SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSEC VPN with STATIC NAT

    Posted 08-11-2021 08:43
    I set up an IPSEC VPN tunnel. There is a public IP on my side in the encryption domain and a private one on the client side, e.g.:

    ENCRYPTION_DOMAIN:
    MY_CORPORATE: 1.1.1.1/32
    REMOTE: 172.32.0.1/32

    However - the 172.32.0.1/32 overlaps with my LAN network. I need to AVOID any NAT on the peer side. So I need to make a static NAT on my side:
    10.32.0.1 -> 172.32.0.1

    So traffic should go like this:
    1. A computer on my LAN sends the packet to 10.32.0.1
    2. The packet is routed to the SRX.
    3. SRX routes it into the tunnel interface:
    set routing-options static route 10.32.0.1/32 next-hop st0.22
    4. After that SRX should make static NAT
    10.32.0.1 -> 172.32.0.1
    5. After that the DST_IP matches the encryption domain (172.32.0.1):
    set security ipsec vpn vpn-myclient ike proxy-identity remote 172.32.0.1/32
    and the traffic is sent to the client via the tunnel.

    But such configuration does not work because SRX makes static NAT first:
    10.32.0.1 -> 172.32.0.1
    and then SRX routes the traffic to my LAN (instead of to the tunnel interface).

    Is it possible to configure SRX to make the routing decision based on 10.32.0.1 (before static NAT) and make a static NAT just before encapsulating the packet into the tunnel?

    I saw a solution on the net which asks the peer to make the dst NAT on his side (10.32.0.1 -> 172.32.0.1), but I would like to do it on my side.




    ------------------------------
    LUKASZ RZESZOTARSKI
    ------------------------------
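
The ordering problem described in the post, modeled as a small added example (not part of the original post and not Junos code). The static NAT rule, the st0.22 route and the proxy-identity come from the post; the LAN prefix 172.32.0.0/16 and the interface names `lan-if` and `wan-if` are assumptions.

```python
import ipaddress

# Static NAT mapping and tunnel route as given in the post.
STATIC_NAT = {"10.32.0.1": "172.32.0.1"}
ROUTES = [
    ("10.32.0.1/32", "st0.22"),    # static route from the post
    ("172.32.0.0/16", "lan-if"),   # assumed LAN prefix and interface name
    ("0.0.0.0/0", "wan-if"),       # assumed default route
]
# proxy-identity remote from the post
PROXY_ID_REMOTE = ipaddress.ip_network("172.32.0.1/32")


def lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in ROUTES
               if addr in ipaddress.ip_network(prefix)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(dst, nat_before_route):
    """Return (egress interface, final dst, dst matches proxy-id)."""
    if nat_before_route:
        # Order the post observes: translate first, then route on the
        # translated address, which falls inside the LAN prefix.
        final = STATIC_NAT.get(dst, dst)
        egress = lookup(final)
    else:
        # Order the post asks for: route on the original address,
        # translate just before the packet enters the tunnel.
        egress = lookup(dst)
        final = STATIC_NAT.get(dst, dst)
    in_proxy_id = ipaddress.ip_address(final) in PROXY_ID_REMOTE
    return egress, final, in_proxy_id


def main():
    for label, order in (("observed (NAT, then route)", True),
                         ("wanted (route, then NAT)", False)):
        print(label, forward("10.32.0.1", order))


if __name__ == "__main__":
    main()
```

In both orderings the final destination matches the proxy-identity; only the egress interface differs, which is why the traffic never reaches the tunnel in the observed case.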