[fw-wiz] Netscreen to Cisco IOS tunneling

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: [fw-wiz] Netscreen to Cisco IOS tunneling
From: "J. Oquendo" <sil@infiltrated.net>
Date: Tue, 22 May 2007 09:00:25 -0400
Good morning (afternoon) all,

Have the following question in regards to a tunnel I'm trying to establish between a Netscreen and a 3845:

#sh ver
Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.4(6)T1, RELEASE SOFTWARE (fc3)
...

ROM: Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)


My network information:

My VPN Peer address:
10.10.53.98

My ACL Host range:
10.10.53.192/30

Client's Netscreen Peer address:
10.15.179.238

---
Their networks:

Customer Pre-shared key:
secret

PHASE 1 proposal:    DH group2-3des-md5
PHASE 2 proposal:    PFS group2-esp-3des-md5

Client's ACL host range:
10.10.178.192/30



My configs:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address 10.15.179.238

crypto ipsec transform-set predefined esp-3des esp-md5-hmac

crypto map defined 10 ipsec-isakmp
set peer 10.15.179.238
set transform-set predefined
set pfs group2
match address 112

access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3

Question... Since I have a constant 20+Mbps on one of my interfaces, I'm reluctant to have an outage...

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx

If I apply the crypto map predefined to this interface, would it drop all non-encrypted traffic?

interface Serial1/0.xxx point-to-point
description xxx.xxx.xxx.xxx
ip address 10.5.5.106 255.255.255.252
frame-relay interface-dlci xxx
crypto map predefined

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'
"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
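The checker below is an added example and is not part of the post or anything its author ran. It parses the IOS fragment quoted above (re-indented the way IOS prints it; the "xxx" placeholders are kept as posted), cross-references the pieces a crypto map depends on (the map name applied to the interface, the transform set, the ISAKMP key for the peer, the crypto ACL) and compares the ACL wildcard masks against the /30 host ranges and the Netscreen Phase 1/2 proposal strings stated in the post. The regexes for the Netscreen proposal strings are an assumption based on how they are quoted here, not on Netscreen documentation.

```python
"""Consistency lint for an IOS crypto-map configuration (added example, not from the post)."""
import ipaddress
import re

# Constructed sample: the configuration and peer parameters quoted in the post.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key secret address 10.15.179.238
crypto ipsec transform-set predefined esp-3des esp-md5-hmac
crypto map defined 10 ipsec-isakmp
 set peer 10.15.179.238
 set transform-set predefined
 set pfs group2
 match address 112
access-list 112 permit ip 208.50.53.98 0.0.0.7 63.79.178.192 0.0.0.3
interface Serial1/0.xxx point-to-point
 ip address 10.5.5.106 255.255.255.252
 crypto map predefined
"""
PEER_PHASE1 = "DH group2-3des-md5"        # Netscreen Phase 1 proposal, as posted
PEER_PHASE2 = "PFS group2-esp-3des-md5"   # Netscreen Phase 2 proposal, as posted
STATED_PREFIXES = (30, 30)                # "/30" host ranges stated for our side, their side


def parse_ios(text):
    """Minimal parser: top-level objects by name, indented lines as key/value of the open block."""
    cfg = {"isakmp": {}, "keys": {}, "transform_sets": {}, "crypto_maps": {},
           "acls": {}, "interfaces": {}}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith(" "):                        # sub-command of the current block
            if block is None:
                continue
            parts = line.split()
            if parts[0] == "set":                      # set peer/transform-set/pfs <value>
                block[parts[1]] = parts[2]
            elif parts[0] == "match":                  # match address <acl>
                block["match"] = parts[2]
            elif parts[:2] == ["crypto", "map"]:       # crypto map <name> on an interface
                block["crypto_map"] = parts[2]
            else:                                      # encr/hash/group/ip/description ...
                block[parts[0]] = " ".join(parts[1:])
            continue
        block = None                                   # any top-level line closes the block
        if re.match(r"crypto isakmp policy \d+$", line):
            block = cfg["isakmp"]
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m.group(2)] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = cfg["crypto_maps"].setdefault(m.group(1), {})
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"interface (\S+)", line):
            block = cfg["interfaces"].setdefault(m.group(1), {})
    return cfg


def wildcard_to_prefix(wildcard):
    """IOS wildcard (inverse) mask -> prefix length; ValueError if the mask is non-contiguous."""
    inv = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(("0.0.0.0", str(ipaddress.IPv4Address(inv)))).prefixlen


def lint(cfg, stated_prefixes):
    """Cross-reference the crypto pieces; an empty list means they fit together."""
    findings = []
    for ifname, intf in cfg["interfaces"].items():
        applied = intf.get("crypto_map")
        if applied and applied not in cfg["crypto_maps"]:
            findings.append(f"{ifname}: crypto map '{applied}' is applied but only "
                            f"{sorted(cfg['crypto_maps'])} is defined")
    for name, cmap in cfg["crypto_maps"].items():
        if cmap.get("transform-set") not in cfg["transform_sets"]:
            findings.append(f"crypto map {name}: transform-set '{cmap.get('transform-set')}' undefined")
        if cmap.get("peer") not in cfg["keys"]:
            findings.append(f"crypto map {name}: no isakmp key for peer {cmap.get('peer')}")
        acl = cmap.get("match")
        if acl not in cfg["acls"]:
            findings.append(f"crypto map {name}: ACL {acl} undefined")
            continue
        for src, swc, dst, dwc in cfg["acls"][acl]:
            for side, addr, wc, want in (("source", src, swc, stated_prefixes[0]),
                                         ("destination", dst, dwc, stated_prefixes[1])):
                plen = wildcard_to_prefix(wc)
                net = ipaddress.IPv4Network(f"{addr}/{plen}", strict=False)
                if plen != want:
                    findings.append(f"ACL {acl} {side}: wildcard {wc} is /{plen}, stated range is /{want}")
                if str(net.network_address) != addr:
                    findings.append(f"ACL {acl} {side}: {addr} is not the base address of {net}")
    return findings


def compare_proposals(cfg, map_name, phase1, phase2):
    """Compare the peer's Phase 1/2 proposal strings with the IOS policy and crypto map."""
    findings = []
    p1 = re.fullmatch(r"DH group(\d+)-(\w+)-(\w+)", phase1)          # assumed format
    p2 = re.fullmatch(r"PFS group(\d+)-esp-(\w+)-(\w+)", phase2)     # assumed format
    pol = cfg["isakmp"]
    ours = (pol.get("group"), pol.get("encr"), pol.get("hash"))
    if ours != p1.groups():
        findings.append(f"Phase 1: IOS offers {ours}, peer proposes {p1.groups()}")
    cmap = cfg["crypto_maps"].get(map_name, {})
    ts = cfg["transform_sets"].get(cmap.get("transform-set"), [])
    want_ts = [f"esp-{p2.group(2)}", f"esp-{p2.group(3)}-hmac"]
    if ts != want_ts:
        findings.append(f"Phase 2: transform-set {ts} vs peer {want_ts}")
    if cmap.get("pfs") != f"group{p2.group(1)}":
        findings.append(f"Phase 2: PFS {cmap.get('pfs')} vs peer group{p2.group(1)}")
    return findings


if __name__ == "__main__":
    cfg = parse_ios(IOS_CONFIG)
    for f in lint(cfg, STATED_PREFIXES) + compare_proposals(cfg, "defined", PEER_PHASE1, PEER_PHASE2):
        print("FINDING:", f)
```

Run against the posted fragment, the proposal comparison comes back clean (3des/md5/group 2 on both phases, PFS group2), while the lint reports that the interface applies a crypto map named `predefined` although the only map defined is `defined`, and that the ACL's source wildcard `0.0.0.7` is a /29 rather than the stated /30 with `208.50.53.98` not on that network's boundary. Those are the cross-references worth confirming before touching an interface carrying production traffic.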