Solved

Setting up a VPN IPSEC tunnel

Posted on 2014-09-02
11
63 Views
Last Modified: 2016-01-14
I need help in setting up an IPsec tunnel between a Juniper SRX firewall and a Cisco ASA firewall.  I have spent time with Cisco support and it has been largely unrewarding.  The Juniper has a VPN Wizard which operates with completely different language than the Cisco firewall.  I have tried using CLI code and it will not take the code.  I have done some pretty thorough Google searches and found sites which have a wizard to help you configure as well as expert sites like this one.

I am kind of at a loss as to what my next step should be.  I can try calling Juniper support but I don't give that high hopes.  Is there a resource I can turn to to help me bring up the IPsec tunnel?  I seem to find people with experience with one firewall but not the other.

Any suggestions would be appreciated.

Thanks.
0
Question by:aoviking
11 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 40300261
If you have support with Juniper then it's well worth setting up a case.  They are very helpful.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40300594
can you please give the device model?
0
 

Author Comment

by:aoviking
ID: 40301119
Sure, Juniper SRX 210
0
 

Author Comment

by:aoviking
ID: 40301599
SRX-210HE
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40301764
What Cisco FW are you using?

I will give you a config template.
0
 

Author Comment

by:aoviking
ID: 40306251
Sorry missed this, I am trying to interface with RACKSPACE.  I will call them and get the specs for my CISCO router on their system.
0
 

Author Comment

by:aoviking
ID: 40306326
Btw - I think part of the problem is that instead of a route-based tunnel I should do a policy-based tunnel. So I need to do the policy thing right as well.  The following script fails because it says the zones are not established.

## Host-inbound services for each zone
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_X-X-X-x--24 X.X.X.0/24
set security zones security-zone trust address-book address net-cfgr_y-Y-Y-Y--24 YYY.YYY.Y.Y/24
set security zones security-zone untrust address-book address net-cfgr_zzz-zz-z-z--22 zzz.zz.Z.z/22
## IKE policy
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "******************"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address xx.xx.xx.xx
set security ike gateway ike-gate-cfgr external-interface qq-q/q/q.q
## IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_xx-xx-X-x--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_yyy-yyy-Y-y--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match destination-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel pair-policy vpnpolicy-untrust-trust-cfgr
## Security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_xx-xx-X-x--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_yyy-yyy-y-y--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr
## End - VPN Configuration Generator Output
0
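Two things commonly break an SRX-to-ASA policy-based tunnel built from generator output like the one above: phase 1/phase 2 proposals that do not line up with the ASA's isakmp policy and transform set, and proxy-IDs that the SRX derives from the security policy but the ASA expects to see as exact mirrors of its crypto ACL. The checker below is an added example, not code from this thread or from Juniper or Cisco: it encodes what Junos "proposal-set standard" expands to and the Junos default SA lifetimes (my reading of the Junos docs, stated as an assumption; confirm on the device), maps the ASA's keyword spellings onto that vocabulary, and applies the rule that a policy-based SRX VPN with more than one source or destination address in a single policy offers 0.0.0.0/0 as the proxy-ID for that side (also an assumption to verify on your release). The networks, the ASA settings and the policy shapes are constructed sample values, not the masked addresses from the post.

```python
from ipaddress import ip_network

# Junos "proposal-set standard" expanded (assumption of this example, from my
# reading of the Junos docs; confirm on the device before relying on it).
SRX_IKE_STANDARD = [
    {"auth": "pre-share", "enc": "3des", "hash": "sha", "group": 2},
    {"auth": "pre-share", "enc": "aes-128", "hash": "sha", "group": 2},
]
SRX_IPSEC_STANDARD = [("3des", "sha"), ("aes-128", "sha")]
SRX_IKE_LIFETIME, SRX_IPSEC_LIFETIME = 28800, 3600   # Junos defaults, seconds

# ASA keyword spellings mapped onto the vocabulary used above.
ASA_TOKENS = {"esp-3des": "3des", "3des": "3des", "esp-aes": "aes-128", "aes": "aes-128",
              "esp-sha-hmac": "sha", "sha": "sha", "esp-md5-hmac": "md5", "md5": "md5"}

def norm(token):
    return ASA_TOKENS.get(token, token)

def check_phase1(isakmp):
    """Findings for one ASA 'crypto isakmp policy' against the SRX IKE proposals."""
    offered = {"auth": isakmp["authentication"], "enc": norm(isakmp["encryption"]),
               "hash": norm(isakmp["hash"]), "group": isakmp["group"]}
    findings = []
    if offered not in SRX_IKE_STANDARD:
        findings.append(f"phase1 ERROR: ASA isakmp policy {offered} matches no SRX standard proposal")
    if isakmp.get("lifetime", 86400) != SRX_IKE_LIFETIME:
        findings.append("phase1 WARN: IKE lifetimes differ (usually tolerated; peers settle on the shorter)")
    return findings

def check_phase2(transform_set, asa_lifetime=28800):
    """Findings for an ASA transform set ('esp-3des esp-sha-hmac') against the SRX IPsec proposals."""
    enc, auth = (norm(t) for t in transform_set.split())
    findings = []
    if (enc, auth) not in SRX_IPSEC_STANDARD:
        findings.append(f"phase2 ERROR: transform set {transform_set!r} matches no SRX standard proposal")
    if asa_lifetime != SRX_IPSEC_LIFETIME:
        findings.append("phase2 WARN: IPsec SA lifetimes differ (usually tolerated)")
    return findings

def srx_proxy_id(sources, destinations):
    """Proxy-ID a policy-based SRX VPN derives from one security policy.
    Assumption of this example: more than one address on a side collapses to 0.0.0.0/0."""
    local = ip_network(sources[0]) if len(sources) == 1 else ip_network("0.0.0.0/0")
    remote = ip_network(destinations[0]) if len(destinations) == 1 else ip_network("0.0.0.0/0")
    return local, remote

def check_proxy_ids(srx_policies, asa_crypto_acl):
    """Each ASA crypto-ACL line (asa_local -> asa_remote) must be mirrored exactly by
    some SRX policy's (local, remote) proxy-ID; otherwise phase 2 fails with a
    proxy-ID / traffic-selector mismatch."""
    srx_ids = {srx_proxy_id(src, dst) for src, dst in srx_policies}
    findings = []
    for asa_local, asa_remote in asa_crypto_acl:
        mirrored = (ip_network(asa_remote), ip_network(asa_local))
        if mirrored not in srx_ids:
            findings.append(f"proxy-id ERROR: ASA ACL {asa_local} -> {asa_remote} has no SRX policy "
                            f"offering local={mirrored[0]} remote={mirrored[1]}")
    return findings

# Constructed sample, not the thread's masked addresses: two inside networks
# behind the SRX, one /22 behind the ASA, ASA 8.2-style default lifetimes.
ASA_ISAKMP = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": 2, "lifetime": 86400}
ASA_TRANSFORM = "esp-3des esp-sha-hmac"
ASA_ACL = [("192.168.0.0/22", "10.1.1.0/24"), ("192.168.0.0/22", "10.1.2.0/24")]
ONE_POLICY = [(["10.1.1.0/24", "10.1.2.0/24"], ["192.168.0.0/22"])]   # shape of the generator output
SPLIT_POLICIES = [(["10.1.1.0/24"], ["192.168.0.0/22"]), (["10.1.2.0/24"], ["192.168.0.0/22"])]

def audit(srx_policies, isakmp=ASA_ISAKMP, transform=ASA_TRANSFORM, acl=ASA_ACL):
    """All findings for one SRX policy layout against the ASA side."""
    return check_phase1(isakmp) + check_phase2(transform) + check_proxy_ids(srx_policies, acl)

if __name__ == "__main__":
    for label, policies in (("single policy", ONE_POLICY), ("one policy per network", SPLIT_POLICIES)):
        print(f"== {label} ==")
        for finding in audit(policies) or ["no findings"]:
            print(" ", finding)
```

Run as-is, the single-policy layout (two source addresses in one policy, as in the generator output) produces two proxy-ID errors against the ASA's two-line crypto ACL, while splitting it into one policy per inside network leaves only the lifetime warnings. Whatever the real cause on a given pair of boxes, the fastest confirmation is the SRX side's IKE/IPsec trace or log output next to `debug crypto isakmp` on the ASA: a proposal mismatch dies in phase 1, a proxy-ID mismatch dies in phase 2 quick mode.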
 

Author Comment

by:aoviking
ID: 40309260
The device is a Cisco ASA 5505 running 8.2(5)48 code (or standard code base).
0
 
LVL 9

Accepted Solution

by:
Sandeep Gupta earned 500 total points
ID: 40309652
Hello, I would like to review the following points first:

About the SRX and ASA:

1. SRX can keep local copies of the configuration on the hard disk, up to 49 rollbacks, so if you keep good track of changes then you can roll back to a specific one without much work.

2. Cisco ASA: you need to restore from backup or keep the rollback as a manual process, not part of the system feature set, but using a good tool like Kiwi CatTools you can be fine.

3. Restricting local access to the firewall on SRX requires firewall filters and is not so easy to configure at a glance, unlike the NetScreen with the manager IP configuration.

4. Restricting local access to the firewall on ASA is a snap, configured at the management protocol level.

5. SRX has a nice system restore point feature so that if all else fails you can restore to that point.

6. ASA does not.

7. SRX has a nice feature to allow a service to be restarted without having to restart the firewall, for example for a VPN issue.

8. ASA does not; a reboot is required.

9. SRX runs two operating systems, FreeBSD and JUNOS.

10. ASA does not, to the best of my knowledge, so it is easier from an OS standpoint to debug and troubleshoot and does not require special access to any other place but the ASA OS itself.

11. SRX does a great job with all types of NATs.

12. ASA on 8.3 and greater has added many nice NAT features.

13. SRX is a zone-based firewall, which is a handy feature for a busy SRX with a lot of interfaces or sub-interfaces.

14. ASA does not support zones, to the best of my knowledge.

15. SRX IP gateway monitor requires an external script to run.

16. ASA has a nice IP gateway monitor built in (IP SLA).

and then try this guide in setting up the IPSEC tunnel:

http://www.petenetlive.com/KB/Article/0000710.htm
0
 

Author Comment

by:aoviking
ID: 40313217
Great article,  I will try it and get back to you.  Thanks.
0
 

Author Comment

by:aoviking
ID: 40331484
Worked with Rackspace to get their end and our end communicating, and still no luck.
0