Setting up a VPN IPsec tunnel

I need help in setting up an IPsec tunnel between a Juniper SRX firewall and a Cisco ASA firewall.  I have spent time with Cisco support and it has been largely unrewarding.  The Juniper has a VPN Wizard which operates with completely different language than the Cisco firewall.  I have tried using CLI code and it will not take the code.  I have done some pretty thorough Google searches and found sites which have a wizard to help you configure, as well as expert sites like this one.

I am kind of at a loss as to what my next step should be.  I can try calling Juniper support but I don't have high hopes for that.  Is there a resource I can turn to for help in bringing up the IPsec tunnel?  I seem to find people with experience with one firewall but not the other.

Any suggestions would be appreciated.

Thanks.
Asked by aoviking

Fred Marshall (Principal) commented:
If you have support with Juniper then it's well worth setting up a case.  They are very helpful.
0
Sandeep Gupta (Consultant) commented:
Can you please give the device model?
0
aoviking (Author) commented:
Sure, Juniper SRX 210
0
aoviking (Author) commented:
SRX-210HE
0
Sandeep Gupta (Consultant) commented:
What Cisco FW are you using?

I will give you a config template.
0
aoviking (Author) commented:
Sorry, missed this. I am trying to interface with Rackspace.  I will call them and get the specs for my Cisco router on their system.
0
aoviking (Author) commented:
Btw, I think part of the problem is that instead of a route-based tunnel I should do a policy-based tunnel. So I need to do the policy thing right as well.  The following script fails because it says the zones are not established.

## Host-inbound services for each zone (allow IKE, UDP/500, to terminate on the untrust interface)
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
## (addresses and names are redacted placeholders; Junos object names are case-sensitive and
## every policy below must reference them spelled exactly as defined here)
set security zones security-zone trust address-book address net-cfgr_X-X-X-x--24 X.X.X.0/24
set security zones security-zone trust address-book address net-cfgr_Y-Y-Y-Y--24 YYY.YYY.Y.Y/24
set security zones security-zone untrust address-book address net-cfgr_zzz-zz-Z-z--22 zzz.zz.Z.z/22
## IKE policy (phase 1): main mode, pre-shared key, "standard" proposal set
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "******************"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address xx.xx.xx.xx
set security ike gateway ike-gate-cfgr external-interface qq-q/q/q.q
## IPsec policy (phase 2): "standard" proposal set
set security ipsec policy ipsec-policy-cfgr proposal-set standard
## IPsec vpn (policy-based: no bind-interface, the security policies below select the traffic)
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_X-X-X-x--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_Y-Y-Y-Y--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match destination-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel pair-policy vpnpolicy-untrust-trust-cfgr
## Security policies for tunnel traffic in inbound direction (mirror image of the outbound policy)
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_X-X-X-x--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_Y-Y-Y-Y--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr
## End - VPN Configuration Generator Output
0
aoviking (Author) commented:
The device is a Cisco ASA 5505 running 8.2(5)48 code (or the standard code base).
0
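For reference, here is what the other end of the policy-based VPN posted above looks like on an ASA 5505 in 8.2(5) syntax. This is an added example, not a configuration from anyone in this thread and not Rackspace's actual configuration; it is written as the counterpart you would hand to whoever manages the ASA. Every address is a constructed placeholder (192.0.2.1 stands for the SRX external-interface, 198.51.100.1 for the ASA outside interface, 10.10.1.0/24 and 10.10.2.0/24 for the two SRX trust networks "X" and "Y", and 10.20.0.0/22 for the untrust network "zzz"). The proposal values are my reading of what `proposal-set standard` on the SRX offers (pre-shared key, 3DES or AES-128, SHA-1, DH group 2, with the Junos defaults of 28800 s for IKE and 3600 s for IPsec lifetimes); confirm them with `show security ike security-associations detail` and `show security ipsec security-associations detail` on the SRX before relying on them, and in particular check whether the SRX negotiates PFS.

```text
! Cisco ASA 5505, 8.2(5) syntax: "crypto isakmp" (not the 8.4+ "crypto ikev1") and pre-8.3 NAT.
! Constructed sample addresses (public side uses RFC 5737 test ranges):
!   ASA outside (this peer)        198.51.100.1
!   SRX external-interface (peer)  192.0.2.1
!   ASA-side LAN  (SRX "zzz" /22)  10.20.0.0/22
!   SRX-side LANs (SRX "X", "Y")   10.10.1.0/24, 10.10.2.0/24

! Phase 1 (IKEv1 main mode). One policy that overlaps the SRX "standard" IKE set:
! pre-shared key, AES-128, SHA-1, DH group 2, 28800 s lifetime. One match is enough.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

! Peer identity and pre-shared key. The key must be byte-identical to the
! "pre-shared-key ascii-text" value in the SRX ike policy.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-THE-SHARED-SECRET

! Interesting traffic: the mirror image of the SRX trust->untrust policy.
! SRX "source X,Y -> destination zzz" becomes ASA "local zzz -> remote X,Y".
! These are the proxy IDs the ASA proposes in phase 2, one per ACE.
access-list VPN-TO-SRX extended permit ip 10.20.0.0 255.255.252.0 10.10.1.0 255.255.255.0
access-list VPN-TO-SRX extended permit ip 10.20.0.0 255.255.252.0 10.10.2.0 255.255.255.0

! NAT exemption (8.2 identity NAT). The ASA translates before it evaluates the crypto map,
! so without this the translated packet no longer matches VPN-TO-SRX and leaves in the clear.
access-list NONAT extended permit ip 10.20.0.0 255.255.252.0 10.10.1.0 255.255.255.0
access-list NONAT extended permit ip 10.20.0.0 255.255.252.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 2. ESP AES-128 / HMAC-SHA-1 overlaps the SRX "standard" IPsec set; 3600 s lifetime
! matches the Junos default. Keep "set pfs group2" only if the SRX side negotiates PFS;
! a PFS mismatch fails phase 2 even when the transform set matches.
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-SRX
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES128-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
```

To check the result, compare both ends: on the ASA `show crypto isakmp sa` and `show crypto ipsec sa` (and `debug crypto isakmp 127` while the tunnel is being brought up, to see which proposal or proxy ID the peer rejected); on the SRX `show security ike security-associations` and `show security ipsec security-associations`. Phase 1 up with no phase 2 SA almost always means the transform, PFS setting or proxy IDs do not mirror each other, so the address-book entries on the SRX and the crypto ACL on the ASA should be read side by side.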
Sandeep Gupta (Consultant) commented:
Hello, I would like to review the following points first:

about the SRX and ASA:
1. SRX can keep local copies of the configuration on the hard disk, up to 49 rollbacks, so if you keep good track of changes then you can roll back to a specific one without much work.
2. Cisco ASA: you need to restore from backup or keep the rollback as a manual process, not part of the system feature set, but using a good tool like Kiwi CatTools you can be fine.
3. Restricting local access to the firewall on SRX requires firewall filters and is not so easy to configure at a glance, unlike the NetScreen with the manager IP configuration.
4. Restricting local access to the firewall on ASA is a snap, configured at the management protocol level.
5. SRX has a nice system restore point feature so that if all else fails you can restore to that point.
6. ASA does not.
7. SRX has a nice feature to allow a service to be restarted without having to restart the firewall, for example for a VPN issue.
8. ASA does not; a reboot is required.
9. SRX runs two operating systems, FreeBSD and JUNOS.
10. ASA does not, to the best of my knowledge, so it is easier from an OS standpoint to debug and troubleshoot and does not require special access to any other place but the ASA OS itself.
11. SRX does a great job with all types of NATs.
12. ASA on 8.3 and greater has added many nice NAT features.
13. SRX is a zone-based firewall, which is a handy feature for a busy SRX with a lot of interfaces or sub-interfaces.
14. ASA does not support zones, to the best of my knowledge.
15. SRX IP gateway monitor requires an external script to run.
16. ASA has a nice IP gateway monitor built in (IP SLA).

And then try this guide for setting up the IPsec tunnel:

http://www.petenetlive.com/KB/Article/0000710.htm
0

aoviking (Author) commented:
Great article, I will try it and get back to you.  Thanks.
0
aoviking (Author) commented:
Worked with Rackspace to get their end and our end communicating, and still no luck.
0