SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SITE TO SITE VPN and NAT

    Posted 07-20-2013 04:59
    Hi, I am very much a beginner on SRX. I have to build a site-to-site VPN between an SRX on my end and a Cisco on the other end.

    - The tunnel is for SFTP service.
    - The subnets on my end are different but the subnet on the Cisco end is the same.

    My two questions are simple:

    1) Do I have to use policy-based VPN or route-based VPN?
    2) Do I need NAT? What confuses me is that in a site-to-site VPN context I don't know if I need NAT. The local and the remote are on different subnets.

    Could you please explain when NAT is or is not justified in a site-to-site VPN context? (Please look at the example below; I can't figure out why he didn't use NAT.)

    PLEASE HELP !!!!

    http://www.tunnelsup.com/tup/2013/01/16/site-to-site-vpn-tunnel-between-cisco-asa-and-juniper-srx-junos/

    Amélie


  • 2.  RE: SITE TO SITE VPN and NAT
    Best Answer

    Posted 07-20-2013 09:37

    You may use policy-based VPN or route-based VPN.

    If you use policy-based VPN, then you need to exclude NAT so your private address wouldn't be NATed to your public IP before entering the tunnel.

    If you use route-based VPN, you don't need to exclude NAT, because the SRX does the route lookup before source NAT, thus it will pass your traffic to the tunnel before it's NATed.

    If your question is when to use static NAT, the answer is when you have the same private subnets on both ends of the tunnel. Let's say you have a site that needs to access your server, which is on your private network (let's say the IP address of your server is 192.168.1.100). Let's say site no. 1 wants to access your server from its private network, which is 192.168.1.0/24, the same as your server network. To avoid confusion, you NAT your server IP to, for example, 10.1.1.100, and create the tunnel... The other end will then create the tunnel to 10.1.1.100 and the SRX will NAT that address to your server IP, thus creating a VPN tunnel between the same subnets.
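
The static NAT case from the answer above, written out as Junos set commands for a route-based VPN. This is an added example, not configuration from the thread: the zone names, the VPN name `to-cisco`, the address-book names and 10.2.2.0/24 (the range the Cisco end is assumed to present its own 192.168.1.0/24 hosts as, since replies to a 192.168.1.x source would otherwise stay on the local LAN) are assumptions, and the IKE gateway and IPsec proposals are assumed to be configured already.

```junos
# Tunnel interface in its own zone, bound to the existing IPsec VPN
# (VPN name "to-cisco" is hypothetical).
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn to-cisco bind-interface st0.0

# Route-based VPN: the route decides what enters the tunnel.
# 10.2.2.0/24 is the constructed range the remote end presents its hosts as.
set routing-options static route 10.2.2.0/24 next-hop st0.0

# Static NAT: traffic arriving from the tunnel for 10.1.1.100 is
# translated to the real server 192.168.1.100; replies are translated
# back automatically because static NAT is bidirectional.
set security nat static rule-set vpn-in from zone vpn
set security nat static rule-set vpn-in rule sftp-server match destination-address 10.1.1.100/32
set security nat static rule-set vpn-in rule sftp-server then static-nat prefix 192.168.1.100/32

# Address-book entries (names are hypothetical).
set security address-book global address sftp-server-real 192.168.1.100/32
set security address-book global address remote-hosts 10.2.2.0/24

# Security policy is evaluated after static NAT, so it matches the REAL
# server address, not 10.1.1.100. Only SSH (which carries SFTP) is
# permitted, and sessions are logged.
set security policies from-zone vpn to-zone trust policy allow-sftp match source-address remote-hosts
set security policies from-zone vpn to-zone trust policy allow-sftp match destination-address sftp-server-real
set security policies from-zone vpn to-zone trust policy allow-sftp match application junos-ssh
set security policies from-zone vpn to-zone trust policy allow-sftp then permit
set security policies from-zone vpn to-zone trust policy allow-sftp then log session-init
```

After a commit, `show security flow session destination-prefix 10.1.1.100` should show the session with 192.168.1.100 on the return wing, which confirms the translation happened on the tunnel side.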



  • 3.  RE: SITE TO SITE VPN and NAT

    Posted 07-20-2013 10:38

    Oh man, what a relief. Thanks so much! I understand now !!!!

    Sharing knowledge is really kind and very useful.

    Have a nice day