
Example – Configuring site-to-site VPN between SRX and Cisco ASA, with overlapping subnets at the two sites (Route-based VPNs)


Article ID: KB28183 | Last Updated: 21 Feb 2020 | Version: 3.0
Summary:

This article contains a configuration example of a site-to-site, route-based VPN with overlapping subnets between SRX and ASA.

For additional configuration examples, see KB28861 - Examples – Configuring site-to-site VPNs between SRX and Cisco ASA.

For related technical documentation, see IPsec VPN Feature Guide for Security Devices.

Goal:

Configure a site-to-site, route-based VPN with overlapping subnets between SRX and ASA.

Network Topology:

  Cisco LAN 192.168.1.0/24 -- [ASA inside 192.168.1.1 | outside 100.1.1.1] ==== IPsec (st0.0) ==== [SRX ge-0/0/0 100.1.1.2 | ge-0/0/1 192.168.1.1] -- SRX LAN 192.168.1.0/24

  Static 1-1 NAT mapping:
    Cisco LAN 192.168.1.0/24 mapped to 1.1.1.0/24
    SRX LAN   192.168.1.0/24 mapped to 2.2.2.0/24

Cause:

Because both LANs use the same subnet (192.168.1.0/24), Network Address Translation (NAT) is required: each site is presented to the other under a translated prefix (1.1.1.0/24 for the Cisco LAN, 2.2.2.0/24 for the SRX LAN), so that inside LAN hosts can route traffic to their respective ASA / SRX gateway and have it placed into the VPN tunnel to the remote LAN.

The SRX proxy-IDs must mirror the crypto ACL on the ASA, and both must use the translated (NAT) address scheme rather than the real 192.168.1.0/24 addresses.
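As an added example (not part of this article, and not Juniper or Cisco code), the following Python script models the topology above: it applies each site's static 1:1 NAT, checks that the SRX proxy-identity mirrors the ASA crypto ACL, confirms the translated prefixes collide with nothing, and traces the source/destination pair a packet carries on each LAN and inside the tunnel. The SITES, SRX_PROXY_ID and ASA_CRYPTO_ACL values are taken from this article's configuration; the host addresses used in the trace are constructed.

```python
import ipaddress

# Constructed from the KB topology: both LANs are 192.168.1.0/24, and each site
# is presented to the other under a translated prefix via static 1:1 NAT.
SITES = {
    "cisco": {"real": "192.168.1.0/24", "mapped": "1.1.1.0/24"},
    "srx":   {"real": "192.168.1.0/24", "mapped": "2.2.2.0/24"},
}
# Phase 2 selectors as configured in the KB: SRX proxy-identity, ASA crypto ACL.
SRX_PROXY_ID = {"local": "2.2.2.0/24", "remote": "1.1.1.0/24"}
ASA_CRYPTO_ACL = {"src": "1.1.1.0/24", "dst": "2.2.2.0/24"}


def static_1to1(host, from_net, to_net):
    """Static 1:1 NAT: swap the network bits, keep the host bits."""
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    h = ipaddress.ip_address(host)
    if h not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{host} not in {from_net}, or prefix lengths differ")
    return str(ipaddress.ip_address(
        int(dst.network_address) | (int(h) & int(src.hostmask))))


def selectors_match(proxy_id, acl):
    """Phase 2 negotiates only if the SRX proxy-ID mirrors the ASA crypto ACL."""
    n = ipaddress.ip_network
    return n(proxy_id["local"]) == n(acl["dst"]) and n(proxy_id["remote"]) == n(acl["src"])


def mapped_prefixes_are_safe(sites):
    """Translated prefixes must not overlap each other or either real LAN."""
    mapped = [ipaddress.ip_network(s["mapped"]) for s in sites.values()]
    real = [ipaddress.ip_network(s["real"]) for s in sites.values()]
    for i, m in enumerate(mapped):
        if any(m.overlaps(o) for o in mapped[i + 1:] + real):
            return False
    return True


def trace(src_site, src_host, dst_site, dst_host):
    """Source/destination pair seen at each hop for src_host -> dst_host."""
    s, d = SITES[src_site], SITES[dst_site]
    dst_addressed = static_1to1(dst_host, d["real"], d["mapped"])      # sender targets the mapped address
    src_on_wire = static_1to1(src_host, s["real"], s["mapped"])        # sender's edge applies source NAT
    dst_delivered = static_1to1(dst_addressed, d["mapped"], d["real"])  # receiver's edge applies destination NAT
    sel = ((ASA_CRYPTO_ACL["src"], ASA_CRYPTO_ACL["dst"]) if src_site == "cisco"
           else (SRX_PROXY_ID["local"], SRX_PROXY_ID["remote"]))
    in_selector = (ipaddress.ip_address(src_on_wire) in ipaddress.ip_network(sel[0])
                   and ipaddress.ip_address(dst_addressed) in ipaddress.ip_network(sel[1]))
    return {"lan_out": (src_host, dst_addressed), "in_tunnel": (src_on_wire, dst_addressed),
            "lan_in": (src_on_wire, dst_delivered), "in_selector": in_selector}
```

A Cisco-side host reaching an SRX-side host must address it as 2.2.2.x; the trace shows why a selector built from the real 192.168.1.0/24 prefix would never match the encrypted traffic.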

Solution:

Configuration for SRX

root# show | no-more
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
        route 1.1.1.0/24 next-hop st0.0;
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$6qsMAtOrlMXNbp0MX"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            bind-interface st0.0;
            proxy-identity {
                local 2.2.2.0/24;
                remote 1.1.1.0/24;
                service any;
            }
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        static {
            rule-set 1 {
                from zone untrust;
                rule 1 {
                    match {
                        destination-address 2.2.2.0/24;
                    }
                    then {
                        static-nat prefix 192.168.1.0/24;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 1.1.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
    }
}


Configuration for Cisco ASA

(Only VPN-related configuration is included.)

Interface Configuration:
------------------------------------------------------------
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
!

Policy Configuration:
------------------------------------------------------------
access-list OVERLAPPING extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list POLICY_NAT extended permit ip 192.168.1.0 255.255.255.0 2.2.2.0 255.255.255.0

IPsec/IKE Configuration:
------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 
crypto map outside_map 20 match address OVERLAPPING
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

Verification on the SRX:

root> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2498200  UP     8ba8408da126a3e6  5e2f43a8b83404a0  Main  100.1.1.1

root> show security ipsec security-associations
Total active tunnels: 1
ID       Algorithm     SPI       Life:sec/kb     Mon  vsys  Port  Gateway
<131073  ESP:des/ md5  b13d12f1  28079/ 4608000  -    root  500   100.1.1.1
>131073  ESP:des/ md5  9ee278dd  28079/ 4608000  -    root  500   100.1.1.1

root> show security ipsec security-associations detail
Virtual-system: root
Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=2.2.2.0/24)
Remote Identity: ipv4_subnet(any:0,[0..7]=1.1.1.0/24)
DF-bit: clear
Direction: inbound, SPI: b13d12f1, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28074 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 27511 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 9ee278dd, AUX-SPI: 0, VPN Monitoring: -
Hard lifetime: Expires in 28074 seconds
Lifesize Remaining: 4608000 kilobytes
Soft lifetime: Expires in 27511 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 7792
Decrypted bytes: 7620
Encrypted packets: 61
Decrypted packets: 91
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0


For VPN troubleshooting on the SRX, refer to the Resolution Guides:
Resolution Guides - SRX-VPN
Modification History:
2020-02-21: Changed encrypted password to "$ABC123".
