Junos OS

Hi,

I am trying to establish a site-to-site IPSec tunnel with our client. The VPN would be in a seperate router but behind it, we have SRX1500 firewalls. I am needing help with NAT configuration and understanding return traffic flow.

Here, is the HW and path setup:

Client ----> Internet ----> (IPSec Router) -> (SRX FW1) -> (SRX FW2) -> InternalHost

Here is the details:

The client has host IP 10.10.1.0/24 (one end of VPN host) and asked us to use IP 10.10.2.0/24 (our end of VPN host) for their convenience of routing. So, we will NAT/translate this 10.10.2.0/24 (taking one IP 10.10.2.1) in SRX FW1 with our actual Internal Host IP 192.168.2.1. I would need help to verify this configuration,

==

set security nat destination rule-set rulesetname rule rulename match source-address-name 10.10.1.0_24

set security nat destination rule-set rulesetname rule rulename match destination-address-name 10.10.2.1

set security nat destination rule-set rulesetname rule rulename then destination-nat pool pool_192-168-2-1

set security policies from-zone untrustzone to-zone trustzone policy policyname match source-address 10.10.1.0/24

set security policies from-zone untrustzone to-zone trustzone policy policyname match destination-address 192.168.2.1

set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-https

set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-ping

set security policies from-zone untrustzone to-zone trustzone policy policyname then permit

==

Now, we do not want to add their host route (10.10.1.0/24) in our environment and hence we intend to configure source-nat. The IP for source NAT we want to use is 192.168.1.1. Now, because the Internal host (192.168.2.1) is behind my 2nd FW (SRX FW2) hence I am kind a confuse and need help to understand,

-> What would be the policy (Source & destination) I should put in SRX FW2 for my return traffic from Internal Host.

-> What would be the source-NAT configuration in SRX FW1 and

-> Do any configuration needed inside the Internal host, for the return traffic which will be for 10.10.1.1 (translated IP 192.168.1.1 in SRX FW2).

Appreciate your help.

BR//

Adnan

Hi Adnan,

First, I would use static NAT instead of destination/source nat.  

Regarding policies, think about it this way: 

- Destination NAT happens BEFORE a policy is applied.

- Source NAT happens AFTER the policy is applied. 

So when you write a policy, you need to match on the translated destination address (and port when applicable) and the unnatted source address. 

Let me know if this helps,

Regards,

Yasmin. 

Not sure the picture was added to my previous post, so here it is:

Hi Yasmin,

Thank you for your reply. 

This setup is only inbound connection only (meaning Client to InternalHost) (InternalHost will not make any outbound connection, otherthan replying to inbound connections from client). Hence, I believe, I do not need the right hand side configuration on your diagram. Can you please confirm?

I do not want to route 10.10.1/24 to my FW2 (Trying not to inject any external route to my FW2). Do Static NAT is enough? or Do I need addition configuration (Such as sourceNAT?)?

Thank you again.

BR//

Adnan

When you configure static NAT you are configuring destination NAT AND source NAT.  For example:

OK, I think I understand your scenario a little better now. So you have two options: 
- w/ static NAT

- w/ Source and Destination NAT

Let me know if this helps or if you have any questions. 

This was awesome - the diagrams illustrated the process very clearly - this helped me troubleshoot and fix an issue we were having with an ippsec tunnel with source and destination NAT at the same time. Thanks a lot!

Client ----> Internet ----> (IPSec Router) -> (SRX FW1) -> (SRX FW2) -> InternalHost

If I follow you description correctly, you want on the inbound traffic from the VPN to destination nat the subnet 10.10.2.0/24 to 192.168.2.0/24

At the same time you need to nat the incoming traffic 10.10.1.0/24 to 192.168.1.0/24.

So we need to do double nat both source and destination translation in both directions of traffic.  

This is best done on the SRX FW1 terminating the VPN using the zone of the st0.x interface of your route based VPN.

Security policies will be with the zone of the st0.x interface and the interface zone facing SRX FW2

Inbound:

set security nat source pool src-nat-pool-1 address 192.168.1.0/24
set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat destination pool dst-nat-pool-1 address 192.168.2.0/24
set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.0/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

Outbound

set security nat source pool src-nat-pool-1 address 10.10.2.0/24
set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat source rule-set rs1 rule r1 match source-address 192.168.2.0/24
set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat destination pool dst-nat-pool-1 address 10.10.1.0/24
set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat destination rule-set rs1 rule r1 match destination-address 192.168.1.0/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

Hi Steve,

Thank you for your reply. 

This setup is only inbound connection only (meaning Client to InternalHost) (InternalHost will not make any outbound connection, otherthan replying to inbound connections from client). Hence, I believe, I do not need the Outbound configuration that you have provided.

I rewrite the configuration that you have provided. Additionally, the Client will only accessing single InternalHost, so I changes few lines from /24 to /32 (using 192.168.2.2/32 as InternalHost, 10.10.2.2/32 as Natted IP for InternalHost. Can you please,

1) Verify the below configuration:

FW1:
set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat destination rule-set rs1 rule r1 match source-address 10.10.1.0/24
set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.2/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

set security policies from-zone vpn to-zone internal policy yyyy match source-address 10.10.1.0/24
set security policies from-zone vpn to-zone internal policy yyyy match destination-address 192.168.2.2/32
set security policies from-zone vpn to-zone internal policy yyyy match application junos-ping
set security policies from-zone vpn to-zone internal policy yyyy then permit

set security nat source pool src-nat-pool-1 address 192.168.1.0/24
set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 192.168.2.2/32
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

FW2:
set security policies from-zone fw1 to-zone fw2internal policy yyyy match source-address 192.168.1.0/24
set security policies from-zone fw1 to-zone fw2internal policy yyyy match destination-address 192.168.2.2/32
set security policies from-zone fw1 to-zone fw2internal policy yyyy match application junos-ping
set security policies from-zone fw1 to-zone fw2internal policy yyyy then permit

2) Can you please confirm if I can change 192.168.1.0/24 to 192.168.1.2/32 in the following line and will still work.

"set security nat source pool src-nat-pool-1 address 192.168.1.0/24" ---> change to "set security nat source pool src-nat-pool-1 address 192.168.1.2/32"

Thank you again. 

BR//

Adnan

Since the traffic is inbound only you will need only one direction of nat. 

Static nat is only needed when the device initiates communications in both directions.  

Also in this case you need to double nat, change the incoming packets both source and destination.  I have found using source nat at the same time as static nat does not work.

So your configuration is double nat in one dirction only changing both the source and destination address of the same packet.

1) Verify the below configuration:

FW1:

Looks good
set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
set security nat destination rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat destination rule-set rs1 rule r1 match source-address 10.10.1.0/24
set security nat destination rule-set rs1 rule r1 match destination-address 10.10.2.2/32
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1

Looks good

set security policies from-zone vpn to-zone internal policy yyyy match source-address 10.10.1.0/24
set security policies from-zone vpn to-zone internal policy yyyy match destination-address 192.168.2.2/32
set security policies from-zone vpn to-zone internal policy yyyy match application junos-ping
set security policies from-zone vpn to-zone internal policy yyyy then permit

I assume this pool changes based on question below

set security nat source pool src-nat-pool-1 address 192.168.1.2/32 
set security nat source rule-set rs1 from zone vpn_interface <<<<YOUR ZONE NAME
set security nat source rule-set rs1 rule r1 match source-address 10.10.1.0/24
set security nat source rule-set rs1 rule r1 match destination-address 192.168.2.2/32
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1

FW2: 

Looks good:
set security policies from-zone fw1 to-zone fw2internal policy yyyy match source-address 192.168.1.0/24
set security policies from-zone fw1 to-zone fw2internal policy yyyy match destination-address 192.168.2.2/32
set security policies from-zone fw1 to-zone fw2internal policy yyyy match application junos-ping
set security policies from-zone fw1 to-zone fw2internal policy yyyy then permit

2) Can you please confirm if I can change 192.168.1.0/24 to 192.168.1.2/32 in the following line and will still work.

Yes, this is good

"set security nat source pool src-nat-pool-1 address 192.168.1.0/24" ---> change to

"set security nat source pool src-nat-pool-1 address 192.168.1.2/32"

You will also need to be sure the return route on FW2 points the nat pool address 192.168.1.2/32 back to FW1 or it otherwise has this route in the table.

I assume the destination nat address is the real address of the local device so that route is already available.

Thank you very much Steve, for reviewing the config. 

I will proceed with the solution that you mentioned. In case, anything need to change, I will let you know. Thanks again for your quick reply.