Is it possible to spoof the sending IP address being sent across a LAN to LAN VPN?
I’m guessing this is a very vague question, so I thought it best to explain why, how we got to where we are today, and what we are hoping to achieve.
The why: our client has a customer that uses 3x Class B subnets internally for all their devices (it’s a fairly big customer, they are!). Our client has a small 27-bit public IP subnet that they used to use for their internal LAN. Our client’s customer insists on registered-public-to-registered-public IP addresses for their LAN-to-LAN VPNs, and this we have no say in.
Our client has outgrown their 27-bit subnet, so now uses a 192.168 subnet internally.
To get around the requirement that all traffic to their customer needs to come from the registered (27-bit) IP subnet, they installed an additional device (a NetScreen 5GT, would you believe!) that connected the 192.168 subnet to the 27-bit subnet and performed NAT. The existing NetScreen SSG5 has PBR configured so that any traffic destined for the 3x Class B subnets was forwarded to the 5GT, which NAT’d it to one of the 27-bit subnet IPs, and this traffic was passed back to the SSG5 to be sent across the LAN-to-LAN VPN.
As an aside, this has worked for many years, but the performance wasn’t good until I set up a Trusted-to-Trusted rule that took any traffic destined for the 3x Class Bs and NAT’d it, so as far as the 5GT was concerned all the traffic was coming from the SSG’s IP address; the return traffic then went back through the same route, which stopped the SSG having to deal with lots of incomplete sessions. Anyway.
What we would like to do is replace the two NetScreen firewalls with one SRX300.
My first question is: is this achievable using 1x SRX300?
If so, can someone point me in the direction of a similar example?
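As an added illustration (not from the original post, and not vendor or project code), this is the general shape of the pattern the design above boils down to on an SRX in Junos set-syntax: internal 192.168 sources are source-NAT'd to a pool from the public /27 only when the traffic is headed into a route-based VPN, so the peer only ever sees public-to-public addresses. Every address, zone, interface and object name is a constructed placeholder (RFC 5737 documentation ranges stand in for the real /27 and for the customer's three Class B ranges), and it assumes an IKE/IPsec VPN is already configured and bound to st0.0.

```junos
# Constructed placeholders (not the real addresses):
#   203.0.113.0/27   = the client's registered public /27
#   172.16.0.0/16, 172.17.0.0/16, 172.18.0.0/16 = stand-ins for the customer's 3x Class B
#   192.168.0.0/16   = the client's internal LAN
# Assumes phase 1/2 for "customer-vpn" already exist and the VPN is bound to st0.0.

# Zones: internal LAN on ge-0/0/1, tunnel interface in its own zone
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone customer-vpn interfaces st0.0

# Traffic selectors: the peer negotiates public /27 <-> its Class B ranges only.
# Junos auto-inserts routes for the remote-ip prefixes toward st0.0, which
# replaces the PBR hop that used to steer this traffic to the 5GT.
set security ipsec vpn customer-vpn traffic-selector ts-b1 local-ip 203.0.113.0/27 remote-ip 172.16.0.0/16
set security ipsec vpn customer-vpn traffic-selector ts-b2 local-ip 203.0.113.0/27 remote-ip 172.17.0.0/16
set security ipsec vpn customer-vpn traffic-selector ts-b3 local-ip 203.0.113.0/27 remote-ip 172.18.0.0/16

# Source NAT pool drawn from the public /27 (usable hosts .1 to .30)
set security nat source pool public-27 address 203.0.113.1/32 to 203.0.113.30/32

# Translate 192.168.x sources to the pool only for flows into the tunnel zone
# and only toward the customer's ranges; everything else keeps its real source.
set security nat source rule-set lan-to-customer from zone trust
set security nat source rule-set lan-to-customer to zone customer-vpn
set security nat source rule-set lan-to-customer rule nat-to-public match source-address 192.168.0.0/16
set security nat source rule-set lan-to-customer rule nat-to-public match destination-address 172.16.0.0/16
set security nat source rule-set lan-to-customer rule nat-to-public match destination-address 172.17.0.0/16
set security nat source rule-set lan-to-customer rule nat-to-public match destination-address 172.18.0.0/16
set security nat source rule-set lan-to-customer rule nat-to-public then source-nat pool public-27

# Security policy: matched on the ORIGINAL (pre-NAT) 192.168 source, since
# policy lookup happens before source NAT. Return traffic is matched by the
# session table, so no reverse rule and no second device are needed.
# Replace "any" with address-book entries to keep the rule tight.
set security policies from-zone trust to-zone customer-vpn policy lan-to-customer match source-address any
set security policies from-zone trust to-zone customer-vpn policy lan-to-customer match destination-address any
set security policies from-zone trust to-zone customer-vpn policy lan-to-customer match application any
set security policies from-zone trust to-zone customer-vpn policy lan-to-customer then permit
```

After committing, `show security flow session destination-prefix 172.16.0.0/16` should show the translated 203.0.113.x source on the outbound wing of each session, which is the quickest way to confirm the NAT is applied before the packet enters st0.0.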