ScreenOS Firewalls (NOT SRX)

How do we NAT our local network in a VPN?

‎07-03-2014 07:10 AM

Hi Guys,

We are trying to set up a VPN with a client, and here’s what they are requesting.

“These are the settings we would like to use to configure the VPN, do they work for you? (Specifically Phase 1 & 2 settings.)

IPSec Peer: 66.xxx.xxx.xxx

Remote Net: 216.xxx.xxx.xxx/23

Phase 1: AES-256, SHA1, Group5, life = 86,400 sec.

Phase 2: AES-256, SHA1, life = 28,800 sec.

We would like for you to NAT your local network to 172.18.11.0/24 if possible.”

So we have a Juniper NS5GT, and my questions are:

  1. Are these Phases (Phase 1 and Phase 2) supported in our firewall? If so, can you tell me the corresponding phases for them as I'm not sure if we have them on our NS5GT.
  2. How do we NAT our local network (192.168.1.0/24) to 172.18.11.0/24?

Thanks in advance!

Arnel

7 REPLIES

Re: How do we NAT our local network in a VPN?

‎07-03-2014 09:15 AM

Those proposals are supported; however, you would have to create a custom proposal set.

For example:

set ike p1-proposal pre-g5-aes256-sha preshare group5 esp aes256 sha-1 seconds 86400

set ike p2-proposal esp-aes256-sha1 esp aes256 sha-1 seconds 28800


As for the NAT portion, you would need to configure this as a route-based VPN, then use a MIP to perform a one-to-one translation.

For example:

set interface "tunnel.1" mip 172.18.11.1 host 192.168.1.1 netmask 255.255.255.0 vr "trust-vr"

This would translate anything via the VPN to/from the addresses required.  For example, anything destined to 172.18.11.5 will be translated to 192.168.1.5, and anything sourced from 192.168.1.5 will be translated to 172.18.11.5.


Re: How do we NAT our local network in a VPN?

‎07-03-2014 09:54 AM

Thank you very much rseibert!

Just to confirm: we can create these proposals by executing these commands in the firewall? Then after we create them with these commands, we will be able to see them in the GUI, is that correct?

set ike p1-proposal pre-g5-aes256-sha preshare group5 esp aes256 sha-1 seconds 86400

set ike p2-proposal esp-aes256-sha1 esp aes256 sha-1 seconds 28800

And as for the NAT, nothing will be accessed on our side (192.168.1.0/24). We will be the ones accessing their servers. So I think they (the client) would like to avoid a conflict with this IP range, so they would like us to move to 172.18.11.0/24. As I understand it, it looks like this can be done by the use of a tunnel interface, then a fixed IP range of 172.18.11.0/24 and Zone (VR) = Untrust (trust-vr), is this correct? Please advise.

Thanks again!

Arnel


Re: How do we NAT our local network in a VPN?

‎07-03-2014 10:02 AM

Yes, it would be available in the WebUI after creating it. You can also create the proposals in the WebUI.

VPNs -> AutoKey Advanced -> P1 Proposal, then click "New" in the upper right corner.

VPNs -> AutoKey Advanced -> P2 Proposal, then click "New" in the upper right corner.

If you only need to NAT the one direction, then you could also use a DIP on the tunnel interface. This would allow for multiple-to-multiple source translation.

Please refer to http://kb.juniper.net/InfoCenter/index?page=content&id=KB11909 for NAT.  You can also refer to our Concepts and Examples guide located at https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_AddressTranslation.pdf


Re: How do we NAT our local network in a VPN?

‎07-07-2014 07:44 AM

Hi rseibert,

Apologies for my late response. I'm not sure I follow it correctly, so I want to describe our requirements below, where we are site A.

| Site                   | A                        | B                       |
|------------------------|--------------------------|-------------------------|
| Untrust IP of Firewall | 216.xxx.xxx.xxx (eth0/0) | 66.xxx.xxx.xxx (eth0/0) |
| Trust Network          | 192.168.1.0/24           | 192.168.1.0/24          |
| Phase 1 Proposal       | aes-256-sha1-g5          | aes-256-sha1-g5         |
| Phase 2 Proposal       | aes-256-sha1-g2          | aes-256-sha1-g2         |

Note: I just put 192.168.1.0/24 for Site B's LAN because they said there will be issues if we use this subnet.

Site B said there will be conflicts/issues if we use 192.168.1.0/24, so they would like us to NAT it to 172.18.11.0/24. Can you help me with how to set this up, or can you correct me if I'm wrong? Because this is how I understand it.

This is going to be a route-based VPN, so we need to create a tunnel interface that will be set to Fixed IP (172.18.11.0/24). What will be the Zone (VR) for this tunnel interface? Is it better to create a new zone for this? Please advise.

Thank You!

Arnel


Re: How do we NAT our local network in a VPN?

‎07-07-2014 09:52 AM

You can create the tunnel interface as an unnumbered interface. Tunnel interfaces allow you to use any zone for the traffic, so that doesn't matter as long as you have policies in place for the unencrypted traffic.

You would need to create either a MIP (for one-to-one) or DIP (many-to-many) on the tunnel interface.  This would allow the traffic to be translated before being encrypted. 


Re: How do we NAT our local network in a VPN?

‎07-07-2014 12:02 PM

Okay. So when I place the tunnel interface in the Untrust (trust-vr) zone, I would need to create policies for it from Trust to Untrust and vice versa, correct?

By the way, I'm not really sure how to set up the DIP in this case. Can you provide me an overview of the steps I need to accomplish for it?

Thanks!

Arnel


Re: How do we NAT our local network in a VPN?

‎07-08-2014 09:14 AM

In order for this to work, both sides have to be NAT'd. Please refer to https://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf page 147.
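The pieces discussed in this thread (custom proposals, unnumbered tunnel interface, MIP versus DIP on the tunnel, and the policies the asker wanted an overview of) pulled together into one ScreenOS configuration; this is an added illustration written for this thread, not rseibert's configuration or Juniper's documentation. The peer LAN 10.50.0.0/24, the pre-shared key placeholder and all object names are assumptions, and the # lines are annotations rather than ScreenOS input.

```screenos
# Added example (not from the thread): route-based VPN on the NS5GT where the local
# 192.168.1.0/24 is presented to the peer as 172.18.11.0/24.
# Assumptions: peer LAN is 10.50.0.0/24, PSK is a placeholder, names are invented.

# Custom proposals matching the peer's Phase 1 / Phase 2 request (no PFS in Phase 2)
set ike p1-proposal pre-g5-aes256-sha preshare group5 esp aes256 sha-1 seconds 86400
set ike p2-proposal esp-aes256-sha1 no-pfs esp aes256 sha-1 seconds 28800

# Tunnel interface: unnumbered, borrowing the untrust interface address;
# the zone only matters for which policies apply to the cleartext traffic
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# IKE gateway to the peer and the VPN bound to the tunnel interface
set ike gateway siteB-gw address 66.xxx.xxx.xxx main outgoing-interface ethernet0/0 preshare REPLACE_WITH_PSK proposal pre-g5-aes256-sha
set vpn siteB-vpn gateway siteB-gw proposal esp-aes256-sha1
set vpn siteB-vpn bind interface tunnel.1
# The proxy-ID must advertise the translated range, not 192.168.1.0/24
set vpn siteB-vpn proxy-id local-ip 172.18.11.0/24 remote-ip 10.50.0.0/24 any

# Route the peer LAN into the tunnel so traffic reaches the interface holding the NAT
set route 10.50.0.0/24 interface tunnel.1

# Address objects used by the policies
set address trust lan-192 192.168.1.0/24
set address untrust siteB-lan 10.50.0.0/24

# Option 1: MIP on the tunnel interface, one-to-one and bidirectional
# (172.18.11.x <-> 192.168.1.x for the whole /24, as described in the second reply)
set interface tunnel.1 mip 172.18.11.1 host 192.168.1.1 netmask 255.255.255.0 vr trust-vr
set policy from trust to untrust lan-192 siteB-lan any permit
set policy from untrust to trust siteB-lan MIP(172.18.11.1) any permit

# Option 2 (use instead of the MIP when only outbound access is needed):
# DIP pool on the tunnel interface, many-to-many source NAT applied by policy
# set interface tunnel.1 dip 5 172.18.11.2 172.18.11.254
# set policy from trust to untrust lan-192 siteB-lan any nat src dip-id 5 permit
```

With the MIP option the peer must route 172.18.11.0/24 toward its own tunnel and permit it in its policies, which is the "both sides have to be NAT'd / configured" point in the last reply; with the DIP option the peer only ever sees sources from the pool.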