Screen OS

  • 1.  Source based NAT on ingress interface

    Posted 07-12-2011 07:39

    Hi All


    I'm creating a few VPNs between our data centre and some of our customers.  Because of overlapping subnets etc., we want to enable source based NAT for each of the VPNs.  In order to do this, we are using numbered tunnel interfaces with a DIP pool configured on them.  But of course, when we configure the policy to use NAT, it will NAT using the egress interface.  Is there any way that we can configure a policy to NAT on the ingress interface instead without using a MIP (i.e., using a DIP pool instead)?


    Thanks in advance



  • 2.  RE: Source based NAT on ingress interface

    Posted 07-12-2011 16:38

    You are correct that the source nat occurs on an egress interface.


    The solution is to create the dip address or pool on the interface where your data center destination subnet is configured.  Then you will be able to select it in the menu.



  • 3.  RE: Source based NAT on ingress interface

    Posted 07-13-2011 03:48

    Thanks for the reply, that works fine in my lab.  However, the tunnel interface is in a /28 subnet and the address I want to NAT to is within the /28 subnet, not on the egress interface.  Any ideas how I can do this?  Or is there any way to create a DIP pool on the egress interface without having to configure the extended IP option?



  • 4.  RE: Source based NAT on ingress interface
    Best Answer

    Posted 07-13-2011 03:57

    The only option is to use the egress interface for source nat.


    I usually set these up using the dip option "In the same subnet as the extended IP" instead of a secondary interface ip.  Using this option the ip address or pool can be anywhere at all you want.  These can even overlap or be the same as other interfaces on the same device.


    Naturally you can't use the dip addresses for any other active devices or there will be a conflict, but the range itself does not need to be assigned to the actual egress interface to use the dip address.


    I've used this method for remote vpn nat on a number of connections successfully.



  • 5.  RE: Source based NAT on ingress interface

    Posted 07-13-2011 03:59

    Yeah, I did try that out and I wondered why I was able to use an IP which overlapped.  So out of curiosity, what's the difference between a secondary IP and an extended IP?


    Good to hear that you've used it on VPNs, I guess this will be my way forward then, thanks.



  • 6.  RE: Source based NAT on ingress interface

    Posted 07-13-2011 04:04

    The secondary ip address is applied to the actual interface and owned by it for all traffic.  This also means that the address will be in the zone of that interface.


    The extended function allows you to access the addresses but they are not in the interface zone or direct control.  So you need to be aware of what zone policies actually apply to the traffic based on address objects, interface source and zone assignments.
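Putting the approach from replies 4 and 6 into ScreenOS CLI form, as an added example that is not configuration from the thread: the DIP pool is bound to the egress tunnel interface with the extended-IP option, so the NAT address does not have to sit inside the tunnel's /28. Interface names, zone names, policy and DIP ids, and all addresses are assumed placeholders.

```text
# Numbered tunnel interface toward the customer (constructed values)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.200.0.1/28
set route 10.50.0.0/24 interface tunnel.1

# What the original poster tried: a DIP pool on the ingress (trust) interface.
# Source NAT is applied on the egress interface, so this pool is not the one
# that gets used for traffic leaving through tunnel.1.
set interface ethernet1 dip 4 10.200.0.5 10.200.0.5

# Working form (reply 4): attach the pool to the egress tunnel interface with
# the extended-IP option ("In the same subnet as the extended IP" in the WebUI).
# 172.20.5.0/24 is not assigned to tunnel.1 and may overlap other interfaces;
# the only constraint is that no other live device uses 172.20.5.10.
set interface tunnel.1 ext ip 172.20.5.1 255.255.255.0 dip 5 172.20.5.10 172.20.5.10

# Policy from the data centre LAN to the customer subnet, translated to DIP 5
set policy id 10 from trust to untrust 192.168.10.0/24 10.50.0.0/24 any nat src dip-id 5 permit

# Caveat from reply 6: the extended address is reached via tunnel.1 but is not
# owned by the interface or placed in its zone, so confirm which policy and
# zone pair the translated traffic actually matches.
get policy id 10
get interface tunnel.1
```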