[c-nsp] ASA to Netscreen VPN?
ChrisSerafin
chris at chrisserafin.com
Fri Jun 29 16:04:08 EDT 2007
Adding this mess of isakmp policies worked? When I looked at the SAs
being used:
Phase 1: 3DES / SHA1 / Group 2, rekey 28800
Phase 2: 3DES / MD5 / Group 2, rekey 3600
But the tunnel only works for one internal subnet on the ASA side, and we
changed the networks on both sides of the VPN as well.
This ACL works:
access-list outside_20_cryptomap_2 extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
This does not:
access-list outside_20_cryptomap_2 extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.25.101.0 255.255.255.0
The whole config is below: Thanks for all your help so far.
Chris Serafin
chris at chrisserafin.com
Result of the command: "sh run"
: Saved
:
ASA Version 7.2(2)
!
hostname corp
domain-name zzzzz.com
enable password 6SbzzzzzXhrP encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name zzzzz.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Internet tcp
description Internet Service Group HTTP/HTTPS
port-object eq www
port-object eq https
object-group network WB-Corp-Office-Networks
description zzzzz Corporate Office Production Networks
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network Inside-Nets
network-object 10.254.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.1.254.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group service Management-Access-Group tcp
description Management Access Service Group
port-object eq ssh
port-object eq telnet
object-group network zzzz_Tunnel
description zzzz_TUNNEL
network-object 10.1.254.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group WB-Corp-Office-Networks any
access-list outside_access_in remark Allow zzzz MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmp
access-list outside_access_in remark Allow zzzz MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmptrap
access-list outside_access_in remark Allow ICMP from zzzz
access-list outside_access_in extended permit icmp 205.234.155.0 255.255.255.0 interface outside
access-list outside_access_in remark RKON zzz VPN Ztunnel
access-list outside_access_in extended permit ip host 205.234.155.253 interface outside
access-list outside_access_in remark SSH Access for zzzz Office
access-list outside_access_in extended permit ip host 206.81.53.50 interface outside
access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Inside-Nets 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group zzz_Tunnel 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_1 extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
pager lines 24
logging enable
logging list VPN_zzz level debugging class vpn
logging monitor debugging
logging asdm VPN_RKON
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
failover
failover lan unit secondary
failover lan interface WBFAILOVER Ethernet0/3
failover key *****
failover link WBFAILOVER Ethernet0/3
failover interface ip WBFAILOVER 172.16.0.3 255.255.255.0 standby 172.16.0.4
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group management_access_in in interface management
route outside 0.0.0.0 0.0.0.0 1.1.131.193 1
route inside 192.168.1.0 255.255.255.0 10.254.0.1 1
route inside 192.168.2.0 255.255.255.0 10.254.0.1 1
route management 10.1.0.0 255.255.255.0 10.1.254.196 1
route management 10.47.25.80 255.255.255.240 10.1.254.8 1
route management 1.1.1.0 255.255.255.0 10.1.254.196 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap_2
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 60
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp nat-traversal 20
tunnel-group 2.2.155.253 type ipsec-l2l
tunnel-group 2.2.155.253 ipsec-attributes
pre-shared-key *
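Added note and example (editorial, not part of the original post): the symptom above, one subnet working and the other two not, is what you get when the crypto ACL and the peer's proxy IDs do not mirror each other. With IKEv1 the ASA negotiates a separate Phase 2 SA for each ACE in the crypto ACL and offers that ACE's source and destination as the proxy IDs; the peer has to present the exact mirror image (its local = our destination, its remote = our source) or the ASA logs "All IPSec SA proposals found unacceptable" even though Phase 1 completes. A Netscreen policy-based VPN derives its proxy IDs from the policy's source and destination addresses, and a route-based tunnel with no proxy-id configured sends 0.0.0.0/0 on both sides, so each ASA ACE needs a Netscreen policy or explicit proxy-id whose addresses mirror it, and each pair also needs a NAT-exemption ACE on the ASA. `show crypto ipsec sa` on the ASA lists the local/remote ident of every SA that did come up, which tells you which ACEs the peer accepted. The Python below is a checker written for this note (not from the thread, the ASA, or Juniper): it parses the crypto ACL, the network object-group and the nat0 ACL copied from the post, expands object-group references, and compares each (src, dst) pair against a list of peer proxy IDs. PEER_PROXY_IDS is a constructed assumption in which only the first pair has a mirror, which reproduces the one-subnet-works result. Separately, the policy list above still accepts DH group 1 and MD5; once the working pair (3DES/SHA1/group 2 per the SA output above) is confirmed, the other policies should be removed so the peer cannot negotiate down to the weakest one.

```python
import ipaddress
from itertools import product

# Constructed sample, trimmed from the config in the post: the three-ACE crypto
# ACL, the network object-group the NAT-exemption ACL references, and that ACL.
SAMPLE_CONFIG = """
object-group network Inside-Nets
 network-object 10.254.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.1.254.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Inside-Nets 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list outside_20_cryptomap_2 extended permit ip 192.168.2.0 255.255.255.0 172.25.101.0 255.255.255.0
"""

# ASSUMPTION (hypothetical, not from the post): proxy-ID pairs (local, remote) as the
# Netscreen peer presents them. Only the first ASA ACE has a mirror image here, which
# reproduces the "only one subnet works" symptom.
PEER_PROXY_IDS = [("172.25.101.0/24", "10.1.254.0/24")]


def _net(addr, mask):
    """Build a network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addr(tok, i, groups):
    """Parse one ACE address term at tok[i]: any | host A | object-group G | A MASK.
    Returns (list_of_networks, index_of_next_term)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [_net(tok[i + 1], "32")], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [_net(tok[i], tok[i + 1])], i + 2


def parse_config(text):
    """Return (groups, acls): groups maps object-group name -> [networks];
    acls maps ACL name -> [(src, dst), ...] with object-groups expanded, so every
    'permit ip' ACE becomes one or more concrete network pairs. Remarks and
    non-ip ACEs are skipped because they play no part in a crypto or nat0 ACL."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = groups.setdefault(tok[2], []) if tok[1] == "network" else None
        elif tok[0] == "network-object" and current is not None:
            current.append(_net(tok[1], tok[2]))
        elif tok[0] == "access-list":
            current = None
            if tok[2:5] != ["extended", "permit", "ip"]:
                continue
            srcs, i = _addr(tok, 5, groups)
            dsts, _ = _addr(tok, i, groups)
            acls.setdefault(tok[1], []).extend(product(srcs, dsts))
    return groups, acls


def check_phase2(acls, crypto_acl, peer_proxy_ids, nat0_acl=None):
    """For each (src, dst) pair the crypto ACL will propose as Phase 2 proxy IDs,
    report whether the peer offers the exact mirror image (local=dst, remote=src)
    and whether a nat0 ACE exempts that pair from NAT."""
    peer = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in peer_proxy_ids}
    nat0 = acls.get(nat0_acl, []) if nat0_acl else []
    report = {}
    for src, dst in acls[crypto_acl]:
        report[(str(src), str(dst))] = {
            "proxy_id_mirrored": (dst, src) in peer,
            "nat_exempt": any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0),
        }
    return report


if __name__ == "__main__":
    _, acls = parse_config(SAMPLE_CONFIG)
    report = check_phase2(acls, "outside_20_cryptomap_2", PEER_PROXY_IDS, "inside_nat0_outbound")
    for (src, dst), r in report.items():
        status = "ok" if all(r.values()) else "MISMATCH"
        print(f"{src} -> {dst}: {status} {r}")
```

Run it against a pasted `show run`; any pair reported with `proxy_id_mirrored` false is an ACE the peer has no policy for, and any pair with `nat_exempt` false will be NATed before encryption and never match the crypto ACL at all.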
Simon Hamilton-Wilkes wrote:
> This is an ugly fragment, we were clearly trying various different
> timer settings.
> Our big issue is that formerly we were all Netscreen, and in the NS
> config each individual policy is set to tunnel rather than
> permit/deny. Whereas Cisco doesn't like that - having an extended ACL
> for the VPN, it prefers a simple network to network permit without
> protocol requirements - this we never really got over satisfactorily,
> and ended up adding Netscreens to the new sites that had been built
> out with ASA's, just for point to point VPNs. Otherwise we'd get lots
> of 'encrypted packet does not match SA' errors and eventually the SAs
> would go one way. Let me know how you get on.
>
> crypto ipsec transform-set netscreen esp-aes esp-sha-hmac
> crypto ipsec transform-set client esp-des esp-md5-hmac
> crypto dynamic-map dynmap 99 set transform-set 3des client
> crypto map allvpn 10 match address 101
> crypto map allvpn 10 set pfs
> crypto map allvpn 10 set peer x.x.x.x
> crypto map allvpn 10 set transform-set netscreen
> crypto map allvpn 40 match address 103
> crypto map allvpn 40 set pfs
> crypto map allvpn 40 set peer x.x.x.x
> crypto map allvpn 40 set transform-set netscreen
> crypto map allvpn 50 match address 105
> crypto map allvpn 50 set pfs
> crypto map allvpn 50 set peer x.x.x.x
> crypto map allvpn 50 set transform-set netscreen
> crypto map allvpn 60 match address 104
> crypto map allvpn 60 set peer x.x.x.x
> crypto map allvpn 60 set transform-set netscreen
> crypto map allvpn 70 match address 106
> crypto map allvpn 70 set pfs
> crypto map allvpn 70 set peer x.x.x.x
> crypto map allvpn 70 set transform-set netscreen
> crypto map allvpn 99 ipsec-isakmp dynamic dynmap
> crypto map allvpn interface outside
> crypto isakmp identity address
> crypto isakmp enable outside
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 9
> authentication pre-share
> encryption 3des
> hash md5
> group 1
> lifetime 86400
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 1
> lifetime 86400
> crypto isakmp policy 20
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 28800
> crypto isakmp policy 30
> authentication pre-share
> encryption aes
> hash sha
> group 2
> lifetime 28800
> crypto isakmp policy 40
> authentication pre-share
> encryption aes
> hash sha
> group 2
> lifetime 3600
> crypto isakmp policy 45
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
>
>
>
>
> On 6/25/07, ChrisSerafin <chris at chrisserafin.com> wrote:
>> I'd love you if you had some! :)
>>
>> Chris
>>
>>
>> Simon Hamilton-Wilkes wrote:
>> > I had this working at my last job - I'll see if I have any configs
>> > archived still, but they'd be on my laptop at home. Had to do some
>> > adjusting of timers to make things work, plus the way Cisco and
>> > Juniper each handle tunnels supporting multiple protocols/networks
>> > differs in some way so there were always error messages and regularly
>> > complete failures requiring manual tunnel resets both ends. We tried
>> > various ASA versions in the 7.1 and 7.2 trains, of course TAC and JTAC
>> > were unhelpful - both blamed the others products...
>> >
>> > Simon
>> >
>> > On 6/25/07, ChrisSerafin <chris at chrisserafin.com> wrote:
>> >> I'm trying to set up an L2L VPN with a Cisco ASA 5510 and a Juniper
>> >> Netscreen Firewall. I can't find any recent documentation regarding
>> >> this setup. I'm receiving some error messages from the ASDM which are below:
>> >>
>> >> 4 Jun 25 2007 14:32:54 713903 Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes
>> >> 3 Jun 25 2007 14:32:54 713119 Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED
>> >> 3 Jun 25 2007 14:32:54 713122 IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)
>> >> 5 Jun 25 2007 14:32:54 713904 Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!
>> >> 3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!
>> >> 3 Jun 25 2007 14:32:54 713902 Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!
>> >>
>> >> The VPN config is provided below. Anything stand out? Or anyone else get
>> >> this to work? Any comments welcome.
>> >>
>> >>
>> >>
>> >>
>> >> interface Ethernet0/0
>> >> speed 100
>> >> duplex full
>> >> nameif outside
>> >> security-level 0
>> >> ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
>> >> !
>> >> interface Ethernet0/1
>> >> speed 100
>> >> duplex full
>> >> nameif inside
>> >> security-level 100
>> >> ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
>> >> !
>> >> interface Ethernet0/3
>> >> description LAN/STATE Failover Interface
>> >> !
>> >> interface Management0/0
>> >> speed 100
>> >> duplex full
>> >> nameif management
>> >> security-level 100
>> >> ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
>> >> !
>> >> same-security-traffic permit inter-interface
>> >> same-security-traffic permit intra-interface
>> >> object-group network Inside-Nets
>> >> network-object 10.254.0.0 255.255.255.0
>> >> network-object 192.168.1.0 255.255.255.0
>> >> network-object 10.1.254.0 255.255.255.0
>> >> network-object 192.168.2.0 255.255.255.0
>> >> object-group service Management-Access-Group tcp
>> >> description Management Access Service Group
>> >> port-object eq ssh
>> >> port-object eq telnet
>> >> access-list management_access_in extended permit icmp any any
>> >> access-list management_access_in extended permit ip any any
>> >> access-list management_access_in extended permit tcp any any
>> >> access-list inside_access_in extended permit icmp any any log debugging
>> >> access-list inside_access_in extended permit ip any any
>> >> access-list inside_access_in extended permit tcp object-group Corp-Office-Networks any
>> >> access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
>> >> access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmp
>> >> access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
>> >> access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmptrap
>> >> access-list outside_access_in remark Allow ICMP from xxxx
>> >> access-list outside_access_in extended permit icmp 205.234.155.0 255.255.255.0 interface outside
>> >> access-list outside_access_in remark xxxx MSSP VPN Ztunnel
>> >> access-list outside_access_in extended permit ip host 205.234.155.253 interface outside
>> >> access-list outside_access_in remark SSH Access for xxxx Office
>> >> access-list outside_access_in extended permit ip host 206.81.53.50 interface outside
>> >> access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
>> >> access-list inside_nat0_outbound extended permit ip object-group Inside-Nets 172.25.101.0 255.255.255.0
>> >> access-list inside_nat0_outbound extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
>> >> nat (inside) 0 access-list inside_nat0_outbound
>> >> access-group outside_access_in in interface outside
>> >> access-group inside_access_in in interface inside
>> >> access-group management_access_in in interface management
>> >> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>> >> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>> >> crypto map outside_map 20 match address outside_20_cryptomap
>> >> crypto map outside_map 20 set pfs
>> >> crypto map outside_map 20 set peer 2.2.155.253
>> >> crypto map outside_map 20 set transform-set ESP-3DES-MD5
>> >> crypto map outside_map interface outside
>> >> crypto isakmp identity address
>> >> crypto isakmp enable outside
>> >> crypto isakmp policy 10
>> >> authentication pre-share
>> >> encryption 3des
>> >> hash md5
>> >> group 2
>> >> lifetime 86400
>> >> crypto isakmp nat-traversal 20
>> >> tunnel-group 2.2.155.253 type ipsec-l2l
>> >> tunnel-group 2.2.155.253 ipsec-attributes
>> >> pre-shared-key *
>> >>
>> >>
>> >> Thanks for anything,
>> >>
>> >> Chris Serafin
>> >> Security Engineer
>> >> chris at chrisserafin.com
>> >> _______________________________________________
>> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >>
>> >
>> >
>> >
>>
>>
>
>
>