Juniper SRX to Cisco ASA Site to Site with source NAT

This article will describe how to create a Site to Site (Lan to Lan) VPN from a site running a Juniper SRX firewall to another site running a Cisco ASA firewall. The traffic from Site A (Juniper) will source NAT it’s local traffic through the VPN to meet the encryption domain defined at Site B (Cisco).

The Juniper part will be created as a route-based VPN, and Cisco as policy-based. It is not possible to source NAT on Juniper, if a policy-based VPN is used.

The goal is to create the following:

Site to Site

Juniper SRX configuration:

The configuration is pretty basic, we define the phase 1 and 2 settings, set the NAT options for the source NAT, defines access-lists, address-book entries etc. The only thing you have to notice, is that we create a tunnel interface, called st0.0, which we route the remote net for Site B to (172.25.56.0/25). The st0.0 interface IP-address is inside the local encryption domain (172.25.50.1/28).

This is called “Route based VPN” instead of “Policy based VPN”. To do source NAT over VPN on Juniper SRX you have to use the RB VPN.

Lets continue to the SITE B configuration, which is on a Cisco ASA, and here we’ll use a policy based VPN

Cisco ASA configuration:

The Cisco configuration is pretty much straight forward, no routing, no NAT, just basic VPN configuration, cryptomap (encryption domain), phase 1 and 2 and the access-lists.

And thats it! You should now be able to bring the tunnel up if you initiate some traffic.

If you have any questions feel free to leave a comment or contact me!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.