Copyright 2006, ASUSTek Computer, Inc.
1 Introduction
This application note details the steps for creating an IPSec VPN tunnel between an ASUS Internet Security Router and a CISCO PIX Firewall device. It is assumed that both devices have a static IP address on the WAN interface and a default route configured. All settings and screen dumps contained in this document are taken from a CISCO PIX 501 device running firmware PIX Firewall Version 6.3(4), and an ASUS MS238H-A/SL500 running firmware 1.1.72A.410.
2 Network Setup
This section describes how to set up the network for the MS238H-A/SL500 and CISCO PIX 501 network configuration illustrated in Figure 2.1.
[Figure 2.1 Network Connections: PC2 (10.64.3.11) - Internet Security Router (LAN 10.64.3.1, WAN 10.64.2.145) - cross Ethernet cable - CISCO PIX501 (WAN 10.64.2.130, LAN 192.168.30.1) - PC1 (192.168.30.2)]
2.1 Setup Description
PC1 and PC2 are hosts in the protected networks, running Windows NT/98/2000/XP or Redhat Linux. Both the MS238H-A/SL500 and the PIX Firewall protect their traffic from the external network. NAT is not required for traffic between the two intranets, which is carried through a VPN tunnel over the public Internet (in this setup example, a direct connection between the two WAN interfaces serves as the public network). However, NAT is required for connections to the public Internet.
2.2 Setup CISCO PIX Firewall
2.2.1 Setup IP address of LAN interface
pixfirewall# configure terminal
pixfirewall(config)# ip address inside 192.168.30.1 255.255.255.0
Figure 2.2 Setup LAN port IP address on the PIX firewall
2.2.2 Setup IP address of WAN interface
pixfirewall(config)# interface ethernet0 auto
pixfirewall(config)# ip address outside 10.64.2.130 255.255.255.0
Figure 2.3 Setup WAN port IP address on the PIX firewall
2.2.3 Setup Routing Table
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 10.64.2.145
Figure 2.4 Setup a default route to the PIX firewall
2.3 Setup MS238H-A/SL500 system
2.3.1 Setup IP address of LAN interface
Figure 2.5 Setup LAN port IP address on the MS238H-A/SL500
2.3.2 Setup IP address of WAN interface
Figure 2.6 Setup IP address of WAN interface on the MS238H-A/SL500
Figure 2.7 Verify WAN interface configurations on the MS238H-A/SL500
2.3.3 Setup Routing Table
Figure 2.8 Setup a default route to the MS238H-A/SL500
3 Establish VPN Tunnel using Automatic Keying
3.1 Configure VPN Policy on PIX 501
Step 1: Configure access list rule and VPN policy
pixfirewall(config)# access-list MS238H-A permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
pixfirewall(config)# nat (inside) 0 access-list MS238H-A
pixfirewall(config)# sysopt connection permit-ipsec
pixfirewall(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac
pixfirewall(config)# crypto ipsec security-association lifetime seconds 3600
pixfirewall(config)# crypto map toMS238H-A 20 ipsec-isakmp
pixfirewall(config)# crypto map toMS238H-A 20 match address MS238H-A
pixfirewall(config)# crypto map toMS238H-A 20 set peer 10.64.2.145
pixfirewall(config)# crypto map toMS238H-A 20 set transform-set set1
pixfirewall(config)# crypto map toMS238H-A interface outside
pixfirewall(config)# isakmp enable outside
pixfirewall(config)# isakmp key cwtest address 10.64.2.145 netmask 255.255.255.0
pixfirewall(config)# isakmp identity address
pixfirewall(config)# isakmp policy 20 authentication pre-share
pixfirewall(config)# isakmp policy 20 encryption 3des
pixfirewall(config)# isakmp policy 20 hash sha
pixfirewall(config)# isakmp policy 20 group 2
pixfirewall(config)# isakmp policy 20 lifetime 3600
Figure 3.1 Setup VPN policy on the PIX firewall
Step 2: Verify Configurations
pix-firewall# show config
: Saved
: Written by enable_15 at 14:22:39.654 UTC Thu May 4 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-firewall
domain-name asus.com.tw
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list MS238H-A permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.64.2.130 255.255.255.0
ip address inside 192.168.30.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.10 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list MS238H-A
route outside 0.0.0.0 0.0.0.0 10.64.2.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
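An added example, not part of the ASUS application note: a small Python check that reads the Step 1 VPN policy and reports the settings a reviewer would question today (3DES, Diffie-Hellman group 2, a short pre-shared key bound to a /24 mask instead of one peer, and sysopt connection permit-ipsec), plus two consistency checks between the crypto map, the access list and the key. The function name, the finding codes and the 20-character key threshold are assumptions made for illustration; the sample configuration is constructed from the commands above.

```python
import re

# Constructed sample: the Step 1 commands as they would appear in a saved config.
SAMPLE_CONFIG = """\
access-list MS238H-A permit ip 192.168.30.0 255.255.255.0 10.64.3.0 255.255.255.0
nat (inside) 0 access-list MS238H-A
sysopt connection permit-ipsec
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto map toMS238H-A 20 match address MS238H-A
crypto map toMS238H-A 20 set peer 10.64.2.145
isakmp key cwtest address 10.64.2.145 netmask 255.255.255.0
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

MIN_PSK_LEN = 20  # assumption: local policy threshold, not a vendor limit

def audit_pix_vpn(config):
    """Return (code, detail) findings for a PIX 6.x site-to-site VPN config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def grab(pattern):
        return [m.groups() for ln in lines if (m := re.match(pattern, ln))]
    findings = []
    acls = {name for (name,) in grab(r"access-list (\S+) ")}
    for (acl,) in grab(r"crypto map \S+ \d+ match address (\S+)"):
        if acl not in acls:
            findings.append(("acl-missing", f"crypto map references undefined ACL {acl}"))
    keys = grab(r"isakmp key (\S+) address (\S+)(?: netmask (\S+))?")
    for (peer,) in grab(r"crypto map \S+ \d+ set peer (\S+)"):
        if peer not in {addr for _, addr, _ in keys}:
            findings.append(("psk-missing", f"no isakmp key for peer {peer}"))
    for key, addr, mask in keys:
        if len(key) < MIN_PSK_LEN:  # never echo the key itself into the report
            findings.append(("psk-short", f"key for {addr} is {len(key)} characters"))
        if mask not in (None, "255.255.255.255"):
            findings.append(("psk-scope", f"key for {addr} covers every peer under {mask}"))
    for (cipher,) in grab(r"isakmp policy \d+ encryption (\S+)"):
        if cipher in ("des", "3des"):
            findings.append(("ike-cipher", f"IKE encryption {cipher}"))
    for (group,) in grab(r"isakmp policy \d+ group (\d+)"):
        if group in ("1", "2"):  # 768-bit and 1024-bit MODP groups
            findings.append(("ike-dh", f"Diffie-Hellman group {group}"))
    for name, transforms in grab(r"crypto ipsec transform-set (\S+) (.+)"):
        if {"esp-des", "esp-3des"} & set(transforms.split()):
            findings.append(("esp-cipher", f"transform-set {name} uses {transforms}"))
    if "sysopt connection permit-ipsec" in lines:
        findings.append(("acl-bypass", "tunnel traffic skips interface access lists"))
    return findings
```

Calling audit_pix_vpn(SAMPLE_CONFIG) returns one finding per questionable setting; the ASUS side must be reviewed separately, because both peers have to agree on the same proposals for the tunnel to come up.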