10-23-2019 11:29 AM
I have a Site-to-site tunnel built between Virginia (VA) and California (CA). He has a Juniper Firewall, and I have a FirePower running ASA. I define interesting traffic as VA-to-CA for all IP (one direction). Because of the Juniper set-up, he defines interesting traffic as CA-to-VA for all IP, and VA-to-CA for all IP (Juniper requires both directions). When we do that, he can RDP into my VA workstation, which is what we want.
The problem is when we remove the IP-ALL statements, and just use VA-to-CA for TCP 3389 and UDP 3389, the RDP fails. We continually get Crypto Map Mismatch, which I believe is related to the interesting traffic statements.
I believe Cisco requires one-way access-lists, and Juniper requires two-way, but we tried every conceivable perturbation (he goes to one-way, then two-way, I go to two-way, etc.) and it won't work.
It's not Application layer, since that works for IP-Any.
Really need a Juniper savvy expert on this one; the standard Cisco textbooks are no help.
10-23-2019 10:51 PM
10-24-2019 05:26 AM
TAC advises to never use port numbers to define interesting traffic. I'll advise when I implement their suggestion.
10-24-2019 05:42 AM
10-24-2019 03:53 PM
Eventually, that is what TAC did for me, and it fixed it. Seems Juniper uses policy based for one host to one host, but moves to route based for group to group, which the Cisco device must match. Thanks.
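An added example, not from this thread or from either vendor, that models the proxy-ID check this thread turns on: each Cisco crypto-ACL entry has to appear on the Juniper side with local and remote swapped and the same service, and a port-qualified entry is flagged in line with the TAC advice above. The address ranges, the Junos service-name format, and the ACE subset parsed are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Selector:
    """One IPsec traffic selector (proxy-ID): local net, remote net, service."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: str              # "ip", "tcp" or "udp"
    port: Optional[int]     # destination port; None means any

    def mirror(self) -> "Selector":
        # The entry the peer must offer: same service, networks swapped.
        return Selector(self.remote, self.local, self.proto, self.port)

def parse_asa_ace(ace: str) -> Selector:
    """Parse the subset 'permit <proto> <src> <mask> <dst> <mask> [eq <port>]'."""
    t = ace.split()
    if t[0] != "permit":
        raise ValueError(f"unsupported ACE: {ace}")
    src = ipaddress.IPv4Network(f"{t[2]}/{t[3]}")
    dst = ipaddress.IPv4Network(f"{t[4]}/{t[5]}")
    port = int(t[7]) if len(t) > 7 and t[6] == "eq" else None
    return Selector(src, dst, t[1], port)

def parse_junos_proxy_id(local: str, remote: str, service: str) -> Selector:
    """Model 'proxy-identity local L remote R service S'; service names are
    constructed here: 'any' or '<proto>-<port>' (e.g. 'tcp-3389')."""
    proto, port = "ip", None
    if service != "any":
        proto, p = service.split("-")
        port = int(p)
    return Selector(ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote), proto, port)

def check_tunnel(asa_aces: List[str], junos_ids: List[Tuple[str, str, str]]) -> List[str]:
    """Findings: ASA entries with no mirrored peer proxy-ID, plus port-qualified entries."""
    peer = {parse_junos_proxy_id(*p) for p in junos_ids}
    findings = []
    for sel in map(parse_asa_ace, asa_aces):
        if sel.mirror() not in peer:
            findings.append(f"no mirrored Juniper proxy-ID for {sel.proto}/{sel.port} {sel.local}->{sel.remote}")
        if sel.port is not None:
            findings.append(f"port-qualified selector {sel.proto}/{sel.port}: TAC advises address-only interesting traffic")
    return findings

# Constructed sample: VA = 10.1.0.0/16, CA = 10.2.0.0/16 (not the poster's addresses).
JUNOS_PROXY_IDS = [("10.2.0.0/16", "10.1.0.0/16", "any")]  # CA side, address-only
BROKEN_ASA = ["permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 3389",
              "permit udp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 3389"]
FIXED_ASA = ["permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0"]
```

Running `check_tunnel(BROKEN_ASA, JUNOS_PROXY_IDS)` reports the two unmirrored port-specific entries and the two port warnings, while the address-only `FIXED_ASA` list comes back clean.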