I have a Site-to-site tunnel built between Virginia (VA) and California (CA). He has a Juniper Firewall, and I have a FirePower running ASA. I define interesting traffic as VA-to-CA for all IP (one direction). Because of the Juniper set-up, he defines interesting traffic as CA-to-VA for all IP, and VA-to-CA for all IP (Juniper requires both directions). When we do that, he can RDP into my VA workstation, which is what we want.
The problem is when we remove the IP-ALL statements, and just use VA-to-CA for TCP 3389 and UDP 3389, the RDP fails. We continually get Crypto Map Mismatch, which I believe is related to the interesting traffic statements.
I believe Cisco requires one-way access-lists, and Juniper requires two-way, but we tried every conceivable perturbation (he goes to one-way, then two-way, I go to two-way, etc.) and it won't work.
It's not Application layer, since that works for IP-Any.
Really need a Juniper savvy expert on this one; the standard Cisco textbooks are no help.
Eventually, that is what TAC did for me, and it fixed it. Seems Juniper uses policy based for one host to one host, but moves to route based for group to group, which the Cisco device must match. Thanks.
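The thread above is about IPsec phase 2 selectors (proxy IDs / traffic selectors): a policy-based peer will only bring up a child SA when the selector it proposes is the exact mirror image of the selector the other peer has configured, and a route-based peer that proposes 0.0.0.0/0 to 0.0.0.0/0 must be matched with the same wildcard on the other side. The script below is an added example, not code from the original post or from Cisco or Juniper; it models selectors at the IKE ID-payload level (local net, local port, remote net, remote port, protocol) and flags entries on either side that have no exact mirror. The VA and CA prefixes are constructed sample values, and the script does not model how either vendor derives proxy IDs from its policy or crypto-map configuration, which is an assumption the reader has to fill in from their own show output.

```python
"""Check that two IPsec peers' phase-2 selectors are exact mirror images.

A policy-based peer (IKEv1 proxy IDs, or IKEv2 traffic selectors with
strict matching) rejects a child SA whose proposed selector is not the
mirror of one it has configured. This is the usual cause of "crypto map
mismatch" / "proxy identities not supported" style failures.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Selector:
    """One selector as a peer sends it in its ID payloads.

    port 0 means any port; proto "ip" means any protocol. The port is
    attached to the address on the same side, as in the ISAKMP ID payload.
    """
    local: str
    remote: str
    proto: str = "ip"
    lport: int = 0
    rport: int = 0

    def normalized(self) -> "Selector":
        # Canonical CIDR text so 10.1.0.0/16 and 10.1.0.0/255.255.0.0 compare equal.
        return Selector(str(ip_network(self.local, strict=False)),
                        str(ip_network(self.remote, strict=False)),
                        self.proto.lower(), self.lport, self.rport)

    def mirror(self) -> "Selector":
        """What the other peer must have configured for this selector to
        match: local/remote swap, and each port travels with its address."""
        n = self.normalized()
        return Selector(n.remote, n.local, n.proto, n.rport, n.lport)


def unmatched(side_a, side_b):
    """Return (a_only, b_only): selectors on each side whose exact mirror is
    absent from the other side. Two empty lists mean every selector can
    negotiate; anything else is a phase-2 mismatch waiting to happen."""
    a = {s.normalized() for s in side_a}
    b = {s.normalized() for s in side_b}
    a_only = sorted((s for s in a if s.mirror() not in b), key=str)
    b_only = sorted((s for s in b if s.mirror() not in a), key=str)
    return a_only, b_only


def will_negotiate(side_a, side_b) -> bool:
    a_only, b_only = unmatched(side_a, side_b)
    return not a_only and not b_only


# Constructed sample prefixes standing in for the VA and CA sites.
VA = "10.10.0.0/16"
CA = "10.20.0.0/16"
ANY = "0.0.0.0/0"

# Case 1: "ip any" in both directions, which the post says works.
ASA_ANY = [Selector(VA, CA)]
JUNIPER_ANY = [Selector(CA, VA)]

# Case 2: ASA side narrowed to RDP. The ASA entry "VA -> CA dst port 3389"
# mirrors to "CA src port 3389 -> VA", so a remote entry carrying 3389 on
# its *destination* side does not match, and the UDP entry has no mirror at all.
ASA_RDP = [Selector(VA, CA, "tcp", 0, 3389), Selector(VA, CA, "udp", 0, 3389)]
JUNIPER_RDP_WRONG = [Selector(CA, VA, "tcp", 0, 3389)]
JUNIPER_RDP_RIGHT = [Selector(CA, VA, "tcp", 3389, 0), Selector(CA, VA, "udp", 3389, 0)]

# Case 3: route-based peer proposing the 0.0.0.0/0 wildcard. The other side
# must propose the same wildcard; a site-specific selector does not match it.
JUNIPER_ROUTE_BASED = [Selector(ANY, ANY)]
ASA_ROUTE_BASED = [Selector(ANY, ANY)]


def report() -> dict:
    """Run the three constructed cases and return which ones negotiate."""
    return {
        "ip_any_both_ways": will_negotiate(ASA_ANY, JUNIPER_ANY),
        "rdp_port_on_wrong_end": will_negotiate(ASA_RDP, JUNIPER_RDP_WRONG),
        "rdp_mirrored_correctly": will_negotiate(ASA_RDP, JUNIPER_RDP_RIGHT),
        "route_based_vs_site_acl": will_negotiate(ASA_ANY, JUNIPER_ROUTE_BASED),
        "route_based_both_sides": will_negotiate(ASA_ROUTE_BASED, JUNIPER_ROUTE_BASED),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:28s} {'OK' if ok else 'MISMATCH'}")
    a_only, b_only = unmatched(ASA_RDP, JUNIPER_RDP_WRONG)
    print("ASA entries with no mirror:    ", a_only)
    print("Juniper entries with no mirror:", b_only)
```

To use it against a real pair of devices, transcribe each peer's proxy IDs or traffic selectors exactly as they appear in its own output (on the ASA, the crypto ACL entries; on the Juniper, the proxy-id values of the VPN) into two lists and call `unmatched()`; each entry it returns on either side is one selector the other peer will never accept. Note that a narrowed selector such as TCP 3389 has to be mirrored with the port on the opposite end, and that mixing a per-port selector on one side with a wildcard on the other is reported as a mismatch rather than silently "widened".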