
Juniper SSG-Cisco PIX VPN Configuration

December 18th, 2007, rsivanandan

It's been quite some time that I've been wanting to post such a configuration. I helped with one such question on Experts-Exchange and sought permission from the author to post the working configuration once the VPN was up and running. Below is the configuration of a working SSG-PIX VPN, posted with the consent of the author. Obviously, the public IP addresses are masked.

To give some background, the SSG is at the main office and the PIX at the remote office. The VPN is built between the 10.10.12.0 network and the 10.10.7.0 network with the following configuration:

SSG 140 Configuration:

    JUNIPER (MAIN OFFICE)--->
    set clock timezone -5
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "admin"
    set admin password "XYZ123"
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set vip multi-port
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "DMZ-WAN"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "DMZ-WAN" block
    unset zone "DMZ-WAN" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen port-scan
    set zone "Trust" screen ip-sweep
    set zone "Trust" screen tear-drop
    set zone "Trust" screen ping-death
    set zone "Trust" screen ip-filter-src
    set zone "Trust" screen land
    set zone "Trust" screen syn-frag
    set zone "Trust" screen tcp-no-flag
    set zone "Trust" screen unknown-protocol
    set zone "Trust" screen ip-bad-option
    set zone "Trust" screen ip-record-route
    set zone "Trust" screen ip-timestamp-opt
    set zone "Trust" screen ip-security-opt
    set zone "Trust" screen ip-loose-src-route
    set zone "Trust" screen ip-strict-src-route
    set zone "Trust" screen ip-stream-opt
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen syn-fin
    set zone "Trust" screen fin-no-ack
    set zone "Trust" screen limit-session source-ip-based
    set zone "Trust" screen syn-ack-ack-proxy
    set zone "Trust" screen block-frag
    set zone "Trust" screen limit-session destination-ip-based
    set zone "Trust" screen component-block exe
    set zone "Trust" screen icmp-id
    set zone "Trust" screen ip-spoofing drop-no-rpf-route
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/3" zone "DMZ-WAN"
    set interface "tunnel.1" zone "Untrust"
    set interface ethernet0/0 ip 10.10.7.2/24
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 10.10.9.1/24
    set interface ethernet0/1 route
    set interface ethernet0/2 ip X.Y.Z.98/27
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 10.10.99.0/24
    set interface ethernet0/3 route
    set interface tunnel.1 ip unnumbered interface ethernet0/2
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    unset interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    unset interface ethernet0/3 ip manageable
    unset interface ethernet0/0 manage snmp
    set interface ethernet0/0 manage mtrace
    unset interface ethernet0/1 manage ping
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssh
    set interface ethernet0/2 manage telnet
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface ethernet0/2 manage mtrace
    set interface vlan1 manage mtrace
    set interface "ethernet0/2" mip X.Y.Z.106 host 10.10.7.106 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.109 host 10.10.7.200 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.100 host 10.10.7.100 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.101 host 10.10.7.206 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.103 host 10.10.7.103 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.108 host 10.10.7.208 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.121 host 10.10.7.121 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.115 host 10.10.7.115 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/2" mip X.Y.Z.125 host 10.10.7.122 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/0" webauth
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set domain econium
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 66.153.50.66 src-interface ethernet0/2
    set dns host dns2 64.80.0.162 src-interface ethernet0/2
    set dns host dns3 64.80.32.128 src-interface ethernet0/2
    set dns host schedule 06:28
    set address "Trust" "10.10.7.0/24" 10.10.7.0 255.255.255.0
    set address "Trust" "10.10.7.106/24" 10.10.7.106 255.255.255.0
    set address "Trust" "10.10.7.117/24" 10.10.7.117 255.255.255.0
    set address "Trust" "Office LAN" 10.10.0.0 255.255.0.0
    set address "Trust" "Trust_LAN" 10.10.7.0 255.255.255.0
    set address "Untrust" "10.10.12.0/24" 10.10.12.0 255.255.255.0
    set address "Untrust" "X.Y.Z.117/30" X.Y.Z.117 255.255.255.252
    set address "Untrust" "W-Remote" 10.10.12.0 255.255.255.0
    set address "DMZ-WAN" "Wireless" 10.10.99.0 255.255.255.0 "Wireless"
    set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
    set vpn "W-Remote VPN" id 1 bind interface tunnel.1
    set url protocol websense
    exit
    set anti-spam profile ns-profile
     set sbl default-server enable
     set default action tag subject "*** [SPAM] ***"
    exit
    set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY"
    set policy id 34 from "Trust" to "Untrust"  "10.10.7.0/24" "10.10.12.0/24" "ANY" permit log
    set policy id 34
    set log session-init
    exit
    set policy id 33 from "Untrust" to "Trust"  "10.10.12.0/24" "10.10.7.0/24" "ANY" permit log
    set policy id 33
    set log session-init
    exit
    set policy id 21 from "Untrust" to "Trust"  "Any" "MIP(X.Y.Z.106)" "ANY" permit log
    set policy id 21
    exit
    set policy id 1 name "Internet Access" from "Trust" to "Untrust"  "Office LAN" "Any" "HTTP" nat src permit log url-filter
    set policy id 1
    set log session-init
    exit
    set policy id 2 from "Trust" to "Untrust"  "Office LAN" "Any" "HTTPS" nat src permit log
    set policy id 2
    exit
    set policy id 5 from "Trust" to "DMZ"  "Office LAN" "Any" "ANY" nat src permit log
    set policy id 5
    exit
    set policy id 6 name "Deny All - DMZ" from "Untrust" to "DMZ"  "Any" "Any" "ANY" deny log
    set policy id 6
    exit
    set policy id 7 from "Trust" to "Untrust"  "Office LAN" "Any" "DNS" nat src permit
    set policy id 7
    exit
    set policy id 8 from "Trust" to "Untrust"  "Office LAN" "Any" "FTP" nat src permit
    set policy id 8
    exit
    set policy id 9 from "Trust" to "Untrust"  "Office LAN" "Any" "POP3" nat src permit
    set policy id 9
    exit
    set policy id 10 from "Trust" to "Untrust"  "Office LAN" "Any" "SMTP" nat src permit log
    set policy id 10
    exit
    set policy id 11 name "Wireless Access" from "DMZ-WAN" to "Untrust"  "Wireless" "Any" "DNS" nat src permit log
    set policy id 11
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "PING"
    set service "POP3"
    set service "SMTP"
    set service "VNC"
    exit
    set policy id 13 name "VNC" from "Trust" to "Untrust"  "Office LAN" "Any" "VNC" nat src permit log
    set policy id 13
    exit
    set policy id 14 name "Ping" from "Trust" to "Untrust"  "Office LAN" "Any" "PING" nat src permit log
    set policy id 14
    exit
    set policy id 31 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit log
    set policy id 31
    exit
    set policy id 32 from "Trust" to "Untrust"  "Office LAN" "Any" "ANY" nat src permit log
    set policy id 32
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 10.10.12.0/24 interface tunnel.1 preference 20
    set route 0.0.0.0/0 interface ethernet0/2 gateway X.Y.Z.97 preference 20 metric 10
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

PIX Configuration:

    CISCO PIX (REMOTE OFFICE) -->
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ABCDE encrypted
    passwd abcde encrypted
    hostname W-Remote
    domain-name pix
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 8080
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list acl_out permit icmp any any
    access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
    access-list nonat permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
    access-list cap permit ip host 10.10.12.112 host 10.10.7.117
    access-list cap permit ip host 10.10.7.117 host 10.10.12.112
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    logging history errors
    mtu outside 1500
    mtu inside 1500
    ip address outside A.B.C.42 255.255.255.248
    ip address inside 10.10.12.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.10.12.0 255.255.255.255 inside
    pdm location 10.10.7.0 255.255.255.0 outside
    pdm location 10.10.12.0 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.10.12.0 255.255.255.0 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 A.B.C.42 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.10.12.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    sysopt ipsec pl-compatible
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map pie 1 ipsec-isakmp
    crypto map pie 1 match address 101
    crypto map pie 1 set peer X.Y.Z.98
    crypto map pie 1 set transform-set ESP-3DES-SHA
    crypto map pie interface outside
    isakmp enable outside
    isakmp key ******** address X.Y.Z.98 netmask 255.255.255.0
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 3600
    telnet 10.10.12.0 255.255.255.0 inside
    telnet 10.10.7.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    management-access inside
    console timeout 0
    terminal width 80
    : end
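As an added check (example code written for this post, not part of the original configurations), the script below pulls the parameters both ends of a site-to-site tunnel must agree on out of excerpts of the two configurations above (peer addresses, IKE phase 1 encryption/hash/DH group, IPsec phase 2 transform, PFS, and the ScreenOS proxy-id versus the PIX crypto ACL) and reports any that do not mirror each other. The excerpts are copied from the page with its masked public addresses; on them it reports only that the ScreenOS proposal name g2-esp-3des-sha carries PFS group 2 while the PIX crypto map has no `set pfs`.

```python
import re

# Constructed excerpts of the two configurations on this page (public IPs masked as on the page).
SSG = """set interface ethernet0/2 ip X.Y.Z.98/27
set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY"
"""
PIX = """ip address outside A.B.C.42 255.255.255.248
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map pie 1 match address 101
crypto map pie 1 set peer X.Y.Z.98
crypto map pie 1 set transform-set ESP-3DES-SHA
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
"""

def grab(pattern, text):  # first capture group of pattern in text, or None
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def cidr(ip, mask):  # PIX writes dotted masks: ('10.10.12.0', '255.255.255.0') -> '10.10.12.0/24'
    return f"{ip}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def parse_ssg(cfg):  # ScreenOS encodes the phase 1/2 parameters in its proposal names
    dh, enc, hsh = grab(r'proposal "pre-(\S+)"', cfg).split("-")                      # pre-g2-3des-sha
    pfs, _, p2enc, p2hsh = grab(r'^set vpn .* proposal "(\S+)"', cfg).split("-")      # g2-esp-3des-sha
    return {"local": grab(r'^set interface \S+ ip ([^/\s]+)', cfg),
            "peer": grab(r'^set ike gateway "[^"]+" address (\S+)', cfg),
            "p1": (enc, hsh, dh), "p2": (p2enc, p2hsh), "pfs": None if pfs == "nopfs" else pfs,
            "local_net": grab(r'local-ip (\S+)', cfg), "remote_net": grab(r'remote-ip (\S+)', cfg)}

def parse_pix(cfg):  # PIX spreads the same parameters over crypto map, transform-set, isakmp policy and ACL
    ts = grab(r'^crypto ipsec transform-set %s (.+)$' % grab(r'set transform-set (\S+)', cfg), cfg).split()
    acl = re.search(r'^access-list %s permit ip (\S+) (\S+) (\S+) (\S+)' % grab(r'match address (\S+)', cfg), cfg, re.M)
    return {"local": grab(r'^ip address outside (\S+)', cfg), "peer": grab(r'set peer (\S+)', cfg),
            "p1": (grab(r'encryption (\S+)', cfg), grab(r'hash (\S+)', cfg), "g" + grab(r'group (\S+)', cfg)),
            "p2": (ts[0][4:], ts[1][4:-5]),  # esp-3des -> 3des, esp-sha-hmac -> sha
            "pfs": (grab(r'set pfs (\S+)', cfg) or "").replace("group", "g") or None,
            "local_net": cidr(acl.group(1), acl.group(2)), "remote_net": cidr(acl.group(3), acl.group(4))}

def compare(ssg, pix):  # every parameter on which the two ends disagree; [] means they mirror each other
    checks = [("peer addresses", (ssg["peer"], ssg["local"]), (pix["local"], pix["peer"])),
              ("phase 1 (enc, hash, dh)", ssg["p1"], pix["p1"]),
              ("phase 2 (enc, hash)", ssg["p2"], pix["p2"]),
              ("PFS group", ssg["pfs"], pix["pfs"]),
              ("proxy-id vs crypto ACL", (ssg["local_net"], ssg["remote_net"]), (pix["remote_net"], pix["local_net"]))]
    return [f"{name}: SSG {a} vs PIX {b}" for name, a, b in checks if a != b]
```

A Cisco crypto map without `set pfs` still accepts a PFS offer from an initiating peer, which is why the tunnel comes up; adding `set pfs group2` to the PIX map makes both ends agree whichever side initiates and empties the finding list.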