HOW TO: configure site2site VPN between Juniper SRX and Cisco ASA firewalls

https://netfixpro.com/s2s-vpn-srx-vs-asa-firewalls/

This article describes how to create a site-to-site IPsec VPN between a site running a Juniper SRX firewall and a site running a Cisco ASA firewall. You can use it as a quick reference when building a similar setup. VPN troubleshooting will be covered in a separate article.

Let's say you are asked to create a site-to-site IPsec VPN between a Juniper SRX and a Cisco ASA. You might assume that you have to use a policy-based VPN on the SRX, because the ASA release used here, like every ASA release before 9.7(1) introduced VTI, supports only policy-based (crypto-map) VPNs. You can, but there is another option: a route-based VPN on the Juniper SRX and a policy-based VPN on the Cisco ASA. Here is how to do that with traffic selectors on the SRX.

As of Junos 12.1X46, the SRX supports multiple proxy IDs on a route-based VPN through traffic selectors. A traffic selector (known as a proxy ID in IKEv1) is an agreement between IKE peers to permit traffic through a tunnel only if it matches a specified pair of local and remote addresses. Only traffic that conforms to a traffic selector is permitted through the associated IPsec SA. Each traffic selector negotiates its own Phase 2 SA, so the peer sees one proxy-ID pair per selector, which is exactly what the ASA produces from each entry of its crypto ACL. The selectors on the SRX therefore have to mirror the ASA's crypto ACL entry for entry, with local and remote swapped; a selector with no matching entry on the other side fails Phase 2 negotiation.

Example

In this article I demonstrate the VPN configuration for the following requirements between the Juniper SRX and Cisco ASA firewalls. The network diagram that accompanied the original post is not reproduced here; the addresses it showed can be read from the configuration below: the SRX's outside address is 20.20.20.20 with the DMZ (192.168.50.0/24) and INSIDE (192.168.60.0/24) segments behind it, and the ASA's outside address is 30.20.30.30 with 172.16.50.0/24 behind it. For this example I am using a Juniper vSRX running Junos OS 15.1X49-D60 and a Cisco ASA running 9.4(1).

Phase 1 parameters: pre-shared keys, DH group 2, SHA-1, AES-128, 86400 seconds, main mode.
Phase 2 parameters: ESP, HMAC-SHA-1, AES-128, 3600 seconds, PFS with DH group 2.

NOTE: DH group 2 (1024-bit MODP) and SHA-1 are used here because both ends in this lab negotiate them without any extra steps. For a production tunnel prefer group 14 or larger and SHA-256 for both phases on both peers, where the software releases support them, and use a long random pre-shared key rather than a memorable one.
Juniper SRX VPN Configuration
Interface and Zone configuration
edit interfaces st0 
 set unit 0 family inet
!
edit security zones security-zone VPN-REMOTE-ASA 
 set interfaces st0.0 
!
edit security zones security-zone OUTSIDE 
 set host-inbound-traffic system-services ike

NOTE: The st0 interface for this type of VPN is left unnumbered: unlike the usual route-based VPN, no IP address is assigned to st0.0. No static routes toward the remote network are added by hand either; with traffic selectors configured, Junos uses auto route insertion (ARI) to install a route for each remote-ip prefix via st0.0. That route only appears once the IPsec SA is up, so with the default establish-tunnels on-traffic the first tunnel setup is most easily triggered from the ASA side; alternatively, configure establish-tunnels immediately on the SRX vpn so it initiates at commit.

IKE Phase 1 configuration
edit security ike proposal pre-gr2-sha1-aes128
 set authentication-method pre-shared-keys
 set dh-group group2
 set authentication-algorithm sha1
 set encryption-algorithm aes-128-cbc
!
edit security ike policy ike-pol-vpn-REMOTE-ASA
 set mode main
 set proposals pre-gr2-sha1-aes128
 set pre-shared-key ascii-text 395psksecr3t
!
edit security ike gateway gw-vpn-REMOTE-ASA
 set external-interface reth0.0
 set ike-policy ike-pol-vpn-REMOTE-ASA
 set address 30.30.30.30

NOTE: There is an order of operation for this configuration: the IKE gateway requires an IKE policy, and the IKE policy requires an IKE proposal.

IKE Phase 2 configuration
edit security ipsec proposal esp-hmac-sha-aes128
 set protocol esp
 set authentication-algorithm hmac-sha1-96
 set encryption-algorithm aes-128-cbc
!
edit security ipsec policy ipsec-pol-vpn-REMOTE-ASA
 set proposals esp-hmac-sha-aes128
 set perfect-forward-secrecy keys group2
!
edit security ipsec vpn vpn-REMOTE-ASA
 set ike gateway gw-vpn-REMOTE-ASA
 set ike ipsec-policy ipsec-pol-vpn-REMOTE-ASA
 set bind-interface st0.0
 set traffic-selector TS1-DMZ-VPN-REMOTE-ASA local-ip 192.168.50.0/24
 set traffic-selector TS1-DMZ-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
 set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA local-ip 192.168.60.0/24
 set traffic-selector TS1-INSIDE-VPN-REMOTE-ASA remote-ip 172.16.50.0/24

NOTE: There is an order of operation here as well: the IPsec VPN requires an IKE gateway and an IPsec policy, and the IPsec policy requires an IPsec proposal. The traffic selectors belong to the same vpn stanza as the bind-interface. The local-ip/remote-ip of each selector is what the SRX sends as its proxy ID, so the two selectors above yield two Phase 2 SAs, one per local subnet, and both must be mirrored by entries in the ASA's crypto ACL.

Security Policies configuration
edit security address-book global
 set address 192.168.50.0/24 192.168.50.0/24
 set address 192.168.60.0/24 192.168.60.0/24
 set address 172.16.50.0/24 172.16.50.0/24
 set address-set VPN-REMOTE-ASA-REMOTE address 172.16.50.0/24
!
edit security policies from-zone DMZ to-zone VPN-REMOTE-ASA
 set policy VPN-DMZ-REMOTE-ASA match source-address 192.168.50.0/24
 set policy VPN-DMZ-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE
 set policy VPN-DMZ-REMOTE-ASA match application any
 set policy VPN-DMZ-REMOTE-ASA then permit
!
edit security policies from-zone VPN-REMOTE-ASA to-zone DMZ
 set policy VPN-REMOTE-ASA-DMZ match source-address VPN-REMOTE-ASA-REMOTE
 set policy VPN-REMOTE-ASA-DMZ match destination-address 192.168.50.0/24
 set policy VPN-REMOTE-ASA-DMZ match application any
 set policy VPN-REMOTE-ASA-DMZ then permit
!
edit security policies from-zone INSIDE to-zone VPN-REMOTE-ASA
 set policy VPN-INSIDE-REMOTE-ASA match source-address 192.168.60.0/24
 set policy VPN-INSIDE-REMOTE-ASA match destination-address VPN-REMOTE-ASA-REMOTE
 set policy VPN-INSIDE-REMOTE-ASA match application any
 set policy VPN-INSIDE-REMOTE-ASA then permit
!
edit security policies from-zone VPN-REMOTE-ASA to-zone INSIDE
 set policy VPN-REMOTE-ASA-INSIDE match source-address VPN-REMOTE-ASA-REMOTE
 set policy VPN-REMOTE-ASA-INSIDE match destination-address 192.168.60.0/24
 set policy VPN-REMOTE-ASA-INSIDE match application any
 set policy VPN-REMOTE-ASA-INSIDE then permit

Cisco ASA VPN configuration

ASA VPN configuration is straightforward, the same as any IKEv1 site-to-site crypto-map VPN. Two things must line up with the SRX side. First, the crypto ACL must contain one entry per SRX traffic selector, with source and destination swapped; the object-groups below expand to exactly the two proxy-ID pairs the SRX proposes. Second, the SRX IPsec policy requires PFS with group 2, so the crypto map needs a matching `set pfs group2`; without it, tunnels brought up from the ASA side fail Phase 2 against the SRX. The ASA's default Phase 2 lifetime is 28800 seconds versus 3600 on the SRX; IKEv1 settles on the shorter value, but `set security-association lifetime seconds 3600` on the crypto map keeps both sides explicit.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp identity address
!
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
 ikev1 pre-shared-key 395psksecr3t
!
object-group network VPN-INSIDE-NET
 network-object 172.16.50.0 255.255.255.0
!
object-group network VPN-REMOTE-NET
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0
!
access-list VPN2SRX permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET
!
nat (any,OUTSIDE) source static VPN-INSIDE-NET VPN-INSIDE-NET destination static VPN-REMOTE-NET VPN-REMOTE-NET
! 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map S2S-VPN-CMAP 11 match address VPN2SRX
crypto map S2S-VPN-CMAP 11 set peer 20.20.20.20
crypto map S2S-VPN-CMAP 11 set transform-set ESP-AES-SHA
crypto map S2S-VPN-CMAP 11 set pfs group2
!
crypto map S2S-VPN-CMAP interface OUTSIDE
!
crypto ikev1 enable OUTSIDE
!
access-list INSIDE-OUT permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET

NOTE: The last line only matters if an access list named INSIDE-OUT is applied to the inside interface with access-group; without an interface ACL the ASA already permits traffic from a higher-security to a lower-security interface. Decrypted traffic arriving from the tunnel bypasses the OUTSIDE interface ACL as long as the default sysopt connection permit-vpn is in place; if that has been disabled, the OUTSIDE ACL must also permit traffic from 192.168.50.0/24 and 192.168.60.0/24 to 172.16.50.0/24. The NAT exemption (the nat ... source static line) is a manual NAT rule and is therefore evaluated before any object NAT; if a manual dynamic PAT rule for the same hosts also exists, the exemption must be listed above it, otherwise VPN traffic is translated to the OUTSIDE address and never matches the crypto ACL.
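To show what the two configurations above actually agree on at Phase 2, here is an added example (my own code, not from the article and not a Juniper or Cisco tool): a Python script that expands the SRX traffic selectors and the ASA crypto ACL, object-groups included, into proxy-ID pairs, diffs the two views, and reports the PFS setting on each side. The inputs are constructed from the article's own config, with the SRX stanza flattened to `display set` form and the ASA crypto map reproduced as originally posted, without a `set pfs` line, so the script flags that mismatch; the function and variable names are mine.

```python
import ipaddress
import re
# Constructed input: the article's SRX IPsec stanza, flattened to "display set" form.
SRX_CONFIG = """
set security ipsec policy ipsec-pol-vpn-REMOTE-ASA perfect-forward-secrecy keys group2
set security ipsec vpn vpn-REMOTE-ASA traffic-selector TS1-DMZ-VPN-REMOTE-ASA local-ip 192.168.50.0/24
set security ipsec vpn vpn-REMOTE-ASA traffic-selector TS1-DMZ-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
set security ipsec vpn vpn-REMOTE-ASA traffic-selector TS1-INSIDE-VPN-REMOTE-ASA local-ip 192.168.60.0/24
set security ipsec vpn vpn-REMOTE-ASA traffic-selector TS1-INSIDE-VPN-REMOTE-ASA remote-ip 172.16.50.0/24
"""
# Constructed input: the crypto-relevant lines of the article's ASA config (no "set pfs" line).
ASA_CONFIG = """
object-group network VPN-INSIDE-NET
 network-object 172.16.50.0 255.255.255.0
object-group network VPN-REMOTE-NET
 network-object 192.168.50.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0
access-list VPN2SRX permit ip object-group VPN-INSIDE-NET object-group VPN-REMOTE-NET
crypto map S2S-VPN-CMAP 11 match address VPN2SRX
crypto map S2S-VPN-CMAP 11 set peer 20.20.20.20
crypto map S2S-VPN-CMAP 11 set transform-set ESP-AES-SHA
"""
def net(text):
    # Accepts "a.b.c.d/24", "a.b.c.d/255.255.255.0" or a bare host; host bits are masked.
    return ipaddress.ip_network(text, strict=False)

def srx_proxy_ids(config, vpn_name):
    """(local, remote) pairs the SRX proposes: one Phase 2 SA per traffic selector."""
    pat = re.compile(rf"^set security ipsec vpn {re.escape(vpn_name)} "
                     r"traffic-selector (\S+) (local-ip|remote-ip) (\S+)$")
    selectors = {}
    for line in config.splitlines():
        if m := pat.match(line.strip()):
            selectors.setdefault(m.group(1), {})[m.group(2)] = net(m.group(3))
    for name, ends in selectors.items():
        if len(ends) != 2:
            raise ValueError(f"traffic selector {name} lacks local-ip or remote-ip")
    return {(e["local-ip"], e["remote-ip"]) for e in selectors.values()}

def asa_object_groups(config):
    """object-group name -> member networks (network-object and host forms)."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^object-group network (\S+)$", line):
            current, groups[m.group(1)] = m.group(1), []
        elif (m := re.match(r"^\s+network-object (?:host (\S+)|(\S+) (\S+))$", line)) and current:
            groups[current].append(net(m.group(1) or f"{m.group(2)}/{m.group(3)}"))
        elif line and not line.startswith(" "):
            current = None  # any other top-level command closes the group
    return groups

def _operand(tokens, groups):
    """Consume one ACL address operand; return (networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [net(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [net("0.0.0.0/0")], tokens[1:]
    return [net(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def asa_proxy_ids(config, acl_name):
    """(asa_local, asa_remote) pairs: the crypto ACL expanded one ACE at a time."""
    groups, prefix, pairs = asa_object_groups(config), f"access-list {acl_name} ", set()
    for line in config.splitlines():
        if not line.strip().startswith(prefix):
            continue
        tokens = line.strip()[len(prefix):].split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # deny entries and non-IP protocols never become proxy IDs
        srcs, rest = _operand(tokens[2:], groups)
        dsts, _ = _operand(rest, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs

def srx_pfs(config, policy):
    m = re.search(rf"^set security ipsec policy {re.escape(policy)} perfect-forward-secrecy keys (\S+)$", config, re.M)
    return m.group(1) if m else None

def asa_pfs(config, cmap, seq):
    # "set pfs" with no group means group2 on the ASA; no line at all means PFS is not proposed.
    m = re.search(rf"^crypto map {re.escape(cmap)} {seq} set pfs(?: (\S+))?$", config, re.M)
    return (m.group(1) or "group2") if m else None

def audit(srx_config=SRX_CONFIG, asa_config=ASA_CONFIG):
    """Diff both views; the ASA's (local, remote) is the SRX's (remote, local)."""
    srx = srx_proxy_ids(srx_config, "vpn-REMOTE-ASA")
    asa = {(r, l) for (l, r) in asa_proxy_ids(asa_config, "VPN2SRX")}
    return {"matched": srx & asa, "only_on_srx": srx - asa, "only_on_asa": asa - srx,
            "pfs": (srx_pfs(srx_config, "ipsec-pol-vpn-REMOTE-ASA"),
                    asa_pfs(asa_config, "S2S-VPN-CMAP", 11))}

if __name__ == "__main__":
    report = audit()
    for key in ("matched", "only_on_srx", "only_on_asa"):
        for local, remote in sorted(report[key], key=str):
            print(f"{key:12} srx-local={local} srx-remote={remote}")
    print("pfs: srx={} asa={}".format(*report["pfs"]))
```

Run it on the article's config and both selectors land in `matched` with nothing left over, while `pfs` comes back as `('group2', None)`. Replace the ASA's two-entry object-group with a single summary entry such as 192.168.0.0/16 and the same script shows one pair only on the ASA and two only on the SRX: that is the proxy-ID mismatch that makes Phase 2 fail, and it is invisible if you only compare the address lists by eye.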

Once both sides are committed, bring the tunnel up with interesting traffic (for example a ping from 172.16.50.0/24 to a host in 192.168.50.0/24 or 192.168.60.0/24) and verify it. On the SRX, `show security ike security-associations` should list 30.30.30.30 in state UP, `show security ipsec security-associations` should show two SA pairs on st0.0 (one per traffic selector), and `show route 172.16.50.0/24` should return the ARI route via st0.0. On the ASA, `show crypto ikev1 sa` should show peer 20.20.20.20 in MM_ACTIVE and `show crypto ipsec sa peer 20.20.20.20` should show two SAs whose local and remote identities mirror the SRX traffic selectors, with the encaps and decaps counters increasing. I hope you enjoyed this article. Please feel free to leave a comment or feedback.


Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on social media to learn more about him.

One thought on “HOW TO: configure site2site VPN between Juniper SRX and Cisco ASA firewalls”

  • December 4, 2017 at 4:59 AM

    Hi Ashutosh

    Great article

    But can you please demonstrate the same in GUI as well (ASDM & JWEB) to make life easy for us

    It's just a suggestion ok

    Thanks
