ScreenOS Firewalls (NOT SRX)

Cisco with CBAC/TCP Inspect and site-to-site VPN

02-23-2010 02:57 AM

hi forum,



I'm using a pair of SSG550s to form a site-to-site IPsec tunnel.

Both SSGs are behind Cisco 2801 routers, acting as the main ISP gateways for their eth0/2 interfaces.

Now, during recent penetration tests I found that both Cisco devices are vulnerable to even the most primitive SYN flood type of attack.

In order to increase the level of protection I'm looking into implementing Cisco's CBAC/TCP Inspection features,

to be able to defeat DoS/DDoS type attacks and guard the Cisco.


Now, the question is the interop between Juniper's IPsec/IKE/ESP type of traffic and Cisco's CBAC feature.

Let's take this topology as an example of a functional model:




SSG_A represents LAN_A and SSG550_B represents LAN_B, and both LANs can see each other via the IPsec VPN tunnel.

Now, with CBAC on Cisco_A:

if I send an initial IPsec/ESP/IKE/whatever handshake request from SSG_A, CBAC on Cisco_A will record this flow as a valid outbound flow and will pass it thru.

But what will happen with the return/inbound traffic [IPsec response/keys from SSG_B]?



Will this one pass thru Cisco_A and form the tunnel?

Or will the CBAC on Cisco_A drop the flow?


many thanks for ANY suggestions.


rootless rooter




comment added 25-02-2010:


Anybody from the Juniper fellows with some advice? I can't believe there's nobody able to answer,

or am I in the wrong forum?
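The CBAC/IPsec interaction the post asks about, as an added Cisco IOS configuration example (not from the original thread and not vendor documentation; the inspection name, interface names and addresses are placeholders, and it assumes SSG_A's eth0/2 holds a routed public address with no NAT on the Cisco). CBAC tracks TCP, UDP and ICMP sessions, so the reply to an IKE exchange that SSG_A initiates on UDP 500 is let back in, but ESP (IP protocol 50) is not a session type CBAC inspects and a rekey started by SSG_B is not an outbound session either, so both are permitted statically in the inbound ACL while the SYN-flood thresholds apply to the TCP traffic CBAC does inspect.

```ios
! Cisco_A: CBAC plus static IPsec entries (added example; names and addresses are placeholders)
! 192.0.2.2     = SSG_A eth0/2 (inside segment, routed public address)
! 198.51.100.20 = SSG_B outside address (remote IPsec peer)
!
! Inspection rule for the session types CBAC actually tracks
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT icmp
!
! SYN-flood protection: age out half-open TCP sessions quickly and
! start dropping new half-open sessions once the thresholds are crossed
ip inspect tcp synwait-time 15
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Inbound ACL on the ISP-facing interface. CBAC inserts temporary
! entries for the return traffic of inspected sessions; IKE that the
! peer initiates and all ESP must be permitted here by hand because
! CBAC never opens them
ip access-list extended OUTSIDE_IN
 permit udp host 198.51.100.20 host 192.0.2.2 eq isakmp
 permit udp host 198.51.100.20 host 192.0.2.2 eq non500-isakmp
 permit esp host 198.51.100.20 host 192.0.2.2
 deny   ip any any log
!
interface FastEthernet0/0
 description ISP uplink
 ip address 203.0.113.1 255.255.255.248
 ip access-group OUTSIDE_IN in
 ip inspect CBAC_OUT out
!
interface FastEthernet0/1
 description LAN_A segment towards SSG_A eth0/2
 ip address 192.0.2.1 255.255.255.248
```

The `non500-isakmp` entry (UDP 4500) only matters if NAT traversal is negotiated; with no NAT on the path IKE stays on UDP 500 and ESP runs natively.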