
Example – Configuring site-to-site VPNs between SRX and Cisco ASA, with multiple networks behind the SRX (Route-based VPNs)


Article ID: KB28198 | Last Updated: 21 Feb 2020 | Version: 3.0
Summary:

This article contains a configuration example of site-to-site, route-based VPNs between a Juniper Networks SRX and Cisco ASA device with multiple networks behind the SRX.

For additional configuration examples, see KB28861 - Examples – Configuring site-to-site VPNs between SRX and Cisco ASA.

For related technical documentation, see IPsec VPN Feature Guide for Security Devices.

Symptoms:

Goal:

Configure a site-to-site, route-based VPN between SRX and Cisco ASA, with multiple networks behind the SRX

Network Topology:

Solution:

Configuration for SRX

root# show | no-more
system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input ASA;
                }
                address 192.168.3.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet myrib;
    }
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
        route 192.168.1.0/24 next-hop st0.0;
    }
    rib-groups {
        myrib {
            import-rib [ inet.0 ASA.inet.0 ];
            import-policy import-sunnyvale_1;
        }
    }
}
policy-options {
    policy-statement import-sunnyvale_1 {
        term 1 {
            from {
                route-filter 192.168.3.0/24 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
}
security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$9$6qsMAtOrlMXNbp0MX"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal phase-2 {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals phase-2;
        }
        vpn ike-vpn-chicago {
            bind-interface st0.0;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.2.0/24;
                    remote 192.168.1.0/24;
                    service any;
                }
                ipsec-policy phase2-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn-chicago_1 {
            bind-interface st0.1;
            ike {
                gateway gw-chicago;
                proxy-identity {
                    local 192.168.3.0/24;
                    remote 192.168.1.0/24;
                    service any;
                }
                ipsec-policy phase2-policy;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust_2 {
            policy vpn-tr-untr_1 {
                match {
                    source-address sunnyvale_1;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust_2 to-zone trust {
            policy vpn-untr-tr_1 {
                match {
                    source-address chicago;
                    destination-address sunnyvale_1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }

    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
                address sunnyvale_1 192.168.3.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
                st0.0;
            }
        }
        security-zone untrust_2 {
            address-book {
                address chicago 192.168.1.0/24;
            }
            interfaces {
                st0.1;
            }
        }
    }
}
firewall {
    family inet {
        filter ASA {
            term 1 {
                from {
                    source-address {
                        192.168.3.0/24;
                    }
                    destination-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    routing-instance ASA;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
routing-instances {
    ASA {
        instance-type virtual-router;
        interface st0.1;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop st0.1;
            }
        }
    }
}
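As an added example (not part of this KB article or of Junos itself), the following Python models the forwarding decisions the SRX configuration above produces: the input filter ASA on ge-0/0/2.0 steering 192.168.3.0/24 to 192.168.1.0/24 traffic into the ASA virtual router, the longest-prefix lookup in each routing table, and the rib-group import that lets return traffic arriving on st0.1 reach ge-0/0/2.0. Interface names, prefixes and proxy-IDs are taken from the configuration; the tables and next hops are a constructed simplification of what the routing engine would install.

```python
import ipaddress

# Constructed model of the SRX forwarding path in this article (Python, not Junos):
# the input filter "ASA" on ge-0/0/2.0 steers 192.168.3.0/24 -> 192.168.1.0/24 into the
# virtual router "ASA", whose only route to 192.168.1.0/24 points at st0.1.
INSTANCE_OF_INTERFACE = {"st0.1": "ASA"}   # every other interface is in the default instance
FILTER_ASA = [("192.168.3.0/24", "192.168.1.0/24", "ASA")]   # term 1; term 2 just accepts
PROXY_ID = {"st0.0": ("192.168.2.0/24", "192.168.1.0/24"),   # ike-vpn-chicago
            "st0.1": ("192.168.3.0/24", "192.168.1.0/24")}   # ike-vpn-chicago_1

def build_ribs(rib_group_import=True):
    """Routing tables as prefix -> next hop. The rib-group 'myrib' with policy
    import-sunnyvale_1 copies only the 192.168.3.0/24 interface route into ASA.inet.0."""
    ribs = {"inet.0": {"0.0.0.0/0": "100.1.1.1", "192.168.1.0/24": "st0.0",
                       "192.168.2.0/24": "ge-0/0/1.0", "192.168.3.0/24": "ge-0/0/2.0"},
            "ASA.inet.0": {"192.168.1.0/24": "st0.1"}}
    if rib_group_import:
        ribs["ASA.inet.0"]["192.168.3.0/24"] = "ge-0/0/2.0"
    return ribs

def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def select_instance(src, dst, ingress):
    """Filter-based forwarding on ge-0/0/2.0 first, then the ingress interface's instance."""
    if ingress == "ge-0/0/2.0":
        for s, d, instance in FILTER_ASA:
            if in_prefix(src, s) and in_prefix(dst, d):
                return instance
    return INSTANCE_OF_INTERFACE.get(ingress, "inet.0")

def lookup(ribs, instance, dst):
    """Longest-prefix match in the instance's table; None means the packet is dropped."""
    table = ribs["inet.0" if instance == "inet.0" else instance + ".inet.0"]
    matches = [p for p in table if in_prefix(dst, p)]
    if not matches:
        return None
    return table[max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def forward(src, dst, ingress, rib_group_import=True):
    """Return (routing instance, next hop) for a packet; next hop None means unroutable."""
    instance = select_instance(src, dst, ingress)
    return instance, lookup(build_ribs(rib_group_import), instance, dst)

def matches_selector(st0_unit, src, dst):
    """True if the flow fits the proxy-ID of that st0 unit, i.e. the crypto-map ACL the ASA enforces."""
    local, remote = PROXY_ID[st0_unit]
    return in_prefix(src, local) and in_prefix(dst, remote)
```

Calling forward with rib_group_import=False returns a next hop of None for traffic returning on st0.1, which is what omitting the rib-group from the configuration would do to the 192.168.3.0/24 tunnel.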



VPN Configuration for Cisco ASA

(Only VPN-related configuration is included.)

Interface Configuration:
------------------------------------------------------------------------------------------------------------------

!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 
!

Policy Configuration:
------------------------------------------------------------------------------------------------------------------
access-list 1to2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 1to3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

IPsec/IKE Configuration:
-----------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 
crypto map mymap 10 match address 1to2
crypto map mymap 10 set pfs 
crypto map mymap 10 set peer 100.1.1.2 
crypto map mymap 10 set ikev1 transform-set CISCO
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 20 match address 1to3
crypto map mymap 20 set pfs 
crypto map mymap 20 set peer 100.1.1.2 
crypto map mymap 20 set ikev1 transform-set CISCO
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap interface outside
crypto isakmp identity address 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

Verification on the SRX:

root> show security ike sa                        
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1286965 UP     755c0b36446c59c8  32e6f87164c2b0c9  Main           100.1.1.1  
  
root> show security ipsec sa  
   Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:des/ md5  7224024b 28335/unlim   -   root 500   100.1.1.1       
  >131073 ESP:des/ md5  56783db3 28335/unlim   -   root 500   100.1.1.1       
  <131074 ESP:3des/sha1 bb9bcbc8 28366/unlim   -   root 500   100.1.1.1       
  >131074 ESP:3des/sha1 5857802  28366/unlim   -   root 500   100.1.1.1        
      

root> show security ipsec sa detail                            
    ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.0

    Direction: inbound, SPI: 7224024b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28331 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27693 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 56783db3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28331 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27693 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 131074 Virtual-system: root, VPN Name: ike-vpn-chicago_1
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.3.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1

    Direction: inbound, SPI: bb9bcbc8, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28362 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27722 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 5857802, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28362 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 27722 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ipsec statistics | no-more    
ESP Statistics:
  Encrypted bytes:           110840
  Decrypted bytes:            64932
  Encrypted packets:            815
  Decrypted packets:            773
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0


For VPN troubleshooting on the SRX, refer to the Resolution Guides:
Resolution Guides - SRX-VPN
Modification History:
2020-02-21: Changed encrypted password to "$ABC123".
