07-28-2019 08:39 AM
I have 2 locations with Juniper SRX 550 and needed to migrate these Juniper firewalls to Cisco FTDs in HA managed by FMC. All the required configurations have been completed on the FMC. But I need to test the VPN connections between the newly configured Cisco FTDs and the old Juniper SRX.
When I launched the VPN setup for P2P on the Cisco FMC, it can only see the Cisco HA. How do I make the Juniper SRX endpoints connected to the Cisco FMC? Just for testing purposes before I swap out the Juniper.
Is it possible to set up a VPN connection from the Cisco FTD HA to the Juniper SRX, and test the connections?
07-28-2019 12:11 PM - edited 07-28-2019 12:12 PM
Couple of questions:
1. You have both sides working with Juniper SRX VPN for now?
2. You wish to upgrade one of the sites from Juniper SRX to FTD (the other side remains the same as Juniper SRX)?
3. FMC cannot see the Juniper SRX device, since FMC is for Cisco devices only.
Here is the example config of ASA to SRX (the same should work with FTD):
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA
You can only test as below:
1. You connect the new FTD where the SRX is connected (but in shutdown mode), other than the Management IP.
2. When you have a maintenance window, shut down the SRX interface and bring up the FTD interface if you like to use the same IP and same setup.
Other option:
You can build with a new IP on the FTD and a new tunnel to the Juniper SRX at the far end (so you have both tunnels running at the same time).
Shift the load once the VPN is working and tested. If not, move the traffic back to the old VPN.
Make sense?
07-28-2019 12:49 PM
Thanks Balaji for your response, greatly helpful.
Couple of questions:
1. You have both sides working with Juniper SRX VPN for now? Yes, both sides are working.
2. You wish to upgrade one of the sites from Juniper SRX to FTD (the other side remains the same as Juniper SRX). Correct, just one SITE was upgraded to Cisco FTD for a test.
3. FMC cannot see the Juniper SRX device, since FMC is for Cisco devices only. That's the main problem.
Here is the example config of ASA to SRX (the same should work with FTD):
https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA
This link is for Cisco ASA, not for Cisco FTD managed by FMC, but the issues are:
1. How to configure the Cisco FTD through FMC for site-to-site VPN between the SRX and FMC.
2. When adding endpoints in the VPN configuration on the FMC, for Node A (Cisco FTD) it's easy to add the node from the "Device" drop-down option, but for Node B (SRX) I am unable to add the node.
I will follow your TESTING approach, thanks.
Let me know if you need more clarification.
07-28-2019 12:57 PM - edited 07-28-2019 12:58 PM
As per the original post you have mentioned, all the configuration is in place.
2. When adding endpoints in the VPN configuration on the FMC, for Node A (Cisco FTD) it's easy to add the node from the "Device" drop-down option, but for Node B (SRX) I am unable to add the node.
Node B you need to create with the SRX IP, follow the video below:
https://www.youtube.com/watch?v=2ivWnEQfdzU
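Added example, not part of the original thread: once the SRX is defined as the remote (Node B) endpoint with its peer IP and the policy is deployed, the tunnel can be checked from both sides before any traffic is shifted. The commands below are the standard status commands on each platform; the device prompts and the peer address 203.0.113.2 are placeholders, and the IKE/IPsec proposals (encryption, integrity, DH group, lifetimes) and the protected networks must be configured identically on the FTD and the SRX or the negotiation will fail at Phase 1 or Phase 2.

```text
# --- Cisco FTD (CLI of the active HA unit) ---
# Phase 1: expect one SA in READY state for the SRX peer.
> show crypto ikev2 sa
# If the tunnel was built with IKEv1 instead:
> show crypto isakmp sa
# Phase 2: inbound/outbound SAs for the protected subnets; pkts encaps/decaps should both increase.
> show crypto ipsec sa peer 203.0.113.2
# Confirm what FMC actually deployed for the peer.
> show running-config crypto

# --- Juniper SRX (operational mode) ---
# Phase 1: State should be UP for the FTD peer.
user@srx> show security ike security-associations
# Phase 2: both directions listed for the matching proxy-IDs / traffic selectors.
user@srx> show security ipsec security-associations
# Encrypted/decrypted counters should both grow while test traffic is sent across the tunnel.
user@srx> show security ipsec statistics
```

If Phase 1 comes up but no IPsec SA is listed, compare the protected networks on the FMC topology with the proxy-IDs on the SRX; a mismatch there is the usual cause when the IKE parameters already agree. Running this check with the old tunnel still in place, as suggested above, means traffic can be moved back without a second maintenance window.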
07-28-2019 01:24 PM
Thanks Balaji, that link was so helpful.
I also got this link below: Create site-to-site with Cisco Firepower and 3rd party firewall
07-28-2019 03:31 PM
Glad it was helpful and you were able to resolve the issue soon; keep us posted.