ScreenOS Firewalls (NOT SRX)

MIP private to private IP? Need help with NAT on tunnel

07-17-2013 12:39 AM

So this is my setup.

I have an SSG with a site-to-site tunnel (tunnel.1) to a remote site. I need to create a 1-to-1 static NAT between a server on my Trust network and a server at that remote site.

HQ server - 192.168.1.100 (Trust zone)

remote server - 1.1.1.1

NAT IP - 10.0.1.100

tunnel.1 - Untrust zone

So basically, the traffic flow I'm trying to accomplish is like this.

Inbound from remote server to HQ server

1. Remote server pings 10.0.1.100

2. It goes through tunnel.1 and gets to the SSG

3. The SSG dst-NATs the destination IP to 192.168.1.100

Outbound from HQ server to remote server

1. HQ server pings 1.1.1.1

2. It goes to its gateway, which is the SSG, which then performs a src-NAT to 10.0.1.100.

3. Then through the tunnel (static route: any traffic towards 1.1.1.1 has next hop tunnel.1) to the remote site.

I researched a bit and saw two options, but I'm not sure if they work or if I'm doing it right.

Option 1:

Create policy-based src and dst NATs.

1. Create a policy and then NAT the dst.

Something like: any traffic from Untrust to Trust with src IP 1.1.1.1 and dst IP 10.0.1.100, permit and NAT the dst IP to 192.168.1.100.

2. Create a policy and then NAT the src.

Trust to Untrust, src IP 192.168.1.100 to dst IP 1.1.1.1, permit, then src-NAT it to 10.0.1.100.

Would this technically work?

For number 1, based on this link http://www.juniperforum.com/index.php?topic=4976.0: because 10.0.1.100 is a virtual IP of a sort (there is no 10.0.1.100 network internally and it is not bound to any zone), how does it match to be in Trust? Does the SSG dst-NAT it first to 192.168.1.100 (which is an actual network and is bound to zone Trust) and then match the policy to be permitted?

Option 2:

Create a MIP.

1. Create the MIP on the tunnel.1 interface

something like "set interface tunnel.3 mip 10.0.1.100 host 192.168.1.100"

2. Create the inbound policy (based on the SSG documents, when creating a MIP it is bidirectional and the only policy I need to configure is the inbound one; is this correct?)

from Untrust to Trust, source IP 1.1.1.1 to 192.168.1.100, permit

Is that all? Or should I create the policy to be from 1.1.1.1 to the MIP 10.0.1.100 instead? I want it bidirectional, whoever initiates the traffic.

Thanks for any help.

Re: MIP private to private IP? Need help with NAT on tunnel

07-17-2013 01:27 AM

Hi,

Option 2 is much simpler to configure.

You need one outbound policy on each firewall.

The MIP bidirectionality does not relate to the access policy. The MIP consists of two parts, namely the MIP (e.g. 1.1.1.1) and the host (e.g. 192.168.1.100). If the host establishes an outbound connection through the egress interface accommodating the MIP, the connection appears on this interface as originating from the MIP. This is the sense of the MIP bidirectionality. It has nothing to do with the response packets in a session which has a MIP as its destination. Any stateful inspection firewall maintains the responses in the background. You do not need to configure any "response" rules to define the reverse NATs, routing etc.

Kind regards,
Edouard

Re: MIP private to private IP? Need help with NAT on tunnel

07-17-2013 09:41 AM

Thanks for the reply.

So how am I going to configure the policies? I'm still confused.

set interface tunnel.1 mip 10.0.1.100 host 192.168.1.100

set policy id X from "Untrust" to "Trust" "1.1.1.1" "MIP(10.0.1.100)" permit log <-- is this right?

How about traffic from the server to the Untrust (tunnel.1, 1.1.1.1)?

 

Thanks

Re: MIP private to private IP? Need help with NAT on tunnel

07-17-2013 10:27 AM

bump

Re: MIP private to private IP? Need help with NAT on tunnel

07-17-2013 10:59 AM

How about traffic from the server to the Untrust (tunnel.1, 1.1.1.1)?

Create a policy from Trust to Untrust with source-NAT enabled (on the 'Advanced' page, tick the 'Source Translation' box). Normally this would translate the source to the interface IP address, but a MIP will override this.

Re: MIP private to private IP? Need help with NAT on tunnel

07-18-2013 12:48 AM

Hi,

For the access to the remote server you should configure a Trust-to-Untrust policy. The source is the address object "192.168.1.100" and the destination is the address object "1.1.1.1". When the packet leaves the tunnel interface its source IP is replaced with 10.0.1.10 because the IP 192.168.1.100 is the host in the MIP definition "set interface tunnel.1 mip 10.0.1.100 host 192.168.1.100".

For the access from the remote server to the HQ server you should configure an Untrust-to-Trust policy. The source is the address object "1.1.1.1" and the destination is the MIP(10.0.1.100). When the packet enters the tunnel interface its destination IP is replaced with 192.168.1.100.

Kind regards,
Edouard
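As an added illustration (my own toy model, not code from this thread or from Juniper), the following Python sketch shows the behaviour described in the replies above: a MIP on tunnel.1, one permit policy per initiating direction, and a stateful session table that carries reply packets without any reverse rule. The zone layout (192.168.1.0/24 in Trust, everything else behind tunnel.1 in Untrust) and the policy-lookup order are assumptions made for the model, not ScreenOS internals.

```python
from ipaddress import ip_address, ip_network

TRUST_NET = ip_network("192.168.1.0/24")  # assumed: Trust zone; tunnel.1 sits in Untrust


class ScreenOSModel:
    """Toy model of one SSG: a MIP on tunnel.1 plus zone-to-zone permit policies."""

    def __init__(self, policies):
        # set interface tunnel.1 mip 10.0.1.100 host 192.168.1.100
        self.mip = {"10.0.1.100": "192.168.1.100"}
        self.host_to_mip = {host: mip for mip, host in self.mip.items()}
        self.policies = policies  # (from_zone, to_zone, src_obj, dst_obj), all permit
        self.sessions = {}        # (src, dst) -> (translated src, translated dst)

    @staticmethod
    def zone(ip):
        return "Trust" if ip_address(ip) in TRUST_NET else "Untrust"

    @staticmethod
    def matches(obj, ip):
        # The policy object "MIP(10.0.1.100)" matches packets sent to 10.0.1.100.
        return obj in (ip, f"MIP({ip})")

    def permitted(self, src, dst):
        # Lookup uses the untranslated header; a MIP destination is treated as
        # belonging to its host's zone, which is why the policy is Untrust-to-Trust.
        to_zone = self.zone(self.mip.get(dst, dst))
        return any(fz == self.zone(src) and tz == to_zone
                   and self.matches(s, src) and self.matches(d, dst)
                   for fz, tz, s, d in self.policies)

    def forward(self, src, dst):
        """Return the (src, dst) the packet leaves with, or None if dropped."""
        if (src, dst) in self.sessions:        # reply or later packet of a session:
            return self.sessions[(src, dst)]   # no policy lookup, no reverse rule
        if not self.permitted(src, dst):
            return None
        new = (self.host_to_mip.get(src, src),  # egress: host appears as its MIP
               self.mip.get(dst, dst))          # ingress: MIP rewritten to the host
        self.sessions[(src, dst)] = new
        self.sessions[(new[1], new[0])] = (dst, src)  # stateful entry for replies
        return new


# The two policies from the final reply in the thread.
INBOUND = ("Untrust", "Trust", "1.1.1.1", "MIP(10.0.1.100)")
OUTBOUND = ("Trust", "Untrust", "192.168.1.100", "1.1.1.1")
```

Running the model with only INBOUND shows why an HQ-initiated connection still needs its own Trust-to-Untrust policy even though the MIP itself translates in both directions.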