Juniper SRX to Cisco ASA Site to Site with source NAT

This article will describe how to create a Site to Site (Lan to Lan) VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. The traffic from Site A (Juniper) will source NAT it’s local traffic through the VPN to meet the encryption domain defined at Site B (Cisco).

The Juniper part will be created as a route-based VPN, and Cisco as policy-based. It is not possible to source NAT on Juniper, if a policy-based VPN is used.

The goal is to create the following:

Juniper SRX configuration:

##### Phase 1 configuration #####

set security ike proposal ike-proposal-SITEB authentication-method pre-shared-keys
set security ike proposal ike-proposal-SITEB authentication-algorithm sha1
set security ike proposal ike-proposal-SITEB encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-SITEB lifetime-seconds 86400
set security ike policy ike-policy-SITEB mode main
set security ike policy ike-policy-SITEB proposals ike-proposal-SITEB
set security ike policy ike-policy-SITEB pre-shared-key ascii-text SHARED-SECRET-KEY
set security ike gateway ike-gate-SITEB ike-policy ike-policy-SITEB
set security ike gateway ike-gate-SITEB address 40.50.60.78
set security ike gateway ike-gate-SITEB external-interface ge-0/0/0

##### Phase 2 configuration #####

set security ipsec proposal ipsec-proposal-SITEB protocol esp
set security ipsec proposal ipsec-proposal-SITEB authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-SITEB encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-SITEB lifetime-seconds 28800
set security ipsec policy ipsec-policy-SITEB perfect-forward-secrecy keys group1
set security ipsec policy ipsec-policy-SITEB proposals ipsec-proposal-SITEB
set security ipsec vpn ipsec-vpn-SITEB bind-interface st0.0
set security ipsec vpn ipsec-vpn-SITEB ike gateway ike-gate-SITEB
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity local 172.24.50.0/28
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity remote 172.25.56.0/24
set security ipsec vpn ipsec-vpn-SITEB ike ipsec-policy ipsec-policy-SITEB
set security ipsec vpn ipsec-vpn-SITEB establish-tunnels immediately

##### Address book entrys #####

set security address-book global address SITEB 172.25.56.0/24
set security address-book global address SITEA-VPN-SCOPE 172.24.50.0/28

##### NAT Options #####

set security nat source pool src-nat-SITEB address 172.24.50.0/28
set security nat source pool src-nat-SITEB port no-translation
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match destination-address 172.25.56.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB then source-nat pool src-nat-SITEB

##### Basic Firewall rules #####

set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match source-address SITEA-VPN-SCOPE
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match destination-address SITEB
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB then permit

##### MISC configuration #####
set interfaces st0 unit 0 family inet address 172.24.50.1/28
set routing-options static route 172.25.56.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0

The configuration is pretty basic, we define the phase 1 and 2 settings, set the NAT options for the source NAT, defines access-lists, address-book entries etc. The only thing you have to notice, is that we create a tunnel interface, called st0.0, which we route the remote net for Site B to (172.25.56.0/25). The st0.0 interface IP-address is inside the local encryption domain (172.25.50.1/28).

This is called “Route based VPN” instead of “Policy based VPN”. To do source NAT over VPN on Juniper SRX you have to use the RB VPN.

Lets continue to the SITE B configuration, which is on a Cisco ASA, and here we’ll use a policy based VPN

Cisco ASA configuration:

##### Cryptomap / Encryption domain definition #####

access-list Outside_SITEA_cryptomap extended permit ip 172.24.50.0 255.255.255.240 172.25.56.0 255.255.255.0

##### Basic Firewall rules #####

access-list L2L-tunnel-vpn-filter remark START - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51 
access-list L2L-tunnel-vpn-filter extended permit ip 172.24.50.0 255.255.255.240 172.25.56.0 255.255.255.0 
access-list L2L-tunnel-vpn-filter remark STOP - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51

##### Phase 1 configuration #####

tunnel-group 80.70.60.51 type ipsec-l2l
tunnel-group 80.70.60.51 general-attributes
default-group-policy L2L-tunnel-group-policy
tunnel-group 80.70.60.51 ipsec-attributes
pre-shared-key SHARED-SECRET-KEY

##### Phase 2 configuration #####

crypto map Outside_map SITEA match address Outside_SITEA_cryptomap
crypto map Outside_map SITEA set pfs group1
crypto map Outside_map SITEA set peer 80.70.60.51
crypto map Outside_map SITEA set transform-set ESP-AES-256-SHA

The Cisco configuration is pretty much straight forward, no routing, no NAT, just basic VPN configuration, cryptomap (encryption domain), phase 1 and 2 and the access-lists.

And thats it! You should now be able to bring the tunnel up if you initiate some traffic.

If you have any questions feel free to leave a comment or contact me!

Facebook

Google

Twitter

8 Responses to "Juniper SRX to Cisco ASA Site to Site with source NAT"

Tibor B says:

December 27, 2014 at 02:29

Hi Marc,

I am really scratching my head as my Tunnel doesn’t want to work :/. I have an SRX 100H2 and a Cisco1800. Basically emulating the ASA with the router and the setting – all ACL / Cryptomaps are perfectly fine but I am very new to Junos.

Many people are having VPN related problems with SRX – so I tried various combinations with no luck.

Basically all I want is two locations with DNAT internett access via both device and an IPSEC tunnel between the two routers to reach the internal subnets. This is really basic and probablt the most common scenario that I’ve done many times with various equipment but not Juniper.

Could you describe me this scenario a bit better as this hybrid route/policy based seems to be a good idea but something but something not clear with it..I think you swapped the sides and some IPs are wrong. Or I am completely wrong – but want to understand and implement.

Thanks,
T

Reply
1. Marc Zacho says:
  
  December 30, 2014 at 16:53
  
  Hello Tibor,
  
  If you need to source NAT from the Juniper device you need to create to configuration as “route-based”. But if you don’t need to NAT between the two sites, you can use “policy-based” aswell.
  
  You can try to look at these two examples from Juniper:
  Policy Based Example
  Route Based Example
  
  Otherwise show me the Junos configuration, and I’ll try to help you out 🙂
  
  /Marc
  
  Reply
Carpua says:

March 25, 2015 at 13:57

Hi Marc

i am trying to build a tunnel between an SRX650 and ASA 5510, the tunnel keeps flapping, and the error message received when it flaps is invalid cookies from x.x.x.x (ASA address). can you maybe please point me in the right direction.

regards
Carpua

Reply
1. Marc Zacho says:
  
  March 26, 2015 at 19:58
  
  Hi Carpua,
  
  It sounds like a Phase 1 (IKE) issue to me.
  
  Do you see any error logs on the ASA site?
  
  I think its because the SRX does not like the way the ASA is identifying it self, could be some duplication error or that the ASA is trying to identify by hostname and not IP.
  
  The ASA identification config looks something like:
  hostname
  domain-name
  crypto isakmp identity hostname
  
  The likewise Junos config is:
  set security ike gateway remote-identity hostname.domain
  
  Reply
Amar says:

December 2, 2015 at 21:27

How about a scenario, where you have multiple subnets at destination behind Cisco.
Do i create a different St interface and bind it to a different Phase2
or
use same St interface as next hop and just create different phase2 with prody-id of second destination subnet.

Reply
1. Marc Zacho says:
  
  December 9, 2015 at 23:04
  
  Hi Amar,
  
  Yes, AFAIK the only way is to create multiple P2 and St interfaces to accomplish connectivity to multiple subnets.
  
  It would be nice if you were able to add multiple proxy-id’s to a single SA.
  
  But take a look at this KB article from Juniper, it describes the situation and how to solve it:
  
  http://kb.juniper.net/InfoCenter/index?page=content&id=KB20543&actp=search
  
  Reply
Arasu says:

January 4, 2016 at 05:32

Hello Marc,

I have the same kind of connectivity, instead of 2 different subnet i had used 2 IPs using traffic-selector.

Whenever Cisco ASA become S2S VPN Initiator for this VPN tunnel, which is being established through UDP-500 at Juniper SRX end and UDP-4500 at Cisco ASA end as per the logs; in this scenario one of the server (either A nor B) is not accessible; however VPN phase -1 and phase -2 are UP and the other server is working without any issues (Local: UDP-500 & Remote: UDP-4500).

If the Juniper SRX become S2S VPN Initiator for this VPN tunnel, which is being established through UDP-4500 at Juniper SRX end and UDP-4500 at Cisco ASA end; in this scenario both jump server (A&B) are accessible; Both VPN phases are UP.

Could you help me on this

Reply
1. Marc Zacho says:
  
  January 17, 2016 at 02:09
  
  Hi Arasu,
  
  Sorry for the late reply, but I am very busy at the moment 🙁
  
  Regarding your question; I am not sure that I fully understand your setup, so please help me clarify that.
  
  What do you mean by you are using a traffic selector? I assume you have two firewalls, an ASA and a SRX in a S2S setup. But instead of subnet in each end, you have a single IP address?
  
  Do you use NAT? You mention UDP 4500, so I assume that you have some NAT-T configured/enabled?.
  
  You say that it works fine when the SRX is the initiator? But if the ASA tries to establish the tunnel (p1+p2) is established, but its random which server you are able to acces? (from where?).
  
  For me it sounds like you have a VPN mesh, but correct me if I am wrong (as said, I don’t get the traffic selector part). If you could show me a quick drawing it would help understading the setup.
  
  Reply

Juniper SRX configuration:

Leave a Reply Cancel reply