I have a similar issue. I'm doing a route-based VPN tunnel between SRX340s and require static NAT on both SRX340s.
It's a catch-22 for me because it helps when I have static NAT configured, but the VPN traffic is also negatively affected.
With Static NAT:
On the host server with Static NAT (1 to 1) configured I'm unable to ping the VPN tunnel SRX interface on both sides.
Without Static NAT:
On the host server with Static NAT (1 to 1) not configured I'm able to ping the VPN tunnel SRX interface on both sides.
Effectively I need static NAT, as we require multiple services (Email, Skype, FTP servers, etc.) that need the internal interface mapped to the public interface.
I've read this link:
Traffic Processing on SRX Series Devices Overview | Flow-Based and Packet-Based Processing User Guide for Security Devices | Juniper Networks TechLibrary, and spoke with a Juniper engineer about these issues. They mentioned that Static NAT is processed before VPN traffic, so basically once it's processed on these host services/servers it redirects the traffic accordingly without acknowledging the VPN tunnel traffic.
He did mention traffic selectors as an option within the route-based VPN configuration, as I have proxy-IDs currently. The other configuration I have is that I only have security policies for Inbound Traffic for the SRX340, mapping the external public interface to the internal interface. Perhaps I need to add Outbound Traffic security policies as well? The only other consideration I had was scratching static NAT and using only source and destination NAT, but I'm not 100% sure how the order of traffic processing relates to the IPsec VPN.
All this being said my last 3 options are:
1) traffic selectors
2) source and destination nat
3) Outbound traffic security policies for Public Mapping IPs (trust to untrust zone?). Currently my Inbound traffic is untrust to trust zone.
This may need to be moved to another thread, so I'll just copy my message just in case :)
------------------------------
DEREK HILL
------------------------------
Original Message:
Sent: 09-30-2021 20:54
From: Juan
Subject: static nat from -zone to trust zone for one VPN works fine but conflicts with another VPN
I have 2 route-based VPN tunnels that work fine, but one just recently broke with the addition of a static NAT.
How can I have a static nat for one VPN and route traffic to another VPN without the static NAT?
The zones are:
vpn--zone
trust zone
VPN-1 works without NAT. The source network on the trust zone is 192.168.1.0/24 and the destination network off vpn--zone is 172.30.250.0/24.
VPN-2 needs NAT: 129.x.x.249 NATs to 192.168.1.55 on the trust zone to talk to the remote side on a public segment, 74.x.x.6.
The NAT configuration:
set security nat static rule-set vpn_to_prot from zone vpn--zone
set security nat static rule-set vpn_to_prot rule server-1-nat match destination-address 10.0.0.249/32
set security nat static rule-set vpn_to_prot rule server-1-nat then static-nat prefix 192.168.1.55/32
Is there a way to have my NAT and VPN without the NAT conflicting with my other VPN, but still having the public NAT off the vpn--zone?
Or without creating another zone? The challenge is that 192.168.1.55 talks to a lot of other endpoint VPNs, but one of them requires a NAT.
Thanks!
------------------------------
Juan
------------------------------
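The static NAT rule quoted in Juan's post matches on destination address only, so its reverse mapping also source-translates 192.168.1.55 toward every peer behind vpn--zone, VPN-1 included. As an added example (not Juan's or Derek's configuration), the same rule-set is shown beside a version narrowed with a source-address match, so the translation only applies to the VPN-2 peer; 74.0.0.6/32 is an assumed placeholder for the post's masked 74.x.x.6, and the rule names are reused from the post.

```junos
## Rule as posted: every packet entering vpn--zone for 10.0.0.249 is
## translated, and the reverse (192.168.1.55 -> 10.0.0.249) applies to
## traffic toward any destination, including the VPN-1 network.
set security nat static rule-set vpn_to_prot from zone vpn--zone
set security nat static rule-set vpn_to_prot rule server-1-nat match destination-address 10.0.0.249/32
set security nat static rule-set vpn_to_prot rule server-1-nat then static-nat prefix 192.168.1.55/32

## Narrowed rule (assumed placeholder 74.0.0.6/32 for the VPN-2 peer):
## adding a source-address match limits the forward translation to packets
## from that peer, and the reverse mapping to 192.168.1.55 talking to it.
## VPN-1 traffic between 192.168.1.0/24 and 172.30.250.0/24 no longer hits
## the rule and keeps its original addresses for the VPN-1 proxy-IDs.
set security nat static rule-set vpn_to_prot rule server-1-nat match source-address 74.0.0.6/32

## Verification after commit (operational mode): confirm the rule only
## counts hits for VPN-2 sessions and that VPN-1 sessions are untranslated.
## show security nat static rule all
## show security flow session destination-prefix 192.168.1.55
```

If the VPN-2 peer network is wider than a single host, match the whole remote prefix instead of the /32; the check with `show security nat static rule all` shows the translation hit counter per rule.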