Hello,
I would like to set up an IPsec connection between an SRX340 and a Cisco ASA firewall. Inside my network I have the SRX directly connected via the interconnect supplier (datacenter network) towards the ISP. We are using their dedicated servers/SRX/switches, and we also received a public range of 5.200.5.80/29. The firewall has reth0.100 as the "internet" interface, and the firewall itself has 5.200.5.81 as its IP address. Then interfaces ge-0/0/7.1409 and ge-5/0/7.2409 are directly connected towards the datacenter with a private range. Also, within my network I have different zones: ot-application, ap-application, etc.
Now I need to set up IPsec. Do I need to use a policy-based VPN or a route-based VPN? I know that the Cisco ASA only supports policy-based VPN. So, regarding the SRX having different zones, which one do I need the most to set up the IPsec connection? How do I implement this in combination with the different zones? Also, do I need to create a NAT exemption to exclude traffic from the NAT operation ("IPsec does not work over NAT")? Does anyone have an example of how to set this up, or an idea?
Zones:
untrust - ge-0/0/7.1409 and ge-5/0/7.2409 towards the datacenter interconnect routers, which have private IPs
trust - reth0.100 internet ("public range", source-NAT ip of the public range)
ot-application - reth1.30
ap-application - reth1.20
I have attached a topology.
Thanks
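As an added example, not part of the original post or any reply to it, the following Junos set-commands show one way to build the route-based side of this on the SRX340 while keeping the Cisco ASA on a policy-based (crypto-map) configuration: a tunnel interface st0.0 in its own zone, traffic selectors that reproduce the proxy IDs the ASA's crypto ACL will negotiate, zone policies per application zone, and the NAT handling the post asks about. The interface and zone names are taken from the post (reth0.100 with 5.200.5.81 in zone "trust", ot-application, ap-application). Everything else is assumed for illustration: the ASA outside address 203.0.113.10, the ASA LAN 192.168.100.0/24, the ot-application LAN 10.30.0.0/24, the ap-application LAN 10.20.0.0/24, the pre-shared key, and the proposal algorithms (which have to match whatever the ASA side is configured with).

```junos
## Added example (not from the original post). Assumed values, not from the post:
##   ASA outside IP 203.0.113.10, ASA LAN 192.168.100.0/24,
##   ot-application LAN 10.30.0.0/24, ap-application LAN 10.20.0.0/24,
##   pre-shared key "CHANGE-ME". Proposals must match the ASA side exactly.

## Phase 1 (IKE). reth0.100 holds 5.200.5.81 and sits in zone "trust" per the post.
set security ike proposal IKE-PROP-ASA authentication-method pre-shared-keys
set security ike proposal IKE-PROP-ASA dh-group group14
set security ike proposal IKE-PROP-ASA authentication-algorithm sha-256
set security ike proposal IKE-PROP-ASA encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-ASA lifetime-seconds 28800
set security ike policy IKE-POL-ASA proposals IKE-PROP-ASA
set security ike policy IKE-POL-ASA pre-shared-key ascii-text "CHANGE-ME"
set security ike gateway GW-ASA ike-policy IKE-POL-ASA
set security ike gateway GW-ASA address 203.0.113.10
set security ike gateway GW-ASA external-interface reth0.100
set security ike gateway GW-ASA local-address 5.200.5.81
set security ike gateway GW-ASA version v2-only
set security ike gateway GW-ASA dead-peer-detection interval 10
set security ike gateway GW-ASA dead-peer-detection threshold 3

## Phase 2 (IPsec), bound to a tunnel interface instead of a security policy.
set security ipsec proposal IPSEC-PROP-ASA protocol esp
set security ipsec proposal IPSEC-PROP-ASA authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP-ASA encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP-ASA lifetime-seconds 3600
set security ipsec policy IPSEC-POL-ASA perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-ASA proposals IPSEC-PROP-ASA
set security ipsec vpn VPN-ASA bind-interface st0.0
set security ipsec vpn VPN-ASA ike gateway GW-ASA
set security ipsec vpn VPN-ASA ike ipsec-policy IPSEC-POL-ASA
set security ipsec vpn VPN-ASA establish-tunnels immediately
## Traffic selectors are the proxy IDs a crypto-map peer expects, one per subnet pair.
## The ASA's crypto ACL must mirror these exactly (local/remote swapped) or Phase 2 fails.
set security ipsec vpn VPN-ASA traffic-selector TS-OT local-ip 10.30.0.0/24 remote-ip 192.168.100.0/24
set security ipsec vpn VPN-ASA traffic-selector TS-AP local-ip 10.20.0.0/24 remote-ip 192.168.100.0/24

## Tunnel interface in its own zone, so zone policies decide what may cross it.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn-asa interfaces st0.0
## IKE (UDP 500/4500) must be accepted on the zone that holds reth0.100.
set security zones security-zone trust host-inbound-traffic system-services ike

## Routing: send the ASA LAN into the tunnel. (With traffic selectors Junos also
## installs these routes itself once the SA is up; the static route is a safeguard.)
set routing-options static route 192.168.100.0/24 next-hop st0.0

## Address book and zone policies for each application zone <-> vpn-asa.
set security address-book global address OT-LAN 10.30.0.0/24
set security address-book global address AP-LAN 10.20.0.0/24
set security address-book global address ASA-LAN 192.168.100.0/24
set security policies from-zone ot-application to-zone vpn-asa policy OT-TO-ASA match source-address OT-LAN
set security policies from-zone ot-application to-zone vpn-asa policy OT-TO-ASA match destination-address ASA-LAN
set security policies from-zone ot-application to-zone vpn-asa policy OT-TO-ASA match application any
set security policies from-zone ot-application to-zone vpn-asa policy OT-TO-ASA then permit
set security policies from-zone vpn-asa to-zone ot-application policy ASA-TO-OT match source-address ASA-LAN
set security policies from-zone vpn-asa to-zone ot-application policy ASA-TO-OT match destination-address OT-LAN
set security policies from-zone vpn-asa to-zone ot-application policy ASA-TO-OT match application any
set security policies from-zone vpn-asa to-zone ot-application policy ASA-TO-OT then permit
## Repeat the pair above for ap-application with AP-LAN, tightening "application any"
## to the services actually needed once the tunnel is confirmed working.

## NAT: with a route-based VPN the protected traffic leaves via st0.0 (zone vpn-asa),
## not via reth0.100, so a source-NAT rule-set scoped "to zone trust" never sees it.
## The explicit no-NAT rule-set below is only needed if source NAT is scoped more broadly.
set security nat source rule-set OT-TO-VPN from zone ot-application
set security nat source rule-set OT-TO-VPN to zone vpn-asa
set security nat source rule-set OT-TO-VPN rule NO-NAT-ASA match source-address 10.30.0.0/24
set security nat source rule-set OT-TO-VPN rule NO-NAT-ASA match destination-address 192.168.100.0/24
set security nat source rule-set OT-TO-VPN rule NO-NAT-ASA then source-nat off

## Verification after commit:
##   run show security ike security-associations
##   run show security ipsec security-associations
##   run show security ipsec traffic-selector interface-name st0.0
##   run show security flow session destination-prefix 192.168.100.0/24
```

The design point is that the SRX does not have to match the ASA's policy-based style: a route-based VPN with traffic selectors negotiates the same proxy IDs the ASA's crypto ACL carries, while the zone-to-zone policies stay per application zone instead of being folded into one tunnel policy. If "show security ipsec security-associations" shows Phase 1 up but no Phase 2 SA, the first thing to compare is the traffic-selector prefixes against the ASA's crypto ACL entries.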