SRX Services Gateway

Destination natting on Site to Site VPN

‎10-15-2014 09:35 PM

Hi Guys,

A scenario I will be trying to set up is this:

site A LAN: 192.168.1.0/24

Site B LAN: 192.168.10.0/24

Site C LAN: 192.168.10.0/24

Site D LAN: 192.168.10.0/24 ... and so on

B, C and D do not need to talk to each other. Communication will always be A to x.

I have read this guide: http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-se... about connecting two similar subnets together, so I thought of adapting that, but using a DNAT instead of using SNAT. So the idea being, the user on the Site A LAN would connect to 10.10.1.10, which would actually be Site B 192.168.10.10, and 10.10.2.10, which would actually be Site C 192.168.10.10, etc.

However, the hurdle I am at is the proxy IDs: what do I set on each side? At what point does the Juniper know which is the correct tunnel to push the traffic down, and at what point does it translate the destination back to the real destination?

Also, is this even possible to work?

1 REPLY

Re: Destination natting on Site to Site VPN

‎10-16-2014 12:16 AM

OK, I think I can answer my own question and say it isn't possible.

I had a working VPN, local 192.168.1.0 and remote 192.168.10.0,

so I allocated a new virtual IP block 10.0.20.0/24 and did this:

set routing-options static route 10.0.20.0/24 next-hop st0.0

set security nat destination pool pool1 address 192.168.10.0/24
set security nat destination rule-set nat from zone trust
set security nat destination rule-set nat rule 1 match destination-address 10.0.20.0/24
set security nat destination rule-set nat rule 1 then destination-nat pool pool1

and that worked fine (no changes to proxy ID or anything, the VPN stayed up with no issues). I could connect to 10.0.20.x and it would connect me to 192.168.10.x on the remote side (the destination NAT seems pretty cool, I hadn't used it before; it seems to do a 1-to-1 static NAT if the blocks are the same size, so using .100 translated to .100 with just the commands above, which was nice).

However, I also realised I could still connect using the 192.168.10.x as well, so I removed that existing route, because when new sites came online that address should not be tied to any specific tunnel:

del routing-options static route 192.168.10.0/24 next-hop st0.0

thinking that I could just do the following:

set routing-options static route 10.0.20.0/24 next-hop st0.0
set routing-options static route 10.0.30.0/24 next-hop st0.1
set routing-options static route 10.0.40.0/24 next-hop st0.2
etc.

and then create new pools for each one. (It did let me create multiple destination NAT rules with the same pool.)

However, the problem lay in the fact that once the route for 192.168.10.0/24 was removed, it broke the connectivity. I believe the way it happens is that the DNAT happens before the routing decision is made, so it looks for a route for 192.168.10.0, doesn't see it, and pushes it out to the internet rather than via the tunnel.

If anyone can think of a way around this then please let me know!
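Added illustration (an editor's Python model, not from the thread and not Junos code): the flow order the reply describes, where destination NAT runs before the route lookup, so the translated 192.168.10.x address, which every site shares, is what gets routed and the per-site 10.0.x.0/24 routes are never consulted. Addresses, pools and st0 units are taken from the posts; the 0.0.0.0/0 route to the internet is an assumption.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


# Constructed from the post: one virtual block per remote site, both pointing at
# the same overlapping LAN, plus the static routes before and after the
# 192.168.10.0/24 route was deleted. The default route is an assumption.
DNAT_RULES = [(net("10.0.20.0/24"), net("192.168.10.0/24")),
              (net("10.0.30.0/24"), net("192.168.10.0/24"))]
ROUTES_BEFORE = [(net("192.168.10.0/24"), "st0.0"), (net("10.0.20.0/24"), "st0.0"),
                 (net("10.0.30.0/24"), "st0.1"), (net("0.0.0.0/0"), "internet")]
ROUTES_AFTER = [r for r in ROUTES_BEFORE if r[0] != net("192.168.10.0/24")]


def dnat(dst, rules):
    """Static pool translation: a same-size pool keeps the host offset (.100 -> .100)."""
    for match, pool in rules:
        if dst in match:
            offset = int(dst) - int(match.network_address)
            return ipaddress.ip_address(int(pool.network_address) + offset)
    return dst


def route_lookup(dst, routes):
    """Longest-prefix match over the static routes; None if nothing matches."""
    best = None
    for prefix, nexthop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def forward(dst, routes, rules=DNAT_RULES):
    """Order the reply describes: translate first, then route the translated address."""
    translated = dnat(ipaddress.ip_address(dst), rules)
    return str(translated), route_lookup(translated, routes)


if __name__ == "__main__":
    for table in (ROUTES_BEFORE, ROUTES_AFTER):
        for dst in ("10.0.20.100", "10.0.30.100"):
            print(dst, "->", forward(dst, table))
```

With the 192.168.10.0/24 route present both virtual blocks land on st0.0, and once it is removed they fall through to the default route, which is the behaviour the reply observed.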
