SNA/IP Solution

Securing Mainframe Host-To-Host Connectivity

Table Of Contents

Securing Mainframe Host-to-Host Connectivity Using VPNs

Introduction

Virtual Private Networks

Configuring the Network

Verifying Network Connections

Router—"show ip route"

PIX525—"sh route"

Cisco Catalyst Switch—"show ip route"—SHARE6000

Activate the Host-to-Host Connection

Network Configurations

MVSP

MVSZ

Cisco Catalyst 6000 Series Switch

Cisco PIX Firewall

Router

Configuration Cheat Sheets

References

White Paper

Securing Mainframe Host-to-Host Connectivity Using VPNs


Introduction

Computers that exchange critical financial and personal data are, in many cases, IBM and IBM-compatible mainframes. The protocol suite that makes these transactions possible is called Systems Network Architecture (SNA), and to cross from one SNA network to another requires a feature called SNA Network Interconnect (SNI). The IBM 3745 or 3746 communications controller, also known as a front end processor (FEP), is a required component of all SNI connections and precludes SNA/SNI from taking advantage of the reliability and security advances of IP networks. Now that the FEP is no longer available, rapidly escalating maintenance and reliability issues mean that a replacement must be found. An alternative for SNA/SNI is Advanced Peer-to-Peer Networking (APPN) and extended border node (EBN). When used with enterprise extender (EE)—also known as High Performance Routing over IP (HPR/IP)—the connection between mainframes is over an IP network. This paper presents one possible approach to implementing a virtual private network (VPN) for EE connections that may traverse public network facilities.

Virtual Private Networks

VPNs meet today's increased intranet and Internet security demands. A VPN is a node-to-node connection that allows only authorized packets to communicate between the two nodes. With the growth of e-commerce, there is an increased need to provide a secure connection between IBM hosts. These host-to-host connections can be within the same company over an intranet, or between two separate companies over the Internet. For example: Company X is a supplier to Company Y. To reduce administration costs, Company Y's application queries the database application on Company X for inventory costs. This information is private between the two companies, and ensuring its security is critical.

The configuration of technology, from the mainframe to Cisco® PIX® firewalls, is often managed by various groups within a company. The advantage of this implementation is that each component can be configured by its own team, with each team needing only to understand its own addressing scheme and routing protocols.

There are several methods of routing from the mainframe. Static routes can be used, and the dynamic routing protocols available include Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). For consistency of routing protocols across the entire network, OSPF was chosen. It is also possible to use a combination of the various routing protocols and to perform routing convergence at selected nodes.

There are several ways to provide network security between the two sites. This document reviews the use of Cisco PIX firewalls and VPN tunnels.


Note: If all of the sites in a VPN are owned by the same enterprise, the VPN is considered a corporate intranet. If the sites in a VPN are owned by different enterprises, the VPN is considered an extranet.


Figure 1

Testbed Network Topology

Figure 1 shows the topology used to provide connection and configuration information. The bottom section shows the secure and unsecure areas (from the perspective of packets encapsulated with security headers). In this situation, the secure tunnel is between the two Cisco PIX firewalls running VPN. In a real-world network there would be many devices between the two firewalls. Another way to show this would be to replace the "Jedi" router with a cloud labeled either "Intranet" or "Extranet."

Configuring the Network

Cisco Systems® documentation provides step-by-step details on the configuration of each section of this network (referenced at the end of this document). This document reviews the areas of most importance to the success of this implementation, which are the command relationships. It does not discuss standard definitions, such as the IP addresses being part of the same segment.

For a diagrammatic view of the configuration relationships, refer to Appendix F.

We will work through the configuration starting from the left side of the network diagram.

1. The VTAM switched major node (see EESMN) requires that the IP address referenced on the PATH statement is the loopback address of the IBM Communications Server stack on the opposite host (MVSZ).

2. The device profile used in the CS configuration (Profile.TCPIP) requires that the device name (in this example, "EOSAF500") matches the TRLE name in the VTAM TRL definition (OSAF500).

3. The Cisco PIX crypto map "set peer" command requires the address of the other Cisco PIX firewall. This is the address of the opposite-end VPN tunnel. For the Cisco PIX 525, this address will be the Cisco PIX 515 Firewall's "outside" address of 209.165.201.5. For the Cisco PIX 515 Firewall, the address will be the Cisco PIX 525 Firewall's "outside" address of 209.165.200.230.

4. When using the pre-shared keys, the Cisco PIX "isakmp" key command must match the same key entered at the other Cisco PIX Firewall, and must point to the address of the other firewall.

These four steps will connect the mainframe to the opposite-end Cisco PIX firewall, via the VPN tunnel. With the mainframe on the other side configured in the same method, the host-to-host connection will become active.
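The four relationships above are easy to get wrong when four different teams own the pieces, so it is worth checking them mechanically. The following script is an added example and is not code from the Cisco paper; it embeds the relevant fragments copied from the Network Configurations section later in this document (MVSP, MVSZ, Cisco PIX 515 and Cisco PIX 525) and checks all four relationships in both directions. The function names and the `check_side`/`check_relationships` structure are this example's own.

```python
"""Cross-check of the four EE-over-VPN configuration relationships.

Added example, not from the Cisco paper.  The configuration fragments are
copied from the paper's Network Configurations section and embedded inline
so the script runs offline; the pre-shared key is masked there as well.
"""
import re

# ---- z/OS side: VTAM switched major node, TRL and PROFILE.TCPIP (from the paper)
MVSP_EESMN = """
EEPATHY  PATH  IPADDR=192.162.50.1,
               GRPNM=EEGRPIO,SAPADDR=8
"""
MVSP_TRL = "EOSAF500 TRLE  LNCTL=MPC,"
MVSP_PROFILE = """
DEVICE VIPADEV1  VIRT    0
LINK   VIPALNK1  VIRT    0 VIPADEV1
DEVICE EOSAF500 MPCIPA NONROUTER
LINK   LOSAF500 IPAQENET  EOSAF500
HOME
192.163.100.39   LOSAF500
192.163.50.1     VIPALNK1
"""
MVSZ_EESMN = """
EEPATHP  PATH  IPADDR=192.163.50.1,
               GRPNM=EEGRPIO,SAPADDR=8
"""
MVSZ_TRL = "EOSAF100 TRLE  LNCTL=MPC,"
MVSZ_PROFILE = """
DEVICE VIPADEV1  VIRT    0
LINK   VIPALNK1  VIRT    0 VIPADEV1
DEVICE EOSAF100 MPCIPA NONROUTER
LINK  LOSAF100 IPAQENET EOSAF100
HOME
192.162.100.39 LOSAF100
192.162.50.1     VIPALNK1
"""
# ---- Cisco PIX side (from the paper)
PIX515 = """
ip address outside 209.165.201.5 255.255.255.0
crypto map to525 20 set peer 209.165.200.230
isakmp key ******** address 209.165.200.230 netmask 255.255.255.255
"""
PIX525 = """
ip address outside 209.165.200.230 255.255.255.0
crypto map to515 10 set peer 209.165.201.5
isakmp key ******** address 209.165.201.5 netmask 255.255.255.255
"""

IP = r"(\d+(?:\.\d+){3})"   # dotted-quad capture group used by every extractor


def ee_path_ipaddr(swnet):
    """IPADDR on the PATH statement of the EE switched major node."""
    return re.search(r"\bPATH\s+IPADDR=" + IP, swnet).group(1)


def vipa_address(profile):
    """HOME address bound to the VIRT (VIPA) link: the stack's loopback address."""
    link = re.search(r"^LINK\s+(\S+)\s+VIRT\b", profile, re.M).group(1)
    return re.search(r"^" + IP + r"\s+" + re.escape(link) + r"\s*$", profile, re.M).group(1)


def mpcipa_device(profile):
    """DEVICE name of the OSA (MPCIPA) device defined in PROFILE.TCPIP."""
    return re.search(r"^DEVICE\s+(\S+)\s+MPCIPA\b", profile, re.M).group(1)


def trle_name(trl):
    """Label of the TRLE statement in the VTAM TRL major node."""
    return re.search(r"^(\S+)\s+TRLE\b", trl, re.M).group(1)


def outside_address(pix):
    return re.search(r"^ip address outside " + IP, pix, re.M).group(1)


def crypto_peer(pix):
    return re.search(r"^crypto map \S+ \d+ set peer " + IP, pix, re.M).group(1)


def isakmp_key_address(pix):
    return re.search(r"^isakmp key \S+ address " + IP, pix, re.M).group(1)


def check_side(name, eesmn, trl, profile, pix, peer_profile, peer_pix):
    """Return the relationship violations for one end of the host-to-host link."""
    problems = []
    # Step 1: the PATH IPADDR must be the opposite host's VIPA (loopback) address.
    if ee_path_ipaddr(eesmn) != vipa_address(peer_profile):
        problems.append(f"{name}: EE PATH IPADDR is not the peer host's VIPA")
    # Step 2: the PROFILE.TCPIP DEVICE name must equal the TRLE label in the TRL.
    if mpcipa_device(profile) != trle_name(trl):
        problems.append(f"{name}: MPCIPA DEVICE name does not match the TRLE label")
    # Step 3: crypto map 'set peer' must be the other firewall's outside address.
    if crypto_peer(pix) != outside_address(peer_pix):
        problems.append(f"{name}: crypto map peer is not the other PIX's outside address")
    # Step 4: the isakmp key must be bound to that same peer address.
    if isakmp_key_address(pix) != crypto_peer(pix):
        problems.append(f"{name}: isakmp key address differs from crypto map peer")
    return problems


def check_relationships():
    """Run the four checks in both directions; an empty list means all hold."""
    return (check_side("MVSP/PIX525", MVSP_EESMN, MVSP_TRL, MVSP_PROFILE, PIX525,
                       MVSZ_PROFILE, PIX515)
            + check_side("MVSZ/PIX515", MVSZ_EESMN, MVSZ_TRL, MVSZ_PROFILE, PIX515,
                         MVSP_PROFILE, PIX525))


if __name__ == "__main__":
    print(check_relationships() or "all four configuration relationships hold")
```

Each extractor reads only the statement the corresponding step names, so a team that owns one component can drop in its own fragment and see immediately which relationship it broke. The pre-shared key itself is not compared here because it is masked in the listings; only the address it is bound to is checked.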

Verifying Network Connections

Before end-to-end connectivity of the IBM hosts can be confirmed, the IP routes should be reviewed. Using "SHOW ROUTE" on the Cisco PIX firewall and "SHOW IP ROUTE" on the router and Cisco Catalyst® switch will display the available routes. Use this output to identify whether the network addresses from each host are propagating across the network. If they are not, isolate the node at which the propagation stops and review its configuration.

The host routes 192.162.50.1/32 and 192.163.50.1/32 are the loopback addresses of the two hosts. The "IA" at the beginning of a route indicates that it was learned as an OSPF inter-area route.

Router—"show ip route"

O IA 192.162.90.0/24 [110/11] via 209.165.201.5, 11:59:41, FastEthernet2/0
O IA 192.163.90.0/24 [110/11] via 209.165.200.230, 11:59:41, FastEthernet4/0
C    209.165.200.0/24 is directly connected, FastEthernet4/0
C    209.165.201.0/24 is directly connected, FastEthernet2/0
     192.162.50.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.162.50.0/24 [110/15] via 209.165.201.5, 11:42:14, FastEthernet2/0
O IA 192.162.50.1/32 [110/15] via 209.165.201.5, 11:42:14, FastEthernet2/0
     192.163.50.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.163.50.1/32 [110/15] via 209.165.200.230, 00:02:09, FastEthernet4/0
O IA 192.163.50.0/24 [110/15] via 209.165.200.230, 00:02:09, FastEthernet4/0
O IA 192.162.100.0/24 [110/12] via 209.165.201.5, 11:42:09, FastEthernet2/0
O IA 192.163.100.0/24 [110/12] via 209.165.200.230, 00:02:25, FastEthernet4/0

PIX525—"sh route"

On the Cisco PIX firewall, the routes learned from beyond the router are marked "IA" (OSPF inter area), while those learned from the inside interface are marked "O" (OSPF, same area):

Mel#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

 

 

O IA 192.162.90.0 255.255.255.0 [110/21] via 209.165.200.229, 0:01:06, outside
C    192.163.90.0 255.255.255.0 is directly connected, inside
C    209.165.200.0 255.255.255.0 is directly connected, outside
O    209.165.201.0 255.255.255.0 [110/11] via 209.165.200.229, 11:58:39, outside
     192.162.50.0 255.255.255.0 is variably subnetted, 2 subnets, 2 masks
O IA 192.162.50.0 255.255.255.0 [110/25] via 209.165.200.229, 0:01:06, outside
O IA 192.162.50.1 255.255.255.255 [110/25] via 209.165.200.229, 0:01:06, outside
     192.163.50.0 255.255.255.0 is variably subnetted, 2 subnets, 2 masks
O    192.163.50.1 255.255.255.255 [110/14] via 192.163.90.39, 0:01:08, inside
O    192.163.50.0 255.255.255.0 [110/14] via 192.163.90.39, 0:01:08, inside
O IA 192.162.100.0 255.255.255.0 [110/22] via 209.165.200.229, 0:01:08, outside
O    192.163.100.0 255.255.255.0 [110/11] via 192.163.90.39, 0:01:08, inside

 

Cisco Catalyst Switch—"show ip route"—SHARE6000

 

C    192.162.90.0/24 is directly connected, FastEthernet3/1
O IA 192.163.90.0/24 [110/22] via 192.162.90.1, 3d13h, FastEthernet3/1
O IA 209.165.200.0/24 [110/12] via 192.162.90.1, 3d13h, FastEthernet3/1
O IA 209.165.201.0/24 [110/11] via 192.162.90.1, 3d13h, FastEthernet3/1
     10.0.0.0/32 is subnetted, 1 subnets
C    10.99.1.1 is directly connected, Loopback0
     192.162.50.0/24 is variably subnetted, 2 subnets, 2 masks
O    192.162.50.0/24 [110/4] via 192.162.100.39, 3d13h, Vlan90
O    192.162.50.1/32 [110/4] via 192.162.100.39, 3d13h, Vlan90
     192.163.50.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.163.50.1/32 [110/26] via 192.162.90.1, 00:00:59, FastEthernet3/1
O IA 192.163.50.0/24 [110/26] via 192.162.90.1, 00:00:59, FastEthernet3/1
C    192.162.100.0/24 is directly connected, Vlan90
O IA 192.163.100.0/24 [110/23] via 192.162.90.1, 00:01:14, FastEthernet3/1
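
Reading these tables by eye works for a testbed; for a production check it is more reliable to parse them and ask directly whether each host's loopback is present and how it was learned. The following parser is an added example and is not code from the Cisco paper. It handles both the IOS "/24" notation and the PIX dotted-mask notation, skips the prompt, legend and "is variably subnetted" header lines, and reports the longest-match route covering each loopback. The two listings embedded in it are copied from the Jedi router and Cisco PIX 525 output above; `HOST_LOOPBACKS` and the function names are this example's own.

```python
"""Parse 'show ip route' / 'show route' output and locate each host loopback.

Added example, not from the Cisco paper.  The route listings are copied from
the paper (Jedi router and Cisco PIX 525) and embedded inline.
"""
import ipaddress
import re

JEDI_ROUTES = """
O IA 192.162.90.0/24 [110/11] via 209.165.201.5, 11:59:41, FastEthernet2/0
O IA 192.163.90.0/24 [110/11] via 209.165.200.230, 11:59:41, FastEthernet4/0
C    209.165.200.0/24 is directly connected, FastEthernet4/0
C    209.165.201.0/24 is directly connected, FastEthernet2/0
     192.162.50.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.162.50.0/24 [110/15] via 209.165.201.5, 11:42:14, FastEthernet2/0
O IA 192.162.50.1/32 [110/15] via 209.165.201.5, 11:42:14, FastEthernet2/0
     192.163.50.0/24 is variably subnetted, 2 subnets, 2 masks
O IA 192.163.50.1/32 [110/15] via 209.165.200.230, 00:02:09, FastEthernet4/0
O IA 192.163.50.0/24 [110/15] via 209.165.200.230, 00:02:09, FastEthernet4/0
O IA 192.162.100.0/24 [110/12] via 209.165.201.5, 11:42:09, FastEthernet2/0
O IA 192.163.100.0/24 [110/12] via 209.165.200.230, 00:02:25, FastEthernet4/0
"""

PIX525_ROUTES = """
Mel#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2
O IA 192.162.90.0 255.255.255.0 [110/21] via 209.165.200.229, 0:01:06, outside
C    192.163.90.0 255.255.255.0 is directly connected, inside
C    209.165.200.0 255.255.255.0 is directly connected, outside
O    209.165.201.0 255.255.255.0 [110/11] via 209.165.200.229, 11:58:39, outside
     192.162.50.0 255.255.255.0 is variably subnetted, 2 subnets, 2 masks
O IA 192.162.50.0 255.255.255.0 [110/25] via 209.165.200.229, 0:01:06, outside
O IA 192.162.50.1 255.255.255.255 [110/25] via 209.165.200.229, 0:01:06, outside
     192.163.50.0 255.255.255.0 is variably subnetted, 2 subnets, 2 masks
O    192.163.50.1 255.255.255.255 [110/14] via 192.163.90.39, 0:01:08, inside
O    192.163.50.0 255.255.255.0 [110/14] via 192.163.90.39, 0:01:08, inside
O IA 192.162.100.0 255.255.255.0 [110/22] via 209.165.200.229, 0:01:08, outside
O    192.163.100.0 255.255.255.0 [110/11] via 192.163.90.39, 0:01:08, inside
"""

# VIPA (loopback) addresses of the two EE stacks, from the HOME statements.
HOST_LOOPBACKS = ["192.162.50.1", "192.163.50.1"]

# One route line: code, network (prefix-length or dotted mask), then either
# "[AD/metric] via NEXTHOP, AGE, IFACE" or "is directly connected, IFACE".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}(?: [A-Z]{1,2})?)\s+"
    r"(?P<net>\d+(?:\.\d+){3})(?:/(?P<plen>\d+)|\s+(?P<mask>\d+(?:\.\d+){3}))\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+),\s*\S+,\s*(?P<iface>\S+)"
    r"|is directly connected,\s*(?P<ciface>\S+))\s*$"
)


def parse_routes(text):
    """Return one dict per route; prompt, legend and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        suffix = m["plen"] if m["plen"] else m["mask"]
        network = ipaddress.ip_network(f"{m['net']}/{suffix}", strict=False)
        routes.append({
            "prefix": str(network),
            "code": m["code"],
            "via": m["via"],                     # None for connected routes
            "iface": m["iface"] or m["ciface"],
        })
    return routes


def loopback_routes(routes, loopbacks):
    """Map each loopback to (longest-matching prefix, route code), or None."""
    result = {}
    for addr in loopbacks:
        host = ipaddress.ip_address(addr)
        best = None
        for r in routes:
            net = ipaddress.ip_network(r["prefix"])
            if host in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r["code"])
        result[addr] = (str(best[0]), best[1]) if best else None
    return result


if __name__ == "__main__":
    for name, text in (("Jedi", JEDI_ROUTES), ("PIX525", PIX525_ROUTES)):
        print(name, loopback_routes(parse_routes(text), HOST_LOOPBACKS))
```

Run against the outputs above it reports the /32 host routes for both loopbacks on the router (both "O IA") and on the PIX 525 (the far host as "O IA", the near host as "O"). A `None` for either loopback identifies the node at which propagation stops, which is exactly the isolation step the text describes.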

 

Activate the Host-to-Host Connection

Once the TCP/IP stack has been started on both hosts and the External Communications Adapter (XCA) and switched major nodes are active, the Cross Domain Resource Manager (CDRM) is activated and the two hosts connect. The following output shows the host named "MVSP" becoming active.

 
IST590I CONNECTOUT ESTABLISHED FOR PU EEMVSP01 ON LINE LIO000
IST1086I APPN CONNECTION FOR ESPNET.MVSZ IS ACTIVE - TGN = 21
IST093I EEMVSP01 ACTIVE
IST1488I ACTIVATION OF RTP CNR0000B AS PASSIVE TO ESPNET.MVSZ
IST1488I ACTIVATION OF RTP CNR0000A AS ACTIVE TO ESPNET.MVSZ
IST1096I CP-CP SESSIONS WITH ESPNET.MVSZ ACTIVATED
 

With console logging enabled on the Cisco PIX firewalls, the following output shows the VPN connection being created. The activation request moves from host "MVSP" to host "MVSZ", through the Cisco PIX 525 to the Cisco PIX 515. The output below is from the Cisco PIX 525.

 
609001: Built local-host inside:192.163.50.1
302015: Built outbound UDP connection 0 for outside:192.162.50.1/12000 (192.162.50.1/
12000) to inside:192.163.50.1/12000 (192.163.50.1/12000)
702303: sa_request, (key eng. msg.) src= 209.165.200.230, dest= 209.165.201.5, src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, 
transform= esp-3des esp-sha-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 
0, keysize= 0, flags= 0x4004
 
602301: sa created, (sa) sa_dest= 209.165.200.230, sa_prot= 50, sa_spi= 
0x4ba45076(1269059702), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
 
602301: sa created, (sa) sa_dest= 209.165.201.5, sa_prot= 50, sa_spi= 
0x6c13ec46(1813244998), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
 
302015: Built outbound UDP connection 1 for outside:192.162.50.1/12001 (192.162.50.1/
12001) to inside:192.163.50.1/12001 (192.163.50.1/12001)
 

The following is the VPN connection from the Cisco PIX 515:

 
602301: sa created, (sa) sa_dest= 209.165.201.5, sa_prot= 50, sa_spi= 
0x6c13ec46(1813244998), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
 
602301: sa created, (sa) sa_dest= 209.165.200.230, sa_prot= 50, sa_spi= 
0x4ba45076(1269059702), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
 
609001: Built local-host inside:192.162.50.1
302015: Built inbound UDP connection 0 for outside:192.163.50.1/12000 (192.163.50.1/
12000) to inside:192.162.50.1/12000 (192.162.50.1/12000)
302015: Built inbound UDP connection 1 for outside:192.163.50.1/12001 (192.163.50.1/
12001) to inside:192.162.50.1/12001 (192.162.50.1/12001)
 

The "show conn" command on either Cisco PIX firewall shows that the connection is active between the two hosts.

 
pix525# sh conn
2 in use, 2 most used
UDP out 192.162.50.1:12000 in 192.163.50.1:12000 idle 0:01:04 flags -
UDP out 192.162.50.1:12001 in 192.163.50.1:12001 idle 0:00:09 flags -
 

The two hosts are now connected.
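
The two firewall logs above are mirror images: each SA created on the PIX 525 appears on the PIX 515 with the same destination, SPI and transform. That symmetry is a useful thing to verify automatically, both when bringing the tunnel up and later, to detect a peer that negotiated something other than the intended transform set. The script below is an added example and is not code from the Cisco paper; the two log excerpts are copied from the output above, wrapped as printed there, and `unwrap`, `parse_sa_events`, `verify_tunnel` and the finding strings are this example's own.

```python
"""Compare the IPsec 'sa created' messages logged by the two Cisco PIX firewalls.

Added example, not from the Cisco paper.  The log text is copied from the
paper's console output (including its line wrapping) and embedded inline.
"""
import re

PIX525_LOG = """
609001: Built local-host inside:192.163.50.1
302015: Built outbound UDP connection 0 for outside:192.162.50.1/12000 (192.162.50.1/
12000) to inside:192.163.50.1/12000 (192.163.50.1/12000)
602301: sa created, (sa) sa_dest= 209.165.200.230, sa_prot= 50, sa_spi=
0x4ba45076(1269059702), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
602301: sa created, (sa) sa_dest= 209.165.201.5, sa_prot= 50, sa_spi=
0x6c13ec46(1813244998), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
302015: Built outbound UDP connection 1 for outside:192.162.50.1/12001 (192.162.50.1/
12001) to inside:192.163.50.1/12001 (192.163.50.1/12001)
"""

PIX515_LOG = """
602301: sa created, (sa) sa_dest= 209.165.201.5, sa_prot= 50, sa_spi=
0x6c13ec46(1813244998), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 1
602301: sa created, (sa) sa_dest= 209.165.200.230, sa_prot= 50, sa_spi=
0x4ba45076(1269059702), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2
609001: Built local-host inside:192.162.50.1
"""

# Outside addresses of the two tunnel endpoints, from the PIX configurations.
PEERS = ["209.165.200.230", "209.165.201.5"]
# Transform set configured on both firewalls ("crypto ipsec transform-set strong").
EXPECTED_TRANSFORM = "esp-3des esp-sha-hmac"

SA_RE = re.compile(
    r"602301: sa created, \(sa\) sa_dest= (?P<dest>\S+), sa_prot= (?P<prot>\d+), "
    r"sa_spi=\s*(?P<spi>0x[0-9a-fA-F]+)\(\d+\), sa_trans= (?P<trans>.+?) , "
    r"sa_conn_id= (?P<conn>\d+)"
)


def unwrap(text):
    """Re-join console-wrapped lines: a continuation line is any line that does
    not begin with a six-digit PIX message id followed by a colon."""
    return re.sub(r"[ \t]*\n(?!\d{6}: )", " ", text)


def parse_sa_events(log):
    """Return one dict per 'sa created' message, in log order."""
    return [m.groupdict() for m in SA_RE.finditer(unwrap(log))]


def verify_tunnel(side_a, side_b, expected_trans, peers):
    """Compare the SAs seen by the two firewalls.

    Returns a list of findings; an empty list means both ends logged the same
    (destination, SPI, transform) pairs, every SA is ESP with the expected
    transform, and there is exactly one SA towards each peer.
    """
    findings = []
    key = lambda e: (e["dest"], e["spi"].lower(), e["trans"])
    if {key(e) for e in side_a} != {key(e) for e in side_b}:
        findings.append("SA sets differ between the two firewalls")
    for e in side_a + side_b:
        if e["prot"] != "50":
            findings.append(f"SPI {e['spi']}: protocol {e['prot']} is not ESP (50)")
        if e["trans"] != expected_trans:
            findings.append(f"SPI {e['spi']}: transform '{e['trans']}' is not '{expected_trans}'")
        if e["dest"] not in peers:
            findings.append(f"SPI {e['spi']}: destination {e['dest']} is not a tunnel peer")
    if {e["dest"] for e in side_a} != set(peers):
        findings.append("expected exactly one SA towards each peer")
    return findings


if __name__ == "__main__":
    a, b = parse_sa_events(PIX525_LOG), parse_sa_events(PIX515_LOG)
    print(verify_tunnel(a, b, EXPECTED_TRANSFORM, PEERS) or "tunnel SAs agree on both sides")
```

The `unwrap` step matters because the console splits the message after `sa_spi=`; matching line by line would miss every SA. Feeding the same function a log in which one side negotiated a different transform, or an SA towards an address that is not one of the two configured peers, produces findings rather than an empty list.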

 

Network Configurations

To reduce the amount of documentation in this example, only the commands directly associated with the configurations are shown.

MVSP

Virtual Telecommunications Access Method (VTAM) Definitions

CDRMEE
 
CDRMPZ    VBUILD TYPE=CDRM
NETWMPMZ  NETWORK NETID=ESPNET
MVSPMVSZ  CDRM CDRDYN=YES,CDRSC=OPT,SUBAREA=56,ELEMENT=1,RECOVERY=YES,
               VPACING=63,ISTATUS=ACTIVE
EESMN
 
EESMN    VBUILD TYPE=SWNET
EEMVSP01 PU    CPCP=YES,ADDR=01,PUTYPE=2,
               CONNTYPE=APPN,
               HPR=YES,
               TGP=ESCON,
               DYNLU=YES,
               DISCNT=NO,
               DWACT=YES,
               NETID=ESPNET,
               CPNAME=MVSZ,
               ISTATUS=ACTIVE
*  IPADDR IS THE IP ADDR OF THE TCPMVSZ6 EE STACK ON MVSZ
EEPATHY  PATH  IPADDR=192.162.50.1,
               GRPNM=EEGRPIO,SAPADDR=8
EEXCA
 
EEXCAV   VBUILD TYPE=XCA
EETG     PORT  MEDIUM=HPRIP,CAPACITY=1000M,
               VNNAME=EESNI,
               VNGROUP=EEGRPIO,
               LIVTIME=15,
               SRQTIME=15,
               SRQRETRY=9,
               SAPADDR=04
EEGRPIO  GROUP ANSWER=ON,
               AUTOGEN=(10,LIO,PIO),
               CALL=INOUT,
               DIAL=YES,
               DYNPU=YES,
               DYNPUPFX=$E,
               ISTATUS=ACTIVE 
OSAF500

OSAF500  VBUILD TYPE=TRL 
EOSAF500 TRLE  LNCTL=MPC,
               READ=(F500),
               WRITE=(F501), 
               DATAPATH=(F502),
               PORTNAME=OSAMDB2,
               MPCLEVEL=QDIO 

Communications Server Definitions

 

OMPROUTE
 
Area
     Area_Number=2.2.2.2
     Stub_Area=no
     Authentication_Type=None;
;
Comparison=Type2;
;
Routerid=192.163.100.39;
;
OSPF_Interface
    IP_Address=192.163.100.39
    MTU=1500
    Subnet_Mask=255.255.255.0
    Name=LOSAF500
    Attaches_To_Area=2.2.2.2
    Hello_Interval=3
    Dead_Router_Interval=9
    Cost0=3;
OSPF_Interface
    IP_Address=192.163.50.1
    MTU=1500
    Subnet_Mask=255.255.255.0
    Name=VIPALNK1
    Attaches_To_Area=2.2.2.2
    Hello_Interval=3
    Dead_Router_Interval=9
    Cost0=3;
;
AS_Boundary_Routing
    Import_RIP_Routes=No
    Import_Direct_Routes=YES
    Import_Static_Routes=YES
    Import_Subnet_Routes=YES
    Originate_Default_Route=No
    Originate_as_Type=2
    Default_Route_Cost=1;

 

PROFILE.TCPIP
 
DEVICE   IUTSAMEH    MPCPTP     AUTORESTART
LINK     SAMELINK    MPCPTP     IUTSAMEH
;
DEVICE VIPADEV1  VIRT    0
LINK   VIPALNK1  VIRT    0 VIPADEV1
;
DEVICE EOSAF500 MPCIPA NONROUTER
LINK   LOSAF500 IPAQENET  EOSAF500
;
AUTOLOG
    EZAFTMP2    ; 'C' FTP SERVER
    MISCEP2     ; MISC DAEMON
    ROUTEDP2    ; ROUTED SERVER
ENDAUTOLOG
HOME
192.163.100.39   LOSAF500
192.163.50.1     VIPALNK1
DATASETPREFIX TCPMVSP.TCPIP2
START IUTSAMEH
START EOSAF500
 
RESOLVER.CONFIG
 
NOCOMMONSEARCH
;
TCPIPJOBNAME TCPMVSP2
 
RESOLVER.ENV
 
RESOLVER_CONFIG=//'TCPMVSP.TCPIP2.RESOLVER.CONFIG'
OMPROUTE_FILE=//'TCPMVSP.TCPIP2.OMPROUTE.CONFIG'
 
TCPIP.DATA
 
TCPIPJOBNAME TCPMVSP2
 

MVSZ

VTAM Definitions

CDRMEE
 
CDRMPP    VBUILD TYPE=CDRM
NETWMZMP  NETWORK NETID=PLEX4NET
MVSZMVSP  CDRM CDRDYN=YES,CDRSC=OPT,SUBAREA=07,ELEMENT=1,RECOVERY=YES,
               VPACING=63,ISTATUS=ACTIVE
EESMN
 
EESMN    VBUILD TYPE=SWNET
EEMVSZ01 PU    CPCP=YES,ADDR=01,PUTYPE=2,
               CONNTYPE=APPN,
               HPR=YES,
               TGP=ESCON,
               DYNLU=YES,
               DISCNT=NO,
               DWACT=YES, 
               NETID=PLEX4NET,
               CPNAME=MVSP,
               ISTATUS=ACTIVE
* IPADDR IS THE IP ADDRESS OF THE TCPMVSP2 EE STACK ON MVSP
EEPATHP  PATH  IPADDR=192.163.50.1,
               GRPNM=EEGRPIO,SAPADDR=8
EEXCA
 
EEXCAV   VBUILD TYPE=XCA
EETG     PORT  MEDIUM=HPRIP,CAPACITY=1000M,
               VNNAME=EESNI, 
               VNGROUP=EEGRPIO,
               LIVTIME=15,
               SRQTIME=15,
               SRQRETRY=9,
               SAPADDR=04
EEGRPIO  GROUP ANSWER=ON,
               AUTOGEN=(10,LIO,PIO),
               CALL=INOUT,
               DIAL=YES,
               DYNPU=YES,
               DYNPUPFX=$E,
               ISTATUS=ACTIVE
OSAF100
 
OSAF100  VBUILD TYPE=TRL
EOSAF100 TRLE  LNCTL=MPC,
               READ=(F100),
               WRITE=(F101),
               DATAPATH=(F102),
               PORTNAME=OSAMDB1,
               MPCLEVEL=QDIO
 

Communications Server Definitions

 

OMPROUTE
 
Area
 Area_Number=1.1.1.1
 Authentication_Type=None
 Stub_Area=no;
;
Comparison=Type2;
;
Routerid=192.162.100.39;
;
OSPF_INTERFACE
     IP_Address                =   192.162.100.39
     Name                      =   LOSAF100
     Subnet_Mask               =   255.255.255.0
     MTU                       =   1500
     Router_Priority           =   0
     ATTACHES_TO_AREA          =   1.1.1.1
     Hello_Interval            =   3
     Dead_Router_Interval      =   9
     COST0                     =   3;
;
OSPF_INTERFACE
     IP_Address                =   192.162.50.1
     Name                      =   VIPALNK1
     Subnet_Mask               =   255.255.255.0
     MTU                       =   1500
     Router_Priority           =   0
     ATTACHES_TO_AREA          =   1.1.1.1
     Hello_Interval            =   3
     Dead_Router_Interval      =   9
     COST0                     =   3;
;
AS_BOUNDARY_ROUTING
      Import_RIP_Routes=No
      Import_Static_Routes=Yes
      Import_Direct_Routes=Yes
      Import_Subnet_Routes=Yes
      Originate_Default_Route=No
      Originate_as_Type=2
      Default_Route_Cost=1;
 
PROFILE.TCPIP
 
DEVICE   IUTSAMEH    MPCPTP     AUTORESTART
LINK     SAMELINK    MPCPTP     IUTSAMEH
;
DEVICE VIPADEV1  VIRT    0
LINK   VIPALNK1  VIRT    0 VIPADEV1
;
DEVICE EOSAF100 MPCIPA NONROUTER
LINK  LOSAF100 IPAQENET EOSAF100
;
AUTOLOG
    EZAFTMZ6    ; 'C' FTP Server
    MISCSEZ6    ; MISC DAEMON
    ROUTEDZ6    ; ROUTED  Server
;   LPSERVEC    ; LPR
ENDAUTOLOG
HOME
192.162.100.39 LOSAF100
192.162.50.1     VIPALNK1
DATASETPREFIX   TCPMVSZ.TCPIP6
START IUTSAMEH
START EOSAF100
 
RESOLVER.CONF
 
NOCOMMONSEARCH
;
TCPIPJOBNAME TCPMVSZ6
 
RESOLVER.ENV
 
RESOLVER_CONFIG=//'TCPMVSZ.TCPIP6.RESOLVER.CONFIG'
OMPROUTE_FILE=//'TCPMVSZ.TCPIP6.OMPROUTE.CONFIG'
 
TCPIP.DATA
 
TCPIPJOBNAME TCPMVSZ6

 

Cisco Catalyst 6000 Series Switch

Valley-fatcat

 

interface FastEthernet2/48
 description SHARE VPN test - crbrown - to pix525
 ip address 192.167.90.39 255.255.255.0
 duplex full
 speed 100
!
interface GigabitEthernet4/13
 description VPN SHARE test - crbrown to host mvsp
 ip address 192.163.100.1 255.255.255.0
 load-interval 30
!
router ospf 222
 log-adjacency-changes
 network 192.163.50.0 0.0.0.255 area 2.2.2.2
 network 192.163.100.0 0.0.0.255 area 2.2.2.2
 

SHARE2000

 
interface FastEthernet3/1
 description SHARE VPN testing - crbrown - to pix515-5
 ip address 192.162.90.39 255.255.255.0
!
interface GigabitEthernet4/1
 description VPN Share test - crbrown- to Host MVSZ
 mtu 9216
 load-interval 30
 switchport
 switchport access vlan 90
!
interface Vlan90
 description SHARE - VPN Testing - crbrown to mvsz
 ip address 192.162.100.1 255.255.255.0
 ip ospf hello-interval 3
 ip ospf dead-interval 9
 ip ospf priority 10
!
router ospf 222
 log-adjacency-changes
 network 192.162.0.0 0.0.255.255 area 1.1.1.1
 network 192.166.0.0 0.0.255.255 area 1.1.1.1
 network 201.165.201.0 0.0.0.255 area 0
 

Cisco PIX Firewall

Cisco PIX 515

 
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet1 inside security100
nameif ethernet2 outside security0
access-list 90 permit ip any any 
ip address inside 192.162.90.1 255.255.255.0
ip address outside 209.165.201.5 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.162.90.39 192.162.90.39 netmask 255.255.255.255 0 0 
router ospf 222
  network 192.162.0.0 255.255.0.0 area 1.1.1.1 
  network 209.165.0.0 255.255.0.0 area 0 
  log-adj-changes
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto map to525 20 ipsec-isakmp
crypto map to525 20 match address 90
crypto map to525 20 set peer 209.165.200.230
crypto map to525 20 set transform-set strong
crypto map to525 interface outside
isakmp enable outside
isakmp key ******** address 209.165.200.230 netmask 255.255.255.255 
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
 

Cisco PIX 525

 

interface ethernet0 auto
interface ethernet1 auto
access-list 80 permit ip any any 
ip address outside 209.165.200.230 255.255.255.0
ip address inside 192.163.90.1 255.255.255.0
global (outside) 1 209.165.201.9-209.165.201.30
global (outside) 1 interface
global (outside) 1 209.165.201.31
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.163.90.39 192.163.90.39 netmask 255.255.255.255 0 0 
access-group 80 in interface outside
router ospf 222
  network 192.163.0.0 255.255.0.0 area 2.2.2.2 
  network 209.165.0.0 255.255.0.0 area 0 
  log-adj-changes
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto map to515 10 ipsec-isakmp
crypto map to515 10 match address 80
crypto map to515 10 set peer 209.165.201.5
crypto map to515 10 set transform-set strong
crypto map to515 interface outside
isakmp enable outside
isakmp key ******** address 209.165.201.5 netmask 255.255.255.255 
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
 

Router

Jedi

 

interface FastEthernet2/0
 description connected to pix515-5 eth0
 ip address 209.165.201.6 255.255.255.0
 duplex full
!
interface FastEthernet4/0
 description connected to pix1 (525)
 ip address 209.165.200.229 255.255.255.0
 duplex full
!
router ospf 222
 log-adjacency-changes
 network 209.165.200.0 0.0.0.255 area 0
 network 209.165.201.0 0.0.0.255 area 0
 

Configuration Cheat Sheets

Figure 2

Enterprise Extender to Communications Server Configuration—Part 1 of 3

Figure 3

Cisco Catalyst/MSFC to Cisco PIX Firewall Configuration—Part 2 of 3

Figure 4

Cisco PIX to Intranet Router Configuration—Part 3 of 3

References

Cisco PIX Firewall and VPN Configuration, Version 6.3

Cisco PIX Firewall Software Command Reference, Version 6.3

Cisco IOS® IP Command Reference, Volume 2 of 3: Routing Protocols, R12.2

Cisco Catalyst 6000 Series IOS Software Configuration Guide, Release 12.1

IBM z/OS Communications Server IP Configuration Guide, V1R4

IBM z/OS Communications Server SNA Resource Definition Samples, V1R4