In this blog, we will discuss what Cisco ASA and Juniper SRX are and how to configure both for site-to-site VPN.
What is Cisco ASA? What does ASA do?
Cisco Adaptive Security Appliance (ASA) is a security device that combines the functions of a firewall, antivirus, intrusion prevention, and virtual private network (VPN). It provides proactive protection by stopping attacks before they spread through the network.
The term Cisco ASA is an umbrella term for the family of security devices by Cisco that protects corporate networks and data centers of all sizes. Using Cisco ASA allows companies to get highly secure access to data and network resources.
Cisco ASA Software is the core operating system that comes in the family of Cisco ASA devices. It is known to deliver enterprise-grade firewall protection for ASA devices in a wide range of form factors, such as standalone appliances, blades, and virtual appliances for any distributed network environment.
It also comes with integrated IPS, VPN, unified communications, and various other capabilities.
What is Juniper SRX? What does SRX do?
Juniper Networks SRX Series Services Gateways are high-performance network security devices for enterprises and service providers that provide routing, networking, and security capabilities. The SRX Series combines the functionality of a next-generation firewall, application visibility and control, IPS, and other security services. It is designed to provide complete security to protect and control business resources and assets.
Juniper SRX devices offer high port density, advanced security, and flexible connectivity. Based on Junos, SRX gateways allow you to deliver secure and manageable networks of up to thousands of sites. The combination of routing, WAN connectivity, switching, and unified threat management (UTM), which includes services such as antivirus, anti-spam, URL filtering, firewall/VPN, and AppSecure, simplifies deployment and administration while delivering fast and consistent service quality, no matter where a user is located.
What is a Site-to-Site VPN? Why do we need to create a Site-to-Site VPN?
Site-to-site VPNs are virtual private networks that securely connect different sites and are widely used by organizations around the world. Technically, a site-to-site VPN provides a single corporate WAN that supports secure cross-site communication by creating an encrypted link between the VPN gateways located at each site, even when the sites are geographically separated.
Site-to-site VPNs offer a wide range of benefits, such as:
- Encrypted traffic for secure connectivity so that any business data crossing over the public Internet remains protected from eavesdropping and modification
- Simplified network architecture as traffic from one LAN to another remains internal, which means all sites can use internal addresses for each other’s resources
- Access control rules are easier to define because any traffic that is not emerging from inside the network or entering via VPN tunnels can be blocked from accessing business resources
How to Configure Cisco ASA to Juniper SRX Site-to-Site VPN
In some cases, you might need to configure a site-to-site VPN between a Cisco ASA and a Juniper SRX. You can do this by following the steps below:
Phase #1 Configure Cisco ASA
- Go to the ASDM. Open Wizards > VPN Wizards > Site-to-Site VPN Wizard, and click Next.
- Enter the Juniper firewall’s public IP address and click Next. (The wizard assumes the VPN terminates on the outside interface; change it if that is not the case.)
- Choose IKE Version 1 and click Next.
- Enter the Local network (the network behind the ASA) and then the Remote network (the network behind the Juniper). Click Next.
- On the Authentication Methods dialog box, enter a pre-shared key. Make sure you remember it or note it down, because you will need to enter the same key on the Juniper as well.
- Accept the default encryption and hash of 3DES and SHA1 and click Next.
- Enable PFS and tick the box to exempt the VPN traffic from NAT. Click Next.
- Review the settings and click Finish.
- Save the changes by going to File > Save running Configuration to Flash.
Phase #2 Configure the Juniper SRX (Model SRX100B version 11.2R4.3) for Router-Based VPN
- Go to the Juniper Web Device Manager and log in.
- Go to Tasks > Configure VPN > Launch VPN Wizard.
- When you are asked to select the VPN type, choose the default Site-to-Site option and click Start.
- Give the tunnel a name, set the local zone to trust, and add the local subnet (the network behind the Juniper).
- Give the Secure Tunnel Interface a name (entering 0 is fine).
- Set the secure tunnel zone to Untrust. Select the physical (external) interface the VPN will terminate on. Click Next. Use short (CIDR) subnet notation when specifying a subnet.
- Enter the public IP address of the ASA, add the subnet at the far end of the tunnel (i.e. the network behind the ASA), and click Next.
- Set the IKE phase 1 settings to Compatible and Main Mode. Enter the same pre-shared key you used while configuring the ASA.
- Set the IPsec proposal to Compatible and IPsec Perfect Forward Secrecy to Group 2, and click Next.
- Accept the defaults and click Next.
- Review the settings and click Commit.
Phase #3 Additional Steps on the Juniper SRX Needed for the Cisco ASA
- Go to IPsec VPN in the Juniper Web Device Manager, then navigate to Auto Tunnel > Phase II > select your tunnel > Edit > IPsec VPN Options and tick ‘Use proxy identity’.
- Enter the local and remote subnets and click OK.
- Go to Security > Zones / Screen.
- Select the untrust zone.
- Click Edit > Host Inbound Traffic – Interface.
- Select the physical interface that the VPN terminates on.
- Add IKE as an interface service and click OK.
- Save the changes by clicking Action and then Commit.
- Test the VPN by pinging a host on the other end of the tunnel.
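For readers who prefer the CLI, the SRX side of Phases 2 and 3 is shown below as Junos set commands: the st0.0 tunnel interface in the untrust zone, the Compatible IKE and IPsec proposal sets with main mode and PFS group 2, the proxy identities the ASA requires, and IKE allowed inbound on the terminating interface. This is an added example, not configuration from the original post or from Juniper or Cisco. The interface fe-0/0/0, the addresses 198.51.100.1 (SRX) and 203.0.113.1 (ASA), the subnets 192.168.2.0/24 (behind the SRX) and 192.168.1.0/24 (behind the ASA), and all object names are assumptions; replace the pre-shared key placeholder with the key entered on the ASA. Lines beginning with # are explanatory comments, not commands.

```junos
# --- Assumed addressing (constructed for this example) ---
# SRX untrust interface fe-0/0/0.0 = 198.51.100.1/24, ASA outside = 203.0.113.1
# LAN behind the SRX = 192.168.2.0/24, LAN behind the ASA = 192.168.1.0/24

# Secure tunnel interface (the "0" entered in the wizard is st0 unit 0)
set interfaces st0 unit 0 family inet

# Zones: st0.0 sits in untrust, and IKE must be allowed inbound on the physical
# interface the VPN terminates on (the host-inbound-traffic step of Phase 3)
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.0
set security zones security-zone trust address-book address srx-lan 192.168.2.0/24
set security zones security-zone untrust address-book address asa-lan 192.168.1.0/24

# IKE phase 1: Compatible proposal set, main mode, same pre-shared key as the ASA
set security ike policy ike-pol-asa mode main
set security ike policy ike-pol-asa proposal-set compatible
set security ike policy ike-pol-asa pre-shared-key ascii-text "REPLACE-WITH-SHARED-KEY"
set security ike gateway gw-asa ike-policy ike-pol-asa
set security ike gateway gw-asa address 203.0.113.1
set security ike gateway gw-asa external-interface fe-0/0/0.0

# IKE phase 2: Compatible proposal set with PFS group 2 (matches PFS on the ASA)
set security ipsec policy ipsec-pol-asa perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-asa proposal-set compatible

# Route-based VPN bound to st0.0. The proxy identities mirror the ASA's local and
# remote networks (local = behind the SRX, remote = behind the ASA); without them
# the ASA will not accept the Phase 2 negotiation
set security ipsec vpn vpn-asa bind-interface st0.0
set security ipsec vpn vpn-asa ike gateway gw-asa
set security ipsec vpn vpn-asa ike proxy-identity local 192.168.2.0/24
set security ipsec vpn vpn-asa ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn vpn-asa ike proxy-identity service any
set security ipsec vpn vpn-asa ike ipsec-policy ipsec-pol-asa
set security ipsec vpn vpn-asa establish-tunnels immediately

# Route traffic for the far-end LAN into the tunnel
set routing-options static route 192.168.1.0/24 next-hop st0.0

# Security policies permitting only the two LANs across the tunnel
set security policies from-zone trust to-zone untrust policy srx-to-asa match source-address srx-lan
set security policies from-zone trust to-zone untrust policy srx-to-asa match destination-address asa-lan
set security policies from-zone trust to-zone untrust policy srx-to-asa match application any
set security policies from-zone trust to-zone untrust policy srx-to-asa then permit
set security policies from-zone untrust to-zone trust policy asa-to-srx match source-address asa-lan
set security policies from-zone untrust to-zone trust policy asa-to-srx match destination-address srx-lan
set security policies from-zone untrust to-zone trust policy asa-to-srx match application any
set security policies from-zone untrust to-zone trust policy asa-to-srx then permit

commit

# Verification (operational mode), before the ping test in the last step:
# > show security ike security-associations
# > show security ipsec security-associations
# > show security ipsec statistics
```

The Compatible proposal sets negotiate down to the 3DES/SHA1/group 2 defaults the ASA wizard offers, which is why the two ends match without hand-written proposals. Both 3DES and SHA-1 are legacy algorithms; on current software, explicit IKE and IPsec proposals with AES and SHA-2 on both devices are the better choice, and the proxy-identity and host-inbound IKE settings above are the two items most often missing when an ASA-to-SRX tunnel fails to come up.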