SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual NAT with IPSec VPN

    Posted 05-10-2011 03:50

    I have a problem whereby I would like to configure dual NAT across an IPsec VPN, i.e. I have overlapping address space between the two VPN endpoints.

     

    10/8 -- SRX ------INTERNET ------- Cisco IOS------ 10/8

                 <----------- IPSEC VPN --------->

              ^

              |

    Dual NAT (Static)

     

    The problem I have is that if I configure a policy-based VPN, the policy will not reflect the proxy-IDs of the remote side, i.e. the policy will include the pre-NAT source address and the post-NAT destination address, whereas the remote side (IOS) proxy-ID will have the two post-NATted addresses.

    If I manually define the proxy-IDs as the two pre-NATted addresses so as to match the IOS VPN, the SRX sends any/any proxy-IDs.

    Has anyone got any hints that may help out in this case?

     

    Thanks very much

     

    Tom



  • 2.  RE: Dual NAT with IPSec VPN

    Posted 05-10-2011 05:01

    Hi

     

    For such a task, it is usually suggested to use a route-based VPN. Create a unit x on the st0 interface

    and bind your VPN to st0.x. Create a route directing traffic to this interface.

    Then configure static NAT - it should be working perfectly.

     

    As for the proxy-ID mismatch, this sounds like a different problem. For any VPN (policy- or route-based),

    configuring manual proxy-IDs should work. If it doesn't, then please show us your config.



  • 3.  RE: Dual NAT with IPSec VPN

    Posted 05-10-2011 05:12

    pk is right on the money. NAT and policy-based VPN do not mix. This has to do with the way NAT is processed - both pre- and post-policy - which means your traffic won't match your policy, or if you make the policy match, the proxy-ids are off. Use route-based instead.

     

    In this case, it's pretty simple, since it's 10/8 on either side. If you have multiple objects / networks on the IOS side, you'll need multiple proxy IDs. Use NHTB for that. If you search the forums for NHTB, I think you may find a post showing an example.

     


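    The route-based layout pk and tbehrens describe (a unit on st0, the VPN bound to it, a static route into the tunnel, static NAT, and manually set proxy-IDs), written out as an added Junos set-format example. This is not Tom's attached config; the addresses, interface names and object names are assumed: the local 10.1.1.0/24 is presented to the peer as 192.0.2.0/24, the peer presents its own 10.1.1.0/24 to us as 198.51.100.0/24 (translated on the IOS side, which is not shown), the peer's public address is 203.0.113.2 and our external interface is ge-0/0/0.0.

```junos
## Added example, not from the thread. Assumed: local LAN 10.1.1.0/24 appears to the
## peer as 192.0.2.0/24; the peer's overlapping 10.1.1.0/24 appears to us as
## 198.51.100.0/24 (translated by the IOS side); peer public IP 203.0.113.2.

## 1. One unit on st0, in its own security zone
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

## 2. IKE/IPsec, VPN bound to st0.0; proxy-IDs set by hand to the post-NAT
##    prefixes so they match the crypto ACL on the IOS router
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-SHARED-SECRET"
set security ike gateway gw-ios ike-policy ike-pol
set security ike gateway gw-ios address 203.0.113.2
set security ike gateway gw-ios external-interface ge-0/0/0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-ios bind-interface st0.0
set security ipsec vpn vpn-ios ike gateway gw-ios
set security ipsec vpn vpn-ios ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-ios ike proxy-identity local 192.0.2.0/24
set security ipsec vpn vpn-ios ike proxy-identity remote 198.51.100.0/24
set security ipsec vpn vpn-ios ike proxy-identity service any
set security ipsec vpn vpn-ios establish-tunnels immediately

## 3. Route the peer's translated prefix into the tunnel
set routing-options static route 198.51.100.0/24 next-hop st0.0

## 4. Static NAT for traffic arriving from the tunnel: 192.0.2.x <-> 10.1.1.x.
##    Static NAT is bidirectional, so sessions started from trust are translated too.
set security nat static rule-set from-vpn from zone vpn
set security nat static rule-set from-vpn rule local-lan match destination-address 192.0.2.0/24
set security nat static rule-set from-vpn rule local-lan then static-nat prefix 10.1.1.0/24

## 5. Policies: destination NAT is applied before policy lookup, so the vpn->trust
##    policy matches the real local prefix; the peer is always seen as 198.51.100.0/24
set security zones security-zone trust address-book address local-lan 10.1.1.0/24
set security zones security-zone vpn address-book address peer-lan-nat 198.51.100.0/24
set security policies from-zone trust to-zone vpn policy to-peer match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-peer match destination-address peer-lan-nat
set security policies from-zone trust to-zone vpn policy to-peer match application any
set security policies from-zone trust to-zone vpn policy to-peer then permit
set security policies from-zone vpn to-zone trust policy from-peer match source-address peer-lan-nat
set security policies from-zone vpn to-zone trust policy from-peer match destination-address local-lan
set security policies from-zone vpn to-zone trust policy from-peer match application any
set security policies from-zone vpn to-zone trust policy from-peer then permit
```

    After committing, `show security ike security-associations` and `show security ipsec security-associations` should show the tunnel up with the 192.0.2.0/24 / 198.51.100.0/24 proxy-IDs rather than any/any.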

  • 4.  RE: Dual NAT with IPSec VPN

    Posted 05-11-2011 13:17

    Thanks very much tbehrens. I'll let you know how I go with it.

     

    cheers Tom



  • 5.  RE: Dual NAT with IPSec VPN

    Posted 05-12-2011 05:19

    Got that going thanks for the help.

     

    Configs here if anyone needs them. The SRX config has some D-VPN config in it which should be ignored: any policies, profiles, etc. starting with DVPN.

     

    cheers Tom




  • 6.  RE: Dual NAT with IPSec VPN
    Best Answer

    Posted 05-12-2011 05:21




  • 7.  RE: Dual NAT with IPSec VPN

    Posted 05-11-2011 13:16

    Thanks very much pk, I'll give it a try and let you know how it goes.

     

    cheers Tom