SRX

Hello,

I have a VPN box on a separate VLAN that you can see in my config that I attached connected to an openvpn box that is dedicated for this. It is listening on the right port, I have the config right the clients configs are right and are attempting to connect to the right place. I see translation hits in the log to the right port but nothing is showing up on tcpdump or anywhere on the VPN box.  I only have one external IP address so I am just using a port to determine it is VPN traffic.

Can someone please look at this and see what the heck I am doing wrong?

I should mention, this is for remote users to connect to my home network from a hotel wireless, cafe, etc. that I don't trust on my phone, tablet, laptop, etc.

Thank you!!

Attachment(s)

srx240h2_config.rtf   89 KB 1 version

Can someone please help 😞

I just need help with my destination NAT - nothing is showing up on my vpn box

From the configuration it looks like you are missing the security policy to permit the inbound vpn traffic.  It looks like you may have both the zone names mis matched and the addresses used in the policies incorrect.  But I'm not positive is both are wrong

Basically, you write the security policy from the internet zone to the translated address zone, not the nat address as I think you are doing in your config.  Here is the example:

https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-destination-single-address-translation-configuring.html

thank you for your help I will give this a try and review your comments on the mismatches!

Is there a way to do this through the J-Web interface?  I don't see a way to manipulate trust and untrust zones

Jweb should allow you to create the security policies.  If you have some already you may need to delete them as the main framework for the policy is zone to zone.  And yours will need to change to the post nat zone.

Ok.

I have no idea what I am missing, I am showing logging hits on the NAT rule but it shows failure as a status in the logs.  I don't see anything in my tcpdump for the VPN server/destination.  Does the failure mean a session is not established or does it mean that the firewall is blocking it or something else?  I am just running a port scan on that port to see if it is working so something should be showing up.  I have attached my updated configuration.

Attachment(s)

vpn_config_05_09_2017.rtf   21 KB 1 version

I think this should help.

https://forums.juniper.net/t5/SRX-Services-Gateway/Destination-NAT-Port-Forwarding-Passthrough-for-VPN/m-p/264369#M32554

Your security policy to permit the inbound VPN traffic needs to be to the destination pool address not the public address.

Change this:

  address-book {

        ext-ip-vpn-address-book {

            address ext-ip-vpn 75.72.76.40/32;  <<<<  172.19.143.14/32

            attach {

                zone Internet;

                zone VPN;

            }

        }

    }

this was it - thank you so much - i followed the example too closely but didn't see that server1 in the example was the VPN box i was looking at it like the destination from the internet was the public IP, but i see now that doesn't make sense with the NAT rule.

thank you!!!!