Hi,
I am trying to establish a site-to-site IPSec tunnel with our client. The VPN would be on a separate router, but behind it we have SRX1500 firewalls. I need help with the NAT configuration and with understanding the return traffic flow.
Here is the HW and path setup:
Client ----> Internet ----> (IPSec Router) -> (SRX FW1) -> (SRX FW2) -> InternalHost
Here are the details:
The client has host IP 10.10.1.0/24 (one end of the VPN host) and asked us to use IP 10.10.2.0/24 (our end of the VPN host) for their convenience of routing. So, we will NAT/translate this 10.10.2.0/24 (taking one IP, 10.10.2.1) in SRX FW1 to our actual internal host IP 192.168.2.1. I need help verifying this configuration:
==
# address-book entries referenced by the rule-set and policy (added so the block commits; names follow the post)
set security address-book global address 10.10.1.0_24 10.10.1.0/24
set security address-book global address 10.10.2.1 10.10.2.1/32
set security address-book global address 192.168.2.1 192.168.2.1/32
# destination NAT pool and the from-zone the rule-set requires (added; pool address is the internal host from the post)
set security nat destination pool pool_192-168-2-1 address 192.168.2.1/32
set security nat destination rule-set rulesetname from zone untrustzone
set security nat destination rule-set rulesetname rule rulename match source-address-name 10.10.1.0_24
set security nat destination rule-set rulesetname rule rulename match destination-address-name 10.10.2.1
set security nat destination rule-set rulesetname rule rulename then destination-nat pool pool_192-168-2-1
# the policy is evaluated after destination NAT, so it matches the translated address 192.168.2.1 via its address-book name
set security policies from-zone untrustzone to-zone trustzone policy policyname match source-address 10.10.1.0_24
set security policies from-zone untrustzone to-zone trustzone policy policyname match destination-address 192.168.2.1
set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-https
set security policies from-zone untrustzone to-zone trustzone policy policyname match application junos-ping
set security policies from-zone untrustzone to-zone trustzone policy policyname then permit
==
Now, we do not want to add their host route (10.10.1.0/24) in our environment, and hence we intend to configure source NAT. The IP we want to use for source NAT is 192.168.1.1. Now, because the internal host (192.168.2.1) is behind my 2nd FW (SRX FW2), I am kind of confused and need help understanding:
-> What policy (source & destination) should I put in SRX FW2 for the return traffic from the internal host?
-> What would be the source NAT configuration in SRX FW1?
-> Is any configuration needed on the internal host for the return traffic, which will be destined to 10.10.1.1 (translated IP 192.168.1.1 in SRX FW2)?
Appreciate your help.
BR//
Adnan
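The following is an added worked configuration for the setup described in the post (destination NAT of 10.10.2.1 to 192.168.2.1 plus source NAT of 10.10.1.0/24 to 192.168.1.1 on FW1, and the matching policy on FW2). It is example config written for this page, not the poster's own config and not a Juniper reference. Assumptions: FW1 uses the zone names untrustzone/trustzone from the post; FW1's FW2-facing interface is ge-0/0/1.0; FW2's zones are called outside (FW1-facing) and inside (host-facing); all rule, pool, policy and address-book names are made up here. The `#` lines are reader comments and must be dropped before pasting with `load set terminal`. Two points the config relies on: SRX evaluates destination NAT before route and policy lookup and source NAT after them, so the security policy and the source NAT rule both match the translated destination 192.168.2.1, and return traffic is matched against the existing session on both firewalls, so FW2 needs no separate inside-to-outside policy for it.

```junos
# ---------- FW1 (SRX1500 facing the IPSec router) ----------
# address-book entries used by the policy (names assumed)
set security address-book global address client-net 10.10.1.0/24
set security address-book global address vpn-host 10.10.2.1/32
set security address-book global address internal-host 192.168.2.1/32

# destination NAT: 10.10.2.1 -> 192.168.2.1, only for traffic arriving from the VPN side
set security nat destination pool dnat-internal-host address 192.168.2.1/32
set security nat destination rule-set dnat-from-vpn from zone untrustzone
set security nat destination rule-set dnat-from-vpn rule dnat-host match source-address 10.10.1.0/24
set security nat destination rule-set dnat-from-vpn rule dnat-host match destination-address 10.10.2.1/32
set security nat destination rule-set dnat-from-vpn rule dnat-host then destination-nat pool dnat-internal-host

# source NAT: 10.10.1.0/24 -> 192.168.1.1; evaluated after destination NAT, so match the translated destination
set security nat source pool snat-vpn-client address 192.168.1.1/32
set security nat source rule-set snat-vpn-to-trust from zone untrustzone
set security nat source rule-set snat-vpn-to-trust to zone trustzone
set security nat source rule-set snat-vpn-to-trust rule snat-client match source-address 10.10.1.0/24
set security nat source rule-set snat-vpn-to-trust rule snat-client match destination-address 192.168.2.1/32
set security nat source rule-set snat-vpn-to-trust rule snat-client then source-nat pool snat-vpn-client

# needed only if 192.168.1.1 lies in the subnet of FW1's trust-side interface (assumed ge-0/0/1.0)
# but is not that interface's own address; if FW2 reaches 192.168.1.1 via a next-hop route, omit it
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.1.1/32

# policy sees post-destination-NAT, pre-source-NAT addresses: 10.10.1.0/24 -> 192.168.2.1
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host match source-address client-net
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host match destination-address internal-host
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host match application junos-https
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host match application junos-ping
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host then permit
set security policies from-zone untrustzone to-zone trustzone policy vpn-to-internal-host then log session-init

# ---------- FW2 (SRX1500 in front of the internal host; zones outside/inside assumed) ----------
# FW2 only ever sees 192.168.1.1 -> 192.168.2.1; the client range 10.10.1.0/24 never appears here
set security address-book global address snat-vpn-client 192.168.1.1/32
set security address-book global address internal-host 192.168.2.1/32
set security policies from-zone outside to-zone inside policy fw1-to-internal-host match source-address snat-vpn-client
set security policies from-zone outside to-zone inside policy fw1-to-internal-host match destination-address internal-host
set security policies from-zone outside to-zone inside policy fw1-to-internal-host match application junos-https
set security policies from-zone outside to-zone inside policy fw1-to-internal-host match application junos-ping
set security policies from-zone outside to-zone inside policy fw1-to-internal-host then permit
# return traffic 192.168.2.1 -> 192.168.1.1 is matched to the session above; no inside-to-outside policy is required
```

With this in place the internal host needs nothing beyond a route to 192.168.1.1 (its normal default gateway toward FW2 is enough), since the client range 10.10.1.0/24 is never visible behind FW1. FW1 itself still needs a route toward 10.10.1.0/24 via the IPSec router for the reverse direction of the session, which a default route pointing at that router satisfies. To verify after commit, send an HTTPS request or ping from the client side and check `show security flow session destination-prefix 192.168.2.1` on both boxes: on FW1 the session's In wing should show 10.10.1.x -> 10.10.2.1 and its Out wing 192.168.2.1 -> 192.168.1.1, while on FW2 both wings only carry 192.168.1.1 and 192.168.2.1. `show security nat source rule all` and `show security nat destination rule all` show the translation hit counters for the two rules.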