SRX

Expand all | Collapse all

Site 2 Site VNP with overlapping networks srx300 to srx240

Jump to Best Answer
  • 1.  Site 2 Site VNP with overlapping networks srx300 to srx240

    Posted 09-24-2018 09:48
    Hi!

    I have the followig problem:
    Site A: Network 192.168.12.0/22
    Site B: Network 192.168.20.0/24 (Networks 192.168.13.0/24, 192.168.14.0/24 and 192.168.15.0/24 are assigned to other services on Site B)

    How do I manage to get traffic from 192.168.12.0/22 to 192.168.20.0/24?
    I assigned the IP address 172.21.8.1/22 to the st0.1 interface.
    I thought to static NAT from 192.168.12.0/22 to 192.168.20.0/24 using 172.21.8.0/22 but srx said that the subnet masks from source to host didn't match (/22 to /24).
    I want NAT from 192.168.12.0/22 to this network 192.168.20.0/24 using this transfer network 172.21.8.0/22.
    Can please someone tell me how to configure this?

    Kind regards
    Andy


  • 2.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

    Posted 09-24-2018 11:31

    I think I messed something up in the policies.

    I cannot check it right now since I don't have access to the srx300. I will have a look at the policies tomorrow and post my results 😉



  • 3.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

     
    Posted 09-24-2018 17:20

    You do need to use nat on both sides to resolve the conflict.  The example config is here.

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

     



  • 4.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

    Posted 09-24-2018 20:45

    In the example I have on both side the same /24 network.

    In my example I have one one side a /22 network that includes 4 of my /24 networks on the other side.

    So my thinking was, that I only need to NAT the side with the /22 network from 192.168.12.0/22 to 172.21.8.0/22. The other sides gets only traffic from the network 172.21.8.0/22 and routes this network through the VPN tunnel and everything is fine.

    It can work that way, can't it?

     

    Kind regards

    Andy



  • 5.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

    Posted 09-25-2018 00:09

    I configured source and destination NAT rule-sets:

     

    Site A source-nat:

    set security nat source pool pool1 address 172.21.8.0/22
    set security nat source rule-set rule-set1 from zone Internal
    set security nat source rule-set rule-set1 to zone vpn
    set security nat source rule-set rule-set1 rule rule1 match source-address 192.168.12.0/22
    set security nat source rule-set rule-set1 rule rule1 match destination-address 192.168.20.0/24
    set security nat source rule-set rule-set1 rule rule1 then source-nat pool pool1
    

    Site A destination-nat:

    set security nat destination pool pool_site_a address 192.168.12.0/22
    set security nat destination rule-set rule-set_from_site_b from zone vpn
    set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match source-address 192.168.20.0/24
    set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b match destination-address 172.21.8.0/22
    set security nat destination rule-set rule-set_from_site_b rule rule_from_site_b then destination-nat pool pool_site_a 

    Ping from host 192.168.14.31 to 192.168.20.1, 192.168.20.2 etc. successful!

    Strange thing though is that each ICMP paket sent from 192.168.14.31 to 192.168.20.1 is NATed with a different source address:

    root@site_a> show security flow session destination-prefix 192.168.20.1
    Session ID: 6919, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
      In: 192.168.14.31/13318 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
      Out: 192.168.20.1/1 --> 172.21.9.77/22815;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
    
    Session ID: 6921, Policy name: site_a_to_site_b/4, Timeout: 2, Valid
      In: 192.168.14.31/13319 --> 192.168.20.1/1;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 1, Bytes: 60,
      Out: 192.168.20.1/1 --> 172.21.9.78/6102;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 60,
    Total sessions: 2
    

    Ping from site b to site a is always the same source address:

    Session ID: 7555, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
      In: 192.168.8.39/1371 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
      Out: 192.168.14.3/1127 --> 192.168.8.39/1371;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
    
    Session ID: 7556, Policy name: site_b_to_site_a/5, Timeout: 8, Valid
      In: 192.168.8.39/1372 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
      Out: 192.168.14.3/1127 --> 192.168.8.39/1372;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
    
    Session ID: 7557, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
      In: 192.168.8.39/1373 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
      Out: 192.168.14.3/1127 --> 192.168.8.39/1373;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
    
    Session ID: 7558, Policy name: site_b_to_site_a/5, Timeout: 10, Valid
      In: 192.168.8.39/1374 --> 172.21.10.3/1127;icmp, Conn Tag: 0x0, If: st0.1, Pkts: 1, Bytes: 84,
      Out: 192.168.14.3/1127 --> 192.168.8.39/1374;icmp, Conn Tag: 0x0, If: irb.0, Pkts: 0, Bytes: 0,
    

    Why's that? Did I something wrong with the source nat rules?

     

    Kind regards

    Andy



  • 6.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240
    Best Answer

    Posted 09-25-2018 00:27

    Isn't it more simple to do static nat on the srx300 like shown below? That would at least be my approach.

     

    This example will static nat 192.168.12.0/22 one-to-one to 172.21.8.0/22 when traffic arrives or leaves the vpn security zone.

     

    user@fw# show security nat static rule-set VPN
    from zone vpn;
    rule overlapping-net {
        match {
            destination-address 172.21.8.0/22;
        }
        then {
            static-nat {
                prefix {
                    192.168.12.0/22;
                }
            }
        }
    }
    
    


  • 7.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

    Posted 09-25-2018 00:46

    Thanks Jonas! That's it!

    My first approach was to do a static nat, but I configured the 192.168.20.0/24-net as destination address...

     

    Thumbs up!



  • 8.  RE: Site 2 Site VNP with overlapping networks srx300 to srx240

     
    Posted 09-25-2018 02:20

    Yes you only need to nat the actually overlapping addresses not the entire 22.

     

    You do both sides to allow either to be the initiator in the example.  If the traffic always initiates one way then only one side is needed.