The other day, I wrote this article about creating IPsec tunnels from an ASA55xx to VyOS, and wanted to follow it up with another article explaining how to build the same tunnel from a Cisco PIX running 6.x firmware. The setup is very similar to the ASA55xx one, but there are a few syntax differences and a few gotchas.
First, on your PIX, you need to make sure you have the 3DES/AES encryption license, since VyOS, Vyatta, and EdgeMax do not support single DES (which is good, since it's horribly insecure). Log in to your PIX and issue "show version". If it says "VPN-3DES-AES: Enabled", then you are all set. If not, and it looks more like this:
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Thu 04-Aug-05 21:40 by morlee

EXAMPLEPIX up 4 hours 6 mins

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0013.6009.538a, irq 10
1: ethernet1: address is 0013.6009.538b, irq 11
2: ethernet2: address is 000e.0c6d.e7af, irq 11

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 8xxxxxxxx5 (0x3xxxxxxxb)
then stay with me and I will show you how to fix it. The 3DES license has been EOL/EOS for a long time, Cisco now makes it available free of charge, and there is a self-help tool to generate a new license.
First, you will need a CCO account. If you don't have one yet, you will need to set one up; I am not going to cover that here, as it's outside the scope of this article. Head over to the Cisco Licensing Portal, then, to the right of the PAK entry field, you should see a button that says "Get Other Licenses". Click that, and choose "IPS, Crypto, Other…". A popup window will appear, and in the "Product Family" box, choose "Security Products", which will populate the "Product" box. Select "Cisco PIX Security Appliance 3DES/AES License", then click Next. Choose the PIX software version (6.x or 7.x) that matches your PIX, enter the serial number from the "show version" output above, and click Next. The screen will ask you to agree to the license and where to send the activation code. Check the box, enter your email address, and click Submit. Within an hour or two, you should get an email with a new activation key for your appliance.
Once you get your new activation key, connect to your PIX, enter configuration mode, and enter “activation-key xxxxxxxxx xxxxxxxxx xxxxxxxx xxxxxxx” where the xxxx are your new key. Exit configuration mode, then “write mem” to save it. You will need to restart your firewall at this point to make the new license active. After rebooting, “show version” again and make sure VPN-3DES-AES is now Enabled.
With all that licensing nonsense out of the way, we can get to the important part. I won’t cover the VyOS/EdgeMax config, since that was in the last article.
Here is the configuration required for the PIX:
!Create a nat exclusion acl for the traffic so it is not NAT translated
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!Bind the exclusion acl to the inside interface with nat 0; without this line the acl does nothing
nat (inside) 0 access-list inside_outbound_nat0_acl
!Create an acl for the interesting traffic
access-list vpn1_interesting_traffic permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!Create a transform set for 3DES/SHA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!Create a crypto map (pfs group must match the VyOS esp-group pfs setting)
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address vpn1_interesting_traffic
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer y.y.y.y
crypto map outside_map 50 set transform-set ESP-3DES-SHA
!Apply the crypto map to the outside interface
crypto map outside_map interface outside
!Let decrypted tunnel traffic bypass the outside interface acl
sysopt connection permit-ipsec
!Define our Pre-shared-key
isakmp key !SuperSecretPSK! address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
!Tell the PIX to use the IP address as identity
isakmp identity address
!Enable ISAKMP on the outside interface
isakmp enable outside
!Create our IKE policy (must match the VyOS ike-group proposal)
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
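For reference, here is the VyOS side that mirrors the PIX parameters above (3DES/SHA1 and DH group 2 for IKE, 3DES/SHA1 with PFS group 5 for ESP, the same pre-shared key, and a NAT exclusion for the tunnel prefixes). This is an added example written against VyOS 1.1 syntax, not config from the original post or the earlier ASA article; it assumes the VyOS WAN interface is eth0, that x.x.x.x is the PIX outside address and y.y.y.y the VyOS outside address, that 172.16.1.0/24 sits behind VyOS and 192.168.1.0/24 behind the PIX, and that any existing masquerade rule has a number higher than 10 so the exclude rule is evaluated first.

```text
# Added example (not from the original post). Interface and address
# assignments are assumptions; adjust them to your environment.

# Phase 1 (IKE): matches "isakmp policy 50" on the PIX
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec ike-group IKE-PIX proposal 1 encryption 3des
set vpn ipsec ike-group IKE-PIX proposal 1 hash sha1
set vpn ipsec ike-group IKE-PIX proposal 1 dh-group 2
set vpn ipsec ike-group IKE-PIX lifetime 86400

# Phase 2 (ESP): matches transform-set ESP-3DES-SHA and "set pfs group5"
set vpn ipsec esp-group ESP-PIX proposal 1 encryption 3des
set vpn ipsec esp-group ESP-PIX proposal 1 hash sha1
set vpn ipsec esp-group ESP-PIX pfs dh-group5
set vpn ipsec esp-group ESP-PIX mode tunnel
set vpn ipsec esp-group ESP-PIX lifetime 3600

# Peer definition: x.x.x.x is the PIX outside address (assumed)
set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '!SuperSecretPSK!'
set vpn ipsec site-to-site peer x.x.x.x ike-group IKE-PIX
set vpn ipsec site-to-site peer x.x.x.x default-esp-group ESP-PIX
set vpn ipsec site-to-site peer x.x.x.x local-address y.y.y.y
# Tunnel selectors are the mirror image of vpn1_interesting_traffic
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 192.168.1.0/24

# NAT exclusion: the VyOS counterpart of "nat (inside) 0 access-list ..."
# Rule number must be lower than the masquerade rule so it wins.
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.1.0/24
set nat source rule 10 destination address 192.168.1.0/24
set nat source rule 10 exclude

commit
save
```

The two things that most often break this tunnel are a Phase 2 proposal mismatch (PFS group on the PIX crypto map versus the esp-group pfs value) and a missing NAT exclusion on one side, which shows up as packets reaching the far router's inside interface but nothing beyond it. Keep the ESP lifetime a local choice; IKEv1 peers negotiate down to the shorter of the two lifetimes, so it does not need to equal the PIX value.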
Once you have this done, you should be able to ping between your networks. Expect the first ping or two to time out while IKE and the IPsec SA are negotiated; the tunnel is only brought up when interesting traffic is seen. If you are pinging from the PIX itself, you need to specify the inside interface as your source, like "ping inside 172.16.1.1", otherwise the packet is sourced from the outside address and will not match the interesting-traffic acl.
If you are having trouble, it's easiest to tell what's going on from the VyOS side, using "monitor vpn ipsec", or by checking "show vpn ike sa" (Phase 1 up?) and "show vpn ipsec sa" (Phase 2 up, and are the byte counters moving in both directions?). Between them, they should tell you what's wrong, for the most part. If you are stuck, let me know and I will see what I can do for you.
Good Luck!
December 17th, 2014 at 4:55 am
Thanks for sharing your views. Great blog.
May 29th, 2015 at 11:50 am
It's so nice, thanks.
May 31st, 2015 at 10:22 am
It's great, thanks for your information in this blog.
May 17th, 2016 at 4:19 am
Very good article, detailed and helpful. Thanks.
January 19th, 2017 at 11:30 pm
Thanks for the config. After entering the commands it seems both my VyOS and PIX can see each other's private NIC addresses but not beyond that. Basically, I CANNOT ping anything across either network except the private NIC interface on both the VyOS and the PIX. Anything you can do to shed light on what the issue could be would be appreciated.
January 20th, 2017 at 1:17 pm
In my observation, this is usually an issue with the NAT. If you capture traffic on the egress interface, it should not be translated (private source to private destination). Perhaps you need a no-NAT rule on the Cisco (or a private-to-private translation), or an exclude on the VyOS side.
January 21st, 2017 at 2:14 am
Thank you for your quick reply.
I have NAT exclusions per your config. Not sure what you mean by a no-NAT rule; is that something you can send me an example of? Any help would be very much appreciated.
Thank you.
January 21st, 2017 at 8:17 pm
I figured out the Cisco PIX side, so now the VyOS can ping behind the PIX. However, the PIX cannot ping behind the VyOS. What am I missing?