fir3net
How do I configure a Site to Site VPN between a Cisco ASA and Juniper Netscreen with overlapping encryption domains ?

Purpose

The purpose of this article is to describe the steps required to create a site-to-site VPN between a Cisco ASA and a Juniper Netscreen when the subnets behind the two firewalls overlap.

Example

In this example each side has a local endpoint of 192.168.10.0/24. Because the two subnets overlap, each side presents its endpoint to the other as a different subnet by NATing it. These subnets are:

                  REAL              NAT
Local Endpoint    192.168.10.0/24   172.16.1.0/24
Remote Endpoint   192.168.10.0/24   172.16.2.0/24

The peer IPs for each side are:

                  VENDOR              PEER
Local Peer        Juniper Netscreen   1.1.1.1
Remote Peer       Cisco ASA           2.2.2.2

Topology

The topology the example is based on: the Juniper Netscreen (peer 1.1.1.1) with 192.168.10.0/24 behind it, presented to the remote side as 172.16.1.0/24, and the Cisco ASA (peer 2.2.2.2) with 192.168.10.0/24 behind it, presented as 172.16.2.0/24, with the IPsec tunnel running between the two peer addresses.

Netscreen

Below are the Juniper Netscreen configuration steps. The configuration is mostly standard; the interesting part is the combination of a route-based VPN with an interface-based MIP. A MIP is a static, bidirectional one-to-one translation, and giving it a netmask of 255.255.255.0 makes it a network MIP that maps the whole of 172.16.1.0/24 onto 192.168.10.0/24. Because the MIP is assigned to the tunnel interface, only traffic entering or leaving via tunnel.1 is translated. Then, as with any route-based VPN, a route sends only traffic for the remote endpoint (172.16.2.0/24) to the tunnel interface, so nothing else is NATed.

Configure Tunnel Interface

set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 172.16.1.1/24

set interface tunnel.1 mip 172.16.1.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"

Configure Routes

set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.100
set route 172.16.2.0/24 interface tunnel.1

Address Books

set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 172.16.2.0 255.255.255.0

Configure VPN

set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1

set ike gateway "remote-ike" address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare "abc123" proposal "ike-proposal1"

set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24 "ANY"
set vpn "remote-vpn" bind interface tunnel.1

Configure Policy 

set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(172.16.1.0/24)" "ANY" permit


Cisco ASA

Below are the Cisco ASA configuration steps. The configuration is a standard site-to-site VPN with the addition of a policy NAT statement. The policy NAT consists of an access-list that defines the source and destination, i.e. when the translation is triggered, and a static statement that translates the source address defined in the POLICYNAT-100 ACL (192.168.10.0/24, which can be thought of as the real address) to the mapped address given in the static itself (172.16.2.0/24). Because the ACL also matches on the destination (172.16.1.0/24), only traffic bound for the remote endpoint is translated; all other traffic from 192.168.10.0/24 keeps its real address. The crypto ACL (ENCDOM-100) is written in terms of the translated addresses on both sides, since NAT is applied before encryption, so that it mirrors the Netscreen proxy-ID. The static/access-list form shown here is the pre-8.3 NAT syntax; ASA 8.3 and later express the same policy NAT with object or twice NAT.

Configure NAT

access-list POLICYNAT-100 permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 255.255.255.0 access-list POLICYNAT-100

Configure VPN

access-list ENCDOM-100 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key abc123

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside 100 set pfs group2
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 1.1.1.1

Configure Policy

access-list inside permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
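The Netscreen MIP and the ASA policy NAT described above, together with the two phase 2 selectors (the Netscreen proxy-ID and ENCDOM-100), modelled in Python as an added example. This is not code from the article or from either vendor: the function names (`translate`, `trace`, `selectors_mirror` and so on) and the host addresses 192.168.10.10 and 192.168.10.20 are this example's own assumptions, while the subnets and selectors are the ones configured on the page. It traces one request from a host behind the Netscreen to a host behind the ASA and the reply, showing the addresses on the LAN, on the wire and after each translation, and checks at each hop that the packet still falls inside the selector the receiving side will enforce.

```python
"""Traces one request and reply through the two NAT rules and two traffic
selectors configured above.  Added example, not code from the article or
from either vendor; the function names and the .10/.20 host addresses are
this example's own assumptions."""
import ipaddress
from dataclasses import dataclass

REAL = ipaddress.ip_network("192.168.10.0/24")       # the overlapping subnet used at both sites
NS_MAPPED = ipaddress.ip_network("172.16.1.0/24")    # Netscreen side, via the MIP on tunnel.1
ASA_MAPPED = ipaddress.ip_network("172.16.2.0/24")   # ASA side, via the policy NAT static

# Phase 2 traffic selectors as configured on the page, each as (source, destination)
# from that device's own point of view.
NS_PROXY_ID = (NS_MAPPED, ASA_MAPPED)     # proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24
ASA_CRYPTO_ACL = (ASA_MAPPED, NS_MAPPED)  # access-list ENCDOM-100 permit ip 172.16.2.0/24 172.16.1.0/24


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def translate(addr, from_net, to_net):
    """One-to-one network NAT: keep the host bits, swap the network bits."""
    if addr not in from_net:
        return addr
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def netscreen_outbound(pkt):
    """Trust -> vpn.  Only 172.16.2.0/24 is routed to tunnel.1; the MIP on that
    interface rewrites the source 192.168.10.x to 172.16.1.x on the way out.
    Anything else takes the default route, returned here as None."""
    if pkt.dst not in ASA_MAPPED:
        return None
    return Packet(translate(pkt.src, REAL, NS_MAPPED), pkt.dst)


def netscreen_inbound(pkt):
    """vpn -> Trust.  A destination of 172.16.1.x matches MIP(172.16.1.0/24)
    and is mapped back to the real 192.168.10.x host."""
    return Packet(pkt.src, translate(pkt.dst, NS_MAPPED, REAL))


def asa_outbound(pkt):
    """inside -> outside.  The static fires only when POLICYNAT-100 matches:
    source 192.168.10.0/24 AND destination 172.16.1.0/24."""
    if pkt.src in REAL and pkt.dst in NS_MAPPED:
        return Packet(translate(pkt.src, REAL, ASA_MAPPED), pkt.dst)
    return pkt


def asa_inbound(pkt):
    """outside -> inside.  Reverse of the same static, 172.16.2.x -> 192.168.10.x,
    only for packets arriving from 172.16.1.0/24."""
    if pkt.src in NS_MAPPED and pkt.dst in ASA_MAPPED:
        return Packet(pkt.src, translate(pkt.dst, ASA_MAPPED, REAL))
    return pkt


def selectors_mirror(ns_proxy_id, asa_acl):
    """Phase 2 only completes if the Netscreen's local/remote equal the ASA's dst/src."""
    ns_local, ns_remote = ns_proxy_id
    asa_src, asa_dst = asa_acl
    return ns_local == asa_dst and ns_remote == asa_src


def in_selector(pkt, selector):
    src_net, dst_net = selector
    return pkt.src in src_net and pkt.dst in dst_net


def trace(ns_host, asa_host):
    """Request from ns_host (behind the Netscreen) to asa_host (behind the ASA,
    addressed by its mapped 172.16.2.x address) and the reply.  Returns the
    packet as seen at each step; raises if a step would drop or not encrypt it."""
    steps = {}
    src = ipaddress.ip_address(ns_host)
    dst = translate(ipaddress.ip_address(asa_host), REAL, ASA_MAPPED)
    steps["ns_lan"] = Packet(src, dst)

    wire = netscreen_outbound(steps["ns_lan"])
    if wire is None:
        raise RuntimeError("not routed to tunnel.1")
    if not in_selector(wire, NS_PROXY_ID):
        raise RuntimeError("outside the Netscreen proxy-id")
    if not in_selector(wire, (ASA_CRYPTO_ACL[1], ASA_CRYPTO_ACL[0])):
        raise RuntimeError("ASA would drop: decrypted packet outside ENCDOM-100")
    steps["on_wire"] = wire
    steps["asa_lan"] = asa_inbound(wire)

    reply = Packet(steps["asa_lan"].dst, steps["asa_lan"].src)
    reply_wire = asa_outbound(reply)
    if not in_selector(reply_wire, ASA_CRYPTO_ACL):
        raise RuntimeError("reply not matched by ENCDOM-100, would go in the clear")
    steps["reply_on_wire"] = reply_wire
    steps["reply_ns_lan"] = netscreen_inbound(reply_wire)
    if steps["reply_ns_lan"].dst != src:
        raise RuntimeError("reply did not return to the original host")
    return steps


if __name__ == "__main__":
    assert selectors_mirror(NS_PROXY_ID, ASA_CRYPTO_ACL)
    for name, pkt in trace("192.168.10.10", "192.168.10.20").items():
        print(f"{name:14} {pkt.src} -> {pkt.dst}")
```

The most common failure with this design is a phase 2 mismatch caused by one side writing its selector in real rather than translated addresses; calling `selectors_mirror(NS_PROXY_ID, (REAL, NS_MAPPED))`, i.e. an ENCDOM-100 written as 192.168.10.0/24 to 172.16.1.0/24, returns False. `trace` also shows why the ASA policy NAT must match on destination: a packet from 192.168.10.x to anything other than 172.16.1.0/24 passes `asa_outbound` untranslated.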

Tags: ASA, VPN, Juniper, Netscreen

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001