SRX




    IPSEC VPN with STATIC NAT

    Posted 08-11-2021 08:43
    I set up an IPSEC VPN tunnel. There is a public IP on my side of the encryption domain and a private IP on the client side, e.g.:

    ENCRYPTION_DOMAIN:
    MY_CORPORATE: 1.1.1.1/32
    REMOTE: 172.32.0.1/32

    However - the 172.32.0.1/32 overlaps with my LAN network. I need to AVOID any NAT on the peer side. So I need to make a static NAT on my side:
    10.32.0.1 -> 172.32.0.1

    So traffic should go like this:
    1. Computer on my LAN sends the packet to the 10.32.0.1
    2. The packet is routed to the SRX.
    3. SRX routes it into the tunnel interface:
    set routing-options static route 10.32.0.1/32 next-hop st0.22
    4. After that SRX should make static NAT
    10.32.0.1 -> 172.32.0.1
    5. After that the DST_IP matches to encryption domain (172.32.0.1):
    set security ipsec vpn vpn-myclient ike proxy-identity remote 172.32.0.1/32
    and the traffic is sent to the client via the tunnel.

    But such configuration does not work because SRX makes static NAT first:
    10.32.0.1 -> 172.32.0.1
    and then SRX routes the traffic to my LAN (instead of to the tunnel interface).

    Is it possible to configure SRX to make the routing decision based on 10.32.0.1 (before static NAT) and make a static NAT just before encapsulating the packet into the tunnel?

    I saw a solution on the net which asks the peer to do the dst NAT on their side (10.32.0.1 -> 172.32.0.1), but I would like to do it on my side.




    ------------------------------
    LUKASZ RZESZOTARSKI
    ------------------------------
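The configuration below is an added example (not from the original post or from Juniper) that writes out, in full set-command form, the setup the post describes: the static route toward st0.22, a static NAT rule-set translating 10.32.0.1 to 172.32.0.1, and the proxy identities. The rule-set name `to-peer`, the rule name `remote-host`, the zone name `trust` and the local proxy-identity 1.1.1.1/32 are assumptions; the `#` lines are annotations for the reader, not Junos syntax. It reproduces the observed behaviour rather than fixing it: in the SRX flow module, static NAT and destination NAT are applied before the route lookup, which is why the route lookup sees 172.32.0.1 (the LAN overlap) instead of 10.32.0.1.

```junos
# Step 3 of the post: route the pre-NAT destination into the tunnel interface
set routing-options static route 10.32.0.1/32 next-hop st0.22

# Step 4 of the post: static NAT 10.32.0.1 -> 172.32.0.1 for traffic arriving from the LAN zone
# (rule-set, rule and zone names are assumed)
set security nat static rule-set to-peer from zone trust
set security nat static rule-set to-peer rule remote-host match destination-address 10.32.0.1/32
set security nat static rule-set to-peer rule remote-host then static-nat prefix 172.32.0.1/32

# Step 5 of the post: proxy identities matching the encryption domain
# (local proxy-identity is taken from the MY_CORPORATE entry in the post)
set security ipsec vpn vpn-myclient bind-interface st0.22
set security ipsec vpn vpn-myclient ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn-myclient ike proxy-identity remote 172.32.0.1/32

# Operational checks to confirm the ordering the post observes:
# the session table shows the translated destination, and the egress
# interface chosen for it is the LAN interface rather than st0.22.
# run show security nat static rule all
# run show security flow session destination-prefix 172.32.0.1
# run show route 172.32.0.1
# run show route 10.32.0.1
```

When comparing the two `show route` outputs, the route for 10.32.0.1/32 points at st0.22 while 172.32.0.1 resolves to the overlapping LAN prefix; because the flow lookup happens after static NAT, the second route is the one that decides the egress interface, which matches the behaviour described in the post.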