    ip address outside 209.165.200.229 255.255.255.224
    ip address inside 10.0.0.1 255.0.0.0
    ip address  dmz 192.168.101.1 255.255.255.0
    ip address  perimeter 192.168.102.1 255.255.255.0
    no failover
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address  dmz 0.0.0.0
    failover ip address  perimeter 0.0.0.0
    arp timeout 14400
    nat 0 access-list 80
    access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
    nat (inside) 1 0 0
    global (outside) 1 209.165.202.160-209.165.202.189
    global (outside) 1 209.165.202.190
    no rip outside passive
    no rip outside default
    no rip inside passive
    no rip inside default
    no rip  dmz passive
    no rip  dmz default
    no rip  perimeter passive
    no rip  perimeter default
    route outside 0.0.0.0 0.0.0.0 209.165.200.228 1
    timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
    timeout rpc 0:10:00 h323 0:05:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map newyork 10 ipsec-isakmp
    crypto map newyork 10 match address 80
    crypto map newyork 10 set peer 209.165.201.8
    crypto map newyork 10 set transform-set strong
    crypto map newyork interface outside
    isakmp enable outside
    isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    sysopt connection permit-ipsec
    telnet timeout 5
    terminal width 80
    

    In this example, the following statements are not used when enabling NAT for all traffic:

    nat 0 access-list 80
    access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
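A site-to-site tunnel only comes up when the two firewalls are configured as mirror images of each other, and a mismatch in any one of the statements above (key, peer address, ISAKMP policy, transform set, crypto ACL, or the nat 0 exemption) is the usual reason it does not. The following Python check parses the tunnel-relevant lines of both configurations and reports every disagreement between the peers. This is an added example, not code from the page or from Cisco: the two configuration excerpts are constructed from Example 5-1 and Example 5-2 above, and the parser recognizes only the statement forms used on this page.

```python
import re

# Constructed excerpts of Example 5-1 (firewall 1) and Example 5-2 (firewall 2),
# trimmed to the statements that decide whether the tunnel can come up.
FW1 = """
ip address outside 209.165.201.8 255.255.255.224
nat 0 access-list 90
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set peer 209.165.200.229
crypto map toSanJose 20 set transform-set strong
isakmp key cisco1234 address 209.165.200.229 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
"""
FW2 = """
ip address outside 209.165.200.229 255.255.255.224
nat 0 access-list 80
access-list 80 permit ip 10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set peer 209.165.201.8
crypto map newyork 10 set transform-set strong
isakmp key cisco1234 address 209.165.201.8 netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
"""


def parse(cfg):
    """Pull the tunnel-relevant statements out of a PIX configuration.
    Only the statement forms used on this page are recognized."""
    c = {"outside": None, "acls": {}, "tsets": {}, "maps": {},
         "policies": {}, "keys": {}, "nat0": set()}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip address outside (\S+) \S+$", line):
            c["outside"] = m.group(1)
        elif m := re.match(r"nat 0 access-list (\S+)$", line):
            c["nat0"].add(m.group(1))
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            src, dst = (m.group(2), m.group(3)), (m.group(4), m.group(5))
            c["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            c["tsets"][m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$", line):
            c["maps"].setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            c["keys"][m.group(2)] = m.group(1)
        elif m := re.match(r"isakmp policy (\d+) (authentication|encryption) (\S+)$", line):
            c["policies"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return c


def check_pair(cfg_a, cfg_b):
    """Return the list of disagreements between two peers; empty means they mirror."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, side, other in (("A", a, b), ("B", b, a)):
        peer = other["outside"]
        # Phase 1: a pre-shared key must be bound to the peer's address, and both
        # sides must hold the same string.
        if peer not in side["keys"]:
            problems.append(f"{name}: no isakmp key for peer {peer}")
        elif side["keys"][peer] != other["keys"].get(side["outside"]):
            problems.append(f"{name}: pre-shared key differs from peer's")
        # Phase 1: at least one (authentication, encryption) pair must be shared.
        mine = {(p.get("authentication"), p.get("encryption")) for p in side["policies"].values()}
        theirs = {(p.get("authentication"), p.get("encryption")) for p in other["policies"].values()}
        if not mine & theirs:
            problems.append(f"{name}: no ISAKMP policy in common with peer")
        # Phase 2: each crypto map entry must point at the peer, use a transform
        # set the peer also defines, match the mirror image of the peer's crypto
        # ACL, and have that ACL exempted from NAT by nat 0.
        for (mapname, seq), entry in side["maps"].items():
            tag = f"{name}: crypto map {mapname} {seq}"
            if entry.get("set peer") != peer:
                problems.append(f"{tag} peers with {entry.get('set peer')}, expected {peer}")
            if side["tsets"].get(entry.get("set transform-set")) not in other["tsets"].values():
                problems.append(f"{tag} transform set not defined on peer")
            acl = entry.get("match address")
            if acl not in side["nat0"]:
                problems.append(f"{tag} traffic is not exempted from NAT (nat 0)")
            mirrored = sorted((d, s) for s, d in side["acls"].get(acl, []))
            peer_acl = sorted(e for m in other["maps"].values()
                              for e in other["acls"].get(m.get("match address"), []))
            if mirrored != peer_acl:
                problems.append(f"{tag} crypto ACL is not the mirror of the peer's")
    return problems


if __name__ == "__main__":
    for p in check_pair(FW1, FW2) or ["peers are consistent"]:
        print(p)
```

Changing one side to `isakmp policy 9 encryption des` while the other keeps 3des makes check_pair report that no ISAKMP policy is common to the peers, and dropping the `nat 0 access-list` statement on either side reports that the tunnel traffic would be translated before it reaches the crypto map.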