
VPN Between Cisco Pix 501 and Netscreen 25 running in Transparent Mode

Status
Not open for further replies.

JJCP (MIS, US), Apr 25, 2005
I've looked all over the web as well as here at these forums, but have found very little documentation on this setup (see subject). I've used the article on Cisco's site and also reviewed the article on juniper.net. Juniper states that I should use the Transparent mode's sys-ip address as the peer, which I have done. I've also followed all other steps exactly. I was successful with creating a VPN between two Ciscos using similar steps, but the Netscreen in Transparent mode is giving me fits.

Can anyone suggest anything that I should double check?
 
As far as I remember, you need to add a new tunnel interface with the ip you want to use as the vpn termination point. The tunnel interface should be bound to the untrusted zone, then set up the rest of the tunnel as normal.

I don't run any firewalls in transparent mode, but I seem to remember that from my training.

Stu
 
Thanks for the suggestion stooo. I will double check this.

-Jp
 
I've managed to get a connection established now, but I can't get any communication between the two networks. Ping times out, etc. Can anyone please look at the log below and see if this looks correct?

======================================================

02-20 17:41:41 info IKE<xx.xx.xx.195> Phase 2 msg ID <172e2a79>: Completed negotiations with SPI <101e0516>, tunnel ID <16>, and lifetime <3600> seconds/<4608000> KB.

2006-02-20 17:41:41 info IKE<xx.xx.xx.195>: Phase 2 msg ID <172e2a79>: Received responder lifetime notification. (0 sec/4608000 KB)

2006-02-20 17:41:41 info IKE<xx.xx.xx.195>: Received a notification message for DOI <1> <24576> <NOTIFY_RESPONDER_LIFETIME>.

2006-02-20 17:41:40 info IKE<xx.xx.xx.195>: Received initial contact notification and removed Phase 1 SAs.

2006-02-20 17:41:40 info IKE<xx.xx.xx.195>: Received initial contact notification and removed Phase 2 SAs.

2006-02-20 17:41:40 info IKE<xx.xx.xx.195>: Received a notification message for DOI <1> <24578> <NOTIFY_INITIAL_CONTACT>.

2006-02-20 17:41:40 info IKE<xx.xx.xx.195> Phase 2: Initiated negotiations.

2006-02-20 17:41:40 info IKE<xx.xx.xx.195> Phase 1: Completed Main mode negotiations with a <3600>-second lifetime.
 
Looks like the tunnel is set up properly. Does your policy allow the traffic?

You should have a rule with action tunnel, and select whatever you called the VPN tunnel.

Stu
 
I got it going now. I had the mask wrong on the access list of the Cisco. All is well now. Thanks for your tips.

-Jp
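A small checker, added here as an example and not taken from the thread or from either vendor, for the kind of crypto access-list mask slip the original poster ended up finding: it parses PIX-style access-list lines (constructed sample config; the LAN addresses are assumptions) and reports whether the encryption domain matches the two LANs and whether a test packet would actually be sent into the tunnel.

```python
import ipaddress

def parse_pix_crypto_acl(config_lines):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' lines into
    (name, src_net, dst_net). PIX ACLs take real subnet masks such as
    255.255.255.0, not the inverted wildcard masks used on IOS routers."""
    entries = []
    for line in config_lines:
        p = line.split()
        if len(p) < 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
            continue  # only crypto-map style permit-ip entries matter here
        src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
        dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
        entries.append((p[1], src, dst))
    return entries

def find_mask_problems(entries, local_lan, remote_lan):
    """Compare every ACL entry with the two LANs the tunnel should join.
    Returns a list of findings; an empty list means the masks line up."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    findings = []
    for name, src, dst in entries:
        if src != local:
            findings.append(f"{name}: source {src} != local LAN {local}")
        if dst != remote:
            findings.append(f"{name}: destination {dst} != remote LAN {remote}")
    return findings

def acl_matches(entries, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip is 'interesting traffic' that the PIX
    would send into the tunnel; False means it would be routed in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in entries)

# Constructed sample config (not from the thread): the remote mask was typed as a
# host mask, so only 10.10.5.0 itself is covered and a ping to 10.10.5.20 never
# enters the tunnel even though Phase 1 and Phase 2 completed normally.
LOCAL_LAN, REMOTE_LAN = "192.168.1.0/24", "10.10.5.0/24"
WRONG_ACL = ["access-list vpn permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.255"]
FIXED_ACL = ["access-list vpn permit ip 192.168.1.0 255.255.255.0 10.10.5.0 255.255.255.0"]

if __name__ == "__main__":
    for label, acl in (("wrong", WRONG_ACL), ("fixed", FIXED_ACL)):
        entries = parse_pix_crypto_acl(acl)
        print(label, find_mask_problems(entries, LOCAL_LAN, REMOTE_LAN),
              acl_matches(entries, "192.168.1.10", "10.10.5.20"))
```

The same comparison applies to the NetScreen side: its proxy-ID and tunnel policy must describe exactly the networks the PIX access-list names, or the SAs come up and traffic still goes nowhere.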
 