• Home
  • Articles
  • Firewalls
  • Juniper
  • How do I configure a Site to Site VPN between a Cisco ASA and Juniper Netscreen with overlapping encryption domains ?

How do I configure a Site to Site VPN between a Cisco ASA and Juniper Netscreen with overlapping encryption domains ?


The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets.


Within this example each side will have an endpoint of Because of this both sides will present their endpoint as a different subnet via the use of NAT. These subnets will be :

Local Endpoint
Remote Endpoint

In terms of the Peer IP`s for each side, these are :

Local Peer Juniper Netscreen
Remote Peer Cisco ASA


Below shows the network topology that our example is based upon.




Below shows the Juniper Netscreen configuration steps. The configuration is pretty standard. However one interesting point is the way in which a route based VPN with an interface based MIP is used. To ensure that only traffic destined to our remote endpoint ( is NAT`d we create a network based MIP which is assigned to the tunnel interface. Then just like any standard route based VPN a route is created ensuring that only traffic for the remote endpoint is sent to the tunnel interface.

Configure Tunnel Interface

set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip

set interface tunnel.1 mip host netmask vrouter “trust-vr”

Configure Routes

set route interface ethernet0/3 gateway
set route interface tunnel.1

Address Books

set address "Trust" "local-net"
set address "vpn" "remote-net"

Configure VPN

set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1

set ike gateway "remote-ike" address Main outgoing-interface ethernet0/3 preshare "abc123" proposal "ike-proposal1"

set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" proxy-id local-ip remote-ip "ANY"
set vpn "remote-vpn" bind interface tunnel.1

Configure Policy 

set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(" "ANY" permit

Cisco ASA

Below shows the Cisco ASA configuration steps. The configuration consists of a standard VPN setup with the addition of a policy based NAT statement. This statement consists of an access-list which defines the source and destination i.e when should this statement be triggered. The static statement then uses the source address ( (that is defined within the POLICYNAT-100 ACL and which can also be thought of as the real address), against the NAT address of (that is defined within the static statement itself).

Configure NAT

access-list POLICYNAT-100 permit ip
static (inside,outside) access-list POLICYNAT-100

Configure VPN

access-list ENCDOM-100 permit ip

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
     pre-shared-key abc123

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside set transform-set ESP-3DES-SHA
crypto map outside set pfs group2
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer

Configure Policy

access-list inside permit ip

Tags: ASA, VPN, Juniper, Netscreen

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001