SRX Services Gateway

Route based VPN in and out same interface?

‎04-18-2016 03:53 PM

I'm configuring a VPN on a SRX550 that sits behind a SRX650.

I *think* I have figured out the config for the VPN NATing out the other firewall.

The piece I'm not sure will work is if I have traffic coming in reth20, set the route to point to st0.100 to encrypt, then bind the tunnel to reth20 so it goes back out the same interface. Will that work?

Solution accepted by topic author sumcallmetim, ‎04-19-2016 09:53 AM

Re: Route based VPN in and out same interface?

‎04-19-2016 02:55 AM

Hi,

It depends on how you have your zones set up.

For example, are reth20 and st0.100 in the same security zone? Then you need an interzone policy configured.

 

user@srx# show security policies from-zone DMZ to-zone DMZ
policy permit-inter-zone {
    match {
        source-address 192.168.1.0/24;
        destination-address 10.10.10.0/24;
        application any;
    }
    then {
        permit;
    }
}

If the Secure Tunnel interface resides in its own zone, then you will need a regular policy from your incoming traffic zone to this security zone.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
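An added configuration example, not from the thread or its authors, showing the layout the reply describes: st0.100 in its own zone, the static route deciding what gets encrypted, the IKE gateway bound to the same reth20 the cleartext traffic arrives on, and a regular policy in each direction between the two zones. The zone name VPN, the object names (IKE-PROP, IKE-POL, GW-PEER, IPSEC-PROP, IPSEC-POL, VPN-PEER, DMZ-TO-VPN, VPN-TO-DMZ, LOCAL-NET, REMOTE-NET), the interface and tunnel addresses, the peer address 203.0.113.1 and the hostname identity are all constructed placeholders; only 192.168.1.0/24, 10.10.10.0/24, reth20, st0.100 and the DMZ zone come from the thread.

```junos
# Added example, not the original poster's configuration. Names, addresses and
# the peer 203.0.113.1 are placeholders; adjust to the real topology.

# Secure tunnel interface; numbered so it can be used as a static-route next hop.
set interfaces st0 unit 100 family inet address 10.255.0.1/30

# Underlay interface that carries both the cleartext traffic and the IKE/ESP.
set interfaces reth20 unit 0 family inet address 192.168.1.1/24

# st0.100 lives in its own zone (the asker's plan); reth20.0 stays in DMZ.
# IKE must be permitted inbound on the interface the gateway is bound to.
set security zones security-zone DMZ interfaces reth20.0
set security zones security-zone DMZ interfaces reth20.0 host-inbound-traffic system-services ike
set security zones security-zone VPN interfaces st0.100

# Phase 1. external-interface reth20.0 is what makes the encrypted traffic
# leave on the same interface the cleartext arrived on. Because the SRX550 is
# NATed by the SRX650, identify this end by hostname rather than by its IP.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "CHANGE-ME"
set security ike gateway GW-PEER ike-policy IKE-POL
set security ike gateway GW-PEER address 203.0.113.1
set security ike gateway GW-PEER local-identity hostname srx550.example.net
set security ike gateway GW-PEER external-interface reth20.0

# Phase 2, bound to st0.100 so routing (not a proxy-ID match) selects the tunnel.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-PEER bind-interface st0.100
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PEER establish-tunnels immediately

# The route is what decides which traffic gets encrypted.
set routing-options static route 10.10.10.0/24 next-hop st0.100

# With st0.100 in zone VPN, a normal inter-zone policy is needed, plus the
# reverse policy for sessions initiated from the far side.
set security address-book global address LOCAL-NET 192.168.1.0/24
set security address-book global address REMOTE-NET 10.10.10.0/24
set security policies from-zone DMZ to-zone VPN policy DMZ-TO-VPN match source-address LOCAL-NET
set security policies from-zone DMZ to-zone VPN policy DMZ-TO-VPN match destination-address REMOTE-NET
set security policies from-zone DMZ to-zone VPN policy DMZ-TO-VPN match application any
set security policies from-zone DMZ to-zone VPN policy DMZ-TO-VPN then permit
set security policies from-zone VPN to-zone DMZ policy VPN-TO-DMZ match source-address REMOTE-NET
set security policies from-zone VPN to-zone DMZ policy VPN-TO-DMZ match destination-address LOCAL-NET
set security policies from-zone VPN to-zone DMZ policy VPN-TO-DMZ match application any
set security policies from-zone VPN to-zone DMZ policy VPN-TO-DMZ then permit
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` confirm the phases came up, and `show security flow session destination-prefix 10.10.10.0/24` shows the sessions with st0.100 as the egress interface, which is the check that the route, not the policy, is steering traffic into the tunnel. Keeping the tunnel zone separate from DMZ means every flow into the VPN is explicitly listed in a policy, rather than being covered by a broad same-zone rule.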

Re: Route based VPN in and out same interface?

‎04-19-2016 09:56 AM

Perfect. Thanks for the reply.

I was planning on doing them in separate security zones. So making the policies between zones makes sense to me.

Now hopefully I can get the tunnel working through the NAT on the other firewall....
