SRX Services Gateway
iam.michaelmyers

IPsec VPN - Juniper SRX to Cisco ASA - need help with NAT - external IP to internal IP for the IPsec tunnel only

I'm looking for help with an IPsec tunnel that I need to build. I have a client who needs us to provide him a public IP address that we can then NAT to our internal host IP. We normally use only one public IP, which we give out to all of our clients for their IPsec tunnels, but this client needs to connect to us from his Cisco ASA 5510 and needs us to provide him with a dedicated public IP. I can't NAT our existing public IP, as that would break all of my other existing IPsec tunnels. I have another public IP I can use, but I am uncertain how to make this work.

 

I am attaching my normal IPsec VPN configuration, which uses our primary public IP. If you can help, please contact me and I can explain my goal in more detail.

 


+    policy Hospital1 {
+        mode main;
+        description "connection to hospital1";
+        proposals AES128_SHA1_Long;
+        pre-shared-key ascii-text "$9$kqmfTz3tu1hSaUHqf5RhcSvLX7-wsgdVDk"; ## SECRET-DATA
+    }
[edit security ike]
     
+    gateway Hospital1 {
+        ike-policy Hospital1;
+        address 208.89.120.5;
+        external-interface reth0.0;
+    }
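Review bot: The IKE policy this gateway references (`ike-policy Hospital1`, shown in the policy block above) carries a `$9$` pre-shared key that has now been posted publicly; `$9$` is reversible obfuscation, not a hash, so that PSK should be treated as disclosed and rotated on both the SRX and the ASA before this tunnel goes live. No `dead-peer-detection` is set on the gateway, so a dead ASA peer is only noticed when the SA lifetime expires; `dead-peer-detection { interval 10; threshold 3; }` under the gateway is the usual addition. For the second public address you are asking about, `address` here is the remote peer and the local peer address is taken from `reth0.0`; if your release supports `local-address` under `[edit security ike gateway]`, that is where a secondary address on reth0.0 would be selected for this peer alone without touching the other tunnels — verify against your release's documentation.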
[edit security ipsec]
    
+    policy Hospital1 {
+        proposals AES128_SHA1_Long;
+    }
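Review bot: The IPsec policy sets only `proposals AES128_SHA1_Long` and no `perfect-forward-secrecy keys`, so Phase 2 keys are derived from the Phase 1 keying material and a compromised IKE SA exposes every child SA for its lifetime. Add `perfect-forward-secrecy keys group14;` (or the strongest group the ASA 5510 peer supports) and set the matching `pfs group` in the ASA crypto map, since a PFS mismatch fails Phase 2 with little diagnostic output. The `AES128_SHA1_Long` proposal is defined outside this listing, so its lifetime and DH group cannot be checked here.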
[edit security ipsec]
     vpn Group_Health { ... }
+    vpn Hospital1 {
+        ike {
+            gateway Hospital1;
+            ipsec-policy Hospital1;
+        }
+        establish-tunnels immediately;
+    }
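Review bot: `vpn Hospital1` has no `vpn-monitor`, so with `establish-tunnels immediately` the SRX brings the tunnel up once but cannot detect and re-negotiate a tunnel that has gone black until the SA expires; `vpn-monitor { optimized; }` (with a reachable `destination-ip` if the peer does not answer ICMP through the tunnel) is the usual addition. Without `bind-interface` this is a policy-based VPN, so the proxy-IDs are presumably derived from the address-sets on the pair policies, one Phase 2 SA per local/remote pair, which the ASA crypto ACL has to mirror exactly — confirm against the ASA side.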
[edit security nat source rule-set 0]
       rule 008 { ... }
+      /* Hospital1 Nonat for VPN */
+      rule 009 {
+          match {
+              source-address 10.216.41.114/32;
+              destination-address [ 208.89.127.224/32 208.89.125.246/32 208.89.125.244/32 208.89.127.225/32 208.89.127.25/32 208.89.127.106/32 67.215.65.132/32 ];
+          }
+          then {
+              source-nat {
+                  off;
+              }
+          }
+      }
       rule 255 { ... }
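Review bot: The NAT-exemption destination list in rule 009 includes `67.215.65.132/32`, which is not among the `Hospital1_*` addresses added to the untrust address-book further down, so traffic from 10.216.41.114 to that host is exempted from source NAT but never matched by the tunnel policy — it will either hit a later clear-text policy carrying its private source address or be dropped. Either add it to the address-set or remove it from this rule so the NAT exemption and the tunnel policy cover the same set of destinations. For the dedicated public IP you describe, the usual pattern in a policy-based tunnel is a source-NAT pool holding that address in place of `off`, scoped to these destinations, plus a matching static or destination NAT for inbound; the proxy-ID the ASA then sees is the public address, so its crypto ACL must reference that — this is inferred from your question, not from the listing.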
[edit security zones security-zone untrust address-book]
       address Server_Interfaces { ... }
+      address Hospital1_1 208.89.127.224/32;
+      address Hospital1_2 208.89.125.246/32;
+      address Hospital1_3 208.89.125.244/32;
+      address Hospital1_4 208.89.127.225/32;
+      address Hospital1_5 208.89.127.25/32;
+      address Hospital1_6 208.89.127.106/32;
[edit security zones security-zone untrust address-book]
       address-set Wayne_memorial_IP { ... }
+      address-set Hospital1_IPs {
+          address Hospital1_1;
+          address Hospital1_2;
+          address Hospital1_3;
+          address Hospital1_4;
+          address Hospital1_5;
+          address Hospital1_6;
+      }
[edit security policies from-zone untrust to-zone trust]
     
+     policy U2T_Hospital1 {
+         match {
+             source-address Hospital1_IPs;
+             destination-address Server_Interface_PAML;
+             application any;
+         }
+         then {
+             permit {
+                 tunnel {
+                     ipsec-vpn Hospital1;
+                     pair-policy T2U_Hospital1;
+                 }
+             }
+         }
+     }
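Review bot: `application any` on `U2T_Hospital1` lets every port and protocol from the six hospital hosts reach `Server_Interface_PAML`, which is far broader than a single-host integration normally needs; restrict `application` to the specific services (a custom `application` for the listening port, or the matching `junos-*` entry) and add `log { session-init; session-close; }` under `then` so traffic over the tunnel is auditable. `Server_Interface_PAML` is defined outside this listing, so whether it is a single host or a wider range cannot be checked here.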
[edit security policies from-zone trust to-zone untrust]
      policy allow_int_out { ... }
+     policy T2U_Hospital1 {
+         match {
+             source-address Server_Interface_PAML;
+             destination-address Hospital1_IPs;
+             application any;
+         }
+         then {
+             permit {
+                 tunnel {
+                     ipsec-vpn Hospital1;
+                     pair-policy U2T_Hospital1;
+                 }
+             }
+         }
+     }
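Review bot: `T2U_Hospital1` is appended after `allow_int_out` in the trust-to-untrust policy list, and Junos evaluates policies in order, so if `allow_int_out` matches traffic from `Server_Interface_PAML` to `Hospital1_IPs` (its match terms are not shown) the tunnel policy is shadowed and that traffic leaves reth0.0 in clear text — and, given the rule 009 NAT exemption, with its private source address. Move it ahead with `insert security policies from-zone trust to-zone untrust policy T2U_Hospital1 before policy allow_int_out` and confirm with `show security policies from-zone trust to-zone untrust` that it is listed first. The same ordering check applies to `U2T_Hospital1` against any earlier untrust-to-trust policies not shown here.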

{primary:node0}[edit]
