Route based site-to-site IPSec VPN between Juniper SRX and Cisco ASA

Let’s say that you get a request to create a site-to-site IPSec VPN between a Juniper SRX and a Cisco ASA firewall. You would automatically assume that you have to use a policy based VPN on the SRX, since the Cisco ASA supports only policy based VPNs. Well, you can, but there is another option: you can use a route based VPN.

Before we continue, I would like to stress that it is really important to have identical VPN settings on both sides; otherwise the VPN tunnel will not come up, or it will be unstable.

Network diagram
[Network diagram image: IPSecVPN]
VPN Settings on Cisco ASA and Juniper SRX

Parameter                 Cisco ASA   Juniper SRX
Phase 1 (IKE)
  authentication          sha1        sha1
  encryption              aes128      aes128
  dh-group                group2      group2
  lifetime (seconds)      86400       86400
  mode                    main        main
  pre-shared-key          Bingo1      Bingo1
Phase 2 (IPSec)
  protocol                esp         esp
  authentication          sha1        sha1
  encryption              aes128      aes128
  lifetime (seconds)      3600        3600
  lifetime (kilobytes)    46000       46000

Two things need particular attention when you configure a route based IPSec VPN between an SRX and an ASA:

  • On the SRX, the virtual st0 interface has to be unnumbered, for example:

    edit interfaces st0
    set unit 0 family inet

  • On the SRX, under security -> ipsec -> vpn -> VPNName -> ike, you have to configure proxy-identity. This tells the SRX which local and remote networks to use when negotiating the IPSec SA; they must mirror the networks in the ASA's crypto map access list (the ASA's local network is the SRX's remote network), for example:

    edit security ipsec vpn VPN1-Cisco
    set ike proxy-identity local 172.30.1.0/24
    set ike proxy-identity remote 192.168.1.0/24

Juniper SRX configuration

edit interfaces st0 
set unit 0 family inet

edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-Policy-Cisco 
set mode main
set proposals Proposal-Cisco
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Cisco
set ike-policy IKE-Policy-Cisco
set address 1.1.1.1
set external-interface ge-0/0/0

edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000

edit security ipsec policy Cisco-Policy-IPSec 
set proposals Cisco-Proposal-IPSec

edit security ipsec vpn VPN1-Cisco
set bind-interface st0.0
set ike gateway IKE-GW1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy Cisco-Policy-IPSec

edit routing-options
set static route 192.168.1.0/24 next-hop st0.0

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0

edit security zones security-zone LOCAL
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces ge-0/0/1.0

edit security policies from-zone LOCAL to-zone VPN
set policy LOCAL-to-VPN match source-address any
set policy LOCAL-to-VPN match destination-address any
set policy LOCAL-to-VPN match application any
set policy LOCAL-to-VPN then permit

edit security policies from-zone VPN to-zone LOCAL
set policy VPN-to-LOCAL match source-address any
set policy VPN-to-LOCAL match destination-address any
set policy VPN-to-LOCAL match application any
set policy VPN-to-LOCAL then permit

Cisco ASA Configuration
object network Nat_Site-A
 subnet 192.168.1.0 255.255.255.0

object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0

object-group network Site-A
 network-object 192.168.1.0 255.255.255.0

object-group network Nat0
 group-object SiteB-Juniper

access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
nat (inside,outside) source static Site-A Site-A destination static Nat0 Nat0 no-proxy-arp route-lookup

object network Nat_Site-A
 nat (inside,outside) dynamic interface

crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac

crypto map VPNMap 10000 match address VPN-SiteB-Juniper-10000
crypto map VPNMap 10000 set peer 2.2.2.2
crypto map VPNMap 10000 set ikev1 transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000

crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Bingo1
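The post stresses that both sides must agree on every Phase 1 and Phase 2 parameter and that the SRX proxy-identities must correspond to the ASA's crypto map access list. The following Python script is an added example (not from the post, and not a Juniper or Cisco tool): it parses the SRX set commands and the ASA lines from the listings above, maps the vendor spellings of each algorithm onto one vocabulary, and lists every mismatch. The two configuration fragments inside it are constructed from the post's listings; the CANON table covers only the algorithms the post uses, and the ASA's IKE mode is taken to be the default main mode, since the ASA listing sets none explicitly.

```python
"""Cross-check Phase 1 / Phase 2 settings between an SRX and an ASA configuration.
Added example (not from the post): vendor names are mapped onto one vocabulary and
every differing parameter is listed, including the proxy-identity / crypto-ACL networks."""
import ipaddress
import shlex

# Constructed from the post's listings; only the stanzas that carry VPN parameters are kept.
SRX_CFG = """\
edit security ike proposal Proposal-Cisco
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400
edit security ike policy IKE-Policy-Cisco
set mode main
set pre-shared-key ascii-text "Bingo1"
edit security ipsec proposal Cisco-Proposal-IPSec
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 46000
edit security ipsec vpn VPN1-Cisco
set ike proxy-identity local 172.30.1.0/24
set ike proxy-identity remote 192.168.1.0/24
"""
ASA_CFG = """\
object-group network SiteB-Juniper
 network-object 172.30.1.0 255.255.255.0
object-group network Site-A
 network-object 192.168.1.0 255.255.255.0
access-list VPN-SiteB-Juniper-10000 extended permit ip object-group Site-A object-group SiteB-Juniper
crypto ipsec ikev1 transform-set ASET-SHA esp-aes esp-sha-hmac
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap 10000 set security-association lifetime kilobytes 46000
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key Bingo1
"""

# Vendor spellings of the same algorithm (assumption: only the ones used in the post).
CANON = {"aes-128-cbc": "aes128", "aes": "aes128", "esp-aes": "aes128",
         "sha": "sha1", "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1",
         "pre-shared-keys": "psk", "pre-share": "psk"}
def canon(value):
    return CANON.get(value, value)

SRX_KEYS = {  # Junos stanza -> {keyword: common parameter name}
    "security ike proposal": {"authentication-method": "p1.auth", "dh-group": "p1.dh",
        "authentication-algorithm": "p1.hash", "encryption-algorithm": "p1.enc", "lifetime-seconds": "p1.lifetime"},
    "security ike policy": {"mode": "p1.mode", "pre-shared-key": "p1.psk"},
    "security ipsec proposal": {"protocol": "p2.proto", "authentication-algorithm": "p2.hash",
        "encryption-algorithm": "p2.enc", "lifetime-seconds": "p2.lifetime", "lifetime-kilobytes": "p2.lifetime-kb"}}
ASA_P1 = {"authentication": "p1.auth", "encryption": "p1.enc", "hash": "p1.hash", "group": "p1.dh", "lifetime": "p1.lifetime"}

def parse_srx(text):
    """'edit' lines select the stanza; the stanza decides what a 'set' keyword means."""
    params, stanza = {}, ""
    for raw in text.splitlines():
        words = shlex.split(raw)                    # also strips the quotes around the PSK
        if words[:1] == ["edit"]:
            stanza = " ".join(words[1:4])           # e.g. "security ike proposal"
        elif words[:3] == ["set", "ike", "proxy-identity"]:
            params["net.srx" if words[3] == "local" else "net.asa"] = words[4]
        elif words[:1] == ["set"] and words[1] in SRX_KEYS.get(stanza, {}):
            params[SRX_KEYS[stanza][words[1]]] = canon(words[-1])   # the value is the last token
    return params

def parse_asa(text):
    """ASA lines are flat except for the indented bodies of object-groups, the IKE policy and the tunnel-group."""
    params, groups, block, name, acl = {"p1.mode": "main"}, {}, "", "", None  # main mode: ASA default for a PSK L2L peer
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):                  # a new top-level command
            block, name = words[0], words[-1]
            if words[:2] == ["object-group", "network"]:
                groups[name] = []
            elif words[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
                params.update({"p2.proto": words[5].split("-")[0], "p2.enc": canon(words[5]), "p2.hash": canon(words[6])})
            elif "security-association lifetime" in raw:
                params["p2.lifetime" if words[-2] == "seconds" else "p2.lifetime-kb"] = words[-1]
            elif words[0] == "access-list":          # crypto ACL: source = ASA's local net, destination = remote net
                i = words.index("object-group")
                acl = (words[i + 1], words[i + 3])
        elif block == "object-group":
            groups[name].append(str(ipaddress.ip_network(f"{words[1]}/{words[2]}")))
        elif block == "crypto" and words[0] in ASA_P1:                     # inside 'crypto ikev1 policy 1'
            params[ASA_P1[words[0]]] = "group" + words[1] if words[0] == "group" else canon(words[1])
        elif block == "tunnel-group" and words[:2] == ["ikev1", "pre-shared-key"]:
            params["p1.psk"] = words[2]
    params["net.asa"], params["net.srx"] = groups[acl[0]][0], groups[acl[1]][0]
    return params

def compare(srx_text, asa_text):
    """Return [(parameter, srx_value, asa_value)] for every parameter that differs; [] means both sides agree."""
    srx, asa = parse_srx(srx_text), parse_asa(asa_text)
    return [(k, srx.get(k), asa.get(k)) for k in sorted(set(srx) | set(asa)) if srx.get(k) != asa.get(k)]

if __name__ == "__main__":
    for key, srx_val, asa_val in compare(SRX_CFG, ASA_CFG):
        print(f"MISMATCH {key}: SRX={srx_val} ASA={asa_val}")
```

Run it against the two configurations before committing them: an empty result means the parameters line up, and each tuple names the parameter and both values, so a lifetime typo or a swapped crypto ACL direction shows up before the tunnel is brought up rather than as a Phase 2 negotiation failure.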

On Juniper SRX Firewall disable SIP ALG within firewall policy

In a previous post I described how SIP ALG can be of benefit on Juniper SRX firewalls. But in some cases, where phone clients do not support RFC 3581 and SIP ALG is enabled, the SRX firewall will drop their traffic. SIP ALG is applied globally: basically it is on or off for the whole firewall.

In this example the private PBX is located in the LAN A subnet and the phone clients are located in the LAN B subnet. SIP ALG is enabled on the SRX firewall and is used for the communication between the provider PBX and the private PBX.

For the communication between the phone clients and the private PBX, SIP ALG is disabled within the firewall policy by matching a custom application whose term carries alg ignore.

[Diagram: DisableSIPALG]

[edit applications]
set application DisableSIP_ALG term t1 alg ignore
set application DisableSIP_ALG term t1 protocol udp

[edit security]
set zones security-zone LAN-A address-book address PrivatePBX 192.168.1.100/32

[edit security]
set zones security-zone LAN-B address-book address LAN-B-NET 172.30.1.0/24

[edit security policies from-zone LAN-A to-zone LAN-B]
set policy PBX-to-LAN-B-DisableSIPALG match source-address PrivatePBX
set policy PBX-to-LAN-B-DisableSIPALG match destination-address LAN-B-NET
set policy PBX-to-LAN-B-DisableSIPALG match application DisableSIP_ALG
set policy PBX-to-LAN-B-DisableSIPALG then permit

[edit security policies from-zone LAN-B to-zone LAN-A]
set policy LAN-B-to-PBX-DisableSIPALG match source-address LAN-B-NET
set policy LAN-B-to-PBX-DisableSIPALG match destination-address PrivatePBX
set policy LAN-B-to-PBX-DisableSIPALG match application DisableSIP_ALG
set policy LAN-B-to-PBX-DisableSIPALG then permit

Permit SIP traffic through Juniper SRX with the help of SIP ALG

Have you ever wondered how to allow traffic from the provider's PBX to your PBX without creating an additional firewall policy with dynamic port ranges for the RTP stream?

Well, here SIP ALG comes into play. SIP ALG recognizes SIP traffic and opens a pinhole in the firewall to allow the RTP stream from one PBX to the other for the duration of the session (call). There is no need for an additional firewall policy for the RTP stream if SIP ALG is used.

This kind of setup will work only if both PBXs support RFC 3581.

On Juniper SRX firewalls SIP ALG is enabled by default. To check the SIP ALG status, enter the command “show security alg status”.

[Screenshot: SIP ALG status output]

In this example an additional IP address, 1.1.1.100, was provided by the ISP and is statically NATed to the internal IP address 192.168.1.100. IP address 1.1.1.100 will be used for SIP and RTP traffic.

[Diagram: SIP firewall diagram]

[edit security nat static]
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address 1.1.1.100/32
set rule-set rs1 rule r1 then static-nat prefix 192.168.1.100/32

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32

[edit security]
set zones security-zone trust address-book address LocalPBX 192.168.1.100/32

[edit security]
set zones security-zone untrust address-book address ProviderPBX 2.2.2.200/32

[edit security policies from-zone untrust to-zone trust]
set policy PBX-Access-SIP match source-address ProviderPBX destination-address LocalPBX application junos-sip
set policy PBX-Access-SIP then permit
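To show what the SIP ALG does for the policy above, here is an added Python example (not from the post, and not Junos code). It parses a constructed INVITE from the provider PBX and a constructed 200 OK from the local PBX, reports whether the Via header carries the RFC 3581 rport parameter, extracts the RTP/RTCP pinholes the ALG opens from the SDP, and rewrites the local PBX's private address 192.168.1.100 to the static NAT address 1.1.1.100 in the SDP and Contact header, the payload translation that static NAT alone never performs. The SIP messages, their Call-ID and media ports are constructed for the example.

```python
"""What a SIP ALG learns from the signalling: the RTP/RTCP pinholes to open,
whether the peer asked for RFC 3581 symmetric response routing (rport), and
the private-to-public rewrite of the local PBX's SDP and Contact header.
Added example, not from the post; both messages below are constructed."""
import re

def build(start_line, headers, sdp):
    """Assemble a SIP message, computing Content-Length from the body."""
    hdrs = [(n, v) for n, v in headers if n.lower() != "content-length"]
    hdrs.append(("Content-Length", str(len(sdp.encode()))))
    return start_line + "\r\n" + "\r\n".join(f"{n}: {v}" for n, v in hdrs) + "\r\n\r\n" + sdp

def split_message(raw):
    """Return (start line, [(header name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    return start, [tuple(part.strip() for part in line.partition(":")[::2]) for line in lines], body

def supports_rport(raw):
    """RFC 3581: an 'rport' parameter on the top Via asks the far side to reply to the
    source port the request came from; without it, replies to a NATed PBX go astray."""
    _, headers, _ = split_message(raw)
    vias = [v for n, v in headers if n.lower() == "via"]
    return bool(vias) and re.search(r";rport(=\d+)?(;|$)", vias[0]) is not None

def media_pinholes(raw):
    """(address, rtp_port, rtcp_port) for every accepted RTP stream in the SDP body."""
    _, _, sdp = split_message(raw)
    session_addr, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            if streams:
                streams[-1]["addr"] = line.split()[2]   # media-level c= overrides the session-level one
            else:
                session_addr = line.split()[2]
        elif line.startswith("m="):
            _, port, proto, *_ = line[2:].split()       # e.g. "m=audio 49170 RTP/AVP 0 8"
            streams.append({"addr": session_addr, "rtp": int(port), "rtcp": int(port) + 1, "proto": proto})
        elif line.startswith("a=rtcp:") and streams:
            streams[-1]["rtcp"] = int(line[7:].split()[0])   # RFC 3605 explicit RTCP port
    return [(s["addr"], s["rtp"], s["rtcp"]) for s in streams if s["rtp"] and s["proto"].startswith("RTP/")]

def nat_fixup(raw, private_ip, public_ip):
    """Rewrite the private address in the SDP (c=/o=) and in Contact to the static-NAT
    public address, as the ALG does; static NAT alone never touches the payload."""
    start, headers, sdp = split_message(raw)
    lines = [line[:-len(private_ip)] + public_ip
             if line[:2] in ("c=", "o=") and line.endswith(" " + private_ip) else line
             for line in sdp.split("\r\n")]
    headers = [(n, v.replace("@" + private_ip, "@" + public_ip) if n.lower() == "contact" else v) for n, v in headers]
    return build(start, headers, "\r\n".join(lines))

# Constructed: the provider PBX (2.2.2.200) calls the local PBX through its public address 1.1.1.100.
PROVIDER_INVITE = build("INVITE sip:2000@1.1.1.100 SIP/2.0", [
    ("Via", "SIP/2.0/UDP 2.2.2.200:5060;branch=z9hG4bK776;rport"),
    ("From", "<sip:1000@2.2.2.200>;tag=1928"), ("To", "<sip:2000@1.1.1.100>"),
    ("Call-ID", "a84b4c76e66710@2.2.2.200"), ("CSeq", "314159 INVITE"),
    ("Contact", "<sip:1000@2.2.2.200:5060>"), ("Content-Type", "application/sdp")],
    "v=0\r\no=- 1 1 IN IP4 2.2.2.200\r\ns=-\r\nc=IN IP4 2.2.2.200\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n")

# Constructed: the local PBX answers with its private address, which only the ALG translates.
LOCAL_OK = build("SIP/2.0 200 OK", [
    ("Via", "SIP/2.0/UDP 2.2.2.200:5060;branch=z9hG4bK776;rport=5060;received=2.2.2.200"),
    ("Contact", "<sip:2000@192.168.1.100:5060>"), ("Content-Type", "application/sdp")],
    "v=0\r\no=- 2 2 IN IP4 192.168.1.100\r\ns=-\r\nc=IN IP4 192.168.1.100\r\nt=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\na=rtcp:8001\r\n")

if __name__ == "__main__":
    print("rport requested:", supports_rport(PROVIDER_INVITE), "pinholes:", media_pinholes(PROVIDER_INVITE))
    print(nat_fixup(LOCAL_OK, "192.168.1.100", "1.1.1.100"))
```

The pinhole tuples are what the ALG has to permit for the duration of the call, which is why the junos-sip policy above needs no RTP port range of its own, and the missing rport in a client's Via is the condition under which the previous post bypasses the ALG for that traffic.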