SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site-to-site VPN through another device

    Posted 12-07-2011 14:26

    Hello All,

    New to the board and new to Juniper. We have an SRX210 and have questions on setting up a VPN at a remote site to a Cisco ASA at the main site. The SRX at the remote site is not Internet facing. There is an ISP managed router in front of the SRX that we would connect to with a local IP.

     

    I'm familiar with setting up VPNs, but I was wondering what kind of problems I could run into in this kind of scenario.

     

    If the managed device is set to pass through VPN tunnel traffic, can I just go ahead and use the external IP of the remote device as my ike gateway, and just configure the VPN as normal?

     

    Thanks,

    Keith



  • 2.  RE: Site-to-site VPN through another device

    Posted 12-07-2011 14:53

    You will need to configure your devices to use NAT-T (NAT Traversal) for your VPN connections, because the NAT router in front of your SRX would bugger up the GRE part of the IPsec tunnel.

     

    Your peer address is going to be the reachable (public) IP for the router in front of the SRX, which would then do the NAT back to the SRX, but you would need to make sure you configure your Peer-IDs to match up on both sides, rather than let them use the defaults which would be the interface IP. The SRX interface would try to send its private address as its peer ID, but the ASA is going to think it's connecting to a peer on the public address.



  • 3.  RE: Site-to-site VPN through another device

    Posted 12-07-2011 15:28

    That makes sense, the peer address for the SRX would be the public IP on the router in front of the SRX. Since the ASA at the main site is Internet facing, it looks like its peer would be the same public IP (public IP on router in front of SRX)?



  • 4.  RE: Site-to-site VPN through another device
    Best Answer

    Posted 12-07-2011 16:02

    The ASA is configured that its remote peer is the public IP of the router in front of the SRX.

     

    The SRX is configured that its remote peer is the public IP of the ASA.

     

    Set the peer-ids for local and remote to reflect the fact that the SRX shouldn't actually send its interface IP as its peer ID, but rather the public IP of the router doing the NAT.
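The following Junos `set` configuration is an added example of what replies 2 and 4 describe (the SRX behind an ISP-managed NAT router, peering with an Internet-facing ASA); it is not configuration posted in this thread or supplied by Juniper. All addresses are RFC 5737 documentation placeholders, the interface names, zone name, proposal names and the remote LAN prefix are assumptions, and the `##` lines are annotations to strip before loading. The two points from the thread are the `address` statement (the ASA's public IP) and the `local-identity` statement (the public IP of the NAT router rather than the SRX's own private interface address).

```junos
## Added example (not from the thread): SRX side of a route-based IPsec VPN
## to a Cisco ASA, with an ISP-managed NAT router in front of the SRX.
## Placeholder addresses:
##   192.0.2.2      SRX untrust interface ge-0/0/0.0 (private, behind the NAT router)
##   198.51.100.10  public IP of the managed router in front of the SRX
##   203.0.113.20   public IP of the ASA at the main site
##   192.168.1.0/24 LAN behind the SRX, 10.1.0.0/16 LAN behind the ASA (assumed)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-A-STRONG-PSK"
## Remote peer is the ASA's public IP. The local identity is the NAT router's
## public IP, not the SRX's private 192.0.2.2, so the identity the ASA receives
## matches the source address it actually sees on the packets.
set security ike gateway gw-asa ike-policy ike-pol
set security ike gateway gw-asa address 203.0.113.20
set security ike gateway gw-asa external-interface ge-0/0/0.0
set security ike gateway gw-asa local-identity inet 198.51.100.10
set security ike gateway gw-asa remote-identity inet 203.0.113.20
## NAT-T is enabled by default on the SRX; keepalives hold the NAT mapping open.
set security ike gateway gw-asa nat-keepalive 20
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-asa bind-interface st0.0
set security ipsec vpn vpn-asa ike gateway gw-asa
set security ipsec vpn vpn-asa ike ipsec-policy ipsec-pol
## The ASA negotiates policy-based selectors; a route-based SRX tunnel must
## advertise matching proxy IDs or phase 2 fails.
set security ipsec vpn vpn-asa ike proxy-identity local 192.168.1.0/24
set security ipsec vpn vpn-asa ike proxy-identity remote 10.1.0.0/16
set security ipsec vpn vpn-asa ike proxy-identity service any
set security ipsec vpn vpn-asa establish-tunnels immediately
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.1.0.0/16 next-hop st0.0
```

On the ASA side the corresponding settings are the tunnel group keyed on 198.51.100.10 (the NAT router's public IP, as reply 4 states), ISAKMP identity set to address, and NAT traversal enabled, with a crypto map whose access list mirrors the proxy IDs above. Two things to verify once it is committed: the managed router must forward UDP 500 and UDP 4500 inbound to 192.0.2.2 if the ASA is ever expected to initiate (otherwise only the SRX can bring the tunnel up, which `establish-tunnels immediately` plus the keepalive covers), and `show security ipsec security-associations` on the SRX should list the ASA gateway on port 4500, which confirms NAT-T actually engaged rather than plain ESP being silently dropped by the NAT device.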