Archive for the ‘Sysadmin’ Category

VPN Tunnel Between Cisco ASA and Juniper SSG Firewalls

November 3rd, 2009

Recently at work I was tasked with configuring a VPN tunnel between a Cisco ASA 5505 and a Juniper SSG 320M. After hearing from many sources, including our partners, that the two weren't compatible, I just could not believe this was the case: IPsec tunnels are a standard protocol, and both Juniper and Cisco should be compatible with IPsec.

After a day of Google searches and troubleshooting I couldn't find a proper solution that was easy and properly explained for my kind of standard setup. Here is how I configured an IPsec VPN tunnel between the SSG and the ASA.

Cisco ASA 5505

  • IP: 1.1.1.1
  • Network: 192.168.1.0/24

Juniper SSG 320M

  • IP: 2.2.2.2
  • Network: 192.168.2.0/24

192.168.1.0/24 <-> 1.1.1.1 <--VPN Tunnel--> 2.2.2.2 <-> 192.168.2.0/24

Here is the actual configuration, including the access lists that allow all traffic through. You will probably want to lock this down, because as written it permits all traffic between the two networks.

Cisco ASA 5505 Configuration

! Address objects for the local and remote networks
object-group network local_cisco_network
 network-object 192.168.1.0 255.255.255.0
object-group network remote_juniper_network
 network-object 192.168.2.0 255.255.255.0

! NAT exemption list: tunnel traffic must not be translated (the nat 0 statement that applies it is not shown here)
access-list ciscovpn_nat_junipervpn extended permit ip object-group local_cisco_network object-group remote_juniper_network
access-list ciscovpn_nat_junipervpn extended permit ip object-group remote_juniper_network object-group local_cisco_network

! Interesting traffic for the tunnel; this becomes the Phase 2 proxy ID and must mirror the Juniper policy
access-list ciscotojuniper_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Crypto map entry: "set pfs" without a group defaults to group 2, matching the Juniper g2 proposals.
! The ESP-3DES-SHA transform-set definition, the ISAKMP policy and the binding of outside_map to the outside interface are not shown here
crypto map outside_map 1 match address ciscotojuniper_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA

! Phase 1 peer; the pre-shared key is omitted and must match the preshare value on the Juniper
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key

Juniper SSG 320M Configuration

The address-book entry names are only labels; the entries must hold the actual 192.168.x networks so that the proxy IDs of the tunnel policies mirror the ASA access list. The preshare value is left blank here and must match the key configured on the ASA.

set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0

set ike gateway "1.1.1.1" address 1.1.1.1 Main outgoing-interface "ethernet0/1" preshare "" proposal "pre-g2-3des-sha"

set vpn "1.1.1.1" gateway "1.1.1.1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 name "1.1.1.1" from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 1
set policy id 2
exit
set policy id 1 name "1.1.1.1" from "Untrust" to "Trust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 2
set policy id 1
exit

This configuration will allow traffic from 192.168.1.0/24 to 192.168.2.0/24 and vice versa. On the Juniper side, I think the names of the VPN and gateway are important; otherwise the Phase 1 negotiation will not work. If I've missed something or if you don't understand something, please let me know.
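As an added consistency check that is not part of the original post, the following Python script parses constructed excerpts of the two configurations above and verifies that the Phase 2 parameters mirror each other: proxy IDs swapped, each end pointing at the other's public address, and the same PFS group, which is where these Cisco-to-Juniper tunnels usually fail. The check_tunnel function and the public addresses passed to it are assumptions of the example, not anything from the original configuration.

```python
import ipaddress
import re

# Constructed excerpts of the two configurations in this post (pre-shared keys omitted, as on the page).
ASA_CFG = """
access-list ciscotojuniper_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 1 match address ciscotojuniper_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 2.2.2.2
"""
SSG_CFG = """
set address "Trust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set ike gateway "1.1.1.1" address 1.1.1.1 Main outgoing-interface "ethernet0/1" preshare "" proposal "pre-g2-3des-sha"
set vpn "1.1.1.1" gateway "1.1.1.1" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set policy id 2 name "1.1.1.1" from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "1.1.1.1" id 0xa pair-policy 1
"""

def net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def asa_phase2(cfg):
    """(local net, remote net, peer, PFS group) from the crypto map entry and its match ACL."""
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg)[1]
    m = re.search(rf"access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    pfs = re.search(r"set pfs(?: group(\d+))?", cfg)
    group = int(pfs[1]) if pfs and pfs[1] else (2 if pfs else None)  # plain "set pfs" means group 2
    return net(m[1], m[2]), net(m[3], m[4]), re.search(r"set peer (\S+)", cfg)[1], group

def ssg_phase2(cfg):
    """(local net, remote net, peer, PFS group) from the Trust-to-Untrust tunnel policy."""
    addrs = {name: net(ip, mask) for name, ip, mask in
             re.findall(r'set address "[^"]+" "([^"]+)" (\S+) (\S+)', cfg)}
    pol = re.search(r'set policy id \d+ name "[^"]+" from "Trust" to "Untrust" "([^"]+)" "([^"]+)"', cfg)
    peer = re.search(r'set ike gateway "[^"]+" address (\S+)', cfg)[1]
    g = re.search(r'set vpn .* proposal "(?:g(\d+)|nopfs)-esp', cfg)  # ScreenOS encodes PFS in the name
    return addrs[pol[1]], addrs[pol[2]], peer, (int(g[1]) if g and g[1] else None)

def check_tunnel(asa_cfg, ssg_cfg, asa_ip, ssg_ip):
    """Return Phase 2 mismatches between the two ends; an empty list means they agree."""
    a_local, a_remote, a_peer, a_pfs = asa_phase2(asa_cfg)
    s_local, s_remote, s_peer, s_pfs = ssg_phase2(ssg_cfg)
    problems = []
    if (a_local, a_remote) != (s_remote, s_local):  # proxy IDs must be mirror images
        problems.append(f"proxy-ID not mirrored: ASA {a_local}->{a_remote} vs SSG {s_local}->{s_remote}")
    if a_peer != ssg_ip or s_peer != asa_ip:  # each end must point at the other's public address
        problems.append(f"peer mismatch: ASA peers with {a_peer}, SSG gateway points at {s_peer}")
    if a_pfs != s_pfs:
        problems.append(f"PFS mismatch: ASA group {a_pfs} vs SSG group {s_pfs}")
    return problems
```

For the configuration above, check_tunnel(ASA_CFG, SSG_CFG, "1.1.1.1", "2.2.2.2") returns an empty list; changing either access list, peer or proposal produces a one-line description of the mismatch.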

I will probably need to configure this against a Cisco router in the near future, so stay tuned for an update for the Cisco side.


New URL and Design

February 19th, 2009

As some might have noticed, I've recently updated my domain to abirendon.com and I've also applied a new WordPress theme. I just made a few tweaks, but it all seems to be working splendidly and it looks good.

I'll be posting some guides on setting up and configuring VMware ESXi, converting VMware Server VMs to ESXi format, configuring a RAID 5 array on an MSA20 via the Linux command line, and hopefully some more interesting pictures.

I've also just bought an iPhone, so I'll probably be messing around with doing updates on the go.


Splunk on SUSE with Firefox 3, forever loading…

October 13th, 2008

If you're using SLES or any other SUSE variant, you might be wondering why your Splunk installation is constantly in a loading loop unless you browse to it using Internet Explorer. After lots of hacking around, reboots and Google searches, I emailed the Splunk team about my problem. At first they didn't seem to understand my problem, but they did suggest I take a look at this article in their troubleshooting documentation.

http://www.splunk.com/doc/latest/admin/UnableToGetAProperlyFormattedResponseFromTheServer


My Job, Syslog, and Splunk

September 29th, 2008

I have been working as the Senior Systems Engineer in the operations group at a company called Airbiquity for the past year or so.

As part of my daily job I come into contact with many new and interesting products and things that help me do my job better.

Firstly, how often do you find that you need to debug several machines at once? Tailing syslogs on each box can become a nightmare when you have more than one machine to look at. Consider these options…

  1. Configure your systems with syslog-ng to forward to a centralized syslog server where you can "tail -f" your problems easily.
  2. Buy expensive products such as the SolarWinds syslog and SNMP trap collector.
  3. Use a free (500 MB/day) syslog collector and search utility called Splunk.

After messing with the SolarWinds products for a while I decided to move away from them towards open source and free/cheaper options.

At Airbiquity I configured all of our servers and network equipment to send their syslog messages to a centralized syslog server. This was great for work debugging, but I had trouble giving my boss an easy utility that they could search with.

This is when I set up Splunk. It's easy to install, and while it can be load intensive, it was a lot more intuitive and easier to use than the SolarWinds offering. So far it's been great, and we're going to start looking into AD integration and clustering to support our multiple data centers.
