ASA to SRX Route-based IPSec VPN (part 1)

ASA to SRX Topology

Yes, you can have an IPSec tunnel between a Cisco and Juniper firewall!

It’s actually pretty easy to set up a tunnel between an ASA and an SRX. The topology above is a traditional branch on each side: an inside subnet PATed to the internet behind the firewall’s WAN address.

This is a two-page post. This page covers the initial setup of the topology above: addressing, NAT, security policies and so on. If you’re just looking for the VPN config, skip to page 2!

ASA Initial Configuration

To get started on the ASA we’ll assign the interfaces IP Addresses, Security Zones, NAT and a default route like so:

ciscoasa(config)# int gi0/0
ciscoasa(config-if)# nameif OUTSIDE
INFO: Security level for "OUTSIDE" set to 0 by default.
ciscoasa(config-if)# ip add 198.51.100.1 255.255.255.252
ciscoasa(config-if)# no shut

ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif INSIDE
INFO: Security level for "INSIDE" set to 100 by default.
ciscoasa(config-if)# ip add 172.16.100.1 255.255.255.0
ciscoasa(config-if)# no shut

ciscoasa(config)# nat (INSIDE,OUTSIDE) after-auto source dynamic any interface description "PAT out the OUTSIDE interface from the INSIDE interface"

ciscoasa(config)# route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.2

One additional note for the ASA: by default it does not track ICMP statefully, so an echo request from INSIDE is allowed out to OUTSIDE but the echo reply is dropped on the way back because there is no connection entry for it. Enabling ICMP inspection in the global policy creates that entry for each request so the reply is matched and permitted:

ciscoasa# conf t
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#  class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# end

SRX Initial Configuration

Here we set the interfaces IP Addresses, assign Zones and set a Default Route.

set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.1/24

set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces ge-0/0/1.0

set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2

In addition, on the SRX we need to allow host-inbound traffic on the UNTRUST zone for ping and IKE. Ping lets us test the WAN interface; IKE (UDP 500/4500) has to reach the SRX itself for the tunnel on page 2, since the SRX drops traffic addressed to its own interfaces unless the zone explicitly allows it. We’ll also add a security policy permitting TRUST zone traffic to the UNTRUST zone, and open the TRUST zone to all host-inbound services and protocols. That last part is fine for a lab, but on a production box you would list only the services the inside really needs.

set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike

set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL then permit

set security zones security-zone TRUST host-inbound-traffic system-services any-service
set security zones security-zone TRUST host-inbound-traffic protocols all

NAT takes a few more lines on the SRX but does exactly the same thing as the ASA’s dynamic PAT: the rule-set matches sessions from TRUST to UNTRUST, and RULE-1 translates the inside subnet to the address of the egress interface. The rule-set name is only a label; the from-zone and to-zone statements are what decide which traffic it applies to.

set security nat source rule-set UNTRUST-TO-TRUST from zone TRUST
set security nat source rule-set UNTRUST-TO-TRUST to zone UNTRUST
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 match source-address 192.168.50.0/24
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 then source-nat interface
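Before moving on to the VPN, it is worth checking that the SRX pieces above line up: the zone that holds the WAN interface (the one the default route leaves through) must allow host-inbound IKE, the source NAT rule-set must egress that same zone, and the NAT zone pair must be permitted by a policy or the sessions will never be created. The following script is an added example and not part of the original post or of Junos itself; it parses the set-format lines shown above (embedded here as sample input) and reports those mismatches. The check names and messages are my own.

```python
"""Lint a Junos set-format SRX config for the zone, policy and NAT
consistency a route-based VPN will depend on.

Added example, not from the original post. The checks are assumptions
about what is worth verifying; the config lines are the ones from the post.
"""
import ipaddress
import re
from collections import defaultdict

# Sample input: the SRX configuration lines from the post, embedded for an offline run.
SRX_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.50.1/24
set security zones security-zone UNTRUST interfaces ge-0/0/0.0
set security zones security-zone TRUST interfaces ge-0/0/1.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2
set security zones security-zone UNTRUST host-inbound-traffic system-services ping
set security zones security-zone UNTRUST host-inbound-traffic system-services ike
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT-ALL then permit
set security zones security-zone TRUST host-inbound-traffic system-services any-service
set security zones security-zone TRUST host-inbound-traffic protocols all
set security nat source rule-set UNTRUST-TO-TRUST from zone TRUST
set security nat source rule-set UNTRUST-TO-TRUST to zone UNTRUST
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 match source-address 192.168.50.0/24
set security nat source rule-set UNTRUST-TO-TRUST rule RULE-1 then source-nat interface
"""


def parse_srx(text):
    """Extract only the state the checks need from set-format lines."""
    cfg = {
        "ifl_addr": {},                      # "ge-0/0/0.0" -> IPv4Interface
        "zone_of_ifl": {},                   # "ge-0/0/0.0" -> "UNTRUST"
        "host_inbound": defaultdict(set),    # zone -> {"ping", "ike", ...}
        "permits": set(),                    # (from_zone, to_zone) with a permit action
        "nat_rulesets": defaultdict(dict),   # name -> {"from": zone, "to": zone}
        "default_next_hop": None,
    }
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address (\S+)$", line):
            cfg["ifl_addr"][f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)$", line):
            cfg["zone_of_ifl"][m[2]] = m[1]
        elif m := re.match(r"set security zones security-zone (\S+) host-inbound-traffic "
                           r"system-services (\S+)$", line):
            cfg["host_inbound"][m[1]].add(m[2])
        elif m := re.match(r"set security policies from-zone (\S+) to-zone (\S+) "
                           r"policy \S+ then permit$", line):
            cfg["permits"].add((m[1], m[2]))
        elif m := re.match(r"set security nat source rule-set (\S+) (from|to) zone (\S+)$", line):
            cfg["nat_rulesets"][m[1]][m[2]] = m[3]
        elif m := re.match(r"set routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$", line):
            cfg["default_next_hop"] = ipaddress.ip_address(m[1])
    return cfg


def external_zone(cfg):
    """The WAN zone is the one holding the interface whose subnet contains the default next-hop."""
    nh = cfg["default_next_hop"]
    if nh is None:
        return None
    for ifl, addr in cfg["ifl_addr"].items():
        if nh in addr.network:
            return cfg["zone_of_ifl"].get(ifl)
    return None


def lint(cfg):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    ext = external_zone(cfg)
    if ext is None:
        return ["default route next-hop is not on any configured interface subnet"]
    svcs = cfg["host_inbound"][ext]
    if not ({"ike", "any-service"} & svcs):
        findings.append(f"zone {ext} holds the WAN interface but does not allow host-inbound ike; "
                        "IKE negotiation will never reach the SRX")
    if "any-service" in svcs:
        findings.append(f"zone {ext} allows any-service to the SRX itself; restrict the WAN zone "
                        "to the services it really needs")
    for name, zones in cfg["nat_rulesets"].items():
        if zones.get("to") != ext:
            findings.append(f"source NAT rule-set {name} egresses zone {zones.get('to')} "
                            f"rather than the WAN zone {ext}")
        if (zones.get("from"), zones.get("to")) not in cfg["permits"]:
            findings.append(f"rule-set {name} NATs {zones.get('from')}->{zones.get('to')} "
                            "but no policy permits that zone pair, so no sessions will be built")
    for frm, to in cfg["permits"]:
        if frm == ext:
            findings.append(f"a policy permits traffic from the WAN zone {ext} into {to}; "
                            "check that inbound exposure is intended")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_srx(SRX_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the post’s lines it reports nothing; drop the `system-services ike` line and it flags that the WAN zone will silently discard the IKE traffic the next page depends on. The same idea extends to the ASA side, where the equivalent questions are whether the NAT rule’s zone pair matches the interfaces and whether the default route actually leaves via OUTSIDE.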

Quick Sanity Checks

A ping from the East host behind the SRX to the ASA’s WAN interface, and from the West host behind the ASA to the SRX’s WAN interface, both succeed, with each source address PATed to its firewall’s WAN address on the way out:

EastPC> ping 198.51.100.1
84 bytes from 198.51.100.1 icmp_seq=1 ttl=253 time=3.665 ms
84 bytes from 198.51.100.1 icmp_seq=2 ttl=253 time=3.844 ms

WestPC> ping 203.0.113.1
84 bytes from 203.0.113.1 icmp_seq=1 ttl=63 time=4.912 ms
84 bytes from 203.0.113.1 icmp_seq=2 ttl=63 time=2.034 ms

Alright, after all that, we’re now ready to move on to the actual VPN set up on Page 2!
