Terminating Cisco IPSEC VPN Behind a Juniper Firewall

Hi all, we have a Juniper NetScreen on our edge facing the internet, which has traditionally terminated our user-based VPN connections into our network. We have a Cisco router behind the firewall, on which we recently upgraded the IOS, and it now allows us to terminate user-based IPsec VPN tunnels on the router. I have configured the Cisco Easy VPN Server on the router. I wanted to use the Cisco VPN solution for the split tunneling option. What I need to know is how to allow the Juniper NetScreen to pass IPsec traffic on a specific IP through to the Cisco router, so that the user VPN terminates on the Cisco router, but still maintain the user VPN functionality of the Juniper for the time being until we migrate all users over to the Cisco solution. I had suspected a MIP would do the trick, but it doesn't seem to work..

500 Points for correct answer!
pathix asked:

Sanga Collins, Systems Admin, commented:
There are two great KB articles on the Juniper site that cover this exact topic. This should get you going in the right direction. You had the correct concept of solving the problem, just missing a couple of minor details.

Configuring Your Firewall to Allow IPSec Traffic to Pass Through in NAT Mode (ScreenOS 5.1 and below)
http://kb.juniper.net/KB4715

How to Pass IPSec Traffic through a Juniper Firewall
http://kb.juniper.net/KB9243

pathix (author) commented:
Thanks for the pointer! I'm reading/following these KBs and it seems to point more towards a user inside our network trying to connect to an IPsec device out on the internet; however, I'm trying to do a bit of the opposite, which is to allow an internet user to connect to an IPsec device on our trusted network, and I want the NetScreen to pass this traffic through. Is it fine to add the MIP and set up a policy from 'untrust' to 'trust' with this MIP instead of trust to untrust?
Sanga Collins, Systems Admin, commented:
There should be no problem with creating a MIP and using a policy from untrust to trust to achieve the desired result. I have used the described strategy to place a NetScreen 5GT behind an NS208.

Sanga Collins, Systems Admin, commented:
I forgot to mention that the Juniper forums are also a good place to find useful information. These guys have saved my job on a couple of occasions :)

http://forums.juniper.net/jnet/
pathix (author) commented:
OK, I've got all that done, but the VPN is still not authenticating, so I'm going to review the Easy VPN configuration to ensure there isn't anything strange going on there...

Thanks again! I'll update on the issue.
Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
Maybe you could save time by using the free Shrew VPN client (www.shrew.net) instead. It connects with both Juniper and Cisco, and allows for more settings than the Juniper client, including split tunneling and split DNS.
pathix (author) commented:
I managed to get the VPN successfully terminating through the Juniper to the Cisco. The guide from Juniper helped, but there were ports that needed to be opened that were not identified (port 4500 and ports 90-91). Once they were opened it worked great!!
Thanks for your help!
Qlemo, Batchelor, Developer and EE Topic Advisor, commented:
Port 4500/udp should be mentioned; it is the standard NAT-T port. Ports 90, 91 seem to be Cisco specific; never heard of them, and never opened those ports to Cisco clients ...

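As an added example that is not part of this thread (and not Juniper's or Cisco's own configuration): the MIP-plus-policy approach Sanga describes, with the NAT-T port pathix found missing, written out as ScreenOS CLI. All addresses, the interface name, the zone names and the policy id are placeholders; the syntax is reproduced from memory and should be checked against the ScreenOS release you run; the `##` lines are annotations, not commands.

```screenos
## Added example, not from the thread: let IPsec from the internet reach an
## internal Cisco Easy VPN server through a NetScreen, without opening the
## router to anything else.

## 1. MIP on the untrust interface: public 203.0.113.10 -> internal router 10.0.0.5
##    (both addresses are placeholders)
set interface ethernet3 mip 203.0.113.10 host 10.0.0.5 netmask 255.255.255.255 vrouter trust-vr

## 2. Services. "IKE" (udp/500) is predefined in ScreenOS; ESP (IP protocol 50)
##    and NAT-T (udp/4500) are defined here explicitly so the policy does not
##    depend on which predefined names your release ships.
set service "IPSEC-ESP" protocol 50
set service "IKE-NAT-T" protocol udp src-port 0-65535 dst-port 4500-4500

## 3. Inbound policy untrust -> trust. The destination is the MIP, not the host,
##    and only the three IPsec-related services are permitted; logging is on so
##    you can see which clients are actually using the path.
set policy id 50 name "IPsec-to-Cisco" from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "IKE" permit log
set policy id 50
set service "IPSEC-ESP"
set service "IKE-NAT-T"
exit
```

Keep the permitted set this narrow to start with. Without udp/4500 a client that sits behind its own NAT will complete IKE on udp/500 and then fail silently when ESP is encapsulated in NAT-T, which matches the symptom pathix reported. The thread also mentions ports 90-91, which are not standard IKE/IPsec ports; rather than opening them on trust, check the NetScreen traffic log for drops from a known client address and add only what your Easy VPN configuration demonstrably needs.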