SRX


static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

  • 1.  static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

    Posted 15 days ago
    I have 2 route-based VPN tunnels that work fine, but one just recently broke with the addition of a static NAT.

    How can I have a static nat for one VPN and route traffic to another VPN without the static NAT?

    The zones are:
    vpn--zone 
    trust zone 

    VPN-1 works without NAT. The source network on trust zone is 192.168.1.0/24 and dest network off vpn--zone is 172.30.250.0/24 

    VPN-2 needs NAT 129.x.x.249 to nat to 192.168.1.55 on trust zone to talk to remote side on a public segment 74.x.x.6   

    The NAT configuration. 
    set security nat static rule-set vpn_to_prot from zone vpn--zone
    set security nat static rule-set vpn_to_prot rule server-1-nat match destination-address 10.0.0.249/32
    set security nat static rule-set vpn_to_prot rule server-1-nat then static-nat prefix 192.168.1.55/32

    Is there a way I can have my NAT and VPN without the NAT conflicting with my other VPN, but still have the public NAT off the vpn--zone?

    Or without creating another zone? The challenge is that 192.168.1.55 talks to a lot of other endpoint VPNs, but one of them requires a NAT.
    Thanks!

    ------------------------------
    Juan
    ------------------------------


  • 2.  RE: static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

    Posted 15 days ago
    The easy solution is to do the NAT on the other side of the tunnel so that this device can use a non-overlapping address.  But you likely don't control that side and it is not an option.

    To do this on your side you will need to change the NAT type off of static.  Static NAT has an exclusive nature to it, so one and only one static rule can exist per IP address.

    So then for each of the two rules you will need to have a source nat rule for one direction and the destination nat rule for the other.  You might need only one direction anyway because the rule only needs to exist in the direction of session initiation.  Most of these vpn connections are about making a server on one side of the vpn available to clients on the other side.  Thus all the traffic is always initiated from client to server and that is the only direction then you need a nat rule.

    If you are lucky one vpn is via destination nat and the other source nat so the overlap has disappeared.

    Once you have sorted out which source and destination directions are needed, the next step is to create additional criteria that can distinguish the two overlapping addresses: adding the IP addresses on the other side of the connection to the rule so that they are now unique to each other, or adding ports/protocols that are different so they no longer overlap.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
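    As an added illustration of the approach Steve describes (this is not configuration from the thread), here is how the posted static rule could be split into a one-way destination NAT rule for VPN-2 traffic plus a source NAT rule for the return direction, each scoped by the far-side address so that VPN-1 traffic to and from 172.30.250.0/24 never matches. It assumes 74.0.0.6 as a stand-in for the redacted remote host 74.x.x.6, takes 10.0.0.249 from the posted rule, and assumes the VPN-2 peer address is the only extra match criterion needed.

```junos
# Added example, not from the thread. 10.0.0.249 is from the posted static rule,
# 192.168.1.55 is the real server, 74.0.0.6 stands in for the redacted 74.x.x.6.

# Remove the bidirectional static rule, which also rewrote 192.168.1.55's
# source address on sessions headed into vpn--zone over VPN-1.
delete security nat static rule-set vpn_to_prot

# Direction 1: VPN-2 peer -> 10.0.0.249, translated to 192.168.1.55.
# The source-address match keeps VPN-1 hosts (172.30.250.0/24) out of the rule.
set security nat destination pool srv-1-real address 192.168.1.55/32
set security nat destination rule-set vpn2-dnat from zone vpn--zone
set security nat destination rule-set vpn2-dnat rule srv-1-dnat match source-address 74.0.0.6/32
set security nat destination rule-set vpn2-dnat rule srv-1-dnat match destination-address 10.0.0.249/32
set security nat destination rule-set vpn2-dnat rule srv-1-dnat then destination-nat pool srv-1-real

# Direction 2, only if 192.168.1.55 also opens sessions toward the VPN-2 peer:
# present it as 10.0.0.249 without port translation, again only for that peer.
set security nat source pool srv-1-public address 10.0.0.249/32
set security nat source pool srv-1-public port no-translation
set security nat source rule-set vpn2-snat from zone trust
set security nat source rule-set vpn2-snat to zone vpn--zone
set security nat source rule-set vpn2-snat rule srv-1-snat match source-address 192.168.1.55/32
set security nat source rule-set vpn2-snat rule srv-1-snat match destination-address 74.0.0.6/32
set security nat source rule-set vpn2-snat rule srv-1-snat then source-nat pool srv-1-public

# Destination NAT runs before policy lookup, so the vpn--zone -> trust policy
# must permit the real address 192.168.1.55, not 10.0.0.249.
set security address-book global address srv-1 192.168.1.55/32
set security address-book global address vpn2-peer 74.0.0.6/32
set security policies from-zone vpn--zone to-zone trust policy vpn2-in match source-address vpn2-peer
set security policies from-zone vpn--zone to-zone trust policy vpn2-in match destination-address srv-1
set security policies from-zone vpn--zone to-zone trust policy vpn2-in match application any
set security policies from-zone vpn--zone to-zone trust policy vpn2-in then permit
```

    After commit, "show security nat destination rule all" and "show security nat source rule all" show hit counts for only the VPN-2 peer, and "show security flow session destination-prefix 172.30.250.0/24" should list sessions from 192.168.1.55 with no translation applied. VPN-2's proxy-IDs or traffic selectors still need to cover 10.0.0.249 rather than 192.168.1.55, since that is the address the remote side sees.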



  • 3.  RE: static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

    Posted 15 days ago
    I have a similar issue. I'm doing route based VPN tunnel between SRX340s and require static NAT on both SRX340s. 

    It's a catch-22 for me because it helps when I have static NAT configured, but also the VPN traffic is negatively affected.

    With Static NAT:
    On the host server with Static NAT (1 to 1) configured I'm unable to ping the VPN tunnel SRX interface both sides.

    Without Static NAT:
    On the host server with Static NAT (1 to 1) not configured I'm able to ping the VPN tunnel SRX interface both sides.

    Effectively I need static NAT as we require multiple services (Email, Skype, FTP servers etc..) that need the internal interface mapped to the public interface. 

    I've read this link: Traffic Processing on SRX Series Devices Overview | Flow-Based and Packet-Based Processing User Guide for Security Devices | Juniper Networks TechLibrary, and spoke with a Juniper Engineer about these issues, and they mentioned Static NAT is processed before VPN traffic, so basically once it's processed on these host services/servers it redirects the traffic accordingly without acknowledging the VPN traffic tunnel.

    He did mention traffic selectors as an option within the route-based VPN configuration, as I have proxy-IDs currently. The other configuration I have is that I only have security policies for Inbound Traffic for the SRX340 mapping the external public interface to the internal interface. Perhaps I need to add Outbound Traffic security policies as well? The only other consideration I had was scratching static NAT off and using only source and destination NAT, but I'm not 100% sure how the order of traffic processing works in relation to the IPsec VPN.

    All this being said my last 3 options are:
    1) traffic selectors
    2) source and destination nat
    3) Outbound traffic security policies for Public Mapping IPs (trust to untrust zone?) Currently my Inbound traffic is untrust to trust zone.

    This may need to be moved to another thread, so I just copy my message just in case :) 


    ------------------------------
    DEREK HILL
    ------------------------------



  • 4.  RE: static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

    Posted 15 days ago
    Thank you for your reply, and after reviewing the options below on the other reply I think I'm going to place the VPN tunnel that requires the NAT in its own zone, so that the Static NAT does not conflict with the other VPN tunnels.

    So in theory I have one zone used for VPN. Let's call it vpn--green--zone.  This zone today has hundreds of tunnels, with one tunnel that requires public IP communications.  Having said that, if I create a zone, call it vpn--red--zone, and stuff my VPN in that zone along with policies etc., then I can create my Static NAT off the vpn--red--zone and not have it conflict with my vpn--green--zone.

    Thanks for your input!!

    ------------------------------
    Juan
    ------------------------------



  • 5.  RE: static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN

    Posted 15 days ago
    Hi Derek,
    I'm going to consider option 4, which is using a zone for that one-off VPN that needs a NAT, and if more of them come I will spin up zones as needed to keep my NATs off the other zones that do not require NATs.

    I'm open to thoughts on using zones!

    ------------------------------
    Juan
    ------------------------------
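    As an added example of the separate-zone approach Juan settles on (not configuration from the thread), this shows what changes when VPN-2 gets its own zone: the static rule-set's "from zone" then scopes the mapping to traffic between trust and vpn--red--zone, so sessions between trust and vpn--green--zone are untouched. It assumes VPN-2 is bound to st0.1 (tunnel unit name assumed), uses 74.0.0.6 as a stand-in for the redacted 74.x.x.6, and takes 10.0.0.249 and 192.168.1.55 from the posted rule.

```junos
# Added example, not from the thread. st0.1 and the policy/address names are
# assumed; 74.0.0.6 stands in for the redacted VPN-2 peer 74.x.x.6.

# Only VPN-2's tunnel interface moves to the new zone; VPN-1 stays in vpn--green--zone.
set security ipsec vpn VPN-2 bind-interface st0.1
set security zones security-zone vpn--red--zone interfaces st0.1

# Same static rule as before, but from vpn--red--zone: inbound from that zone
# 10.0.0.249 -> 192.168.1.55, and the reverse mapping applies only to traffic
# leaving trust toward vpn--red--zone, not toward vpn--green--zone.
set security nat static rule-set red-static from zone vpn--red--zone
set security nat static rule-set red-static rule server-1-nat match destination-address 10.0.0.249/32
set security nat static rule-set red-static rule server-1-nat then static-nat prefix 192.168.1.55/32

# Policies are per zone pair, so the new zone needs its own in both directions.
# Static NAT runs before policy lookup, so the trust side uses the real address.
set security address-book global address srv-1 192.168.1.55/32
set security address-book global address vpn2-peer 74.0.0.6/32
set security policies from-zone vpn--red--zone to-zone trust policy red-in match source-address vpn2-peer
set security policies from-zone vpn--red--zone to-zone trust policy red-in match destination-address srv-1
set security policies from-zone vpn--red--zone to-zone trust policy red-in match application any
set security policies from-zone vpn--red--zone to-zone trust policy red-in then permit
set security policies from-zone trust to-zone vpn--red--zone policy red-out match source-address srv-1
set security policies from-zone trust to-zone vpn--red--zone policy red-out match destination-address vpn2-peer
set security policies from-zone trust to-zone vpn--red--zone policy red-out match application any
set security policies from-zone trust to-zone vpn--red--zone policy red-out then permit
```

    After commit, "show security nat static rule all" should show hits only from vpn--red--zone, and "show security flow session source-prefix 192.168.1.55/32" lets you confirm that sessions bound for 172.30.250.0/24 over VPN-1 still carry the untranslated source address.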