How do I Set Up a VPN Between My NetScreen and My Cisco PIX?
In this example, we are using ScreenOS 4.0 on the NetScreen, and software version 6.1.(1) on the Cisco PIX. Occasionally, it is necessary to create an IPSec VPN tunnel to a non-NetScreen firewall. This article provides a general outline of the configuration needed to establish an IPSec VPN tunnel between a NetScreen device and a Cisco PIX firewall. The reader should have some basic knowledge of both NetScreen ScreenOS 4.0 and the Cisco PIX software. The lists below show the addresses and proposals we will use for this example:
NetScreen:
- Untrust IP of device 1.1.1.1
- Trust Network 10.1.1.0/24
- Phase 1 Proposal pre-g2-3des-sha
- Phase 2 Proposal g2-esp-3des-sha
Cisco PIX:
- Untrust IP of device 2.2.2.1
- Trust Network 172.16.10.0/24
- Phase 1 Proposal 3des-sha
- Phase 2 Proposal 3des-sha
To configure a NetScreen to Cisco PIX IPSec VPN, perform the steps below, first on the NetScreen and then on the Cisco PIX.
This article applies to ScreenOS 4.0 and 5.0.
To configure the NetScreen side of your NetScreen to Cisco PIX IPSec VPN, perform the following steps:
In this example, we will use a Route-Based VPN on our NetScreen.
Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen Using the WebUI.
From the NetScreen options menu, click Network, and then click Interfaces.
Click New.
From the Tunnel Interface Name text box, enter a tunnel name.
For this example, we have entered 1.
From the Zone drop-down menu, select a Zone.
For this example, we have selected Untrust (trust-vr).
Click to select Unnumbered. From the Interface drop-down menu, select an Interface.
For this example, we have selected ethernet (trust-vr).
Click OK.
From the NetScreen options menu, click VPNs, select AutoKey Advanced, and then click Gateway.
Click New.
In the Gateway Name text box, enter a Gateway Name.
For this example, we have entered Site B GW.
From Security Level, click to select Custom.
From Remote Gateway Type, click to select Static IP Address, and enter an IP Address/Hostname.
For this example, we have entered 2.2.2.1.
In the Preshared Key text box, enter a Preshared Key.
For this example, we have entered netscreen.
From the Outgoing Interface drop-down menu, click to choose an Outgoing Interface. Click Advanced.
For this example, we have selected Untrust.
From the Phase 1 Proposal drop-down menu, click to choose a Phase 1 Proposal.
For this example, we have selected pre-g2-3des-sha.
Click to select Mode (Initiator). Click Return.
Click OK.
From the NetScreen options menu, click VPNs, and then click AutoKey IKE.
Click New.
In the VPN Name text box, enter a VPN Name. From Security Level, click to select Custom.
For this example, we have entered Site B VPN.
From Remote Gateway, click to select Predefined. From the Remote Gateway drop-down menu, click to select Site B GW.
Click Advanced.
From the Phase 2 Proposal drop-down menu, select a Phase 2 Proposal.
For this example, we have selected g2-esp-3des-sha.
From Bind to, click to select Tunnel Interface. From the Tunnel Interface drop-down menu, click to select tunnel.1.
Click to select Proxy-ID. In the Local IP/Netmask text box, enter a Local IP/Netmask, and then in the Remote IP/Netmask text box, enter a Remote IP/Netmask.
For this example, we have entered 10.1.1.0/24 for our Local IP/Netmask and 172.16.10.0/24 for the Remote IP/Netmask.
From the Service drop-down menu, click to select ANY. Click Return.
Click OK.
From the NetScreen options menu, click Policies.
In the From drop-down menu, click to select Trust. In the To drop-down menu, click to select Untrust.
Click New.
From Source Address, click to select New Address, and enter a New Address.
For this example, we have entered 10.1.1.0/24.
From Destination Address, click to select New Address, and enter a New Address.
For this example, we have entered 172.16.10.0/24.
In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.
Click to select Position at Top.
Click OK.
In the From drop-down menu, click to select Untrust. In the To drop-down menu, click to select Trust.
Click New.
From Source Address, click to select New Address, and enter a New Address.
For this example, we have entered 172.16.10.0/24.
From Destination Address, click to select New Address, and enter a New Address.
For this example, we have entered 10.1.1.0/24.
In the Service drop-down menu, click to select ANY. From the Action drop-down menu, click to select Permit.
Click to select Position at Top.
Click OK.
From the NetScreen options menu, click Network, select Routing, and then click Routing Table.
Click New.
Under Virtual Router Name, in the Network Address/Netmask text boxes, enter a Network Address/Netmask.
For this example, we have entered 172.16.10.0/255.255.255.0.
Click to select Gateway. From the Interface drop-down menu, click to select tunnel.1.
Click OK.
Juniper Networks is not responsible for anything regarding these articles, nor is there any guarantee that they are accurate.
Cisco PIX is a trademark of Cisco Systems, Inc.
To configure the IPSec VPN on the Cisco PIX, perform the following steps:
1. Configure the access list. For this example, we entered 10.1.1.0 255.255.255.0 for the remote network, and 172.16.10.0 255.255.255.0 for the local network. The access list defines which IP traffic is or is not protected by IPSec. These settings are similarly configured on the NetScreen in the AutoKey IKE, Policies, and Route areas.
2. Configure the crypto settings. In this example, the settings in Step 2 include the six necessary crypto steps. The crypto ipsec and crypto map settings are similarly configured in the AutoKey IKE/Gateway areas of the NetScreen. These settings are basically part of Phase 1 in relation to the NetScreen.
3. Configure the isakmp settings. In this example, the settings in Step 3 include the seven necessary isakmp steps. The isakmp settings are similarly configured in the AutoKey Advanced and Gateway areas of the NetScreen. These settings are basically part of Phase 2 in relation to the NetScreen.
NetScreen devices have a default lifetime of 28800 seconds (8 hours), while the Cisco PIX typically has a lifetime of 86400 seconds (24 hours). You will need to make sure that the lifetime setting matches on both devices.
After the IPSec VPN has been configured, you can make the IKE VPN negotiate by sending traffic through the VPN. In this example, we have sent a ping to 10.1.1.1 (the Trust IP Address of the NetScreen) from the PIX. After three or four pings, the VPN should be established.
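The following PIX 6.x configuration is an added example for the three steps above, written for this scenario's addresses and proposals; it is not the article's own configuration, which the page does not reproduce. The access-list number 101, the names myset and mymap, and the interface names inside and outside are assumed; the group 2 and PFS lines are inferred from the "g2" in the NetScreen proposal names pre-g2-3des-sha and g2-esp-3des-sha, and the nat 0 and sysopt lines are assumed additions so the PIX passes the tunnel traffic without translating or filtering it.

```cisco
! Step 1: access list selecting the traffic to protect
! (PIX local network 172.16.10.0/24 to NetScreen trust network 10.1.1.0/24)
access-list 101 permit ip 172.16.10.0 255.255.255.0 10.1.1.0 255.255.255.0
! Exempt the same traffic from NAT so it enters the tunnel with its real addresses (assumed line)
nat (inside) 0 access-list 101

! Step 2: the six crypto steps; 3DES/SHA matches the NetScreen Phase 2 proposal g2-esp-3des-sha
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set myset
! PFS with DH group 2, inferred from the "g2" in g2-esp-3des-sha (beyond the article's six steps)
crypto map mymap 10 set pfs group2
crypto map mymap interface outside

! Step 3: the seven isakmp steps; pre-shared key, 3DES, SHA and group 2 match pre-g2-3des-sha
isakmp enable outside
isakmp key netscreen address 1.1.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Lifetime lowered from the PIX default of 86400 so it matches the NetScreen value of 28800
isakmp policy 10 lifetime 28800

! Let traffic arriving through the IPSec tunnel bypass interface access lists (assumed line)
sysopt connection permit-ipsec
```

The pre-shared key netscreen and the peer 1.1.1.1 must be exactly what the NetScreen gateway "Site B GW" was given, and the access list is the mirror image of the NetScreen Proxy-ID (local and remote swapped); a mismatch in any of these shows up as a failed Phase 1 or Phase 2 negotiation rather than a dropped ping.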