Screen OS

  • 1.  Using NAT at both ends of routed VPN tunnel

    Posted 03-18-2014 04:20

    Hi, hopefully someone more learned than myself can help with my VPN NAT issue.

    I need to use NAT at both ends of the tunnel as there is a requirement to mask the real IP ranges at both ends. Following the words of wisdom in "Concepts and Examples" has led to the two policies below; as a start I am just trying to get from one machine to another to prove the concept, then I will expand it to the whole network.

    When I try to ping, the tunnel comes up and the policy logs show the NAT is taking place; however, at the remote end nothing is being logged as hitting the inbound policy. I assume it's a routing issue but I can't see where I have gone wrong. Can anyone help, please?

    Truncated versions of the policies.

    set interface eth0/1 zone trust
    set interface eth0/1 ip 192.168.84.1/24
    set interface eth0/1 nat

    set interface eth0/0 zone untrust
    set interface eth0/0 ip 11.11.11.11/24

    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip 10.199.20.1/24
    set interface tunnel.1 dip 5 10.199.20.2 10.199.20.2

    set address trust UntyInt 192.168.84.0/24
    set address trust UntyVirt 10.199.20.121/32

    set address untrust HostedNat 10.199.16.2/32
    set address untrust HstSvrNat 10.199.16.121/32

    set ike gateway OSS-Gate address 22.22.22.22 outgoing-interface eth0/0 preshare netscreen1 sec-level compatible
    set vpn OSS-IKE gateway OSS-Gate sec-level compatible
    set vpn OSS-IKE bind interface tunnel.1
    set vpn OSS-IKE proxy-id local-ip 10.199.20.0/24 remote-ip 10.199.16.0/24 any

    set vrouter trust-vr route 0.0.0.0/0 interface eth0/0 gateway 11.11.11.1
    set vrouter trust-vr route 10.199.16.0/24 interface tunnel.1
    set vrouter trust-vr route 10.199.16.0/24 interface null metric 10

    set policy top from trust to untrust UntyInt HstSvrNat any nat src dip-id 5 permit
    set policy top from untrust to trust HostedNat UntyVirt any nat dst ip 192.168.84.121 permit


    And

    set interface eth0/7 zone DMZ
    set interface eth0/7 ip 172.16.50.9/24
    set interface eth0/7 nat

    set interface eth0/9 zone untrust
    set interface eth0/9 ip 22.22.22.22/24

    set interface tunnel.33 zone untrust
    set interface tunnel.33 ip 10.199.16.1/24
    set interface tunnel.33 dip 6 10.199.16.2 10.199.16.2

    set address DMZ HostedNet 172.16.50.0/24
    set address DMZ HstVirtSvr 10.199.16.121/32

    set address untrust Unty 10.199.20.2/32
    set address untrust UntySrv 10.199.20.121/32

    set ike gateway UntyGate2 address 11.11.11.11 outgoing-interface eth0/9 preshare netscreen1 sec-level compatible
    set vpn UnityIKE2 gateway UntyGate2 sec-level compatible
    set vpn UnityIKE2 bind interface tunnel.33
    set vpn UnityIKE2 proxy-id local-ip 10.199.16.0/24 remote-ip 10.199.20.0/24 any

    set vrouter trust-vr route 0.0.0.0/0 interface eth0/9 gateway 22.22.22.1
    set vrouter trust-vr route 10.199.20.0/24 interface tunnel.33
    set vrouter trust-vr route 10.199.20.0/24 interface null metric 10

    set policy top from DMZ to untrust HostedNet UntySrv any nat src dip-id 6 permit
    set policy top from untrust to DMZ Unty HstVirtSvr any nat dst ip 172.16.50.121 permit



  • 2.  RE: Using NAT at both ends of routed VPN tunnel
    Best Answer

    Posted 03-18-2014 05:08

    Hi,

    I believe this is not a good config for a scenario where the requirement is to hide the internal IPs on both sides.

    Try the overlapping VPN config as described in the KB at the link below:

    http://kb.juniper.net/KB5346

    There too, since the internal subnets overlap, NAT is configured to hide them.

    Sarab
    ------------------------------------------------------------------------------------

    [If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]
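    An added example (mine, not from either poster and not a copy of the KB article linked above) of the trust side built the way ScreenOS route-based VPNs with translation at both ends are normally done: keep the DIP on the tunnel interface for outbound source NAT, but replace the policy-based "nat dst" with a MIP on the same tunnel interface for inbound traffic. The reason the original inbound policy never logs a hit is that ScreenOS chooses the destination zone for the policy lookup from a route lookup on the untranslated destination address; 10.199.20.121 sits on tunnel.1's own subnet in the untrust zone, so an untrust-to-trust policy is never a candidate. A MIP is translated at the interface before that lookup, so the packet arrives at the policy engine already addressed to 192.168.84.121 in the trust zone. The names, addresses and virtual ranges are reused from the original post; the DMZ side is the mirror image with tunnel.33, DIP 6 and a MIP for 10.199.16.121 -> 172.16.50.121.

```text
set interface eth0/1 zone trust
set interface eth0/1 ip 192.168.84.1/24

set interface eth0/0 zone untrust
set interface eth0/0 ip 11.11.11.11/24

set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.199.20.1/24
set interface tunnel.1 dip 5 10.199.20.2 10.199.20.2
set interface tunnel.1 mip 10.199.20.121 host 192.168.84.121 netmask 255.255.255.255 vr trust-vr

set address trust UntyInt 192.168.84.0/24
set address untrust HostedNat 10.199.16.2/32
set address untrust HstSvrNat 10.199.16.121/32

set ike gateway OSS-Gate address 22.22.22.22 outgoing-interface eth0/0 preshare netscreen1 sec-level compatible
set vpn OSS-IKE gateway OSS-Gate sec-level compatible
set vpn OSS-IKE bind interface tunnel.1
set vpn OSS-IKE proxy-id local-ip 10.199.20.0/24 remote-ip 10.199.16.0/24 any

set vrouter trust-vr route 0.0.0.0/0 interface eth0/0 gateway 11.11.11.1
set vrouter trust-vr route 10.199.16.0/24 interface tunnel.1
set vrouter trust-vr route 10.199.16.0/24 interface null metric 10

set policy top from trust to untrust UntyInt HstSvrNat any nat src dip-id 5 permit
set policy top from untrust to trust HostedNat MIP(10.199.20.121) any permit
```

    Nothing on the peer changes except the equivalent MIP: it still sends traffic from its DIP (10.199.16.2) to 10.199.20.121, which is exactly what the proxy IDs already allow. To confirm the inbound direction on this box, set `set ffilter src-ip 10.199.16.2`, run `debug flow basic`, ping from the DMZ side and read `get dbuf stream`; the trace should show the MIP translation followed by a policy search from untrust to trust, and `get session` should then show a session to 192.168.84.121. If you would rather keep the policy-based "nat dst" form, the documented requirement for NAT-dst is a route for the untranslated destination pointing at an interface in the destination zone, e.g. `set vrouter trust-vr route 10.199.20.121/32 interface eth0/1`; the MIP avoids carrying that extra host route.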



  • 3.  RE: Using NAT at both ends of routed VPN tunnel

    Posted 03-19-2014 10:48

    Excellent, thanks for the pointer.