SRX Services Gateway

Routing based vpn - default route

01-17-2012 10:23 AM

So here is the scenario:

I have a routing-based VPN between an SRX and a FortiGate, using an unnumbered address on the tunnel. What I would like is to provide the default route for the remote network, i.e. NAT behind the same interface which is used for the unnumbered configuration.

I have source NAT rules configured, but when tracing the flow, I can see the traffic leaving the correct interface, but it is not NAT'ed.

Does anyone know if this is possible, or if it might be possible to set up PBR with this configuration?


Re: Routing based vpn - default route

01-19-2012 07:15 AM

Yes it's possible.

interfaces {
    /* unnumbered tunnel interface: family inet with no address */
    st0 {
        unit 0 {
            family inet {
                mtu 1350;
            }
        }
    }
}

routing-options {
    static {
        /* this is the route for the VPN */
        route 10.118.0.0/16 next-hop st0.0;
        route 0.0.0.0/0 next-hop *.*.*.*/*;
    }
}

security {
    nat {
        source {
            /* traffic into the tunnel is not translated */
            rule-set trust-to-vpn {
                from zone trust;
                to zone vpn;
                rule vpn-no-NAT {
                    match {
                        source-address 10.118.73.160/28;
                        destination-address 10.118.0.0/16;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
            }
            /* everything else leaving untrust is hidden behind the egress interface */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-NAT-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
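Added example (not taken from either post): the same pattern written out as a complete configuration in the reply's curly-brace form, plus the piece the original question actually turns on. On the SRX a source NAT rule-set is chosen by the from-zone/to-zone pair of the session, so traffic that arrives through the tunnel (zone vpn) and leaves towards the internet (zone untrust) is never matched by a trust-to-untrust rule-set; it needs a vpn-to-untrust rule-set of its own, and a security policy for that zone pair. Interface names ge-0/0/0.0 and ge-0/0/1.0, the zone names, the VPN name FORTIGATE-VPN, and the next-hop 203.0.113.1 are assumptions; the prefixes 10.118.0.0/16 and 10.118.73.160/28 are the ones from the thread.

```junos
/* Assumed interface layout: ge-0/0/0.0 = untrust, ge-0/0/1.0 = trust, st0.0 = tunnel */
interfaces {
    st0 {
        unit 0 {
            family inet {
                mtu 1350;   /* unnumbered: no address under family inet */
            }
        }
    }
}

security {
    zones {
        security-zone untrust { interfaces { ge-0/0/0.0; } }
        security-zone trust   { interfaces { ge-0/0/1.0; } }
        security-zone vpn     { interfaces { st0.0; } }
    }
    ipsec {
        /* FORTIGATE-VPN is an assumed name; the tunnel must be bound to st0.0 for route-based VPN */
        vpn FORTIGATE-VPN {
            bind-interface st0.0;
        }
    }
    nat {
        source {
            /* local hosts reaching the remote network: no translation */
            rule-set trust-to-vpn {
                from zone trust;
                to zone vpn;
                rule vpn-no-NAT {
                    match {
                        source-address 10.118.73.160/28;
                        destination-address 10.118.0.0/16;
                    }
                    then { source-nat { off; } }
                }
            }
            /* remote network using this SRX as its default route: hide behind ge-0/0/0.0 */
            rule-set vpn-to-untrust {
                from zone vpn;
                to zone untrust;
                rule remote-net-NAT {
                    match {
                        source-address 10.118.0.0/16;
                    }
                    then { source-nat { interface; } }
                }
            }
            /* local hosts to the internet */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-NAT-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then { source-nat { interface; } }
                }
            }
        }
    }
    policies {
        /* without a vpn->untrust policy the flow is dropped before NAT is ever consulted */
        from-zone vpn to-zone untrust {
            policy remote-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then { permit; }
            }
        }
    }
}

routing-options {
    static {
        route 10.118.0.0/16 next-hop st0.0;     /* remote network via the tunnel */
        route 0.0.0.0/0 next-hop 203.0.113.1;   /* assumed upstream gateway */
    }
}
```

To check which rule-set a flow actually hits, use `show security nat source rule all` (the translation hit counters increment per rule) and `show security flow session` on a test flow from a remote host: the session's "Out" wing should show the untrust interface address as the translated source. If the counters on vpn-to-untrust stay at zero while the session exists, the session was classified into a different zone pair, usually because st0.0 is not in the zone the rule-set names.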