In this blog, we will discuss Cisco ASA and Juniper SRX, along with how to configure both for a site-to-site VPN.
What is Cisco ASA?
The Cisco Adaptive Security Appliance (ASA) is a security appliance that combines a stateful firewall and a VPN gateway (remote-access and site-to-site) with, depending on the model and add-on modules or licences, intrusion prevention (IPS) and anti-malware inspection. Its job is to enforce policy at the network edge so that an attack is stopped at the perimeter rather than after it has spread inside.
The term “Cisco ASA” encompasses a range of security devices designed to safeguard corporate networks and data centers of all sizes. Utilizing Cisco ASA enables companies to gain highly secure access to critical data and network resources. Additionally, Cisco
What is Juniper SRX?
Juniper Networks SRX Series Services Gateways are high-performance network security devices designed for enterprises and service providers. These devices combine routing, networking, and security capabilities, functioning as a next-generation firewall. They offer application visibility, control, IPS, and various other security services. As a result, they ensure comprehensive protection and control over business resources and assets.
Juniper SRX devices provide high port density and advanced security features, allowing flexible connectivity. Built on the Junos operating system, SRX gateways facilitate secure and manageable networks across thousands of sites. Moreover, the integration of routing, WAN connectivity, switching, and unified threat management (UTM) simplifies deployment and administration while maintaining fast and consistent service quality, regardless of user location.
Understanding Site-to-Site VPN
A site-to-site VPN is a secure virtual private network connecting different physical locations, widely used by organizations worldwide. This type of VPN creates an encrypted link between VPN gateways at each site, effectively supporting secure cross-site communication over the internet.
The benefits of site-to-site VPNs include:
- Encrypted Traffic: This ensures that business data transmitted over the public internet remains protected from eavesdropping and unauthorized modification.
- Simplified Network Architecture: Since traffic remains internal between LANs, all sites can utilize internal addresses for accessing each other’s resources.
- Streamlined Access Control: It becomes easier to define access control rules, as any traffic not originating from within the network or entering through VPN tunnels can be blocked from accessing sensitive resources.
How to Configure Cisco ASA to Juniper SRX Site-to-Site VPN
In some scenarios you will need a site-to-site VPN between a Cisco ASA and a Juniper SRX. Both platforms have a wizard, but their defaults do not line up out of the box: the ASA derives its proxy IDs from a crypto ACL, while a route-based SRX tunnel offers 0.0.0.0/0 unless told otherwise, and the SRX does not accept inbound IKE on an interface until that is explicitly allowed. Follow these steps, including the extra SRX steps in Phase 3, to complete the configuration:
Phase 1: Configure Cisco ASA
- Open ASDM and navigate to Wizards > VPN Wizards > Site-to-Site VPN Wizard, then click Next.
- Enter the public IP address of the Juniper firewall and click Next. (This walkthrough assumes the VPN terminates on the interface named outside; if yours differs, adjust accordingly.)
- Choose IKE Version 1 and click Next. IKEv1 is used here because it matches the SRX wizard settings in Phase 2; both ends must use the same IKE version. If both devices support it, IKEv2 is the better choice, but it must then be selected on both sides.
- Enter the local network behind the ASA and the remote network behind the Juniper, then click Next.
- In the Authentication Methods dialog, enter a pre-shared key. Remember to note it down, as you will need it for the Juniper configuration.
- Accept the defaults of 3DES and SHA1, then click Next. These are the wizard's legacy defaults and they match the "Compatible" proposal set you will select on the SRX in Phase 2. 3DES is considered weak today; if both devices support it, prefer AES-256 with SHA-256, but that then has to be configured explicitly on both ends, because the SRX "Compatible" set contains only DES/3DES with SHA1/MD5.
- Enable PFS and check the box to exempt traffic from NAT. Click Next. The ASA wizard's PFS default is Diffie-Hellman group 2, which must match the PFS group set on the SRX in Phase 2 or Phase 2 negotiation fails. The NAT exemption is required so that traffic destined for the remote site keeps its private source address and matches the crypto ACL instead of being translated to the outside address.
- Review the settings and click Finish.
- Save the changes by navigating to File > Save Running Configuration to Flash.
Phase 2: Configure the Juniper SRX (SRX100B, Junos 11.2R4.3)
- Log in to the Juniper Web Device Manager (J-Web).
- Navigate to Tasks > Configure VPN > Launch VPN Wizard.
- When prompted, select the Site-to-Site VPN type and click Start.
- Name the tunnel, set the local zone to trust, and enter the local subnet (the network behind the SRX).
- Assign a unit number to the secure tunnel interface (0 is fine, which gives you st0.0).
- Set the secure tunnel zone to untrust, then select the external (physical) interface on which the VPN will terminate. Click Next. Enter subnets in CIDR notation (for example 192.168.2.0/24) rather than with a dotted-decimal mask.
- Enter the public IP address of the ASA and specify the subnet behind the ASA, then click Next.
- Set the IKE Phase 1 settings to Compatible and Main Mode, and enter the same pre-shared key you used for the ASA. Main mode is what the ASA wizard configures for a peer with a static address, and the key must match exactly.
- Set the IPsec settings to Compatible and set IPsec Perfect Forward Secrecy to Group 2, then click Next. This matches the ASA's PFS default from Phase 1; a PFS mismatch leaves Phase 1 up but Phase 2 failing. Group 2 (1024-bit MODP) is weak by current standards, so use group 14 or higher if both devices support it, configured on both ends.
- Accept the defaults and click Next.
- Review the settings and click Commit.
Phase 3: Additional SRX Steps Required for the Cisco ASA
- In the Juniper Web Device Manager, go to IPsec VPN, then navigate to Auto Tunnel > Phase II > Select Your Tunnel > Edit > IPSec VPN Options. Tick "Use Proxy Identity". A route-based SRX VPN offers 0.0.0.0/0 as its proxy IDs by default, whereas the ASA derives its proxy IDs from the crypto ACL built from the local and remote networks you entered in Phase 1; unless the SRX proxy IDs mirror that ACL exactly, the ASA rejects the Phase 2 proposal.
- Enter the local subnet (behind the SRX) and the remote subnet (behind the ASA), i.e. the mirror image of what was entered on the ASA, then click OK.
- Navigate to Security > Zones / Screen.
- Select the untrust zone and edit the Host Inbound Traffic – Interface settings.
- Choose the physical interface on which the VPN terminates and add IKE as an allowed interface service (host-inbound-traffic system-services ike). Click OK. Without this, the SRX drops the ASA's IKE packets on UDP 500 before the IKE daemon ever sees them, and the tunnel never gets past Phase 1.
- Finally, save the changes by clicking Action and then Commit.
To verify the configuration, ping a host on the other end from a host behind each firewall; the tunnel is only negotiated once interesting traffic matches the crypto ACL. Then confirm that both security associations exist: on the ASA, show crypto ikev1 sa and show crypto ipsec sa; on the SRX, show security ike security-associations and show security ipsec security-associations. If Phase 1 is up but Phase 2 is not, the usual cause is a proxy-ID or PFS mismatch between the two sides.
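As an added example that is not part of the original post and is not code from Cisco or Juniper, the following Python script checks an ASA configuration against a Junos "set" configuration for the mismatches that most often break an ASA-to-SRX tunnel: differing Phase 1 or Phase 2 algorithms, a PFS group mismatch, SRX proxy IDs that do not mirror the ASA crypto ACL, and IKE not being allowed inbound on the SRX external interface. Both configurations are constructed samples equivalent to the wizard steps above; the peer addresses (203.0.113.1 and 203.0.113.2), the subnets (192.168.1.0/24 behind the ASA, 192.168.2.0/24 behind the SRX), the interface fe-0/0/0.0 and all object names are assumptions. The SRX side uses explicit proposals rather than the wizard's "Compatible" set so that every negotiated parameter is visible to the checker.

```python
"""Offline interoperability check for the ASA <-> SRX IKEv1 tunnel described above.
Parses the relevant ASA and Junos 'set' lines, normalises the two vendors' names
for the same algorithms, and reports every mismatch that would stop negotiation."""
import ipaddress

# Constructed ASA (8.4+ syntax) equivalent of the Phase 1 wizard choices; assumed values.
ASA_CONFIG = """
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside
"""
# Constructed Junos equivalent of Phases 2 and 3 (explicit proposals, not the
# wizard's 'compatible' set); addresses, subnets and names are assumed.
SRX_CONFIG = """
set security ike proposal ike-asa dh-group group2
set security ike proposal ike-asa authentication-algorithm sha1
set security ike proposal ike-asa encryption-algorithm 3des-cbc
set security ike policy ike-asa mode main
set security ike gateway gw-asa address 203.0.113.1
set security ike gateway gw-asa external-interface fe-0/0/0.0
set security ipsec proposal ipsec-asa encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-asa authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-asa perfect-forward-secrecy keys group2
set security ipsec vpn vpn-asa bind-interface st0.0
set security ipsec vpn vpn-asa ike proxy-identity local 192.168.2.0/24
set security ipsec vpn vpn-asa ike proxy-identity remote 192.168.1.0/24
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
"""
# Vendor spellings of the same algorithm, mapped to one name.
NORM = {"3des": "3des", "3des-cbc": "3des", "esp-3des": "3des", "aes": "aes128",
        "aes-128-cbc": "aes128", "esp-aes": "aes128", "aes-256": "aes256",
        "aes-256-cbc": "aes256", "esp-aes-256": "aes256", "sha": "sha1", "sha1": "sha1",
        "esp-sha-hmac": "sha1", "hmac-sha1-96": "sha1", "md5": "md5",
        "esp-md5-hmac": "md5", "hmac-md5-96": "md5"}
# Junos statements (hierarchy tokens 2,3 and leaf token 5) that carry a negotiated parameter.
SRX_KEYS = {("ike", "proposal", "encryption-algorithm"): "ike_encryption",
            ("ike", "proposal", "authentication-algorithm"): "ike_hash",
            ("ike", "proposal", "dh-group"): "ike_dh",
            ("ike", "gateway", "external-interface"): "ike_iface",
            ("ipsec", "proposal", "encryption-algorithm"): "esp_encryption",
            ("ipsec", "proposal", "authentication-algorithm"): "esp_hash"}
ANY4 = ipaddress.ip_network("0.0.0.0/0")


def parse_asa(text):
    p = {}
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[0] in ("encryption", "hash"):                       # ikev1 policy lines
            p["ike_" + t[0]] = NORM[t[1]]
        elif t[0] == "group":
            p["ike_dh"] = "group" + t[1]
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            p["ike_iface"] = t[3]
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p["esp_encryption"], p["esp_hash"] = NORM[t[5]], NORM[t[6]]
        elif t[0] == "access-list" and "ip" in t:                # crypto ACL = ASA proxy IDs
            i = t.index("ip")
            p["local"] = ipaddress.ip_network(f"{t[i + 1]}/{t[i + 2]}")
            p["remote"] = ipaddress.ip_network(f"{t[i + 3]}/{t[i + 4]}")
        elif "pfs" in t:                         # a bare 'set pfs' means group2 on the ASA
            p["pfs"] = "group2" if t[-1] == "pfs" else t[-1]
    return p


def parse_srx(text):
    p = {"proxy": {}, "ike_allowed_on": set()}
    for t in (l.split() for l in text.splitlines() if l.strip()):
        key = SRX_KEYS.get((t[2], t[3], t[5])) if len(t) > 6 else None
        if key:
            p[key] = NORM.get(t[6], t[6])
        elif "perfect-forward-secrecy" in t:
            p["pfs"] = t[-1]
        elif "proxy-identity" in t and t[-2] in ("local", "remote"):
            p["proxy"][t[-2]] = ipaddress.ip_network(t[-1])
        elif "host-inbound-traffic" in t and t[-1] == "ike":     # IKE is dropped unless allowed here
            p["ike_allowed_on"].add(t[t.index("interfaces") + 1] if "interfaces" in t else "*")
    return p


def check(asa_text, srx_text):
    """Return the list of mismatches; an empty list means both sides agree."""
    asa, srx = parse_asa(asa_text), parse_srx(srx_text)
    params = ("ike_encryption", "ike_hash", "ike_dh", "esp_encryption", "esp_hash", "pfs")
    problems = [f"{k}: ASA={asa.get(k)} SRX={srx.get(k)}" for k in params if asa.get(k) != srx.get(k)]
    # A route-based SRX VPN offers 0.0.0.0/0 proxy IDs unless proxy-identity is set;
    # the ASA insists on its crypto ACL, so the SRX must mirror it with local/remote swapped.
    srx_local, srx_remote = srx["proxy"].get("local", ANY4), srx["proxy"].get("remote", ANY4)
    if (asa.get("local"), asa.get("remote")) != (srx_remote, srx_local):
        problems.append(f"proxy ID: ASA {asa.get('local')}->{asa.get('remote')} "
                        f"vs SRX local={srx_local} remote={srx_remote}")
    if not srx["ike_allowed_on"] & {srx.get("ike_iface"), "*"}:
        problems.append(f"SRX: host-inbound-traffic system-services ike missing on {srx.get('ike_iface')}")
    return problems


def legacy_crypto(asa_text, srx_text):
    """Wizard-default algorithms worth replacing (AES, SHA-256, DH group 14+) when both ends allow it."""
    weak = {"des", "3des", "md5", "group1", "group2", "group5"}
    found = set()
    for cfg in (parse_asa(asa_text), parse_srx(srx_text)):
        found |= {v for v in cfg.values() if isinstance(v, str) and v in weak}
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(check(ASA_CONFIG, SRX_CONFIG) or ["tunnel parameters consistent"]))
    print("legacy algorithms in use:", ", ".join(legacy_crypto(ASA_CONFIG, SRX_CONFIG)))
```

Run as-is, the two sample configurations agree and the script reports only the legacy 3DES and group 2 choices; delete the two proxy-identity lines or the host-inbound-traffic line from SRX_CONFIG and rerun to see the exact failures the Phase 3 steps prevent. The parsers only understand the statement forms shown, so feed them the matching sections of your own configurations rather than a whole running-config.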