Junos
Highlighted
Junos

LAN to LAN VPN Source NAT

[ Edited ]
‎03-10-2020 06:54 AM

Hi people,

 

Is it possible to spoof the sending IP address being sent across a LAN to LAN VPN?

I’m guessing this is a very vague question so I thought it best to explain why, how we got to where we are today and what we are hoping to achive.

 

The why; our client has a customer that uses 3x class B subnets internally for all there devices (it’s a fairly big customer the there’s!).  Our client has a small 27-bit public IP subnet that they used to use for there internally LAN.  Our clients customer insists on a registers public to registers public IP addresses for there LAN to LAN VPN’s and this we have no say in.

Our client has out grown there 27-bit subnet so now uses a 192.268 subnet internally.

 

To get around the requirement that all traffic to there customer needs to come from the registers (27-bit) IP subnet they installed an  additional device (NetScreen 5GT would you believe!) that connected the 192.168 subnet to the 27-bit subnet that performed NAT.  The existing Netscreen SSG5 has PBR configured so any traffic destined for the 3x Class-B subnets was forwarded to the 5GT which NAT’d it to one of the 27-bit subnet IP’s and this traffic was passed back to the SSG5 to be passed across the LAN to LAN VPN.

As an aside this has worked for many years but the performance wasn’t good until I setup a Trusted to Trusted rule that took any traffic destined for the 3x Class-B’s and NAT’d the traffic so as far as the 5GT was concerned all the traffic was coming from the SSG’s IP address so the return traffic went back through the same route and stopped the SSG having to deal with lots of incomplete sessions; anyway.

Annotation 2020-03-10 135002.jpg

What we would like to do is replace the two Netscreen firewalls with one SRX300.

 

My first question is; is this achievable using 1x SRX300?

If so can someone point me in the direction of a similar example?

 

Thank you in anticipation.

Charles Carter
2 REPLIES 2
Highlighted
Junos

Re: LAN to LAN VPN Source NAT

‎03-10-2020 10:12 AM

Hi!

Firstly, no you'd need a SRX3xx at each end and do a IPSEC VPN between them to complete the tunnel.

Around doing it, it's a little old but should still work on latest versions of JunOS as the config page was updated in 2019

 

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/task/configuration/lan2la...

 

KR

Adam

~~~~~~~~~~~~~~~~~~~~~~~
- Please Kudos if you found my response helpful
- Please accept my response as a 'Accepted Solution' if it solved your query
Highlighted
Junos

Re: LAN to LAN VPN Source NAT

‎04-05-2020 09:07 AM

yes combining the SSG and NS5GT into an SRX300 will be possible but I don't know a specific kb for you to follow so will have to outline the steps.  Let me know if any require more detail.

 

Use a route based vpn for the SRX side of this tunnel and put the st0 interface into the desired security zone

Create the tunnel using traffic selectors for compatiblity to the remote site these should duplicate the proxy-id pairs you have on the current screenos tunnel.

Point the routes for the remote site to the tunnel interface

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

 

I assume all the traffic is initiated outbound from your clients to the outside devices.

Create a source nat rule for the desired internal source zones with the destination of the external ranges that changes the source to your selected public address.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Feedback