ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 5
Registered: ‎05-30-2008
Accepted Solution

Multiple subnets over VPN (SSG350 to Cisco 2611)

Good afternoon :smileyhappy:

We have an SSG350 in our main site, as the hub in our 'hub and spoke' VPN network. On one of our spokes, we are connecting to a Cisco 2611 via a policy based VPN. My issue is that we have two subnets in the hub (10.1.1.0/24 and 192.168.1.0/24). There is already a policy based VPN established to 10.1.1.0/24 and the spoke's subnet (10.1.78.0/24). Currently, I'm trying to allow traffic to pass over the existing VPN from the remote site to the additional subnet 192.168.1.0/24. This is the setup I have so far:

 

SSG350:

-Configured with one gateway, and two separate Phase 2 rules for this spoke (one for each proxy ID pair).

-Two sets of policies, one for each subnet.

 

Cisco 2611

-Tried adding the additional subnet into the existing access list for the VPN

i.e.  access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255

       access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

How can I route traffic from the Cisco over the currently working VPN to an additional subnet on the Juniper side? Related config for each posted below...thanks in advance for any suggestions/links to point me in the right direction!!

 

Kara

 


Cisco 2611 edited config:

!
!

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXXXXXX address 4.4.4.4
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
!
crypto map nolan 11 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set sharks
 match address 101
!
!
!
!
interface Ethernet0/0
 no ip address
 no ip directed-broadcast
 no cdp enable
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 5.5.5.5 255.255.255.248
 no ip directed-broadcast
 ip nat outside
 no cdp enable
 frame-relay interface-dlci 16 IETF
 crypto map nolan
!
interface Ethernet0/1
 ip address 10.1.78.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no cdp enable
!
ip nat inside source route-map nonat interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 5.5.5.4
!
access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.78.0 0.0.0.255 any
access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
route-map nonat permit 10
 match ip address 102


 

SSG 350 Edited Config:


set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "ERP"
set interface "ethernet0/2" zone "OPS"
set interface "ethernet0/3" zone "Null"
set interface ethernet0/0 ip 4.4.4.4/28
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 route
set interface ethernet0/2 ip 10.1.1.1/24
set interface ethernet0/2 route

set ike gateway "To-RDsite" address 5.5.5.5 Main outgoing-interface "ethernet0/0" preshare "XXXXXXXXXXXXXXXXXXXXXX" proposal "pre-g1-des-md5" "pre-g1-des-sha" "pre-g2-des-sha" "pre-g2-des-md5"

set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log

set vpn "RDsite VPN" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible
set vpn "RDsite ERP Traffic" gateway "To-RDsite" replay tunnel idletime 0 sec-level compatible

set vpn "RDsite VPN" proxy-id local-ip 10.1.1.0/24 remote-ip 10.1.78.0/24 "ANY"
set vpn "RDsite ERP Traffic" proxy-id local-ip 192.168.1.0/24 remote-ip 10.1.78.0/24 "ANY"

set policy id 156 name "RDsite ERP Traffic" from "Untrust" to "ERP"  "net_10.1.78.0" "net_192.168.1.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 155 log
set policy id 156
exit
set policy id 155 name "RDsite ERP Traffic" from "ERP" to "Untrust"  "net_192.168.1.0" "net_10.1.78.0" "ANY" tunnel vpn "RDsite ERP Traffic" id 0x54 pair-policy 156 log
set policy id 155
exit
set policy id 118 name "RDsite VPN" from "Untrust" to "OPS"  "net_10.1.78.0" "net_10.1.1.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 117
set policy id 118
exit
set policy id 117 name "RDsite VPN" from "OPS" to "Untrust"  "net_10.1.1.0" "net_10.1.78.0" "ANY" tunnel vpn "Raleigh Durham VPN" id 0x17 pair-policy 118
set policy id 117
exit
set policy id 9 from "OPS" to "ERP"  "net_10.1.1.0" "net_192.168.1.0" "ANY" permit
set policy id 9
exit
set policy id 10 from "ERP" to "OPS"  "net_192.168.1.0" "net_10.1.1.0" "ANY" permit
set policy id 10
exit

Visitor
Posts: 5
Registered: ‎05-30-2008

Re: Multiple subnets over VPN (SSG350 to Cisco 2611)

Anyone have a suggestion? If I only knew what commands to research I could help myself. I'm not a Cisco person but most of the time just knowing what I need to look for is enough.

 

The question put simply:

There is an existing working VPN between a Juniper SSG350 and a Cisco 2611. There are two subnets on the Juniper side, and I need to access the secondary subnet from the Cisco. It's no problem at all from a route based Juniper to Juniper VPN. But I don't know what to do for a policy based Juniper to Cisco VPN. Thanks for any suggestions!!

 

Kara

Visitor
Posts: 5
Registered: ‎05-30-2008

Re: Multiple subnets over VPN (SSG350 to Cisco 2611)

Solved my own issue (yay, finally!!). I had everything (almost) set up correctly; I just had the access lists in the wrong order. I figured the issue stemmed from my lack of knowledge of Cisco, and I was right... I had added to access list 102 (the rule for outbound traffic) my statement to deny traffic to 192.168.1.0/24 to force the traffic to travel over the VPN. However, I was wrong to add it to the end of that access list: since they are processed from top to bottom, the underlined rule below wasn't getting processed. Removed the access list and re-added it with the correct order and voila! Victory.

 

Original access lists:

access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.78.0 0.0.0.255 any
access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

 

New access list:

access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 102 permit ip 10.1.78.0 0.0.0.255 any
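To show why the entry order mattered, here is an added Python model of IOS first-match ACL evaluation run over the ACLs posted in this thread; it is illustrative code, not part of the original posts or of any vendor tool. It assumes the IOS inside-to-outside order of operations (NAT via the nonat route-map is applied before the crypto map is consulted) and uses the Serial0/0.1 address 5.5.5.5 from the posted config as the NAT overload source.

```python
import ipaddress

OUTSIDE_IP = "5.5.5.5"  # Serial0/0.1 address in the posted config (NAT overload source)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' or '... SRC WC any' into a tuple."""
    tok = line.split()
    action, src, src_wc = tok[2], tok[4], tok[5]
    if tok[6] == "any":
        dst, dst_wc = "0.0.0.0", "255.255.255.255"
    else:
        dst, dst_wc = tok[6], tok[7]
    return action, src, src_wc, dst, dst_wc

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, s, sw, d, dw = parse_ace(line)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

# The crypto-map ACL and both versions of the NAT-exemption ACL, copied from the thread.
ACL_101 = [
    "access-list 101 permit ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 101 permit ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
ACL_102_ORIGINAL = [
    "access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 102 permit ip 10.1.78.0 0.0.0.255 any",
    "access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255",  # never reached
]
ACL_102_FIXED = [
    "access-list 102 deny   ip 10.1.78.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 102 deny   ip 10.1.78.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip 10.1.78.0 0.0.0.255 any",
]

def outbound_path(acl_102, src, dst):
    """Model the inside-to-outside path: a 'permit' in ACL 102 means route-map nonat
    NATs the packet, so its source becomes OUTSIDE_IP and it can no longer match the
    crypto ACL 101; a 'deny' exempts it from NAT and the crypto map sees the real source."""
    natted = evaluate(acl_102, src, dst) == "permit"
    if natted:
        src = OUTSIDE_IP
    if evaluate(ACL_101, src, dst) == "permit":
        return "encrypted"
    return "natted-cleartext" if natted else "routed-cleartext"

if __name__ == "__main__":
    for acl, name in ((ACL_102_ORIGINAL, "original"), (ACL_102_FIXED, "fixed")):
        print(name, "10.1.78.5 -> 192.168.1.10:", outbound_path(acl, "10.1.78.5", "192.168.1.10"))
```

With the original order, a packet for 192.168.1.0/24 hits the "permit any" line first, is NATed, and so never matches ACL 101; with the fixed order it is NAT-exempt and goes through the tunnel.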
 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.