Eric

asked on

Setting up a VPN IPSEC tunnel

I need help in setting up an IPsec tunnel between a Juniper SRX firewall and a Cisco ASA firewall. I have spent time with Cisco support and it has been largely unrewarding. The Juniper has a VPN Wizard which operates with completely different language than the Cisco firewall. I have tried using CLI code and it will not take the code. I have done some pretty thorough Google searches and found sites which have a wizard to help you configure, as well as expert sites like this one.

I am kind of at a loss as to what my next step should be. I can try calling Juniper support but I don't give that high hopes. Is there a resource I can turn to to help me bring up the IPsec tunnel? I seem to find people with experience with one firewall but not the other.

Any suggestions would be appreciated.

Thanks.
hypercube

If you have support with Juniper then it's well worth setting up a case. They are very helpful.
Can you please give the device model?
Eric (ASKER)

Sure, Juniper SRX 210
Eric (ASKER)

SRX-210HE
What Cisco FW are you using?

I will give you a config template.
Eric (ASKER)

Sorry, missed this. I am trying to interface with Rackspace. I will call them and get the specs for my Cisco router on their system.
Eric (ASKER)

BTW, I think part of the problem is that instead of a route-based tunnel I should do a policy-based tunnel. So I need to do the policy thing right as well. The following script fails because it says the zones are not established.

## Host-inbound services for each zone
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_X-X-X-X--24 X.X.X.0/24
set security zones security-zone trust address-book address net-cfgr_Y-Y-Y-Y--24 Y.Y.Y.0/24
set security zones security-zone untrust address-book address net-cfgr_Z-Z-Z-Z--22 Z.Z.Z.0/22
## IKE policy
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "******************"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address xx.xx.xx.xx
set security ike gateway ike-gate-cfgr external-interface qq-q/q/q.q
## IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_X-X-X-X--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_Y-Y-Y-Y--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match destination-address net-cfgr_Z-Z-Z-Z--22
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel pair-policy vpnpolicy-untrust-trust-cfgr
## Security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_Z-Z-Z-Z--22
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_X-X-X-X--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_Y-Y-Y-Y--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr
## End - VPN Configuration Generator Output
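A complete policy-based configuration for the SRX side, added here as an illustration and not taken from the thread or from the wizard output above; it includes the interface and zone bindings, the NAT exemption and the policy ordering that the generator output assumes are already in place. The interface names (ge-0/0/0.0, vlan.0), the addresses (10.1.1.0/24 local, 172.16.0.0/22 remote, 203.0.113.x on the WAN link) and the factory-default names source-nat-rule and default-permit are assumptions.

```junos
## Added example (not from the thread): interfaces assumed to be ge-0/0/0.0 (ISP side) and vlan.0 (LAN)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces vlan unit 0 family inet address 10.1.1.1/24
## Zones must own an interface before policies that reference them are useful
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
## Address book: local LAN in trust, Rackspace-side network in untrust (constructed values)
set security zones security-zone trust address-book address lan-10-1-1-0--24 10.1.1.0/24
set security zones security-zone untrust address-book address remote-172-16-0-0--22 172.16.0.0/22
## Phase 1: main mode, pre-shared key, proposal-set standard (3DES or AES-128, SHA-1, DH group 2)
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK"
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 203.0.113.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0.0
## Phase 2: no bind-interface and no st0 route, which is what makes this policy-based
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Exempt VPN traffic from the factory-default interface NAT (rule-set and rule names assumed)
set security nat source rule-set trust-to-untrust rule no-nat-vpn match source-address 10.1.1.0/24
set security nat source rule-set trust-to-untrust rule no-nat-vpn match destination-address 172.16.0.0/22
set security nat source rule-set trust-to-untrust rule no-nat-vpn then source-nat off
insert security nat source rule-set trust-to-untrust rule no-nat-vpn before rule source-nat-rule
## Policy pair: the permit tunnel action selects the VPN; proxy IDs come from these addresses
set security policies from-zone trust to-zone untrust policy vpn-out match source-address lan-10-1-1-0--24
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address remote-172-16-0-0--22
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel pair-policy vpn-in
set security policies from-zone untrust to-zone trust policy vpn-in match source-address remote-172-16-0-0--22
set security policies from-zone untrust to-zone trust policy vpn-in match destination-address lan-10-1-1-0--24
set security policies from-zone untrust to-zone trust policy vpn-in match application any
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpn-in then permit tunnel pair-policy vpn-out
## Policies are evaluated top-down: place vpn-out above the factory default-permit (name assumed)
insert security policies from-zone trust to-zone untrust policy vpn-out before policy default-permit
commit
## Verify Phase 1 and then Phase 2 after the commit
run show security ike security-associations
run show security ipsec security-associations
```

The SRX derives its Phase 2 proxy IDs from the policy's source and destination addresses, so the crypto ACL on the ASA 8.2 side has to mirror them exactly (here 10.1.1.0/24 to 172.16.0.0/22) and the same pair needs a nat 0 exemption there. If the first show command lists no SA, the problem is in Phase 1 (peer address, PSK, proposals); if only the second is empty, it is a Phase 2 or proxy-ID mismatch.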
Eric (ASKER)

The device is a Cisco ASA 5505 running 8.2(5)48 code (or standard code base).
ASKER CERTIFIED SOLUTION
Sandeep Gupta

This solution is only available to members.
Eric (ASKER)

Great article. I will try it and get back to you. Thanks.
Eric (ASKER)

Worked with Rackspace to get their end and our end communicating, and still no luck.