One Bad Pixel
It's Pixelicious!

IPSec tunnel from Cisco PIX 6.x to VyOS (or Vyatta, or EdgeMax)

The other day, I wrote this articl about creating IPSec tunnels from ASA55xx to VyOS, and wanted to follow it up with another article explaining how to accomplish the same tunnel from a Cisco PIX running 6.x firmware. The setup is very similar to setting it up with an ASA55xx, but there is a few syntax differences and a few gotchas.
First, on your PIX, you need to make sure you have the 3DES encryption license, since VyOS, Vyatta, and EdgeMax do not contain DES (which is good, since it’s horribly insecure). Login to your pix, and issue “show version”. If it says “VPN-3DES-AES: Enabled”, then you are all set. If not, and it looks more like this:

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Thu 04-Aug-05 21:40 by morlee
EXAMPLEPIX up 4 hours 6 mins

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0013.6009.538a, irq 10
1: ethernet1: address is 0013.6009.538b, irq 11
2: ethernet2: address is 000e.0c6d.e7af, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Disabled
Maximum Physical Interfaces: 3
Maximum Interfaces:          5
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 8xxxxxxxx5 (0x3xxxxxxxb)

then stay with me and I will show you how to fix it up. The 3DES license has been EOL/EOS for a long time, and Cisco has now made it free of charge, and there is a self-help tool to generate a new license.
First, you will need a CCO account. If you don’t have one yet, you will need to set one up. I am not going to cover that here, as it’s outside the scope of this article. Head over to Cisco Licensing Portal, then, to the right of the PAK entry field, you should see a button that says “Get Other Licenses”. Click that, and choose “IPS, Crypto, Other…”. A popup window will show up, and in the “Product Family” box, choose “Security Products”, which will populate the “Product” box. Select “Cisco PIX Security Appliance 3DES/AES License”, then click Next. Choose the PIX Software version (6.x or 7.x) that matches your PIX, and enter the serial number from the “show version” command above, and click Next. The screen will ask you to agree to the license, and ask you where to send the activation code to. Check the box, enter your email address, and click Submit. Within an hour or two, you should get an email with a new activation code for your appliance.
Once you get your new activation key, connect to your PIX, enter configuration mode, and enter “activation-key xxxxxxxxx xxxxxxxxx xxxxxxxx xxxxxxx” where the xxxx are your new key. Exit configuration mode, then “write mem” to save it. You will need to restart your firewall at this point to make the new license active. After rebooting, “show version” again and make sure VPN-3DES-AES is now Enabled.
With all that licensing nonsense out of the way, we can get to the important part. I won’t cover the VyOS/EdgeMax config, since that was in the last article.

Here is the configuration required for the PIX:

!Create a nat exclusion acl for the traffic so it is not NAT translated
access-list inside_outbound_nat0_acl permit ip

!Create an acl for the interesting traffic
access-list vpn1_interesting_traffic permit ip

!Create a transform set for 3DES/SHA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!Create a crypto map
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address vpn1_interesting_traffic
crypto map outside_map 50 set pfs group5
crypto map outside_map 50 set peer y.y.y.y
crypto map outside_map 50 set transform-set ESP-3DES-SHA

!Define our Pre-shared-key
isakmp key !SuperSecretPSK! address y.y.y.y netmask no-xauth no-config-mode
!Tell the PIX to use the IP address as identity
isakmp identity address

!Create our IKE policy
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

Once you have this done, you should be able to ping between your networks. If you are attempting to ping from the PIX, you need to specify the inside interface as your source, like “ping inside”.
If you are having trouble, its easiest to tell whats going on from the VyOS side, using “monitor vpn ipsec”. It should tell you whats wrong, for the most part.. If you are stuck, let me know and I will see what I can do for you.

Good Luck!


8 Responses for “IPSec tunnel from Cisco PIX 6.x to VyOS (or Vyatta, or EdgeMax)”

  1. Harga gamat murah Says:

    Thanks for sharing your views. Great blog..

  2. Obat sakit ginjal Says:

    It so nice , thank ..

  3. Agen gamat luxor di sorong Says:

    it great.., thanks for your information in this blog

  4. pengobatan jantung bengkak Says:

    very good article, detail and helpfull. thanks.

  5. Neo Says:

    Thanks for the config. After entering the commands seems both my VyOS and pix can see each others private NIC addresses but not beyond that. Basically, I CANNOT ping anything across either network except the private NIC interface on both the VyOS and the PIX. Anything you can do to shed light on what the issue could be would be appreciated.

  6. Jim Says:

    In my observation, this is usually an issue with the nat. If you capture traffic on the egress interface, it should not be translated (private source to private destination). Perhaps you need a no-nat rule on the Cisco (or a private to private translation), or an exclude on the VyOS side.

  7. Neo Says:

    Thank you for your quick reply.

    I have nat exclusions per your config. Not sure what you mean by a no-nat rule, is that something you can send me an example of? Any help would be very much appreciated.

    Thank you.

  8. Neo Says:

    I figured out the Cisco PIX side, so now the VyOS can ping behind the PIX. However, the PIX cannot ping behind the VyOS. What am I missing?

Leave a comment!