Solved

Juniper command in Cisco config.

Posted on 2012-08-24
Last Modified: 2012-08-28
I have a guide to set up a tunnel for a Juniper; the commands I am unsure about how to configure on the Cisco PIX 501 are

set interface tunnel.142 ip unnumbered interface ethernet2/1
set interface "tunnel.142" mip 172.17.16.117 host 10.1.0.84 netmask 255.255.255.255 vr "trust-vr"

Also  

set route 192.168.117.0/24 interface tunnel.142 preference 20 permanent

What would the same commands be if configured on a Cisco PIX 501?
Question by: Don Coleman

Expert Comment

by: Charlie2012
ID: 38330106
For Route-Based VPN Juniper Firewall Configuration:

1. VPN Phase 1:

set ike gateway "To-Cisco" address x.x.x.x Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"

2. VPN Phase 2:

set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"

3. Create a tunnel interface and bind it to the VPN "To-Cisco-VPN":

set interface "tunnel.1" zone "Trust"
set interface tunnel.1 ip unnumbered interface ethernet1
set vpn "To-Cisco-VPN" bind interface tunnel.1

4. Proxy ID setup. The proxy ID has to match the access-list of the PIX. That is a limitation of a route-based VPN on a Juniper firewall if there are multiple access-lists configured on the PIX. In a multiple-access-list scenario, a policy-based VPN should be considered.

set vpn "To-Cisco-VPN" proxy-id local-ip x.x.x.x/x remote-ip x.x.x.x/x "ANY"

5. Set up a static route to route traffic destined to the remote inside network via the tunnel interface created in step 3.

set route x.x.x.x/x interface tunnel.1

PIX Firewall Configuration:

VPN Phase 1 Configuration:

isakmp enable outside
isakmp key netscreen address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
VPN Phase 2 Configuration:

access-list 101 permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer x.x.x.x
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside
Useful Commands to verify the VPN connection on the PIX firewall:

pixfirewall# show crypto ipsec sa


interface: outside
    Crypto map tag: nsmap, local addr. 2.2.2.1

   local  ident (addr/mask/prot/port): (x.x.x.x/subnetmask/0/0)
   remote ident (addr/mask/prot/port): (x.x.x.x/subnetmask/0/0)
   current_peer: x.x.x.x:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest 37
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify 37
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0


Hope this helps

Author Comment

by: Don Coleman
ID: 38330189
Thanks for the quick reply. I am not configuring the Juniper, but they sent me a guide for setting a tunnel up on a Juniper and I want to configure it on a Cisco PIX 501.

Here is the entire config they gave me to configure on a Juniper; I would like to know how to do it on the PIX 501. Thanks.


Accepted Solution

by: Charlie2012 (earned 2000 total points)
ID: 38340282
PIX Firewall Configuration:

VPN Phase 1 Configuration:

isakmp enable outside
isakmp key netscreen address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
VPN Phase 2 Configuration:

access-list 101 permit ip x.x.x.x 0.0.0.255 x.x.x.x 0.0.0.255
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 match address 101
crypto map nsmap 10 set peer x.x.x.x
crypto map nsmap 10 set transform-set nsset
crypto map nsmap interface outside


http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wpxref99203
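An added example, not part of this Experts Exchange thread and not a tool from either vendor: a small Python script that cross-checks the Juniper proposals posted in Charlie2012's first reply ("pre-g2-des-sha", "nopfs-esp-des-sha") against the PIX isakmp policy and transform set given in both of his replies. A single attribute that differs between the two peers (cipher, hash, DH group, PFS, pre-shared key) is the usual reason such a tunnel never comes up, so the check is worth running before touching either box. The two config texts are copied from the thread; the cipher-name mapping table and the presence-only PFS comparison are my own assumptions about ScreenOS and PIX 6.x naming. It also flags single DES, which the asker ended up replacing with 3DES.

```python
"""Cross-check the IKE Phase 1 / IPsec Phase 2 parameters of a ScreenOS (Juniper)
route-based VPN against the PIX 6.x configuration from the thread.
Added example; not part of the thread or of either vendor's tooling."""
import re

# Constructed sample input: the Juniper lines as posted in the thread.
JUNIPER_CONFIG = """
set ike gateway "To-Cisco" address x.x.x.x Main outgoing-interface "ethernet1" preshare "netscreen" proposal "pre-g2-des-sha"
set vpn "To-Cisco-VPN" gateway "To-Cisco" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
"""

# Constructed sample input: the PIX lines as posted (Phase 1 policy, Phase 2 transform set).
PIX_CONFIG = """
isakmp enable outside
isakmp key netscreen address x.x.x.x netmask 255.255.255.255 no-xauth
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set nsset esp-des esp-sha-hmac
crypto map nsmap 10 ipsec-isakmp
crypto map nsmap 10 set transform-set nsset
"""

# Assumed name mapping: ScreenOS attaches the AES key size ("aes128"), PIX uses
# "aes", "aes-192", "aes-256"; DES and 3DES are spelled the same on both.
PIX_TO_SCREENOS_CIPHER = {"des": "des", "3des": "3des", "aes": "aes128",
                          "aes-192": "aes192", "aes-256": "aes256"}
WEAK_CIPHERS = {"des"}  # both boxes accept single DES; it should not be used today


def parse_screenos(config):
    """Read the pre-shared key and the Phase 1 / Phase 2 proposal names from
    'set ike gateway' and 'set vpn' lines. ScreenOS proposal names encode the
    parameters: <auth>-g<group>-<cipher>-<hash> and <pfs>-esp-<cipher>-<hash>."""
    out = {}
    gw = re.search(r'set ike gateway .*preshare "([^"]+)" proposal "([^"]+)"', config)
    vpn = re.search(r'set vpn .*proposal "([^"]+)"', config)
    if gw:
        auth, group, cipher, hsh = gw.group(2).split("-")
        out["psk"] = gw.group(1)
        out["phase1"] = {"authentication": {"pre": "pre-share", "rsa": "rsa-sig"}[auth],
                         "group": group.lstrip("g"), "encryption": cipher, "hash": hsh}
    if vpn:
        pfs, _esp, cipher, hsh = vpn.group(1).split("-")
        out["phase2"] = {"pfs": pfs != "nopfs", "encryption": cipher, "hash": hsh}
    return out


def parse_pix(config):
    """Collect the pre-shared key, each isakmp policy's attributes, every
    transform set, and whether any crypto map entry turns on PFS."""
    out = {"psk": None, "policies": {}, "transforms": {}, "pfs": False}
    for line in config.strip().splitlines():
        m = re.match(r"isakmp key (\S+) address", line)
        if m:
            out["psk"] = m.group(1)
        m = re.match(r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)", line)
        if m:
            out["policies"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        m = re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(sha|md5)-hmac", line)
        if m:
            out["transforms"][m.group(1)] = {"encryption": PIX_TO_SCREENOS_CIPHER[m.group(2)],
                                             "hash": m.group(3)}
        if re.match(r"crypto map \S+ \d+ set pfs", line):
            out["pfs"] = True  # only presence is compared, not the PFS group number
    return out


def cross_check(juniper, pix):
    """Return a list of findings: parameter mismatches between the two peers
    and weak-cipher warnings. An empty list means the proposals agree."""
    findings = []
    if juniper.get("psk") != pix["psk"]:
        findings.append("MISMATCH psk: juniper=%r pix=%r" % (juniper.get("psk"), pix["psk"]))
    p1 = juniper["phase1"]
    pix_policies = {n: {"authentication": p.get("authentication"), "group": p.get("group"),
                        "encryption": PIX_TO_SCREENOS_CIPHER.get(p.get("encryption")),
                        "hash": p.get("hash")} for n, p in pix["policies"].items()}
    if p1 not in pix_policies.values():
        findings.append("MISMATCH phase1: juniper %s has no matching isakmp policy in %s"
                        % (p1, pix_policies))
    p2 = {"encryption": juniper["phase2"]["encryption"], "hash": juniper["phase2"]["hash"]}
    if p2 not in pix["transforms"].values():
        findings.append("MISMATCH phase2: juniper %s has no matching transform-set in %s"
                        % (p2, pix["transforms"]))
    if juniper["phase2"]["pfs"] != pix["pfs"]:
        findings.append("MISMATCH pfs: juniper=%s pix=%s" % (juniper["phase2"]["pfs"], pix["pfs"]))
    for phase in ("phase1", "phase2"):
        if juniper[phase]["encryption"] in WEAK_CIPHERS:
            findings.append("WEAK %s: juniper proposal uses single DES; use 3des or aes on both peers"
                            % phase)
    return findings


def run(juniper_text, pix_text):
    """Parse both sides and return the findings list."""
    return cross_check(parse_screenos(juniper_text), parse_pix(pix_text))


if __name__ == "__main__":
    for finding in run(JUNIPER_CONFIG, PIX_CONFIG) or ["OK: proposals agree"]:
        print(finding)
```

On the thread's configuration the two sides agree and the only output is the two DES warnings. Changing just the PIX side to 3DES, as the asker did, produces Phase 1 and Phase 2 mismatch findings, which is the reminder that the Juniper proposal names must be changed in step with the PIX policy.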

Author Closing Comment

by: Don Coleman
ID: 38340997
Thanks for the response. I was able to figure it out; your config looks to be what I was looking for, with the exception of 3des instead of des.