We have a unique issue. We install Juniper SRX 300 firewalls at customer sites. We do not know what firewall they are using for their main network. We use a NAT to send from our Juniper (private network) to their network using a static IP (sometimes DHCP) that they provide. This particular customer wants us to connect to their network so they can push updates and password changes to our PC behind the Juniper. The older PC we have onsite is using 2 NICs for this with no firewall. My question is, how can I allow traffic through our Juniper so that we can connect to their domain? We would not know any specifications in order to set up a VPN tunnel.
I'm not sure if I got your point, but it seems you have a central site which needs to get some sort of L2/L3 connectivity with your local site behind the SRX. Is that correct?
If so, why don't you establish an IPSEC VPN with Central Site?
If I understand your requirement correctly, currently you have the following setup: -
PC ----- Switching network ---- SRX ----- Internet ---- Main Network Firewall ------ Client Domain network
- In this setup, SRX is using a source NAT to send the traffic out to the Domain network.
- Now the requirement is to initiate the traffic from Domain Network towards PC.
Please correct me if this is NOT what you mean in your question. [ And I will be sorry to write a long answer without understanding the question :)]
1. This would require a destination/static NAT on the SRX side to enable communication. But that would require a public block of IPs on the SRX side too.
2. Use Persistent NAT feature. In this case, the traffic can be initiated from the other end as long as a session exists from the PC to the other network.
3. Create an IPsec VPN between the clients and the central site. (I know, you mentioned that you don't know the parameters, but you can always ask them to create one for you.)
4. Use a Client VPN software (which is supported by the firewall at main site) on each of the PCs in question.
Personally, I would avoid the first 2 options because that leaves the communication unencrypted on the Internet. I would prefer option #3 as it is more scalable than option 4.
Thank you for the informative reply. That is sort of the configuration. I am going to attach a network diagram and my current config file, if you don't mind, and when you find time, could you please review it?
I believe we are using a static NAT currently. Maybe my best bet would be to do number 3 that you have pointed out. Getting in contact with the site's IT is a whole other story.
Based on the provided configuration you have source NAT and not static NAT; all the traffic in your network will be source-NATed to the IP address configured on the SRX300's external interface. Does the external interface of the SRX300 have a public IP? Is it connected to the Internet? I am asking this because in the diagram your network seems to be inside the main network, and I am trying to confirm if this is true or if your network is actually in a separate location.
If your network (behind SRX300) is on a separate location, then the best way to go will be to implement an IPsec VPN between your SRX300 and the Main Network firewall. This way the traffic from the internal PCs will be sent encrypted and protected over the VPN when it flows to the DC located on the Main Network over the Internet.
In case your LAN's subnet (192.168.0.0/24) is the same subnet being used on the Main Network, you may want to implement static NAT over the IPsec VPN in order to avoid a duplicate subnets conflict:
Hope this helps.
Thanks for the reply. My network is not a separate location. Same location. We always have our private IP, like 192.168.0.101, and NAT to a static that they provide. Could be an IP like 192.168.199.160/32, or 10.16.4.151/32.
It's an interesting diagram. It appears that your Private network sits inside the customer network with limited access to outside world.
In your configuration, there is no static NAT or destination NAT. Also, Source interface NAT is being used.
That means all the traffic from zone 1 to the Internet is being NATed to only 1 IP, i.e. the one on the ge-0/0/0 interface.
Therefore, I believe generally there is no traffic initiated from outside to reach this PC.
Also from your replies, I see that you are looking for a solution which does NOT involve talking to customer IT admins 🙂 .
I think a proper solution will be #3 in my previous update.
But if you want, you can also try to see if "persistent-nat" may be a solution. It is different from the already configured "address-persistent", which IMHO is not needed in your setup.
Persistent NAT allows the firewall to maintain the IP/port mapping up to a configurable time interval even after the initial session expires. This is NOT a true destination NAT and will need your PC to initiate a session once before the customer's domain can send updates to the PC.
Take a look at it :-
Be cautious while testing it as it may have some impact on the network which I can't predict without knowing the details of your network.
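The persistent NAT variant described above, as an added example rather than the poster's configuration. It assumes the zone names trust/untrust, the rule-set name trust-to-untrust, the PC at 192.168.0.101 and interface source NAT on ge-0/0/0.0; the timeout value is illustrative.

```junos
# Added example (assumed names and addresses): interface source NAT with persistent NAT,
# so that a mapping the PC created stays usable from outside after the session ends.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule pc-snat match source-address 192.168.0.101/32
set security nat source rule-set trust-to-untrust rule pc-snat then source-nat interface
# any-remote-host: any outside host may reuse the mapping, not only the host the PC first
# contacted (target-host would restrict it to that host)
set security nat source rule-set trust-to-untrust rule pc-snat then source-nat interface persistent-nat permit any-remote-host
# keep the binding for 30 minutes after the last session closes (default 300 s)
set security nat source rule-set trust-to-untrust rule pc-snat then source-nat interface persistent-nat inactivity-timeout 1800
# the global address-persistent knob mentioned above is a different feature; if it is
# present and not needed it can be dropped:
# delete security nat source address-persistent
```

Two caveats a practitioner will hit: persistent NAT only preserves the translation, so an untrust-to-trust security policy permitting the DC to reach the PC is still required; and because interface NAT also translates the source port, the customer side has to connect to the SRX external address on the translated port, which the DC has no way of learning for ordinary LDAP or SMB sessions. `show security nat source persistent-nat-table all` lists the current bindings while testing.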
Thank you for the reply. Even though we are at the same location as the Main Network, you would still suggest using an IPsec VPN to connect to their domain? I was under the impression that as long as I create rules in the Juniper (LDAP, etc.), I would be able to reach their domain through source NAT (current config)?
I could talk to IT; it just takes an insane amount of effort and patience, so the solution doesn't necessarily need to NOT involve talking to customer IT admins.
Since you are inside the same main network, your assumption is correct.
You should be able to add your PC to the domain and get it managed by the server.
I am just unsure whether you would need the Domain controllers to initiate a session or NOT.
Therefore, I think STATIC NAT is the best option.
Using Static NAT allows :-
1. The PC will always use the same IP when talking to anything outside your SRX.
2. Your incoming traffic (when initiated by the other side of the SRX) will not have any issue reaching your PC.
If your requirement does NOT include traffic initiation from the Domain Controller side, then a simple source NAT is fine.
Hopefully it is useful.
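A one-to-one static NAT for the single PC, covering both points listed above, as an added example that is not from the thread's attached config. 192.168.199.160/32 is assumed to be a dedicated address on the external subnet that is not the ge-0/0/0.0 interface address itself (the normal requirement for static NAT); the zone names trust/untrust and the constructed DC address 10.16.4.10 are also assumptions.

```junos
# Added example (assumed names and addresses): static NAT so the customer's DC can open
# connections to the PC, with the inbound policy restricted to the DC.
set security nat static rule-set untrust-static from zone untrust
set security nat static rule-set untrust-static rule pc-static match destination-address 192.168.199.160/32
set security nat static rule-set untrust-static rule pc-static then static-nat prefix 192.168.0.101/32
# let the SRX answer ARP for the mapped address on the outside interface
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.199.160/32

# Policies are evaluated on the post-translation (real) PC address. Start narrow: only the
# DC may initiate inbound, and only to the PC.
set security zones security-zone trust address-book address PC-101 192.168.0.101/32
set security zones security-zone untrust address-book address CUST-DC 10.16.4.10/32
set security policies from-zone untrust to-zone trust policy dc-to-pc match source-address CUST-DC
set security policies from-zone untrust to-zone trust policy dc-to-pc match destination-address PC-101
set security policies from-zone untrust to-zone trust policy dc-to-pc match application any
set security policies from-zone untrust to-zone trust policy dc-to-pc then permit
```

Static NAT is bidirectional and is looked up before source NAT, so outbound traffic from 192.168.0.101 leaves as 192.168.199.160 regardless of the existing interface source NAT rule, which satisfies point 1 above; `show security flow session destination-prefix 192.168.0.101/32` confirms inbound sessions are being translated.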
I'm glad a solution was provided. Please note that static NAT will work if you only have 1 PC behind the SRX firewall, which I believe is the case. The traffic from that PC will always be translated to the address of the external interface of the SRX (assuming you will configure the NAT rule this way).
If you have multiple PCs, you could configure them within a subnet that is not used on the main network and just not NAT the traffic when it is destined to the DC, using the "nat-off" option. See some examples of using the nat-off option:
A new security policy might be needed to allow the communication between the internal PCs and the DC. With the no-NAT option, the traffic from your internal network can reach the DC and you could still provide security with the SRX300; the only thing you need to make sure of is that you use a subnet that is not in use on the main network and configure the routing accordingly, so that the main network routers point to the SRX when sending the traffic back to the PCs in your internal network. Now when the PCs send traffic to the Internet, the traffic will hit the same security policies and NAT rules that you already have in place.
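The multi-PC variant described above, exempting DC-bound traffic from source NAT while keeping interface NAT for the Internet, as an added example (not the reply's linked examples or the poster's config). The LAN 192.168.0.0/24, the DC subnet 10.16.4.0/24, the zone names trust/untrust and the rule-set name are assumptions; the LAN must be a subnet not used on the main network.

```junos
# Added example (assumed names and addresses): "source-nat off" for traffic to the DC
# subnet, interface NAT for everything else, plus the policies the reply mentions.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
# rules in a rule-set are evaluated top down, so the no-NAT rule must come first
set security nat source rule-set trust-to-untrust rule no-nat-to-dc match source-address 192.168.0.0/24
set security nat source rule-set trust-to-untrust rule no-nat-to-dc match destination-address 10.16.4.0/24
set security nat source rule-set trust-to-untrust rule no-nat-to-dc then source-nat off
# everything else keeps the existing interface NAT
set security nat source rule-set trust-to-untrust rule internet-snat match source-address 192.168.0.0/24
set security nat source rule-set trust-to-untrust rule internet-snat then source-nat interface
# if internet-snat already existed, move the new rule above it:
# insert security nat source rule-set trust-to-untrust rule no-nat-to-dc before rule internet-snat

# Untranslated traffic means the DC replies to real LAN addresses, so the main network
# needs a route for 192.168.0.0/24 towards the SRX external address (a customer-side change).
# On the SRX, permit the LAN to the DC subnet and the DC subnet back in.
set security zones security-zone trust address-book address LAN 192.168.0.0/24
set security zones security-zone untrust address-book address DC-NET 10.16.4.0/24
set security policies from-zone trust to-zone untrust policy lan-to-dc match source-address LAN
set security policies from-zone trust to-zone untrust policy lan-to-dc match destination-address DC-NET
set security policies from-zone trust to-zone untrust policy lan-to-dc match application any
set security policies from-zone trust to-zone untrust policy lan-to-dc then permit
set security policies from-zone untrust to-zone trust policy dc-to-lan match source-address DC-NET
set security policies from-zone untrust to-zone trust policy dc-to-lan match destination-address LAN
set security policies from-zone untrust to-zone trust policy dc-to-lan match application any
set security policies from-zone untrust to-zone trust policy dc-to-lan then permit
```

`show security nat source rule all` shows the rule order and hit counters, and a session listed by `show security flow session destination-prefix 10.16.4.0/24` should show the untranslated 192.168.0.x source on the outbound wing. The untrust-to-trust policy is the one that needs attention over time: it is the only thing standing between the main network and the PCs once NAT no longer hides them.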
Thank you for the wonderful information.
I will only have 1 PC behind the SRX. That being said, are there any special security policies needed to reach the DC other than adding the IP as an object, e.g., LDAP or anything else?