Author: Lê Văn Cường
Configuring a Dynamic VPN between NetScreen and PIX
Index:
1. Topology
2. NetScreen configuration
2.1 Interfaces
a. Configure the IP address of the trust interface
b. Configure the untrust interface
c. Configure the tunnel interface
2.2 Address objects
2.3 VPN configuration
a. Phase I
b. Phase II
2.4 Routes
2.5 Policy configuration
3. PIX configuration
3.1 Configure interface IP addresses
3.2 Access-list nonat (permit VPN traffic)
3.3 Routing
3.4 VPN configuration
a. Phase I
b. Phase II
Appendix A:
PIX configuration
NetScreen (5GT)
NAT device (5GT-ADSL)
1. Topology
The NetScreen 5GT sits behind a NAT device (a second 5GT with an ADSL uplink). Its trust interface is 192.168.2.1/24 and its untrust interface 192.168.4.2/24 uses the NAT device (192.168.4.1) as default gateway. The NAT device's untrust side, 192.168.201.2/24, is on the same segment as the PIX outside interface 192.168.201.1/24; the PIX inside network is 192.168.1.0/24. Because the NetScreen has no fixed public address of its own, the PIX accepts the tunnel with a wildcard pre-shared key and a dynamic crypto map, and the NetScreen initiates IKE in aggressive mode.
2. NetScreen configuration
2.1 Interfaces
a. Configure the IP address of the trust interface
set interface trust ip 192.168.2.1/24
set interface trust nat
b. Configure the untrust interface
set interface untrust ip 192.168.4.2/24
set interface untrust route
c. Configure the tunnel interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust
2.2 Address objects
set address trust "Local_LAN" 192.168.2.0/24
set address untrust "Remote_LAN" 192.168.1.0/24
2.3 VPN configuration
a. Phase I:
set ike gateway "gw_pix" address 192.168.201.1 Aggr outgoing-interface "untrust" preshare "key" proposal "pre-g2-3des-sha"
b. Phase II
set vpn "vpn_pix" gateway "gw_pix" proposal "nopfs-esp-3des-sha"
set vpn "vpn_pix" monitor source-interface trust destination-ip 192.168.1.1 optimized rekey
set vpn "vpn_pix" id 1 bind interface tunnel.1
set vpn "vpn_pix" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY"
2.4 Routes
set route 192.168.1.0/24 interface tunnel.1
set route 0.0.0.0/0 interface untrust gateway 192.168.4.1
2.5 Policy configuration:
set policy id 1 from "Trust" to "Untrust" "Local_LAN" "Remote_LAN" "ANY" permit
set policy id 2 from "Untrust" to "Trust" "Remote_LAN" "Local_LAN" "ANY" permit
3. PIX configuration
3.1 Configure interface IP addresses
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.201.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
3.2 Access-list nonat (permit VPN traffic)
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
3.3 Routing
route outside 0.0.0.0 0.0.0.0 192.168.201.2
3.4 VPN configuration
a. Phase I
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
sysopt connection permit-ipsec !--- Lets IPsec-decrypted packets bypass the interface ACLs or conduits.
b. Phase II
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set mytrans
crypto dynamic-map outside_dyn_map 10 match address nonat
crypto map dyn-map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map dyn-map interface outside
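The tunnel in sections 2.3 and 3.4 only comes up if the two sides agree on three things: the NetScreen Phase I proposal must match a PIX isakmp policy, the Phase II proposal must match the transform set and PFS setting of a dynamic-map entry, and the NetScreen proxy-ID must be the exact mirror of the ACL the dynamic map (and nat 0, section 3.2) references. The following script is an added example, not part of the original document or of either vendor's tooling: it parses the relevant lines from both configurations (copied from this page and embedded as constructed input) and reports any mismatch. It assumes the ScreenOS predefined proposal names follow the "<auth>-g<N>-<enc>-<hash>" and "<pfs>-esp-<enc>-<hash>" patterns seen on the page, and that a PIX "set pfs" without a group keyword means group1. A clean result means the parameters line up; it says nothing about the strength of 3DES, SHA-1 and DH group 2, which the page uses and which are considered weak today.

```python
"""Check that the NetScreen and PIX halves of the dynamic VPN agree."""
import ipaddress
import re

# Constructed input: the relevant lines from sections 2.3, 3.2 and 3.4 of the page.
NETSCREEN_CFG = """
set ike gateway "gw_pix" address 192.168.201.1 Aggr outgoing-interface "untrust" preshare "key" proposal "pre-g2-3des-sha"
set vpn "vpn_pix" gateway "gw_pix" proposal "nopfs-esp-3des-sha"
set vpn "vpn_pix" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY"
"""

PIX_CFG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set mytrans
crypto dynamic-map outside_dyn_map 10 match address nonat
"""

# ScreenOS authentication keyword -> PIX spelling ("rsa" mapping is an assumption).
_AUTH = {"pre": "pre-share", "rsa": "rsa-sig"}


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_netscreen(cfg):
    """Extract phase 1, phase 2 and proxy-id settings from ScreenOS 'set' lines."""
    ns = {}
    for line in cfg.splitlines():
        m = re.match(r'set ike gateway "\S+" address (\S+) (Aggr|Main) .*proposal "([^"]+)"', line)
        if m:  # e.g. "pre-g2-3des-sha" (assumed naming pattern)
            auth, group, enc, hsh = m.group(3).split("-")
            ns["phase1"] = {"authentication": _AUTH.get(auth, auth), "group": group[1:],
                            "encryption": enc, "hash": hsh}
            ns["mode"] = m.group(2)
            continue
        m = re.match(r'set vpn "\S+" gateway "\S+".*proposal "([^"]+)"', line)
        if m:  # e.g. "nopfs-esp-3des-sha" or "g2-esp-3des-sha"
            pfs, _esp, enc, hsh = m.group(1).split("-")
            ns["phase2"] = {"pfs": None if pfs == "nopfs" else int(pfs[1:]),
                            "enc": enc, "hash": hsh}
            continue
        m = re.match(r'set vpn "\S+" proxy-id local-ip (\S+) remote-ip (\S+)', line)
        if m:
            ns["proxy"] = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
    return ns


def parse_pix(cfg):
    """Collect isakmp policies, transform sets, dynamic-map entries and ACLs."""
    pix = {"policies": {}, "transform_sets": {}, "dyn_maps": {}, "acls": {}, "nat0_acl": None}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            pix["acls"].setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
            continue
        m = re.match(r"nat \(inside\) 0 access-list (\S+)", line)
        if m:
            pix["nat0_acl"] = m.group(1)
            continue
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            pix["policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", line)
        if m:
            pix["transform_sets"][m.group(1)] = {"enc": m.group(2), "hash": m.group(3)}
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) (set transform-set|match address|set pfs) ?(\S*)", line)
        if m:
            entry = pix["dyn_maps"].setdefault((m.group(1), int(m.group(2))), {"pfs": None})
            if m.group(3) == "set transform-set":
                entry["transform"] = m.group(4)
            elif m.group(3) == "match address":
                entry["acl"] = m.group(4)
            else:  # "set pfs" with no keyword is taken to mean group1 (assumption)
                entry["pfs"] = int(m.group(4).replace("group", "") or 1)
    return pix


def check_vpn(ns_cfg, pix_cfg):
    """Return a list of mismatches; an empty list means both sides agree."""
    ns, pix = parse_netscreen(ns_cfg), parse_pix(pix_cfg)
    problems = []
    p1 = ns["phase1"]
    if not any(all(pol.get(k) == v for k, v in p1.items()) for pol in pix["policies"].values()):
        problems.append(f"no PIX isakmp policy matches NetScreen phase 1 proposal {p1}")
    p2 = ns["phase2"]
    usable = []  # dynamic-map entries whose transform set and PFS match phase 2
    for entry in pix["dyn_maps"].values():
        ts = pix["transform_sets"].get(entry.get("transform"), {})
        if ts.get("enc") == p2["enc"] and ts.get("hash") == p2["hash"] and entry["pfs"] == p2["pfs"]:
            usable.append(entry)
    if not usable:
        problems.append("no PIX dynamic-map entry matches NetScreen phase 2 proposal (cipher, hash, PFS)")
    local, remote = ns["proxy"]
    mirrored = (remote, local)  # the PIX describes the same tunnel from its own end
    for entry in usable:
        if mirrored not in pix["acls"].get(entry.get("acl"), []):
            problems.append(f"dynamic-map ACL {entry.get('acl')} does not mirror proxy-id {local} <-> {remote}")
    if mirrored not in pix["acls"].get(pix["nat0_acl"], []):
        problems.append("VPN traffic is not exempted from NAT: the nat (inside) 0 ACL does not cover the proxy-id")
    return problems


if __name__ == "__main__":
    for problem in check_vpn(NETSCREEN_CFG, PIX_CFG) or ["both sides agree"]:
        print(problem)
```

Running it against the page's own values prints "both sides agree"; changing the NetScreen proposal to "g2-esp-3des-sha" without adding "set pfs group2" to the dynamic map, or typing 192.168.3.0 instead of 192.168.2.0 in the nonat ACL, is reported before anyone has to read an IKE debug.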
Appendix A:
PIX configuration (running config)
pix(config)# show run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name pix.cisco.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit icmp any any
pager lines 24
icmp permit 192.168.1.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.201.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.201.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.201.1 255.255.255.255 outside
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address nonat
crypto dynamic-map outside_dyn_map 10 set transform-set mytrans
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
username lvcuong password 3kFzZ89Ysqwgarem encrypted privilege 2
terminal width 80
Cryptochecksum:44bed10cd5aec129133d20f7ed25e926
: end
pix(config)#
NetScreen (5GT)
ns5gt-> get config
Total Config size 4049:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface untrust ip 192.168.4.2/24
set interface untrust route
set interface tunnel.1 ip unnumbered interface untrust
set interface tunnel.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface trust dhcp server service
set interface trust dhcp server auto
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set console timeout 0
set hostname ns5gt
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address Trust "local" 192.168.4.0 255.255.255.0
set ike gateway "gw_pix" address 192.168.201.1 Aggr outgoing-interface "untrust" preshare "FV7bU1TONNwsYRsRskCXpMGaDonhhh822Q==" proposal "pre-g2-3des-sha"
set ike gateway "gw_pix" cert peer-ca all
set ike respond-bad-spi 1
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "vpn_pix" gateway "gw_pix" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
set vpn "vpn_pix" monitor source-interface trust destination-ip 192.168.1.1 optimized rekey
set vpn "vpn_pix" id 1 bind interface tunnel.1
set url protocol sc-cpa
exit
set vpn "vpn_pix" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 2
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.5.0/24 interface untrust gateway 192.168.201.1
set route 192.168.1.0/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 gateway 192.168.4.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ns5gt->
NAT device (5GT-ADSL)
ns5gt-adsl-> get confi
Total Config size 3521:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "adsl1" pvc 8 35 mux llc protocol bridged zone "Null"
unset interface vlan1 ip
set interface trust ip 192.168.4.1/24
set interface trust nat
set interface untrust ip 192.168.201.2/24
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface trust dhcp server service
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname ns5gt-adsl
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set av profile "scan-mgr"
set ftp scan-mode scan-all
set ftp decompress-layer 2
set http scan-mode scan-all
set imap scan-mode scan-all
set imap decompress-layer 2
set pop3 scan-mode scan-all
set pop3 decompress-layer 2
set smtp scan-mode scan-all
set smtp decompress-layer 2
exit
set av scan-mgr max-content-size drop
set av scan-mgr max-msgs drop
set url protocol sc-cpa
exit
set anti-spam profile ns-profile
set sbl default-server enable
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ns5gt-adsl->