ScreenOS Firewalls (NOT SRX)

Policy-Based Site-to-Site VPN - SSG5 to Cisco ASA - Multiple Zone Question

06-23-2011 04:51 PM

I have an SSG5 set up with multiple zones (4 to be exact), and I am attempting to set up a policy-based site-to-site VPN with a Cisco ASA.


Setting up the VPN was relatively straightforward.

However, I only have a connection between one zone and the ASA.


I would like to add the other zones to this setup, but I haven't found any type of documentation that would help with this (all docs assume you have one zone - Trust).


So assuming I have contiguous IP subnets across the zones, how do I add the other zones to this VPN tunnel?

Is it as simple as adding new policies referencing the other zones?



Re: Policy-Based Site-to-Site VPN - SSG5 to Cisco ASA - Multiple Zone Question

06-23-2011 06:15 PM

When using policy-based VPN tunnels you can simply create multiple policies and associate them with the same AutoKey object. When you do this they will each generate a pair of proxy IDs for the tunnel, so they do not need to be contiguous with the existing subnets. The address objects used in each policy are additive on the Juniper side.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
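As an added illustration of the approach in the reply above (example configuration written for this page, not taken from the thread or from Juniper documentation), here is a ScreenOS CLI fragment that binds policies from two different zones, Trust and DMZ, to one VPN object; the zone names, address objects, subnets, gateway address, pre-shared key and policy IDs are all constructed placeholders, and the `#` lines are explanatory comments that ScreenOS does not accept and must be dropped before pasting.

```text
# Local address objects, one per zone that should reach the ASA side.
set address trust "LAN-Trust" 10.1.1.0 255.255.255.0
set address dmz   "LAN-DMZ"   10.1.2.0 255.255.255.0

# Remote subnet behind the ASA, defined in the zone the tunnel exits.
set address untrust "ASA-LAN" 192.168.10.0 255.255.255.0

# One IKE gateway and one AutoKey VPN object shared by every policy.
# 203.0.113.10 is a documentation-range placeholder for the ASA's outside IP.
set ike gateway "ASA-GW" address 203.0.113.10 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn "ASA-VPN" gateway "ASA-GW" no-replay tunnel idletime 0 sec-level standard

# Trust <-> remote: a bidirectional pair, both referencing the same VPN object.
set policy id 10 from trust to untrust "LAN-Trust" "ASA-LAN" any tunnel vpn "ASA-VPN" pair-policy 11 log
set policy id 11 from untrust to trust "ASA-LAN" "LAN-Trust" any tunnel vpn "ASA-VPN" pair-policy 10 log

# DMZ <-> remote: a second pair on the same tunnel; adding it yields a second
# proxy ID pair (10.1.2.0/24 <-> 192.168.10.0/24) without touching the first.
set policy id 12 from dmz to untrust "LAN-DMZ" "ASA-LAN" any tunnel vpn "ASA-VPN" pair-policy 13 log
set policy id 13 from untrust to dmz "ASA-LAN" "LAN-DMZ" any tunnel vpn "ASA-VPN" pair-policy 12 log
```

Each local/remote address combination the policies produce must have a matching entry in the ASA's crypto map ACL, since the Phase 2 proxy IDs are negotiated per subnet pair; a zone whose pair is missing on the ASA side will fail Phase 2 while the others keep working, which is the first thing to check when only some zones pass traffic.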