SRX Services Gateway
Reply
Juniper Employee
rayado
Posts: 50
Registered: ‎04-26-2010
0

configuration preview: example for overlapping static nat ranges for distinct IPSec tunnels

[ Edited ]

Coming soon in 10.4 you will be able to put ST interfaces in routing instances, this allows overlapping static NAT configurations for distinct tunnels whose endpoints terminate in inet0.
 

Reth1.1     St0.1
[nat1]-------[vr1]---\     Reth0.1
                      >----[inet0]----------{internet}
[nat2]-------[vr2]---/     Reth0.2
Reth1.2     St0.2


 

Here’s the nat configuration used:

 

    nat {
        static {            
            rule-set nat1 {
                from routing-instance VR1;
                rule n1rule {
                    match {
                        destination-address 10.1.1.1/32;
                    }
                    then {
                        static-nat prefix 10.2.2.2/32 routing-instance VR1;
                    }
                }
            }
            rule-set nat2 {
                from routing-instance VR2;
                rule n2rule {
                    match {
                        destination-address 10.1.1.1/32;
                    }
                    then {
                        static-nat prefix 10.2.2.2/32 routing-instance VR2;
                    }
                }
            }
        }
    }


Here's the routing instance configuration:

    routing-instances {
        VR1 {
            instance-type virtual-router;
            interface reth1.1;
            interface st0.1;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop st0.1;
                }
            }
        }
        VR2 {
            instance-type virtual-router;
            interface reth1.2;
            interface st0.2;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop st0.2;
                }
            }
        }
     }


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.