Cisco ASA – Juniper SRX tunnels

Troubles with somewhat complicated ASA-SRX tunnels


This is close to the simplest setup you may encounter. There is only one source network on the SRX side, and two destinations on the PIX side. This allows for simple static destination NAT. The SRX device will NAT its own network for use through the VPN.

Alternate setups would have two or more source networks, in which case policy-based routing would need to be employed, or may require that the SRX NAT the traffic for the remote network, in which case the NAT clauses would need to be constructed a little differently.

Tunnel interface and NHTB

st0 {
  unit 0 {
   family inet {
     next-hop-tunnel ipsec-vpn CiscoASA-VPN-P2;
     next-hop-tunnel ipsec-vpn CiscoASA-VPN-P2-2;
  • st0 has an address of Note the large mask: This is to allow for expansion in the future, as each proxy ID will need one “ephemeral” IP address. I have seen configurations with up to 400 different proxy IDs, in which case a /23 would be needed.
  • multipoint enables NHTB
  • next-hop-tunnel statements bind an “ephemeral” IP address to a specific Phase 2 configuration, and thus specific proxy ID. I call these IP addresses “ephemeral” because they do not actually exist on the Cisco PIX side: They are only used for purposes of NHTB


routing-options { static { route next-hop; route next-hop; } }


This entry was posted in Juniper. Bookmark the permalink.

One Response to Cisco ASA – Juniper SRX tunnels

  1. PeteLong says:

    Here’s some more information that might be helpful

    Cisco ASA to Juniper SRX Site to Site VPN


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s