Cisco ASA & Juniper Netscreen VPN Overlapping Encryption Domains


The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets.


Within this example each side will have an endpoint of Because of this both sides will present their endpoint as a different subnet via the use of NAT. These subnets will be :

Local Endpoint192.168.10.0/24172.16.1.0/24
Remote Endpoint192.168.10.0/24172.16.2.0/24

In terms of the Peer IP`s for each side, these are :

Local PeerJuniper Netscreen1.1.1.1
Remote PeerCisco ASA2.2.2.2


Below shows the network topology that our example is based upon.




Below shows the Juniper Netscreen configuration steps. The configuration is pretty standard. However one interesting point is the way in which a route based VPN with an interface based MIP is used. To ensure that only traffic destined to our remote endpoint ( is NAT`d we create a network based MIP which is assigned to the tunnel interface. Then just like any standard route based VPN a route is created ensuring that only traffic for the remote endpoint is sent to the tunnel interface.

Configure Tunnel Interface

set interface tunnel.1 zone “vpn”
set interface tunnel.1 ip

set interface tunnel.1 mip host netmask vrouter “trust-vr”

Configure Routes

set route interface ethernet0/3 gateway
set route interface tunnel.1

Address Books

set address “Trust” “local-net”
set address “vpn” “remote-net”

Configure VPN

set ike p1-proposal “ike-proposal1” preshare group2 esp 3des sha-1
set ike p2-proposal “vpn-proposal1” group2 esp 3des sha-1

set ike gateway “remote-ike” address Main outgoing-interface ethernet0/3 preshare “abc123” proposal “ike-proposal1”

set vpn “remote-vpn” gateway “remote-ike” proposal “vpn-proposal1”
set vpn “remote-vpn” proxy-id local-ip remote-ip “ANY”
set vpn “remote-vpn” bind interface tunnel.1

Configure Policy 

set policy from “Trust” to “vpn” “local-net” “remote-net” “ANY” permit
set policy from “vpn” to “Trust” “remote-net” “MIP(” “ANY” permit

Cisco ASA

Below shows the Cisco ASA configuration steps. The configuration consists of a standard VPN setup with the addition of a policy based NAT statement. This statement consists of an access-list which defines the source and destination i.e when should this statement be triggered. The static statement then uses the source address ( (that is defined within the POLICYNAT-100 ACL and which can also be thought of as the real address), against the NAT address of (that is defined within the static statement itself).

Configure NAT

access-list POLICYNAT-100 permit ip
static (inside,outside) access-list POLICYNAT-100

Configure VPN

access-list ENCDOM-100 permit ip

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key abc123

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside set transform-set ESP-3DES-SHA
crypto map outside set pfs group2
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer

Configure Policy

access-list inside permit ip

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial