Netscreen to ASA IKE negotiation failure

tivoverb1
Level 1

Howdy, Y'all-

I have a Netscreen ISG2000 which is trying to host a point-to-point VPN with an ASA running v7.1.

On the Netscreen side, I've configured a "policy-based" VPN, which is expecting only HTTPS traffic over the tunnel. Therefore, in IKE negotiation, it expects the proposal to only include IP proto 6.

On the ASA side, the administrator (not my coworker, and I have no access) isn't seeing a place to define the outbound allowed protocols for the IKE proposal.

I can see that there is supposed to be an ACL that is tied to the crypto-map, which specifies the traffic which should be routed to the tunnel. I suspect that it is now saying "access-list (1) extended permit ip ?", which is allowing all IP protos over the tunnel.

What I want to do is something like "access-list (1) extended permit tcp .... eq 443".

Can anyone confirm that this will force the ASA to specify that it's only TCP that will be passed in the proposal?

Thanks!

Accepted Solution

oabduo983
Level 1

Hi,

Yes, if you have configured your Netscreen with a policy-based VPN, and your policy allows only HTTPS traffic to flow from your internal subnet to his internal subnet (do not forget to check the "modify matching bidirectional policy" option)... then the access-list on his side must be exactly symmetrical to yours (including the source and destination being host or subnet, as well as the port; in your case it will be tcp 443)...

On the ASA he will have the access-list:

access-list test permit tcp source_subnet source_netmask destination_subnet Destination_netmask eq 443

crypto map mymap 10 match address test

plz rate if this helps!
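As an added illustration of the "exactly symmetrical" requirement above (this is not code from the thread or from either vendor), the script below parses an ASA ACE of the form given in the answer and checks whether it mirrors the Netscreen policy (source/destination swapped, same protocol, same destination port), reporting every phase 2 proxy-ID mismatch it finds. The subnets and the access-list name are constructed placeholders.

```python
import ipaddress

# Constructed sample: the Netscreen policy as seen from the Netscreen side
# (its own subnet is the source), allowing only HTTPS to the ASA's subnet.
NETSCREEN_POLICY = {
    "src": ipaddress.ip_network("198.51.100.0/24"),   # Netscreen's LAN
    "dst": ipaddress.ip_network("192.0.2.0/24"),      # ASA's LAN
    "proto": "tcp",
    "port": 443,
}

# Constructed ASA ACEs: the mirrored one the answer recommends, and the
# "permit ip" form the question suspected was in place.
GOOD_ACE = "access-list test extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 443"
BAD_ACE = "access-list test extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0"


def _endpoint(tokens):
    """Consume one ACE address spec from the token list: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0))


def parse_asa_ace(line):
    """Parse 'access-list NAME [extended] permit PROTO SRC DST [eq PORT]'.
    Assumes a single trailing 'eq' refers to the destination port."""
    t = line.split()
    if t[:1] != ["access-list"] or "permit" not in t:
        raise ValueError("unrecognised ACE: " + line)
    t = t[t.index("permit") + 1:]          # drop the name and optional 'extended'
    proto = t.pop(0).lower()
    src, dst = _endpoint(t), _endpoint(t)
    port = None
    if t[:1] == ["eq"]:
        port = int(t[1]) if t[1].isdigit() else t[1]
    return {"src": src, "dst": dst, "proto": proto, "port": port}


def check_mirror(netscreen, asa):
    """Return a list of proxy-ID mismatches; an empty list means both sides agree."""
    problems = []
    if asa["src"] != netscreen["dst"]:
        problems.append(f"ASA source {asa['src']} != Netscreen destination {netscreen['dst']}")
    if asa["dst"] != netscreen["src"]:
        problems.append(f"ASA destination {asa['dst']} != Netscreen source {netscreen['src']}")
    if asa["proto"] != netscreen["proto"]:
        problems.append(f"protocol {asa['proto']} != {netscreen['proto']}")
    if asa["port"] != netscreen["port"]:
        problems.append(f"port {asa['port']} != {netscreen['port']}")
    return problems
```

Running `check_mirror(NETSCREEN_POLICY, parse_asa_ace(BAD_ACE))` reports the protocol and port mismatches that would make the ASA's phase 2 proposal (all IP) fail against the Netscreen's tcp/443-only policy, while the mirrored ACE returns no problems.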


2 Replies


Thanks! Worked like a charm.
