SRX Services Gateway
Contributor
Posts: 21
Registered: ‎02-22-2017
Accepted Solution

Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Hello,

I have a VPN box on a separate VLAN, which you can see in the config I attached, connected to an OpenVPN box that is dedicated for this. It is listening on the right port, I have the config right, the clients' configs are right and they are attempting to connect to the right place. I see translation hits in the log to the right port, but nothing is showing up in tcpdump or anywhere on the VPN box. I only have one external IP address, so I am just using a port to determine that it is VPN traffic.

Can someone please look at this and see what the heck I am doing wrong?

I should mention, this is for remote users to connect to my home network from a hotel wireless, cafe, etc. that I don't trust, on my phone, tablet, laptop, etc.

Thank you!!

Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Can someone please help? :(

Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

I just need help with my destination NAT - nothing is showing up on my VPN box.

Distinguished Expert
Posts: 4,785
Registered: ‎03-30-2009

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

From the configuration it looks like you are missing the security policy to permit the inbound VPN traffic. It looks like you may have both the zone names mismatched and the addresses used in the policies incorrect, but I'm not positive if both are wrong.

Basically, you write the security policy from the internet zone to the translated address zone, not the NAT address as I think you are doing in your config. Here is the example:

 

https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-destination-sin...

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Thank you for your help. I will give this a try and review your comments on the mismatches!

Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Is there a way to do this through the J-Web interface? I don't see a way to manipulate trust and untrust zones.

Distinguished Expert
Posts: 4,785
Registered: ‎03-30-2009

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

J-Web should allow you to create the security policies. If you have some already, you may need to delete them, as the main framework for the policy is zone to zone, and yours will need to change to the post-NAT zone.

Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Ok.

I have no idea what I am missing; I am showing logging hits on the NAT rule, but it shows failure as a status in the logs. I don't see anything in my tcpdump for the VPN server/destination. Does the failure mean a session is not established, or does it mean that the firewall is blocking it, or something else? I am just running a port scan on that port to see if it is working, so something should be showing up. I have attached my updated configuration.

Distinguished Expert
Posts: 1,767
Registered: ‎06-06-2011

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

I think this should help.

https://forums.juniper.net/t5/SRX-Services-Gateway/Destination-NAT-Port-Forwarding-Passthrough-for-V...

Distinguished Expert
Posts: 4,785
Registered: ‎03-30-2009

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

Your security policy to permit the inbound VPN traffic needs to be to the destination pool address, not the public address.

Change this:

    address-book {
        ext-ip-vpn-address-book {
            address ext-ip-vpn 75.72.76.40/32;  <<<<  172.19.143.14/32
            attach {
                zone Internet;
                zone VPN;
            }
        }
    }

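For reference, here is a complete destination NAT plus policy configuration in the shape Steve describes, added as an illustration and not taken from the thread or the attached config. The addresses and zone names come from the thread; udp/1194 (OpenVPN's default), the custom application and the pool, rule-set, rule and policy names are assumptions.

```junos
applications {
    application openvpn-udp {
        protocol udp;
        destination-port 1194;
    }
}
security {
    nat {
        destination {
            pool vpn-server-pool {
                address 172.19.143.14/32 port 1194;
            }
            rule-set internet-to-vpn {
                from zone Internet;
                rule openvpn-forward {
                    match {
                        destination-address 75.72.76.40/32;
                        destination-port 1194;
                    }
                    then {
                        destination-nat pool vpn-server-pool;
                    }
                }
            }
        }
    }
    address-book {
        ext-ip-vpn-address-book {
            /* post-NAT address: the SRX translates the destination before the policy lookup */
            address ext-ip-vpn 172.19.143.14/32;
            attach {
                zone VPN;
            }
        }
    }
    policies {
        from-zone Internet to-zone VPN {
            policy allow-openvpn-inbound {
                match {
                    source-address any;
                    destination-address ext-ip-vpn;
                    application openvpn-udp;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security nat destination rule all` shows whether the rule is being hit, and `show security flow session destination-port 1194` shows whether a session to 172.19.143.14 is actually being created, which is the difference between the NAT matching and the policy permitting.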
Contributor
Posts: 21
Registered: ‎02-22-2017

Re: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

This was it - thank you so much. I followed the example too closely but didn't see that server1 in the example was the VPN box; I was looking at it like the destination from the internet was the public IP, but I see now that doesn't make sense with the NAT rule.

Thank you!!!!