[Cisco ASA & Juniper SSG ScreenOS]
Below is a config to create a VPN tunnel between a Cisco ASA (Blue side) and a Juniper SSG ScreenOS (Red side).
Juniper Settings:
Ethernet0/0: 22.22.22.22, Untrust
bgroup0: 172.16.22.1, Trust
Cisco ASA config (Blue):
! The ISAKMP (Phase 1) policy must match the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! ACL must be exactly the opposite of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match the other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply the crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE
!^^^^^^^ Routes and No-NATs ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT'd
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
Juniper SSG-5 ScreenOS config (Red):
# Create a tunnel interface
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
# Create the gateway (IKE settings)
# Note that "sec-level standard" means the IKE policies will try to use: pre-g2-3des-sha and pre-g2-aes128-sha
set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0 preshare "sekretk3y" sec-level standard
# Configure VPN IPSEC settings
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" id 1 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"
# Configure a route for the remote end traffic
set vrouter trust-vr route 192.168.11.0/24 interface tunnel.1
# Create two address book entries and two policies to permit this traffic
set address Untrust "192.168.11.0/24" 192.168.11.0/24
set address Trust "172.16.22.0/24" 172.16.22.0/24
set policy top from "Trust" to "Untrust" "172.16.22.0/24" "192.168.11.0/24" "ANY" Permit log count
set policy top from "Untrust" to "Trust" "192.168.11.0/24" "172.16.22.0/24" "ANY" Permit log count
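An added example, not part of the original post: a small Python checker for the "must match" conditions called out in the comments above. It verifies that the ASA crypto ACL is the exact mirror of the ScreenOS proxy-id, that the ASA transform set agrees with the ScreenOS Phase 2 proposal, and that the no-NAT ACL covers the same traffic as the crypto ACL. The sample lines are copied from the two configs on this page; the ASA-keyword-to-ScreenOS-proposal mapping and the line formats it parses are assumptions of this example.

```python
import re
import ipaddress

# Sample lines taken from the Cisco ASA and ScreenOS configs above (constructed inputs for this example).
ASA_CRYPTO_ACL = "access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0"
ASA_NONAT_ACL = "access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0"
ASA_TRANSFORM = "crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac"
SSG_PROXY_ID = 'set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"'
SSG_VPN = 'set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"'

# Assumed mapping from ASA transform-set keywords to the tokens used in ScreenOS proposal names.
ASA_TO_SSG = {"esp-aes": "aes128", "esp-aes-256": "aes256", "esp-3des": "3des",
              "esp-sha-hmac": "sha", "esp-md5-hmac": "md5"}


def asa_acl_networks(line):
    """Return (src, dst) networks from an ASA 'permit ip SRC MASK DST MASK' entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line)
    return ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")


def ssg_proxy_id_networks(line):
    """Return (local, remote) networks from a ScreenOS 'set vpn ... proxy-id' line."""
    m = re.search(r"local-ip (\S+) remote-ip (\S+)", line)
    return ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])


def proxy_ids_mirror(asa_acl, ssg_proxy_id):
    """The ASA crypto ACL must be the exact opposite of the ScreenOS proxy-id."""
    asa_src, asa_dst = asa_acl_networks(asa_acl)
    ssg_local, ssg_remote = ssg_proxy_id_networks(ssg_proxy_id)
    return asa_src == ssg_remote and asa_dst == ssg_local


def phase2_proposals_match(asa_transform, ssg_vpn, asa_pfs_group=None):
    """Transform set and PFS setting must match the ScreenOS proposal (e.g. nopfs-esp-aes128-sha)."""
    keywords = asa_transform.split()[4:]          # tokens after 'crypto ipsec transform-set NAME'
    wanted = {ASA_TO_SSG[k] for k in keywords}
    parts = re.search(r'proposal "([^"]+)"', ssg_vpn)[1].split("-")
    pfs_ok = (parts[0] == "nopfs") == (asa_pfs_group is None)
    return pfs_ok and wanted <= set(parts)


def nonat_covers_vpn(asa_crypto_acl, asa_nonat_acl):
    """The NAT-exempt ACL must match the interesting traffic so tunnelled packets are not NAT'd."""
    return asa_acl_networks(asa_crypto_acl) == asa_acl_networks(asa_nonat_acl)


if __name__ == "__main__":
    print("proxy-ids mirror:", proxy_ids_mirror(ASA_CRYPTO_ACL, SSG_PROXY_ID))
    print("phase 2 matches:", phase2_proposals_match(ASA_TRANSFORM, SSG_VPN))
    print("no-NAT covers VPN:", nonat_covers_vpn(ASA_CRYPTO_ACL, ASA_NONAT_ACL))
```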