[ScreenOS] Configuring an MIP in a policy-based VPN

  [KB9924]


Summary:

This article provides a workaround for configuring a Mapped Internet Protocol (MIP) address in a policy-based VPN. MIPs are normally created on tunnel interfaces in a route-based VPN; the workaround applies when the customer requirement does not allow for a route-based VPN.


Symptoms:

Customer requirements: 

  • A site-to-site VPN tunnel between a ScreenOS firewall and a Cisco site.
  • The Cisco Peer IP address and the remote subnet must use the same Public IP address.
  • MIPs need to be configured for the servers behind the ScreenOS firewall.

Example Setup for MIP

             ScreenOS                                           Cisco
Server ----- Firewall (Eth0/0 Untrust 1.1.1.1) ---- Internet --- Firewall ---- User

20.20.20.5             tunnel.1-4.4.4.10/24                      25.34.5.7     2.2.2.2


User at 2.2.2.2 wants to access the internal server with IP 4.4.4.11, whose real IP is 20.20.20.5.


Solution:

The following points must be considered before implementing the customer’s requirements:

  • For these requirements, a route-based VPN on the ScreenOS firewall is not an option, because a route-based VPN needs a route to the remote network pointing to the tunnel interface. When the peer IP address and the remote network are the same address on both devices, that route would also steer the IKE traffic to the peer into the tunnel, so the IKE negotiation cannot be established.
  • A policy-based VPN can be configured for this design because only a default route is needed, and then a policy can be used to determine the VPN.
  • On the ScreenOS firewall, an MIP needs to be configured for the servers on the private network, which need to be accessed via a VPN from the Cisco site. However, MIPs are not directly supported in policy-based VPN.
  • If the outgoing interface is in a zone other than Untrust (for example, zone ISP), see KB27122 - [ScreenOS] How to configure a MIP in a policy based VPN when outgoing interface is in zone other than Untrust for instructions.

Execute the following commands on the ScreenOS firewall to meet the requirements listed above and activate the VPN:

  1. Place the tunnel interface in Untrust-Tun, a tunnel-type carrier zone that handles the encryption and decryption:
    set interface tunnel.1 zone Untrust-Tun

  2. Set a fixed IP address on the tunnel interface:
    set interface tunnel.1 ip 4.4.4.10/24

  3. Create the MIP, which the remote network behind the Cisco device uses to reach the server on the Juniper firewall's local network:
    set interface tunnel.1 mip 4.4.4.11 host 20.20.20.5 netmask 255.255.255.255

  4. Add a route to send the traffic to the tunnel interface:
    set route 2.2.2.2/32 interface tunnel.1

  5. Configure Phase 1 as follows:
    set ike gateway Netscreen-Cisco-IKE address 25.34.5.7 main outgoing-interface ethernet4 preshare test sec-level standard

  6. Configure Phase 2 as follows:
    set vpn Netscreen-Cisco-VPN gateway Netscreen-Cisco-IKE sec-level standard

  7. Bind the VPN to the tunnel zone, so that the Juniper firewall recognizes the MIP configured on the tunnel interface:
    set vpn Netscreen-Cisco-VPN bind zone Untrust-Tun

  8. Configure the tunnel policies in both directions. The Cisco end then needs an access-list that matches the Proxy-IDs generated by these policies.
    set policy from untrust to trust 2.2.2.2/32 MIP(4.4.4.11) any tunnel vpn Netscreen-Cisco-VPN log
    set policy from trust to untrust 20.20.20.5/32 2.2.2.2/32 any tunnel vpn Netscreen-Cisco-VPN log
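The pieces in steps 1 to 8 have to agree with each other: the MIP must sit in the tunnel interface's subnet, the VPN must be bound to the zone the tunnel interface is in, and the policy must name a MIP that actually exists. The following consistency check is an added example, not part of this article or of ScreenOS; it parses the article's commands (constructed here as a sample, with the policy's MIP reference deliberately mistyped as the tunnel interface address) and reports what does not line up.

```python
import ipaddress
import re
# Constructed sample: the commands from this article, with the policy's MIP reference
# deliberately mistyped as the tunnel address (4.4.4.10) instead of the MIP (4.4.4.11).
SAMPLE_CONFIG = """
set interface tunnel.1 zone Untrust-Tun
set interface tunnel.1 ip 4.4.4.10/24
set interface tunnel.1 mip 4.4.4.11 host 20.20.20.5 netmask 255.255.255.255
set route 2.2.2.2/32 interface tunnel.1
set vpn Netscreen-Cisco-VPN gateway Netscreen-Cisco-IKE sec-level standard
set vpn Netscreen-Cisco-VPN bind zone Untrust-Tun
set policy from untrust to trust 2.2.2.2/32 MIP(4.4.4.10) any tunnel vpn Netscreen-Cisco-VPN log
set policy from trust to untrust 20.20.20.5/32 2.2.2.2/32 any tunnel vpn Netscreen-Cisco-VPN log
"""

def parse(config):
    """Extract the facts the MIP-over-policy-VPN design depends on."""
    f = {"zone": {}, "ip": {}, "mip": {}, "vpn_zone": {}, "policy_mip": []}
    for line in config.strip().splitlines():
        if m := re.match(r"set interface (\S+) zone (\S+)", line):
            f["zone"][m[1]] = m[2]
        elif m := re.match(r"set interface (\S+) ip (\S+)", line):
            f["ip"][m[1]] = ipaddress.ip_interface(m[2])
        elif m := re.match(r"set interface (\S+) mip (\S+) host (\S+)", line):
            f["mip"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"set vpn (\S+) bind zone (\S+)", line):
            f["vpn_zone"][m[1]] = m[2]
        elif m := re.match(r"set policy .*?MIP ?\((\S+)\).* tunnel vpn (\S+)", line):
            f["policy_mip"].append((m[1], m[2]))
    return f

def check(config):
    """Return a list of findings; an empty list means the pieces line up."""
    f, findings = parse(config), []
    for ifname, mips in f["mip"].items():
        net, zone = f["ip"].get(ifname), f["zone"].get(ifname)
        for mip in mips:  # the MIP must sit in the tunnel interface's subnet
            if net is None or ipaddress.ip_address(mip) not in net.network:
                findings.append(f"MIP {mip} is not in the subnet of {ifname}")
        for vpn, vzone in f["vpn_zone"].items():  # step 7: the VPN is bound to that zone
            if vzone != zone:
                findings.append(f"vpn {vpn} is bound to {vzone} but {ifname} is in {zone}")
    configured = {m for mips in f["mip"].values() for m in mips}
    for mip, vpn in f["policy_mip"]:  # the policy must name a MIP that exists
        if mip not in configured:
            findings.append(f"policy for vpn {vpn} references MIP({mip}), configured: {sorted(configured)}")
    return findings
```

Running `check(SAMPLE_CONFIG)` flags the mistyped MIP reference; correcting it to `MIP(4.4.4.11)` yields no findings.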


Modification History:

2018-06-27: Article reviewed for accuracy. Note removed in Solution section and the set route command modified. Other minor grammatical changes made.


Related Links: