Cisco ASA | Juniper site-to-dynamic VPN

Cisco ASA Configuration part
When you want to connect a Cisco ASA to a Juniper Netscreen SG5 device that has a dynamic IP address, it can be difficult to find the correct settings for this type of setup.
First go to Configuration > Site-to-Site VPN > Advanced > Tunnel Groups.
Edit the DefaultL2LGroup.

Enter a pre-shared key and disable IKEv2.

Go to Configuration > Site-to-Site VPN > Advanced > Crypto Maps

Create a new dynamic map and make sure the transform set is ESP-AES-128-SHA and the traffic selection is permit ip any any.
Enable NAT-T and reverse route injection; leave the SA lifetime at its default settings.
These are the primary settings for the Cisco ASA, which in my case is the only device with a static IP address. The Juniper device has a dynamic IP address.
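The same ASA settings as they appear on the CLI, as an added example that is not part of the original post. It assumes ASA 8.4 or later syntax, an outside interface named "outside", and placeholder names (DYN-MAP, OUTSIDE-MAP, DYN-VPN-TRAFFIC, <preshared-key>) that you should replace with your own.

```cisco
! Phase 1: IKEv1 only. IKEv2 stays disabled because it is never enabled on the interface.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set, matching the Juniper proposal nopfs-esp-aes128-sha (no PFS)
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
! NAT traversal with a 20 second keepalive
crypto isakmp nat-traversal 20
! Dynamic map: peer address unknown, permit ip any any, reverse route, default SA lifetime
access-list DYN-VPN-TRAFFIC extended permit ip any any
crypto dynamic-map DYN-MAP 10 match address DYN-VPN-TRAFFIC
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set ESP-AES-128-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
! The dynamic entry must be the last (highest sequence number) entry in the crypto map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! Pre-shared key used for any peer whose address is not known in advance
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <preshared-key>
! Check from the ASA side once the Juniper has initiated the tunnel
show crypto ikev1 sa
show crypto ipsec sa
```

Because DefaultL2LGroup accepts any peer that knows this key, treat the pre-shared key as a shared secret for the whole dynamic group and rotate it if a remote device is lost.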
Juniper configuration part

The easiest way to do this is via the CLI.

! Create a tunnel interface
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
! Create the gateway (IKE settings)
set ike gateway "VPN-GATEWAY" address <remote ip> Main outgoing-interface "ethernet0/0" preshare "<fantastic password>" sec-level compatible
! Configure the VPN IPsec settings
set vpn "VPN" gateway "VPN-GATEWAY" replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "VPN" id 0x1 bind interface tunnel.1
set vpn "VPN" proxy-id local-ip 172.16.1.0/24 remote-ip 192.168.1.0/24 "ANY"
! Configure a route for the remote end traffic
set route 192.168.1.0/24 interface tunnel.1

! Create 2 address book entries and 2 policies to permit this traffic
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Trust" "172.16.1.0/24" 172.16.1.0 255.255.255.0
set policy id 3 from "Untrust" to "Trust" "192.168.1.0/24" "172.16.1.0/24" "ANY" permit log count
set policy id 2 from "Trust" to "Untrust" "172.16.1.0/24" "192.168.1.0/24" "ANY" permit log count

The Juniper will connect to the default policy on the Cisco ASA, which is by default a site-to-any configuration. The connection is set up quickly, and afterwards you should be able to reach a device on the remote site.
To see on the Juniper whether the VPN tunnel is up, log on to the administration page. This page gives a clear view of whether the VPN connection is up or down.
