SRX Services Gateway
Visitor
Max Sammet
Posts: 2
Registered: ‎06-17-2011

SRX - Source NAT and Site-2-Site IPSec VPN

All, 

I have an SRX210 connected to my cable modem that provides a public internet IP (zone UNTRUST).

On the SRX I have a zone PRIVATE that holds my private VLAN. I configured a source NAT from zone PRIVATE to UNTRUST so I can surf the internet with my private devices. This just works fine.

Furthermore, I have a zone VPN and a zone TRUST (corporate VLAN) and an IPsec VPN configuration. An IPsec VPN tunnel (st0.0 in zone VPN) is established and the respective security policies are set so that corporate traffic can flow from TRUST into the zone VPN. A static route is configured that routes any corporate traffic from TRUST into the st0.0 tunnel interface.

Interestingly, the tunnel is established (IKE and IPsec security associations are up), but I cannot send traffic (e.g. ping) into the tunnel. When I connect the SRX to a NAT router (ISP WiFi router) instead of directly to the cable modem, I can ping into the tunnel and everything works as expected.

Any ideas? Did I miss something within the NAT config?

cheers

Max
Recognized Expert
JunOS_Fan
Posts: 241
Registered: ‎02-13-2012

Re: SRX - Source NAT and Site-2-Site IPSec VPN

Hi,

"When I connect the SRX to a NAT router (ISP WiFi router) instead of directly to the cable modem, I can ping into the tunnel and everything works as expected" - does this mean the other end of the IPsec tunnel is expecting NATed traffic from the corporate VLAN?

How's the other end configured, to allow which traffic?

Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Visitor
Max Sammet
Posts: 2
Registered: ‎06-17-2011

Re: SRX - Source NAT and Site-2-Site IPSec VPN

Hi....

No, the other end does not receive any traffic, nor does any traffic from the other end arrive in the corporate VLAN. IKE and IPsec are configured identically on both ends. Both ends show the IKE and IPsec SAs as up.

As I said, the same configuration works just fine when connecting the SRX 210 to my standard ISP router, which is obviously doing a hard-configured NAT. Thus, I believe I am missing some additional NAT rules/config on my SRX.

See below my current source NAT configuration:

set security nat source rule-set A from zone PRIVATE
set security nat source rule-set A to zone UNTRUST
set security nat source rule-set A rule source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set A rule source-nat-rule then source-nat interface

Max

Juniper Employee
sharanagoud
Posts: 12
Registered: ‎12-02-2009

Re: SRX - Source NAT and Site-2-Site IPSec VPN

Hi Max,
Can you please share the configuration, i.e. which interfaces are configured in all 4 zones, and also the security configuration in detail.

Thanks,
Sharan
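As an added reference, not the thread's own configuration, here is a complete four-zone layout of the kind the last reply asks for (PRIVATE, TRUST, UNTRUST and VPN with st0.0), written as Junos set commands and including the interface source NAT rule-set exactly as posted above. Interface names, the 10.10.10.0/24 local and 172.16.0.0/24 remote corporate prefixes, the 203.0.113.x and 198.51.100.20 addresses, the pre-shared key and all object names are placeholders I assumed. Because source NAT rule-sets are selected by from-zone/to-zone and route-based tunnel traffic egresses st0.0 in zone VPN, the posted PRIVATE-to-UNTRUST rule-set never sees TRUST-to-VPN traffic; the rule-set B below shows the standard "source-nat off" exemption that is only needed when a rule-set does cover tunnel-bound traffic, and the security policies are limited to the corporate prefixes so nothing else can cross the tunnel.

```junos
## Added example layout (not the poster's configuration); interface names,
## addresses, peer, key and object names are assumed placeholders.

## Interfaces: ge-0/0/0 faces the cable modem, ge-0/0/1 is the corporate VLAN,
## ge-0/0/2 the private VLAN, st0.0 the route-based tunnel interface.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet

## Each interface belongs to exactly one zone; st0.0 sits in zone VPN and
## UNTRUST only accepts IKE as an inbound system service.
set security zones security-zone UNTRUST interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone PRIVATE interfaces ge-0/0/2.0
set security zones security-zone VPN interfaces st0.0

## Address book entries for the corporate prefixes on both sides (assumed).
set security zones security-zone TRUST address-book address corp-local 10.10.10.0/24
set security zones security-zone VPN address-book address corp-remote 172.16.0.0/24

## Remote corporate prefix is routed into the tunnel; everything else to the modem.
set routing-options static route 172.16.0.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Phase 1 / Phase 2 with placeholder proposals, key and peer address.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "PLACEHOLDER-PSK"
set security ike gateway corp-gw ike-policy ike-pol
set security ike gateway corp-gw address 198.51.100.20
set security ike gateway corp-gw external-interface ge-0/0/0.0
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn corp-vpn bind-interface st0.0
set security ipsec vpn corp-vpn ike gateway corp-gw
set security ipsec vpn corp-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn corp-vpn establish-tunnels immediately

## Interface source NAT for the private VLAN, as posted in the thread.
set security nat source rule-set A from zone PRIVATE
set security nat source rule-set A to zone UNTRUST
set security nat source rule-set A rule source-nat-rule match source-address 192.168.1.0/24
set security nat source rule-set A rule source-nat-rule then source-nat interface

## Only relevant if a rule-set ever covers tunnel-bound traffic (here a
## TRUST-to-UNTRUST rule-set for corporate internet access): the exemption
## comes first because rules are evaluated in order and the first match wins.
set security nat source rule-set B from zone TRUST
set security nat source rule-set B to zone UNTRUST
set security nat source rule-set B rule no-nat-to-corp match source-address 10.10.10.0/24
set security nat source rule-set B rule no-nat-to-corp match destination-address 172.16.0.0/24
set security nat source rule-set B rule no-nat-to-corp then source-nat off
set security nat source rule-set B rule corp-to-internet match source-address 10.10.10.0/24
set security nat source rule-set B rule corp-to-internet then source-nat interface

## Policies limited to the corporate prefixes in both tunnel directions.
set security policies from-zone TRUST to-zone VPN policy corp-out match source-address corp-local
set security policies from-zone TRUST to-zone VPN policy corp-out match destination-address corp-remote
set security policies from-zone TRUST to-zone VPN policy corp-out match application any
set security policies from-zone TRUST to-zone VPN policy corp-out then permit
set security policies from-zone VPN to-zone TRUST policy corp-in match source-address corp-remote
set security policies from-zone VPN to-zone TRUST policy corp-in match destination-address corp-local
set security policies from-zone VPN to-zone TRUST policy corp-in match application any
set security policies from-zone VPN to-zone TRUST policy corp-in then permit

## Private VLAN to the internet, translated by rule-set A above.
set security policies from-zone PRIVATE to-zone UNTRUST policy private-out match source-address any
set security policies from-zone PRIVATE to-zone UNTRUST policy private-out match destination-address any
set security policies from-zone PRIVATE to-zone UNTRUST policy private-out match application any
set security policies from-zone PRIVATE to-zone UNTRUST policy private-out then permit
```

With a layout like this, the operational checks that tell NAT problems apart from policy or routing problems are "show security ipsec security-associations" (SAs up, as in the thread), "show security flow session" filtered on a test ping (which shows the from-zone/to-zone pair the flow was classified into and whether a NAT translation was applied), and "show security nat source rule all" (per-rule hit counters, which stay at zero for rule-set A if tunnel-bound traffic really never matches it).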

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.