11-25-2011 12:40 PM
Hi Experts
I have a scenario with an SRX100 on a dynamic IP and a Cisco ASA with a static public IP. I need to configure a site-to-site IPsec VPN. My question is this: on the SRX100 we define the IKE gateway and local identity as below:
set security ike gateway CISCO-ASA local-identity srx100
But what is the equivalent command on the Cisco ASA to define the SRX100 as a dynamic peer, as in the JUNOS command below?
set security ike gateway JUNIPER-SRX100 dynamic hostname srx100
11-27-2011 11:04 AM
11-27-2011 11:11 AM
11-27-2011 11:20 PM
Hi,
On the Cisco ASA there is a command to specify the IKE identity of the peer as either IP address or hostname, based on the requirement. If the peer end has a dynamic IP, you can use the config below, and you can specify the local IKE identity value as shown.
cisco(config)#crypto isakmp peer hostname srx100.juniper.net -> peer end ike identification
cisco10(config)#crypto isakmp identity address -> local ike identification type
12-06-2011 09:38 PM
Hi Venu
So, just to understand what you wrote: if I have an ASA with a static IP on one side and an ASA with a dynamic IP address on the other side, then you mean that on the static-side ASA I need to run the command below to specify the peer ID:
cisco(config)#crypto isakmp peer hostname srx100.juniper.net -> peer end ike identification
AND on the dynamic-side ASA I need to run the command below to specify the local ID:
cisco10(config)#crypto isakmp identity hostname srx100.juniper.net
Am I right in my understanding?
Thanks
12-11-2011 10:45 PM
Yes. If you are using an ASA on both ends, the first command reflects the IKE identity of the peer and the second command specifies the local identity value. If the dynamic end is our SRX and you don't specify the remote-identity value explicitly, the SRX will take the gateway address as the remote IKE identity, which is the default behavior. In this case, use the command below:
cisco10(config)#crypto isakmp identity address
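The identity matching described in the reply above, laid out for both devices as an added example (not part of the original thread). The gateway name CISCO-ASA comes from the question; the address 203.0.113.10 and the name asa.example.net are constructed placeholders for the ASA's static IP and FQDN, and the second pairing is an assumption showing the explicit remote-identity alternative the reply alludes to.

```text
# Pairing 1: SRX keeps its default (expected remote IKE ID = gateway address)

# SRX100, dynamic side: no remote-identity configured, so the ASA must
# present the same address that is configured as the gateway address
set security ike gateway CISCO-ASA address 203.0.113.10

# ASA, static side: send the interface IP address as the local IKE ID
crypto isakmp identity address


# Pairing 2: ASA identifies itself by hostname instead

# ASA, static side: send the device FQDN as the local IKE ID
crypto isakmp identity hostname

# SRX100, dynamic side: must now be told explicitly which ID to expect,
# otherwise it still compares against the gateway address and rejects the peer
set security ike gateway CISCO-ASA address 203.0.113.10
set security ike gateway CISCO-ASA remote-identity hostname asa.example.net
```

Mixing the pairings (ASA sending a hostname while the SRX expects the gateway address) fails phase 1 with an ID mismatch, so an identity error in the IKE logs points to these lines first.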
01-01-2012 11:24 PM
Thanks Dear