pathix
asked on
Terminating Cisco IPSEC VPN Behind a Juniper Firewall
Hi All, we have a Juniper NetScreen on our edge facing the internet, which traditionally has terminated our user-based VPN connections into our network. We have a Cisco router behind the firewall; we recently upgraded its IOS, which now allows us to terminate user-based IPSEC VPN tunnels on the router. I have configured the Cisco Easy VPN Server on the router. I've wanted to use the Cisco VPN solution for the split tunneling option. What I need to know is how to allow the Juniper NetScreen to pass IPSEC traffic on a specific IP through to the Cisco router, so that the user VPN terminates on the Cisco router, but still maintain the user VPN functionality of the Juniper for the time being until we migrate all users over to the Cisco solution. I had suspected a MIP would do the trick, but it doesn't seem to work.
500 Points for correct answer!
ASKER CERTIFIED SOLUTION
There should be no problem with creating a MIP and using a policy from untrust to trust to achieve the desired result. I have used the described strategy to place a NetScreen 5GT behind an NS208.
I forgot to mention that the Juniper forums are also a good place to find useful information. These guys have saved my job on a couple of occasions :)
http://forums.juniper.net/jnet/
ASKER
OK, I've got all that done, but the VPN is still not authenticating, so I'm going to review the Easy VPN configuration to ensure there isn't anything strange going on there...
Thanks again! I'll update on the issue
Maybe you could save time by using the free Shrew VPN client (www.shrew.net) instead. It connects with both Juniper and Cisco, and allows for more settings than the Juniper client, including split tunneling and split DNS.
ASKER
I managed to get the VPN successfully terminating through the Juniper to the Cisco. The guide from Juniper helped, but there were ports that needed to be opened that were not identified (port 4500 and ports 90-91). Once they were opened it worked great!
Thanks for your help!
Port 4500/udp should be mentioned; it is the standard NAT-T port. Ports 90 and 91 seem to be Cisco specific, I have never heard of them, and I have never opened those ports for Cisco clients ...
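To make the accepted answer's MIP-plus-policy approach and the later port discussion concrete, here is a small Python model, added for this page and not taken from the thread, from Juniper or from Cisco, that lists the flows an IKEv1 Easy VPN client needs to reach a server sitting behind a 1:1 NAT and checks a simplified untrust-to-trust policy list against them. The zone names, the inside address 192.168.10.2, and top-down first-match policy evaluation are assumptions; the two policy sets are constructed to mirror the asker's IKE-only first attempt and the working set with UDP/4500 added. It also shows why UDP/4500 turned out to be necessary: the MIP rewrites the server's address, so IKE NAT discovery sees a NAT in the path and the tunnel floats to NAT-T, where ESP travels inside UDP/4500 instead of as raw IP protocol 50.

```python
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers used by IKE and IPsec
UDP = 17
ESP = 50

# Inside address the NetScreen MIP hands traffic to, i.e. the Easy VPN server.
# Constructed value for this example, not the poster's network.
ROUTER_INSIDE_IP = "192.168.10.2"


@dataclass(frozen=True)
class Flow:
    """One flow the VPN needs, as the firewall sees it once the MIP has
    translated the public address to the inside host."""
    name: str
    from_zone: str
    to_zone: str
    dst_ip: str
    proto: int
    dport: Optional[int]   # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Policy:
    """Simplified zone-based policy; None in proto/dport means 'any'."""
    from_zone: str
    to_zone: str
    dst_ip: str            # inside host the MIP maps to, or "any"
    proto: Optional[int]
    dport: Optional[int]
    action: str            # "permit" or "deny"


def required_flows(inside_ip: str, nat_t: bool = True) -> List[Flow]:
    """Flows an IKEv1 road-warrior client needs to reach a server behind 1:1 NAT.

    Negotiation always starts on UDP/500.  Because the MIP rewrites the server
    address, the NAT-D hashes (which cover the IP header) no longer match, the
    peers detect a NAT and float to UDP/4500 (NAT-T), carrying ESP inside UDP.
    Only when NAT-T is unavailable does raw ESP (protocol 50) need to pass."""
    flows = [Flow("IKE", "untrust", "trust", inside_ip, UDP, 500)]
    if nat_t:
        flows.append(Flow("IKE NAT-T / ESP-in-UDP", "untrust", "trust",
                          inside_ip, UDP, 4500))
    else:
        flows.append(Flow("ESP", "untrust", "trust", inside_ip, ESP, None))
    return flows


def policy_matches(p: Policy, f: Flow) -> bool:
    """True when the policy's zone, destination, protocol and port cover the flow."""
    return (p.from_zone == f.from_zone
            and p.to_zone == f.to_zone
            and p.dst_ip in ("any", f.dst_ip)
            and p.proto in (None, f.proto)
            and p.dport in (None, f.dport))


def first_match(policies: List[Policy], f: Flow) -> Optional[Policy]:
    """Top-down, first-match evaluation (assumed firewall model)."""
    for p in policies:
        if policy_matches(p, f):
            return p
    return None


def missing_flows(policies: List[Policy], flows: List[Flow]) -> List[str]:
    """Names of required flows that nothing permits (no match, or a deny wins)."""
    blocked = []
    for f in flows:
        m = first_match(policies, f)
        if m is None or m.action != "permit":
            blocked.append(f.name)
    return blocked


# Constructed: the asker's first attempt, a MIP plus an untrust->trust policy
# for IKE only.  The implicit default deny is modelled as a trailing catch-all.
POLICIES_IKE_ONLY = [
    Policy("untrust", "trust", ROUTER_INSIDE_IP, UDP, 500, "permit"),
    Policy("untrust", "trust", "any", None, None, "deny"),
]

# Constructed: the working set, IKE plus NAT-T on UDP/4500.
POLICIES_WITH_NAT_T = [
    Policy("untrust", "trust", ROUTER_INSIDE_IP, UDP, 500, "permit"),
    Policy("untrust", "trust", ROUTER_INSIDE_IP, UDP, 4500, "permit"),
    Policy("untrust", "trust", "any", None, None, "deny"),
]


if __name__ == "__main__":
    flows = required_flows(ROUTER_INSIDE_IP)
    print("IKE-only policy blocks:", missing_flows(POLICIES_IKE_ONLY, flows))
    print("With NAT-T, blocks:", missing_flows(POLICIES_WITH_NAT_T, flows))
```

Running it reports that the IKE-only set blocks the NAT-T flow and the corrected set blocks nothing; calling `required_flows(..., nat_t=False)` shows the raw-ESP case, which only matters for a client that cannot use NAT-T. Ports 90 and 91 are deliberately absent from the model, since nothing on this page ties them to IPsec.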