SRX Services Gateway

Site 2 Site VPN with overlapping networks srx300 to srx240

09-24-2018 09:47 AM
Hi!

I have the following problem:
Site A: Network 192.168.12.0/22
Site B: Network 192.168.20.0/24 (Networks 192.168.13.0/24, 192.168.14.0/24 and 192.168.15.0/24 are assigned to other services on Site B)

How do I manage to get traffic from 192.168.12.0/22 to 192.168.20.0/24?
I assigned the IP address 172.21.8.1/22 to the st0.1 interface.
I thought to static NAT from 192.168.12.0/22 to 192.168.20.0/24 using 172.21.8.0/22 but srx said that the subnet masks from source to host didn't match (/22 to /24).
I want NAT from 192.168.12.0/22 to this network 192.168.20.0/24 using this transfer network 172.21.8.0/22.
Can please someone tell me how to configure this?

Kind regards
Andy
Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-24-2018 11:30 AM

I think I messed something up in the policies.

I cannot check it right now since I don't have access to the srx300. I will have a look at the policies tomorrow and post my results 😉

Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-24-2018 05:19 PM

You do need to use nat on both sides to resolve the conflict.  The example config is here.

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/task/configuration/lan2la...


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-24-2018 08:44 PM

In the example I have on both side the same /24 network.

In my example I have on one side a /22 network that includes 4 of my /24 networks on the other side.

So my thinking was that I only need to NAT the side with the /22 network from 192.168.12.0/22 to 172.21.8.0/22. The other side gets only traffic from the network 172.21.8.0/22 and routes this network through the VPN tunnel, and everything is fine.

It can work that way, can't it?


Kind regards

Andy

Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-25-2018 12:08 AM

I configured source and destination NAT rule-sets:


Site A source-nat:

set security nat source pool pool1 address 172.21.8.0/22
set security nat source rule-set rule-set1 from zone Internal
set security nat source rule-set rule-set1 to zone vpn
set security nat source rule-set rule-set1 rule rule1 match source-address 192.168.12.0/22
set security nat source rule-set rule-set1 rule rule1 match destination-address 192.168.20.0/24
set security nat source rule-set rule-set1 rule rule1 then source-nat pool pool1

Site A destination-nat:

set security nat destination pool pool_site_a address 192.168.12.0/22
set security nat destination rule-set rule-set_from_site_b from zone vpn
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match source-address 192.168.20.0/24
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match destination-address 172.21.8.0/22
set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b then destination-nat pool pool_site_a 

Ping from host 192.168.14.31 to 192.168.20.1, 192.168.20.2 etc. successful!

Strange thing though is that each ICMP packet sent from 192.168.14.31 to 192.168.20.1 is NATed with a different source address:

root@site_a> show security flow session destination-prefix 192.168.20.1
Session ID: 6919, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
  In: 192.168.14.31/13318 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
  Out: 192.168.20.1/1 --> 172.21.9.77/22815;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,

Session ID: 6921, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
  In: 192.168.14.31/13319 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
  Out: 192.168.20.1/1 --> 172.21.9.78/6102;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
Total sessions: 2

Ping from site b to site a is always the same source address:

Session ID: 7555, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
  In: 192.168.8.39/1371 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
  Out: 192.168.14.3/1127 --> 192.168.8.39/1371;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,

Session ID: 7556, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
  In: 192.168.8.39/1372 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
  Out: 192.168.14.3/1127 --> 192.168.8.39/1372;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,

Session ID: 7557, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
  In: 192.168.8.39/1373 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
  Out: 192.168.14.3/1127 --> 192.168.8.39/1373;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,

Session ID: 7558, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
  In: 192.168.8.39/1374 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
  Out: 192.168.14.3/1127 --> 192.168.8.39/1374;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,

Why's that? Did I do something wrong with the source NAT rules?


Kind regards

Andy

Solution
Accepted by topic author MetzingerAn 09-25-2018 12:42 AM

Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-25-2018 12:27 AM

Isn't it simpler to do static NAT on the srx300 as shown below? That would at least be my approach.


This example will static nat 192.168.12.0/22 one-to-one to 172.21.8.0/22 when traffic arrives or leaves the vpn security zone.


user@fw# show security nat static rule-set VPN
from zone vpn;
rule overlapping-net {
    match {
        destination-address 172.21.8.0/22;
    }
    then {
        static-nat {
            prefix {
                192.168.12.0/22;
            }
        }
    }
}


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)
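Added illustration, not from the thread or from Juniper: a small Python model of what the static-nat rule above does, using only the prefixes from this thread. The constant and function names are mine. It shows that static NAT keeps the host part and swaps only the /22 network bits (the same host-offset mapping visible in Andy's session output, 172.21.10.3 <-> 192.168.14.3), that the mapping works in both directions, and why the earlier /22-to-/24 attempt was refused.

```python
import ipaddress

# Prefixes from the thread; the constant and function names are mine.
SITE_A_LAN = ipaddress.ip_network("192.168.12.0/22")   # real hosts behind the SRX300
TRANSFER_NET = ipaddress.ip_network("172.21.8.0/22")   # what site B sees them as
# /24s already used at site B that fall inside site A's /22
SITE_B_CONFLICTS = [ipaddress.ip_network(n) for n in
                    ("192.168.13.0/24", "192.168.14.0/24", "192.168.15.0/24")]


def nat_config_error(from_prefix: str, to_prefix: str):
    """Reason a static-nat prefix pair cannot work, or None if it is fine.

    Static NAT swaps only the network bits, so both prefixes need the same
    length; this is the /22-vs-/24 mismatch the original poster ran into.
    """
    src, dst = ipaddress.ip_network(from_prefix), ipaddress.ip_network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        return f"prefix lengths differ: /{src.prefixlen} vs /{dst.prefixlen}"
    return None


def static_nat(addr: str, from_net, to_net) -> str:
    """One-to-one mapping: keep the host offset, replace the network part."""
    err = nat_config_error(str(from_net), str(to_net))
    if err:
        raise ValueError(err)
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        raise ValueError(f"{ip} is not inside {from_net}")
    return str(to_net.network_address + (int(ip) - int(from_net.network_address)))


def to_transfer(addr: str) -> str:
    """Site A -> tunnel: a 192.168.12.0/22 host appears as a 172.21.8.0/22 host."""
    return static_nat(addr, SITE_A_LAN, TRANSFER_NET)


def from_transfer(addr: str) -> str:
    """Tunnel -> site A: the reverse direction of the same static-nat rule."""
    return static_nat(addr, TRANSFER_NET, SITE_A_LAN)


def conflicts_with_site_b(addr: str) -> bool:
    """True if a site A address collides with a /24 already in use at site B."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_B_CONFLICTS)
```

`conflicts_with_site_b` separates the hosts that really collide with site B's 192.168.13.0/24, 192.168.14.0/24 and 192.168.15.0/24 from the rest of the /22; only those strictly need translation.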
Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-25-2018 12:45 AM

Thanks Jonas! That's it!

My first approach was to do a static nat, but I configured the 192.168.20.0/24-net as destination address...


Thumbs up!

Re: Site 2 Site VPN with overlapping networks srx300 to srx240

09-25-2018 02:19 AM

Yes, you only need to NAT the actually overlapping addresses, not the entire /22.


You do both sides to allow either to be the initiator in the example.  If the traffic always initiates one way then only one side is needed.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home