SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSec VPN from SRX to ASA -- including NAT

    Posted 01-21-2013 09:41

    Hello, all

     

    So, I've got a VPN tunnel set up between us and another vendor. Since our internal IPs overlap, NAT has to come into play. The remote VPN device is a Cisco ASA. I have a policy-based VPN set up, and the tunnel comes up no problem. However, our internal resources that they need to access are NAT'ed.

    Within their config, they are using our NAT'ed IPs to build the SA (proxy-IDs). I have found that I have to use our NAT'ed IPs as well in the policies, or we get the whole "proxy-IDs do not match" errors.

    I just want to know if anyone has had success setting up a VPN between an SRX and an ASA while using NAT at the same time. I'd like to think that there is someone out there who has. I have looked into route-based as well, and I'm open to that also...but the issue still remains that I will have to NAT some of our internal IPs.

     

    Thanks in advance!



  • 2.  RE: IPSec VPN from SRX to ASA -- including NAT
    Best Answer

    Posted 01-23-2013 10:46

    Scott,

     

    I saw no one had responded to you yet. I've done a bunch of VPNs between every combination of devices you can imagine. My first thought with what you're trying to do is that a policy-based VPN on SRX, unless it has been changed recently, doesn't support NAT. So you must use a route-based VPN; the issue there, however, is that until Q3 this year (so I read somewhere) you cannot specify multiple proxy IDs on a route-based VPN.

    You are correct that you will want to use the NAT IPs as the proxy IDs and not the pre-NAT IPs; what is actually being sent over the tunnel is what needs to be specified. That's a general rule of thumb to keep in mind.

     

    Which side or both is doing the NAT for the VPN?



  • 3.  RE: IPSec VPN from SRX to ASA -- including NAT

    Posted 01-24-2013 04:45

    Chowza,

    Thanks for the reply! A couple of hours after I posted this, I actually got the tunnel up and running. From searching around the forums and the Interwebs, I started to look more into using a route-based VPN, and ultimately that's what ended up fixing the issue(s), along with the customer tweaking their configs as well.

    I did have success setting up multiple SAs, one for each proxy-ID, but now I'm looking into NHTB instead of using a route like:

     

    set routing-options static route 192.168.x.x next-hop [ st0.1 st0.2 st0.3 ]

     

    Each SA is going to the same destination, so there has to be a better way of doing this, I would think.

     

    Thanks again for your reply and advice, you were very helpful!



  • 4.  RE: IPSec VPN from SRX to ASA -- including NAT

    Posted 01-24-2013 06:38

    Scott,

     

    I don't know for certain that this is your requirement based on what you provided, but let's suppose you had networks A, B, C behind the SRX that need to reach network Z behind the ASA.

    Since you have 3 tunnel interfaces, we'll assume you configured 3 tunnels, each with a proxy ID of:

    st0.1  Local: Network A,  Remote: Network Z

    st0.2  Local: Network B,  Remote: Network Z

    st0.3  Local: Network C,  Remote: Network Z

    For example, if Network Z routes out st0.1, only Network A will work, not B and C.

    The workaround here would be to use filter-based forwarding: match traffic from Network B destined to Network Z and route it over st0.2 (and Network C to Network Z over st0.3). This would be a temporary workaround until Junos supports multiple proxy IDs on a route-based tunnel, allowing you to add Network B to Z and Network C to Z on st0.1; then just a destination route over st0.1 would cover all 3.

     

    Again, not sure if this is your obstacle, but it may help you regardless.
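The route-based layout described in replies 2 and 4 (NATed prefixes as proxy IDs, one Phase 2 SA per st0 unit, filter-based forwarding to steer B and C into their own tunnels), as an added worked example that is not from any poster or from Juniper's documentation. Everything concrete in it is an assumption: networks A, B, C are 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 and are presented to the vendor as 172.31.1.0/24, 172.31.2.0/24, 172.31.3.0/24; network Z is 192.168.50.0/24; the ASA peer is 203.0.113.1; the SRX uses ge-0/0/0.0 (zone untrust) towards the Internet and ge-0/0/1.0 (zone trust) towards the LAN; the zone, policy, VPN, routing-instance and filter names are made up; and, like the thread, it assumes three IPsec VPN objects can all reference the same IKE gateway. The lines starting with # are explanatory and are not part of the configuration.

```junos
# Added illustrative SRX config for the A/B/C -> Z scenario (assumed addressing).
# Internal A/B/C: 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, assumed to overlap with
# the vendor, so they are presented to the vendor as 172.31.1.0/24,
# 172.31.2.0/24, 172.31.3.0/24. Vendor network Z: 192.168.50.0/24.

# 1. Static NAT, evaluated for traffic arriving from the vpn zone. Static NAT is
#    bidirectional: the vendor reaches 172.31.1.10 and lands on 10.1.0.10, and
#    10.1.0.10 leaves towards the vendor as 172.31.1.10.
set security nat static rule-set vpn-nat from zone vpn
set security nat static rule-set vpn-nat rule net-a match destination-address 172.31.1.0/24
set security nat static rule-set vpn-nat rule net-a then static-nat prefix 10.1.0.0/24
set security nat static rule-set vpn-nat rule net-b match destination-address 172.31.2.0/24
set security nat static rule-set vpn-nat rule net-b then static-nat prefix 10.2.0.0/24
set security nat static rule-set vpn-nat rule net-c match destination-address 172.31.3.0/24
set security nat static rule-set vpn-nat rule net-c then static-nat prefix 10.3.0.0/24

# 2. Phase 1: a single IKE gateway to the ASA (replace the pre-shared key).
set security ike policy ike-asa mode main
set security ike policy ike-asa proposal-set standard
set security ike policy ike-asa pre-shared-key ascii-text "REPLACE-ME"
set security ike gateway gw-asa ike-policy ike-asa
set security ike gateway gw-asa address 203.0.113.1
set security ike gateway gw-asa external-interface ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# 3. Phase 2: one VPN (one SA, one proxy ID) per st0 unit, same gateway. The
#    proxy IDs carry the NATed prefixes, i.e. what is actually inside the
#    tunnel, so they match the ASA's crypto-map ACL.
set security ipsec policy ipsec-asa proposal-set standard
set security ipsec vpn asa-a bind-interface st0.1
set security ipsec vpn asa-a ike gateway gw-asa
set security ipsec vpn asa-a ike ipsec-policy ipsec-asa
set security ipsec vpn asa-a ike proxy-identity local 172.31.1.0/24
set security ipsec vpn asa-a ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn asa-a establish-tunnels immediately
set security ipsec vpn asa-b bind-interface st0.2
set security ipsec vpn asa-b ike gateway gw-asa
set security ipsec vpn asa-b ike ipsec-policy ipsec-asa
set security ipsec vpn asa-b ike proxy-identity local 172.31.2.0/24
set security ipsec vpn asa-b ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn asa-b establish-tunnels immediately
set security ipsec vpn asa-c bind-interface st0.3
set security ipsec vpn asa-c ike gateway gw-asa
set security ipsec vpn asa-c ike ipsec-policy ipsec-asa
set security ipsec vpn asa-c ike proxy-identity local 172.31.3.0/24
set security ipsec vpn asa-c ike proxy-identity remote 192.168.50.0/24
set security ipsec vpn asa-c establish-tunnels immediately

# 4. Unnumbered point-to-point tunnel interfaces, all in the vpn zone.
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
set security zones security-zone vpn interfaces st0.3
set security zones security-zone trust interfaces ge-0/0/1.0

# 5. Policies reference the REAL internal prefixes: static NAT is applied before
#    policy lookup, so the 172.31.x.x addresses never appear in policy matches.
set security address-book global address net-a 10.1.0.0/24
set security address-book global address net-b 10.2.0.0/24
set security address-book global address net-c 10.3.0.0/24
set security address-book global address net-z 192.168.50.0/24
set security policies from-zone trust to-zone vpn policy to-z match source-address [ net-a net-b net-c ]
set security policies from-zone trust to-zone vpn policy to-z match destination-address net-z
set security policies from-zone trust to-zone vpn policy to-z match application any
set security policies from-zone trust to-zone vpn policy to-z then permit
set security policies from-zone vpn to-zone trust policy from-z match source-address net-z
set security policies from-zone vpn to-zone trust policy from-z match destination-address [ net-a net-b net-c ]
set security policies from-zone vpn to-zone trust policy from-z match application any
set security policies from-zone vpn to-zone trust policy from-z then permit

# 6. Default path to Z is st0.1, which only carries network A's proxy ID.
set routing-options static route 192.168.50.0/24 next-hop st0.1

# 7. Filter-based forwarding steers B->Z into st0.2 and C->Z into st0.3. The
#    filter sits on LAN ingress, before NAT, so it matches pre-NAT sources.
set routing-instances via-st0-2 instance-type forwarding
set routing-instances via-st0-2 routing-options static route 192.168.50.0/24 next-hop st0.2
set routing-instances via-st0-3 instance-type forwarding
set routing-instances via-st0-3 routing-options static route 192.168.50.0/24 next-hop st0.3
set routing-options rib-groups fbf-rg import-rib [ inet.0 via-st0-2.inet.0 via-st0-3.inet.0 ]
set routing-options interface-routes rib-group inet fbf-rg
set firewall family inet filter fbf-to-z term b-to-z from source-address 10.2.0.0/24
set firewall family inet filter fbf-to-z term b-to-z from destination-address 192.168.50.0/24
set firewall family inet filter fbf-to-z term b-to-z then routing-instance via-st0-2
set firewall family inet filter fbf-to-z term c-to-z from source-address 10.3.0.0/24
set firewall family inet filter fbf-to-z term c-to-z from destination-address 192.168.50.0/24
set firewall family inet filter fbf-to-z term c-to-z then routing-instance via-st0-3
set firewall family inet filter fbf-to-z term everything-else then accept
set interfaces ge-0/0/1 unit 0 family inet filter input fbf-to-z
```

To check it, "show security ike security-associations" should list one Phase 1 SA to 203.0.113.1 and "show security ipsec security-associations" three Phase 2 pairs, one per st0 unit; if the ASA's crypto ACL does not use the same 172.31.x.x/24 and 192.168.50.0/24 pairs, the corresponding Phase 2 will fail with the proxy-ID mismatch the original poster saw (visible in "show log kmd" with IKE traceoptions on). "show security flow session destination-prefix 192.168.50.0/24" then confirms that sessions from 10.2.x egress st0.2 and from 10.3.x egress st0.3, while 10.1.x follows the inet.0 route over st0.1. Vendor-initiated traffic needs no filter: it arrives on whichever st0 unit owns the SA, and the session's reverse wing returns replies the same way.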