SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SIR Policy-Based VPN

    Posted 09-23-2013 10:28

    Greetings,

    I'm configuring a policy-based VPN between an SRX and a Cisco ASA. But the networks that the SRX is protecting are located in different zones, and there are more networks to protect compared to the remote site. So I was wondering if this will create any issue, as the networks to protect are located in different zones within the same LAN and the SRX derives the proxy-IDs from the policy.

    Thanks in advance



  • 2.  RE: SIR Policy-Based VPN

    Posted 09-23-2013 17:35

    What issues do you think it will create, or what issues are you concerned about? If you have the VPN between the SRX and the ASA terminating in a different zone from your protected resources, then the security policies that allow communication from the VPN zone to the protected zone are your main concern.

    Unless there is something else I am missing here.



  • 3.  RE: SIR Policy-Based VPN

    Posted 09-24-2013 01:14

    Thanks for your reply. But my main concern is the proxy-ID: should it be set manually, or can I leave it at the default? And also, do you have any advice regarding configuring a policy-based VPN between an SRX and a Cisco ASA?



  • 4.  RE: SIR Policy-Based VPN
    Best Answer

    Posted 09-24-2013 03:07

    Hi,

    You need to create a separate policy or a policy pair to match every Cisco ACL entry. The more specific the ACL is on the Cisco, the more policies you have to create on the SRX to match each one.

    The proxy-IDs are then derived from the security policies, and if all is set up correctly, it should work.



  • 5.  RE: SIR Policy-Based VPN

    Posted 09-25-2013 04:29

    That is a good point. And I also created a VPN phase 2 for each traffic flow and I manually set the proxy-ID. This is just to avoid proxy-ID mismatches and to make sure that the ASA at the other site will have a VPN that matches every ACL entry.



  • 6.  RE: SIR Policy-Based VPN

    Posted 09-25-2013 04:40

    One quick question: what about if we also have this situation:

    a.a.a.a ---------- SRX650 ---------- INTERNET ---------- ASA5520 ---------- b.b.b.b
                  trust  untrust                       untrust  trust

    1- What if some of the source networks in the policy-based VPN at Site A are not listed in the crypto ACL at Site B?
    2- If this will not work, what would you recommend?


  • 7.  RE: SIR Policy-Based VPN

    Posted 09-25-2013 04:51

    That is the thing: if there is not an exact match in the Cisco ACL to the policy referencing the VPN, then it will not work. There has to be a matching ACL entry for each SRX policy referencing the VPN.

    In my experience, making the ACL as simple as possible results in fewer headaches.
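A way to check the exact-match requirement from posts 4 and 7 before bringing the tunnel up, as an added example that is not from this thread or from Juniper or Cisco: a small Python script that derives the proxy-IDs an SRX would take from its policy source/destination pairs, mirrors the ASA crypto ACL into the same orientation, and reports every policy with no exact ACL match, including the common case where the ASA only has a summary prefix that overlaps it. The policies and ACL entries are constructed sample data, and the script assumes address/ANY proxy-IDs (no protocol or port narrowing).

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread). SRX security policies that
# reference the VPN, as (source, destination) prefixes; the SRX derives one
# proxy-ID per policy from these.
SRX_VPN_POLICIES = [
    ("10.1.10.0/24", "192.168.50.0/24"),  # trust zone -> remote LAN
    ("10.1.20.0/24", "192.168.50.0/24"),  # second local zone -> remote LAN
    ("10.1.30.0/24", "192.168.50.0/24"),  # only summarised on the ASA side
]

# Constructed ASA crypto ACL, written from the ASA's point of view
# (ASA-local network first, remote network second).
ASA_CRYPTO_ACL = [
    ("192.168.50.0/24", "10.1.10.0/24"),
    ("192.168.50.0/24", "10.1.20.0/24"),
    ("192.168.50.0/24", "10.1.0.0/16"),  # summary: overlaps 10.1.30.0/24 only
]

def derive_proxy_ids(policies):
    """Proxy-IDs the SRX derives from policy-based VPN policies: one
    (local, remote) prefix pair per policy."""
    return {(ip_network(src), ip_network(dst)) for src, dst in policies}

def mirror_acl(acl):
    """Flip ASA ACL entries into the SRX's (local, remote) orientation."""
    return {(ip_network(remote), ip_network(local)) for local, remote in acl}

def check_proxy_ids(policies, acl):
    """Return (missing_on_asa, missing_on_srx, overlap_only) as string tuples.
    Phase 2 needs an exact match, so an ASA entry that merely overlaps a
    policy (a summary prefix) is still a mismatch; it is listed as the cause."""
    srx_ids, asa_ids = derive_proxy_ids(policies), mirror_acl(acl)
    missing_on_asa = sorted(srx_ids - asa_ids)
    overlap_only = [(tuple(map(str, s)), tuple(map(str, a)))
                    for s in missing_on_asa for a in sorted(asa_ids)
                    if s[0].overlaps(a[0]) and s[1].overlaps(a[1])]
    return ([tuple(map(str, p)) for p in missing_on_asa],
            [tuple(map(str, p)) for p in sorted(asa_ids - srx_ids)],
            overlap_only)

if __name__ == "__main__":
    on_asa, on_srx, overlaps = check_proxy_ids(SRX_VPN_POLICIES, ASA_CRYPTO_ACL)
    for local, remote in on_asa:
        print(f"SRX policy {local} -> {remote}: no exact crypto ACL entry on the ASA")
    for local, remote in on_srx:
        print(f"ASA ACL entry {remote} -> {local}: no matching SRX policy")
    for (sl, sr), (al, ar) in overlaps:
        print(f"  {sl} -> {sr} only overlaps ASA entry {ar} -> {al} (summarised?)")
```

Run it against the two configs before the change window; an empty result in all three lists means every SRX policy referencing the VPN has an exact crypto ACL counterpart.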



  • 8.  RE: SIR Policy-Based VPN

    Posted 09-25-2013 04:57

    So how come it was previously working with two Cisco firewalls using the same config? Because this was before we migrated one of the sites to a Juniper SRX.