Juniper SRX to Cisco ASA Site to Site with source NAT
This article describes how to create a Site-to-Site (LAN-to-LAN) VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. Site A (Juniper) will source NAT its local traffic through the VPN so that it fits the encryption domain defined at Site B (Cisco).
The Juniper side will be configured as a route-based VPN and the Cisco side as a policy-based VPN. Source NAT is not possible on the Juniper if a policy-based VPN is used.
The goal is to create the following:
Juniper SRX configuration:
##### Phase 1 configuration #####
set security ike proposal ike-proposal-SITEB authentication-method pre-shared-keys
set security ike proposal ike-proposal-SITEB authentication-algorithm sha1
set security ike proposal ike-proposal-SITEB encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-SITEB lifetime-seconds 86400
set security ike policy ike-policy-SITEB mode main
set security ike policy ike-policy-SITEB proposals ike-proposal-SITEB
set security ike policy ike-policy-SITEB pre-shared-key ascii-text SHARED-SECRET-KEY
set security ike gateway ike-gate-SITEB ike-policy ike-policy-SITEB
set security ike gateway ike-gate-SITEB address 40.50.60.78
set security ike gateway ike-gate-SITEB external-interface ge-0/0/0
##### Phase 2 configuration #####
set security ipsec proposal ipsec-proposal-SITEB protocol esp
set security ipsec proposal ipsec-proposal-SITEB authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-SITEB encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-SITEB lifetime-seconds 28800
set security ipsec policy ipsec-policy-SITEB perfect-forward-secrecy keys group1
set security ipsec policy ipsec-policy-SITEB proposals ipsec-proposal-SITEB
set security ipsec vpn ipsec-vpn-SITEB bind-interface st0.0
set security ipsec vpn ipsec-vpn-SITEB ike gateway ike-gate-SITEB
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity local 172.24.50.0/28
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity remote 172.25.56.0/24
set security ipsec vpn ipsec-vpn-SITEB ike ipsec-policy ipsec-policy-SITEB
set security ipsec vpn ipsec-vpn-SITEB establish-tunnels immediately
##### Address book entries #####
set security address-book global address SITEB 172.25.56.0/24
set security address-book global address SITEA-VPN-SCOPE 172.24.50.0/28
##### NAT Options #####
set security nat source pool src-nat-SITEB address 172.24.50.0/28
set security nat source pool src-nat-SITEB port no-translation
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match destination-address 172.25.56.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB then source-nat pool src-nat-SITEB
##### Basic Firewall rules #####
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match source-address SITEA-VPN-SCOPE
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match destination-address SITEB
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB then permit
##### MISC configuration #####
set interfaces st0 unit 0 family inet address 172.24.50.1/28
set routing-options static route 172.25.56.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0
The configuration is pretty basic: we define the phase 1 and 2 settings, set the NAT options for the source NAT, define the firewall rules, the address-book entries and so on. The one thing to notice is that we create a tunnel interface, st0.0, to which we route the remote network of Site B (172.25.56.0/24). The st0.0 interface IP address is inside the local encryption domain (172.24.50.1/28).
This is called a "route-based VPN" as opposed to a "policy-based VPN". To do source NAT over a VPN on a Juniper SRX you have to use the route-based kind.
Let's continue with the Site B configuration, which is on a Cisco ASA; here we'll use a policy-based VPN.
Cisco ASA configuration:
##### Cryptomap / Encryption domain definition #####
! the crypto ACL is written from the ASA's own side: source = local Site B network, destination = the SRX proxy-ID
access-list Outside_SITEA_cryptomap extended permit ip 172.25.56.0 255.255.255.0 172.24.50.0 255.255.255.240
##### Basic Firewall rules #####
! a vpn-filter ACL is the other way round: source = the remote (SRX) side, destination = the local network
access-list L2L-tunnel-vpn-filter remark START - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51
access-list L2L-tunnel-vpn-filter extended permit ip 172.24.50.0 255.255.255.240 172.25.56.0 255.255.255.0
access-list L2L-tunnel-vpn-filter remark STOP - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51
##### Phase 1 configuration #####
tunnel-group 80.70.60.51 type ipsec-l2l
tunnel-group 80.70.60.51 general-attributes
 default-group-policy L2L-tunnel-group-policy
tunnel-group 80.70.60.51 ipsec-attributes
 pre-shared-key SHARED-SECRET-KEY
##### Phase 2 configuration #####
crypto map Outside_map SITEA match address Outside_SITEA_cryptomap
crypto map Outside_map SITEA set pfs group1
crypto map Outside_map SITEA set peer 80.70.60.51
crypto map Outside_map SITEA set transform-set ESP-AES-256-SHA
The Cisco configuration is pretty much straightforward: no routing, no NAT, just a basic VPN configuration with the cryptomap (encryption domain), the phase 1 and 2 settings and the access-lists.
And that's it! You should now be able to bring the tunnel up by initiating some traffic.
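As an added example (not part of the original article or of either vendor's tooling), here is a small Python script that checks the two sides above against each other before the tunnel is brought up: the ASA crypto ACL, which is written from the ASA's own side, must mirror the SRX proxy-IDs, the source NAT pool must fall inside the SRX local proxy-ID, the route for Site B must point at st0.0, and both sides must require the same PFS group. The relevant lines of the two configurations are embedded in the script; the function and check names are my own.

```python
import ipaddress
import re

# Relevant lines of the two configurations above, embedded so the check runs offline.
SRX_CONF = """\
set security ipsec policy ipsec-policy-SITEB perfect-forward-secrecy keys group1
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity local 172.24.50.0/28
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity remote 172.25.56.0/24
set security nat source pool src-nat-SITEB address 172.24.50.0/28
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match destination-address 172.25.56.0/24
set interfaces st0 unit 0 family inet address 172.24.50.1/28
set routing-options static route 172.25.56.0/24 next-hop st0.0
"""
ASA_CONF = """\
access-list Outside_SITEA_cryptomap extended permit ip 172.25.56.0 255.255.255.0 172.24.50.0 255.255.255.240
crypto map Outside_map SITEA match address Outside_SITEA_cryptomap
crypto map Outside_map SITEA set pfs group1
"""

def value_after(conf, prefix):
    """First token that follows `prefix` on the first config line starting with it."""
    for line in conf.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):].split()[0]
    return None

def asa_crypto_acl(conf, acl_name):
    """(source, destination) networks of an ASA crypto-map ACL, i.e. (local, remote) from the ASA's side."""
    pat = re.compile(rf"access-list {acl_name} extended permit ip (\S+) (\S+) (\S+) (\S+)")
    m = next(filter(None, map(pat.match, conf.splitlines())), None)
    return (ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")) if m else None

def check_vpn(srx=SRX_CONF, asa=ASA_CONF):
    """Map of consistency checks between the SRX and ASA sides; True means the two agree."""
    net, pid = ipaddress.ip_network, "set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity "
    local, remote = net(value_after(srx, pid + "local ")), net(value_after(srx, pid + "remote "))
    pool = net(value_after(srx, "set security nat source pool src-nat-SITEB address "))
    nat_dst = net(value_after(srx, "set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match destination-address "))
    st0 = ipaddress.ip_interface(value_after(srx, "set interfaces st0 unit 0 family inet address "))
    asa_local, asa_remote = asa_crypto_acl(asa, value_after(asa, "crypto map Outside_map SITEA match address "))
    return {
        "asa_acl_mirrors_srx_proxy_ids": asa_local == remote and asa_remote == local,  # else phase 2 fails
        "nat_pool_inside_local_proxy_id": pool.subnet_of(local),  # else the ASA drops the NATed sources
        "nat_rule_dest_is_remote_proxy_id": nat_dst == remote,
        "st0_inside_local_proxy_id": st0.network.subnet_of(local),
        "remote_routed_via_st0": value_after(srx, f"set routing-options static route {remote} next-hop ") == "st0.0",
        "pfs_groups_match": value_after(srx, "set security ipsec policy ipsec-policy-SITEB perfect-forward-secrecy keys ")
        == value_after(asa, "crypto map Outside_map SITEA set pfs "),
    }
```

Any False in the returned map points at the mismatch to fix before digging through IKE debug output on either box.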
If you have any questions feel free to leave a comment or contact me!