Walk-through Part 2: Configuring Cisco PIX 501

In this walk-through, you will access the PIX Device Manager (PDM) and then use the VPN Wizard to set up tunnel mode protection.

This walk-through consists of the following steps:

  1. Access the PIX Device Manager
  2. VPN Wizard

Procedure 1: Access the PIX Device Manager

This guide uses the PIX Device Manager (PDM) for the walk-through. If you would rather use the Cisco CLI commands, see "Cisco CLI and Windows Server 2003 NETSH Commands" later in this document.

To access the PIX Device Manager, perform the following steps.

  1. Open Internet Explorer and entering If the server does not respond to this HTTPS request, you might want to verify that the HTTP service is running on the PIX. Access the PIX through the console and enter the following command:
  2. Provide the Enable password and then you will be in Enable mode, as shown by the # symbol after the hostname of the PIX:
  3. Now type:
    pixfirewall#show config
  4. The PIX configuration will be printed to the display. Look through the output for the following lines:
    http server enable
    http inside
    The first line shows that the HTTP service is enabled, and the second entry shows what IP addresses are allowed to access the HTTP service, and on which PIX interface.
  5. If you do not see the preceding entries, consider enabling the HTTP service temporarily to aid in configuring the IPSec tunnel mode setup. To do this, enter the following commands:
    pixfirewall# configure terminal
    pixfirewall (config)# http server enable
    pixfirewall (config)# http inside
  6. After this is done, you should be able to access the PIX Device Manager from the client you specified. You might receive a certificate warning from Internet Explorer. Acknowledge the error and continue. You should see the following screen.
  7. Click Yes.

To begin the tunnel mode protection setup, perform the following steps.

  1. Click the Wizards menu, and then click VPN Wizard.
  2. The wizard will begin. Select Site to Site VPN, select outside in the box, and then click Next.
  3. In Peer IP Address, enter the ISA Server external IP address In Pre-Shared key and Reenter key, enter 123456789, and then click Next.
  4. Change Encryption to 3DES, Authentication to SHA, and in DH Group, select Group 2 (1024-bit). This is the highest common Diffie-Hellman group possible between PIX and Windows Server 2003. These entries correspond to Main Mode (Phase I) settings in ISA Server. Click Next.
       PIX is also capable of using the stronger Group 5 (1536) for the Diffie-Hellman key length. Windows Server 2003 is capable of using Group 2048 (2048) for the key length. The key length should match on both sides, so Group 2 is used on both. (The ISA Server wizard defaults to Group 2 when creating the IPSec policy). Also, the PIX is able to use the much stronger cryptographic algorithm AES-128, 192, or 256 (Advanced Encryption Standard), but Windows Server 2003 does not include support for AES with IPSec.
  5. On the Transform Set page, in Encryption, select 3DES, and in Authentication, select SHA, and then click Next.
  6. On the IPSec Traffic Selector page, select IP Address, and then in Interface, select inside. In IP address, type and in Mask, select Click the >> button to move this address range into the Selected box, and then click Next.
  7. On the IPSec Traffic Selector (Continue) page, you will specify the destination IP subnet (ISANet). In Interface, select outside, in IP address, type, and then in Mask, select Click the >> button to move this address range into the Selected box, and then click Finish.
  8. The first time you add the remote network behind ISA Server, you are prompted to define the network. Select OK.
  9. On the Create host/network page, in IP Address, type and in Mask, select In Interface, select outside and in Name (Recommended), type ISANet to aid in identifying this network. Then, click Next.
    The Static Route page is typically not needed. In this test scenario, the ISA Server computer and the PIX point to each other for their default gateway, so this is not needed. It is completed in the following screen to show what you would enter, if it was needed.
    For example, you would define this setting if your ISA Server computer and PIX were on the same subnet (during a lab) and pointed to a common default gateway. You would need to add the static route to both sides. This is because even though IPSec has an ACL that defines which traffic goes through the tunnel mode configuration, that only causes the security associations to come online. The traffic will not go through it if it does not know how to route to that destination.
    In a production environment, ISA Server and PIX would point to their respective default gateways, and each system would use that host or system to route traffic to the remote subnet.
  10. Click Finish.
  11. Now that you have completed the wizard, ISANet is listed in the Selected box. You can finish the VPN Wizard. Click Finish.