Step by step instructions to set up a policy-based or a route-based VPN between a Juniper firewall and a Cisco PIX
PROBLEM OR GOAL:
How to set up a VPN between a Cisco PIX and a Juniper NetScreen firewall when the PIX uses a single access list
Why a policy-based VPN is the better fit when the PIX access list has multiple entries
How to verify the VPN connection
Juniper firewall (NetScreen) configuration:
  Untrust zone: ethernet1, IP 1.1.1.1/24
  Trust zone: ethernet2, IP 10.1.1.1/24
  Phase 1 proposal: pre-g2-des-sha (pre-shared key, DH group 2, DES, SHA-1)
  Phase 2 proposal: nopfs-esp-des-sha (no PFS, ESP with DES and SHA-1)
Cisco PIX configuration:
  Outside: ethernet1, IP 2.2.2.1/24
  Inside: ethernet2, IP 172.16.10.1/24
  Phase 1 proposal: pre-g2-des-sha
  Phase 2 proposal: nopfs-esp-des-sha
Both ends must offer the same Phase 1 and Phase 2 parameters, or IKE negotiation fails. DES with SHA-1 and group 2 is used here only to show interoperability; it is not a recommendation for a production tunnel.
SOLUTION:
Scenario 1 -- Juniper NetScreen firewall using a policy-based VPN to a Cisco PIX
In this scenario, the Juniper firewall is set up with a policy-based VPN, and the policy matches the access list configured on the PIX.
Juniper Firewall Configuration
1. VPN Phase 1 Configuration
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2 Configuration
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Policy setup
set policy id 2 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust" "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2
The two policies are a pair: the outbound policy (Trust to Untrust) names the local network first, the inbound policy mirrors it, and together they form the proxy ID that must match the PIX access list. The address book entries "10.1.1.0/24" (Trust) and "172.16.10.0/24" (Untrust) must exist before the policies can reference them.
Cisco PIX Configuration
ISAKMP (Phase 1):
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Crypto ACL, transform set and crypto map (Phase 2):
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
Scenario 2 -- Juniper NetScreen firewall using a route-based VPN to a Cisco PIX
In this scenario, the PIX configuration does not change between the policy-based and the route-based Juniper configuration. These steps document a route-based VPN on the Juniper firewall.
Juniper Firewall Configuration
1. VPN Phase 1
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN"
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet1
set vpn "To-Cisco-VPN" bind interface tunnel.1
tunnel.1 is placed in the Trust zone, so traffic between 10.1.1.0/24 on ethernet2 and the tunnel is intra-zone and passes without a policy as long as intra-zone blocking stays off for Trust (the default). If the tunnel interface is put in a different zone, policies are needed to permit the traffic.
4. Proxy ID setup. The proxy ID has to match the access list on the PIX: local-ip is the NetScreen inside network, remote-ip is the PIX inside network. A route-based VPN on the Juniper firewall carries a single proxy ID per VPN, which is a limitation when the PIX access list has multiple entries; in that case a policy-based VPN should be used, since each policy pair supplies its own proxy ID.
set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
5. Set up a static route so that traffic destined for the remote inside network goes via the tunnel interface created in step 3.
set route 172.16.10.0/24 interface tunnel.1
Cisco PIX Configuration (unchanged from Scenario 1)
ISAKMP (Phase 1):
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Crypto ACL, transform set and crypto map (Phase 2):
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
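The usual cause of a tunnel that completes Phase 1 but never passes traffic is a proxy ID that does not mirror the PIX crypto ACL, or a proposal that differs in a single parameter. The following Python script is an added example, not part of this article and not a Juniper or Cisco tool: it parses the ScreenOS and PIX configurations as written above, maps the two ScreenOS proposal names onto the parameters the PIX spells out line by line, and reports every mismatch, including the step 4 case where the PIX access list has two entries but a route-based VPN offers only one proxy ID. The addresses 1.1.1.1 and 2.2.2.1 are passed in as arguments because neither snippet states its own interface address; the second inside network 172.16.20.0/24 is constructed for the demonstration and does not appear in the article.

```python
"""Cross-check a ScreenOS VPN (policy- or route-based) against the Cisco PIX crypto map it peers with.
Added example, not from the KB article; the configs below are abridged from it except where marked."""
import ipaddress
import shlex
# ScreenOS proposal names bundle what PIX spells out one line at a time; only the article's two are mapped.
PHASE1 = {"pre-g2-des-sha": {"authentication": "pre-share", "encryption": "des", "hash": "sha", "group": "2"}}
PHASE2 = {"nopfs-esp-des-sha": ("esp-des", "esp-sha-hmac")}

def net(*parts):
    # '10.1.1.0/24' or ('172.16.10.0', '255.255.255.0') -> canonical CIDR text; other names unchanged.
    try:
        return str(ipaddress.ip_network("/".join(parts), strict=False))
    except ValueError:
        return "/".join(parts)

def parse_screenos(text):
    """Peer address, Phase 1/2 proposal names and the set of (local, remote) proxy-ID pairs."""
    cfg = {"proxy_ids": set()}
    for line in text.splitlines():
        tok = shlex.split(line)  # honours the quoted names ScreenOS uses
        if tok[:3] == ["set", "ike", "gateway"]:
            cfg["peer"], cfg["p1"] = tok[tok.index("address") + 1], tok[tok.index("proposal") + 1]
        elif tok[:2] == ["set", "vpn"] and "proxy-id" in tok:  # route-based: explicit proxy ID
            cfg["proxy_ids"].add((net(tok[tok.index("local-ip") + 1]), net(tok[tok.index("remote-ip") + 1])))
        elif tok[:2] == ["set", "vpn"] and "gateway" in tok:
            cfg["p2"] = tok[tok.index("proposal") + 1]
        elif tok[:2] == ["set", "policy"] and "tunnel" in tok:  # policy-based: the policy is the proxy ID
            i = tok.index("to")
            src, dst = net(tok[i + 2]), net(tok[i + 3])
            cfg["proxy_ids"].add((src, dst) if tok[i - 1] == "Trust" else (dst, src))  # Trust->Untrust lists local first
    return cfg

def parse_pix(text):
    cfg = {"isakmp": {}, "acl": {}, "tsets": {}, "map": {}}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "key"]:
            cfg["key_peer"] = tok[tok.index("address") + 1]
        elif tok[:2] == ["isakmp", "policy"]:
            cfg["isakmp"][tok[3]] = tok[4]
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            cfg["acl"].setdefault(tok[1], set()).add((net(tok[4], tok[5]), net(tok[6], tok[7])))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) == 7:  # crypto map <name> <seq> <k1> <k2> <value>
            cfg["map"][" ".join(tok[4:6])] = tok[6]  # keys: 'match address', 'set peer', 'set transform-set'
    return cfg

def cross_check(ns_text, pix_text, ns_untrust_ip, pix_outside_ip):
    """Return the list of mismatches; an empty list means the two ends should negotiate."""
    ns, pix = parse_screenos(ns_text), parse_pix(pix_text)
    out = []
    if ns.get("peer") != pix_outside_ip:
        out.append(f"NetScreen gateway points at {ns.get('peer')}, PIX outside is {pix_outside_ip}")
    if pix.get("key_peer") != ns_untrust_ip or pix["map"].get("set peer") != ns_untrust_ip:
        out.append(f"PIX isakmp key and crypto map peer must both be {ns_untrust_ip}")
    p1 = PHASE1.get(ns.get("p1"))
    if p1 is None:
        out.append(f"unmapped ScreenOS Phase 1 proposal {ns.get('p1')}")
    else:
        out += [f"Phase 1 mismatch: {k} {v} on NetScreen, {pix['isakmp'].get(k)} on PIX"
                for k, v in p1.items() if pix["isakmp"].get(k) != v]
    have = pix["tsets"].get(pix["map"].get("set transform-set"))
    if PHASE2.get(ns.get("p2")) != have:
        out.append(f"Phase 2 mismatch: NetScreen {ns.get('p2')} vs PIX transform-set {have}")
    # A PIX ACE reads source -> destination from the PIX side, so each NetScreen (local, remote) pair
    # must appear mirrored; every ACE needs a proxy ID and every proxy ID needs an ACE.
    aces = pix["acl"].get(pix["map"].get("match address"), set())
    mirrored = {(remote, local) for local, remote in ns["proxy_ids"]}
    out += [f"PIX ACE {s} -> {d} has no matching NetScreen proxy ID" for s, d in sorted(aces - mirrored)]
    out += [f"NetScreen proxy ID local {d} remote {s} has no matching PIX ACE" for s, d in sorted(mirrored - aces)]
    return out

NS_POLICY_BASED = """\
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set policy id 2 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust" "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2
"""
NS_ROUTE_BASED = """\
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "To-Cisco-VPN" bind interface tunnel.1
set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
set route 172.16.10.0/24 interface tunnel.1
"""
PIX = """\
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
"""
# Constructed, not from the article: a second inside network behind the PIX, i.e. two entries in access-list 101.
PIX_TWO_ACES = PIX.replace("crypto ipsec", "access-list 101 permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0\ncrypto ipsec", 1)
```

Called as `cross_check(NS_POLICY_BASED, PIX, "1.1.1.1", "2.2.2.1")` or with `NS_ROUTE_BASED`, the checker returns an empty list for both scenarios in the article. With `PIX_TWO_ACES` it returns one finding naming the 172.16.20.0/24 entry that the single route-based proxy ID cannot cover, which is exactly the situation step 4 tells you to handle with a policy-based VPN; changing the PIX line to `encryption 3des` instead produces a Phase 1 mismatch finding.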
Verifying the VPN connection
On the Juniper firewall, ping a host on the PIX inside network from the Trust interface, then check the Phase 1 and Phase 2 SAs. The first echo is normally lost while IKE negotiates the tunnel; the remaining echoes succeed once the SA is up.

ns-> ping 172.16.10.2 from eth2
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 1 seconds from ethernet2
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=3/7/20 ms

ns-> get ike cookie
Active: 1, Dead: 0, Total 1
80182f/0003, 1.1.1.1:500->2.2.2.1:500, PRESHR/grp2/DES/SHA, xchg(5) (ToCisco/grp-1/usr-1)
resent-tmr 14306744 lifetime 28800 lt-recv 28800 nxt_rekey 19542 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x10
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

ns-> get sa
total configured sa: 1
HEX ID     Gateway    Port  Algorithm      SPI       Life:sec  kb    Sta  PID  vsys
00000002<  2.2.2.1    500   esp: des/sha1  fdc08459  3589      403M  A/-  3    0
00000002>  2.2.2.1    500   esp: des/sha1  82752ea1  3589      403M  A/-  2    0

The Phase 1 line confirms pre-shared key, group 2, DES and SHA were negotiated with 2.2.2.1. The two SA rows are the inbound (<) and outbound (>) halves of tunnel ID 2; Sta A/- means the SA is active, and the PID column shows the policy IDs (3 inbound, 2 outbound) that use it in the policy-based scenario. For a route-based VPN the PID column shows -1 instead.
On the PIX:

pixfirewall# show crypto ipsec sa
interface: outside
    Crypto map tag: nsmap, local addr. 2.2.2.1
   local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0

The local and remote idents are the PIX view of the proxy IDs and must be the mirror image of the NetScreen policy or proxy ID. Matching, non-zero encaps and decaps counters show traffic flowing in both directions through the tunnel.