How to set up a VPN between a Juniper Firewall and a Cisco PIX
Summary:
Step-by-step instructions to set up a policy-based VPN between a Juniper Firewall and a Cisco PIX
Step-by-step instructions to set up a route-based VPN between a Juniper Firewall and a Cisco PIX
Problem or Goal: Step-by-step instructions to set up a route-based VPN between a Juniper Firewall and a Cisco PIX
- How to set up a VPN between a PIX and a Juniper NetScreen Firewall with a single access list
- A policy-based VPN is better suited to a PIX with multiple access lists
- How to verify the VPN connection
Juniper firewall/NetScreen configuration:
Untrust zone eth1 IP 1.1.1.1/24
Trust zone eth2 IP 10.1.1.1/24
Phase 1 Proposal pre-g2-des-sha
Phase 2 Proposal nopfs-esp-des-sha
Cisco PIX configuration:
Outside eth1 IP 2.2.2.1/24
Inside eth2 IP 172.16.10.1/24
Phase 1 Proposal pre-g2-des-sha
Phase 2 Proposal nopfs-esp-des-sha
Scenario 1 -- Juniper Netscreen Firewall using Policy-based VPN to Cisco PIX
In this scenario, the Juniper firewall is set up with a policy-based VPN, and the policy matches the access-list configured on the PIX.
Juniper Firewall Configuration
1. VPN Phase 1 Configuration
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2 Configuration
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Policy setup
set policy id 2 from "Trust" to "Untrust" "10.1.1.0/24" "172.16.10.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 3
set policy id 3 from "Untrust" to "Trust" "172.16.10.0/24" "10.1.1.0/24" "ANY" tunnel vpn "To-Cisco-VPN" id 2 pair-policy 2
PIX Firewall Configuration
1. VPN Phase 1 Configuration
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
2. VPN Phase 2 Configuration
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
Scenario 2 -- Juniper Netscreen Firewall using Route-based VPN to Cisco PIX
In this scenario, the PIX configuration is the same whether the Juniper firewall uses a policy-based or a route-based VPN. These steps document the route-based VPN on the Juniper firewall.
Juniper Firewall Configuration
1. VPN Phase 1
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
2. VPN Phase 2
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN"
set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet1
set vpn "To-Cisco-VPN" bind interface tunnel.1
4. Proxy ID setup. The proxy ID has to match the access-list on the PIX. This is a limitation of a route-based VPN on the Juniper firewall when multiple access-lists are configured on the PIX; in that case a policy-based VPN should be used instead.
set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
5. Set up a static route so that traffic destined for the remote inside network goes through the tunnel interface created in step 3.
set route 172.16.10.0/24 interface tunnel.1
PIX Firewall Configuration
1. VPN Phase 1 Configuration
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
2. VPN Phase 2 Configuration
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
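Phase 2 fails without much explanation when the ScreenOS proxy-ID (or, for a policy-based VPN, the tunnel policy) is not the exact mirror of the PIX crypto ACL, or when one proposal attribute differs between the two boxes. The following Python script is an added example for this article, not a Juniper or Cisco tool and not part of the original KB text: it parses the ScreenOS set lines and the PIX lines exactly as they appear above, translates the ScreenOS proposal names into the attributes the PIX expresses as separate commands, and reports every mismatch. The regular expressions, function names and sample strings are the example's own assumptions, and the name translation covers only the DES/3DES and MD5/SHA proposal names used on this page.

```python
"""Cross-check a ScreenOS VPN definition against the PIX crypto configuration.

Added example; not from the Juniper KB article and not a vendor tool.
Reports every attribute that would stop Phase 1 or Phase 2 from negotiating:
IKE proposal, IPsec transform set and PFS group, and the proxy-ID, which
must be the exact mirror of the crypto ACL referenced by the PIX crypto map.
"""
import ipaddress
import re

# Constructed sample input: the Scenario 2 lines from the article.
SCREENOS_CFG = """
set ike gateway "To-Cisco" address 2.2.2.1 Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "To-Cisco-VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 172.16.10.0/24 "ANY"
"""
PIX_CFG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer 1.1.1.1
crypto map nsmap 10 set transform-set nsset
"""

IKE_AUTH = {"pre": "pre-share", "rsa": "rsa-sig", "dsa": "dsa-sig"}


def screenos_ike_proposal(name):
    """'pre-g2-des-sha' -> the four attributes a PIX 'isakmp policy' sets."""
    auth, group, enc, hsh = name.split("-")
    return {"authentication": IKE_AUTH[auth], "group": group[1:],
            "encryption": enc, "hash": hsh}


def screenos_ipsec_proposal(name):
    """'nopfs-esp-des-sha' -> PIX transform names plus PFS group (None = no PFS)."""
    pfs, proto, enc, hsh = name.split("-")
    return {"pfs": None if pfs == "nopfs" else pfs[1:],
            "transforms": {f"{proto}-{enc}", f"{proto}-{hsh}-hmac"}}


def parse_screenos(cfg):
    """Pull peer, proposals and proxy-ID out of the ScreenOS 'set' lines.
    A route-based VPN states the proxy-ID explicitly; a policy-based VPN
    derives it from the outbound tunnel policy, so both forms are accepted."""
    out = {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r'set ike gateway "\S+" address (\S+) .*proposal "([^"]+)"', line):
            out["peer"], out["ike_proposal"] = m.group(1), m.group(2)
        elif m := re.match(r'set vpn "\S+" gateway "\S+" .*proposal "([^"]+)"', line):
            out["ipsec_proposal"] = m.group(1)
        elif m := re.match(r'set vpn "\S+" proxy-id local-ip (\S+) remote-ip (\S+)', line):
            out["proxy"] = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
        elif m := re.match(r'set policy id \d+ from "Trust" to "Untrust" "(\S+)" "(\S+)" "\S+" tunnel vpn', line):
            out.setdefault("proxy", (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))))
    return out


def parse_pix(cfg):
    """Collect the isakmp policy, crypto ACLs, transform sets and crypto-map entries."""
    out = {"isakmp": {}, "acls": {}, "transform_sets": {}, "crypto_map": {}}
    for line in cfg.splitlines():
        p = line.split()
        if p[:2] == ["isakmp", "policy"] and len(p) == 5:
            out["isakmp"][p[3]] = p[4]                     # e.g. encryption -> des
        elif p[:1] == ["access-list"] and p[2:4] == ["permit", "ip"]:
            out["acls"].setdefault(p[1], []).append(
                (ipaddress.ip_network(f"{p[4]}/{p[5]}"), ipaddress.ip_network(f"{p[6]}/{p[7]}")))
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform_sets"][p[3]] = set(p[4:])
        elif p[:2] == ["crypto", "map"] and len(p) > 5:
            out["crypto_map"][" ".join(p[4:-1])] = p[-1]  # 'match address' -> '101', 'set pfs' -> 'group2'
    return out


def check(js, pix):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = []
    for attr, want in screenos_ike_proposal(js["ike_proposal"]).items():
        got = pix["isakmp"].get(attr)
        if got != want:
            problems.append(f"phase 1 {attr}: ScreenOS {want}, PIX {got}")
    want2 = screenos_ipsec_proposal(js["ipsec_proposal"])
    got_ts = pix["transform_sets"].get(pix["crypto_map"].get("set transform-set"), set())
    if got_ts != want2["transforms"]:
        problems.append(f"phase 2 transforms: ScreenOS {sorted(want2['transforms'])}, PIX {sorted(got_ts)}")
    pix_pfs = pix["crypto_map"].get("set pfs")
    if (pix_pfs.replace("group", "") if pix_pfs else None) != want2["pfs"]:
        problems.append(f"PFS: ScreenOS group {want2['pfs']}, PIX {pix_pfs}")
    acl = pix["acls"].get(pix["crypto_map"].get("match address"), [])
    local, remote = js["proxy"]
    if len(acl) != 1:
        problems.append(f"crypto ACL has {len(acl)} entries; one proxy-ID can mirror only one")
    elif acl[0] != (remote, local):          # PIX src/dst must be ScreenOS remote/local
        problems.append(f"proxy-ID {local}->{remote} is not the mirror of ACL {acl[0][0]}->{acl[0][1]}")
    return problems


if __name__ == "__main__":
    for p in check(parse_screenos(SCREENOS_CFG), parse_pix(PIX_CFG)) or ["configs agree"]:
        print(p)
```

Run it against the two configurations above and it prints "configs agree"; change the PIX hash to md5 or add a `set pfs group2` to the crypto map and the corresponding mismatch is listed. The Scenario 1 policy line is accepted in place of the explicit proxy-id line, which is why the same script covers both scenarios.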
Useful commands to verify the VPN connection on the Juniper firewall:
ns-> ping 172.16.10.2 from eth2
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 1 seconds from ethernet2
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=3/7/20 ms
ns-> get ike cookie
Active: 1, Dead: 0, Total 1
80182f/0003, 1.1.1.1:500->2.2.2.1:500, PRESHR/grp2/DES/SHA, xchg(5) (To-Cisco/grp-1/usr-1)
resent-tmr 14306744 lifetime 28800 lt-recv 28800 nxt_rekey 19542 cert-expire 0
initiator, err cnt 0, send dir 0, cond 0x10
nat-traversal map not available
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0
ns-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 2.2.2.1 500 esp: des/sha1 fdc08459 3589 403M A/- 3 0
00000002> 2.2.2.1 500 esp: des/sha1 82752ea1 3589 403M A/- 2 0
Useful commands to verify the VPN connection on the PIX firewall:
pixfirewall# show crypto ipsec sa
interface: outside
Crypto map tag: nsmap, local addr. 2.2.2.1
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
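Reading these two outputs by hand is fine for one tunnel; with many tunnels a small parser that turns them into findings is more practical. The following Python script is an added example, not from the article and not a Juniper or Cisco tool. It takes the get sa table and the show crypto ipsec sa counters shown above (embedded as constructed sample input, trimmed to the lines it reads) and reports what an operator would act on: a missing active inbound or outbound SA, an SA close to rekey, one-way traffic (packets encapsulated but none decapsulated) and non-zero send errors. The column pattern for get sa and the counter names are assumptions based on the output shown here, and the 120-second rekey threshold is an arbitrary choice.

```python
"""Summarise tunnel state from 'get sa' (ScreenOS) and 'show crypto ipsec sa' (PIX).

Added example; not from the Juniper KB article. The sample strings below are
the outputs shown on the page, trimmed to the lines this script reads.
"""
import re

SCREENOS_GET_SA = """\
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 2.2.2.1 500 esp: des/sha1 fdc08459 3589 403M A/- 3 0
00000002> 2.2.2.1 500 esp: des/sha1 82752ea1 3589 403M A/- 2 0
"""
PIX_SHOW_SA = """\
current_peer: 1.1.1.1:500
#pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
#send errors 12, #recv errors 0
"""

# One 'get sa' row: <id><dir> <gateway> <port> <proto>: <alg> <spi> <life-sec> <kb> <status> ...
# '<' marks the inbound SA and '>' the outbound one; a status starting with 'A' is active.
# Column layout assumed from the output on the page.
SA_ROW = re.compile(r"^(?P<id>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
                    r"(?P<proto>\w+):\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)\s+"
                    r"(?P<kb>\S+)\s+(?P<sta>\S+)")


def parse_get_sa(text):
    """Return one dict per SA row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        if m := SA_ROW.match(line.strip()):
            row = m.groupdict()
            row["life"] = int(row["life"])
            row["inbound"] = row["dir"] == "<"
            row["active"] = row["sta"].startswith("A")
            rows.append(row)
    return rows


def parse_pix_counters(text):
    """'#pkts encaps: 37' / '#send errors 12' -> {'pkts encaps': 37, 'send errors': 12}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"#(pkts \w+|send errors|recv errors):?\s+(\d+)", text)}


def tunnel_health(get_sa_text, show_sa_text, rekey_warn_sec=120):
    """Combine both views into a list of findings; an empty list means all clear."""
    active = [s for s in parse_get_sa(get_sa_text) if s["active"]]
    c = parse_pix_counters(show_sa_text)
    findings = []
    if not any(s["inbound"] for s in active):
        findings.append("no active inbound SA on the ScreenOS side")
    if not any(not s["inbound"] for s in active):
        findings.append("no active outbound SA on the ScreenOS side")
    for s in active:
        if s["life"] < rekey_warn_sec:
            findings.append(f"SA {s['spi']} rekeys in {s['life']}s")
    # Encapsulated packets with nothing decapsulated means the far end never answers.
    if c.get("pkts encaps", 0) and not c.get("pkts decaps", 0):
        findings.append("one-way traffic: PIX encapsulates but decapsulates nothing")
    if c.get("send errors", 0):
        findings.append(f"PIX reports {c['send errors']} send errors")
    return findings


if __name__ == "__main__":
    for f in tunnel_health(SCREENOS_GET_SA, PIX_SHOW_SA) or ["tunnel healthy"]:
        print(f)
```

On the outputs above the only finding is the PIX send-error count; both SAs are active with 3589 seconds left and the encaps/decaps counters match, so the tunnel is passing traffic in both directions.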