[j-nsp] VPN between SRX with dynamic IP address to Cisco ASA

Hans Kristian Eiken hans.kristian.eiken at gmail.com
Thu Mar 17 19:03:30 EDT 2011


2011/3/17 James S. Smith <JSmith at windmobile.ca>

> I'm having a bit of trouble with this configuration: I have an SRX 240
> (Junos 10.0R3.10) that is connected to the Internet with a CX-111.  The
> CX-111 has a 3G stick for its Internet.  The SRX receives a DHCP address on
> ge-0/0/0.0 and can reach the Internet without a problem.
>
> I'd now like to setup a site-to-site style VPN between the SRX and a Cisco
> ASA 5540.  The traditional site-to-site VPN configuration won't work since
> the Juniper IP address is dynamic.  Additionally, the Juniper cannot receive
> traffic initiated from the Internet.  It can only initiate traffic itself.
>
> I've set up a similar configuration using the Cisco 800 series and Cisco
> EZVPN.  Anyone know of any sort of configuration for the Juniper that will
> work in this situation?
>

This is supported in standard IPsec using aggressive mode. I have not done
this in SRX, but I have done the same thing between two different IPsec
implementations using Cisco IOS with dynamic IP and ScreenOS with static IP.
It should be quite standard as both of your boxes support standard IPsec.
The trick is to use an email address or FQDN as identity for the tunnel
instead of a static IP address. To be able to keep the tunnel up all the
time, I guess the configuration "set security vpn vpn-name establish-tunnels
immediately" might do the trick. I expect this config statement will keep
the tunnel up and make it possible to initiate traffic inside the tunnel
from the ASA side.

-- 
Hans Kristian Eiken
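An SRX-side configuration that puts the reply's suggestion together, added here as an example and not taken from the thread or from either poster. It is a route-based IKEv1 VPN in aggressive mode where the SRX identifies itself by FQDN rather than by its DHCP address, and the full statement path for keeping the SA up is `set security ipsec vpn <name> establish-tunnels immediately`. Everything concrete is a placeholder: 203.0.113.1 for the ASA's public address, srx-branch.example.com for the SRX identity, 10.10.0.0/24 and 10.20.0.0/24 for the two LANs, and the PSK string. The algorithm and DH group choices are illustrative; they must match what the ASA and the running Junos release actually support. Address objects are defined at zone level because the global address book does not exist on the 10.0 release in the question.

```junos
## Added example, not from the original thread. Route-based IPsec from an SRX on a
## dynamic (DHCP) uplink to a peer with a static address. All names, addresses and
## the PSK are placeholders; algorithms must match the peer's configuration.

## Phase 1: aggressive mode so the SRX can present an FQDN identity instead of its
## changing IP. The peer looks up the pre-shared key by that identity.
set security ike proposal ike-prop-asa authentication-method pre-shared-keys
set security ike proposal ike-prop-asa dh-group group14
set security ike proposal ike-prop-asa authentication-algorithm sha-256
set security ike proposal ike-prop-asa encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-asa lifetime-seconds 28800
set security ike policy ike-pol-asa mode aggressive
set security ike policy ike-pol-asa proposals ike-prop-asa
set security ike policy ike-pol-asa pre-shared-key ascii-text "PSK-PLACEHOLDER"

## Gateway: the ASA's static address is the remote peer; local-identity is the FQDN
## the ASA keys on; external-interface is the DHCP-addressed uplink from the post.
set security ike gateway gw-asa ike-policy ike-pol-asa
set security ike gateway gw-asa address 203.0.113.1
set security ike gateway gw-asa local-identity hostname srx-branch.example.com
set security ike gateway gw-asa external-interface ge-0/0/0.0
## Dead peer detection so a dropped 3G session is noticed and the SA is rebuilt
## instead of sitting half-dead until the lifetime expires.
set security ike gateway gw-asa dead-peer-detection always-send
set security ike gateway gw-asa dead-peer-detection interval 10
set security ike gateway gw-asa dead-peer-detection threshold 3

## Phase 2 with PFS.
set security ipsec proposal ipsec-prop-asa protocol esp
set security ipsec proposal ipsec-prop-asa authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-asa encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-asa lifetime-seconds 3600
set security ipsec policy ipsec-pol-asa perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-asa proposals ipsec-prop-asa

## VPN bound to st0.0. establish-tunnels immediately brings the SA up on commit and
## keeps it up, so the ASA side can send traffic into the tunnel even though it can
## never initiate IKE toward the SRX.
set security ipsec vpn vpn-asa bind-interface st0.0
set security ipsec vpn vpn-asa ike gateway gw-asa
set security ipsec vpn vpn-asa ike ipsec-policy ipsec-pol-asa
set security ipsec vpn vpn-asa establish-tunnels immediately

## Tunnel interface, zones, route, and a narrow policy pair limited to the two LANs.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.20.0.0/24 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust address-book address lan-srx 10.10.0.0/24
set security zones security-zone vpn address-book address lan-asa 10.20.0.0/24
set security policies from-zone trust to-zone vpn policy to-asa match source-address lan-srx
set security policies from-zone trust to-zone vpn policy to-asa match destination-address lan-asa
set security policies from-zone trust to-zone vpn policy to-asa match application any
set security policies from-zone trust to-zone vpn policy to-asa then permit
set security policies from-zone vpn to-zone trust policy from-asa match source-address lan-asa
set security policies from-zone vpn to-zone trust policy from-asa match destination-address lan-srx
set security policies from-zone vpn to-zone trust policy from-asa match application any
set security policies from-zone vpn to-zone trust policy from-asa then permit
```

After committing, `show security ike security-associations` should list gw-asa in state UP and `show security ipsec security-associations` should show the Phase 2 SA on st0.0 without any traffic having been sent. If Phase 1 never completes, the usual causes are a PSK or identity mismatch on the ASA side and a 3G provider that blocks UDP 500 or 4500; NAT traversal is on by default on the SRX, so the CX-111 doing NAT is not itself a blocker.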

