Solved

Setting up a VPN IPSEC tunnel

Posted on 2014-09-02
85 Views
Last Modified: 2016-01-14
I need help in setting up an IPsec tunnel between a Juniper SRX firewall and a Cisco ASA firewall.  I have spent time with Cisco support and it has been largely unrewarding.  The Juniper has a VPN Wizard which operates with completely different language than the Cisco firewall.  I have tried using CLI code and it will not take the code.  I have done some pretty thorough Google searches and found sites which have a wizard to help you configure as well as expert sites like this one.

I am kind of at a loss as to what my next step should be.  I can try calling Juniper support but I don't give that high hopes.  Is there a resource I can turn to to help me bring up the IPsec tunnel?  I seem to find people with experience with one firewall but not the other.

Any suggestions would be appreciated.

Thanks.
0
Comment
Question by:aoviking
11 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40300261
If you have support with Juniper then it's well worth setting up a case.  They are very helpful.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40300594
Can you please give the device model?
0
 

Author Comment

by:aoviking
ID: 40301119
Sure, Juniper SRX 210
0

 

Author Comment

by:aoviking
ID: 40301599
SRX-210HE
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40301764
What Cisco FW are you using?

I will give you a config template.
0
 

Author Comment

by:aoviking
ID: 40306251
Sorry missed this, I am trying to interface with RACKSPACE.  I will call them and get the specs for my CISCO router on their system.
0
 

Author Comment

by:aoviking
ID: 40306326
Btw, I think part of the problem is that instead of a route-based tunnel I should do a policy-based tunnel. So I need to do the policy thing right as well.  The following script fails because it says the zones are not established.

## Host-inbound services for each zone
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries for each zone
set security zones security-zone trust address-book address net-cfgr_X-X-X-x--24 X.X.X.0/24
set security zones security-zone trust address-book address net-cfgr_y-Y-Y-Y--24 YYY.YYY.Y.Y/24
set security zones security-zone untrust address-book address net-cfgr_zzz-zz-z-z--22 zzz.zz.Z.z/22
## IKE policy
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "******************"
## IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address xx.xx.xx.xx
set security ike gateway ike-gate-cfgr external-interface qq-q/q/q.q
## IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Security policies for tunnel traffic in outbound direction
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_xx-xx-X-x--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match source-address net-cfgr_yyy-yyy-Y-y--24
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match destination-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone trust to-zone untrust policy vpnpolicy-trust-untrust-cfgr then permit tunnel pair-policy vpnpolicy-untrust-trust-cfgr
## Security policies for tunnel traffic in inbound direction
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match source-address net-cfgr_zzz-zz-Z-z--22
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_xx-xx-X-x--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match destination-address net-cfgr_yyy-yyy-y-y--24
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr match application any
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel ipsec-vpn ipsec-vpn-cfgr
set security policies from-zone untrust to-zone trust policy vpnpolicy-untrust-trust-cfgr then permit tunnel pair-policy vpnpolicy-trust-untrust-cfgr
## End - VPN Configuration Generator Output
0
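An added example, not from the thread and not from Juniper or Cisco: a small Python checker for a Junos `set`-style snippet like the one posted above. It looks for the two things most likely to make a commit complain about zones: a security zone that is named in a policy, host-inbound-traffic or address-book line but never bound to an interface, and a policy that references an address-book name that does not exist in that zone's book (the posted snippet's definitions and references differ in letter case, and Junos names are case-sensitive). It also reports whether each VPN is policy-based (`then permit tunnel ipsec-vpn`) or route-based (`bind-interface st0.x`). It assumes zone-level address books only (the global address book is not handled), and its sample input is a constructed, trimmed copy of the posted snippet with its obfuscated placeholders.

```python
"""Sanity-check a Junos 'set'-style VPN snippet before committing it.

Added example, not the thread's or either vendor's code. Assumes zone-level
address books (not 'set security address-book global ...').
"""
import re
from dataclasses import dataclass, field

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.*))?$")
ADDR_RE = re.compile(r"^address-book address (\S+) \S+$")
IFACE_RE = re.compile(r"^interfaces (\S+)")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.*)$")
MATCH_ADDR_RE = re.compile(r"^match (source|destination)-address (\S+)$")
PERMIT_TUNNEL_RE = re.compile(r"^then permit tunnel ipsec-vpn (\S+)$")
VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (.*)$")
BIND_RE = re.compile(r"^bind-interface (\S+)$")
BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}

# Constructed input: a trimmed copy of the snippet posted in the thread,
# placeholders and all. Note the address-book name defined in zone 'trust'
# (net-cfgr_X-X-X-x--24) is not the name the policy references.
SAMPLE_CONFIG = """
## Host-inbound services for each zone
set security zones security-zone untrust host-inbound-traffic system-services ike
## Address book entries
set security zones security-zone trust address-book address net-cfgr_X-X-X-x--24 X.X.X.0/24
set security zones security-zone untrust address-book address net-cfgr_zzz-zz-z-z--22 zzz.zz.Z.z/22
## IPsec vpn
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr establish-tunnels immediately
## Outbound tunnel policy
set security policies from-zone trust to-zone untrust policy vpn-out match source-address net-cfgr_xx-xx-X-x--24
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address net-cfgr_zzz-zz-z-z--22
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit tunnel ipsec-vpn ipsec-vpn-cfgr
"""


@dataclass
class Report:
    zones_without_interface: list = field(default_factory=list)
    # (policy, "source"|"destination", address name, zone whose book was searched)
    undefined_addresses: list = field(default_factory=list)
    tunnel_type: dict = field(default_factory=dict)  # vpn name -> kind


def check_config(text):
    zones = {}         # zone name -> set of interfaces bound to it
    addresses = {}     # zone name -> set of address-book names defined in it
    vpns = {}          # vpn name -> flags {"bound", "policy"}
    address_refs = []  # policy references, verified after the whole snippet is read

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, rest = m.group(1), m.group(2) or ""
            zones.setdefault(zone, set())
            addresses.setdefault(zone, set())
            addr, iface = ADDR_RE.match(rest), IFACE_RE.match(rest)
            if addr:
                addresses[zone].add(addr.group(1))
            elif iface:
                zones[zone].add(iface.group(1))
            continue
        m = VPN_RE.match(line)
        if m:
            name, rest = m.groups()
            flags = vpns.setdefault(name, set())
            if BIND_RE.match(rest):
                flags.add("bound")
            continue
        m = POLICY_RE.match(line)
        if m:
            from_zone, to_zone, policy, rest = m.groups()
            zones.setdefault(from_zone, set())   # a policy references the zone
            zones.setdefault(to_zone, set())     # even if nothing defines it
            addr, tun = MATCH_ADDR_RE.match(rest), PERMIT_TUNNEL_RE.match(rest)
            if addr:
                direction, name = addr.groups()
                book = from_zone if direction == "source" else to_zone
                address_refs.append((policy, direction, name, book))
            elif tun:
                vpns.setdefault(tun.group(1), set()).add("policy")

    report = Report()
    report.zones_without_interface = sorted(z for z, ifs in zones.items() if not ifs)
    for policy, direction, name, book in address_refs:
        if name not in BUILTIN_ADDRESSES and name not in addresses.get(book, set()):
            report.undefined_addresses.append((policy, direction, name, book))
    for name, flags in vpns.items():
        if {"bound", "policy"} <= flags:
            report.tunnel_type[name] = "both (invalid)"
        elif "bound" in flags:
            report.tunnel_type[name] = "route-based"
        elif "policy" in flags:
            report.tunnel_type[name] = "policy-based"
        else:
            report.tunnel_type[name] = "unbound"
    return report


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
```

Run against the sample, the checker reports both `trust` and `untrust` as zones with no interface, one undefined source address in the `trust` book, and `ipsec-vpn-cfgr` as policy-based. The same findings would otherwise surface only as errors from `commit check` on the box, so running the checker on generator output before pasting it into the candidate config saves a round trip.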
 

Author Comment

by:aoviking
ID: 40309260
The device is a Cisco ASA 5505 running 8.2(5)48 code (or standard code base).
0
 
LVL 9

Accepted Solution

by:
Sandeep Gupta earned 500 total points
ID: 40309652
Hello, I would like to review the following points first:

About the SRX and ASA:

1. SRX can keep local copies of the configuration on the hard disk, up to 49 rollbacks, so if you keep good track of changes then you can roll back to a specific one without much work.

2. Cisco ASA you need to restore from backup or keep the rollback as a manual process, not part of the system feature set, but using a good tool like Kiwi CatTools you can be fine.

3. Restricting local access to the firewall on SRX requires firewall filters and is not so easy to configure at a glance, unlike the NetScreen with its manager IP configuration.

4. Restricting local access to the firewall on ASA is a snap, configured at the management protocol level.

5. SRX has a nice system restore point feature so that if all else fails you can restore to that point.

6. ASA does not.

7. SRX has a nice feature to allow a service to be restarted without having to restart the firewall, for example for a VPN issue.

8. ASA does not; a reboot is required.

9. SRX runs two operating systems, FreeBSD and JUNOS.

10. ASA does not, to the best of my knowledge, so it is easier from an OS standpoint to debug and troubleshoot and does not require special access to any other place but the ASA OS itself.

11. SRX does a great job with all types of NATs.

12. ASA on 8.3 and greater has added many nice NAT features.

13. SRX is a zone-based firewall, which is a handy feature for a busy SRX with a lot of interfaces or sub-interfaces.

14. ASA does not support zones, to the best of my knowledge.

15. SRX IP gateway monitor requires an external script to run.

16. ASA has a nice IP gateway monitor built in (IP SLA).

And then try this guide for setting up the IPsec tunnel:

http://www.petenetlive.com/KB/Article/0000710.htm
0
 

Author Comment

by:aoviking
ID: 40313217
Great article, I will try it and get back to you.  Thanks.
0
 

Author Comment

by:aoviking
ID: 40331484
Worked with Rackspace to get their end and our end communicating, and still no luck.
0
