topic Re: VPN issue between Cisco FTD and SRX 550 in Network Security

VPN issue between Cisco FTD and SRX 550

shinerner — Sun, 28 Jul 2019 15:39:40 GMT

I have 2 locations with Juniper SRX 550 and needed to migrate these Juniper firewall to Cisco FTDs on HA managed by FMC. All the required configurations have been completed on the FMC. But I need to test the VPN connections between the newly configured Cisco FTDs and the old Juniper SRX.

When I launched the VPN setup for P2P on the cisco FMC, it can only see the Cisco HA. how do I make Juniper SRX endpoints connected to the Cisco FMC? Just for testing purpose before I swap out the Juniper.

Is it possible to setup VPN connection from Cisco FTD HA to the Juniper SRX, and test the connections?

Re: VPN issue between Cisco FTD and SRX 550

balaji.bandi — Sun, 28 Jul 2019 19:12:41 GMT

Couple of questions :

1. you have both the sides for now working Juniper SRX VPN ?

2. you wish you upgrade one of site from Juniper SRX to FTD. ( other side remains same as Juniper SRX )

3. FMC can not see Juniper SRX device, since FMC for cisco device only.

here is the example config of ASA to SRX ( same should be work with FTD.)

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA

You can only test as below :

1. You connnect the new FTD where SRX connected. (but in shutdown mode) - other than Management IP.

2. When you have maintenance window, shutdown SRX interface and bring up the FTD interface if you like to use same IP and same Setup.

Other Option :

you can build with new IP on FTD and New Tunnel to Juniper SRX with far end. ( so you have both the tunnel running same time).

shift the load once VPN working and testing. if not move the traffic back to Old VPN.

Make sense ?

Re: VPN issue between Cisco FTD and SRX 550

shinerner — Sun, 28 Jul 2019 19:49:43 GMT

Thanks Balaji for your response, greatly helpful.

Couple of questions :

1. you have both the sides for now working Juniper SRX VPN ? Yes, both sides are working.

2. you wish you upgrade one of site from Juniper SRX to FTD. ( other side remains same as Juniper SRX ). Correct, just one SITE was upgraded to Cisco FTD for a test.

3. FMC can not see Juniper SRX device, since FMC for cisco device only. That's the main problem.

here is the example config of ASA to SRX ( same should be work with FTD.)

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA

This link is for Cisco ASA, not for Cisco FTD managed by FMC, but the issue are: -

1. How to configure the Cisco FTD thru FMC for site-to-site VPN between the SRX and FMC.

2. When Adding Endpoints in the VPN Configuration on the FMC, for Node A(Cisco FTD), Its easy to add the node from the "Device" drop down option, but for Node B(SRX), unable to add the node.

I will follow your TESTING approach, thanks.

Let me know if you need more clarification.

Re: VPN issue between Cisco FTD and SRX 550

balaji.bandi — Sun, 28 Jul 2019 19:58:55 GMT

As per the orginal post you have mentioned, all the configuration in place.

2. When Adding Endpoints in the VPN Configuration on the FMC, for Node A(Cisco FTD), Its easy to add the node from the "Device" drop down option, but for Node B(SRX), unable to add the node.

Node B you need to create with SRX IP, follow below video :

https://www.youtube.com/watch?v=2ivWnEQfdzU

Re: VPN issue between Cisco FTD and SRX 550

shinerner — Sun, 28 Jul 2019 20:24:17 GMT

Thanks Balaji, that link was so helpful.

I also got this below link: Create site-to-site with Cisco firepower and 3rd party firewall

https://www.youtube.com/watch?v=3F5u_AGp7Us

Re: VPN issue between Cisco FTD and SRX 550

balaji.bandi — Sun, 28 Jul 2019 22:31:11 GMT

Glad it was helpfull and you able to resolve the issue soon, keep us posted.