SRX

 View Only
last person joined: 22 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to apply NAT before policy based IPSEC VPN? Virtual router an option?

    Posted 06-08-2016 06:10

     

    Hi all,

     

    have an issue.

    Need to set up an IPSEC VPN from Juniper SRX 240  to a third party, running PFSense firewall.

     

    LAN subnet on my end is 10.0.0.0/24

    The requirement is to have it NAT-ed (source NAT, dynamic ports) to 172.16.1.1/32 before sending into the IPSEC tunnel.

    LAN subnet behind the remote PFSense is 192.168.1.0/24

     

    I was wondering if I could create a virtual router, use it just for the purpose of NAT, and once NAT is done, to send it to current router?

     

    The sequence should look like this:

    10.0.0.0/24 -NAT- > 172.16.1.1/32 ->IPSEC tunnel -> 192.168.1.0/24

     

    Thanks for your time!

     

    Cheers,

     

    Alex

     

     


    #policy-based
    #NAT
    #VirtualRouter
    #IPSEC-VPN


  • 2.  RE: How to apply NAT before policy based IPSEC VPN? Virtual router an option?
    Best Answer

    Posted 06-08-2016 06:50

    Hi Alex,

     

    As you have mentioned , you can nat the traffic first and send it to a VR , you may terminate the VPN on the interface 

    inside the VR and this should solve your problem.

    However there are few points that you need to consider:

    # The throuput would go down as for same traffic is traversing the SRX twice.

    # The number of session would reduce.

    # In short the overall efficiency of the SRX would reduce as for SRX traffic is doubled.

    # It may work but Juniper doesn't support NAT on policy based VPN's so JTAC will not be able to move ahead on this issue.

     

    Regards

    Hemant



  • 3.  RE: How to apply NAT before policy based IPSEC VPN? Virtual router an option?

    Posted 06-08-2016 17:29

    You can connect to a policy vpn on the remote device while still configuring a route based vpn on the SRX.  then you can apply nat to the vpn traffic without any extra configuration oddities.