One way traffic issue between Juniper-NS5GT Firewall and ASA
henp25 last edited by
We have a an IPSEC VPN tunnel configured between (A)Juniper-NS5GT firewall and a (b)Cisco ASA5505. My tunnel is up between both devices, LAN traffic sitting behind the Juniper (a) is able to ping / RDP to hosts on the LAN side that sits behind the ASA (b). The problem is neither ping / RDP work from the ASA to the Juniper. I’m not too familiar with Junipers tools, but on the ASA I was able to replicate a virtual packet that would mimic RDP traffic leaving the ASA’s LAN interface traversing over the VPN and finally getting to its destination network which lives behind the Juniper FW. More interestingly is the fact that a packet capture shows LAN traffic entering the ASA in turn leaving however it’s not returning. This is when I began to investigate what could possibly be wrong with the Juniper configuration - in fact it’s confusing since I was able to successfully test RDP from the Juniper to the ASA.
I’ve checked the following on the Juniper:
VPN Gateway - checked
Outgoing interface is that of the WAN (Untrusted Zone)
Peer IP address - checked
preshared key - checked (Of course otherwise the tunnel would have never came up)
For the “AutoKe IKE” settings
Remote Gateway - predefined - correct gateway is selected - checked
Outgoing interface is that of the LAN (Trusted Zone) - checked
Tunnel binding - checked
Proxy-ID - checked
phase 1 & 2 settings - checked
Tunnel interface settings - checked
route statements - checked
Policies from trusted to untrusted networks and vice versa - checked
Trust to untruest zones - it references the correct tunnel IF for the specified Remote-LAN networks - checked
Maybe I’ve wasted too many hours on this - but I’m at freeze and can’t seem to figure out what ping / RDP works from one end and not the other.
I’m hoping someone has either been through this problem and has a resolution they can point to or at the very least maybe shed some light as I have sort of exhausted my ideas on what the problem might be.