Hi guys,
In my topologe i use vsrx and asa(8.4). I make Route-based IPSEC on SRX and standart s2s-ipsec on ASA.
For my topology need to Static NAT internal network to NAT networks for this VPN. Remote side network (ASA)- 192.168.1,0/24, local side network (SRX) - 192.168.2.0/24.
When packet from internal network host (10.20.30.40) go to 192.168.1.0/24 it nat translated to IP 192.168.2.1/24, on remote side i make this too. On asa this features is called Static NAT Policy.
When i use network 192.168.2.0/24 as internal (No NAT using), ping and other packet works fine. Packets go to tunnel, enc and decrem, When i use NAT on SRX - packets don't go from SRX, and from ASA.
I think that trouble in internal process of SRX, and you VR how ping host< but packets don't go.
Maybe i don't undestand how works SRX with this features, but i don't find any example for this topology, only without this "NAT"
Config and topology in attach.
set version 12.1X47-D10.4
set system root-authentication encrypted-password "$1$LfRNmTFY$oB.PNlUHaquwXUhIFinzq1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 30.0.0.1/30
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 30.0.0.2/30
set interfaces ge-0/0/1 unit 0 family inet filter input PCAP
set interfaces ge-0/0/1 unit 0 family inet filter output PCAP
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
deactivate interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 99.99.99.1/24
set interfaces lo0 unit 0 family inet address 10.20.30.40/24
set interfaces st0 unit 0 family inet address 9.9.9.9/24
set forwarding-options sampling input rate 1
set forwarding-options sampling input run-length 1
set forwarding-options sampling family inet output file filename SRX
set routing-options static route 192.168.1.0/24 next-hop st0.0
set protocols ospf export export_default
set protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set policy-options policy-statement export_default from protocol static
set policy-options policy-statement export_default then accept
set security ike proposal ike_proporsal authentication-method pre-shared-keys
set security ike proposal ike_proporsal dh-group group5
set security ike proposal ike_proporsal authentication-algorithm sha1
set security ike proposal ike_proporsal encryption-algorithm aes-256-cbc
set security ike policy ike_policy mode main
set security ike policy ike_policy proposals ike_proporsal
set security ike policy ike_policy pre-shared-key ascii-text "$9$11Whcl7Nb2oGSrb2"
set security ike gateway ike_gateway ike-policy ike_policy
set security ike gateway ike_gateway address 1.1.1.2
set security ike gateway ike_gateway external-interface ge-0/0/0
set security ipsec proposal ipsec_proporsal protocol esp
set security ipsec proposal ipsec_proporsal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_proporsal encryption-algorithm aes-256-cbc
set security ipsec policy ipsec_policy proposals ipsec_proporsal
set security ipsec vpn ipsec_vpn bind-interface st0.0
set security ipsec vpn ipsec_vpn ike gateway ike_gateway
set security ipsec vpn ipsec_vpn ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ipsec_vpn ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn ipsec_vpn ike ipsec-policy ipsec_policy
set security ipsec vpn ipsec_vpn establish-tunnels immediately
set security address-book global address 192.168.1.0/24 192.168.1.0/24
set security address-book global address 192.168.2.0/24 192.168.2.0/24
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat traceoptions file nat_ipsec
set security nat traceoptions flag all
set security nat destination pool VPN_1 address 192.168.2.1/32
set security nat destination rule-set 1 from zone trust
set security nat destination rule-set 1 rule 1 match source-address 10.20.30.40/32
set security nat destination rule-set 1 rule 1 match destination-address 192.168.1.0/24
set security nat destination rule-set 1 rule 1 then destination-nat pool VPN_1
set security nat proxy-arp interface st0.0 address 192.168.2.1/24
deactivate security nat proxy-arp interface st0.0
set security nat proxy-arp interface lt-0/0/0.1 address 192.168.2.1/24
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone vpn to-zone trust policy PERMIT match source-address 192.168.1.0/24
set security policies from-zone vpn to-zone trust policy PERMIT match destination-address 192.168.2.0/24
set security policies from-zone vpn to-zone trust policy PERMIT match application any
set security policies from-zone vpn to-zone trust policy PERMIT then permit
set security policies from-zone trust to-zone vpn policy PERMIT match source-address 192.168.2.0/24
set security policies from-zone trust to-zone vpn policy PERMIT match destination-address 192.168.1.0/24
set security policies from-zone trust to-zone vpn policy PERMIT match application any
set security policies from-zone trust to-zone vpn policy PERMIT then permit
set security policies from-zone trust to-zone vr_2 policy permit match source-address any
set security policies from-zone trust to-zone vr_2 policy permit match destination-address any
set security policies from-zone trust to-zone vr_2 policy permit match application any
set security policies from-zone trust to-zone vr_2 policy permit then permit
set security policies from-zone vr_2 to-zone trust policy permit match source-address any
set security policies from-zone vr_2 to-zone trust policy permit match destination-address any
set security policies from-zone vr_2 to-zone trust policy permit match application any
set security policies from-zone vr_2 to-zone trust policy permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone vpn host-inbound-traffic system-services ike
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vr_2 host-inbound-traffic system-services all
set security zones security-zone vr_2 host-inbound-traffic protocols all
set security zones security-zone vr_2 interfaces lt-0/0/0.0
set firewall filter PCAP term 1 then sample
set firewall filter PCAP term 1 then accept
set routing-instances 123 instance-type virtual-router
set routing-instances 123 interface lt-0/0/0.0
set routing-instances 123 interface lo0.0
set routing-instances 123 routing-options static route 192.168.1.0/24 next-hop 99.99.99.1
set routing-instances 123 routing-options static route 0.0.0.0/0 next-hop 99.99.99.1
set routing-instances 123 protocols ospf area 0.0.0.0 interface lo0.0
set routing-instances 123 protocols ospf area 0.0.0.0 interface lt-0/0/0.0
On ASA
ASA Version 9.2(1)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
description to SRX
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 40.30.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.20.20.11 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN
host 40.30.20.10
object-group network LAN_for_VPN
network-object 192.168.1.0 255.255.255.0
object-group network LAN_REMOTE
network-object 192.168.2.0 255.255.255.0
object-group network obg-192.168.1.1
network-object host 192.168.1.1
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN2 extended permit ip any any
access-list VPN3 extended permit ip any any
pager lines 23
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN obg-192.168.1.1 destination static LAN_REMOTE LAN_REMOTE
route management 0.0.0.0 0.0.0.0 10.20.20.1 1
route outside 192.168.2.0 255.255.255.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MAP 1 match address VPN
crypto map MAP 1 set peer 1.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 500
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy default internal
group-policy default attributes
vpn-tunnel-protocol ikev1
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 1 type remote-access
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect rtsp
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 8
subscribe-to-alert-group configuration periodic monthly 8
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:546973509767703cf7bbe644813672e8
: end