[fw-wiz] Netscreen to Cisco IOS tunneling



Good morning (afternoon) all,

I have the following question regarding a tunnel I'm trying to establish between a Netscreen and a 3845:

#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(6)T1, RELEASE SOFTWARE (fc3)
...

ROM: Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)


My network information:

My VPN Peer address:
10.10.53.98

My ACL Host range:
10.10.53.192/30

Client's Netscreen Peer address:
10.15.179.238

---
Their networks:

Customer Pre-shared key:
secret

PHASE 1 proposal: DH group2-3des-md5
PHASE 2 proposal: PFS group2-esp-3des-md5

Client's ACL host range:
10.10.178.192/30



My configs:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address 10.15.179.238

crypto ipsec transform-set predefined esp-3des esp-md5-hmac

crypto map defined 10 ipsec-isakmp
set peer 10.15.179.238
set transform-set predefined
set pfs group2
match address 112

access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3

Question... Since I have a constant 20+ Mbps on one of my interfaces, I'm reluctant to have an outage...

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx

If I apply the crypto map predefined to this interface, would it drop all non-encrypted traffic?

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
crypto map predefined

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
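As an added example (not from the original post), a small Python script that parses the crypto ACL quoted above and shows how IOS disposes of packets on an interface once a crypto map is bound to it: only flows matching the ACL are IPsec-protected, other outbound traffic is forwarded in the clear, and inbound cleartext that matches the mirrored ACL is dropped. The sample flows and the `outbound`/`inbound` helper names are assumptions of this example.

```python
import ipaddress
from typing import Tuple

# Constructed example, not from the original post. CRYPTO_ACL is the entry
# quoted in the question; the sample flows in the functions below are made up.
CRYPTO_ACL = "access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (contiguous masks only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def cidr_to_wildcard(cidr: str) -> str:
    """The inverse: '10.10.53.192/30' -> '10.10.53.192 0.0.0.3' for an ACL entry."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def parse_crypto_acl(line: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse 'access-list N permit ip SRC SRC_WC DST DST_WC' into (src_net, dst_net)."""
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[2] != "permit" or p[3] != "ip":
        raise ValueError("only 'access-list N permit ip' entries are handled here")
    return wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])


def outbound(src: str, dst: str, acl: str = CRYPTO_ACL) -> str:
    """Outbound packet: ACL match -> protected by the IPsec SA; no match -> sent in clear."""
    src_net, dst_net = parse_crypto_acl(acl)
    if ipaddress.IPv4Address(src) in src_net and ipaddress.IPv4Address(dst) in dst_net:
        return "encrypt"
    return "forward-clear"


def inbound(src: str, dst: str, protected: bool, acl: str = CRYPTO_ACL) -> str:
    """Inbound packet: IOS evaluates the crypto ACL mirrored (src/dst swapped).
    A cleartext packet that matches the mirror is dropped, because it should
    have arrived inside IPsec; a non-matching packet is forwarded untouched."""
    src_net, dst_net = parse_crypto_acl(acl)
    matches = ipaddress.IPv4Address(src) in dst_net and ipaddress.IPv4Address(dst) in src_net
    if not matches:
        return "forward-clear"
    return "decrypt" if protected else "drop"
```

Feeding the interface's own transit flows through `outbound` is a quick way to see which of them the crypto map would touch before binding it to a busy interface.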


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

