SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Forward Traffic VPN

    Posted 07-21-2015 19:14

     Hi guys, right now I have an infrastructure like the attachment below. The issue I have is that the Juniper does not route traffic to the VPN server (192.168.178.12) from clients in 192.168.178.0/24 to the partner destination. On the Juniper I configured a static route for the partner destination towards the VPN server (192.168.178.12) to encrypt traffic over IPsec, and configured static NAT (119.15.93.99 <-> 192.168.178.12).
    Note: when I add a route manually on my computer (ex: route add x.x.x.x mask x.x.x.x 192.168.178.12)
    I can reach the destination normally, but when I delete the route and rely on the route on the Juniper, it can't.

    If anything is unclear, please let me know. Thanks.



  • 2.  RE: Forward Traffic VPN

    Posted 07-21-2015 21:54

    Hello,

    This can be rectified by applying a source NAT rule from internet to LAN with source NAT interface. The issue is because the source IP from the internet has a different route; basically asymmetric routing is happening.

    So once you configure a source NAT from "INTERNET" to "LAN", it will help.



  • 3.  RE: Forward Traffic VPN

    Posted 07-22-2015 00:13

    Hi Joses,

    I am a bit confused by what you told me, but I will show the NAT configuration on my device.

    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.178.0/24
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

    set security nat static rule-set NatRule from zone untrust
    set security nat static rule-set NatRule rule to-VPNServer match destination-address 119.15.93.99/32
    set security nat static rule-set NatRule rule to-VPNServer then static-nat prefix 192.168.178.12/32
    set security nat proxy-arp interface ge-0/0/0.0 address 119.15.93.99/32



  • 4.  RE: Forward Traffic VPN
    Best Answer

    Posted 07-22-2015 00:23

    Hello,

    Sorry that I mistook your configuration and network setup. So the issue is that when users from 192.168.178.0/24 connect to the VPN server on IP "119.15.93.99", the connection is not working even though we have a static NAT rule (119.15.93.99 <-> 192.168.178.12).

    So this looks like static NAT hairpinning. Please check the attached KB for the same: http://kb.juniper.net/InfoCenter/index?page=content&id=KB24639 .

    So to keep it simple: just add the static NAT rule-set from zone TRUST.

    And configure source NAT from "trust to trust".

    This will solve the issue.



  • 5.  RE: Forward Traffic VPN

    Posted 07-22-2015 06:17
    Hi Joses,
    Thanks for taking the time to help me. Now I have completed the configuration and the VPN runs smoothly.
    The issue was that I did not set a security policy from zone trust to zone trust. But the article you provided is useful for me to configure the web server. Thanks
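    The full hairpin configuration the replies above describe (static NAT from zone trust, source NAT trust-to-trust, and the trust-to-trust security policy that post 5 identifies as the missing piece), written out as an added example for this thread's addresses; it is not configuration posted by either participant or taken from the KB, and the rule-set, rule and policy names are assumed.

```junos
## Constructed example for the setup in this thread: clients in 192.168.178.0/24 (zone trust)
## connect to the VPN server's public address 119.15.93.99, which the SRX maps to 192.168.178.12.
## Rule-set, rule and policy names are assumed; addresses are the ones given in the thread.

## 1. Static NAT also from zone trust, so traffic that hairpins through the SRX is
##    translated to the internal address just as traffic from zone untrust is.
set security nat static rule-set NatRule-trust from zone trust
set security nat static rule-set NatRule-trust rule to-VPNServer-hairpin match destination-address 119.15.93.99/32
set security nat static rule-set NatRule-trust rule to-VPNServer-hairpin then static-nat prefix 192.168.178.12/32

## 2. Source NAT trust-to-trust with interface NAT, so the VPN server's replies return via
##    the SRX session instead of going straight back to the client on the same LAN.
##    Static NAT is applied before source NAT, so the destination matched here is the
##    already-translated internal address.
set security nat source rule-set trust-to-trust from zone trust
set security nat source rule-set trust-to-trust to zone trust
set security nat source rule-set trust-to-trust rule hairpin-vpn match source-address 192.168.178.0/24
set security nat source rule-set trust-to-trust rule hairpin-vpn match destination-address 192.168.178.12/32
set security nat source rule-set trust-to-trust rule hairpin-vpn then source-nat interface

## 3. Intra-zone policy: without it the hairpinned session is dropped at policy lookup.
##    Kept narrow on purpose: only the client subnet to the VPN server is permitted.
set security zones security-zone trust address-book address LAN-clients 192.168.178.0/24
set security zones security-zone trust address-book address VPN-server 192.168.178.12/32
set security policies from-zone trust to-zone trust policy allow-vpn-hairpin match source-address LAN-clients
set security policies from-zone trust to-zone trust policy allow-vpn-hairpin match destination-address VPN-server
set security policies from-zone trust to-zone trust policy allow-vpn-hairpin match application any
set security policies from-zone trust to-zone trust policy allow-vpn-hairpin then permit
```

    To verify after commit, look at the session from operational mode with "show security flow session destination-prefix 192.168.178.12": the hairpinned session should show the destination translated to 192.168.178.12 and the source translated to the SRX's trust interface address.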


  • 6.  RE: Forward Traffic VPN

    Posted 07-22-2015 06:25

    Hello,

    Thanks for the update and for posting your outcome. Glad that it helped in some way ;)