route-based VPNs between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA
I'm trying to set up a config very similar to the one described here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28198

which is basically: route-based VPN between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA.

The difference in my situation is that I need to set up 4 subnets behind the SRX as opposed to 2 in the example. I think that means a similar setup to the example, but creating 3 virtual-router instances as opposed to 1.

Anyway, I think I understand the example, but I had some questions I hoped someone could answer:

* It seems to me the interface-routes object, the rib-groups object and the policy-statement object are all required to allow the return traffic to the 192.168.3.0/24 subnet in its own virtual router.

If that is the case, why does the rib-group import both inet.0 and ASA.inet.0?

Should it not just need to import ASA.inet.0, which actually has the route to 192.168.3.0/24?

Secondly, I have some questions about the policy statement:

* In my case, I have 4 subnets behind the SRX I want to pass over the VPN. Can I just add extra subnets as term 2, term 3, term 4 in the existing policy-statement?

* The route-filter in the policy-statement has an 'exact' suffix after the subnet. Is that required?
In my case, one of the subnets I want to permit over the VPN is a /20 with 16 /24s within. How should I create the route-filter? As a /20 but without the 'exact'? Would the 'orlonger' match type be what I should be using?

Why would you put in the 'exact' in any case?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
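As an added illustration (not from the post above, the KB article, or Juniper), the following Python models how a Junos policy-statement with route-filter terms decides which routes get accepted, so the 'exact' versus 'orlonger' question for the /20 can be checked against concrete prefixes. It implements the documented match-type semantics (exact, longer, orlonger, upto, prefix-length-range) and the Junos rule that, within one term, only the longest-matching route-filter prefix is evaluated. Only 192.168.3.0/24 comes from the post; the other prefixes and the term names are constructed sample data.

```python
import ipaddress

# Junos route-filter semantics, modelled for illustration: the candidate route
# must lie inside the filter prefix, and its prefix length must then satisfy
# the match type. `upper`/`lower` are the bounds used by upto and
# prefix-length-range.
def route_filter_matches(filter_prefix, match_type, candidate, upper=None, lower=None):
    f = ipaddress.ip_network(filter_prefix, strict=False)
    c = ipaddress.ip_network(candidate, strict=False)
    if f.version != c.version or not c.subnet_of(f):
        return False
    if match_type == "exact":
        return c.prefixlen == f.prefixlen
    if match_type == "longer":
        return c.prefixlen > f.prefixlen
    if match_type == "orlonger":
        return c.prefixlen >= f.prefixlen
    if match_type == "upto":
        return f.prefixlen <= c.prefixlen <= upper
    if match_type == "prefix-length-range":
        return lower <= c.prefixlen <= upper
    raise ValueError(f"unknown route-filter match type: {match_type}")


def _term_matches(filters, route):
    """A term with several route-filters: Junos picks the single filter with the
    longest prefix containing the route and evaluates only that one's match type."""
    r = ipaddress.ip_network(route, strict=False)
    containing = []
    for spec in filters:
        fp, mt = spec[0], spec[1]
        opts = spec[2] if len(spec) > 2 else {}
        f = ipaddress.ip_network(fp, strict=False)
        if f.version == r.version and r.subnet_of(f):
            containing.append((f.prefixlen, fp, mt, opts))
    if not containing:
        return False
    _, fp, mt, opts = max(containing, key=lambda t: t[0])
    return route_filter_matches(fp, mt, route, **opts)


def evaluate_policy(terms, route, default="reject"):
    """Terms are evaluated in order; the first matching term accepts the route and
    returns its name. No term matching falls through to the default (reject)."""
    for name, filters in terms:
        if _term_matches(filters, route):
            return name
    return default


# Constructed policy for four SRX-side subnets: one term per subnet, as the post
# proposes. term2 carries a /20 (16 /24s inside it) with 'orlonger' so that the
# aggregate and any of its /24s are accepted; the /24s use 'exact' so that only
# the connected prefix itself, not anything more specific, gets through.
EXPORT_TO_ASA = [
    ("term1", [("192.168.3.0/24", "exact")]),
    ("term2", [("10.1.0.0/20", "orlonger")]),
    ("term3", [("172.16.5.0/24", "exact")]),
    ("term4", [("172.16.6.0/24", "exact")]),
]


def accepted_routes(terms, routes):
    """Map each candidate route to the term that accepted it (or 'reject')."""
    return {route: evaluate_policy(terms, route) for route in routes}


if __name__ == "__main__":
    # Constructed sample routing-table contents.
    sample = ["192.168.3.0/24", "192.168.3.0/25", "10.1.0.0/20",
              "10.1.4.0/24", "10.1.0.0/16", "172.16.6.0/24"]
    for route, result in accepted_routes(EXPORT_TO_ASA, sample).items():
        print(f"{route:18} -> {result}")
```

Running the sample shows why 'exact' is the conservative choice for the /24 terms (192.168.3.0/25 is rejected) and why the /20 needs 'orlonger' rather than 'exact' if its component /24s are expected to appear as separate routes. The longest-match rule is the usual surprise: a term holding both `10.1.0.0/16 orlonger` and `10.1.4.0/24 exact` rejects 10.1.4.0/25, because only the /24 filter is consulted.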
Re: route-based VPNs between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA
On the run, but shortly:

Don’t do it that way, much easier ways available.

What version are you running on the SRX?

Traffic-selectors are what you want.

/Per

PS: I’ll try to get back with more details later.

> On 1 Dec 2019, at 13:26, Tom Meadows <networker@hotmail.co.uk> wrote:
>
> I'm trying to set up a config very similar to the one described here:
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB28198
>
> which is basically: route-based VPN between SRX and ASA with multiple subnets behind SRX and single subnet behind ASA.
>
> The difference in my situation is that I need to set up 4 subnets behind the SRX as opposed to 2 in the example. I think that means a similar setup to the example, but creating 3 virtual-router instances as opposed to 1.
>
> Anyway, I think I understand the example, but I had some questions I hoped someone could answer:
>
> * It seems to me the interface-routes object, the rib-groups object and the policy-statement object are all required to allow the return traffic to the 192.168.3.0/24 subnet in its own virtual router.
>
> If that is the case, why does the rib-group import both inet.0 and ASA.inet.0?
>
> Should it not just need to import ASA.inet.0, which actually has the route to 192.168.3.0/24?
>
> Secondly, I have some questions about the policy statement:
>
> * In my case, I have 4 subnets behind the SRX I want to pass over the VPN. Can I just add extra subnets as term 2, term 3, term 4 in the existing policy-statement?
>
> * The route-filter in the policy-statement has an 'exact' suffix after the subnet. Is that required?
> In my case, one of the subnets I want to permit over the VPN is a /20 with 16 /24s within. How should I create the route-filter? As a /20 but without the 'exact'? Would the 'orlonger' match type be what I should be using?
>
> Why would you put in the 'exact' in any case?