SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site-to-site route-based VPN between Juniper SRX and Cisco ASA

    Posted 08-09-2013 06:16

    Hello everyone!


    I'm trying to create a route-based VPN connection between a Cisco ASA and a Juniper SRX, but I have a problem with the ACL and Proxy IDs. The Cisco ASA log states that

    [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic

    I don't know how to make B.B.B.B/255.255.255.0/6/22 and where the problem is. The aim is to pass only SSH traffic through this VPN.

    Notation:

    A.A.A.A - Juniper public IP

    B.B.B.B - Juniper private IP

    Y.Y.Y.Y - Cisco public IP

    Z.Z.Z.Z - Cisco private IP


    Configuration is attached. Does anyone have any ideas?

    Attachment(s):
    juniper_srx_conf.txt (4 KB)
    cisco_asa_conf.txt (2 KB)
    cisco-log.txt (3 KB)


  • 2.  RE: Site-to-site route-based VPN between Juniper SRX and Cisco ASA
    Best Answer

    Posted 08-09-2013 10:35

    Hello,

    You have to use the source-port number for the local proxy-id in the SRX config:


    set applications application my-ssh source-port 22
    set applications application my-ssh protocol tcp
    delete security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service junos-ssh
    set security ipsec vpn ipsec-vpn-remote-cfgr ike proxy-identity service my-ssh

    HTH

    Thanks

    Alex
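
    The following is an added example (not from this thread, Juniper or Cisco) that makes the proxy-ID mismatch above checkable offline. It parses the ASA "no matching crypto map entry" line into the remote and local selectors the ASA received, models what the SRX sends for `ike proxy-identity local/remote/service`, and shows which field changes when the application uses `source-port 22` instead of junos-ssh's `destination-port 22`. Assumptions: the SRX puts the application's source-port into the local proxy ID and its destination-port into the remote proxy ID (an omitted port is 0, meaning any); the letter notation (A.A.A.A, B.B.B.B, Z.Z.Z.Z) is the thread's own and is kept as plain strings; the constructed log line below is the one quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ASA log line as quoted in the question (constructed copy, thread notation kept).
ASA_LOG = (
    "[IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 "
    "local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic"
)

# SRX side addresses, in the thread's notation (constructed).
SRX_LOCAL = ("B.B.B.B", "255.255.255.0")        # Juniper private subnet
SRX_REMOTE = ("Z.Z.Z.Z", "255.255.255.255")     # Cisco private host

# Application definitions: Junos built-in junos-ssh vs. the answer's my-ssh.
JUNOS_SSH: Dict[str, object] = {"protocol": "tcp", "destination_port": 22}
MY_SSH: Dict[str, object] = {"protocol": "tcp", "source_port": 22}

PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class ProxyId:
    """One IKEv1 phase-2 selector in the form the ASA prints: net/mask/proto/port."""
    network: str
    mask: str
    protocol: int   # IP protocol number, 6 = TCP; 0 = any
    port: int       # 0 = any port

    def __str__(self) -> str:
        return f"{self.network}/{self.mask}/{self.protocol}/{self.port}"


_SELECTOR = r"([A-Za-z0-9.]+)/([A-Za-z0-9.]+)/(\d+)/(\d+)"
_ASA_RE = re.compile(r"remote proxy " + _SELECTOR + r" local proxy " + _SELECTOR)


def parse_asa_rejection(line: str) -> Optional[Tuple[ProxyId, ProxyId]]:
    """Return (remote, local) proxy IDs from an ASA rejection line, or None."""
    m = _ASA_RE.search(line)
    if not m:
        return None
    g = m.groups()
    remote = ProxyId(g[0], g[1], int(g[2]), int(g[3]))
    local = ProxyId(g[4], g[5], int(g[6]), int(g[7]))
    return remote, local


def srx_proxy_ids(app: Dict[str, object]) -> Tuple[ProxyId, ProxyId]:
    """Model the (local, remote) IDs the SRX sends for a proxy-identity service.

    Assumption (see lead-in): source-port -> local ID port,
    destination-port -> remote ID port, missing port -> 0 (any).
    """
    proto = PROTOCOL_NUMBERS[str(app["protocol"])]
    local = ProxyId(*SRX_LOCAL, proto, int(app.get("source_port", 0)))
    remote = ProxyId(*SRX_REMOTE, proto, int(app.get("destination_port", 0)))
    return local, remote


def diff_proxy_ids(a: ProxyId, b: ProxyId):
    """Names of the selector fields in which a and b differ."""
    return [f for f in ("network", "mask", "protocol", "port")
            if getattr(a, f) != getattr(b, f)]


def srx_reproduces_log(app: Dict[str, object], line: str) -> bool:
    """True if the modelled SRX IDs are exactly what the ASA logged.

    The peer's 'remote proxy' is our local ID and its 'local proxy' is our
    remote ID, so the pair is compared crosswise.
    """
    parsed = parse_asa_rejection(line)
    if parsed is None:
        return False
    asa_remote, asa_local = parsed
    srx_local, srx_remote = srx_proxy_ids(app)
    return srx_local == asa_remote and srx_remote == asa_local


if __name__ == "__main__":
    print("junos-ssh reproduces the logged IDs:", srx_reproduces_log(JUNOS_SSH, ASA_LOG))
    old_local, _ = srx_proxy_ids(JUNOS_SSH)
    new_local, _ = srx_proxy_ids(MY_SSH)
    print("local ID with junos-ssh:", old_local)
    print("local ID with my-ssh   :", new_local)
    print("changed fields:", diff_proxy_ids(old_local, new_local))
```

    Running it confirms that junos-ssh produces exactly the pair the ASA rejected, and that switching the service to an application with `source-port 22` changes only the port field of the SRX's local ID, turning it into the `B.B.B.B/255.255.255.0/6/22` selector the question was asking for.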



  • 3.  RE: Site-to-site route-based VPN between Juniper SRX and Cisco ASA

    Posted 08-12-2013 22:54

    Thank you! It seems the VPN is established now. But why doesn't junos-ssh work? Is it about the destination port?