SRX Services Gateway
New User
Ralphie
Posts: 1
Registered: 09-26-2011

NAT subnet over just one VPN tunnel interface

Hi all,


I've got a situation which I'm having a little trouble with. My customer has an SRX100 firewall with a 192.168.2.0/24 subnet behind it. This subnet contains all their servers. The SRX is located in a datacenter and they all connect from their office over the VPN. The subnet in the office is 192.168.3.0/24, so routing and everything works fine! The tunnel is route based.

My problem is that they need another VPN from the SRX to a financial company that is also using the 192.168.2.0/24 subnet. I somehow have to NAT (source?) the 192.168.2.0 subnet to something different so the VPN can be made. I can't just do a NAT from 192.168.2.0 to 192.168.16.0, for example, because then the VPN from the datacenter to their office isn't working anymore.


Before I mess things up, I want to know how to do this. I've created a new VPN to the financial office on a new st0 interface (st0.4 in this case). In addition I've created a source NAT rule as stated below:

rule-set Nat-ctb {
    from zone trust;
    to interface st0.4;          /* rule-set only applies to traffic leaving via st0.4 */
    rule source-nat-ctb {
        match {
            source-address 192.168.2.0/24;
            destination-address 192.168.16.0/24;
        }
        then {
            source-nat {
                interface;       /* hide sources behind the st0.4 interface address */
            }
        }
    }
}

Is this the way to go, or will it NAT all 192.168.2.0 addresses to 192.168.16.0? I only want to have it NAT on the st0.4 interface. Maybe use destination NAT for the incoming traffic from the remote VPN?


Any help would be very appreciated.
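One way to scope the translation to the financial-company tunnel only, shown here as an added example in Junos set syntax (not configuration from the original post or from Juniper). It assumes st0.4 is placed in its own zone "vpn-ctb", that the office tunnel (st0.0) lives in a separate zone "vpn-office", that the IKE gateway "ctb-gw" already exists, and that the two sides agree on placeholder ranges: the customer LAN appears to the financial company as 192.168.16.0/24 and the financial company's overlapping LAN is presented to the customer as 192.168.17.0/24 (translated on their side). Zone names, rule names, address-book names and the 192.168.17.0/24 range are all assumptions.

```junos
# Added example, not from the original post. Dedicated tunnel interface and zone
# for the financial VPN so that NAT can be tied to that zone alone.
set interfaces st0 unit 4 family inet
set security zones security-zone vpn-ctb interfaces st0.4

# Static NAT is bidirectional and one-to-one: packets arriving from zone vpn-ctb
# for 192.168.16.x are translated to 192.168.2.x, and sessions that 192.168.2.x
# opens toward zone vpn-ctb get 192.168.16.x as source. Nothing here references
# zone vpn-office, so the office tunnel keeps seeing the real 192.168.2.0/24.
set security nat static rule-set ctb-overlap from zone vpn-ctb
set security nat static rule-set ctb-overlap rule ctb-lan match destination-address 192.168.16.0/24
set security nat static rule-set ctb-overlap rule ctb-lan then static-nat prefix 192.168.2.0/24

# Local hosts reach the financial company via its translated range.
set routing-options static route 192.168.17.0/24 next-hop st0.4

# Phase 2 proxy identities carry the translated prefixes, never 192.168.2.0/24.
set security ipsec vpn ctb-vpn bind-interface st0.4
set security ipsec vpn ctb-vpn ike gateway ctb-gw
set security ipsec vpn ctb-vpn ike proxy-identity local 192.168.16.0/24
set security ipsec vpn ctb-vpn ike proxy-identity remote 192.168.17.0/24
set security ipsec vpn ctb-vpn ike proxy-identity service any

# Address-book entries used by the policies below.
set security zones security-zone trust address-book address lan-192-168-2 192.168.2.0/24
set security zones security-zone vpn-ctb address-book address ctb-192-168-17 192.168.17.0/24

# Policies are evaluated after static NAT, so the inbound rule matches the real
# LAN address (192.168.2.0/24) as destination, not 192.168.16.0/24.
set security policies from-zone trust to-zone vpn-ctb policy lan-to-ctb match source-address lan-192-168-2
set security policies from-zone trust to-zone vpn-ctb policy lan-to-ctb match destination-address ctb-192-168-17
set security policies from-zone trust to-zone vpn-ctb policy lan-to-ctb match application any
set security policies from-zone trust to-zone vpn-ctb policy lan-to-ctb then permit
set security policies from-zone vpn-ctb to-zone trust policy ctb-to-lan match source-address ctb-192-168-17
set security policies from-zone vpn-ctb to-zone trust policy ctb-to-lan match destination-address lan-192-168-2
set security policies from-zone vpn-ctb to-zone trust policy ctb-to-lan match application any
set security policies from-zone vpn-ctb to-zone trust policy ctb-to-lan then permit
```

Compared with the `source-nat interface` rule in the post, which would hide every server behind the single st0.4 address and so block connections initiated from the financial side, static NAT keeps a 1:1 mapping in both directions while still touching only traffic that enters or leaves zone vpn-ctb. After committing, `show security nat static rule all` shows hit counts per rule and `show security flow session` shows each session's pre- and post-NAT addresses, which is the quickest way to confirm that office-tunnel sessions are still untranslated.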

Distinguished Expert
MMcD
Posts: 628
Registered: 07-20-2010

Re: NAT subnet over just one VPN tunnel interface

If I'm correct in what you are trying to do then the following documentation should help:

http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_VPN_with_Overlapping_Subnets_v11.pdf

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]