
Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

  • 1.  Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 04-17-2017 20:16

    Hello,

    I have a VPN box on a separate VLAN that you can see in my config that I attached connected to an OpenVPN box that is dedicated for this. It is listening on the right port, I have the config right, the client configs are right and are attempting to connect to the right place. I see translation hits in the log to the right port but nothing is showing up on tcpdump or anywhere on the VPN box. I only have one external IP address so I am just using a port to determine it is VPN traffic.

    Can someone please look at this and see what the heck I am doing wrong?

    I should mention, this is for remote users to connect to my home network from a hotel wireless, cafe, etc. that I don't trust on my phone, tablet, laptop, etc.

    Thank you!!


    #vlan
    #NAT
    #firewall
    #DHCP
    #dns
    #logging
    #vpn
    #SRX240H2
    #openvpn

    Attachment(s)

    rtf
    srx240h2_config.rtf   89K 1 version


  • 2.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 04-19-2017 12:59

    Can someone please help 😞



  • 3.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 04-20-2017 03:29

    I just need help with my destination NAT - nothing is showing up on my VPN box.



  • 4.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems
    Best Answer

     
    Posted 04-22-2017 05:39

    From the configuration it looks like you are missing the security policy to permit the inbound VPN traffic. It looks like you may have both the zone names mismatched and the addresses used in the policies incorrect. But I'm not positive if both are wrong.

    Basically, you write the security policy from the internet zone to the translated address zone, not the NAT address as I think you are doing in your config. Here is the example:


    https://www.juniper.net/documentation/en_US/junos12.1x46/topics/example/nat-security-destination-single-address-translation-configuring.html



  • 5.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 04-24-2017 07:09

    Thank you for your help. I will give this a try and review your comments on the mismatches!



  • 6.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 05-08-2017 07:51

    Is there a way to do this through the J-Web interface? I don't see a way to manipulate trust and untrust zones.



  • 7.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

     
    Posted 05-08-2017 16:00

    J-Web should allow you to create the security policies. If you have some already, you may need to delete them, as the main framework for the policy is zone to zone. And yours will need to change to the post-NAT zone.



  • 8.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 05-09-2017 14:27

    Ok.

    I have no idea what I am missing. I am showing logging hits on the NAT rule but it shows failure as a status in the logs. I don't see anything in my tcpdump for the VPN server/destination. Does the failure mean a session is not established or does it mean that the firewall is blocking it or something else? I am just running a port scan on that port to see if it is working, so something should be showing up. I have attached my updated configuration.




  • 9.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 05-09-2017 15:49


  • 10.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

     
    Posted 05-09-2017 16:39

    Your security policy to permit the inbound VPN traffic needs to be to the destination pool address not the public address.

    Change this:

      address-book {
            ext-ip-vpn-address-book {
                address ext-ip-vpn 75.72.76.40/32;  <<<<  172.19.143.14/32
                attach {
                    zone Internet;
                    zone VPN;
                }
            }
        }



  • 11.  RE: Non-SRX VPN Setup - passthrough/NAT to VPN Box Problems

    Posted 05-10-2017 06:23

    This was it - thank you so much. I followed the example too closely but didn't see that server1 in the example was the VPN box. I was looking at it like the destination from the internet was the public IP, but I see now that doesn't make sense with the NAT rule.

    Thank you!!!!
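
The fix from this thread as one consistent set of Junos commands, added here as an example and not taken from any poster's configuration: the SRX applies destination NAT before the security policy lookup, so the policy and its address-book entry must reference the translated address in the server's zone. Zone names, the address-book names and both IP addresses come from the thread; the pool, rule-set, rule, application and policy names and UDP port 1194 (OpenVPN's default; the thread does not state the port in use) are assumptions.

```junos
# Destination NAT: packets arriving in zone Internet for the public IP and
# the VPN port are rewritten to the VPN box. This happens BEFORE the
# security policy lookup. (Pool and rule names are hypothetical.)
set security nat destination pool vpn-box address 172.19.143.14/32 port 1194
set security nat destination rule-set from-internet from zone Internet
set security nat destination rule-set from-internet rule openvpn-in match destination-address 75.72.76.40/32
set security nat destination rule-set from-internet rule openvpn-in match destination-port 1194
set security nat destination rule-set from-internet rule openvpn-in then destination-nat pool vpn-box

# Address book: the entry the policy matches on must be the translated
# (pool) address, not the public one.
# Before (policy never matches, the NAT log shows hits but no traffic reaches the box):
#   set security address-book ext-ip-vpn-address-book address ext-ip-vpn 75.72.76.40/32
# After:
set security address-book ext-ip-vpn-address-book address ext-ip-vpn 172.19.143.14/32
set security address-book ext-ip-vpn-address-book attach zone Internet
set security address-book ext-ip-vpn-address-book attach zone VPN

# Application limited to the single VPN port (assumed UDP 1194), so the
# policy exposes nothing else on the VPN box.
set applications application openvpn-udp protocol udp
set applications application openvpn-udp destination-port 1194

# Security policy: written from the ingress zone to the zone where the
# translated address lives, matching the post-NAT destination.
set security policies from-zone Internet to-zone VPN policy permit-openvpn match source-address any
set security policies from-zone Internet to-zone VPN policy permit-openvpn match destination-address ext-ip-vpn
set security policies from-zone Internet to-zone VPN policy permit-openvpn match application openvpn-udp
set security policies from-zone Internet to-zone VPN policy permit-openvpn then permit
```

After commit, `show security flow session destination-port 1194` should list a session whose return leg is sourced from 172.19.143.14, and `show security policies hit-count` should show hits on the Internet-to-VPN policy.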