SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Static NAT with IPsec

    Posted 09-23-2011 00:35

    Hello,

    Last night I replaced our Cisco PIX with a Juniper SRX Gateway. We run an IPsec tunnel to one of our remote offices (currently still using a PIX) which I have successfully established and packets are passing through the tunnel.

    With one exception.

    A number of our servers are configured with a static NAT on the firewall. Hosts on the remote office can talk to the servers on their private IPs without trouble, however the servers cannot talk to hosts at the remote office. Other hosts on the trust zone can talk to hosts at the remote office.

    From what I can tell, because the IPsec tunnel is effectively on the untrust zone, Junos is applying the static NAT and trying to forward the public IP across the tunnel, which obviously won't work.

    Has anyone else had this problem? Is there a way around it?

    root@ci-syd-srx100# show security nat | display set
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule no-nat match destination-address 172.14.0.0/16
    set security nat source rule-set trust-to-untrust rule no-nat then source-nat off
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security nat static rule-set OneToOneMappings from interface fe-0/0/0.0
    set security nat static rule-set OneToOneMappings rule revelation match destination-address 123.45.67.89/32
    set security nat static rule-set OneToOneMappings rule revelation then static-nat prefix 172.18.0.2/32
    set security nat proxy-arp interface fe-0/0/0.0 address 123.45.67.89/32
    root@ci-syd-srx100# ...om-zone trust to-zone untrust | display set
    set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match source-address local-net
    set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match destination-address ci-brisbane
    set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match application any
    set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt then permit tunnel ipsec-vpn CI-ipsecvpn
    set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt then permit tunnel pair-policy vpnpolicy-unt-tr
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit


  • 2.  RE: Static NAT with IPsec

    Posted 09-23-2011 00:52

    root@ci-syd-srx100# ...ies from-zone untrust to-zone trust | display set
    set security policies from-zone untrust to-zone trust policy server-policy match source-address any
    set security policies from-zone untrust to-zone trust policy server-policy match destination-address server
    set security policies from-zone untrust to-zone trust policy server-policy match application junos-http
    set security policies from-zone untrust to-zone trust policy server-policy match application junos-https
    set security policies from-zone untrust to-zone trust policy server-policy then permit
    set security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr match source-address ci-brisbane
    set security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr match destination-address local-net
    set security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr match application any
    set security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr then permit tunnel ipsec-vpn CI-ipsecvpn
    set security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr then permit tunnel pair-policy vpnpolicy-tr-unt
    I have tried using a destination nat off rule, which didn't work. I can't seem to find a way to turn static nat off. Surely this is a common situation?



  • 3.  RE: Static NAT with IPsec
    Best Answer

    Posted 09-23-2011 06:02

    I have experienced this issue and there is no way around it with policy-based VPNs.

    You will need to move this to a tunnel VPN and create a VPN zone to terminate the st0 interface.
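Editor's note (added here; not part of any post in this thread): the configuration below is a worked example of the route-based VPN the Best Answer recommends, written against the object names already shown in the thread (CI-ipsecvpn, local-net, ci-brisbane, 172.14.0.0/16, the static NAT rule-set OneToOneMappings on fe-0/0/0.0). The IKE gateway and IPsec policy names (CI-gw, CI-ipsec-pol), the zone name vpn, the policy names and the assumption that ci-brisbane is 172.14.0.0/16 and local-net is 172.18.0.0/16 are placeholders, not values from the thread. The reason it fixes the symptom: the static NAT rule-set is scoped "from interface fe-0/0/0.0" and the source NAT rule-set "from zone trust to zone untrust", so once the remote subnet is routed out st0.0 in its own zone, neither rule-set matches that traffic and the servers reach the remote office with their private addresses, while static NAT for Internet traffic on fe-0/0/0.0 is unchanged.

```junos
# Added example (editor), not configuration from the thread. Lines starting with '#' are comments.

# 1. Tunnel interface and a dedicated zone for it (zone name 'vpn' is an assumption)
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

# 2. Bind the existing VPN to st0.0 instead of to a tunnel policy.
#    CI-gw and CI-ipsec-pol are placeholders for the gateway/policy already on the box.
set security ipsec vpn CI-ipsecvpn bind-interface st0.0
set security ipsec vpn CI-ipsecvpn ike gateway CI-gw
set security ipsec vpn CI-ipsecvpn ike ipsec-policy CI-ipsec-pol
set security ipsec vpn CI-ipsecvpn establish-tunnels immediately

# 3. Proxy-ID must still match the PIX crypto ACL, because the PIX side is policy-based.
#    Prefixes are assumptions consistent with the thread's no-nat rule and static NAT target.
set security ipsec vpn CI-ipsecvpn ike proxy-identity local 172.18.0.0/16
set security ipsec vpn CI-ipsecvpn ike proxy-identity remote 172.14.0.0/16
set security ipsec vpn CI-ipsecvpn ike proxy-identity service any

# 4. Route the remote office via the tunnel interface. Traffic to 172.14.0.0/16 now
#    egresses st0.0 (zone vpn), so the 'from interface fe-0/0/0.0' static rule-set and
#    the 'from zone trust to zone untrust' source rule-set no longer apply to it.
set routing-options static route 172.14.0.0/16 next-hop st0.0

# 5. Remove the policy-based tunnel pair; the VPN is now bound to st0.0.
delete security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt
delete security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr

# 6. Zone-attached address book entry so the vpn zone can reference ci-brisbane
#    (on releases with global address books, a global entry works instead).
set security zones security-zone vpn address-book address ci-brisbane 172.14.0.0/16

# 7. Ordinary (non-tunnel) permit policies between trust and vpn, scoped to the two subnets.
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address local-net
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address ci-brisbane
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address ci-brisbane
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address local-net
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
```

To check the result after commit: `show security ipsec security-associations` should list the SA bound to st0.0, `show route 172.14.0.0/16` should resolve via st0.0, and `show security flow session destination-prefix 172.14.0.0/16` should show sessions from a static-NAT server (e.g. 172.18.0.2) leaving on st0.0 with the private source address rather than 123.45.67.89. The `no-nat` rule in the trust-to-untrust source rule-set becomes redundant for tunnel traffic but is harmless to keep; the static NAT rule-set and proxy-arp on fe-0/0/0.0 stay exactly as they are.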



  • 4.  RE: Static NAT with IPsec

    Posted 09-23-2011 07:22

    Thanks Digs,

    I had avoided route-based VPN on the assumption that the PIX did not support it. I didn't realise how easy it was to implement!

    So far this seems to have worked perfectly, though I won't know for sure until Monday. Thanks!