{"id":41,"date":"2007-06-29T14:57:22","date_gmt":"2007-06-29T19:57:22","guid":{"rendered":"http:\/\/www.gamescheat.ca\/?p=41"},"modified":"2019-09-04T19:57:41","modified_gmt":"2019-09-05T00:57:41","slug":"how-to-configure-cisco-pix-506e-for-remote-access-with-aes-256-bit-encryption","status":"publish","type":"post","link":"http:\/\/www.gamescheat.ca\/?p=41","title":{"rendered":"How to configure Cisco Pix 506E for remote access with AES 256 bit encryption"},"content":{"rendered":"<p>Here is how I configured a Cisco Pix 506E for remote access. This is the running config; I changed the IP addresses and other details for security reasons.<\/p>\n<p><img loading=\"lazy\" align=\"middle\" width=\"400\" src=\"http:\/\/www.gamescheat.ca\/photos\/wii.gif\" alt=\"Cisco\" height=\"146\" style=\"width: 400px; height: 146px\" title=\"Cisco\" \/><\/p>\n<p>PIX Version 6.3(5)<br \/>\ninterface ethernet0 auto<br \/>\ninterface ethernet1 auto<br \/>\nnameif ethernet0 outside security0<br \/>\nnameif ethernet1 inside security100<\/p>\n<p>!\u2014 Define the privilege mode password<br \/>\nenable password QveUAuiX encrypted<\/p>\n<p>!\u2014 Define the telnet password<br \/>\npasswd QveUAui encrypted<\/p>\n<p>!\u2014 Define the host name<br \/>\nhostname Wii<\/p>\n<p>fixup protocol dns maximum-length 512<br \/>\nfixup protocol ftp 21<br \/>\nfixup protocol h323 h225 1720<br \/>\nfixup protocol h323 ras 1718-1719<br \/>\nfixup protocol http 80<br \/>\nfixup protocol rsh 514<br \/>\nfixup protocol rtsp 554<br \/>\nfixup protocol sip 5060<br \/>\nfixup protocol sip udp 5060<br \/>\nfixup protocol skinny 2000<br \/>\nfixup protocol smtp 25<br \/>\nfixup protocol sqlnet 1521<br \/>\nfixup protocol tftp 69<br \/>\nnames<\/p>\n<p>!\u2014 Define access list 101 to enable split tunnel<br \/>\naccess-list 101 permit ip 10.10.11.0 255.255.255.0 10.10.20.0 255.255.255.0<br \/>\naccess-list 101 permit ip host 10.10.30.1 10.10.20.0 255.255.255.0<\/p>\n
<p>!\u2014 Define access list 102 to avoid network address translation (NAT) on IPsec packets.<br \/>\naccess-list 102 permit ip 10.10.11.0 255.255.255.0 10.10.20.0 255.255.255.0<br \/>\naccess-list 102 permit ip host 10.10.30.1 10.10.20.0 255.255.255.0<\/p>\n<p>pager lines 24<br \/>\nmtu outside 1500<br \/>\nmtu inside 1500<\/p>\n<p>!\u2014 Define the public IP on ethernet0<br \/>\nip address outside 72.10.10.100 255.255.255.248<\/p>\n<p>!\u2014 Define the LAN IP on ethernet1<br \/>\nip address inside 10.10.11.2 255.255.255.0<\/p>\n<p>ip audit info action alarm<br \/>\nip audit attack action alarm<\/p>\n<p>!\u2014 Define the DHCP pool for remote clients<br \/>\nip local pool Remote-dhcp-pool 10.10.20.100-10.10.20.150<br \/>\npdm logging informational 100<br \/>\npdm history enable<br \/>\narp timeout 14400<br \/>\nglobal (outside) 1 interface<\/p>\n<p>!\u2014 Do not NAT IPsec packets<br \/>\nnat (inside) 0 access-list 102<\/p>\n<p>nat (inside) 1 0.0.0.0 0.0.0.0 0 0<\/p>\n<p>!\u2014 Configure the default route<br \/>\nroute outside 0.0.0.0 0.0.0.0 72.10.10.99 1<\/p>\n<p>!\u2014 Configure the route to the internal network<br \/>\nroute inside 10.10.30.0 255.255.255.0 10.10.11.1 1<\/p>\n<p>timeout xlate 0:05:00<br \/>\ntimeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<br \/>\ntimeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 
0:02:00<br \/>\ntimeout sip-disconnect 0:02:00 sip-invite 0:03:00<br \/>\ntimeout uauth 0:05:00 absolute<br \/>\naaa-server TACACS+ protocol tacacs+<br \/>\naaa-server TACACS+ max-failed-attempts 3<br \/>\naaa-server TACACS+ deadtime 10<br \/>\naaa-server RADIUS protocol radius<br \/>\naaa-server RADIUS max-failed-attempts 3<br \/>\naaa-server RADIUS deadtime 10<br \/>\naaa-server LOCAL protocol local<br \/>\nhttp server enable<br \/>\nhttp 0.0.0.0 0.0.0.0 inside<br \/>\nno snmp-server location<br \/>\nno snmp-server contact<br \/>\nsnmp-server community public<br \/>\nno snmp-server enable traps<br \/>\nfloodguard enable<\/p>\n<p>!\u2014 Allow packets from the IPsec tunnel to pass through without being checked against conduits and access lists<br \/>\nsysopt connection permit-ipsec<\/p>\n<p>!\u2014 Configure the transform set using the AES 256 bit encryption algorithm<br \/>\ncrypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac<\/p>\n<p>!\u2014 Configure the dynamic crypto map and add it to the static crypto map<br \/>\ncrypto dynamic-map map2 10 set transform-set trmset1<br \/>\ncrypto map map1 10 ipsec-isakmp dynamic map2<\/p>\n<p>!\u2014 Enable local authentication and prompt for user authentication<br \/>\ncrypto map map1 client authentication LOCAL<\/p>\n<p>!\u2014 Bind the crypto map to the outside interface (Ethernet 0)<br \/>\ncrypto map map1 interface outside<\/p>\n<p>isakmp enable outside<br \/>\nisakmp identity address<br \/>\n!\u2014 Define the isakmp policy to be used while negotiating the isakmp SA. Use AES 256 bit encryption. The available AES options are AES, AES 192 and AES 256. 
AES 192 is unsupported by the VPN client.<br \/>\nisakmp policy 10 authentication pre-share<br \/>\nisakmp policy 10 encryption aes-256<br \/>\nisakmp policy 10 hash sha<br \/>\nisakmp policy 10 group 2<br \/>\nisakmp policy 10 lifetime 86400<\/p>\n<p>!\u2014 Define the VPN group called nintendo and the policy attributes downloaded to the Easy VPN client (remote client).<br \/>\nvpngroup nintendo address-pool Remote-dhcp-pool<br \/>\nvpngroup nintendo dns-server 10.10.11.10<br \/>\nvpngroup nintendo default-domain wiivil.com<\/p>\n<p>!\u2014 Configure access list 101 to enable split tunnel for the remote client. Removing this line will disable split tunneling, which is recommended for higher security.<br \/>\nvpngroup nintendo split-tunnel 101<\/p>\n<p>vpngroup nintendo idle-time 1800<br \/>\nvpngroup nintendo password ********<br \/>\n!\u2014 Enable telnet on the LAN interface (Ethernet 1).<br \/>\ntelnet 0.0.0.0 0.0.0.0 inside<br \/>\ntelnet timeout 5<br \/>\nssh timeout 5<br \/>\nconsole timeout 0<br \/>\ndhcpd auto_config outside<\/p>\n<p>!\u2014 Define remote user Wii and set the password to wiivil<br \/>\nusername Wii password wiivil encrypted privilege 2<\/p>\n<p>!\u2014 Define remote user Zelda and set the password to nintendo<br \/>\nusername zelda password nintendo encrypted privilege 2<br \/>\nterminal width 80<br \/>\nCryptochecksum:b8b824d9c20b2ec0bc2170bb5d8b5e71<br \/>\n: end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here is how I configured a Cisco Pix 506E for remote access. This is the running config; I changed the IP addresses and other details for security reasons. 
PIX Version 6.3(5) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"http:\/\/www.gamescheat.ca\/?p=41\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[65],"tags":[],"_links":{"self":[{"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/posts\/41"}],"collection":[{"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41"}],"version-history":[{"count":1,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions"}],"predecessor-version":[{"id":697,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=\/wp\/v2\/posts\/41\/revisions\/697"}],"wp:attachment":[{"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.gamescheat.ca\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}