VPN between Netscreen and ASA

syedraheel
Level 1

Hi

We need to access some of the servers of our business partner, so I am trying to establish a VPN between our Netscreen firewall and the partner ASA. Attached are configs and scenario for both. It's failing at Phase 1.

From the Netscreen side we are NATing (MIP) the private IP 192.168.16.100 to public IP 199.67.102.2, which is also serving as the peer gateway IP for the other end.

From the ASA side, they have 3 servers which need to be accessed, but they just have one public IP 100.12.166.28, which they are NATing to one of the servers.

The ASA is managed by our partner and I believe that there is a mistake in their NAT and access list config. Kindly check both the attached configs and let me know where the issue is.

Also, I don't want to use their private range, i.e. 10.15.3.x, in my configuration as I have the same scheme in my local LAN, so is it possible that I could access all three of their servers with just one single system public IP at their end?

Thanks

P.S.: Actual IP addresses have been changed for security purposes.

-Raheel

1 Reply

Marvin Rhoads
Hall of Fame

It looks like the ASA is using IKEv1 policy 40 with aes-192 and the Netscreen is using aes128. That will cause the P1 failure.

Re the NAT, doing twice NAT at the ASA end is a good approach, but I don't quite follow how having 3 different sources all map to a single source will work unless you do PAT.
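
The Phase 1 mismatch identified in the reply above can be checked offline by comparing the proposals on both ends. The following Python is an added example, not code from the thread or from either vendor; the sample configs are constructed (only policy 40 with aes-192, aes128 and the peer IP come from the thread, while the hash, DH group, authentication method and gateway name are assumptions), and it decodes only ScreenOS predefined proposal names.

```python
import re

# Constructed sample configs. Only "IKEv1 policy 40 / aes-192", "aes128" and the
# peer IP come from the thread; hash, group, auth and gateway name are assumed.
ASA_CFG = """crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
"""
NS_CFG = ('set ike gateway "partner-gw" address 100.12.166.28 Main '
          'outgoing-interface "ethernet0/0" preshare "x" proposal "pre-g2-aes128-sha"')
FIELDS = ("authentication", "encryption", "hash", "group")
NS_AUTH = {"pre": "pre-share", "rsa": "rsa-sig", "dsa": "dsa-sig"}

def norm_enc(name):
    """Unify cipher names: ASA 'aes' means AES-128; aes128 / aes-128 -> aes-128."""
    name = name.lower()
    return "aes-128" if name == "aes" else re.sub(r"^aes-?(\d+)$", r"aes-\1", name)

def asa_policies(cfg):
    """Parse 'crypto ikev1 policy N' blocks into {N: {field: value}}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        head = re.match(r"crypto ikev1 policy (\d+)", line)
        if head:
            cur = out.setdefault(int(head.group(1)), {})
        elif cur is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2 and parts[0] in FIELDS:
                cur[parts[0]] = norm_enc(parts[1]) if parts[0] == "encryption" else parts[1]
        else:
            cur = None  # an unindented line ends the policy block
    return out

def ns_proposals(cfg):
    """Decode ScreenOS predefined Phase 1 names such as pre-g2-aes128-sha."""
    out = {}
    for name in re.findall(r'"((?:pre|rsa|dsa)-g\d+-[^"-]+-[^"]+)"', cfg):
        auth, grp, enc, hsh = name.split("-", 3)
        out[name] = {"authentication": NS_AUTH[auth], "encryption": norm_enc(enc),
                     "hash": hsh, "group": grp[1:]}
    return out

def phase1_diff(asa_cfg, ns_cfg):
    """Return {(policy, proposal): [differing fields]}; an empty list is a match."""
    return {(n, p): [f for f in FIELDS if pol.get(f) != prop[f]]
            for n, pol in asa_policies(asa_cfg).items()
            for p, prop in ns_proposals(ns_cfg).items()}
```

If every policy/proposal pair returns a non-empty list, the two peers share no Phase 1 proposal and negotiation cannot complete until one side is changed to match.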
