- Remote Endpoint: 192.168.10.0/24 (real) is presented to the other side as 172.16.2.0/24 (NAT'd)

In terms of the peer IPs for each side, these are:

| | VENDOR | PEER |
|---|---|---|
| Local Peer | Juniper Netscreen | 1.1.1.1 |
| Remote Peer | Cisco ASA | 2.2.2.2 |

### Topology

Below shows the network topology that our example is based upon.

[Network topology diagram]

### Netscreen

Below shows the Juniper Netscreen configuration steps. The configuration is pretty standard. However, one interesting point is the way in which a route based VPN with an interface based MIP is used. To ensure that only traffic destined to our remote endpoint (172.16.2.0/24) is NAT'd, we create a network based MIP which is assigned to the tunnel interface. Then, just like any standard route based VPN, a route is created ensuring that only traffic for the remote endpoint is sent to the tunnel interface.

#### Configure Tunnel Interface

```
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 172.16.1.1/24
set interface tunnel.1 mip 172.16.1.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"
```

#### Configure Routes

```
set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.100
set route 172.16.2.0/24 interface tunnel.1
```

#### Address Books

```
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 172.16.2.0 255.255.255.0
```

#### Configure VPN

```
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "remote-ike" address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare "abc123" proposal "ike-proposal1"
set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" proxy-id local-ip 172.16.1.0/24 remote-ip 172.16.2.0/24 "ANY"
set vpn "remote-vpn" bind interface tunnel.1
```

#### Configure Policy

```
set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(172.16.1.0/24)" "ANY" permit
```

### Cisco ASA

Below shows the Cisco ASA configuration steps. The configuration consists of a standard VPN setup with the addition of a policy based NAT statement. This statement consists of an access-list which defines the source and destination, i.e. when this statement should be triggered. The static statement then uses the source address (192.168.10.0/24) that is defined within the POLICYNAT-100 ACL (which can also be thought of as the real address), against the NAT address of 172.16.2.0/24 (that is defined within the static statement itself).

#### Configure NAT

```
access-list POLICYNAT-100 permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 255.255.255.0 access-list POLICYNAT-100
```

#### Configure VPN

```
access-list ENCDOM-100 permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key abc123

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside 100 match address ENCDOM-100
crypto map outside 100 set peer 1.1.1.1
crypto map outside 100 set transform-set ESP-3DES-SHA
crypto map outside 100 set pfs group2
```
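The part of this setup that most often goes wrong is not the crypto but the bookkeeping: the Netscreen proxy-id must be the exact mirror of the ASA's ENCDOM-100 ACL, the ASA's policy-NAT ACL must point at the Netscreen's MIP range, and each side must only NAT traffic that is actually headed into the tunnel, otherwise the overlapping 192.168.10.0/24 ranges collide. The following Python script is an added example (not from the original article, and not a tool from Juniper or Cisco) that models the page's four address ranges and both sides' Phase 2 selectors, checks the consistency rules above, and traces a single packet from a host behind the Netscreen to a host behind the ASA, showing the address rewrite at each hop. The host addresses used in the trace are constructed sample values; the one-to-one "keep the host bits, swap the network bits" translation is an assumption about how a network MIP and a network static behave.

```python
import ipaddress

# Networks taken from the page's example (the two real LANs deliberately overlap).
LOCAL_REAL = ipaddress.ip_network("192.168.10.0/24")   # hosts behind the Netscreen
LOCAL_NAT = ipaddress.ip_network("172.16.1.0/24")      # Netscreen network MIP on tunnel.1
REMOTE_REAL = ipaddress.ip_network("192.168.10.0/24")  # hosts behind the ASA (same range!)
REMOTE_NAT = ipaddress.ip_network("172.16.2.0/24")     # ASA policy-NAT (static) range

# Phase 2 selectors as configured on each side of the page's example.
NETSCREEN_PROXY_ID = (LOCAL_NAT, REMOTE_NAT)     # proxy-id local-ip, remote-ip
ASA_CRYPTO_ACL = (REMOTE_NAT, LOCAL_NAT)         # ENCDOM-100: source, destination
ASA_POLICY_NAT_ACL = (REMOTE_REAL, LOCAL_NAT)    # POLICYNAT-100: source, destination


def translate_1to1(addr, from_net, to_net):
    """Static one-to-one network translation: keep the host part of the address
    and swap the network part. Assumed model of a ScreenOS network MIP and an
    ASA network 'static', which map a whole /24 onto another /24 host-for-host."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net or from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"{addr} is not in {from_net} or prefix lengths differ")
    host_part = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_part)


def selectors_mirror(ns_proxy_id, asa_acl):
    """Phase 2 only negotiates if the Netscreen proxy-id is the mirror image
    of the ASA crypto ACL (local/remote swapped)."""
    ns_local, ns_remote = ns_proxy_id
    asa_src, asa_dst = asa_acl
    return ns_local == asa_dst and ns_remote == asa_src


def nat_acl_consistent(asa_policy_nat_acl, ns_proxy_id):
    """The ASA only translates its LAN when the destination is the Netscreen's
    MIP range, so the policy-NAT ACL destination must equal proxy-id local-ip."""
    return asa_policy_nat_acl[1] == ns_proxy_id[0]


def trace_local_to_remote(src_real, dst):
    """Follow one packet from a host behind the Netscreen to a host behind the
    ASA, applying the translations the page describes, and report the
    addresses seen at each hop."""
    dst = ipaddress.ip_address(dst)
    # The Netscreen route only sends 172.16.2.0/24 to tunnel.1; anything else
    # (including the overlapping 192.168.10.0/24) stays in the local LAN.
    if dst not in REMOTE_NAT:
        return {"delivered": False, "reason": f"{dst} is not routed to tunnel.1"}
    # Outbound through tunnel.1 the network MIP rewrites the source into 172.16.1.0/24.
    src_on_wire = translate_1to1(src_real, LOCAL_REAL, LOCAL_NAT)
    ns_local, ns_remote = NETSCREEN_PROXY_ID
    if src_on_wire not in ns_local or dst not in ns_remote:
        return {"delivered": False, "reason": "packet does not match the proxy-id"}
    # On the ASA the static policy NAT un-translates 172.16.2.x to the real host.
    dst_real = translate_1to1(dst, REMOTE_NAT, REMOTE_REAL)
    return {
        "delivered": True,
        "src_on_wire": str(src_on_wire),
        "dst_on_wire": str(dst),
        "dst_real": str(dst_real),
        # Replies arrive sourced from 172.16.2.x and hit the MIP policy on the
        # Netscreen, which maps the destination back to the real local host.
        "reply_dst_real": str(translate_1to1(src_on_wire, LOCAL_NAT, LOCAL_REAL)),
    }


if __name__ == "__main__":
    print("selectors mirror:", selectors_mirror(NETSCREEN_PROXY_ID, ASA_CRYPTO_ACL))
    print("policy NAT consistent:", nat_acl_consistent(ASA_POLICY_NAT_ACL, NETSCREEN_PROXY_ID))
    print(trace_local_to_remote("192.168.10.50", "172.16.2.50"))
    print(trace_local_to_remote("192.168.10.50", "192.168.10.60"))
```

Running it shows that a local host 192.168.10.50 talking to 172.16.2.50 leaves the Netscreen as 172.16.1.50 and reaches the real 192.168.10.50 behind the ASA, while a packet addressed directly to 192.168.10.60 never enters the tunnel, which is exactly why each side must address the other by its NAT'd range.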