Hi All,
I'm looking for some help and guidance regarding an issue with a route-based IPsec VPN configuration between an SSG-550M and a Cisco ASA.
From the get sa output it's A/D; however, traffic is passing through it. The remote end verified that they are able to reach my Trust network.
Posting the config below for reference:
(Software Version: 6.3.0r17b.0, Type: Firewall+VPN)
X.X.X.X & Y.Y.Y.Y are Public IPs.
Proxy-id - Unchecked
tunnel.5 is an IP-unnumbered interface (loopback.10)
set vpn "VPN_NAME" gateway "VPN_NAME_GW" no-replay tunnel idletime 0 sec-level standard
set vpn "VPN_NAME" monitor
set vpn "VPN_NAME" id 0x22 bind interface tunnel.5
set vpn "VPN_NAME" proxy-id local-ip 10.0.7.0/24 remote-ip 10.0.4.0/24 "ANY"
set ike gateway "VPN_NAME_GW" address Y.Y.Y.Y1 Main outgoing-interface "loopback.10" preshare "PRESHARE-KEY" sec-level compatible
set route 10.0.4.0/24 interface tunnel.5
set address "Untrust" "Y.Y.Y.Y/29" Y.Y.Y.Y 255.255.255.248
set address "Untrust" "10.0.4.0/24" 10.0.4.0 255.255.255.0
set policy id 98 from "Untrust" to "Untrust" "Y.Y.Y.Y/29" "X.X.X.X1/32" "ANY" permit log
set policy id 98a from "Untrust" to "Untrust" "10.0.4.0/24" "X.X.X.X1/32" "ANY" permit log
set policy id 01 from "Untrust" to "Trust" "Y.Y.Y.Y/29" "10.0.7.0/24" "ANY" permit log
set policy id 01a from "Untrust" to "Trust" "10.0.4.0/24" "10.0.7.0/24" "ANY" permit log
set policy id 03 from "Trust" to "Untrust" "10.0.7.0/24" "Y.Y.Y.Y/29" "ANY" permit log
set policy id 03a from "Trust" to "Untrust" "10.0.7.0/24" "10.0.4.0/24" "ANY" permit log
Also, how do I enable PFS in ScreenOS? Is it a global option, or can I enable it specifically for this VPN without affecting other VPNs that are in production?
Thanks in advance for your help.
Best Regards,
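The PFS question in the post, as an added example that is not part of the original post and is not vendor-supplied configuration: on ScreenOS, PFS is a property of the Phase 2 proposal a VPN is bound to, not a global switch, so it can be turned on for VPN_NAME alone by creating a dedicated Phase 2 proposal that carries a DH group and binding only this VPN to it. The proposal name p2-g2-aes128-sha and the lifetime are assumptions; the DH group, cipher and hash must match what the ASA side negotiates (its pfs group and transform set), otherwise Phase 2 will fail. Note that the predefined sec-level "standard" used in the posted set vpn line already maps to the group-2 proposals g2-esp-3des-sha and g2-esp-aes128-sha, whereas "compatible" and "basic" map to nopfs-* proposals, so the explicit proposal below mainly pins the choice and makes it visible in the config.

```text
set ike p2-proposal "p2-g2-aes128-sha" group2 esp aes128 sha-1 second 3600
set vpn "VPN_NAME" gateway "VPN_NAME_GW" replay tunnel idletime 0 proposal "p2-g2-aes128-sha"
get ike p2-proposal
get vpn "VPN_NAME"
get sa
```

The VPN's other settings from the post (monitor, id/bind interface, proxy-id) are left as they are; only the gateway line is re-issued with proposal in place of sec-level, and because the proposal is referenced by this one VPN, other production VPNs keep their own proposals and sec-levels. The example also replaces no-replay with replay: no-replay in the posted line disables ScreenOS anti-replay checking on the SA, and re-enabling it is an independent change that can be dropped if the peer cannot interoperate with it. After the change, get vpn "VPN_NAME" should list the new proposal, and get sa should show the Phase 2 SA re-established with the "PFS" group visible once the old SA expires or is cleared.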