Wednesday, February 20, 2013

Site-to-site VPN CISCO ASA to JUNIPER


Site to Site VPN tunnel config

[Cisco ASA & Juniper SSG ScreenOS]

Below is a config to create a VPN tunnel between a Cisco ASA (Blue side) and a Juniper SSG ScreenOS (Red side).

Juniper Settings:

Ethernet0/0: 22.22.22.22, Untrust
bgroup0: 172.16.22.1, Trust

Cisco ASA config (Blue):


!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! These settings must match the other side for Phase 1 to complete.
! Policies are tried in order of priority, so lower policy numbers are tried before higher ones.


crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE

! Define the pre-shared-key

tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! Create a crypto map entry that defines the tunnel

crypto map MAP-OUTSIDE 20 set peer 22.22.22.22

! ACL must be the exact mirror image of the other side's ACL (source and destination swapped)

crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN

! Transform set must match other side identically

crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000

! Apply crypto map to an interface

crypto map MAP-OUTSIDE interface OUTSIDE

!^^^^^^^ Routes and No-NATs ^^^^^^^!
! Point the remote network out the outside interface, with the default gateway as the next hop.


route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1

! Make sure that the VPN traffic is NOT NAT'd

access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

Juniper SSG-5 ScreenOS config (Red):


# Create a tunnel interface
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
# Create the gateway (IKE settings)
# note that "sec-level standard" means the IKE policies will try to use: pre-g2-3des-sha and pre-g2-aes128-sha
set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0 preshare "sekretk3y" sec-level standard
# Configure VPN IPSEC settings
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" id 1 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"
# Configure a route for the remote end traffic
set vrouter trust-vr route 192.168.11.0/24 interface tunnel.1
# Create two address book entries and two policies to permit this traffic
set address Untrust "192.168.11.0/24" 192.168.11.0/24
set address Trust "172.16.22.0/24" 172.16.22.0/24
set policy top from "Trust" to "Untrust" "172.16.22.0/24" "192.168.11.0/24" "ANY" Permit log count
set policy top from "Untrust" to "Trust" "192.168.11.0/24" "172.16.22.0/24" "ANY" Permit log count
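Added example, not part of the original post: a small Python check that parses the ASA ACL, transform-set and peer from the Blue config and the ScreenOS proxy-id, proposal and gateway lines from the Red config, and reports anything that is not the mirror image of the other side (the usual reason Phase 2 never comes up). The ASA OUTSIDE address 11.11.11.11 is an assumption, since the page only shows the 11.11.11.1 default gateway.

```python
import ipaddress
import re

# Constructed inputs copied from the two configs on this page. ASA_OUTSIDE is an
# assumption: the page shows only the ASA's default gateway (11.11.11.1).
ASA_ACL = ("access-list ACL-RED-VPN permit ip "
           "192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0")
ASA_PEER, ASA_OUTSIDE = "22.22.22.22", "11.11.11.11"
ASA_TRANSFORM, ASA_PFS = "esp-aes esp-sha-hmac", False
SSG_PROXY = 'set vpn "VPN" proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 "ANY"'
SSG_GATEWAY = 'set ike gateway "VPN-GATEWAY" ip 11.11.11.11 outgoing-interface ethernet0/0'
SSG_PROPOSAL, SSG_UNTRUST = "nopfs-esp-aes128-sha", "22.22.22.22"

def asa_acl_networks(acl):
    """(source, destination) networks from an ASA 'permit ip A MASK B MASK' entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$", acl)
    return tuple(ipaddress.ip_network(f"{m.group(i)}/{m.group(i + 1)}") for i in (1, 3))

def ssg_proxy_id(line):
    """(local, remote) networks from a ScreenOS 'set vpn ... proxy-id' line."""
    m = re.search(r"local-ip (\S+) remote-ip (\S+)", line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))

def ssg_proposal(name):
    """ScreenOS proposal name, e.g. nopfs-esp-aes128-sha, as (pfs, cipher, hash)."""
    pfs, _proto, cipher, digest = name.split("-")
    return pfs != "nopfs", cipher, digest

def asa_transform(transform_set, pfs):
    """ASA transform-set as (pfs, cipher, hash); 'esp-aes' is AES-128, 'esp-sha-hmac' is SHA-1."""
    ciphers = {"esp-aes": "aes128", "esp-aes-192": "aes192", "esp-aes-256": "aes256", "esp-3des": "3des"}
    digests = {"esp-sha-hmac": "sha", "esp-md5-hmac": "md5"}
    enc, mac = transform_set.split()
    return pfs, ciphers[enc], digests[mac]

def check_tunnel(asa_acl=ASA_ACL, ssg_proxy=SSG_PROXY, asa_ts=ASA_TRANSFORM, asa_pfs=ASA_PFS, ssg_prop=SSG_PROPOSAL):
    """Return the list of mismatches between the two sides (empty means they line up)."""
    problems = []
    src, dst = asa_acl_networks(asa_acl)
    local, remote = ssg_proxy_id(ssg_proxy)
    if (src, dst) != (remote, local):  # ACL must be the exact mirror of the proxy-id
        problems.append(f"proxy-id not mirrored: ASA {src}->{dst}, SSG {local}->{remote}")
    if ssg_proposal(ssg_prop) != asa_transform(asa_ts, asa_pfs):
        problems.append("Phase 2 proposal and transform-set (or PFS setting) differ")
    if ASA_PEER != SSG_UNTRUST:
        problems.append("ASA peer address is not the SSG Untrust address")
    if re.search(r"\sip (\S+)", SSG_GATEWAY).group(1) != ASA_OUTSIDE:
        problems.append("SSG gateway address is not the ASA OUTSIDE address")
    return problems
```

Running `check_tunnel()` against the configs above returns an empty list; change one side's proxy-id or proposal name and the offending parameter is reported.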
