
VPN issue between Cisco FTD and SRX 550

shinerner
Level 1

I have 2 locations with Juniper SRX 550s and needed to migrate these Juniper firewalls to Cisco FTDs in HA managed by FMC. All the required configuration has been completed on the FMC. But I need to test the VPN connections between the newly configured Cisco FTDs and the old Juniper SRX.


When I launched the VPN setup for P2P on the Cisco FMC, it can only see the Cisco HA. How do I get the Juniper SRX endpoints connected to the Cisco FMC? Just for testing purposes before I swap out the Juniper.


Is it possible to set up a VPN connection from the Cisco FTD HA to the Juniper SRX and test the connection?

5 Replies

balaji.bandi
Hall of Fame

Couple of questions:

1. Do you have both sides working now with the Juniper SRX VPN?

2. You wish to upgrade one site from Juniper SRX to FTD (the other side remains Juniper SRX)?

3. FMC cannot see the Juniper SRX device, since FMC is for Cisco devices only.


Here is an example config of ASA to SRX (the same should work with FTD):


https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA


You can only test as below:

1. You connect the new FTD where the SRX is connected (but in shutdown mode), other than the management IP.

2. When you have a maintenance window, shut down the SRX interface and bring up the FTD interface, if you want to use the same IP and the same setup.


Other option:

You can build with a new IP on the FTD and a new tunnel to the far-end Juniper SRX (so you have both tunnels running at the same time).

Shift the load once the VPN is working and tested; if not, move the traffic back to the old VPN.


Make sense ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks, Balaji, for your response; greatly helpful.


Couple of questions:

1. Do you have both sides working now with the Juniper SRX VPN? Yes, both sides are working.

2. You wish to upgrade one site from Juniper SRX to FTD (the other side remains Juniper SRX)? Correct, just one site was upgraded to Cisco FTD for a test.

3. FMC cannot see the Juniper SRX device, since FMC is for Cisco devices only. That's the main problem.


Here is an example config of ASA to SRX (the same should work with FTD):

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28120&actp=METADATA

This link is for Cisco ASA, not for Cisco FTD managed by FMC, but the issues are:


1. How to configure the Cisco FTD through FMC for site-to-site VPN between the SRX and FMC.

2. When adding endpoints in the VPN configuration on the FMC, for Node A (Cisco FTD) it's easy to add the node from the "Device" drop-down option, but for Node B (SRX) I am unable to add the node.


I will follow your TESTING approach, thanks.


Let me know if you need more clarification.


As per the original post, you mentioned that all the configuration is in place.


2. When adding endpoints in the VPN configuration on the FMC, for Node A (Cisco FTD) it's easy to add the node from the "Device" drop-down option, but for Node B (SRX) I am unable to add the node.


Node B you need to create with the SRX IP; follow the video below:

https://www.youtube.com/watch?v=2ivWnEQfdzU


BB

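An added worked example, not from the original thread and not Cisco's or Juniper's documentation, covering both the "other option" Balaji describes above (a second tunnel from the FTD's new IP to the far-end SRX, running alongside the old SRX-to-SRX tunnel) and the Node B question: on the FMC the SRX is entered as Node B with device type "Extranet" and its public IP, and everything that topology advertises (IKE version, proposals, pre-shared key, protected networks) has to be mirrored on the SRX by hand, since FMC pushes nothing to it. Below is that far-end SRX configuration in Junos "set" syntax. Every address, interface, object name and the PSK are placeholders assumed for the example; lines beginning with "##" are notes for the reader and are not valid in "load set terminal", so drop them before pasting.

```junos
## Assumed: 203.0.113.10 = FTD HA pair's new outside IP, ge-0/0/0.0 = SRX WAN interface,
## 10.1.0.0/16 = LAN behind this SRX, 10.2.0.0/16 = LAN behind the FTD, st0.1 = new tunnel interface.

## Phase 1: IKEv2 only, AES-256/SHA-256, DH group 14. The FMC IKEv2 policy must offer the same.
set security ike proposal IKE-PROP-FTD authentication-method pre-shared-keys
set security ike proposal IKE-PROP-FTD dh-group group14
set security ike proposal IKE-PROP-FTD authentication-algorithm sha-256
set security ike proposal IKE-PROP-FTD encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-FTD lifetime-seconds 28800
set security ike policy IKE-POL-FTD proposals IKE-PROP-FTD
set security ike policy IKE-POL-FTD pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-PSK"
set security ike gateway GW-FTD ike-policy IKE-POL-FTD
set security ike gateway GW-FTD address 203.0.113.10
set security ike gateway GW-FTD external-interface ge-0/0/0.0
set security ike gateway GW-FTD version v2-only
set security ike gateway GW-FTD dead-peer-detection interval 10
set security ike gateway GW-FTD dead-peer-detection threshold 3

## Phase 2: ESP AES-256/SHA-256 with PFS group 14, 1-hour lifetime. Match the FMC IPsec proposal.
set security ipsec proposal IPSEC-PROP-FTD protocol esp
set security ipsec proposal IPSEC-PROP-FTD encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP-FTD authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP-FTD lifetime-seconds 3600
set security ipsec policy IPSEC-POL-FTD perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-FTD proposals IPSEC-PROP-FTD

## Route-based VPN on st0.1. The proxy IDs must equal the protected networks in the FMC topology
## (Node A = 10.2.0.0/16, Node B = 10.1.0.0/16); a mismatch fails phase 2 with "no proposal chosen".
set security ipsec vpn VPN-FTD bind-interface st0.1
set security ipsec vpn VPN-FTD ike gateway GW-FTD
set security ipsec vpn VPN-FTD ike ipsec-policy IPSEC-POL-FTD
set security ipsec vpn VPN-FTD ike proxy-identity local 10.1.0.0/16
set security ipsec vpn VPN-FTD ike proxy-identity remote 10.2.0.0/16
set security ipsec vpn VPN-FTD ike proxy-identity service any
set security ipsec vpn VPN-FTD establish-tunnels immediately

set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## Both tunnels stay up; routing picks which one carries traffic. The old SRX-to-SRX route is assumed
## to sit at the default static preference of 5, so preference 10 keeps the new tunnel idle until cutover.
set routing-options static route 10.2.0.0/16 next-hop st0.1 preference 10

## Zone policy: permit only LAN-to-LAN traffic across the new tunnel, in both directions.
set security address-book global address LAN-10-1 10.1.0.0/16
set security address-book global address FTD-LAN-10-2 10.2.0.0/16
set security policies from-zone trust to-zone vpn policy LAN-TO-FTD match source-address LAN-10-1
set security policies from-zone trust to-zone vpn policy LAN-TO-FTD match destination-address FTD-LAN-10-2
set security policies from-zone trust to-zone vpn policy LAN-TO-FTD match application any
set security policies from-zone trust to-zone vpn policy LAN-TO-FTD then permit
set security policies from-zone vpn to-zone trust policy FTD-TO-LAN match source-address FTD-LAN-10-2
set security policies from-zone vpn to-zone trust policy FTD-TO-LAN match destination-address LAN-10-1
set security policies from-zone vpn to-zone trust policy FTD-TO-LAN match application any
set security policies from-zone vpn to-zone trust policy FTD-TO-LAN then permit
```

Verify before shifting any load: on the SRX, "show security ike security-associations" and "show security ipsec security-associations" should list the peer 203.0.113.10 with state UP, and on the FTD CLI "show crypto ikev2 sa" and "show crypto ipsec sa" should show the same SA with local/remote selectors equal to the protected networks. Cutover is then a routing change (drop the new route's preference below the old one, or withdraw the old route), which is also the rollback path Balaji describes. Two caveats a practitioner will hit: FTD site-to-site topologies are policy-based, so if the FMC topology lists more than one network on either side it negotiates one IPsec SA per network pair, and an SRX with a single proxy-identity will only bring up the one pair that matches; put one VPN (and proxy-identity) per pair on the SRX, or use one "traffic-selector" per pair where the Junos release supports that with IKEv2. And treat the PSK as a secret with the same care as the old tunnel's: generate it fresh, keep it out of the change ticket, and rotate it once the old SRX is decommissioned.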

Thanks Balaji, that link was so helpful.

I also got this link: Create site-to-site with Cisco Firepower and 3rd party firewall

Glad it was helpful and that you will be able to resolve the issue soon; keep us posted.

BB

