jmoser220
Setting up address translation for policy based VPN between Juniper Firewalls

I have two Juniper Firewalls at two different sites and I am trying to set up a policy based VPN between the two networks.  The one firewall has a lot of VPNs on it; specifically, there is already a VPN that is using the subnet range of the remote network I am trying to nail a VPN to.

For example purposes lets say:
My local subnet (Firewall A) is 192.168.1.0/24
The remote subnet (Firewall B) is: 192.168.2.0/24 (this is already being used by another VPN)

How do I set up address translation for a policy based VPN so that I can specify a remote subnet of 192.168.3.0/24 on Firewall A and have that translated to 192.168.2.0/24 on Firewall B?

I was trying to do destination translation on Firewall B and I am getting the error "VPN policies cannot be used with the destination translation option"

Thanks,
Jeff
rowansmith

You need to use another device to do the translation (pre-translation, if you like).

So you have:

Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

you need to do

Net 192.168.1.0 --- Firewall A -------0.0.0.0/0-------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                             192.168.3.0/24
                                     |
                                Firewall C
                                     |
                             192.168.2.0/24

Firewall C and A could be the same physical device and you could use virtualisation to create them...

-Rowan
jmoser220 (ASKER)

I am looking for a Juniper-specific recommendation - and this cannot be a band-aid - this is a problem I can see myself running into more often, so I need a definitive solution.

Thanks,
Jeff
Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

If this is what you have then you cannot do it without another device to do pre-translation.  The NAT technology simply doesn't support it.

Is the above what you have?  If not let me know what you have.

Devices on the 1.0 network need to make a decision as to which of the 2.0/24 networks they want to talk to; the only way this can be done is by sending the traffic to the correct IP address, and to do this those IP addresses have to be translated before the packets leave Firewall-A.

-Rowan
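The policy-selection problem Rowan describes above, as an added illustration (not code from the thread or from any Juniper product): an ordered policy list, first match wins, with two policies that both carry 192.168.2.0/24 as their destination but point at different remote gateways. The first scenario shows why the second VPN can never be selected; the second scenario models the pre-translation device, where the new VPN is addressed as 192.168.3.0/24 on the local side and shifted 1:1 to 192.168.2.0/24 before the packet enters the tunnel. The gateway addresses 203.0.113.1 and 198.51.100.1 are constructed documentation addresses, and the policy names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VpnPolicy:
    """One outbound VPN policy: traffic to dst_net goes to remote_gateway.

    translate_to, when set, models a 1:1 network shift applied before the
    packet enters the tunnel (the separate pre-translation device in the
    thread; Firewall A itself refuses destination translation on a VPN policy).
    """
    name: str
    remote_gateway: str
    dst_net: ipaddress.IPv4Network
    translate_to: Optional[ipaddress.IPv4Network] = None


def select_policy(policies: List[VpnPolicy], dst_ip: str) -> Optional[VpnPolicy]:
    """Ordered policy lookup: the first policy whose destination covers dst_ip wins."""
    ip = ipaddress.IPv4Address(dst_ip)
    for policy in policies:
        if ip in policy.dst_net:
            return policy
    return None


def ambiguous_policies(policies: List[VpnPolicy]) -> List[Tuple[str, str]]:
    """Pairs of policies whose destinations overlap but lead to different gateways.

    Any such pair means the later policy is unreachable for the overlapping
    addresses: the lookup can only be disambiguated by the destination address.
    """
    found = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.remote_gateway != b.remote_gateway and a.dst_net.overlaps(b.dst_net):
                found.append((a.name, b.name))
    return found


def forward(policies: List[VpnPolicy], dst_ip: str) -> Optional[Tuple[str, str]]:
    """Return (remote_gateway, destination address as seen inside the tunnel)."""
    policy = select_policy(policies, dst_ip)
    if policy is None:
        return None
    ip = ipaddress.IPv4Address(dst_ip)
    if policy.translate_to is not None:
        # 1:1 shift: keep the host offset, swap the network part.
        offset = int(ip) - int(policy.dst_net.network_address)
        ip = ipaddress.IPv4Address(int(policy.translate_to.network_address) + offset)
    return policy.remote_gateway, str(ip)


# Constructed scenario 1: what the asker has. Both VPNs claim 192.168.2.0/24.
CONFLICTING = [
    VpnPolicy("existing-to-2.0", "203.0.113.1", ipaddress.IPv4Network("192.168.2.0/24")),
    VpnPolicy("new-to-2.0", "198.51.100.1", ipaddress.IPv4Network("192.168.2.0/24")),
]

# Constructed scenario 2: Rowan's layout. The new VPN is reached as
# 192.168.3.0/24 locally and shifted to 192.168.2.0/24 before the tunnel.
PRETRANSLATED = [
    VpnPolicy("existing-to-2.0", "203.0.113.1", ipaddress.IPv4Network("192.168.2.0/24")),
    VpnPolicy("new-via-3.0", "198.51.100.1", ipaddress.IPv4Network("192.168.3.0/24"),
              translate_to=ipaddress.IPv4Network("192.168.2.0/24")),
]


if __name__ == "__main__":
    print("conflicts:", ambiguous_policies(CONFLICTING))
    print("192.168.2.10 ->", forward(CONFLICTING, "192.168.2.10"))
    print("conflicts after pre-translation:", ambiguous_policies(PRETRANSLATED))
    print("192.168.2.10 ->", forward(PRETRANSLATED, "192.168.2.10"))
    print("192.168.3.10 ->", forward(PRETRANSLATED, "192.168.3.10"))
```

In the first scenario `ambiguous_policies` flags the pair and every packet for 192.168.2.0/24 lands on the existing gateway, which is the situation the asker is in. In the second, hosts on 192.168.1.0/24 pick the company by addressing 192.168.3.x, and the translation step, not the VPN policy, turns that into 192.168.2.x before encryption, so the two policies never overlap on the local side.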
Maybe I wasn't clear enough - my problem is that I *currently* have a policy based VPN where the remote LAN address is 192.168.2.0/24.  I need to create another VPN where the remote LAN address is *also* 192.168.2.0/24.  The VPNs are to separate companies so the remote gateway IP addresses are different.  I need to find a way to create the second VPN while leaving the first VPN intact.

While I agree that a second firewall would solve the problem there has to be a better way!  There has to be a way to do this using translation or an IP shift specific to each VPN.
ASKER CERTIFIED SOLUTION
rowansmith

No, it does not.
SOLUTION
A valid answer has been given with no feedback from the author.
While this solution may be correct, it was not Juniper-specific as I requested several times above.  In addition, there was no way for me to test it because it required adding another device I did not have - so I don't know if it would really work or what the ramifications would be.

In the end I removed one of the VPNs from my firewall so I could create the second VPN without the address conflict.

Please use at your own risk.

Thanks,
Jeff