Solved

Setting up address translation for policy based VPN between Juniper Firewalls

Posted on 2008-06-12
11
804 Views
Last Modified: 2008-07-08
I have two Juniper Firewalls at two different sites and I am trying to setup a policy based VPN between the two networks.  The one firewall has alot of VPNs on it, specifically there is already a VPN that is using the subnet range of the remote network I am trying to nail a VPN to.

For example purposes lets say:
My local subnet (Firewall A) is 192.168.1.0/24
The remote subnet (Firewall B) is: 192.168.2.0/24 (this is already being used by another VPN)

How do I setup address translation for a policy based VPN so that I can specify a remote subnet of 192.168.3.0/24 on Firewall A and have that translated to 192.168.2.0/24 on Firewall B?

I was trying to do destination translation on Firewall B and I am getting the error "VPN policies cannot be used with the destination translation option"

Thanks,
Jeff
0
Comment
Question by:jmoser220
  • 5
  • 4
11 Comments
 
LVL 11

Expert Comment

by:rowansmith
Comment Utility
You need to use another device to do the  translation - pre-translation - if you like.

So you have:

Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

you need to do

Net 192.168.1.0 --- Firewall A -------0.0.0.0/0-------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                             192.168.3.0/24
                                     |
                                Firewall C
                                     |
                             192.168.2.0/24

Firewall C and A could be the same physical device and you could use virtualisation to create them...

-Rowan
0
 
LVL 2

Author Comment

by:jmoser220
Comment Utility
I am looking for a Juniper specific recommendation - and this cannot be a bandaid - this is a problem I can see myself running into more often so I need a definative solution.

Thanks,
Jeff
0
 
LVL 11

Expert Comment

by:rowansmith
Comment Utility
Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

If this is what you have then you can not do it with out another device to do  pre-translation.  The NAT Technology simply doesn't support it.

Is the above what you have?  If not let me know what you have.

Devices on the 1.0 network needs to make a decision as to which of the 2.0/24 networks they want to talk to, the only way this can be done is by sending the traffic to the correct IP Address and to do this those IP Addresses have to be translated before the packets leave Firewall-A.

-Rowan
0
 
LVL 2

Author Comment

by:jmoser220
Comment Utility
Maybe I wasn't clear enough - my problem is that I *currently* have a policy based VPN where the remote LAN address is 192.168.2.0/24.  I need to create another VPN where the remote LAN address is *also* 192.168.2.0/24.  The VPNs are to separate companies so the remote gateway IP addresses are different.  I need to find a way to create the second VPN while leaving the first VPN intact.

While I agree that a second firewall would solve the problem there has to be a better way!  There has to be a way to do this using translation or an IP shift specific to each VPN.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
Comment Utility
Right, so you actually need to virtualise your Juniper.  Creating a Virtual Firewall for each customer.  Each Virtual firewall will not be aware of the other unless they are specifically made aware of each other through rules.

Does your Juniper support virtulisation?
0
 
LVL 2

Author Comment

by:jmoser220
Comment Utility
No it does not.
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 500 total points
Comment Utility
Well you need another device to do the NAT, if can not create another device via virtualisation then you need to get another physically separate device.
0
 
LVL 11

Expert Comment

by:rowansmith
Comment Utility
A valid answer has been given with no feedback from the author.
0
 
LVL 2

Author Comment

by:jmoser220
Comment Utility
While this solution may be correct, it was not Juniper specific as I requested several times above.  In addition there was no way for me to test it because it required adding another device I did not have - so I don't know if it would really work or what the ramifications would be.

In the end I removed one of the VPNs from my firewall so I could create the second VPN without the address conflict.

Please use at your own risk.

Thanks,
Jeff
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now