One way communication site to site VPN between ASA and SRX

adamabel
Level 1

Hello, I'm having some trouble getting two specific networks over a site-to-site VPN to talk properly.

On the ASA, network 10.0.4.0/24 needs to reach networks 10.34.0.0/16 and 172.18.5.0/24, which are on the Juniper SRX, and vice versa. At the moment I can get 10.0.4.0/24 and other networks on the ASA to start a session to any of the networks on the SRX, but the reverse does not work. I have looked at a number of threads already and gone over my configuration several times and can't see why it's not working. At the moment I'm trying to rule out the Cisco while I rule out the Juniper as the problem.

My configuration is quite large, so to help, the relevant access-lists and interfaces are as follows:

access-list acl-NOCAR-CORP-cust-manage-vpn

access-list nonat-dmz1

interface gig0/1.40

nameif dmz1

crypto map RAmap 50

3 Replies

It seems that your ACLs aren't mirrored between both sites. The masks on the SRX are larger than the ones on the ASA, hence the ASA can initiate but not the other way around.

Ensure mirrored ACLs.

**** please remember to rate useful posts

Attached is the SRX configuration. 

Your encryption domains on the SRX are inconsistent and have missing entries compared to the ASA. I suggest correcting this and then letting us know the updated status.

Trusted to untrusted is missing 3 entries, while untrusted to trusted is missing 2 entries. Also, the 10.0.4.0/24 to 10.34.0.0/16 entry covers many of the other entries, so perhaps consider cleaning up the configuration at both ends by removing the more specific entries and keeping the full subnet entries.

 

Trusted to untrusted missing entries:

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 10.0.4.0 255.255.255.0 10.34.0.0 255.255.0.0

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0

 

Untrusted to trusted missing entries:

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 10.0.4.0 255.255.255.0 10.34.0.0 255.255.0.0

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0

--
Please remember to select a correct answer and rate helpful posts
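One way to check the mirroring the replies above describe before touching either box, as an added example that is not part of this thread or of either vendor's tooling: it parses the ASA crypto ACL lines quoted above, compares them with the SRX's proxy-IDs expressed as constructed (local, remote) CIDR pairs, and also flags the more specific entries that a broader entry already covers. The SRX list is constructed to contain one exact mirror, one entry with a broader mask and one omission, so the report reproduces the kind of mismatch discussed here.

```python
import ipaddress
import re

# The ASA crypto ACL entries quoted in the thread (sample input for the check).
ASA_ACL = """
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 10.0.4.0 255.255.255.0 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0
"""

# Constructed SRX side as (local, remote) prefixes: one exact mirror, one with
# a broader mask than the ASA (10.0.0.0/16 vs 10.0.4.0/24), and one entry missing.
SRX_SELECTORS = [
    ("10.34.0.0/16", "10.0.0.0/16"),
    ("172.18.5.0/24", "10.0.4.11/32"),
]

# Either "host A.B.C.D" or "A.B.C.D M.M.M.M" for source and destination.
_ADDR = r"(?:host\s+(\S+)|(\S+)\s+(\S+))"
_LINE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+" + _ADDR + r"\s+" + _ADDR)

def _to_net(host, addr, mask):
    if host:
        return ipaddress.ip_network(host + "/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa_acl(text):
    """Return (src, dst) ip_network pairs from ASA extended 'permit ip' ACL lines."""
    pairs = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m:
            pairs.append((_to_net(*m.group(1, 2, 3)), _to_net(*m.group(4, 5, 6))))
    return pairs

def check_mirror(asa_pairs, srx_selectors):
    """An ASA entry is mirrored only if the SRX has local == dst and remote == src;
    a broader or narrower mask on one side is reported as missing, not as a match."""
    srx = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in srx_selectors}
    report = {"mirrored": [], "missing_on_srx": []}
    for src, dst in asa_pairs:
        key = "mirrored" if (dst, src) in srx else "missing_on_srx"
        report[key].append((str(src), str(dst)))
    return report

def redundant_entries(pairs):
    """Entries whose src and dst are both covered by another, broader entry."""
    return [(str(s), str(d)) for i, (s, d) in enumerate(pairs)
            if any(j != i and s.subnet_of(bs) and d.subnet_of(bd) and (s, d) != (bs, bd)
                   for j, (bs, bd) in enumerate(pairs))]
```

Run the three functions over your own exported ACL and selector list; anything under missing_on_srx is an entry the SRX will not accept a negotiation for, which is exactly the one-way behaviour described above.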