SRX

  • 1.  Ipsec route-based with NAT Static

    Posted 04-03-2015 04:41

    Hi guys,

    In my topology I use vSRX and ASA (8.4). I made a route-based IPsec VPN on the SRX and a standard site-to-site IPsec VPN on the ASA.
    For my topology I need to static NAT the internal network to NAT networks for this VPN. Remote side network (ASA): 192.168.1.0/24; local side network (SRX): 192.168.2.0/24.

    When a packet from an internal network host (10.20.30.40) goes to 192.168.1.0/24 it is NAT translated to IP 192.168.2.1/24; on the remote side I do this too. On the ASA this feature is called Static NAT Policy.

    When I use network 192.168.2.0/24 as internal (no NAT used), ping and other packets work fine. Packets go into the tunnel and are encrypted and decrypted. When I use NAT on the SRX, packets don't go from the SRX, and not from the ASA either.
    I think the trouble is in the internal processing of the SRX: in the VR I see the ping to the host, but packets don't go.

    Maybe I don't understand how the SRX works with this feature, but I can't find any example for this topology, only without this "NAT".

    Config and topology are attached.

    srx-asa.jpeg

    set version 12.1X47-D10.4
    set system root-authentication encrypted-password "$1$LfRNmTFY$oB.PNlUHaquwXUhIFinzq1"
    set system services ssh
    set system services web-management http interface ge-0/0/0.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
    set interfaces lt-0/0/0 unit 0 encapsulation ethernet
    set interfaces lt-0/0/0 unit 0 peer-unit 1
    set interfaces lt-0/0/0 unit 0 family inet address 30.0.0.1/30
    set interfaces lt-0/0/0 unit 1 encapsulation ethernet
    set interfaces lt-0/0/0 unit 1 peer-unit 0
    set interfaces lt-0/0/0 unit 1 family inet address 30.0.0.2/30
    set interfaces ge-0/0/1 unit 0 family inet filter input PCAP
    set interfaces ge-0/0/1 unit 0 family inet filter output PCAP
    set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
    deactivate interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 99.99.99.1/24
    set interfaces lo0 unit 0 family inet address 10.20.30.40/24
    set interfaces st0 unit 0 family inet address 9.9.9.9/24
    set forwarding-options sampling input rate 1
    set forwarding-options sampling input run-length 1
    set forwarding-options sampling family inet output file filename SRX
    set routing-options static route 192.168.1.0/24 next-hop st0.0
    set protocols ospf export export_default
    set protocols ospf area 0.0.0.0 interface lt-0/0/0.1
    set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
    set policy-options policy-statement export_default from protocol static
    set policy-options policy-statement export_default then accept
    set security ike proposal ike_proporsal authentication-method pre-shared-keys
    set security ike proposal ike_proporsal dh-group group5
    set security ike proposal ike_proporsal authentication-algorithm sha1
    set security ike proposal ike_proporsal encryption-algorithm aes-256-cbc
    set security ike policy ike_policy mode main
    set security ike policy ike_policy proposals ike_proporsal
    set security ike policy ike_policy pre-shared-key ascii-text "$9$11Whcl7Nb2oGSrb2"
    set security ike gateway ike_gateway ike-policy ike_policy
    set security ike gateway ike_gateway address 1.1.1.2
    set security ike gateway ike_gateway external-interface ge-0/0/0
    set security ipsec proposal ipsec_proporsal protocol esp
    set security ipsec proposal ipsec_proporsal authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsec_proporsal encryption-algorithm aes-256-cbc
    set security ipsec policy ipsec_policy proposals ipsec_proporsal
    set security ipsec vpn ipsec_vpn bind-interface st0.0
    set security ipsec vpn ipsec_vpn ike gateway ike_gateway
    set security ipsec vpn ipsec_vpn ike proxy-identity local 192.168.2.0/24
    set security ipsec vpn ipsec_vpn ike proxy-identity remote 192.168.1.0/24
    set security ipsec vpn ipsec_vpn ike ipsec-policy ipsec_policy
    set security ipsec vpn ipsec_vpn establish-tunnels immediately
    set security address-book global address 192.168.1.0/24 192.168.1.0/24
    set security address-book global address 192.168.2.0/24 192.168.2.0/24
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat traceoptions file nat_ipsec
    set security nat traceoptions flag all
    set security nat destination pool VPN_1 address 192.168.2.1/32
    set security nat destination rule-set 1 from zone trust
    set security nat destination rule-set 1 rule 1 match source-address 10.20.30.40/32
    set security nat destination rule-set 1 rule 1 match destination-address 192.168.1.0/24
    set security nat destination rule-set 1 rule 1 then destination-nat pool VPN_1
    set security nat proxy-arp interface st0.0 address 192.168.2.1/24
    deactivate security nat proxy-arp interface st0.0
    set security nat proxy-arp interface lt-0/0/0.1 address 192.168.2.1/24
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy default-deny match source-address any
    set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
    set security policies from-zone untrust to-zone trust policy default-deny match application any
    set security policies from-zone untrust to-zone trust policy default-deny then deny
    set security policies from-zone vpn to-zone trust policy PERMIT match source-address 192.168.1.0/24
    set security policies from-zone vpn to-zone trust policy PERMIT match destination-address 192.168.2.0/24
    set security policies from-zone vpn to-zone trust policy PERMIT match application any
    set security policies from-zone vpn to-zone trust policy PERMIT then permit
    set security policies from-zone trust to-zone vpn policy PERMIT match source-address 192.168.2.0/24
    set security policies from-zone trust to-zone vpn policy PERMIT match destination-address 192.168.1.0/24
    set security policies from-zone trust to-zone vpn policy PERMIT match application any
    set security policies from-zone trust to-zone vpn policy PERMIT then permit
    set security policies from-zone trust to-zone vr_2 policy permit match source-address any
    set security policies from-zone trust to-zone vr_2 policy permit match destination-address any
    set security policies from-zone trust to-zone vr_2 policy permit match application any
    set security policies from-zone trust to-zone vr_2 policy permit then permit
    set security policies from-zone vr_2 to-zone trust policy permit match source-address any
    set security policies from-zone vr_2 to-zone trust policy permit match destination-address any
    set security policies from-zone vr_2 to-zone trust policy permit match application any
    set security policies from-zone vr_2 to-zone trust policy permit then permit
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone vpn host-inbound-traffic system-services ike
    set security zones security-zone vpn host-inbound-traffic system-services ping
    set security zones security-zone vpn interfaces st0.0
    set security zones security-zone vr_2 host-inbound-traffic system-services all
    set security zones security-zone vr_2 host-inbound-traffic protocols all
    set security zones security-zone vr_2 interfaces lt-0/0/0.0
    set firewall filter PCAP term 1 then sample
    set firewall filter PCAP term 1 then accept
    set routing-instances 123 instance-type virtual-router
    set routing-instances 123 interface lt-0/0/0.0
    set routing-instances 123 interface lo0.0
    set routing-instances 123 routing-options static route 192.168.1.0/24 next-hop 99.99.99.1
    set routing-instances 123 routing-options static route 0.0.0.0/0 next-hop 99.99.99.1
    set routing-instances 123 protocols ospf area 0.0.0.0 interface lo0.0
    set routing-instances 123 protocols ospf area 0.0.0.0 interface lt-0/0/0.0

    On ASA

    ASA Version 9.2(1)
    !
    hostname ASA1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    !
    interface GigabitEthernet0/0
    description to SRX
    nameif outside
    security-level 0
    ip address 1.1.1.2 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 40.30.20.1 255.255.255.0
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/7
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/8
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    management-only
    nameif management
    security-level 0
    ip address 10.20.20.11 255.255.255.0
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network LAN
    host 40.30.20.10
    object-group network LAN_for_VPN
    network-object 192.168.1.0 255.255.255.0
    object-group network LAN_REMOTE
    network-object 192.168.2.0 255.255.255.0
    object-group network obg-192.168.1.1
    network-object host 192.168.1.1
    access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list VPN2 extended permit ip any any
    access-list VPN3 extended permit ip any any
    pager lines 23
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static LAN obg-192.168.1.1 destination static LAN_REMOTE LAN_REMOTE
    route management 0.0.0.0 0.0.0.0 10.20.20.1 1
    route outside 192.168.2.0 255.255.255.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map MAP 1 match address VPN
    crypto map MAP 1 set peer 1.1.1.1
    crypto map MAP 1 set ikev1 transform-set TS
    crypto map MAP interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh 0.0.0.0 0.0.0.0 management
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    !
    tls-proxy maximum-session 500
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy default internal
    group-policy default attributes
    vpn-tunnel-protocol ikev1
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group 1 type remote-access
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    ikev1 pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect rtsp
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect esmtp
    inspect sqlnet
    inspect sip
    inspect skinny
    inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly 8
    subscribe-to-alert-group configuration periodic monthly 8
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:546973509767703cf7bbe644813672e8
    : end



  • 2.  RE: Ipsec route-based with NAT Static
    Best Answer

    Posted 04-03-2015 05:41

    Hi MonaxGT,

    I can see 10.20.30.40 is configured on lo0, which is part of routing-instance 123. In this case your NAT rule-set should say from/to routing-instance; only then will the packet hit the NAT rules.

    Also, lo0 is not part of any security zone; please configure the same.

    In addition to that, your security policy should have the IP before source NAT, as policy lookup happens before source NAT.

    This is actually similar to the configuration of a site-to-site VPN with overlapping subnets on both sides, and you can follow the NAT/policy configurations in the document below.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28183
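    The three points in the answer above all come down to where in the SRX first-packet flow a given lookup happens: a NAT rule-set is matched against the ingress context (zone or routing-instance) of the packet, an interface that belongs to no security zone never reaches policy lookup, and policy lookup runs after destination NAT but before source NAT. The Python model below is an added example, not code from the thread, from Juniper or from the KB article; it walks one constructed packet through that order (ingress context, destination NAT, route lookup, policy lookup, source NAT) over a constructed topology loosely following the posted config. It assumes lo0.0 has been placed in zone vr_2 (the zone the posted config already uses for routing-instance 123), a simplified VR 123 routing table, and hypothetical rule-set, policy and helper names.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (hypothetical, loosely following the posted config):
# interface -> (security zone, routing-instance). lo0.0 is assumed placed in
# zone vr_2, the zone the posted config already uses for routing-instance 123.
INTERFACES = {
    "lo0.0": ("vr_2", "123"),
    "st0.0": ("vpn", "inet.0"),
}
# Constructed routing table of VR 123: the remote VPN prefix is reached via st0.0.
ROUTES = {"123": [("192.168.1.0/24", "st0.0")]}

# Constructed source-NAT rule: 10.20.30.40 appears as 192.168.2.1 inside the tunnel.
NAT_RULE = {"src": "10.20.30.40/32", "dst": "192.168.1.0/24", "translate": "192.168.2.1"}
SNAT_FROM_ZONE_TRUST = [{"from": ("zone", "trust"), "to": ("zone", "vpn"), "rules": [NAT_RULE]}]
SNAT_FROM_RI_123 = [{"from": ("routing-instance", "123"), "to": ("zone", "vpn"), "rules": [NAT_RULE]}]

# Constructed policies: one names the post-NAT source, one the real (pre-NAT) source.
POLICY_POST_NAT_SRC = [{"from": "vr_2", "to": "vpn", "src": "192.168.2.0/24",
                        "dst": "192.168.1.0/24", "action": "permit"}]
POLICY_PRE_NAT_SRC = [{"from": "vr_2", "to": "vpn", "src": "10.20.30.40/32",
                       "dst": "192.168.1.0/24", "action": "permit"}]

# Constructed test packet: the loopback host pings a host behind the ASA.
PACKET = {"src": "10.20.30.40", "dst": "192.168.1.10", "in_if": "lo0.0"}


def in_net(addr, net):
    return ip_address(addr) in ip_network(net, strict=False)


def ctx_matches(ctx, zone, ri):
    """ctx is ('zone', name) or ('routing-instance', name); a None zone never matches."""
    kind, name = ctx
    return name == (zone if kind == "zone" else ri)


def lookup_route(table, dst):
    """Longest-prefix match over (prefix, egress interface) pairs; None if no route."""
    best = None
    for prefix, out_if in table:
        net = ip_network(prefix, strict=False)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, out_if)
    return best[1] if best else None


def apply_nat(rule_sets, src, dst, zone_in, ri_in, zone_out=None, ri_out=None):
    """First matching rule in the first rule-set whose from/to context matches."""
    for rs in rule_sets:
        if not ctx_matches(rs["from"], zone_in, ri_in):
            continue
        if "to" in rs and not ctx_matches(rs["to"], zone_out, ri_out):
            continue
        for rule in rs["rules"]:
            if in_net(src, rule["src"]) and in_net(dst, rule["dst"]):
                return rule["translate"]
    return None


def process(packet, interfaces, routes, dnat, snat, policies):
    """Walk one first packet through the SRX flow order and return the verdict."""
    src, dst = packet["src"], packet["dst"]
    zone_in, ri_in = interfaces[packet["in_if"]]
    if zone_in is None:  # point (2): an interface in no zone cannot pass policy
        return {"action": "drop", "reason": "ingress interface is in no security zone"}
    # destination NAT is matched on the ingress context only
    dst = apply_nat(dnat, src, dst, zone_in, ri_in) or dst
    # route lookup in the ingress routing-instance, on the post-destination-NAT address
    out_if = lookup_route(routes[ri_in], dst)
    if out_if is None:
        return {"action": "drop", "reason": "no route"}
    zone_out, ri_out = interfaces[out_if]
    # policy lookup sees the post-destination-NAT dst and the pre-source-NAT src (point 3)
    for p in policies:
        if (p["from"], p["to"]) == (zone_in, zone_out) and in_net(src, p["src"]) and in_net(dst, p["dst"]):
            if p["action"] != "permit":
                return {"action": "drop", "reason": "policy denies"}
            break
    else:
        return {"action": "drop", "reason": "no matching policy"}
    # source NAT runs last; its rule-set must match the ingress context (point 1)
    src = apply_nat(snat, src, dst, zone_in, ri_in, zone_out, ri_out) or src
    return {"action": "permit", "src": src, "dst": dst, "out_if": out_if}


def run_scenarios():
    """Verdicts for the four configurations the answer above distinguishes."""
    lo0_no_zone = dict(INTERFACES, **{"lo0.0": (None, "123")})
    return {
        "lo0_in_no_zone": process(PACKET, lo0_no_zone, ROUTES, [], SNAT_FROM_RI_123, POLICY_PRE_NAT_SRC),
        "rule_set_from_zone_trust": process(PACKET, INTERFACES, ROUTES, [], SNAT_FROM_ZONE_TRUST, POLICY_PRE_NAT_SRC),
        "policy_names_post_nat_src": process(PACKET, INTERFACES, ROUTES, [], SNAT_FROM_RI_123, POLICY_POST_NAT_SRC),
        "rule_set_from_ri_and_pre_nat_policy": process(PACKET, INTERFACES, ROUTES, [], SNAT_FROM_RI_123, POLICY_PRE_NAT_SRC),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40} {verdict}")
```

    Running it shows the packet dropped when lo0.0 is in no zone, forwarded untranslated when the rule-set says from zone trust (the packet enters from vr_2, so the rule-set never applies), dropped for lack of a policy when the policy names the post-NAT 192.168.2.0/24 source, and forwarded with source 192.168.2.1 only when the rule-set matches the routing-instance and the policy names the pre-NAT 10.20.30.40.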



  • 3.  RE: Ipsec route-based with NAT Static

    Posted 04-06-2015 01:32

    Hi rsuraj,

    I read the KB and did as described there, and IPsec+NAT works fine, thanks. But I don't understand why static NAT works in the untrust zone but doesn't work in the trust zone. In the SRX processing scheme I see that static NAT is used in the untrust zone, but if I want to use static NAT in the trust zone and set dest-addr REMOTE_NETWORK, my NAT doesn't work...



  • 4.  RE: Ipsec route-based with NAT Static

    Posted 04-06-2015 01:43

    Can you share the trust-zone static NAT configuration that you are referring to, to have a better understanding and avoid confusion?