Hello all:
I'm having problems with a policy-based VPN tunnel between a Juniper SRX 220 running 10.4R7.5 and a Cisco ASA firewall on the remote end.
SRX side:
Inside server IP: 192.168.1.7
Zone: trust
Cisco side: 192.168.21.0/24
The problem is that traffic sourced from 192.168.1.7 to 192.168.21.0/24 is being translated to the external IP address, and I need to stop the translation when going over the VPN tunnel.
I've tried the following:
nat {
    source {
        rule-set LAN_OUTBOUND {
            from zone trust;
            to zone untrust;
            rule no-nat-vpn {
                match {
                    source-address 192.168.1.7/32;
                    destination-address 192.168.21.0/24;
                }
                then {
                    source-nat {
                        off;
                    }
                }
            }
            rule LAN_OUTBOUND {
                match {
                    source-address 192.168.1.0/24;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    static {
        rule-set rule1 {
            from zone untrust;
            rule server_1 {
                match {
                    destination-address xxx.xxx.xxx.59/32;
                }
                then {
                    static-nat prefix 192.168.1.5/32;
                }
            }
            rule server_2 {
                match {
                    destination-address xxx.xxx.xxx.60/32;
                }
                then {
                    static-nat prefix 192.168.1.7/32;
                }
            }
        }
    }
    proxy-arp {
        interface ge-0/0/0.0 {
            address {
                xxx.xxx.xxx.59/32;
                xxx.xxx.xxx.60/32;
            }
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy policy_out_srx-to-asa {
            match {
                source-address addr_192_168_1_7_32;
                destination-address addr_192_168_21_0_24;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn srx-to-asa;
                    }
                }
                count;
            }
        }
    }
}
The VPN tunnel works for traffic sourced from the ASA to the SRX, but not from the SRX to the ASA, because the ASA sees the traffic coming from the external NAT IP assigned to the server (xxx.xxx.xxx.60) instead of 192.168.1.7.
Anyone seen this issue before and know how to resolve it?
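The following is an added example, not part of the original post and not Juniper's own code. It is a small Python model of two documented properties of Junos SRX NAT: static NAT rules are evaluated before source NAT rules, and static NAT is bidirectional (a packet from the inside host toward the rule-set's from-zone gets its source rewritten). Run against the rules from the post, it shows why a source-nat `off` rule never gets a say for 192.168.1.7: the static rule-set `rule1` has already translated the flow. The public addresses xxx.xxx.xxx.59/.60 are replaced by constructed documentation addresses 203.0.113.59/.60, the egress interface address is constructed, and the `vpn` zone flow is an assumption about a route-based redesign (tunnel traffic leaving through an st0 interface in its own zone), which the post does not describe.

```python
"""Toy model of Junos SRX NAT evaluation order (added example, not from the post).

Models two facts about Junos NAT processing:
  1. static NAT is evaluated before source NAT, and
  2. static NAT is bidirectional: the reverse mapping applies to flows from the
     inside host toward the static rule-set's from-zone.
Constructed values: 203.0.113.x stands in for xxx.xxx.xxx.x; the egress
interface address is made up; zone "vpn" is a hypothetical st0 zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    from_zone: str
    to_zone: str


# static NAT rule-set "rule1" from the post: from zone untrust.
# (external, internal) pairs; translation applies in both directions.
STATIC_RULESET = {
    "from_zone": "untrust",
    "rules": [("203.0.113.59", "192.168.1.5"),
              ("203.0.113.60", "192.168.1.7")],
}

# source NAT rule-set "LAN_OUTBOUND" from the post: trust -> untrust.
# (rule name, source prefix, destination prefix, action)
SOURCE_RULESET = {
    "from_zone": "trust",
    "to_zone": "untrust",
    "rules": [
        ("no-nat-vpn",   "192.168.1.7/32", "192.168.21.0/24", "off"),
        ("LAN_OUTBOUND", "192.168.1.0/24", "0.0.0.0/0",       "interface"),
    ],
}
EGRESS_INTERFACE_IP = "203.0.113.1"   # constructed ge-0/0/0 address


def apply_static_nat(flow: Flow):
    """Reverse static NAT: if the flow heads toward the rule-set's from-zone and
    the source is a statically mapped host, return the external address."""
    if flow.to_zone != STATIC_RULESET["from_zone"]:
        return None
    for external, internal in STATIC_RULESET["rules"]:
        if flow.src == internal:
            return external
    return None


def apply_source_nat(flow: Flow) -> str:
    """First-match source NAT within the trust->untrust rule-set."""
    if (flow.from_zone, flow.to_zone) != (
        SOURCE_RULESET["from_zone"], SOURCE_RULESET["to_zone"]
    ):
        return flow.src  # rule-set does not apply to this zone pair
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for _name, s_pfx, d_pfx, action in SOURCE_RULESET["rules"]:
        if src in ip_network(s_pfx) and dst in ip_network(d_pfx):
            return flow.src if action == "off" else EGRESS_INTERFACE_IP
    return flow.src


def translate(flow: Flow):
    """Return (translated source, stage that decided). Static NAT is consulted
    first; source NAT only sees flows static NAT left untouched."""
    static_src = apply_static_nat(flow)
    if static_src is not None:
        return static_src, "static-nat"
    return apply_source_nat(flow), "source-nat"


if __name__ == "__main__":
    # The post's failing case: server -> remote LAN, egress zone untrust.
    print(translate(Flow("192.168.1.7", "192.168.21.10", "trust", "untrust")))
    # Hypothetical route-based design: same flow, egress zone "vpn".
    print(translate(Flow("192.168.1.7", "192.168.21.10", "trust", "vpn")))
    # Ordinary host to the Internet: interface NAT as intended.
    print(translate(Flow("192.168.1.20", "198.51.100.5", "trust", "untrust")))
```

The first call returns the static external address with `static-nat` as the deciding stage, which is exactly what the ASA is reporting: the `no-nat-vpn` rule is correct but is never reached. The second call only shows what changes if tunnel traffic egresses through a zone the static rule-set does not name; whether that matches a given deployment is something to verify on the box, for example with `show security flow session` after rebuilding the tunnel.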