# Please, please, your help: VPN site to site between ASA and Netscreen



## ozoubi (May 7, 2009)

Dear Juniper experts,

Please, I need your help; it's urgent to me. We have a managed services center and we connect to our customers' networks through site-to-site VPN. Our firewall (Cisco ASA 5510) is the first end of the VPN, and on the other side all of our clients have Cisco firewalls (Cisco ASA), and it's working fine. We got a new client who uses a Juniper Netscreen SSG, Firmware Version: 6.1.0r2.0, and I have no good experience with Juniper products. I can try and test until it succeeds, but it's a production device and I don't want to interrupt their work. Following is my side's configuration on the ASA, which is working fine with other Cisco firewalls:

My local network subnet is 192.168.200.0/24; I use NAT with the VPN to translate it to 192.168.248.0/24, and the other side's inside network is 192.168.249.0/24.
It's one of our customers' configs and it's working fine.

```
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.178 255.255.255.240 standby x.x.x.181

interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0 standby 192.168.100.253

access-list 151 extended permit ip host 192.168.248.32 host 192.168.249.13
access-list 151 extended permit ip host 192.168.248.32 host 192.168.249.16
access-list 151 extended permit ip host 192.168.248.32 host 192.168.249.17

access-list Labnat34 extended permit ip host 192.168.200.34 192.168.249.0 255.255.255.0

static (Inside,Outside) 192.168.248.34 access-list Labnat34

route Outside 192.168.249.0 255.255.255.0 x.x.x.177 1

crypto ipsec transform-set lanlab esp-3des esp-sha-hmac

crypto map lanlab 20 match address 151
crypto map lanlab 20 set peer y.y.y.132
crypto map lanlab 20 set transform-set lanlab
crypto map lanlab interface Outside
crypto isakmp identity address
crypto isakmp enable Outside

crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group y.y.y.132 type ipsec-l2l
tunnel-group y.y.y.132 ipsec-attributes
 pre-shared-key *
```



Please, what should I configure on the Netscreen to work with this configuration? It's urgent now.
Many thanks in advance. The new customer's local network is 192.168.40.0 and let's say its public IP (peer) is 1.1.1.50.


----------
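Both ends of an IPsec tunnel have to agree on the IKE (phase 1) and ESP (phase 2) proposals, and the remote side's traffic selectors are the crypto ACL with source and destination swapped. As an added example that is not part of the original post, this Python script reads those values off an ASA config; `peer_requirements`, `endpoint`, `PHASE1_KEYS` and the trimmed sample config are hypothetical names and constructed input.

```python
import re

# Constructed sample: IPsec-relevant lines trimmed from the ASA config posted above.
ASA_CONFIG = """\
access-list 151 extended permit ip host 192.168.248.32 host 192.168.249.13
access-list 151 extended permit ip host 192.168.248.32 host 192.168.249.16
crypto ipsec transform-set lanlab esp-3des esp-sha-hmac
crypto map lanlab 20 match address 151
crypto map lanlab 20 set peer y.y.y.132
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

PHASE1_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}

def endpoint(tokens):
    """Consume one ACL address spec: 'host A', 'any', or 'NET MASK'."""
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def peer_requirements(config):
    """Collect the settings the remote peer must mirror (hypothetical helper)."""
    req = {"phase1": {}, "phase2": [], "selectors": []}
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", config, re.M)
    if ts:
        req["phase2"] = ts.group(1).split()
    in_policy = False
    for line in config.splitlines():
        words = line.split()
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and len(words) == 2 and words[0] in PHASE1_KEYS:
            req["phase1"][words[0]] = words[1]
        else:
            in_policy = False
            if acl and words[:5] == ["access-list", acl.group(1), "extended", "permit", "ip"]:
                src, rest = endpoint(words[5:])
                dst, _ = endpoint(rest)
                # The remote side sees the same flow with the two ends swapped.
                req["selectors"].append({"local": dst, "remote": src})
    return req
```
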

