169 Views | 10 Helpful | 4 Replies
Beginner

VPN between ASA and Juniper failing for RDP

I have a site-to-site tunnel built between Virginia (VA) and California (CA). He has a Juniper firewall, and I have a Firepower running ASA. I define interesting traffic as VA-to-CA for all IP (one direction). Because of the Juniper set-up, he defines interesting traffic as CA-to-VA for all IP and VA-to-CA for all IP (Juniper requires both directions). When we do that, he can RDP into my VA workstation, which is what we want.

The problem is when we remove the IP-ALL statements and just use VA-to-CA for TCP 3389 and UDP 3389: the RDP fails. We continually get Crypto Map Mismatch, which I believe is related to the interesting traffic statements.

I believe Cisco requires one-way access-lists and Juniper requires two-way, but we tried every conceivable perturbation (he goes to one-way, then two-way; I go to two-way, etc.) and it won't work.

It's not application layer, since that works for IP-Any.

Really need a Juniper-savvy expert on this one; the standard Cisco textbooks are no help.

1 ACCEPTED SOLUTION

VIP Advisor

Re: VPN between ASA and Juniper failing for RDP

I had similar problems, and I am not an expert on Juniper, so I moved to route-based VPN (VTI) instead of crypto ACL and got it working.

4 REPLIES

Beginner

Re: VPN between ASA and Juniper failing for RDP

TAC advises to never use port numbers to define interesting traffic. I'll advise when I implement their suggestion.

RJI (VIP Advisor)

Re: VPN between ASA and Juniper failing for RDP

If you implement TAC's suggestion and establish the tunnel between IPs rather than port(s), you could use a VPN filter to restrict traffic.

Beginner

Re: VPN between ASA and Juniper failing for RDP

Eventually, that is what TAC did for me, and it fixed it. Seems Juniper uses policy-based for one host to one host, but moves to route-based for group to group, which the Cisco device must match. Thanks.
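The approach RJI suggested and the original poster confirmed TAC used (address-only interesting traffic, with the RDP restriction moved into a VPN filter) looks like the following on the ASA side. This is an added example, not configuration from any poster on this thread; the addresses (VA LAN 10.1.0.0/24 behind the ASA, CA LAN 10.2.0.0/24 behind the Juniper, Juniper peer 203.0.113.2), interface names and object/ACL names are all assumptions for illustration, and the Juniper side must define its proxy IDs with the same address-only networks.

```cisco
! Assumed addressing (not from the thread):
!   VA LAN 10.1.0.0/24 on ASA interface "inside", CA LAN 10.2.0.0/24 behind the Juniper,
!   Juniper public peer 203.0.113.2, ASA public interface "outside".
object network VA-LAN
 subnet 10.1.0.0 255.255.255.0
object network CA-LAN
 subnet 10.2.0.0 255.255.255.0
!
! Crypto ACL: interesting traffic by address only, no ports. The IPsec proxy IDs
! negotiated from this line must match the Juniper policy; port-specific entries
! here are what produced the Crypto Map Mismatch described above.
access-list VA-TO-CA-CRYPTO extended permit ip object VA-LAN object CA-LAN
!
! NAT exemption so LAN-to-LAN traffic is not translated before encryption.
nat (inside,outside) source static VA-LAN VA-LAN destination static CA-LAN CA-LAN no-proxy-arp route-lookup
!
! VPN filter: this is where the RDP-only restriction lives. A vpn-filter ACL is
! written from the remote peer's perspective (source = CA side, destination = VA
! side) and is applied to traffic in both directions of the tunnel, so only RDP
! initiated from CA toward VA hosts is permitted; everything else inside the
! tunnel is dropped.
access-list CA-RDP-FILTER extended permit tcp object CA-LAN object VA-LAN eq 3389
access-list CA-RDP-FILTER extended permit udp object CA-LAN object VA-LAN eq 3389
!
group-policy CA-L2L-GP internal
group-policy CA-L2L-GP attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value CA-RDP-FILTER
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy CA-L2L-GP
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto map OUTSIDE-MAP 10 match address VA-TO-CA-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
```

Two checks worth making after applying this: `show crypto ipsec sa` should show a single SA pair whose local/remote identities are the two /24 networks with protocol "any" and no ports, and `show vpn-sessiondb l2l` should list the filter name under the session. The filter matters because, with the default `sysopt connection permit-vpn`, decrypted tunnel traffic bypasses the outside interface ACL, so the vpn-filter is the control that actually limits the peer to RDP once the crypto ACL no longer does.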