[fw-wiz] Netscreen to Cisco IOS tunneling
- From: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
- Date: Tue, 22 May 2007 09:00:25 -0400
Good morning (afternoon) all,
Have the following question in regards to a tunnel I'm trying to establish between a Netscreen and a 3845:
#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(6)T1, RELEASE SOFTWARE (fc3)
...
ROM: Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
My network information:
My VPN Peer address:
10.10.53.98
My ACL Host range:
10.10.53.192/30
Client's Netscreen Peer address:
10.15.179.238
---
Their networks:
Customer Pre-shared key:
secret
PHASE 1 proposal: DH group2-3des-md5
PHASE 2 proposal: PFS group2-esp-3des-md5
Client's ACL host range:
10.10.178.192/30
My configs:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address 10.15.179.238
crypto ipsec transform-set predefined esp-3des esp-md5-hmac
crypto map defined 10 ipsec-isakmp
set peer 10.15.179.238
set transform-set predefined
set pfs group2
match address 112
access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3
Question... Since I have a constant 20+Mbps on one of my interfaces, I'm reluctant to have an outage...
interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
If I apply the crypto map predefined to this interface, would it drop all non-encrypted traffic?
interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
crypto map predefined
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
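An added example (not from the original post or from Cisco): it applies Cisco wildcard-mask matching to the crypto ACL quoted above to show which outbound flows a crypto map would select for IPsec and which it would forward in the clear, and it checks that the map name applied on the interface is one the config actually defines. The config text is reconstructed from the post; the ACL line is the post's own, the interface placeholders are kept as posted, and only outbound classification is modelled.

```python
import ipaddress
import re

# Constructed from the post: the crypto ACL and a minimal crypto-map / interface stanza.
CRYPTO_ACL = "access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3"
CONFIG = """crypto map defined 10 ipsec-isakmp
 set peer 10.15.179.238
 set transform-set predefined
 set pfs group2
 match address 112
interface Serial1/0.xxx point-to-point
 ip address 10.5.5.106 255.255.255.252
 crypto map predefined
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def parse_acl(line):
    """Parse a single 'permit ip src src-wc dst dst-wc' crypto ACL entry."""
    m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
    if not m:
        raise ValueError("unsupported ACL line: " + line)
    return {"number": m.group(1), "src": m.group(2), "src_wc": m.group(3),
            "dst": m.group(4), "dst_wc": m.group(5)}


def crypto_action(acl, src, dst):
    """Outbound disposition under an IOS crypto map bound to an interface:
    flows matching the crypto ACL are encrypted, all other flows leave in the clear."""
    if wildcard_match(src, acl["src"], acl["src_wc"]) and \
            wildcard_match(dst, acl["dst"], acl["dst_wc"]):
        return "encrypt"
    return "clear"


def unbound_crypto_maps(config):
    """Crypto-map names referenced on interfaces that no 'crypto map <name> <seq>' defines."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    applied = set(re.findall(r"^\s+crypto map (\S+)\s*$", config, re.M))
    return sorted(applied - defined)


if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL)
    for s, d in [("208.50.53.98", "63.79.178.193"), ("10.5.5.106", "10.5.5.105")]:
        print(s, "->", d, ":", crypto_action(acl, s, d))
    print("maps applied but never defined:", unbound_crypto_maps(CONFIG))
```

Note that 0.0.0.7 covers eight addresses (a /29) and 0.0.0.3 covers four (a /30), so the ACL's scope should be compared against the host ranges stated in the post.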