Hello,
Last night I replaced our Cisco PIX with a Juniper SRX Gateway. We run an IPsec tunnel to one of our remote offices (currently still using a PIX) which I have successfully established and packets are passing through the tunnel.
With one exception.
A number of our servers are configured with a static NAT on the firewall. Hosts at the remote office can talk to the servers on their private IPs without trouble; however, the servers cannot talk to hosts at the remote office. Other hosts in the trust zone can talk to hosts at the remote office.
From what I can tell, because the IPsec tunnel is effectively in the untrust zone, Junos is applying the static NAT and trying to forward the public IP across the tunnel, which obviously won't work.
Has anyone else had this problem? Is there a way around it?
root@ci-syd-srx100# show security nat | display set
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule no-nat match destination-address 172.14.0.0/16
set security nat source rule-set trust-to-untrust rule no-nat then source-nat off
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat static rule-set OneToOneMappings from interface fe-0/0/0.0
set security nat static rule-set OneToOneMappings rule revelation match destination-address 123.45.67.89/32
set security nat static rule-set OneToOneMappings rule revelation then static-nat prefix 172.18.0.2/32
set security nat proxy-arp interface fe-0/0/0.0 address 123.45.67.89/32
root@ci-syd-srx100# ...om-zone trust to-zone untrust | display set
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match source-address local-net
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match destination-address ci-brisbane
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt match application any
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt then permit tunnel ipsec-vpn CI-ipsecvpn
set security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt then permit tunnel pair-policy vpnpolicy-unt-tr
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
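As an added illustration (not the poster's configuration and not an answer taken from this thread), the snippet below sketches the route-based alternative that sidesteps the interface-scoped static NAT rule set: the existing VPN is bound to an st0 tunnel interface placed in its own zone, so sessions to the remote office no longer egress fe-0/0/0.0 and neither the `OneToOneMappings` rule set (scoped `from interface fe-0/0/0.0`) nor the `trust-to-untrust` source NAT rule set (scoped `from zone trust to zone untrust`) is consulted for them. Assumptions: the remote office subnet is 172.14.0.0/16 (taken from the `no-nat` rule above), the zone name `vpn` and unit `st0.0` are chosen here, the address-book entries `local-net` and `ci-brisbane` are reused and are assumed to be defined in a global address book, and the IKE gateway and proposals behind `CI-ipsecvpn` already exist.

```junos
# Added example, not the poster's running config.
# Assumes 172.14.0.0/16 is the remote office subnet and that the IKE gateway
# and IPsec proposals referenced by CI-ipsecvpn are already configured.

# 1. Tunnel interface for a route-based VPN
set interfaces st0 unit 0 family inet

# 2. Bind the existing VPN to the tunnel interface instead of to a policy
set security ipsec vpn CI-ipsecvpn bind-interface st0.0

# 3. Put st0.0 in its own zone. The static NAT rule set is scoped
#    "from interface fe-0/0/0.0" and the source NAT rule set is scoped
#    "from zone trust to zone untrust", so neither matches sessions that
#    enter or leave via st0.0; 172.18.0.2 therefore crosses the tunnel untranslated.
set security zones security-zone vpn interfaces st0.0

# 4. Route the remote office subnet into the tunnel
set routing-options static route 172.14.0.0/16 next-hop st0.0

# 5. Plain permit policies in both directions (no "then permit tunnel" clause)
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address local-net
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address ci-brisbane
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address ci-brisbane
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address local-net
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

# 6. Retire the policy-based tunnel pair once the route-based VPN is up
delete security policies from-zone trust to-zone untrust policy vpnpolicy-tr-unt
delete security policies from-zone untrust to-zone trust policy vpnpolicy-unt-tr
```

Two caveats when applying something like this: a route-based SRX peering with a policy-based PIX usually needs `set security ipsec vpn CI-ipsecvpn ike proxy-identity local <local-net prefix> remote 172.14.0.0/16` so the phase 2 selectors match the PIX crypto ACL (the local prefix is whatever `local-net` resolves to; it is not on the page), and on Junos releases with zone-scoped address books `ci-brisbane` and `local-net` would have to be defined again under the `vpn` zone. To confirm the translation is no longer applied, `show security flow session destination-prefix 172.14.0.0/16` should show sessions from 172.18.0.2 with no translated source, and `show security nat static rule all` should show the `revelation` rule's translation hit counter not incrementing for that traffic.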