VPN between ASA and Juniper failing for RDP

jimmycher
Level 1

I have a Site-to-site tunnel built between Virginia (VA) and California (CA).  He has a Juniper Firewall, and I have a FirePower running ASA.  I define interesting traffic as  VA-to-CA for all IP (one direction).  Because of the Juniper set-up, he defines interesting traffic as CA-to-VA for all IP, and VA-to-CA for all IP (Juniper requires both directions).   When we do that, he can RDP into my VA workstation, which is what we want.

The problem is when we remove the IP-ALL statements, and just use VA-to-CA for TCP 3389, and UDP 3389, the RDP fails.  We continually get Crypto Map Mismatch, which I believe is related to the interesting traffic statements.

I believe Cisco requires one-way access-lists, and Juniper requires two-way, but we tried every conceivable perturbation, (he goes to one-way, then two-way, I go to two-way, etc) and it won't work.

It's not Application layer, since that works for IP-Any.

Really need a Juniper savvy expert on this one; the standard Cisco textbooks are no help.

Accepted Solution

I had similar problems and I am not an expert on Juniper so I moved to route based VPN (VTI) instead of crypto ACL and got it working.

4 Replies

TAC advises to never use port numbers to define interesting traffic.  I'll advise when I implement their suggestion.

If you implement TAC's suggestion and establish the tunnel between IPs rather than ports, you could use VPN Filter to restrict traffic.

Eventually, that is what TAC did for me, and it fixed it.   Seems Juniper uses policy-based for one host to one host, but moves to route-based for group to group, which the Cisco device must match.  Thanks.
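Putting the two replies above together (crypto ACL defined by IP only, the port restriction moved into a vpn-filter), here is an added ASA configuration example. It is not from the thread or from either participant; the subnets, peer address, object names and key are constructed placeholders.

```cisco
! Added example, not from the thread. Constructed placeholders:
!   VA LAN 10.10.0.0/24 (local, behind this ASA)
!   CA LAN 10.20.0.0/24 (remote, behind the Juniper)
!   Juniper public address 203.0.113.1 (RFC 5737 documentation range)
!
! 1. Interesting traffic is subnet-to-subnet for all IP, so each peer carries a
!    single proxy-ID pair that mirrors the other side. Port numbers never appear
!    here; a port-qualified entry on one side is what produces the mismatch.
access-list VA-TO-CA-CRYPTO extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VA-TO-CA-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! 2. The RDP restriction lives in a vpn-filter instead. Direction matters: a
!    vpn-filter ACL is written with the REMOTE network as the source and the
!    LOCAL network as the destination, and the ASA applies it to traffic in both
!    directions. Written local-to-remote it would silently block the sessions
!    you meant to allow. Result: CA hosts may open RDP to VA hosts, and nothing
!    else crosses the tunnel.
access-list VA-CA-VPN-FILTER extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 3389
access-list VA-CA-VPN-FILTER extended permit udp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 3389

group-policy GP-CA-SITE internal
group-policy GP-CA-SITE attributes
 vpn-filter value VA-CA-VPN-FILTER
 vpn-tunnel-protocol ikev1

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GP-CA-SITE
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SHARED-SECRET
```

Once the tunnel is up, `show vpn-sessiondb l2l` and the hit counts in `show access-list VA-CA-VPN-FILTER` confirm that RDP is being permitted by the filter rather than dropped.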
