SRX <-> ASA Policy Based VPN Interesting Traffic

  • 1.  SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-11-2020 12:49

    Hello,

     

    I have an SRX210be [12.1X44-D10.4] and my peer an ASA 5515X.

    I was asked for a network for the "Interesting Traffic" and supplied the private subnet of my network I wanted to share. I was told it needed to be a public IP. So I have given X.X.X.76, which is included in the block of addresses allocated to me by my ISP.

    On my SRX I have ge-0/0/0 interface X.X.X.75/29 (zone: Internet)

    I also have vlan.10 interface 192.168.22.1/24 (zone: Staff)

    I created the Internet -> Staff (in) policy and Staff -> Internet (out) policy with match source and destination traffic as X.X.X.76/32 and the X.X.X.X/32 I received from my peer.

    I can see the tunnel comes up with:

     

    show security ike security-associations
    show security ipsec security-associations

    But statistics show no traffic, and I cannot ping the remote peer from my device.

    I suspect that it is not working because traffic from my Staff zone does not come from the network that is specified on the policy.

    How should I resolve this? Can I NAT traffic destined for my remote peer to X.X.X.76 as specified in the policy?

     

    Thank you.



  • 2.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-12-2020 01:43

    Hi cw_chris, 

     

    I would recommend you to follow the steps in the below KB:

    How to troubleshoot a VPN that is up, but is not passing traffic

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=METADATA

     

    We might need logs/outputs and configuration in case this doesn't solve the issue.

     

    Please mark "Accept as solution" if this answers your query. 

     

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 3.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-12-2020 02:01

    Hello,

     


    @cw_chris wrote:

    Hello,

     

     

    I was asked for a network for the "Interesting Traffic" and supplied the private subnet of my network I wanted to share. I was told it needed to be a public IP. So

     

    I haven't touched this for a while, but with policy-based VPN, "interesting traffic" is defined in the IOS crypto ACL and in the JUNOS security policy, and then it is directly translated into the IKE Ph2 proxy-ids.

    I.e. if Your LAN subnet is 10/8 and the peer LAN subnet is 172.16/12, then Your local proxy-id is 10/8 and the remote proxy-id is 172.16/12, and if You are using policy-based VPN on both sides, You just define an IOS crypto ACL "permit 172.16.0.0 255.240.0.0 10.0.0.0 255.0.0.0", then define a JUNOS security policy with 10/8 and 172.16/12 in opposite positions, and You are done. The IOS will automatically check the src.IP and dst.IP of each packet against this crypto ACL and, if it is matched, it will get encrypted. JUNOS policy-based VPN will do the same.

    To get the long story short - for "interesting traffic", You should supply Your LAN subnet, not a public IP from Your untrust interface, and request the same from Cisco ASA side.

    HTH

    Thx

    Alex


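    Worked example of the point Alex makes above, added here and not part of his post: a policy-based VPN on the SRX side with the two LAN subnets as the policy match, so the proxy-IDs Junos sends in Phase 2 are 10.0.0.0/8 (local) and 172.16.0.0/12 (remote), which is exactly what the Cisco crypto ACL he quotes expects in mirror image. The peer address 203.0.113.1, the object names, and the pre-existing ike-pol and ipsec-pol definitions are assumptions for illustration; the zone names are the ones in the question.

```junos
# Added example, not from the thread. Assumes ike-pol and ipsec-pol already
# exist and that 203.0.113.1 stands in for the peer's public address.
set security ike gateway peer-gw ike-policy ike-pol
set security ike gateway peer-gw address 203.0.113.1
set security ike gateway peer-gw external-interface ge-0/0/0.0

# Policy-based: no bind-interface, the VPN is referenced from the policy,
# and the proxy-IDs are derived from the policy's source/destination.
set security ipsec vpn lan-vpn ike gateway peer-gw
set security ipsec vpn lan-vpn ike ipsec-policy ipsec-pol

set security address-book global address local-lan 10.0.0.0/8
set security address-book global address remote-lan 172.16.0.0/12

# Outbound: Staff -> Internet, local LAN to remote LAN, sent into the tunnel.
set security policies from-zone Staff to-zone Internet policy vpn-out match source-address local-lan
set security policies from-zone Staff to-zone Internet policy vpn-out match destination-address remote-lan
set security policies from-zone Staff to-zone Internet policy vpn-out match application any
set security policies from-zone Staff to-zone Internet policy vpn-out then permit tunnel ipsec-vpn lan-vpn
set security policies from-zone Staff to-zone Internet policy vpn-out then permit tunnel pair-policy vpn-in

# Inbound: Internet -> Staff, the same addresses in opposite positions.
set security policies from-zone Internet to-zone Staff policy vpn-in match source-address remote-lan
set security policies from-zone Internet to-zone Staff policy vpn-in match destination-address local-lan
set security policies from-zone Internet to-zone Staff policy vpn-in match application any
set security policies from-zone Internet to-zone Staff policy vpn-in then permit tunnel ipsec-vpn lan-vpn
set security policies from-zone Internet to-zone Staff policy vpn-in then permit tunnel pair-policy vpn-out

# Counterpart crypto ACL on the Cisco side (its LAN as source, ours as destination):
#   access-list VPN-ACL extended permit ip 172.16.0.0 255.240.0.0 10.0.0.0 255.0.0.0
```

    After commit, `show security ipsec security-associations detail` lists the negotiated local and remote identities; if they are not 10.0.0.0/8 and 172.16.0.0/12, traffic is being caught by another policy first. Policies are evaluated in order, so if a broader Staff -> Internet permit sits above vpn-out, move the tunnel policy up with `insert security policies from-zone Staff to-zone Internet policy vpn-out before policy <broader-policy>`.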


  • 4.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-15-2020 14:19

    Thank you aarseniev,

    My counterpart was not interested in configuring my private subnet on the ASA side. So I switched to route based.



  • 5.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic
    Best Answer

    Posted 05-12-2020 09:47

    Hello Chris,

     

    NAT of any kind will only be possible with route-based VPN and NOT policy-based VPN because of the following:

     

    1. Policy based VPNs take up the proxy-id (interested traffic subnet) from the source-address/destination-address combination.

    2. This proxy-id must match between the ASA & SRX to bring up the VPN. i.e. you will have to use the public IPs in these policy.

    3. In Junos FLOW design, Destination NAT happens before policy lookup and Source NAT happens after policy look up.

     

    a. This means if we apply Destination NAT to convert x.x.x.76 to 192.168.22.0/24, it won't match the policy.

    b. Also, Source NAT of traffic from staff zone will happen after the policy look up and hence won't match the policy.

     

    Now lets see how I think it can be resolved.

     

    First of all, you have only 1 public IP x.x.x.76 accepted as proxy-id on ASA for a /24 network. Therefore, my assumption is that in your network, the communication across the VPN is always being started by Staff users & it will never have a session initiated by the ASA end.

     

    If this assumption is not correct, then we would need an equal number of IPs in the Public & Private subnet.

     

    Now that we know that we only have to initiate the traffic from STAFF towards VPN, I would suggest you configure the following:

     

    1. Configure route-based VPN using proxy-ids or traffic-selector (from 12.1X46-D10 release). The proxy-ids will contain your public IPs as interested subnets.

     

    2. Configure a static route for ASA side's "Interesting traffic" pointing towards st0 interface.

     

    3.  Configure a source NAT for all the traffic coming from STAFF zone and going into st0 interface to get NAT-ed to x.x.x.76 .

     

    4. Configure your security policy to allow source-address 192.168.22.0/24 to talk to destination X.X.X.X/32 (CISCO side IP) .

     

    This should take care of the traffic.

     

    Hopefully this helped.

     

    Thanks!



  • 6.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-15-2020 14:55

    Thank you TheDisciple.
    I think I was missing the proxy-identity config on my first go around.

    The tunnel came up and I was able to ping from the SRX (but not from other hosts on the network). I needed to redo my source NAT as it was previously set to the Internet zone and not the new zone I created for the st0 interface.

     

    Thank you for your detailed reply.




  • 7.  RE: SRX <-> ASA Policy Based VPN Interesting Traffic

    Posted 05-15-2020 17:50

    Great to hear that my answer helped.

     

    Cheers!