
Routing between site to site vpn with destination NAT

  • 1.  Routing between site to site vpn with destination NAT

    Posted 08-07-2018 14:27

    I have two route-based VPNs, each terminating at the same SRX550. Site1 - UKRN, Site2 - GER, Site3 - PHX.

    Both VPN tunnels from UKRN and GER terminate at PHX, and they can talk to resources in PHX without issues.

    I am trying to get the UKRN (10.47.0.0/16) site to talk to the GER (10.0.0.0/16) site, but to do so I need to NAT the traffic going to GER to something in the PHX range 10.213.0.0/16. I pulled a range just for NAT purposes (10.213.54.128/26).

    GER routes 10.213.0.0/16 to PHX; UKRN routes 10.213.0.0/16 and 10.0.0.0/16 to PHX.

    I also set up a destination NAT from the UKRN interface:

    set security nat destination pool xxxxx address 10.213.54.129/32
    set security nat destination rule-set xxxxx from interface st0.2
    set security nat destination rule-set xxxxx rule xxxxxxxxx-nat match destination-address 10.0.0.0/16
    set security nat destination rule-set xxxxx rule xxxxxxxxx-nat then destination-nat pool xxxxx

    I see hits on the NAT rule, but no successful NATs, and nothing in the 10.0.0.0/16 range is reachable from UKRN.

    I attempted to add the NAT IP to the st0.2 interface, but it doesn't seem to help; not sure if it is needed.

    Both tunnels terminate in the same untrust-vpn zone. 

    Is there a way to pull this off?

    Thanks in advance.



  • 2.  RE: Routing between site to site vpn with destination NAT
    Best Answer

    Posted 08-07-2018 22:51

    Some pointers based on the information available from your post:

    First off, you are missing source NAT from UKRN 10.47.0.0/16 towards GER 10.0.0.0/16 to ensure traffic is routed back to PHX.

    So you should create a source NAT rule which hides 10.47.0.0/16 behind one or more 10.213.x.x addresses.

    Secondly, I don't see the need for the destination NAT, as you have already put in a route for 10.0.0.0/16 on UKRN towards PHX.

    Third, you don't need to add the NAT address on the st0.2 interface to get NAT working.

    And last, ensure there are security policies in place which allow the traffic in the untrust-vpn zone. By default, traffic with source and destination in the same zone is not implicitly allowed.
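The configuration the answer describes, written out as an added example; it is not the poster's or the answerer's config. The addresses, the untrust-vpn zone and the reserved 10.213.54.128/26 block come from the thread; the pool, rule-set, rule, policy and address-book names are assumed, and the `#` lines are annotations, not Junos commands, so strip them before pasting into the CLI.

```junos
# Added example, not configuration from the thread. Names (ukrn-to-ger-pool,
# ukrn-to-ger, hide-ukrn, ukrn-net, ger-net) are assumed; prefixes are the ones
# given in the posts. Remove the "#" annotation lines before loading.

# 1. Source NAT: hide UKRN (10.47.0.0/16) behind the NAT-only block carved out of
#    the PHX range, leaving out the first and last address of the /26. GER then
#    sees a 10.213.x.x source and its existing 10.213.0.0/16 route carries the
#    reply back to PHX. The pool addresses do not need to exist on st0.2; the
#    session table handles the reverse translation and st0 interfaces do no ARP.
set security nat source pool ukrn-to-ger-pool address 10.213.54.129/32 to 10.213.54.190/32

# Both tunnels terminate in untrust-vpn, so the rule-set is intra-zone.
set security nat source rule-set ukrn-to-ger from zone untrust-vpn
set security nat source rule-set ukrn-to-ger to zone untrust-vpn
set security nat source rule-set ukrn-to-ger rule hide-ukrn match source-address 10.47.0.0/16
set security nat source rule-set ukrn-to-ger rule hide-ukrn match destination-address 10.0.0.0/16
set security nat source rule-set ukrn-to-ger rule hide-ukrn then source-nat pool ukrn-to-ger-pool

# 2. Security policy: untrust-vpn to untrust-vpn is not permitted by default.
#    Match the two prefixes rather than "any", so the PHX firewall does not turn
#    into an open hop between every site that terminates a tunnel in this zone.
set security address-book global address ukrn-net 10.47.0.0/16
set security address-book global address ger-net 10.0.0.0/16
set security policies from-zone untrust-vpn to-zone untrust-vpn policy ukrn-to-ger match source-address ukrn-net
set security policies from-zone untrust-vpn to-zone untrust-vpn policy ukrn-to-ger match destination-address ger-net
set security policies from-zone untrust-vpn to-zone untrust-vpn policy ukrn-to-ger match application any
set security policies from-zone untrust-vpn to-zone untrust-vpn policy ukrn-to-ger then permit
set security policies from-zone untrust-vpn to-zone untrust-vpn policy ukrn-to-ger then log session-close

# 3. Verification after commit (run from configuration mode, or drop "run" in
#    operational mode): the source rule should show translation hits, and a
#    UKRN-to-GER session should show a 10.213.54.x source on its outbound wing.
run show security nat source rule all
run show security flow session source-prefix 10.47.0.0/16 destination-prefix 10.0.0.0/16
```

Because UKRN already routes 10.0.0.0/16 towards PHX, the destination NAT rule-set from the question is not needed for this flow and can be deleted once the source NAT rule shows hits; a second rule in the same source rule-set, or a second rule-set, is all that is required if GER also needs to initiate connections to UKRN, with the roles of the two prefixes swapped and a matching ger-net to ukrn-net policy.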