Configure a PIX Security Appliance Site-to-Site VPN using Pre-shared Keys
Task 3 – Configure IPSec parameters

The tasks and commands used to configure IPSec encryption on the PIX Security Appliance are summarized in the Figure.

Step 1 – Configure interesting traffic
Crypto ACLs perform the same function on the PIX Security Appliance as on an IOS router. They define which IP traffic is interesting, that is, which traffic will be protected by IPSec, and which traffic will be sent in the clear. Avoid using the any keyword for the source or destination address: an ACL that matches any makes the appliance try to protect all traffic to the peer, including traffic the peer does not expect to arrive through the tunnel, and such traffic is dropped.
Use the show run access-list command to display the currently configured ACLs. The Figure contains an example ACL for each of the peer PIX Security Appliances. In the fw1 ACL, the source network is 10.0.1.0 and the destination network is 10.0.6.0. In the fw6 ACL, the source network is 10.0.6.0 and the destination network is 10.0.1.0. The two ACLs are mirror images of each other. Crypto ACLs on IPSec peers must be symmetrical in this way; if the networks do not mirror each other, the IPSec SA negotiation fails because the proxy identities offered by the peers do not match.
The nat 0 command instructs the PIX Security Appliance not to apply NAT to traffic that is interesting for IPSec, so the tunnel carries the real inside addresses that the crypto ACL names. In the Figure, traffic matching access-list 101, that is, traffic from 10.0.1.0/24 to 10.0.6.0/24, is exempt from NAT.
Step 2 – Configure an IPSec transform set
Transforms define the IPSec security protocols and algorithms. Each transform represents an IPSec security protocol, ESP, AH, or both, plus the algorithm to be used.
Multiple transform sets can be defined, and one or more of them can then be referenced in a crypto map entry. The transform sets referenced in a crypto map entry are offered during the IPSec SA negotiation to protect the data flows specified by the ACL of that crypto map entry.
During the IPSec SA negotiation, the peers agree on one particular transform set for protecting a particular data flow.
A transform set is a combination of up to one AH transform and up to two ESP transforms (one for encryption and one for authentication) plus the mode, either transport mode or tunnel mode. The default mode is tunnel. Be sure to configure matching transform sets on both IPSec peers; a peer that is offered no transform set it also has configured rejects the Phase 2 proposal.
NOTE:

In PIX Security Appliance versions 6.0 and higher, Layer 2 Tunneling Protocol (L2TP) is the only protocol that can use the IPSec transport mode. The PIX discards all other types of packets using IPSec transport mode.

The PIX Security Appliance supports the transforms listed in the Figure.
Choosing IPSec transform combinations can be complex. The tips shown in the Figure may help in selecting appropriate transforms.
Step 3 – Configure the crypto map
The syntax for the crypto map command is shown in the Figure. Configure the crypto map with the crypto map command by completing the substeps shown in the Figure. At minimum, a crypto map entry for a site-to-site tunnel names the crypto ACL (match address), the remote peer (set peer) and the transform set (set transform-set); a map entry that is missing any of these is incomplete and will not bring up a tunnel.
Step 4 – Apply the crypto map to an interface
Apply the crypto map to an interface with the crypto map map-name interface interface-name command. This activates the IPSec policy; until the map is applied to the interface facing the peer, none of the crypto configuration takes effect.
Use the show run crypto map command to verify the crypto map configuration. Consider the example of a crypto map for the PIX Security Appliance named fw1 in the Figure.
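The four steps above, worked through for both peers of this lab as one added example; this is not the page's own Figure. The inside networks 10.0.1.0/24 (fw1) and 10.0.6.0/24 (fw6) and the ACL number 101 come from the page. The outside peer addresses 192.168.1.2 and 192.168.6.2, the transform-set and crypto map names, the AES-256/SHA-1 transform and the ISAKMP policy values are assumptions, and the pre-shared key is a placeholder that must be replaced with the same long, random value on both appliances. The AES transforms require PIX software 6.3 or later; on earlier releases substitute esp-3des and 3des.

```cisco
! ===== fw1 (inside 10.0.1.0/24; outside 192.168.1.2 is an assumed address) =====
! Step 1: interesting traffic. Name specific networks on both ends, never "any".
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
! Exempt the same flow from NAT so the tunnel carries the real inside addresses.
nat (inside) 0 access-list 101
! Step 2: transform set = ESP encryption + ESP authentication; tunnel mode is the default.
crypto ipsec transform-set fw1-set esp-aes-256 esp-sha-hmac
! Step 3: one crypto map entry binding the ACL, the peer and the transform set.
crypto map fw1-map 10 ipsec-isakmp
crypto map fw1-map 10 match address 101
crypto map fw1-map 10 set peer 192.168.6.2
crypto map fw1-map 10 set transform-set fw1-set
! Step 4: apply the map to the interface facing the peer; this activates the policy.
crypto map fw1-map interface outside
! IKE Phase 1 (belongs to the earlier ISAKMP task; shown so the example is complete).
isakmp enable outside
isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 192.168.6.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Allow decrypted IPSec traffic to bypass the interface access lists.
sysopt connection permit-ipsec

! ===== fw6 (inside 10.0.6.0/24; outside 192.168.6.2 is an assumed address) =====
! The crypto ACL is the mirror image of fw1's: source and destination are swapped.
access-list 101 permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 101
! The transform set must match fw1's, even though its name may differ.
crypto ipsec transform-set fw6-set esp-aes-256 esp-sha-hmac
crypto map fw6-map 10 ipsec-isakmp
crypto map fw6-map 10 match address 101
crypto map fw6-map 10 set peer 192.168.1.2
crypto map fw6-map 10 set transform-set fw6-set
crypto map fw6-map interface outside
isakmp enable outside
isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 192.168.1.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! ===== verification, on either peer, after sending traffic between the inside networks =====
show crypto map
! -> lists the ACL, peer and transform set bound to map entry 10
show isakmp sa
! -> the Phase 1 SA with the peer should reach state QM_IDLE
show crypto ipsec sa
! -> Phase 2 SAs for 10.0.1.0/24 <-> 10.0.6.0/24; the encaps/decaps counters should increase
```

Three things to check when the tunnel does not come up: the two crypto ACLs must be exact mirror images (a /24 on one side and a /25 on the other is a proxy identity mismatch), the transform sets must share at least one identical ESP/AH combination, and the pre-shared key must be bound to the peer's actual outside address with a /32 netmask on both appliances.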

Lab Activity

e-Lab Activity: Configure a Crypto ACL on a PIX Security Appliance

In this activity, the student will configure a crypto ACL on the PIX Security Appliance.

Lab Activity

e-Lab Activity: Configure a Transform Set and ISAKMP Policy on a PIX Security Appliance

In this activity, the student will configure a transform set and an ISAKMP policy on the PIX Security Appliance.

Lab Activity

e-Lab Activity: Create a Crypto Map and apply it to a PIX Security Appliance Interface

In this activity, the student will create a crypto map and apply it to a PIX Security Appliance interface.

Interactive Media Activity

Demonstration Activity: Configure Interesting Traffic

In this activity, students will learn to configure crypto maps.