SRX Services Gateway
Contributor
GustavO
Posts: 72
Registered: 04-29-2009

Destination- and Source-NAT through route based VPN, Destination-NAT not working


I have an SRX650 running with two external interfaces (ge-0/0/1 and ge-0/0/2) running BGP to two other routers in my network. I have an inside interface ge-0/0/3 with a public address 1.1.1.1 which terminates a VPN connection running route-based VPN through interface st0.1. Traffic from the network on interface ge-0/0/0 (192.168.0.0/24) is source-NATed to 1.1.1.1 before being sent out through st0.1. This works OK and I can send traffic this way out the tunnel and get a response back from the other end.


I also need to use destination NAT for traffic coming from the other end to be able to reach specific hosts/ports on the internal network 192.168.0.0/24. A specific host on the other network (2.2.2.1/24) should be able to connect to 1.1.1.1:21, which I then use destination NAT to map to 192.168.0.4:21, and 1.1.1.1:80 is mapped to 192.168.0.6:80. This does not work.


I have followed the guide here http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf regarding destination NAT. The only thing described in that guide I have _not_ done is enable proxy-arp for the IP address (1.1.1.1 in this case) on interface st0.1.


Relevant parts of the configuration below:
routing-options {
    static {
        route 2.2.2.1/32 next-hop st0.1;
    }
}
security {
    ike {
        policy ike_policy_1 {
            mode main;
            description "IKE policy 1";
            proposal-set standard;
            pre-shared-key ascii-text some-password;
        }
        gateway ike_gateway_1 {
            ike-policy ike_policy_1;
            address 2.2.2.9;
            external-interface ge-0/0/3;
        }
    }
    ipsec {
        policy ipsec_policy_1 {
            description "IPSec policy 1";
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn vpn1 {
            bind-interface st0.1;
            ike {
                gateway ike_gateway_1;
                ipsec-policy ipsec_policy_1;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        source {
            pool vpn-pool {
                address {
                    1.1.1.1/32;
                }
            }
            rule-set vpn-nat {
                from interface ge-0/0/0.0;
                to interface st0.1;
                rule to-vpn-nat {
                    match {
                        source-address 192.168.0.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                vpn-pool;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool inside_host1 {
                address 192.168.0.4/32;
            }
            rule-set from_vpn_to_insde {
                from zone vpn;
                rule ftp_to_inside {
                    match {
                        source-address 2.2.2.1/32;
                        destination-address 1.1.1.1/32;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool inside_host1;
                    }
                }
            }
        }
    }
    zones {
        security-zone vpn {
            address-book {
                address vpn_ftp_host 2.2.2.1/32;
            }
            interfaces {
                st0.1;
            }
        }
        security-zone trust {
            address-book {
                address inside_network 192.168.0.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        from-zone vpn to-zone trust {
            policy default-permit {
                match {
                    source-address vpn_ftp_host;
                    destination-address inside_network;
                    application [ junos-ping junos-ftp ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy default-permit {
                match {
                    source-address inside_network;
                    destination-address vpn_ftp_host;
                    application [ junos-ping junos-ftp ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
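An added model (not from this thread or from Juniper) of how the SRX evaluates the first packet of a session against the configuration above: destination NAT first, then the route lookup, then the zone policy on the post-NAT destination, then source NAT. It assumes a connected route for 192.168.0.0/24 on ge-0/0/0.0, 1.1.1.1 as an address owned by the box, and junos-ftp reduced to TCP port 21; it shows why 2.2.2.1 to 1.1.1.1:80 never reaches 192.168.0.6 with only the port-21 rule configured.

```python
import ipaddress

# Constructed model of the thread's configuration; not a Junos parser.
ROUTES = {"2.2.2.1/32": "st0.1",            # static route from the post
          "192.168.0.0/24": "ge-0/0/0.0"}    # assumed connected route
LOCAL_ADDRS = {"1.1.1.1"}                   # assumed: address owned by the SRX
ZONE_OF = {"st0.1": "vpn", "ge-0/0/0.0": "trust"}
DST_NAT = [{"from_zone": "vpn", "src": "2.2.2.1/32", "dst": "1.1.1.1/32",
            "dport": 21, "pool": "192.168.0.4"}]      # only the port-21 rule exists
SRC_NAT = [{"from_if": "ge-0/0/0.0", "to_if": "st0.1",
            "src": "192.168.0.0/24", "pool": "1.1.1.1"}]
# (from_zone, to_zone, src, dst, allowed ports); junos-ftp reduced to port 21
POLICIES = [("vpn", "trust", "2.2.2.1/32", "192.168.0.0/24", {21}),
            ("trust", "vpn", "192.168.0.0/24", "2.2.2.1/32", {21})]

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    hits = [(ipaddress.ip_network(c).prefixlen, i) for c, i in ROUTES.items() if in_net(dst, c)]
    return max(hits)[1] if hits else None

def process_first_packet(src, dst, dport, ingress_if):
    """Apply the SRX first-packet order: dst NAT, route, zone policy, src NAT."""
    in_zone = ZONE_OF[ingress_if]
    for r in DST_NAT:                       # destination NAT is evaluated first
        if (r["from_zone"] == in_zone and in_net(src, r["src"])
                and in_net(dst, r["dst"]) and r["dport"] == dport):
            dst = r["pool"]
            break
    if dst in LOCAL_ADDRS:                  # nothing rewrote it: the SRX itself is the target
        return {"dst": dst, "egress": None, "policy": "host-inbound, not forwarded", "src": src}
    egress_if = route_lookup(dst)           # route lookup uses the post-NAT destination
    if egress_if is None:
        return {"dst": dst, "egress": None, "policy": "drop: no route", "src": src}
    out_zone = ZONE_OF[egress_if]
    permitted = any(fz == in_zone and tz == out_zone and in_net(src, s)
                    and in_net(dst, d) and dport in ports
                    for fz, tz, s, d, ports in POLICIES)   # policy sees the post-NAT dst
    if not permitted:
        return {"dst": dst, "egress": egress_if, "policy": "deny", "src": src}
    for r in SRC_NAT:                       # source NAT is applied last
        if r["from_if"] == ingress_if and r["to_if"] == egress_if and in_net(src, r["src"]):
            src = r["pool"]
    return {"dst": dst, "egress": egress_if, "policy": "permit", "src": src}
```

The model cannot see whether the remote end actually sends the packet into the tunnel; traceoptions showing no inbound hits, as reported later in the thread, points at that stage rather than at the NAT rule.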

Super Contributor
colemtb
Posts: 312
Registered: 09-30-2009

Re: Destination- and Source-NAT through route based VPN, Destination-NAT not working

On all my hosted services behind a firewall that were destination-NATed and didn't carry the same IP as the external firewall interface, I had to enable proxy-ARP on the interface for those IPs. Give it a shot.

Contributor
GustavO
Posts: 72
Registered: 04-29-2009

Re: Destination- and Source-NAT through route based VPN, Destination-NAT not working

Thanks for the hint colemtb. I've enabled proxy-arp (on interface st0.1 for address 1.1.1.1, right?). I'll have the other end try it out tomorrow to see if it works better. I actually found this: "When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface" (as a condition under which you need to use proxy-arp), which is kind of my case here, so I'll see how that works out...

Contributor
GustavO
Posts: 72
Registered: 04-29-2009

Re: Destination- and Source-NAT through route based VPN, Destination-NAT not working

OK, so I enabled proxy-arp for the address on interface st0.1 but still no luck. Since I don't manage the other end, I am quite limited in what troubleshooting I can do.

I have enabled traceoptions for traffic involving the IPs. Outbound traffic (and the response to it from the other end) is picked up by the filter, but it doesn't show any incoming traffic when it's initiated from the other end (i.e. when there are no source-NAT mappings available).


Any other clues on this? I'm quite stuck at the moment so any ideas are more than welcome!
