SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site-to-site VPN to ASA

    Posted 12-08-2011 15:24

    Hello All,

     

    Here's my network setup. I'm not 100% sure if this is a supported scenario. The SRX210 is running Junos 11.2R4.3.

     

    SRX210(Private IP)---NAT-device---INTERNET CLOUD---(Public IP address)ASA

     

    I came up with a VPN config for the SRX, and was wondering if someone would be so kind to check it out for me. I would really appreciate it. Hopefully I'm not too far off here. Thanks!

     

    set interfaces st0 unit 0 family inet
    set security zones security-zone trust interfaces st0.0
    set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services ike

    set routing-options static route 192.168.20.0/24 next-hop st0.0

    set security ike policy ike-policy-cfgr mode main
    set security ike policy ike-policy-cfgr proposal-set standard
    set security ike policy ike-policy-cfgr pre-shared-key ascii-text

    set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
    set security ike gateway ike-gate-cfgr address 203.206.130.138
    set security ike gateway ike-gate-cfgr external-interface reth0.0

    set security ipsec policy ipsec-policy-cfgr proposal-set standard
    set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
    set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
    set security ipsec vpn ipsec-vpn-cfgr no-anti-replay
    set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr

     

    set security policies from-zone trust to-zone untrust policy test match source-address <private ip of source>
    set security policies from-zone trust to-zone untrust policy test match destination-address <private ip of destination>
    set security policies from-zone trust to-zone untrust policy test match application any
    set security policies from-zone trust to-zone untrust policy test then permit




  • 2.  RE: Site-to-site VPN to ASA

    Posted 12-09-2011 13:38

    You probably don't want your st0 interface in your trust zone.

     

    Because of your static route with next-hop of st0.0, traffic from your hosts in the trust zone will then be going from trust->trust zones, not from trust->untrust.  You have your security policies set for trust->untrust.

     

    I would recommend you put st0 in the untrust zone, or even in a new zone (which is what I do sometimes with route-based VPNs).  You can put st0 in a "VPN" zone, then set your security policies from trust->VPN and vice versa.  It helps separate VPN traffic going over the tunnel from non-VPN traffic. Keeps things cleaner in my opinion.

     

    Also, you have your ike external interface set to reth0.0, but you put ge-0/0/0 into your untrust zone.  Unless you have a cluster, you won't have any reth interfaces.  If you do have a cluster, ge-0/0/0 becomes fxp0 and you can't use it anyway.  Either way, you've got an issue.  I suspect that you're not using a cluster, so your external interface for your ike config would be ge-0/0/0.0 and also you'll want to specify the unit number when you assign it to the untrust zone -- ge-0/0/0.0 rather than just ge-0/0/0.

     

    When interoperating with ASA devices, proxy IDs have big teeth and tend to bite hard.   I would recommend you manually set your proxy IDs on the SRX side in the ipsec vpn configuration to match exactly what's going to be matched by your "interesting traffic" ACLs on the ASA side.



  • 3.  RE: Site-to-site VPN to ASA

    Posted 12-11-2011 17:53

    kr, I really appreciate your input. I'm new to the Juniper world, so I'm trying to sort out my config ahead of time.

     

    When you mention manually setting proxy IDs, are you referring to statements such as these:

     

    set security ipsec vpn asd ike proxy-identity local <subnet on your side>

    set security ipsec vpn asd ike proxy-identity remote <subnet behind cisco>

    set security ipsec vpn asd ike proxy-identity service any

     

    Thanks,

    keith



  • 4.  RE: Site-to-site VPN to ASA

    Posted 12-12-2011 09:48

    By the way, the static route statement in the config was taken from a Juniper sample config for a route based VPN. The 192.168.20.0 network is the private network behind the ASA on the other side of the VPN.

     

    Is setting the next hop to st0.0 the standard way of setting up your routing options for a route-based VPN? Or can I point the next hop to a public IP? For example, if I knew the next-hop public IP of the Cisco router on the SRX side, could I use that?

     

     

    Thanks everyone.



  • 5.  RE: Site-to-site VPN to ASA

    Posted 12-12-2011 13:44

    @keithkar wrote:

     

    Is setting the next hop to st0.0 the standard way of setting up your routing options for a route-based VPN? Or can I point the next hop to a public IP? For example, if I knew the next-hop public IP of the Cisco router on the SRX side, could I use that?


    If you set the next-hop to be the public IP of the ASA, then the traffic will not egress through the st0.0 "port" (the IPsec tunnel), because the routing table will show that the public IP of the ASA is reachable via the standard egress interface.

     

    Setting the next-hop to st0.0 is the "proper" way to do a route-based VPN with a non-Juniper device on the remote side.



  • 6.  RE: Site-to-site VPN to ASA
    Best Answer

    Posted 12-12-2011 13:41

    @keithkar wrote:

     

    set security ipsec vpn asd ike proxy-identity local <subnet on your side>

    set security ipsec vpn asd ike proxy-identity remote <subnet behind cisco>

    set security ipsec vpn asd ike proxy-identity service any


    Yes.  More specifically, the subnets must match what is defined in your ACLs on the ASA side.  The ASA uses the ACLs to set the proxy ID based on what the ACL ("interesting traffic" in common Cisco terminology) is matching.
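Pulling the advice from replies 2, 5 and 6 together, here is an added example that is not from any of the posts above: a minimal SRX configuration that puts st0.0 in its own "vpn" zone with policies in both directions, uses ge-0/0/0.0 (not a reth) as the IKE external interface, routes the remote subnet to st0.0 rather than to the peer's public address, and pins the proxy IDs, next to the ASA crypto ACL and crypto map they have to mirror. Every name and address is an assumption: 192.168.10.0/24 as the SRX-side LAN, 198.51.100.10 as the SRX public address, 203.0.113.5 as the ASA, the ASA object/ACL/crypto-map names, and the pre-shared key placeholder. The example also assumes the SRX holds a public address directly on ge-0/0/0.0, so it does not cover the NAT device in the original diagram, and it uses explicit proposals instead of proposal-set standard so the matching ASA 8.4-style (ikev1 keyword) policy can be written out beside it.

```text
## ---- SRX side (Junos set commands; hypothetical addresses and names) ----
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.10/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces st0 unit 0 family inet

## st0.0 gets its own zone so tunnel traffic is trust<->vpn, not trust<->trust
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0

## route the remote LAN into the tunnel interface; pointing it at 203.0.113.5
## would send the traffic out ge-0/0/0.0 in the clear instead of through st0.0
set routing-options static route 192.168.20.0/24 next-hop st0.0

## phase 1: explicit proposal so the ASA side below can match it line for line
set security ike proposal ike-prop-asa authentication-method pre-shared-keys
set security ike proposal ike-prop-asa dh-group group2
set security ike proposal ike-prop-asa authentication-algorithm sha1
set security ike proposal ike-prop-asa encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-asa lifetime-seconds 28800
set security ike policy ike-policy-asa mode main
set security ike policy ike-policy-asa proposals ike-prop-asa
set security ike policy ike-policy-asa pre-shared-key ascii-text "<psk>"
set security ike gateway ike-gate-asa ike-policy ike-policy-asa
set security ike gateway ike-gate-asa address 203.0.113.5
set security ike gateway ike-gate-asa external-interface ge-0/0/0.0

## phase 2: ESP aes-128/sha1, 3600 s, no PFS (the crypto map below sets no pfs either)
set security ipsec proposal ipsec-prop-asa protocol esp
set security ipsec proposal ipsec-prop-asa authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-asa encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-asa lifetime-seconds 3600
set security ipsec policy ipsec-policy-asa proposals ipsec-prop-asa
set security ipsec vpn ipsec-vpn-asa bind-interface st0.0
set security ipsec vpn ipsec-vpn-asa ike gateway ike-gate-asa
set security ipsec vpn ipsec-vpn-asa ike ipsec-policy ipsec-policy-asa
## proxy IDs: local = SRX LAN, remote = ASA LAN, service any = "permit ip" on the ASA
set security ipsec vpn ipsec-vpn-asa ike proxy-identity local 192.168.10.0/24
set security ipsec vpn ipsec-vpn-asa ike proxy-identity remote 192.168.20.0/24
set security ipsec vpn ipsec-vpn-asa ike proxy-identity service any
set security ipsec vpn ipsec-vpn-asa establish-tunnels immediately

## policies in both directions between trust and the vpn zone
set security zones security-zone trust address-book address srx-lan 192.168.10.0/24
set security zones security-zone vpn address-book address asa-lan 192.168.20.0/24
set security policies from-zone trust to-zone vpn policy to-asa match source-address srx-lan
set security policies from-zone trust to-zone vpn policy to-asa match destination-address asa-lan
set security policies from-zone trust to-zone vpn policy to-asa match application any
set security policies from-zone trust to-zone vpn policy to-asa then permit
set security policies from-zone vpn to-zone trust policy from-asa match source-address asa-lan
set security policies from-zone vpn to-zone trust policy from-asa match destination-address srx-lan
set security policies from-zone vpn to-zone trust policy from-asa match application any
set security policies from-zone vpn to-zone trust policy from-asa then permit

## ---- ASA side (8.4-style syntax; hypothetical names) ----
## the crypto ACL is what the ASA turns into its proxy IDs, so it is the mirror image
## of the SRX proxy-identity: ASA LAN as source, SRX LAN as destination, "ip" = service any
access-list VPN-TO-SRX extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
object network ASA-LAN
 subnet 192.168.20.0 255.255.255.0
object network SRX-LAN
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static ASA-LAN ASA-LAN destination static SRX-LAN SRX-LAN no-proxy-arp route-lookup
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set SRX-TS esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 10 match address VPN-TO-SRX
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set SRX-TS
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <psk>

## ---- checks on the SRX once committed ----
## show security ike security-associations       (phase 1 state UP against 203.0.113.5)
## show security ipsec security-associations     (phase 2 SA pair for ipsec-vpn-asa)
## show route 192.168.20.0/24                    (next hop must be st0.0, not ge-0/0/0.0)
```

If phase 1 comes up but phase 2 never does, compare the proxy IDs first: on the SRX, `show security ipsec security-associations detail` lists the local/remote identity it offered, and on the ASA, `debug crypto ipsec` or `show crypto ipsec sa` shows the local/remote ident it derived from the ACL; any difference in subnet, mask or protocol between the two is enough for the ASA to reject the SA.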