Archive for the ‘Labor’ Category

VPN Tunnel Between Cisco ASA and Juniper SSG Firewalls

November 3rd, 2009

Recently at work I was tasked with configuring a VPN tunnel between a Cisco ASA 5505 and a Juniper SSG 320M. After hearing from many sources, including our partners, that the two weren't compatible, I just could not believe this was the case: IPsec is a standard protocol, and both Juniper and Cisco should be compatible with IPsec.

After a day of Google searches and troubleshooting I couldn't find a solution that was easy and properly explained for this kind of standard setup. Here is how I configured an IPsec VPN tunnel between the SSG and the ASA.

Cisco ASA 5505

  • IP: 1.1.1.1
  • Network: 192.168.1.0/24

Juniper SSG 320M

  • IP: 2.2.2.2
  • Network: 192.168.2.0/24

192.168.1.0/24 <-> 1.1.1.1 <--VPN Tunnel--> 2.2.2.2 <-> 192.168.2.0/24

Here is the actual configuration. The crypto ACL and the Juniper policies permit all IP traffic between the two networks, and on the ASA decrypted tunnel traffic bypasses the interface ACL by default (sysopt connection permit-vpn), so you will probably want to lock this down to the hosts and services that actually need to cross the tunnel.

Cisco ASA 5505 Configuration

The original post showed only the tunnel-specific lines. The transform-set definition, the ISAKMP (Phase 1) policy matching the Juniper "pre-g2-3des-sha" proposal, the NAT exemption binding and the crypto-map-to-interface binding that those lines reference have been added here so the fragment is complete; the pre-shared key value is omitted, as it was in the original, and must match the SSG's preshare value.

object-group network local_cisco_network
 network-object 192.168.1.0 255.255.255.0
object-group network remote_juniper_network
 network-object 192.168.2.0 255.255.255.0

access-list ciscovpn_nat_junipervpn extended permit ip object-group local_cisco_network object-group remote_juniper_network
access-list ciscovpn_nat_junipervpn extended permit ip object-group remote_juniper_network object-group local_cisco_network

access-list ciscotojuniper_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list ciscovpn_nat_junipervpn

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp enable outside

crypto map outside_map 1 match address ciscotojuniper_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key

"set pfs" with no group keyword means Diffie-Hellman group 2 on the ASA, which is what the Juniper "g2-esp-3des-sha" proposal expects. The crypto ACL is the ASA's proxy ID: it must be the exact mirror image of the address objects used in the SSG tunnel policies, or Phase 2 will fail even though Phase 1 comes up.

Juniper SSG 320M Configuration

In the original post the two address objects were named after the 192.168.x.0/24 networks but defined with unrelated 10.x.x.x addresses, which would have produced a proxy ID mismatch against the ASA's crypto ACL; they are corrected here to the networks in the diagram. The pre-shared key is omitted as in the original. Anti-replay is disabled (no-replay); replacing it with "replay" turns the receiver-side sequence-number check back on, and since that check is not negotiated it does not affect the ASA side.

set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0

set ike gateway "1.1.1.1" address 1.1.1.1 Main outgoing-interface "ethernet0/1" preshare "" proposal "pre-g2-3des-sha"

set vpn "1.1.1.1" gateway "1.1.1.1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 name "1.1.1.1" from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 1
set policy id 2
exit
set policy id 1 name "1.1.1.1" from "Untrust" to "Trust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 2
set policy id 1
exit

This configuration will allow traffic from 192.168.1.0/24 to 192.168.2.0/24 and vice versa. On the Juniper side, I think the names of the VPN and gateway are important; otherwise the Phase 1 negotiation will not work. If I've missed something or if you don't understand something, please let me know.
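One interoperability check worth automating, as an added example that is not part of the original post: the ASA's crypto ACL and the SSG's policy address objects are the two sides' proxy IDs and must be mirror images of each other, the ESP transform-set and the Phase 2 proposal must describe the same algorithms, and the PFS groups must agree. The Python below parses just those lines from both configs and reports any mismatch. The sample configs are constructed for the example (the "broken" SSG config reproduces the 10.x address-object mistake from the original post), and the ASA transform-set definition and crypto-map interface binding are assumed, since the post did not show them.

```python
"""Cross-check the Cisco ASA and Juniper ScreenOS halves of a policy-based
IPsec tunnel. Added example, not code from the original post: it parses only
the lines that decide whether Phase 2 agrees (crypto ACL vs. the address
objects used by the SSG tunnel policies, ESP transforms, PFS group).
Sample configs below are constructed for this example."""
import ipaddress
import shlex

# ASA transform-set keywords -> tokens used in ScreenOS proposal names.
ASA_TRANSFORMS = {
    "esp-3des": "3des", "esp-des": "des", "esp-aes": "aes128",
    "esp-aes-192": "aes192", "esp-aes-256": "aes256",
    "esp-sha-hmac": "sha", "esp-md5-hmac": "md5",
}


def parse_asa(cfg, crypto_map="outside_map", seq=1):
    """Return (pairs, enc, auth, pfs_group) for one crypto map entry.
    pairs holds (src, dst) networks from the crypto ACL; only plain
    'network mask' ACL entries are handled, not object-group references."""
    lines = [ln.split() for ln in cfg.splitlines() if ln.strip()]
    entry = {}  # "address" -> [acl], "transform-set" -> [name], "pfs" -> [group?]
    for t in lines:
        if t[:3] == ["crypto", "map", crypto_map] and t[3] == str(seq):
            entry[t[5]] = t[6:]
    pairs = set()
    for t in lines:
        # access-list NAME extended permit ip SRC MASK DST MASK
        if t[:4] == ["access-list", entry["address"][0], "extended", "permit"]:
            pairs.add((ipaddress.ip_network(f"{t[5]}/{t[6]}"),
                       ipaddress.ip_network(f"{t[7]}/{t[8]}")))
    enc = auth = None
    for t in lines:
        if t[:3] == ["crypto", "ipsec", "transform-set"] and t[3] == entry["transform-set"][0]:
            for kw in t[4:]:
                if kw.endswith("-hmac"):
                    auth = ASA_TRANSFORMS[kw]
                else:
                    enc = ASA_TRANSFORMS[kw]
    # "set pfs" with no keyword means group 2 on the ASA; no "set pfs" means no PFS.
    pfs = None
    if "pfs" in entry:
        pfs = int(entry["pfs"][0][len("group"):]) if entry["pfs"] else 2
    return pairs, enc, auth, pfs


def parse_screenos(cfg, vpn_name):
    """Return (pairs, enc, auth, pfs_group) for the tunnel policies that
    reference vpn_name. pairs holds (src, dst) networks, one per policy,
    resolved through the address objects exactly as ScreenOS builds proxy IDs."""
    addrs, pairs, proposal = {}, set(), None
    for raw in cfg.splitlines():
        t = shlex.split(raw)
        if t[:2] == ["set", "address"]:
            # set address ZONE NAME IP MASK
            addrs[(t[2], t[3])] = ipaddress.ip_network(f"{t[4]}/{t[5]}")
        elif t[:2] == ["set", "vpn"] and t[2] == vpn_name and "proposal" in t:
            proposal = t[t.index("proposal") + 1]
        elif t[:3] == ["set", "policy", "id"] and "tunnel" in t \
                and t[t.index("vpn") + 1] == vpn_name:
            # set policy id N name X from ZONE to ZONE SRC DST SVC tunnel vpn NAME ...
            f, to = t.index("from"), t.index("to")
            pairs.add((addrs[(t[f + 1], t[to + 2])], addrs[(t[to + 1], t[to + 3])]))
    group, _esp, enc, auth = proposal.split("-")  # e.g. g2-esp-3des-sha
    pfs = None if group == "nopfs" else int(group[1:])
    return pairs, enc, auth, pfs


def check(asa_cfg, ssg_cfg, crypto_map="outside_map", seq=1, vpn_name="1.1.1.1"):
    """Return human-readable mismatches; an empty list means both sides agree."""
    a_pairs, a_enc, a_auth, a_pfs = parse_asa(asa_cfg, crypto_map, seq)
    s_pairs, s_enc, s_auth, s_pfs = parse_screenos(ssg_cfg, vpn_name)
    problems = []
    for src, dst in a_pairs:
        # The SSG's outbound tunnel policy must be the mirror image of the ASA ACL.
        if (dst, src) not in s_pairs:
            problems.append(f"proxy ID mismatch: ASA protects {src} -> {dst} "
                            f"but no SSG tunnel policy covers {dst} -> {src}")
    if (a_enc, a_auth) != (s_enc, s_auth):
        problems.append(f"ESP mismatch: ASA {a_enc}/{a_auth} vs SSG {s_enc}/{s_auth}")
    if a_pfs != s_pfs:
        problems.append(f"PFS mismatch: ASA group {a_pfs} vs SSG group {s_pfs}")
    return problems


# Constructed sample configs: only the tunnel-relevant lines.
ASA_CFG = """\
access-list ciscotojuniper_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address ciscotojuniper_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
# Address objects named after the 192.168 networks but defined as 10.x, as in the post.
SSG_CFG_BROKEN = """\
set address "Trust" "192.168.2.0/24" 10.248.1.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 10.0.10.0 255.255.255.0
set vpn "1.1.1.1" gateway "1.1.1.1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 name "1.1.1.1" from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 1
set policy id 1 name "1.1.1.1" from "Untrust" to "Trust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 2
"""
SSG_CFG_FIXED = SSG_CFG_BROKEN.replace("10.248.1.0", "192.168.2.0").replace("10.0.10.0", "192.168.1.0")

if __name__ == "__main__":
    for label, cfg in (("broken", SSG_CFG_BROKEN), ("fixed", SSG_CFG_FIXED)):
        print(label, check(ASA_CFG, cfg) or "OK")
```

Run against the broken config it reports a single proxy ID mismatch (the 10.x networks never mirror 192.168.1.0/24 -> 192.168.2.0/24); against the corrected one it returns nothing. The same mirror-image rule is what to verify first whenever "show crypto ipsec sa" on the ASA shows no SA even though Phase 1 is up.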

I will probably need to configure this against a Cisco router in the near future, so stay tuned for an update on the Cisco router side.

Labor, Sysadmin, Technology

Job Search

December 21st, 2007

So as some of you may know, I’ve been looking for a new job. If anyone knows of any job openings just let me know.

So far I’ve applied to a few but due to the holiday season only a couple have gotten back to me in a timely manner. I hope to get some word back come the new year, otherwise I’ll be posting from a much more homeless place.

Labor

Joomla?

April 23rd, 2007

NetRiver is officially using Joomla as a CMS solution. Because of this I'm working on a way to automate installation and templating for our development team. Currently it takes me about 3 hours of modification to successfully template a Joomla install.

I’m working on a way to automate most of the process and basically get those 3 hours of my time back to put towards other things.

So far I've made a base SVN trunk for our Joomla installs. The trunk has a default basic template and a set of our "supported" modules. We currently have a similar setup for our Chambergate product, and I'm going to be maintaining our Joomla base install. Hopefully the way I'm doing it will make it easier to roll out mass updates for people and also allow us to document a set of static features.

You can check out my default install here

Labor

I Heart Chinese

April 22nd, 2007

I was recently contracted to do work for a fellow goon over at the Something Awful forums; so far it's going pretty great.

The project is called "I Heart Chinese", and it's a really neat idea: teaching Chinese with online Flash animations, so it's online learning but in a fun and easy way. So far I've been working on the base system, which is built around my own database abstraction layer working with ADODB. It's also using the Smarty template engine, for no particular reason other than that it helps keep the code manageable.

I’ll be updating as I write more, but so far it’s hard to show any recognizable progress.

Labor

Plans for netriver

March 7th, 2007

Recently I've started a new marketing idea for NetRiver. We moved into our new facility, and I'm tired of it being mostly empty, so I've taken it upon myself to help fill it up. I have connections all over, so it shouldn't be too hard to bring in clients; the only hassle is going to be the countless hours it is taking me to fill in the content and design the website.

If you want to track my progress (does anybody actually read this?), check out http://netriver.nr-dev.com.

Labor