Screen OS


VPN to same gateway destination

  • 1.  VPN to same gateway destination

    Posted 03-02-2012 22:55

    Hi,

     

    We have a netscreen 5200 at our HO and Cisco ASA5540 at customer end. We already have a Policy based VPN established between one source(192.168.100.x) behind our DMZ zone DIP'd with outer FW interface(199.1.x.x) and  a customer destination(202.100.X.X) .

     

    Now, we need to add another source in different zone WebZone(10.1.1.x) to the VPN with same customer destination.

    I tried to add a policy but it gives an error that it can't bind it to same VPN. Also I tried to establish another VPN but again it doesn't allow to create it with same gateway.

     

    I would appreciate if any of you guys could suggest a solution for this?

     

    Kind Regards,

    Raheel

     



  • 2.  RE: VPN to same gateway destination

    Posted 03-03-2012 03:59

    What version of screenOS are you running?

     

    I know you can have multiple policies bound to the same gaeway/Autokey Ike pair in version 6 and up.  But I'm not sure when the feature was added.



  • 3.  RE: VPN to same gateway destination

    Posted 03-03-2012 04:04

    Thanks for your reply. We have 5.4.

    Is there any solution without having to upgrade?



  • 4.  RE: VPN to same gateway destination

    Posted 03-03-2012 04:15

    If you have an available port and public ip address, you could create another public interface.  Then you would use this as the outbound gateway making the whole stack independent from the first connection.

     

    The ASA would also need to create a new tunnel in this case to the new gateway.

     

    I'm pretty sure the newer versions are supported on  the NS5200 for upgrade.



  • 5.  RE: VPN to same gateway destination

    Posted 03-03-2012 04:18

    How about creating a route based VPN in this situation?

    So in our case we have one destination and multiple sources.



  • 6.  RE: VPN to same gateway destination

    Posted 03-03-2012 04:22

    Unfortunately, with a route based VPN and an ASA on the other end, you will then need multiple proxy-ids configured.

    This feature is only in ScreenOS 6.3. So you would still need an upgrade.

    This is the method that I prefer for connecting to the remote systems. I have multiple ASA tunnels using this method on ScreenOS 6.3.

    This allows me to pick up those routes into OSPF and distribute the connection through the network.



  • 7.  RE: VPN to same gateway destination

    Posted 03-04-2012 06:15

    You could configure multiple PII over one PI and avoid the multiple proxy-id's this way couldn't you Spuluka?



  • 8.  RE: VPN to same gateway destination

    Posted 03-04-2012 08:49

    Screenie,

    This was the original problem. He needs to upgrade ScreenOS to get the multiple PII over PI.

    He is looking for a solution without change in firmware.



  • 9.  RE: VPN to same gateway destination

    Posted 03-05-2012 03:17

    Thanks guys for your replies. So does the following make sense? Only one proxy ID is used in this situation, so it might not require a ScreenOS upgrade.

    1. Create a tunnel interface (tunnel.1).

    2. Create a gateway (use the existing one in my case).

    3. Create a new AutoKey IKE and bind it to tunnel.1 (the proxy ID will be like the existing one, i.e. source IP of my FW interface (199.1.x.x) and destination customer side (202.100.X.X)).

    4. Then set route 202.100.X.X via tunnel.1.

    5. Then create two "permit" action policies from the two sources, i.e. WebZone (10.1.1.x) and DMZ zone (192.168.100.x), to the customer destination (in Advanced policy settings, DIP on FW interface IP 199.1.x.x).



  • 10.  RE: VPN to same gateway destination

    Posted 03-05-2012 03:18

    Hi,

    If I need an "alternative" VPN GW on an SSG that is already configured for IPSec, I solve the problem this way:

    Let's assume that the VPN is terminated on the interface in the Untrust zone and the latter is mapped to the trust-vr.

    a) create a loopback interface in the Untrust zone

    b) allow the subnet conflict for interfaces in trust-vr: set vrouter trust-vr ignore-subnet-conflict

    c) assign a free public IP to the loopback interface as x.x.x.x/32

    d) create a proxy-arp entry on the Untrust interface to make the loopback interface ARP-responsive:

        set interface ethernetx/y proxy-arp-entry x.x.x.x x.x.x.x

       You can also route this IP on the CPE router towards the FW, but a proxy-arp entry is better.

    e) configure an Untrust-to-Untrust policy that enables IKE (UDP 500) from the remote GW to x.x.x.x/32

    Now you can configure an IPSec VPN as usual, using the loopback interface as the VPN GW.

    Hopefully all these commands are supported in 5.4.

    I have tested this configuration with the route based VPN only, as I never use the policy based VPN.



  • 11.  RE: VPN to same gateway destination

    Posted 03-05-2012 03:42

    Well, we require a solution that doesn't require any change from the other (ASA) end.

    I am no Netscreen expert so can someone please tell me why the solution I posted in my last post would/wouldn't work?



  • 12.  RE: VPN to same gateway destination
    Best Answer

    Posted 03-05-2012 05:45

    Hi,


    There is no solution that does not require changes on the ASA. You cannot add a new network on SSG to the VPN and leave the ASA configuration unchanged (ASA ACLs).

    ScreenOS is a very, very old release and it has specific limitations as explained in the first posting of Steve Puluka.

    Pre-6.3 versions do not support multiple proxy IDs with route based VPN. But route based VPN combined with NAT solves the problem. You can configure a numbered tunnel interface and NAT the local networks to the IPs configured on this interface. Both src-NAT and dst-NAT can be implemented this way. If you switch to route based VPN the ASA should be reconfigured once. Any new network added to the SSG configuration in the future will not require any changes on the ASA. The proxy ID on the SSG and ACLs on the ASA stay the same.

    But if a new network is added to the ASA configuration you get a problem again.

    I do recommend upgrading to 6.3.
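    An added configuration example (not from this thread or from Juniper) of the route based VPN with NAT on a numbered tunnel interface that the post above describes. All addresses beyond the thread's 192.168.100.x, 10.1.1.x and 10.255.0.0/24 are constructed placeholders, ethernet1/1 and the preshared key are assumed, and lines starting with # are explanations for the reader, not CLI:

```text
# Numbered tunnel interface; its subnet is the only local proxy ID ever negotiated
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip 10.255.0.1/24

# Phase 1 to the customer ASA (peer address 202.100.1.1 is a placeholder)
set ike gateway gw-customer address 202.100.1.1 main outgoing-interface ethernet1/1 preshare "REPLACE-ME" sec-level standard

# Phase 2 bound to the tunnel interface with one fixed proxy ID
set vpn vpn-customer gateway gw-customer sec-level standard
set vpn vpn-customer bind interface tunnel.1
set vpn vpn-customer proxy-id local-ip 10.255.0.0/24 remote-ip 202.100.50.0/24 "ANY"

# Customer network (placeholder 202.100.50.0/24) is reached through the tunnel
set route 202.100.50.0/24 interface tunnel.1

# DIP pool on the tunnel interface: every local source is translated into the
# tunnel subnet before encryption, so it always falls inside the proxy ID above
set interface tunnel.1 dip 10 10.255.0.10 10.255.0.20

# One policy per source zone, each hiding its source behind the DIP pool.
# A third zone later is one more policy here and no ACL change on the ASA.
set policy from DMZ to Untrust 192.168.100.0/24 202.100.50.0/24 any nat src dip-id 10 permit
set policy from WebZone to Untrust 10.1.1.0/24 202.100.50.0/24 any nat src dip-id 10 permit

# ASA side, changed once: the crypto ACL must mirror the proxy ID
# (202.100.50.0/24 <-> 10.255.0.0/24) and 10.255.0.0/24 must route into the tunnel.
```

    Verify on the SSG with get sa and get ike cookies that a single Phase 2 SA with the 10.255.0.0/24 selector comes up, and confirm from the ASA that the received traffic carries a 10.255.0.x source.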




  • 13.  RE: VPN to same gateway destination

    Posted 03-05-2012 13:24

    Upgrading an NS5200 with mgmt1 and first generation cards is close to as expensive as a new box, as only the chassis and power are left. ScreenOS 5.4 is still supported on these boxes and new bugfix releases are still shipping. These are supported to somewhere in 2013.