I have two route-based VPNs, each terminating at the same SRX550. Site1 - UKRN, Site2 - GER, Site3 - PHX.
Both VPN tunnels from UKRN and GER terminate at PHX and can talk to resources in PHX without issues.
I am trying to get the UKRN (10.47.0.0/16) site to talk to the GER (10.0.0.0/16) site, but to do so I need to NAT the traffic going to GER to something in the PHX range 10.213.0.0/16. I pulled a range just for NAT purposes (10.213.54.128/26).
GER routes 10.213.0.0/16 to PHX, UKRN routes 10.213.0.0/16 and 10.0.0.0/16 to PHX.
I also set up a destination NAT from the UKRN interface:
set security nat destination pool xxxxx address 10.213.54.129/32
set security nat destination rule-set xxxxx from interface st0.2
set security nat destination rule-set xxxxx rule xxxxxxxxx-nat match destination-address 10.0.0.0/16
set security nat destination rule-set xxxxx rule xxxxxxxxx-nat then destination-nat pool xxxxx
I see hits on the NAT rule, but no successful NATs, and anything in the 10.0.0.0/16 range isn't reachable from UKRN.
I attempted to add the NAT IP to the st0.2 interface, but it doesn't seem to help; not sure if it is needed.
Both tunnels terminate in the same untrust-vpn zone.
Is there a way to pull this off?
Thanks in advance.
Some pointers based on the information available from your post:
First off, you are missing source-nat from UKRN 10.47.0.0/16 towards GER 10.0.0.0/16 to ensure traffic is routed back to PHX.
So you should create a source-nat rule which hides 10.47.0.0/16 behind one or more 10.213.x.x addresses.
Secondly, I don't see the need for the destination-nat, as you have already put in a route for 10.0.0.0/16 on UKRN towards PHX.
Third, you don't need to add the NAT address on the st0.2 interface to get NAT working.
And last, ensure there are security policies in place which allow the traffic in the untrust-vpn zone. Per default, traffic with source and destination in the same zone is not implicitly allowed.
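As an added illustration of the source-NAT plus intra-zone policy described in the reply above (example configuration, not posted by either participant): it hides UKRN behind the 10.213.54.128/26 range the original poster reserved, only for traffic destined to GER, and permits the hairpinned untrust-vpn to untrust-vpn flow. The pool, rule-set, rule, address-book and policy names are assumed placeholders; the zone name untrust-vpn and the prefixes come from the thread.

```junos
# Source NAT: translate UKRN (10.47.0.0/16) to the reserved PHX range when
# the destination is GER (10.0.0.0/16). Both tunnels sit in zone untrust-vpn,
# so the rule-set is from and to the same zone. Return traffic from GER to
# 10.213.54.128/26 is matched against the flow session table and reversed
# automatically; no address on st0.2 and no proxy-arp are needed on st0.
set security nat source pool UKRN-TO-GER-POOL address 10.213.54.128/26
set security nat source rule-set UKRN-TO-GER from zone untrust-vpn
set security nat source rule-set UKRN-TO-GER to zone untrust-vpn
set security nat source rule-set UKRN-TO-GER rule HIDE-UKRN match source-address 10.47.0.0/16
set security nat source rule-set UKRN-TO-GER rule HIDE-UKRN match destination-address 10.0.0.0/16
set security nat source rule-set UKRN-TO-GER rule HIDE-UKRN then source-nat pool UKRN-TO-GER-POOL

# Intra-zone policy: SRX does not implicitly allow untrust-vpn -> untrust-vpn,
# so the UKRN to GER flow needs an explicit permit. Policy matching is done
# on the pre-NAT source and the pre-NAT destination (which is 10.0.0.0/16
# here, since no destination NAT is applied). Global address book assumed.
set security address-book global address UKRN-NET 10.47.0.0/16
set security address-book global address GER-NET 10.0.0.0/16
set security policies from-zone untrust-vpn to-zone untrust-vpn policy UKRN-TO-GER match source-address UKRN-NET
set security policies from-zone untrust-vpn to-zone untrust-vpn policy UKRN-TO-GER match destination-address GER-NET
set security policies from-zone untrust-vpn to-zone untrust-vpn policy UKRN-TO-GER match application any
set security policies from-zone untrust-vpn to-zone untrust-vpn policy UKRN-TO-GER then permit

# Operational checks after commit (run from operational mode, not configuration mode):
#   show security nat source rule all          -> translation hits on HIDE-UKRN
#   show security flow session destination-prefix 10.0.0.0/16
#                                              -> sessions with source rewritten into 10.213.54.128/26
#   show security policies hit-count           -> hits on UKRN-TO-GER
```

Because the return path from GER only needs a route for 10.213.0.0/16 to PHX, which the thread says already exists, the destination-nat rule-set posted in the question can be removed once this is in place.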