Terminating Cisco IPsec VPN Behind a Juniper Firewall

Asked by pathix (Canada):

Hi all, we have a Juniper NetScreen on our edge facing the internet, which traditionally has terminated our user-based VPN connections into our network. We have a Cisco router behind the firewall, and we recently upgraded its IOS, which now allows us to terminate user-based IPsec VPN tunnels on the router. I have configured the Cisco Easy VPN Server on the router. I wanted to use the Cisco VPN solution for the split tunneling option. What I need to know is how to allow the Juniper NetScreen to pass through IPsec traffic on a specific IP to the Cisco router so that the user VPN terminates on the Cisco router, but still maintain the user VPN functionality of the Juniper for the time being until we migrate all users over to the Cisco solution. I had suspected a MIP would do the trick, but it doesn't seem to work.

500 Points for correct answer!
ASKER CERTIFIED SOLUTION by Sanga Collins (United States of America)

This solution is only available to members.
pathix (ASKER):

Thanks for the pointer! I'm reading/following these KBs and they seem to point more towards a user inside of our network trying to connect to an IPsec device out on the internet; however, I'm trying to do a bit of the opposite, which is to allow an internet user to connect to an IPsec device on our trusted network, and I want the NetScreen to pass this traffic through. Is it fine to add the MIP and set up a policy from 'untrust' to 'trust' with this MIP instead of trust to untrust?
There should be no problem with creating a MIP and using a policy from untrust to trust to achieve the desired result. I have used the described strategy to place a NetScreen 5GT behind an NS208.
I forgot to mention that the Juniper forums are also a good place to find useful information. These guys have saved my job on a couple of occasions :)

http://forums.juniper.net/jnet/
pathix (ASKER):

OK, I've got all that done, but the VPN is still not authenticating, so I'm going to review the Easy VPN configuration to ensure there isn't anything strange going on there...

Thanks again! I'll update on the issue.
Maybe you could save time by using the free Shrew VPN client (www.shrew.net) instead. It connects with both Juniper and Cisco, and allows for more settings than the Juniper client, including split tunneling and split DNS.
pathix (ASKER):

I managed to get the VPN successfully terminating through the Juniper to the Cisco. The guide from Juniper helped, but there were ports that needed to be opened that were not identified (port 4500 and ports 90-91). Once they were opened it worked great!!
Thanks for your help!
Port 4500/udp should be mentioned; it is the standard NAT-T port. Ports 90 and 91 seem to be Cisco specific; I've never heard of them, and never opened those ports for Cisco clients ...
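The thread ends with the asker discovering by trial that the Juniper guide's policy set was incomplete. The following is an added example, not code from this thread, from Juniper or from Cisco: a small Python checker that reads a constructed ScreenOS-style configuration excerpt and reports whether a MIP exists for the given public address and whether untrust-to-trust policies permit everything an IPsec responder behind the firewall must receive: IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50). The `set service`, `set interface ... mip` and `set policy` line shapes are an approximation of the ScreenOS CLI, the contents of the predefined `IKE` and `IKE-NAT` services are stated as assumptions in the code, and the sample addresses (203.0.113.10, 10.1.1.10) are constructed. The Cisco-specific ports 90-91 mentioned above are deliberately not modelled, since the thread does not establish what they carry.

```python
import re
from dataclasses import dataclass

# Protocol names to IP protocol numbers for the service definitions we parse.
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

# Assumption: contents of the ScreenOS predefined services used by the
# policies below (IKE = UDP/500, IKE-NAT = UDP/500 plus UDP/4500).
PREDEFINED_SERVICES = {
    "IKE": [(17, (500, 500))],
    "IKE-NAT": [(17, (500, 500)), (17, (4500, 4500))],
}

# What an IPsec responder behind the firewall needs to receive from the
# untrusted side: (ip_protocol, destination_port_or_None).
REQUIRED_FLOWS = {
    "IKE (UDP/500)": (17, 500),
    "NAT-T (UDP/4500)": (17, 4500),
    "ESP (IP protocol 50)": (50, None),
}

# Constructed config excerpt (ScreenOS-like syntax): MIP plus IKE and NAT-T
# policies, but no ESP policy, which is the kind of gap the thread describes.
SAMPLE_CONFIG = """
set service "UDP-4500" protocol udp src-port 0-65535 dst-port 4500-4500
set interface ethernet3 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any mip(203.0.113.10) "IKE" permit
set policy from untrust to trust any mip(203.0.113.10) "UDP-4500" permit
"""

# Same excerpt with the missing ESP service and policy added (constructed).
HARDENED_CONFIG = SAMPLE_CONFIG + """
set service "ESP" protocol 50
set policy from untrust to trust any mip(203.0.113.10) "ESP" permit
"""

SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>\S+)'
    r'(?: src-port \S+)?(?: dst-port (?P<lo>\d+)-(?P<hi>\d+))?')
MIP_RE = re.compile(r'^set interface \S+ mip (?P<mip>\S+) host (?P<host>\S+)')
POLICY_RE = re.compile(
    r'^set policy from (?P<sz>\S+) to (?P<dz>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'"?(?P<svc>[^"\s]+)"? (?P<action>permit|deny)')


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str


def parse_services(config):
    """Map service name -> list of (ip_protocol, (lo, hi) port range or None)."""
    services = {name: list(entries) for name, entries in PREDEFINED_SERVICES.items()}
    for line in config.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        proto = m.group("proto").lower()
        proto_num = PROTO_NUM.get(proto, int(proto) if proto.isdigit() else None)
        if proto_num is None:
            continue
        ports = (int(m.group("lo")), int(m.group("hi"))) if m.group("lo") else None
        services.setdefault(m.group("name"), []).append((proto_num, ports))
    return services


def parse_policies(config):
    return [Policy(m.group("sz"), m.group("dz"), m.group("src"), m.group("dst"),
                   m.group("svc"), m.group("action"))
            for m in (POLICY_RE.match(l.strip()) for l in config.splitlines()) if m]


def find_mip_host(config, mip_ip):
    """Return the internal host a MIP maps to, or None if no such MIP is defined."""
    for line in config.splitlines():
        m = MIP_RE.match(line.strip())
        if m and m.group("mip") == mip_ip:
            return m.group("host")
    return None


def service_covers(entries, proto, port):
    """True if any service entry matches the protocol and (if given) the port."""
    for entry_proto, ports in entries:
        if entry_proto != proto:
            continue
        if ports is None or port is None or ports[0] <= port <= ports[1]:
            return True
    return False


def check_ipsec_passthrough(config, mip_ip, src_zone="untrust", dst_zone="trust"):
    """List what is still missing for IPsec to reach the host behind mip_ip."""
    missing = []
    if find_mip_host(config, mip_ip) is None:
        missing.append(f"no MIP defined for {mip_ip}")
    services, policies = parse_services(config), parse_policies(config)
    for label, (proto, port) in REQUIRED_FLOWS.items():
        permitted = any(
            p.action == "permit" and p.src_zone == src_zone and p.dst_zone == dst_zone
            and p.dst in (f"mip({mip_ip})", "any")
            and service_covers(services.get(p.service, []), proto, port)
            for p in policies)
        if not permitted:
            missing.append(label)
    return missing


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "missing:", check_ipsec_passthrough(cfg, "203.0.113.10") or "nothing")
```

Two points the check makes visible. First, the asker's early doubt about direction matters: a policy from trust to untrust satisfies nothing here, because the inbound IKE request arrives from the untrust zone and the MIP is its destination. Second, NAT-T on UDP/4500 is not optional in this topology: the MIP rewrites the destination address, so the IKE NAT-discovery hashes computed by the client (over the public address) and by the router (over its private address) will not match, both sides conclude a NAT is in the path, and the tunnel's ESP is carried inside UDP/4500 rather than as bare IP protocol 50. Passing raw ESP is still worth keeping in the check for peers that do not negotiate NAT-T.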