Purpose
The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets.
Example
Within this example each side will have an endpoint of 192.168.10.0/24. Because of this both sides will present their endpoint as a different subnet via the use of NAT. These subnets will be :
REAL | NAT | |
Local Endpoint | 192.168.10.0/24 | 172.16.1.0/24 |
Remote Endpoint | 192.168.10.0/24 | 172.16.2.0/24 |
In terms of the Peer IP`s for each side, these are :
VENDOR | PEER | |
Local Peer | Juniper Netscreen | 1.1.1.1 |
Remote Peer | Cisco ASA | 2.2.2.2 |
Topology
Below shows the network topology that our example is based upon.
Netscreen
Below shows the Juniper Netscreen configuration steps. The configuration is pretty standard. However one interesting point is the way in which a route based VPN with an interface based MIP is used. To ensure that only traffic destined to our remote endpoint (172.16.2.0/24) is NAT`d we create a network based MIP which is assigned to the tunnel interface. Then just like any standard route based VPN a route is created ensuring that only traffic for the remote endpoint is sent to the tunnel interface.
Configure Tunnel Interface
set interface tunnel.1 zone “vpn”
set interface tunnel.1 ip 172.16.1.1/24
set interface tunnel.1 mip 172.16.1.1 host 192.168.10.1 netmask 255.255.255.0 vrouter “trust-vr”
Configure Routes
set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.100
set route 172.16.2.0/24 interface tunnel.1
Address Books
set address “Trust” “local-net” 192.168.10.0 255.255.255.0
set address “vpn” “remote-net” 172.16.2.0 255.255.255.0
Configure VPN
set ike p1-proposal “ike-proposal1” preshare group2 esp 3des sha-1
set ike p2-proposal “vpn-proposal1” group2 esp 3des sha-1
set ike gateway “remote-ike” address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare “abc123” proposal “ike-proposal1”
set vpn “remote-vpn” gateway “remote-ike” proposal “vpn-proposal1”
set vpn “remote-vpn” proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24 “ANY”
set vpn “remote-vpn” bind interface tunnel.1
Configure Policy
set policy from “Trust” to “vpn” “local-net” “remote-net” “ANY” permit
set policy from “vpn” to “Trust” “remote-net” “MIP(172.16.1.0/24)” “ANY” permit
Cisco ASA
Below shows the Cisco ASA configuration steps. The configuration consists of a standard VPN setup with the addition of a policy based NAT statement. This statement consists of an access-list which defines the source and destination i.e when should this statement be triggered. The static statement then uses the source address (192.168.10.0/24) (that is defined within the POLICYNAT-100 ACL and which can also be thought of as the real address), against the NAT address of 172.16.2.0/24 (that is defined within the static statement itself).
Configure NAT
access-list POLICYNAT-100 permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 255.255.255.0 access-list POLICYNAT-100
Configure VPN
access-list ENCDOM-100 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key abc123
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside set transform-set ESP-3DES-SHA
crypto map outside set pfs group2
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 1.1.1.1
Configure Policy
access-list inside permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
- How to Configure a BIND Server on Ubuntu - March 15, 2018
- What is a BGP Confederation? - March 6, 2018
- Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018
Want to become an IT Security expert?
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial