Cisco PIX 515E Security Appliance Getting Started Guide Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

CHAPTER 1 Installing and Setting Up the PIX 515E Security Appliance
  Verifying the Package Contents
  Installing the PIX 515E Security Appliance
  Front and Back Panel Components
  Setting Up the Security Appliance
  About the Factory-Default Configuration
  About the Adaptive Security Device Manager
  Using the Startup Wizard
  Before Launching the Startup Wizard
  Running the Startup Wizard
  What to Do Next
CHAPTER 2 Scenario: DMZ Configuration
  Example DMZ Netw

CHAPTER 3 Scenario: IPsec Remote-Access VPN Configuration
  Example IPsec Remote-Access VPN Network Topology
  Implementing the IPsec Remote-Access VPN Scenario
  Information to Have Available
  Starting ASDM
  Configuring the PIX 515E for an IPsec Remote-Access VPN
  Selecting VPN Client Types
  Specifying the VPN Tunnel Group Name and Authentication Method
  Specifying a User Authentication Method
  (Optional) Configuring User Accounts
  Configuring Address Pools
  Conf

  Viewing VPN Attributes and Completing the Wizard
  Configuring the Other Side of the VPN Connection
  What to Do Next
APPENDIX A Obtaining a DES License or a 3DES-AES License

PIX 515E Security Appliance Getting Started Guide 78-17645-01
CHAPTER 1 Installing and Setting Up the PIX 515E Security Appliance

This chapter describes how to install and perform the initial configuration of the security appliance.
Verifying the Package Contents

Verify the contents of the packing box, shown in Figure 1-1, to ensure that you have received all items necessary to install your PIX 515E security appliance.
Installing the PIX 515E Security Appliance

This section describes how to install your PIX 515E security appliance into your own network, which might resemble the example network in Figure 1-2.
Step 5 Power up the PIX 515E security appliance. The power switch is located at the rear of the chassis.

Front and Back Panel Components

Figure 1-3 illustrates the LEDs on the front panel of the PIX515E Security Appliance.

Figure 1-3 PIX515E Security Appliance Front Panel LEDs. Labels: POWER; ACT; NETWORK.

LED    Color  State  Description
POWER  Green  On     On when the unit has power.
Figure 1-4 PIX 515E Security Appliance Back Panel. Labels: 100 Mbps, ACT and LINK LEDs; 10/100BaseTX ETHERNET 0 and ETHERNET 1 ports (RJ-45); FAILOVER; USB; console port (RJ-45); power switch; chassis marking "DO NOT INSTALL INTERFACE CARDS WITH POWER APPLIED".

Setting Up the Securi
About the Factory-Default Configuration

Cisco security appliances are shipped with a factory-default configuration that enables quick startup. The factory-default configuration automatically configures an interface for management so you can quickly connect to the device and use ASDM to complete your configuration.
The Adaptive Security Device Manager (ASDM) is a feature-rich graphical interface that enables you to manage and monitor the security appliance. Its web-based design provides secure access so that you can connect to and manage the security appliance from any location by using a web browser.
Step 3 Gather the following information:
• A unique hostname to identify the security appliance on your network.
• The IP addresses of your outside interface, inside interface, and any other interfaces to be configured.
• The IP addresses to use for Network Address Translation (NAT) or Port Address Translation (PAT) configuration.
• The IP address range for the DHCP server.
c. In the window that requires you to choose the method you want to use to run the ASDM software, choose either to download the ASDM launcher or to run the ASDM software as a Java applet.
Step 4 In the dialog box that requires a username and password, leave both fields empty. Press Enter.
Step 5 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes. ASDM starts.
CHAPTER 2 Scenario: DMZ Configuration

This chapter describes a configuration scenario in which the security appliance is used to protect network resources located in a demilitarized zone (DMZ). A DMZ is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
Figure 2-1 Network Layout for DMZ Configuration Scenario. Labels: security appliance; inside interface 10.10.10.0 (private address); outside interface 209.165.200.225 (public address); Internet; DMZ interface 10.30.30.0 (private address); DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.
Figure 2-2 Outgoing HTTP Traffic Flow from the Private Network. Labels: HTTP clients on 10.10.10.0 (private address); HTTP request; internal IP address translated to address of outside interface; outside interface 209.165.200.225 (public address); Internet; internal IP address translated to address from IP pool; DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.
Figure 2-3 Incoming HTTP Traffic Flow From the Internet. Callouts:
1 HTTP request sent to public address of DMZ web server.
2 Incoming request destined for public address of DMZ web server intercepted.
3 Destination IP address
4 Web server receives request for content.
Labels: HTTP client; Internet; security appliance; DMZ web server, private IP address 10.30.30.30, public IP address 209.165.200.
This configuration procedure assumes that the security appliance already has interfaces configured for the inside interface, the DMZ interface, and the outside interface. Set up interfaces of the security appliance by using the Startup Wizard in ASDM. Be sure that the DMZ interface security level is set between 0 and 100. (A common choice is 50.
To accomplish this task, you should configure a PAT translation rule (port address translation rule, sometimes called an interface NAT) for the internal interface that translates internal IP addresses to the external IP address of the security appliance. In this scenario, the internal address to be translated is that of a subnet of the private network (10.10.10.0).
Creating IP Pools for Network Address Translation

The security appliance uses Network Address Translation (NAT) and Port Address Translation (PAT) to prevent internal IP addresses from being exposed externally. This procedure describes how to create a pool of IP addresses that the DMZ interface and outside interface can use for address translation.
To configure a pool of IP addresses that can be used for network address translation, perform the following steps:
Step 1 In the ASDM window, click the Configuration tool.
a. In the Features pane, click NAT. The NAT Configuration screen appears.
b. In the right pane, click the Global Pools tab.
c. Click Add to create a new global pool for the DMZ interface. The Add Global Address Pool dialog box appears.
d. From the Interfaces drop-down list, choose DMZ.
e. To create a new IP pool, enter a unique Pool ID. In this scenario, the Pool ID is 200.
f. In the IP Addresses to Add area, specify the range of IP addresses to be used by the DMZ interface:
– Click the Range radio button.
– Enter the Starting IP address and Ending IP address of the range. In this scenario, the range of IP addresses is 10.30.30.50–10.30.
g. Click Add to add this range of IP addresses to the Address Pool. The Add Global Pool dialog box configuration should be similar to the following:
h. Click OK to return to the Configuration > NAT window.
Step 2 Add addresses to the IP pool to be used by the outside interface.
You can add these addresses to the same IP pool that contains the address pool used by the DMZ interface (in this scenario, the Pool ID is 200).
e. Click the Port Address Translation (PAT) using the IP address of the interface radio button.
The displayed configuration should be similar to the following:
Step 3 Confirm that the configuration values are correct.
Step 4 Click Apply in the main ASDM window.

Configuring NAT for Inside Clients to Communicate with the DMZ Web Server

In the previous procedure, you created a pool of IP addresses that could be used by the security appliance to mask the private IP addresses of inside clients.
In this procedure, you configure a Network Address Translation (NAT) rule that associates IP addresses from this pool with the inside clients so they can communicate securely with the DMZ web server.

To configure NAT between the inside interface and the DMZ interface, perform the following steps starting from the main ASDM window:
Step 1 In the main ASDM window, click the Configuration tool.
c. Click OK to add the Dynamic NAT Rule and return to the Configuration > NAT window. Review the configuration screen to verify that the translation rule appears as you expected.
The displayed configuration should be similar to the following:
Step 6 Click Apply to complete the security appliance configuration changes.
For many configurations, you would also need to create a NAT rule between the inside interface and the outside interface to enable inside clients to communicate with the Internet. However, in this scenario you do not need to create this rule explicitly.
Step 5 In the Static Translation area, specify the public IP address to be used for the web server:
a. From the Interface drop-down list, choose Outside.
b. From the IP Address drop-down list, choose the public IP address of the DMZ web server. In this scenario, the public IP address of the DMZ web server is 209.165.200.226.
The displayed configuration should be similar to the following:
Step 7 Click Apply to complete the security appliance configuration changes.

Providing Public HTTP Access to the DMZ Web Server

By default, the security appliance denies all traffic coming in from the public network.
processes the traffic, whether the traffic is incoming or outgoing, the origin and destination of the traffic, and the type of traffic protocol and service to be permitted. In this section, you create an access rule that permits incoming HTTP traffic originating from any host or network on the Internet, if the destination of the traffic is the web server on the DMZ network.
Step 2 In the Interface and Action area:
a. From the Interface drop-down list, choose Outside.
b. From the Direction drop-down list, choose Incoming.
c. From the Action drop-down list, choose Permit.
Step 3 In the Source area:
a. From the Type drop-down list, choose IP Address.
b. Enter the IP address of the source host or source network. Use 0.0.0.
Alternatively, if the address of the source host or network is preconfigured, choose the source IP address from the IP Address drop-down list.
c. Enter the netmask for the source IP address or select one from the Netmask drop-down list.
Step 4 In the Destination area:
a. In the IP address field, enter the public IP address of the destination host or network, such as a web server.
Step 5
At this point, the entries in the Add Access Rule dialog box should be similar to the following:
d. Click OK.
Step 6 The displayed configuration should be similar to the following. Verify that the information you entered is accurate.
Step 7 Click Apply to save the configuration changes to the configuration that the security appliance is currently running.

Clients on both the private and public networks can now resolve HTTP requests for content from the DMZ web server, while keeping the private network secure.

Note Although the destination address specified is the private address of the DMZ web server (10.30.30.
Step 8 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
CHAPTER 3 Scenario: IPsec Remote-Access VPN Configuration

This chapter describes how to use the security appliance to accept remote-access IPsec VPN connections. A remote-access VPN enables you to create secure connections, or tunnels, across the Internet, thus providing secure access to off-site users. If you are implementing an Easy VPN solution, this chapter describes how to configure the Easy VPN server (sometimes called a headend device).
Figure 3-1 Network Layout for Remote Access VPN Scenario. Labels: VPN client (user 1); Internet; security appliance with Outside interface and Inside interface 10.10.10.0; internal network; DNS Server 10.10.10.163; WINS Server 10.10.10.
• Specifying the VPN Tunnel Group Name and Authentication Method
• Specifying a User Authentication Method
• (Optional) Configuring User Accounts
• Configuring Address Pools
• Configuring Client Attributes
• Configuring the IKE Policy
• Configuring IPsec Encryption and Authentication Parameters
• Specifying Add
Note Remember to add the “s” in “https” or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.

The Main ASDM window appears.
Configuring the PIX 515E for an IPsec Remote-Access VPN

To begin the process for configuring a remote-access VPN, perform the following steps:
Step 1 In the main ASDM window, choose VPN Wizard from the Wizards drop-down menu. The VPN Wizard Step 1 screen appears.
Step 2 In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Remote Access VPN radio button.
b.
Selecting VPN Client Types

In Step 2 of the VPN Wizard, perform the following steps:
Step 1 Specify the type of VPN client that will enable remote users to connect to this security appliance. For this scenario, click the Cisco VPN Client radio button. You can also use any other Cisco Easy VPN remote product.
Step 2 Click Next to continue.
Specifying the VPN Tunnel Group Name and Authentication Method

In Step 3 of the VPN Wizard, perform the following steps:
Step 1 Specify the type of authentication that you want to use by performing one of the following steps:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, “Cisco”).
Step 2 Enter a Tunnel Group Name (such as “Cisco”) for the set of users that use common connection parameters and client attributes to connect to this security appliance.
Step 3 Click Next to continue.
In Step 4 of the VPN Wizard, perform the following steps:
Step 1 If you want to authenticate users by creating a user database on the security appliance, click the Authenticate Using the Local User Database radio button.
Step 2 If you want to authenticate users with an external AAA server group:
a. Click the Authenticate Using an AAA Server Group radio button.
b.
Step 3
(Optional) Configuring User Accounts

If you have chosen to authenticate users with the local user database, you can create new user accounts here. You can also add users later using the ASDM configuration interface.

In Step 5 of the VPN Wizard, perform the following steps:
Step 1 To add a new user, enter a username and password, and then click Add.
Configuring Address Pools

For remote clients to gain access to your network, you must configure a pool of IP addresses that can be assigned to remote VPN clients as they are successfully connected. In this scenario, the pool is configured to use the range of IP addresses 209.165.201.1–209.166.201.20.
Step 3 Click Next to continue.

Configuring Client Attributes

To access your network, each remote access client needs basic network configuration information, such as which DNS and WINS servers to use and the default domain name. Rather than configuring each remote client individually, you can provide the client information to ASDM.
In Step 7 of the VPN Wizard, perform the following steps:
Step 1 Enter the network configuration information to be pushed to remote clients.
Step 2 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers.
To specify the IKE policy in Step 8 of the VPN Wizard, perform the following steps:
Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5/7) used by the security appliance during an IKE security association.
Step 2 Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters

In Step 9 of the VPN Wizard, perform the following steps:
Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).
Step 2 Click Next to continue.
Specifying Address Translation Exception and Split Tunneling

Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form. The security appliance uses Network Address Translation (NAT) to prevent internal IP addresses from being exposed externally.
Note Enable split tunneling by checking the Enable Split Tunneling check box at the bottom of the screen. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel.
Step 2 Click Next to continue.
If you are satisfied with the configuration, click Finish to apply the changes to the security appliance. If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
CHAPTER 4 Scenario: Site-to-Site VPN Configuration

This chapter describes how to use the security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security.
Figure 4-1 Network Layout for Site-to-Site VPN Configuration Scenario. Labels: Site A, Security Appliance 1, Outside 209.165.200.226, Inside 10.10.10.0; Internet; Site B, Security Appliance 2, Outside 209.165.200.236, Inside 10.20.20.0.

Creating a VPN site-to-site deployment such as the one in Figure 4-1 requires you to configure two security appliances, one on each side of the connection.
Configuring the Site-to-Site VPN

This section describes how to use the ASDM VPN Wizard to configure the security appliance for a site-to-site VPN.
Configuring the Security Appliance at the Local Site

Note The security appliance at the first site is referred to as Security Appliance 1 from this point forward.

To configure the Security Appliance 1, perform the following steps:
Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
In Step 1 of the VPN Wizard, perform the following steps:
a. Click the Site-to-Site VPN radio button.
Note The Site-to-Site VPN option connects two IPsec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.
b. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
c.
Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2 from this point forward.
Step 3 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.
Note When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.
Step 2 Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:
Step 1 Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists.
Step 2 Click Next to continue.
Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.
Step 5 Click Next to continue.

Viewing VPN Attributes and Completing the Wizard

In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the security appliance.
Step 6 If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
Configuring the Other Side of the VPN Connection

You have just configured the local security appliance. Now you need to configure the security appliance at the remote site. At the remote site, configure the second security appliance to serve as a VPN peer.
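The check that the note under Configuring the IKE Policy asks for (identical values on both appliances), combined with the mirrored peer and network settings needed on the other side of the connection, written as an added example that is not part of the Cisco guide. The PeerConfig field names, the /24 masks and the sample key are assumptions; the addresses are those of Figure 4-1. It also flags DES, MD5 and Diffie-Hellman group 1 as legacy choices.

```python
# Added example, not Cisco code. Field names and the /24 masks are assumptions;
# the addresses are the ones shown in Figure 4-1 of the guide.
import ipaddress
from dataclasses import dataclass, replace

# Options the VPN Wizard offers, as listed in the guide.
ALLOWED = {
    "ike_encryption": {"DES", "3DES", "AES"},
    "ike_authentication": {"MD5", "SHA"},
    "dh_group": {1, 2, 5, 7},
    "ipsec_encryption": {"DES", "3DES", "AES"},
    "ipsec_authentication": {"MD5", "SHA"},
}
# Legacy choices worth flagging: 56-bit DES, MD5, and 768-bit DH group 1.
LEGACY = {
    "ike_encryption": {"DES"}, "ipsec_encryption": {"DES"},
    "ike_authentication": {"MD5"}, "ipsec_authentication": {"MD5"},
    "dh_group": {1},
}


@dataclass(frozen=True)
class PeerConfig:
    name: str
    outside_ip: str       # this appliance's outside interface
    peer_ip: str          # address entered for the remote VPN peer
    local_network: str    # network protected at this site
    remote_network: str   # network protected at the other site
    preshared_key: str
    ike_encryption: str
    ike_authentication: str
    dh_group: int
    ipsec_encryption: str
    ipsec_authentication: str


def option_errors(cfg):
    """Return values that are not among the wizard's listed options."""
    return [f"{cfg.name}: {field}={getattr(cfg, field)!r} is not a wizard option"
            for field, allowed in ALLOWED.items()
            if getattr(cfg, field) not in allowed]


def compare_peers(a, b):
    """Return findings that would stop or weaken the tunnel between a and b."""
    findings = []
    # IKE and IPsec parameters must be identical on both appliances.
    for field in ALLOWED:
        if getattr(a, field) != getattr(b, field):
            findings.append(f"MISMATCH {field}: {a.name}={getattr(a, field)} "
                            f"{b.name}={getattr(b, field)}")
    # Report a key mismatch without echoing either key.
    if a.preshared_key != b.preshared_key:
        findings.append("MISMATCH preshared_key")
    for x, y in ((a, b), (b, a)):
        # Each side must name the other's outside address as its peer.
        if ipaddress.ip_address(x.peer_ip) != ipaddress.ip_address(y.outside_ip):
            findings.append(f"PEER {x.name}: peer_ip {x.peer_ip} is not "
                            f"{y.name} outside address {y.outside_ip}")
        # Protected networks must mirror: one side's local is the other's remote.
        if (ipaddress.ip_network(x.local_network)
                != ipaddress.ip_network(y.remote_network)):
            findings.append(f"NETWORK {x.name} local {x.local_network} != "
                            f"{y.name} remote {y.remote_network}")
    for cfg in (a, b):
        for field, weak in LEGACY.items():
            if getattr(cfg, field) in weak:
                findings.append(f"LEGACY {cfg.name}: {field}={getattr(cfg, field)}")
    return findings


# Constructed sample data; the key is a placeholder, not a real secret.
SA1 = PeerConfig("Security Appliance 1", "209.165.200.226", "209.165.200.236",
                 "10.10.10.0/24", "10.20.20.0/24", "constructed-sample-key",
                 "3DES", "SHA", 2, "3DES", "SHA")
SA2_GOOD = replace(SA1, name="Security Appliance 2",
                   outside_ip=SA1.peer_ip, peer_ip=SA1.outside_ip,
                   local_network=SA1.remote_network,
                   remote_network=SA1.local_network)
# Two deliberate errors: a different IKE cipher and a mistyped remote network.
SA2_BAD = replace(SA2_GOOD, ike_encryption="DES", remote_network="10.10.0.0/24")

if __name__ == "__main__":
    for finding in compare_peers(SA1, SA2_BAD):
        print(finding)
```

Run against the values written down for both appliances before entering them in the VPN Wizard; an empty result means the two sides agree.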
What to Do Next

You can configure the security appliance for more than one application. The following sections provide configuration procedures for other common applications of the security appliance.

To Do This ... See ...
APPENDIX A Obtaining a DES License or a 3DES-AES License

The Cisco PIX 515E security appliance is available with either a DES or a 3DES-AES license that provides encryption technology to enable specific features, such as secure remote management (SSH, ASDM, and so on), site-to-site VPN, and remote access VPN. The license is enabled through an encryption license key.
To use the activation key, perform the following steps:

        Command                       Purpose
Step 1  hostname# show version        Shows the software release, hardware configuration, license key, and related uptime data.
Step 2  hostname# configure terminal  Enters global configuration mode.