SRX Services Gateway

IPSec tunnel NAT not working - SRX210

‎02-19-2014 11:11 PM

Hi. 

 

We've created an IPSec tunnel between an SRX210 and a Cisco (model unknown) device, and the tunnel is up and working fine, but due to the nature of the remote network we need to NAT traffic from our network from a private to a public address. However, we cannot get this to work at all. Herewith some details:

 

IKE:

 

Auth: Preshare

DH G2

Auth Alg: sha1

Mode main

No-Nat traversal

general-ikeid

 

IPSec: 

 

ESP

hmac-sha1-96

3des-cbc

pfs group 2

 

Nat: 

 

set security nat source pool SA-VPN address 1.1.1.1/32 (for security I had to change the IP)
set security nat source rule-set SA-VPN from zone Trust
set security nat source rule-set SA-VPN to zone SA_ZONE
set security nat source rule-set SA-VPN rule SA-VPN match source-address 0.0.0.0/0
set security nat source rule-set SA-VPN rule SA-VPN then source-nat pool SA-VPN

The remote technician keeps advising that he is seeing only the private IP come through and that the NATing is not working at all.

 

If you need any other info, please don't hesitate to ask.

 

Regards, 


Re: IPSec tunnel NAT not working - SRX210

‎02-19-2014 11:28 PM

Hello 

 

Is the traffic from Trust to SA_Zone being forwarded through the external (public) interface or through st0 (the tunnel)? Check that by running: show route <destination-ip>

 

When doing your test (for example a ping), please run this command and send the output so we can see the session table:

 

> show security flow session destination-prefix <put-yr-destination-ip>

 

Regards

 


if this worked for you, kindly help other visitors/members of our community by tagging this post as "Accepted Solution".
Kudos are good way of appreciation.
-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS- ( FWV, SA, AC )


Re: IPSec tunnel NAT not working - SRX210

‎02-20-2014 12:04 AM

Hi Red, 

 

Thanks for the reply. I am routing the destination /32 down the tunnel. Herewith the requested output.

 

rudi@EXA001-GP-MR-Head_Office-SRX210-NO-F> show route 196.37.41.81

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

196.37.41.81/32 *[Static/5] 00:00:14
> via st0.1

 

 

rudi@EXA001-GP-MR-Head_Office-SRX210-NO-F> ping 196.37.41.81 source 172.19.0.6
PING 196.37.41.81 (196.37.41.81): 56 data bytes
^C
--- 196.37.41.81 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

 

 

rudi@EXA001-GP-MR-Head_Office-SRX210-NO-F> show security flow session destination-prefix 196.37.41.81
Session ID: 1193, Policy name: self-traffic-policy/1, Timeout: 20, Valid
In: 172.19.0.6/4 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/4;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 1783, Policy name: self-traffic-policy/1, Timeout: 18, Valid
In: 172.19.0.6/3 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/3;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 11980, Policy name: self-traffic-policy/1, Timeout: 20, Valid
In: 172.19.0.6/5 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/5;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 17442, Policy name: self-traffic-policy/1, Timeout: 18, Valid
In: 172.19.0.6/2 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/2;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 20893, Policy name: self-traffic-policy/1, Timeout: 16, Valid
In: 172.19.0.6/0 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/0;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 30612, Policy name: self-traffic-policy/1, Timeout: 22, Valid
In: 172.19.0.6/6 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/6;icmp, If: st0.1, Pkts: 0, Bytes:


Re: IPSec tunnel NAT not working - SRX210

‎02-20-2014 11:27 AM

Hello 

 

If you ping from your SRX, even using the source parameter, the SRX uses a specific zone called junos-host as the source zone, which doesn't match your NAT policy criteria (source zone), so I prefer to use a machine behind the SRX (part of the Trust zone) to do the ping, and then show the session table again.

 

Could you please post the output of this command:

 

show security nat source summary

 

Regards 


-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS- ( FWV, SA, AC )
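As an added example (not code from the thread or from Juniper): a small Python checker that parses "show security flow session" output like the one posted above and reports, per session, two things the advice in this reply turns on. First, whether the flow is self-originated (ingress on the .local..0 pseudo-interface and matched by self-traffic-policy, i.e. source zone junos-host), in which case a rule-set keyed "from zone Trust" never evaluates it. Second, whether the source address the peer will actually see (the destination of the reverse "Out" wing) differs from the original source, which is the direct test of whether source NAT took effect. The first two sessions are copied from the output posted above; the third is constructed to show what a correctly NATed flow from a Trust host would look like, and its host address 10.0.0.5, interface vlan.0, policy name Trust-to-SA and port 20001 are assumptions (1.1.1.1 is the pool address from the original post).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two real sessions quoted from the thread, plus ONE CONSTRUCTED session
# (ID 4242) showing a correctly source-NATed flow from a Trust-zone host.
# 10.0.0.5, vlan.0, "Trust-to-SA" and port 20001 are assumptions.
SESSION_OUTPUT = """\
Session ID: 1193, Policy name: self-traffic-policy/1, Timeout: 20, Valid
In: 172.19.0.6/4 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/4;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 1783, Policy name: self-traffic-policy/1, Timeout: 18, Valid
In: 172.19.0.6/3 --> 196.37.41.81/21412;icmp, If: .local..0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/21412 --> 172.19.0.6/3;icmp, If: st0.1, Pkts: 0, Bytes: 0

Session ID: 4242, Policy name: Trust-to-SA/4, Timeout: 2, Valid
In: 10.0.0.5/1 --> 196.37.41.81/1;icmp, If: vlan.0, Pkts: 1, Bytes: 84
Out: 196.37.41.81/1 --> 1.1.1.1/20001;icmp, If: st0.1, Pkts: 1, Bytes: 84
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
# "Bytes:" is deliberately not required: the last session in the thread was cut off there.
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+)"
)


@dataclass
class Wing:
    src_ip: str
    dst_ip: str
    dst_port: int   # on the Out wing this is the (possibly translated) source port
    iface: str
    pkts: int


@dataclass
class Session:
    sid: int
    policy: str
    inbound: Wing
    outbound: Wing

    def self_originated(self) -> bool:
        """True for traffic the SRX generated itself, e.g. 'ping ... source X'.

        Such traffic enters on .local..0 and hits the built-in self-traffic-policy;
        its source zone is junos-host, so a 'from zone Trust' rule-set never sees it.
        """
        return self.inbound.iface == ".local..0" or self.policy.startswith("self-traffic-policy")

    def translated_source(self) -> Optional[str]:
        """Post-NAT source address, or None if source NAT was not applied.

        The Out wing is the reverse flow; its destination is where the peer sends
        replies, i.e. the source address the remote technician actually sees.
        """
        seen_by_peer = self.outbound.dst_ip
        return None if seen_by_peer == self.inbound.src_ip else seen_by_peer


def parse_sessions(text: str) -> List[Session]:
    """Parse blank-line separated session blocks into Session objects."""
    sessions: List[Session] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        wings: Dict[str, Wing] = {}
        for line in lines[1:]:
            m = WING_RE.match(line.strip())
            if m:
                direction, src, _sport, dst, dport, _proto, iface, pkts = m.groups()
                wings[direction] = Wing(src, dst, int(dport), iface, int(pkts))
        if "In" in wings and "Out" in wings:
            sessions.append(Session(int(header.group(1)), header.group(2), wings["In"], wings["Out"]))
    return sessions


def diagnose(s: Session) -> str:
    """One-line verdict on whether zone-based source NAT took effect for this session."""
    if s.self_originated():
        return (f"session {s.sid}: self-originated via {s.inbound.iface} (zone junos-host); "
                f"not subject to a from-zone Trust rule-set, test from a host in Trust")
    nat = s.translated_source()
    if nat is None:
        return f"session {s.sid}: source NAT NOT applied, peer sees {s.inbound.src_ip}"
    verdict = f"session {s.sid}: source NAT applied {s.inbound.src_ip} -> {nat}"
    if s.outbound.pkts == 0:
        verdict += f" (no return packets yet: check the remote policy and the route back to {nat})"
    return verdict


if __name__ == "__main__":
    for sess in parse_sessions(SESSION_OUTPUT):
        print(diagnose(sess))
```

Run it as-is to see the two quoted sessions flagged as self-originated and the constructed one reported as translated to 1.1.1.1; in practice, paste the live output of "show security flow session destination-prefix <ip>" into SESSION_OUTPUT after generating the test traffic from a host in the Trust zone, as the reply above suggests.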


Re: IPSec tunnel NAT not working - SRX210

‎02-20-2014 11:36 AM

Another thing to check: when the traffic reaches the other firewall over the IPsec tunnel, make sure that the security policy at the remote firewall allows the post-NAT traffic (the source IP has changed due to the source NAT policy).

 

And you should have a static route on the remote firewall to route the return traffic destined to 1.1.1.1 back to the SRX over the tunnel.

 

 

Regards

 


-------------
Red1
JNCIE-SEC #158, JNCIP-SP, JNCIS- ( FWV, SA, AC )