SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route-Based VPN from SRX to Cisco ASA with Static NAT

    Posted 09-21-2016 18:49

    We're setting up a VPN link to a 3rd party provider (a financial clearing broker) that uses a Cisco ASA on the other side in order to exchange trade clearing messages via FIX protocol (a TCP-based protocol for financial transactions).

    Our local subnet is 10.1.0.0/22. The relevant external IP for our firewall is 96.1.1.1 on ge-0/0/1. The provider's subnet is 192.168.10.0/24. Their ASA's public address (for example) is 206.1.1.1. We need our server (10.1.0.3) to connect to a server on their end (192.168.10.5) and vice-versa. However, we need our server to be accessible (and outbound traffic to look like it's coming) from 10.172.5.3. Presumably, you would use source-NAT for this.

    Our theorized configuration looks like:

    [show security ike]
    proposal broker-phase1-proposal {
        authentication-method pre-shared-keys;
        dh-group group19;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
    }
    
    policy broker-phase1-policy {
        mode main;
        proposals broker-phase1-proposal;
        pre-shared-key ascii-text "<SECRET KEY>"; ## SECRET-DATA
    }
    
    gateway gw-broker {
        /* must reference the policy defined above, not a policy from another tunnel */
        ike-policy broker-phase1-policy;
        address 206.1.1.1;
        local-identity inet 96.1.1.1;
        remote-identity inet 206.1.1.1;
        external-interface ge-0/0/1.0;
    }
    
    [show security ipsec]
    proposal broker-ipsec-phase2-proposal {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-128-cbc;
    }
    
    policy broker-ipsec-phase2-policy {
        perfect-forward-secrecy {
            keys group19;
        }
        proposals broker-ipsec-phase2-proposal;
    }
    
    vpn vpn-broker {
        bind-interface st0.0;
        ike {
            gateway gw-broker;
            ipsec-policy broker-ipsec-phase2-policy;
        }
        proxy-identity {
            local 10.172.5.0/24;
            remote 192.168.10.0/24;
            service any;
        }
    }
    
    [show interfaces]
    ...
    st0 {
        unit 0 {
            family inet {
                address 10.172.5.1/24;
            }
        }
    }
    
    [show security nat]
    static {
        rule-set vpn-snat {
            from zone broker-zone;
            /* static NAT is bidirectional: inbound 10.172.5.3 -> 10.1.0.3, and
               outbound traffic from 10.1.0.3 leaves the tunnel sourced as 10.172.5.3 */
            rule oms1 {
                match {
                    destination-address 10.172.5.3/32;
                }
                then {
                    static-nat {
                        prefix {
                            10.1.0.3/32;
                        }
                    }
                }
            }
        }
    }
    
    proxy-arp {
        interface st0.0 {
            address {
                10.172.5.3/32;
            }
        }
    }

    Does this configuration in general accomplish what I'm looking for? Is proxy-arp on st0.0 necessary if I'm doing static-NAT? What address should I be using for the proxy-id? The NATed address or the original one? Anything special you have to do to get this to work with an ASA?



  • 2.  RE: Route-Based VPN from SRX to Cisco ASA with Static NAT
    Best Answer
    Posted 09-22-2016 01:06

    Hello,

    Configuration looks ok provided you have routing and connectivity.

    You do not need proxy-arp as the Cisco ASA does not have any 'tunnel' interfaces, provided that on the Cisco you have a route to 10.172.5.0/24 pointing towards its ISP next-hop.

    In general for proxy-arp, NATed IP address is used in such context.

    Regards,

    Rushi
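
Added example, not part of either post above: the "routing and connectivity" pieces the SRX side still needs around the posted IKE/IPsec/NAT configuration, in Junos `set` form so it can be reviewed as one unit (or pasted with `load set`), followed by the operational commands used to confirm the tunnel and the translation. The prefixes, interface, NAT rule and zone `broker-zone` are taken from the question; the zone name `trust`, the address-book names `oms1-real` and `broker-srv`, and the policy names are assumptions.

```junos
# --- configuration mode ---

# Tunnel interface, placed in the zone that the static NAT rule-set references
set interfaces st0 unit 0 family inet address 10.172.5.1/24
set security zones security-zone broker-zone interfaces st0.0

# Route-based VPN: traffic is selected by routing, not by a crypto ACL, so the
# broker's subnet must be routed into st0.0 (the ASA side needs the mirror route
# for 10.172.5.0/24 towards its ISP next-hop, as the answer notes)
set routing-options static route 192.168.10.0/24 next-hop st0.0

# Static NAT as posted. It is bidirectional: packets for 10.172.5.3 arriving from
# broker-zone are translated to 10.1.0.3, and packets from 10.1.0.3 towards the
# tunnel leave with source 10.172.5.3. No proxy-arp is needed on st0.0.
set security nat static rule-set vpn-snat from zone broker-zone
set security nat static rule-set vpn-snat rule oms1 match destination-address 10.172.5.3/32
set security nat static rule-set vpn-snat rule oms1 then static-nat prefix 10.1.0.3/32

# Address-book entries (names assumed). Policies are evaluated after static/
# destination NAT on SRX, so the inbound policy matches the REAL address 10.1.0.3,
# never the NATed 10.172.5.3.
set security address-book global address oms1-real 10.1.0.3/32
set security address-book global address broker-srv 192.168.10.5/32

# Outbound: our server to theirs. Replace "application any" with a custom
# application for the FIX session port agreed with the broker (port not given here).
set security policies from-zone trust to-zone broker-zone policy oms-to-broker match source-address oms1-real
set security policies from-zone trust to-zone broker-zone policy oms-to-broker match destination-address broker-srv
set security policies from-zone trust to-zone broker-zone policy oms-to-broker match application any
set security policies from-zone trust to-zone broker-zone policy oms-to-broker then permit

# Inbound: their server to ours (arrives addressed to 10.172.5.3, already
# translated to 10.1.0.3 when the policy lookup happens)
set security policies from-zone broker-zone to-zone trust policy broker-to-oms match source-address broker-srv
set security policies from-zone broker-zone to-zone trust policy broker-to-oms match destination-address oms1-real
set security policies from-zone broker-zone to-zone trust policy broker-to-oms match application any
set security policies from-zone broker-zone to-zone trust policy broker-to-oms then permit

# --- operational mode, after commit ---

# Phase 1: expect state UP with remote address 206.1.1.1
show security ike security-associations

# Phase 2: the SA must carry the NATed proxy-ids 10.172.5.0/24 <-> 192.168.10.0/24;
# a proxy-id mismatch with the ASA's crypto ACL shows up here as no SA at all
show security ipsec security-associations

# Translation hit counters for rule oms1 (both directions increment)
show security nat static rule all

# Outbound session: "In" wing shows 10.1.0.3, "Out" wing shows source 10.172.5.3
show security flow session destination-prefix 192.168.10.5
```

On the ASA side, which is crypto-map based, the crypto ACL has to be the exact mirror of the SRX proxy-identity (`permit ip 192.168.10.0 255.255.255.0 10.172.5.0 255.255.255.0`), built with the NATed 10.172.5.0/24 and never with 10.1.0.0/22; the ASA also needs its own NAT exemption for that address pair so the clearing messages are not PAT'd to the outside address before encryption. With main mode and pre-shared keys the IKE identities are the peer IP addresses, which the `local-identity inet` and `remote-identity inet` lines in the question already pin down.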