Juniper SRX to Cisco ASA Site to Site with source NAT

This article will describe how to create a Site to Site (Lan to Lan) VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. The traffic from Site A (Juniper) will source NAT it’s local traffic through the VPN to meet the encryption domain defined at Site B (Cisco).

The Juniper part will be created as a route-based VPN, and Cisco as policy-based. It is not possible to source NAT on Juniper, if a policy-based VPN is used.

The goal is to create the following:

Site to Site

Juniper SRX configuration:

##### Phase 1 configuration #####

set security ike proposal ike-proposal-SITEB authentication-method pre-shared-keys
set security ike proposal ike-proposal-SITEB authentication-algorithm sha1
set security ike proposal ike-proposal-SITEB encryption-algorithm aes-256-cbc
set security ike proposal ike-proposal-SITEB lifetime-seconds 86400
set security ike policy ike-policy-SITEB mode main
set security ike policy ike-policy-SITEB proposals ike-proposal-SITEB
set security ike policy ike-policy-SITEB pre-shared-key ascii-text SHARED-SECRET-KEY
set security ike gateway ike-gate-SITEB ike-policy ike-policy-SITEB
set security ike gateway ike-gate-SITEB address 40.50.60.78
set security ike gateway ike-gate-SITEB external-interface ge-0/0/0

##### Phase 2 configuration #####

set security ipsec proposal ipsec-proposal-SITEB protocol esp
set security ipsec proposal ipsec-proposal-SITEB authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-SITEB encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-proposal-SITEB lifetime-seconds 28800
set security ipsec policy ipsec-policy-SITEB perfect-forward-secrecy keys group1
set security ipsec policy ipsec-policy-SITEB proposals ipsec-proposal-SITEB
set security ipsec vpn ipsec-vpn-SITEB bind-interface st0.0
set security ipsec vpn ipsec-vpn-SITEB ike gateway ike-gate-SITEB
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity local 172.24.50.0/28
set security ipsec vpn ipsec-vpn-SITEB ike proxy-identity remote 172.25.56.0/24
set security ipsec vpn ipsec-vpn-SITEB ike ipsec-policy ipsec-policy-SITEB
set security ipsec vpn ipsec-vpn-SITEB establish-tunnels immediately

##### Address book entrys #####

set security address-book global address SITEB 172.25.56.0/24
set security address-book global address SITEA-VPN-SCOPE 172.24.50.0/28

##### NAT Options #####

set security nat source pool src-nat-SITEB address 172.24.50.0/28
set security nat source pool src-nat-SITEB port no-translation
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB match destination-address 172.25.56.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule-SITEB then source-nat pool src-nat-SITEB

##### Basic Firewall rules #####

set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match source-address SITEA-VPN-SCOPE
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match destination-address SITEB
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-SITEA-to-SITEB then permit

##### MISC configuration #####
set interfaces st0 unit 0 family inet address 172.24.50.1/28
set routing-options static route 172.25.56.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0

The configuration is pretty basic, we define the phase 1 and 2 settings, set the NAT options for the source NAT, defines access-lists, address-book entries etc. The only thing you have to notice, is that we create a tunnel interface, called st0.0, which we route the remote net for Site B to (172.25.56.0/25). The st0.0 interface IP-address is inside the local encryption domain (172.25.50.1/28).

This is called “Route based VPN” instead of “Policy based VPN”. To do source NAT over VPN on Juniper SRX you have to use the RB VPN.

Lets continue to the SITE B configuration, which is on a Cisco ASA, and here we’ll use a policy based VPN

Cisco ASA configuration:

##### Cryptomap / Encryption domain definition #####

access-list Outside_SITEA_cryptomap extended permit ip 172.24.50.0 255.255.255.240 172.25.56.0 255.255.255.0

##### Basic Firewall rules #####

access-list L2L-tunnel-vpn-filter remark START - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51 
access-list L2L-tunnel-vpn-filter extended permit ip 172.24.50.0 255.255.255.240 172.25.56.0 255.255.255.0 
access-list L2L-tunnel-vpn-filter remark STOP - ID:SITEA NETWORK: 172.25.56.0 PEER: 80.70.60.51

##### Phase 1 configuration #####

tunnel-group 80.70.60.51 type ipsec-l2l
tunnel-group 80.70.60.51 general-attributes
default-group-policy L2L-tunnel-group-policy
tunnel-group 80.70.60.51 ipsec-attributes
pre-shared-key SHARED-SECRET-KEY

##### Phase 2 configuration #####

crypto map Outside_map SITEA match address Outside_SITEA_cryptomap
crypto map Outside_map SITEA set pfs group1
crypto map Outside_map SITEA set peer 80.70.60.51
crypto map Outside_map SITEA set transform-set ESP-AES-256-SHA

The Cisco configuration is pretty much straight forward, no routing, no NAT, just basic VPN configuration, cryptomap (encryption domain), phase 1 and 2 and the access-lists.

And thats it! You should now be able to bring the tunnel up if you initiate some traffic.

If you have any questions feel free to leave a comment or contact me!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.