SRX

  • 1.  How to apply NAT before policy based IPSEC VPN? Virtual router an option?

    Posted 06-08-2016 06:10

    Hi all,

    I have an issue.

    I need to set up an IPsec VPN from a Juniper SRX 240 to a third party running a pfSense firewall.

    The LAN subnet on my end is 10.0.0.0/24.
    The requirement is to have it NAT-ed (source NAT, dynamic ports) to 172.16.1.1/32 before sending it into the IPsec tunnel.
    The LAN subnet behind the remote pfSense is 192.168.1.0/24.

    I was wondering if I could create a virtual router, use it just for the purpose of NAT, and once NAT is done, send the traffic to the current router?

    The sequence should look like this:

    10.0.0.0/24 -NAT-> 172.16.1.1/32 -> IPsec tunnel -> 192.168.1.0/24

    Thanks for your time!

    Cheers,

    Alex

    #policy-based
    #NAT
    #VirtualRouter
    #IPSEC-VPN


  • 2.  RE: How to apply NAT before policy based IPSEC VPN? Virtual router an option?
    Best Answer

    Posted 06-08-2016 06:50

    Hi Alex,

    As you have mentioned, you can NAT the traffic first and send it to a VR; you may terminate the VPN on the interface inside the VR and this should solve your problem.

    However, there are a few points that you need to consider:

    # The throughput would go down, as the same traffic traverses the SRX twice.
    # The number of sessions would reduce.
    # In short, the overall efficiency of the SRX would reduce, as the SRX traffic is doubled.
    # It may work, but Juniper doesn't support NAT on policy-based VPNs, so JTAC will not be able to move ahead on this issue.

    Regards

    Hemant



  • 3.  RE: How to apply NAT before policy based IPSEC VPN? Virtual router an option?

     
    Posted 06-08-2016 17:29

    You can connect to a policy vpn on the remote device while still configuring a route based vpn on the SRX.  then you can apply nat to the vpn traffic without any extra configuration oddities.
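The following is an added worked example of the approach in the reply above (a route-based VPN on the SRX with source NAT applied before the tunnel, peering with a policy-based pfSense); it is not configuration posted by anyone in this thread. The addresses 10.0.0.0/24, 172.16.1.1/32 and 192.168.1.0/24 come from the question; everything else is assumed: zone names "trust", "untrust" and "vpn", LAN interface ge-0/0/1.0, WAN interface ge-0/0/0.0, the peer address 203.0.113.10 and the pre-shared key are placeholders. Lines starting with ## are reader comments and are not part of the configuration.

```junos
## Route-based VPN to a policy-based peer, with source NAT applied before the tunnel.
## Assumed: zones trust/untrust/vpn, ge-0/0/0.0 in untrust, ge-0/0/1.0 in trust,
## peer 203.0.113.10 and the PSK are placeholders.

## Tunnel interface for the route-based VPN, placed in its own zone
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

## The WAN-facing zone must accept IKE on the external interface
set security zones security-zone untrust host-inbound-traffic system-services ike

## IKE (phase 1): main mode, standard proposal set, pre-shared key
set security ike policy ike-pfsense mode main
set security ike policy ike-pfsense proposal-set standard
set security ike policy ike-pfsense pre-shared-key ascii-text "REPLACE-WITH-PSK"
set security ike gateway gw-pfsense ike-policy ike-pfsense
set security ike gateway gw-pfsense address 203.0.113.10
set security ike gateway gw-pfsense external-interface ge-0/0/0.0

## IPsec (phase 2) bound to st0.0. The proxy-identity carries the NAT-ed /32 as
## the local network, which is what the policy-based pfSense peer negotiates
## (pfSense phase 2: local 192.168.1.0/24, remote 172.16.1.1/32).
set security ipsec policy ipsec-pfsense proposal-set standard
set security ipsec vpn vpn-pfsense bind-interface st0.0
set security ipsec vpn vpn-pfsense ike gateway gw-pfsense
set security ipsec vpn vpn-pfsense ike ipsec-policy ipsec-pfsense
set security ipsec vpn vpn-pfsense ike proxy-identity local 172.16.1.1/32
set security ipsec vpn vpn-pfsense ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn vpn-pfsense ike proxy-identity service any
set security ipsec vpn vpn-pfsense establish-tunnels immediately

## Route the remote LAN into the tunnel interface
set routing-options static route 192.168.1.0/24 next-hop st0.0

## Source NAT: 10.0.0.0/24 -> 172.16.1.1 on the way into the vpn zone.
## A single-address pool translates ports by default (dynamic ports).
set security nat source pool pool-vpn address 172.16.1.1/32
set security nat source rule-set trust-to-vpn from zone trust
set security nat source rule-set trust-to-vpn to zone vpn
set security nat source rule-set trust-to-vpn rule nat-lan match source-address 10.0.0.0/24
set security nat source rule-set trust-to-vpn rule nat-lan match destination-address 192.168.1.0/24
set security nat source rule-set trust-to-vpn rule nat-lan then source-nat pool pool-vpn

## Security policy is evaluated on the pre-NAT source, so it matches 10.0.0.0/24
set security zones security-zone trust address-book address lan-net 10.0.0.0/24
set security zones security-zone vpn address-book address remote-net 192.168.1.0/24
set security policies from-zone trust to-zone vpn policy lan-to-remote match source-address lan-net
set security policies from-zone trust to-zone vpn policy lan-to-remote match destination-address remote-net
set security policies from-zone trust to-zone vpn policy lan-to-remote match application any
set security policies from-zone trust to-zone vpn policy lan-to-remote then permit

## Verification from operational mode:
##   show security ike security-associations
##   show security ipsec security-associations
##   show security nat source rule all
##   show security flow session destination-prefix 192.168.1.0/24
```

Two points worth checking after commit: the phase 2 selectors on the pfSense side must be the mirror of the proxy-identity above (local 192.168.1.0/24, remote 172.16.1.1/32), otherwise phase 2 fails even though phase 1 comes up; and because the SRX only does source NAT here, return packets of existing sessions are translated back by the flow session, but new connections initiated from 192.168.1.0/24 towards 172.16.1.1 would need a separate destination NAT rule, which this example does not include.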