SRX Services Gateway

NAT over a VPN

08-18-2014 07:11 AM

Looking for help on a NAT/VPN configuration.

Our network needs to communicate over a VPN to a provider. Here is what is needed.

Our firewall, 50.60.70.80, will establish a VPN with their primary and secondary sites, 4.4.4.4 and 8.8.8.8.

Our network is 192.168.10.x and we will need to NAT the two hosts that will communicate over the VPN. So, our host 192.168.10.100 will be NATed to 50.60.70.88 and 192.168.10.101 will be 50.60.70.89. On their side, the 4.4.4.4 peer has a network of 161.220.22.208/28, and the 8.8.8.8 peer is 196.220.24.208/28.

So, configuring the VPN I know, but setting the interesting traffic and doing the NAT is the part I am having trouble with. I am assuming that I just set a static NAT just as I would for a connection to the Internet, like I was setting up a web server, but how do I limit this to just VPN traffic? I need to bind this to the st.2 and st.3 tunnels.

Thanks,

Gordon

Re: NAT over a VPN

08-20-2014 02:50 AM

Hi,

You are basically faced with a situation where you need to choose how to define interesting traffic. In Juniper, how you define interesting traffic determines the type of VPN.

Two options are available, and the various reasons why to choose one over the other are listed in this KB article:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15745

Summary:

For Route-based VPN: you will define a static route that points to the tunnel interface.

For Policy-based VPN: you will define a security policy that matches the interesting traffic.

From the KB, you will probably end up with a Route-based VPN, which you configure as illustrated below:

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-configuring....

Regards,
Willys W.
Re: NAT over a VPN

08-20-2014 07:59 PM

You need to use a route-based VPN and write a NAT rule for traffic from your internal zone to the zone where your tunnel interface is present.

Regards,

c_r


Re: NAT over a VPN

08-21-2014 06:56 AM

Thanks for the replies. I am using a route-based VPN, but the biggest question is the NAT. Do I use source, destination or static?

Our server, 192.168.10.100, needs to be seen by the 161.220.22.208/28 and 161.220.24.208/28 networks as 50.60.70.88. 192.168.10.101 will be 50.60.70.88. My thought would be a static NAT, but I'm not sure about the requirements. The documentation that I read on this seems to say that the NAT needs to be the same size, so two /32 hosts going to a /28 network won't work?

My best understanding at this point is that I set a NAT source rule from each remote peer to NAT traffic to the 50. address, and then a NAT destination rule for the .100 and .101 to each peer to change to the 50. address as well.

Is there a way to do this with static NAT? And do I set the route from trust to untrust, or trust to the VPN st.2 and st.3?

Thanks,

Gordon

@GordonB wrote:

Our network is 192.168.10.x and we will need to NAT the two hosts that will communicate over the VPN. So, our host 192.168.10.100 will be NATed to 50.60.70.88 and 192.168.10.101 will be 50.60.70.89. On their side, the 4.4.4.4 peer has a network of 161.220.22.208/28, and the 8.8.8.8 peer is 196.220.24.208/28.

Re: NAT over a VPN

08-21-2014 07:22 PM

OK, here is what I would suggest.

Build a route-based VPN and say you bind it to st0.0.

Put st0.0 in a zone called VPN.

Now write a static NAT rule-set as from zone VPN.

Write two rules, r1 and r2:

matching 50.60.70.88 --> to internal IP 192.168.10.100

50.60.70.89 --> 192.168.10.101

This should work fine for you, for traffic initiated from either direction.

Also write a route for 161.220.22.208/28 and 161.220.24.208/28 pointing towards st0.

Hope this helps.

Regards,

c_r

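A worked Junos set-format configuration for the design c_r describes, added here as an example; it was not posted by anyone in the thread and is not taken from Juniper documentation. It uses the addresses from the original post (the later reply writes the second provider network as 161.220.24.208/28; substitute whichever is correct), puts each provider peer on its own tunnel interface (st0.2 and st0.3, as the question implies) rather than the single st0.0 in the reply, and assumes the already-configured IPsec VPNs are named vpn-primary and vpn-secondary. The zone name VPN, the rule-set, rule, policy and address-book names, and the /31 local proxy-ID are illustrative assumptions. Two points the thread raises but does not settle: a static NAT rule requires the same prefix length on both sides, so each /32 public address maps to one /32 host and the provider /28s never appear in the NAT rules, only in routes and policies; and because the rule-set is scoped "from zone VPN", the same public addresses are untouched for Internet traffic entering from untrust. Lines beginning with # are notes for the reader.

```junos
# Tunnel interfaces, one per provider peer, and the zone that holds them
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet
set security zones security-zone VPN interfaces st0.2
set security zones security-zone VPN interfaces st0.3

# Bind each existing IPsec VPN (assumed names) to its tunnel interface.
# The proxy-ID presents the NAT addresses, not 192.168.10.0/24, so the
# provider's phase-2 selectors match; /31 covering .88-.89 is an assumption
set security ipsec vpn vpn-primary bind-interface st0.2
set security ipsec vpn vpn-primary ike proxy-identity local 50.60.70.88/31 remote 161.220.22.208/28 service any
set security ipsec vpn vpn-secondary bind-interface st0.3
set security ipsec vpn vpn-secondary ike proxy-identity local 50.60.70.88/31 remote 196.220.24.208/28 service any

# Routes: each provider network is reached through its own tunnel
set routing-options static route 161.220.22.208/28 next-hop st0.2
set routing-options static route 196.220.24.208/28 next-hop st0.3

# Static NAT is bidirectional: inbound, 50.60.70.88 -> 192.168.10.100;
# outbound from 192.168.10.100 toward the provider, the source becomes
# 50.60.70.88 automatically. Prefix lengths must match (/32 <-> /32).
# "from zone VPN" keeps the mapping off the untrust (Internet) path.
set security nat static rule-set vpn-static from zone VPN
set security nat static rule-set vpn-static rule r1 match destination-address 50.60.70.88/32
set security nat static rule-set vpn-static rule r1 then static-nat prefix 192.168.10.100/32
set security nat static rule-set vpn-static rule r2 match destination-address 50.60.70.89/32
set security nat static rule-set vpn-static rule r2 then static-nat prefix 192.168.10.101/32

# Address-book entries. Policies reference the real host addresses because
# policy lookup happens after static/destination NAT has been applied.
set security zones security-zone trust address-book address host-100 192.168.10.100/32
set security zones security-zone trust address-book address host-101 192.168.10.101/32
set security zones security-zone VPN address-book address provider-primary 161.220.22.208/28
set security zones security-zone VPN address-book address provider-secondary 196.220.24.208/28

# Policies in both directions. Replace "application any" with the real
# service set (e.g. a specific junos-* or custom application) before deploying.
set security policies from-zone VPN to-zone trust policy provider-in match source-address provider-primary
set security policies from-zone VPN to-zone trust policy provider-in match source-address provider-secondary
set security policies from-zone VPN to-zone trust policy provider-in match destination-address host-100
set security policies from-zone VPN to-zone trust policy provider-in match destination-address host-101
set security policies from-zone VPN to-zone trust policy provider-in match application any
set security policies from-zone VPN to-zone trust policy provider-in then permit
set security policies from-zone VPN to-zone trust policy provider-in then log session-init

set security policies from-zone trust to-zone VPN policy provider-out match source-address host-100
set security policies from-zone trust to-zone VPN policy provider-out match source-address host-101
set security policies from-zone trust to-zone VPN policy provider-out match destination-address provider-primary
set security policies from-zone trust to-zone VPN policy provider-out match destination-address provider-secondary
set security policies from-zone trust to-zone VPN policy provider-out match application any
set security policies from-zone trust to-zone VPN policy provider-out then permit
set security policies from-zone trust to-zone VPN policy provider-out then log session-init
```

To check the result once committed: `show security ipsec security-associations` confirms both tunnels are up, `show security nat static rule all` shows the hit counters on r1 and r2 climbing as the provider connects, and `show security flow session destination-prefix 192.168.10.100` shows the inbound wing arriving on st0.2 or st0.3 with the translated destination. No source NAT rule is needed for the return direction; if you do later add a source NAT rule-set from trust to VPN, remember that static NAT takes precedence over it for these two hosts.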