How do I configure a Site to Site VPN between a Cisco ASA and Juniper Netscreen with overlapping encryption domains ?
The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets.
Within this example each side will have an endpoint of 192.168.10.0/24. Because of this both sides will present their endpoint as a different subnet via the use of NAT. These subnets will be :
In terms of the Peer IP`s for each side, these are :
|Local Peer||Juniper Netscreen||18.104.22.168|
|Remote Peer||Cisco ASA||22.214.171.124|
Below shows the network topology that our example is based upon.
Below shows the Juniper Netscreen configuration steps. The configuration is pretty standard. However one interesting point is the way in which a route based VPN with an interface based MIP is used. To ensure that only traffic destined to our remote endpoint (172.16.2.0/24) is NAT`d we create a network based MIP which is assigned to the tunnel interface. Then just like any standard route based VPN a route is created ensuring that only traffic for the remote endpoint is sent to the tunnel interface.
Configure Tunnel Interface
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 172.16.1.1/24
set interface tunnel.1 mip 172.16.1.1 host 192.168.10.1 netmask 255.255.255.0 vrouter “trust-vr”
set route 0.0.0.0/0 interface ethernet0/3 gateway 126.96.36.199
set route 172.16.2.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 172.16.2.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "remote-ike" address 188.8.131.52 Main outgoing-interface ethernet0/3 preshare "abc123" proposal "ike-proposal1"
set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24 "ANY"
set vpn "remote-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(172.16.1.0/24)" "ANY" permit
Below shows the Cisco ASA configuration steps. The configuration consists of a standard VPN setup with the addition of a policy based NAT statement. This statement consists of an access-list which defines the source and destination i.e when should this statement be triggered. The static statement then uses the source address (192.168.10.0/24) (that is defined within the POLICYNAT-100 ACL and which can also be thought of as the real address), against the NAT address of 172.16.2.0/24 (that is defined within the static statement itself).
access-list POLICYNAT-100 permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 255.255.255.0 access-list POLICYNAT-100
access-list ENCDOM-100 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside set transform-set ESP-3DES-SHA
crypto map outside set pfs group2
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 18.104.22.168
access-list inside permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0