[c-nsp] ASA to Netscreen VPN?

ChrisSerafin chris at chrisserafin.com
Mon Jun 25 16:22:46 EDT 2007


I'm trying to set up an L2L VPN with a Cisco ASA 5510 and a Juniper
Netscreen Firewall. I can't find any recent documentation regarding this
setup. I'm receiving some error messages from the ASDM, which are below:

4    Jun 25 2007    14:32:54    713903    Group = 2.2.155.253, IP = 2.2.155.253, Freeing previously allocated memory for authorization-dn-attributes
3    Jun 25 2007    14:32:54    713119    Group = 2.2.155.253, IP = 2.2.155.253, PHASE 1 COMPLETED
3    Jun 25 2007    14:32:54    713122    IP = 2.2.155.253, Keep-alives configured on but peer does not support keep-alives (type = None)
5    Jun 25 2007    14:32:54    713904    Group = 2.2.155.253, IP = 2.2.155.253, All IPSec SA proposals found unacceptable!
3    Jun 25 2007    14:32:54    713902    Group = 2.2.155.253, IP = 2.2.155.253, QM FSM error (P2 struct &0x4274390, mess id 0x10055b4)!
3    Jun 25 2007    14:32:54    713902    Group = 2.2.155.253, IP = 2.2.155.253, Removing peer from correlator table failed, no match!

The VPN config is provided below. Does anything stand out, or has anyone
else gotten this to work? Any comments welcome.

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.131.196 255.255.255.192 standby 1.1.131.197
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.254.0.253 255.255.255.0 standby 10.254.0.254
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.1.254.1 255.255.255.0 standby 10.1.254.2
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside-Nets
 network-object 10.254.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.1.254.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group service Management-Access-Group tcp
 description Management Access Service Group
 port-object eq ssh
 port-object eq telnet
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit ip any any
access-list management_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any log debugging
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group Corp-Office-Networks any
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmp
access-list outside_access_in remark Allow xxxx MSSP SNMP Monitoring
access-list outside_access_in extended permit udp 205.234.155.0 255.255.255.0 interface outside eq snmptrap
access-list outside_access_in remark Allow ICMP from xxxx
access-list outside_access_in extended permit icmp 205.234.155.0 255.255.255.0 interface outside
access-list outside_access_in remark xxxx MSSP VPN Ztunnel
access-list outside_access_in extended permit ip host 205.234.155.253 interface outside
access-list outside_access_in remark SSH Access for xxxx Office
access-list outside_access_in extended permit ip host 206.81.53.50 interface outside
access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Inside-Nets 172.25.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group management_access_in in interface management
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 2.2.155.253 type ipsec-l2l
tunnel-group 2.2.155.253 ipsec-attributes
 pre-shared-key *


Thanks for anything,

Chris Serafin
Security Engineer
chris at chrisserafin.com
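An added example, not part of Chris's post and not a Cisco or Juniper tool: message 713904 ("All IPSec SA proposals found unacceptable") is logged after Phase 1 has completed, when the ASA rejects every Quick Mode proposal the peer offers, and in practice that comes down to the transform set (encryption/integrity), the PFS group, or the proxy IDs. The small Python checker below pulls those three Phase 2 parameters out of the posted crypto map (the ESP-3DES-MD5 transform set, the implicit group2 that a bare `set pfs` means on the ASA, and the proxy IDs from outside_20_cryptomap) and reports which attributes a peer proposal fails to match. The two NetScreen-side proposals are constructed for illustration, the exact-match rules are a simplification of ASA behaviour, and the parser understands only the net/mask form of ACE used in the crypto ACL.

```python
"""Phase 2 (Quick Mode) proposal checker for an ASA <-> NetScreen L2L tunnel.

Added example. Reads the crypto map, transform sets and crypto ACL from an
ASA config snippet and lists which Quick Mode attributes a peer's proposal
fails to match, i.e. the usual reasons behind ASA message 713904.
"""
import ipaddress

# Lines copied from the posted ASA config that determine its Phase 2 proposal.
ASA_CONFIG = """\
access-list outside_20_cryptomap extended permit ip 10.1.254.0 255.255.255.0 172.25.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.155.253
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""


def _net(addr, mask):
    """Normalise 'net mask' or 'net/prefix' into canonical CIDR text."""
    return str(ipaddress.ip_network(f"{addr}/{mask}"))


def parse_asa_phase2(config, crypto_map, seq):
    """Return the Phase 2 proposal implied by one crypto map entry."""
    transform_sets, acls, entry = {}, {}, {}
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[parts[3]] = parts[4:]
        elif parts[0] == "access-list" and parts[2:4] == ["extended", "permit"]:
            # Only the net/mask ACE form: permit <proto> <local> <mask> <remote> <mask>
            proto, lnet, lmask, rnet, rmask = parts[4:9]
            acls.setdefault(parts[1], []).append((proto, _net(lnet, lmask), _net(rnet, rmask)))
        elif parts[:2] == ["crypto", "map"] and parts[2:4] == [crypto_map, str(seq)]:
            if parts[4:6] == ["match", "address"]:
                entry["acl"] = parts[6]
            elif parts[4:6] == ["set", "pfs"]:
                # A bare "set pfs" means Diffie-Hellman group2 on the ASA.
                entry["pfs"] = parts[6] if len(parts) > 6 else "group2"
            elif parts[4:6] == ["set", "transform-set"]:
                entry["transform_sets"] = parts[6:]
    proposals = []
    for name in entry["transform_sets"]:
        ts = transform_sets[name]
        enc = next(t for t in ts if t.startswith("esp-") and not t.endswith("-hmac"))
        auth = next((t for t in ts if t.endswith("-hmac")), None)
        proposals.append({"encryption": enc, "integrity": auth})
    return {"proposals": proposals, "pfs": entry.get("pfs", "none"), "proxy_ids": acls[entry["acl"]]}


def phase2_mismatches(asa, peer):
    """List the reasons the ASA would reject the peer's Quick Mode proposal.

    Simplified matching rules (an assumption about ASA behaviour): the peer's
    encryption/integrity pair must equal one configured transform set, the
    PFS group must match exactly, and the peer's proxy IDs must equal one
    crypto ACL entry with local and remote swapped.
    """
    reasons = []
    if not any(p["encryption"] == peer["encryption"] and p["integrity"] == peer["integrity"]
               for p in asa["proposals"]):
        reasons.append(f"transform {peer['encryption']}/{peer['integrity']} not offered by ASA")
    if asa["pfs"] != peer["pfs"]:
        reasons.append(f"PFS {peer['pfs']} vs ASA {asa['pfs']}")
    # The peer's local network is our remote network and vice versa.
    mirrored = (peer["proto"], _net(*peer["remote"].split("/")), _net(*peer["local"].split("/")))
    if mirrored not in asa["proxy_ids"]:
        reasons.append(f"proxy IDs {peer['local']} -> {peer['remote']} match no crypto ACL entry")
    return reasons


# Constructed NetScreen-side proposals (assumptions, not from the post). The first
# is the shape of a no-PFS, route-based ScreenOS tunnel with 0.0.0.0/0 proxy IDs;
# the second is what the posted crypto map entry actually expects.
NETSCREEN_NOPFS_ANYANY = {"encryption": "esp-3des", "integrity": "esp-md5-hmac",
                          "pfs": "none", "proto": "ip",
                          "local": "0.0.0.0/0", "remote": "0.0.0.0/0"}
NETSCREEN_MATCHING = {"encryption": "esp-3des", "integrity": "esp-md5-hmac",
                      "pfs": "group2", "proto": "ip",
                      "local": "172.25.101.0/24", "remote": "10.1.254.0/24"}

if __name__ == "__main__":
    asa = parse_asa_phase2(ASA_CONFIG, "outside_map", 20)
    print("ASA Phase 2:", asa)
    for label, peer in (("no-PFS any/any", NETSCREEN_NOPFS_ANYANY), ("matching", NETSCREEN_MATCHING)):
        print(label, "->", phase2_mismatches(asa, peer) or "acceptable")
```

With the posted config the ASA side comes out as esp-3des/esp-md5-hmac, PFS group2, proxy IDs 10.1.254.0/24 to 172.25.101.0/24, so the NetScreen side has to offer the mirror of exactly that; the first constructed peer is rejected on both PFS and proxy IDs, the second is accepted.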