Juniper SSG-Cisco PIX VPN Configuration
It has been quite some time since I have wanted to post such a configuration. I helped with one such question on Experts-Exchange and sought the author's permission to post the working configuration once the VPN was up and running. Below is the configuration of the working SSG-PIX VPN, posted with the author's consent. Obviously the public IP addresses are masked.
For background, the SSG is at the main office and the PIX is at the remote office. The VPN is built between the 10.10.12.0/24 network (remote office, behind the PIX) and the 10.10.7.0/24 network (main office, behind the SSG) with the following configuration:
SSG 140 Configuration:-
JUNIPER (MAIN OFFICE) --->
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "XYZ123"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "DMZ-WAN"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "DMZ-WAN" block
unset zone "DMZ-WAN" tcp-rst
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen component-block exe
set zone "Trust" screen icmp-id
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "DMZ-WAN"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip 10.10.7.2/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 10.10.9.1/24
set interface ethernet0/1 route
set interface ethernet0/2 ip X.Y.Z.98/27
set interface ethernet0/2 route
set interface ethernet0/3 ip 10.10.99.0/24
set interface ethernet0/3 route
set interface tunnel.1 ip unnumbered interface ethernet0/2
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
unset interface ethernet0/3 ip manageable
unset interface ethernet0/0 manage snmp
set interface ethernet0/0 manage mtrace
unset interface ethernet0/1 manage ping
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/2 manage mtrace
set interface vlan1 manage mtrace
set interface "ethernet0/2" mip X.Y.Z.106 host 10.10.7.106 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.109 host 10.10.7.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.100 host 10.10.7.100 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.101 host 10.10.7.206 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.103 host 10.10.7.103 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.108 host 10.10.7.208 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.121 host 10.10.7.121 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.115 host 10.10.7.115 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip X.Y.Z.125 host 10.10.7.122 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" webauth
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain econium
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 66.153.50.66 src-interface ethernet0/2
set dns host dns2 64.80.0.162 src-interface ethernet0/2
set dns host dns3 64.80.32.128 src-interface ethernet0/2
set dns host schedule 06:28
set address "Trust" "10.10.7.0/24" 10.10.7.0 255.255.255.0
set address "Trust" "10.10.7.106/24" 10.10.7.106 255.255.255.0
set address "Trust" "10.10.7.117/24" 10.10.7.117 255.255.255.0
set address "Trust" "Office LAN" 10.10.0.0 255.255.0.0
set address "Trust" "Trust_LAN" 10.10.7.0 255.255.255.0
set address "Untrust" "10.10.12.0/24" 10.10.12.0 255.255.255.0
set address "Untrust" "X.Y.Z.117/30" X.Y.Z.117 255.255.255.252
set address "Untrust" "W-Remote" 10.10.12.0 255.255.255.0
set address "DMZ-WAN" "Wireless" 10.10.99.0 255.255.255.0 "Wireless"
set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "W-Remote VPN" id 1 bind interface tunnel.1
set url protocol websense
exit
set anti-spam profile ns-profile
set sbl default-server enable
set default action tag subject "*** [SPAM] ***"
exit
set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY"
set policy id 34 from "Trust" to "Untrust" "10.10.7.0/24" "10.10.12.0/24" "ANY" permit log
set policy id 34
set log session-init
exit
set policy id 33 from "Untrust" to "Trust" "10.10.12.0/24" "10.10.7.0/24" "ANY" permit log
set policy id 33
set log session-init
exit
set policy id 21 from "Untrust" to "Trust" "Any" "MIP(X.Y.Z.106)" "ANY" permit log
set policy id 21
exit
set policy id 1 name "Internet Access" from "Trust" to "Untrust" "Office LAN" "Any" "HTTP" nat src permit log url-filter
set policy id 1
set log session-init
exit
set policy id 2 from "Trust" to "Untrust" "Office LAN" "Any" "HTTPS" nat src permit log
set policy id 2
exit
set policy id 5 from "Trust" to "DMZ" "Office LAN" "Any" "ANY" nat src permit log
set policy id 5
exit
set policy id 6 name "Deny All - DMZ" from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 6
exit
set policy id 7 from "Trust" to "Untrust" "Office LAN" "Any" "DNS" nat src permit
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust" "Office LAN" "Any" "FTP" nat src permit
set policy id 8
exit
set policy id 9 from "Trust" to "Untrust" "Office LAN" "Any" "POP3" nat src permit
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust" "Office LAN" "Any" "SMTP" nat src permit log
set policy id 10
exit
set policy id 11 name "Wireless Access" from "DMZ-WAN" to "Untrust" "Wireless" "Any" "DNS" nat src permit log
set policy id 11
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "PING"
set service "POP3"
set service "SMTP"
set service "VNC"
exit
set policy id 13 name "VNC" from "Trust" to "Untrust" "Office LAN" "Any" "VNC" nat src permit log
set policy id 13
exit
set policy id 14 name "Ping" from "Trust" to "Untrust" "Office LAN" "Any" "PING" nat src permit log
set policy id 14
exit
set policy id 31 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 31
exit
set policy id 32 from "Trust" to "Untrust" "Office LAN" "Any" "ANY" nat src permit log
set policy id 32
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.10.12.0/24 interface tunnel.1 preference 20
set route 0.0.0.0/0 interface ethernet0/2 gateway X.Y.Z.97 preference 20 metric 10
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
PIX Configuration:-
CISCO PIX (REMOTE OFFICE) -->
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ABCDE encrypted
passwd abcde encrypted
hostname W-Remote
domain-name pix
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list nonat permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list cap permit ip host 10.10.12.112 host 10.10.7.117
access-list cap permit ip host 10.10.7.117 host 10.10.12.112
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging history errors
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.42 255.255.255.248
ip address inside 10.10.12.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.12.0 255.255.255.255 inside
pdm location 10.10.7.0 255.255.255.0 outside
pdm location 10.10.12.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.12.0 255.255.255.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 A.B.C.42 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map pie 1 ipsec-isakmp
crypto map pie 1 match address 101
crypto map pie 1 set peer X.Y.Z.98
crypto map pie 1 set transform-set ESP-3DES-SHA
crypto map pie interface outside
isakmp enable outside
isakmp key ******** address X.Y.Z.98 netmask 255.255.255.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
telnet 10.10.12.0 255.255.255.0 inside
telnet 10.10.7.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
: end
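As an added example (not from the original post or its author), here is a small Python script that cross-checks the VPN-relevant lines of the two configurations against each other: the peer addresses, the SSG proxy-ID against the PIX crypto ACL and its nat 0 exemption, the route to the bound tunnel interface, and the phase 1 and phase 2 parameters, which ScreenOS encodes in the proposal names pre-g2-3des-sha and g2-esp-3des-sha. The two embedded config strings are constructed excerpts of the lines above; the masked public addresses are kept as they appear and compared as plain text.

```python
"""Cross-check a ScreenOS (Juniper SSG) site-to-site VPN against its Cisco PIX 6.3 peer.
Added example, not part of the original post. SSG_CONFIG and PIX_CONFIG are constructed
excerpts of the post's VPN-relevant lines; masked addresses are compared as plain strings."""
import ipaddress
import re

SSG_CONFIG = """\
set interface ethernet0/2 ip X.Y.Z.98/27
set ike gateway "W-Remote GW" address A.B.C.42 Main outgoing-interface "ethernet0/2" preshare "myxlplyt" proposal "pre-g2-3des-sha"
set vpn "W-Remote VPN" gateway "W-Remote GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "W-Remote VPN" id 1 bind interface tunnel.1
set vpn "W-Remote VPN" proxy-id local-ip 10.10.7.0/24 remote-ip 10.10.12.0/24 "ANY"
set route 10.10.12.0/24 interface tunnel.1 preference 20
"""

PIX_CONFIG = """\
access-list 101 permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
access-list nonat permit ip 10.10.12.0 255.255.255.0 10.10.7.0 255.255.255.0
ip address outside A.B.C.42 255.255.255.248
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map pie 1 match address 101
crypto map pie 1 set peer X.Y.Z.98
crypto map pie 1 set transform-set ESP-3DES-SHA
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
"""


def parse_ssg(text):
    """Collect interface IPs, IKE gateway, proposals, proxy-ID, bound tunnel and routes."""
    info = {"if_ip": {}, "routes": {}}
    for line in text.splitlines():
        if m := re.match(r'set interface (\S+) ip (\S+)/\d+$', line):
            info["if_ip"][m[1]] = m[2]
        elif m := re.match(r'set ike gateway "[^"]+" address (\S+) .*outgoing-interface "([^"]+)".*proposal "([^"]+)"', line):
            info["peer"], info["out_if"], info["p1"] = m.groups()
        elif m := re.match(r'set vpn "[^"]+" gateway "[^"]+".*proposal "([^"]+)"', line):
            info["p2"] = m[1]
        elif m := re.match(r'set vpn "[^"]+" id \d+ bind interface (\S+)', line):
            info["tunnel_if"] = m[1]
        elif m := re.match(r'set vpn "[^"]+" proxy-id local-ip (\S+) remote-ip (\S+)', line):
            info["local"], info["remote"] = map(ipaddress.ip_network, m.groups())
        elif m := re.match(r'set route (\S+) interface (\S+)', line):
            info["routes"][ipaddress.ip_network(m[1])] = m[2]
    info["local_ip"] = info["if_ip"][info["out_if"]]  # address the PIX must peer with
    return info


def parse_pix(text):
    """Collect ACLs, outside IP, nat 0 ACL, transform sets, crypto map entries and isakmp policy."""
    info = {"acl": {}, "transform": {}, "isakmp": {}}
    for line in text.splitlines():
        if m := re.match(r'access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$', line):
            name, src, smask, dst, dmask = m.groups()  # PIX 6.x ACLs use subnet masks
            info["acl"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := re.match(r'ip address outside (\S+)', line):
            info["outside_ip"] = m[1]
        elif m := re.match(r'nat \(inside\) 0 access-list (\S+)', line):
            info["nonat_acl"] = m[1]
        elif m := re.match(r'crypto ipsec transform-set (\S+) (.+)', line):
            info["transform"][m[1]] = m[2].split()
        elif m := re.match(r'crypto map \S+ \d+ (match address|set peer|set transform-set) (\S+)', line):
            info[m[1]] = m[2]
        elif m := re.match(r'isakmp policy \d+ (\S+) (\S+)', line):
            info["isakmp"][m[1]] = m[2]
    return info


def check_vpn(ssg, pix):
    """Return [(check name, passed)] for the parameters both ends must agree on."""
    crypto = pix["acl"][pix["match address"]]
    # ScreenOS proposal names encode the parameters: pre-g2-3des-sha and g2-esp-3des-sha
    auth, grp, enc, hsh = ssg["p1"].split("-")
    _pfs, proto, enc2, hsh2 = ssg["p2"].split("-")
    want_p1 = {"authentication": "pre-share" if auth == "pre" else auth,
               "group": grp[1:], "encryption": enc, "hash": hsh}
    want_p2 = [f"{proto}-{enc2}", f"{proto}-{hsh2}-hmac"]
    return [
        ("SSG gateway address is the PIX outside IP", ssg["peer"] == pix["outside_ip"]),
        ("PIX crypto-map peer is the SSG outgoing-interface IP", pix["set peer"] == ssg["local_ip"]),
        # PIX ACL lists (PIX-local src, remote dst); the SSG proxy-ID must be its mirror image
        ("SSG proxy-ID mirrors the PIX crypto ACL", (ssg["remote"], ssg["local"]) in crypto),
        # without nat 0 the PIX would translate tunnel traffic before encrypting it
        ("crypto ACL traffic is NAT-exempt (nat 0)", crypto == pix["acl"].get(pix.get("nonat_acl"))),
        ("remote network is routed to the bound tunnel interface", ssg["routes"].get(ssg["remote"]) == ssg["tunnel_if"]),
        ("phase 1 proposal matches isakmp policy", all(pix["isakmp"].get(k) == v for k, v in want_p1.items())),
        ("phase 2 proposal matches the transform set", pix["transform"][pix["set transform-set"]] == want_p2),
    ]


if __name__ == "__main__":
    for name, ok in check_vpn(parse_ssg(SSG_CONFIG), parse_pix(PIX_CONFIG)):
        print(f"[{'ok' if ok else 'MISMATCH'}] {name}")
```

Run it as-is to see every check pass for the configurations above; editing one side (for example changing the PIX `encryption 3des` to `encryption des`, or dropping the `nat (inside) 0` line) flags the corresponding check, which is the usual way such a mismatch shows up when a tunnel negotiates but passes no traffic.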