Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009
0
Accepted Solution

IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Hi Experts

I have a scenario like this: an SRX100 with a dynamic IP and a Cisco ASA with a static public IP. I need to configure a site-to-site IPSEC VPN. My question is this: on the SRX100 we will define the IKE gateway and local identity as below:

set security ike gateway CISCO-ASA local-identity hostname srx100

But what is the equivalent on the Cisco ASA of the JUNOS command below, which defines the SRX100 as a dynamic peer?

set security ike gateway JUNIPER-SRX100 dynamic hostname srx100

Recognized Expert
rasmus
Posts: 379
Registered: ‎02-28-2010
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

In Juniper you will have to go for "aggressive" mode VPN instead of "main" mode.

see http://forums.juniper.net/t5/SRX-Services-Gateway/Full-mesh-route-based-VPN-with-one-odd-ball/td-p/7...
Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Recognized Expert
rasmus
Posts: 379
Registered: ‎02-28-2010
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Which Cisco ASA firewall are you using? Tell me if I could write a config for you.

Visitor
venu
Posts: 7
Registered: ‎01-24-2011

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Hi,

In Cisco ASA there is a command to specify the IKE identity of the peer as either an IP address or a hostname, based on the requirement. If the peer end has a dynamic IP, you can go for the below config, and you can specify the local IKE identity value as below.

cisco(config)#crypto isakmp peer hostname srx100.juniper.net  -> peer end ike identification

cisco10(config)#crypto isakmp identity address  -> local ike identification type

Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Hi Venu

So, just to understand what you wrote: if I have an ASA with a static IP on one side and an ASA with a dynamic IP address on the other side, then you mean that on the static-side ASA I need to run the below command to specify the peer ID:

cisco(config)#crypto isakmp peer hostname srx100.juniper.net  -> peer end ike identification

And on the dynamic-side ASA I need to run the below command to specify the local ID:

cisco10(config)#crypto isakmp identity hostname srx100.juniper.net

Am I right in my understanding?

Thanks

Visitor
venu
Posts: 7
Registered: ‎01-24-2011
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Yes. If you are using ASA on both ends, the 1st command reflects the IKE identity of the peer and the second command specifies the local identity values. If the dynamic end is our SRX, and you don't mention the remote-identity value explicitly, the SRX will take the gateway address as the remote IKE identity, which is the default behavior. In this case use the below command:

cisco10(config)#crypto isakmp identity address

Contributor
aeroplane
Posts: 724
Registered: ‎06-30-2009
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Thanks Dear

Contributor
skiebrian@yahoo.com
Posts: 23
Registered: ‎08-13-2013
0

Re: IPSEC VPN between SRX100 (dynamic IP) and Cisco ASA (Static IP)

Hi Venu,

Can you give us sample configs for your post? This is a good source for this forum.

Thanks a lot
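
The advice in this thread (a hostname IKE identity on the dynamic-IP side, with aggressive rather than main mode) can be checked mechanically against a set of Junos `set` commands. The following Python sketch is an added example, not code from any poster or from Juniper; it assumes pre-shared-key authentication, and the sample config's policy name, peer address, interface and key are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample for the dynamic-IP SRX100 side. The policy name, peer
# address (203.0.113.10), interface and key are placeholders, not from the thread.
SRX_CONFIG = """\
set security ike policy IKE-POL-ASA mode main
set security ike policy IKE-POL-ASA proposal-set standard
set security ike policy IKE-POL-ASA pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway CISCO-ASA ike-policy IKE-POL-ASA
set security ike gateway CISCO-ASA address 203.0.113.10
set security ike gateway CISCO-ASA local-identity hostname srx100.juniper.net
set security ike gateway CISCO-ASA external-interface fe-0/0/0.0
"""

def parse_ike(config):
    """Index 'set security ike policy|gateway NAME KEY ARGS...' statements."""
    policies, gateways = defaultdict(dict), defaultdict(dict)
    for line in config.splitlines():
        m = re.match(r"set security ike (policy|gateway) (\S+) (\S+)\s*(.*)", line.strip())
        if m:
            kind, name, key, args = m.groups()
            (policies if kind == "policy" else gateways)[name][key] = args.split()
    return policies, gateways

def lint_hostname_identity(config):
    """Flag pre-shared-key gateways that use a hostname IKE identity
    (local-identity hostname / dynamic hostname) without aggressive mode."""
    policies, gateways = parse_ike(config)
    findings = []
    for name, gw in gateways.items():
        if not any((gw.get(k) or [""])[0] == "hostname"
                   for k in ("local-identity", "dynamic")):
            continue
        pol_name = (gw.get("ike-policy") or [None])[0]
        policy = policies.get(pol_name, {})
        if "pre-shared-key" not in policy:
            continue  # certificate-based policies are out of scope here
        # Assumption: a policy with no explicit 'mode' statement runs main mode.
        mode = (policy.get("mode") or ["main"])[0]
        if mode != "aggressive":
            findings.append(f"{name}: policy {pol_name} is in {mode} mode; "
                            "a hostname IKE identity needs aggressive mode")
    return findings

if __name__ == "__main__":
    print(lint_hostname_identity(SRX_CONFIG))
    print(lint_hostname_identity(SRX_CONFIG.replace("mode main", "mode aggressive")))
```

Changing `mode main` to `mode aggressive` in the sample clears the finding; aggressive mode sends the identity unencrypted, so the pre-shared key should be long and random.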

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.