Solved

Setting up address translation for policy based VPN between Juniper Firewalls

Posted on 2008-06-12
Medium Priority
844 Views
Last Modified: 2008-07-08
I have two Juniper Firewalls at two different sites and I am trying to set up a policy based VPN between the two networks. The one firewall has a lot of VPNs on it; specifically, there is already a VPN that is using the subnet range of the remote network I am trying to nail a VPN to.

For example purposes, let's say:
My local subnet (Firewall A) is 192.168.1.0/24
The remote subnet (Firewall B) is: 192.168.2.0/24 (this is already being used by another VPN)

How do I set up address translation for a policy based VPN so that I can specify a remote subnet of 192.168.3.0/24 on Firewall A and have that translated to 192.168.2.0/24 on Firewall B?

I was trying to do destination translation on Firewall B and I am getting the error "VPN policies cannot be used with the destination translation option".

Thanks,
Jeff
0
Question by: jmoser220
11 Comments
 
LVL 11

Expert Comment

by:rowansmith
ID: 21776609
You need to use another device to do the translation (pre-translation, if you like).

So you have:

Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

you need to do

Net 192.168.1.0 --- Firewall A -------0.0.0.0/0-------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                             192.168.3.0/24
                                     |
                                Firewall C
                                     |
                             192.168.2.0/24

Firewall C and A could be the same physical device and you could use virtualisation to create them...

-Rowan
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21804065
I am looking for a Juniper-specific recommendation, and this cannot be a band-aid; this is a problem I can see myself running into more often, so I need a definitive solution.

Thanks,
Jeff
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 21808747
Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

If this is what you have then you cannot do it without another device to do pre-translation. The NAT technology simply doesn't support it.

Is the above what you have?  If not let me know what you have.

Devices on the 1.0 network need to make a decision as to which of the 2.0/24 networks they want to talk to. The only way this can be done is by sending the traffic to the correct IP address, and to do this those IP addresses have to be translated before the packets leave Firewall A.

-Rowan
0
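To make the point in the comment above concrete, here is an added example (not code from the thread and not Juniper configuration) that models a policy-based VPN selector on Firewall A. Tunnel names, the peer gateway addresses 203.0.113.10 and 198.51.100.20, and the NetMap/PolicyVpnSelector classes are constructed for the illustration. It shows that two tunnels both claiming 192.168.2.0/24 leave the firewall with no way to choose, and that a static 1:1 subnet-to-subnet translation (the "pre-translation" a separate device would perform) lets local hosts address the second partner as 192.168.3.0/24 while the packet still enters the tunnel with its real 192.168.2.0/24 destination.

```python
"""Model of policy-based VPN selection with and without pre-translation.

Added illustration only: the classes, tunnel names and gateway addresses
below are constructed for this example; none of it is Juniper CLI.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


class NetMap:
    """Static 1:1 translation between two equal-size subnets.

    Only the network part of the address is swapped; the host part is kept,
    so 192.168.3.10 <-> 192.168.2.10. This is what the extra device would do
    before the packet is encapsulated into the tunnel.
    """

    def __init__(self, inside: IPv4Network, outside: IPv4Network):
        if inside.prefixlen != outside.prefixlen:
            raise ValueError("netmap requires equal-size subnets")
        self.inside, self.outside = inside, outside

    @staticmethod
    def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        if addr not in src:
            raise ValueError(f"{addr} is not in {src}")
        host_bits = int(addr) - int(src.network_address)
        return IPv4Address(int(dst.network_address) + host_bits)

    def outbound(self, addr: IPv4Address) -> IPv4Address:
        """Translate the address local hosts used into the real remote address."""
        return self._shift(addr, self.inside, self.outside)

    def inbound(self, addr: IPv4Address) -> IPv4Address:
        """Reverse translation for return traffic from the remote side."""
        return self._shift(addr, self.outside, self.inside)


@dataclass
class Tunnel:
    name: str
    remote_gateway: str               # peer's public IP (constructed value)
    policy_subnet: IPv4Network        # what local hosts put in the destination
    netmap: Optional[NetMap] = None   # applied before encapsulation, if any


class PolicyVpnSelector:
    """Chooses a tunnel by destination; refuses overlapping policy subnets."""

    def __init__(self, tunnels: List[Tunnel]):
        self.tunnels = list(tunnels)

    def select(self, dst: IPv4Address) -> Tunnel:
        matches = [t for t in self.tunnels if dst in t.policy_subnet]
        if not matches:
            raise LookupError(f"no VPN policy matches {dst}")
        if len(matches) > 1:
            names = [t.name for t in matches]
            raise ValueError(f"{dst} matches {names}: overlapping remote subnets")
        return matches[0]


def route(selector: PolicyVpnSelector, dst: str) -> Tuple[str, str, str]:
    """Return (tunnel name, peer gateway, destination as sent into the tunnel)."""
    addr = IPv4Address(dst)
    tunnel = selector.select(addr)
    wire_dst = tunnel.netmap.outbound(addr) if tunnel.netmap else addr
    return tunnel.name, tunnel.remote_gateway, str(wire_dst)


def is_ambiguous(selector: PolicyVpnSelector, dst: str) -> bool:
    try:
        selector.select(IPv4Address(dst))
        return False
    except ValueError:
        return True


def build_conflicting() -> PolicyVpnSelector:
    """The situation in the question: both partners are 192.168.2.0/24."""
    return PolicyVpnSelector([
        Tunnel("company1", "203.0.113.10", IPv4Network("192.168.2.0/24")),
        Tunnel("company2", "198.51.100.20", IPv4Network("192.168.2.0/24")),
    ])


def build_with_netmap() -> PolicyVpnSelector:
    """Local hosts reach company2 as 192.168.3.0/24; a netmap restores
    the real 192.168.2.0/24 addresses just before encapsulation."""
    shift = NetMap(IPv4Network("192.168.3.0/24"), IPv4Network("192.168.2.0/24"))
    return PolicyVpnSelector([
        Tunnel("company1", "203.0.113.10", IPv4Network("192.168.2.0/24")),
        Tunnel("company2", "198.51.100.20", IPv4Network("192.168.3.0/24"), shift),
    ])


if __name__ == "__main__":
    print("conflict ambiguous:", is_ambiguous(build_conflicting(), "192.168.2.10"))
    print("with netmap:", route(build_with_netmap(), "192.168.3.10"))
```

The key design point is where the translation happens: the selection decision is made on the address the local host used (192.168.3.10), so it is unambiguous, and only afterwards is the destination rewritten to 192.168.2.10 for the tunnel's real selector. Doing the rewrite on Firewall B instead, as the question attempted, is too late, because by then the packet has already had to pick a tunnel on Firewall A.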
 
LVL 2

Author Comment

by:jmoser220
ID: 21809113
Maybe I wasn't clear enough - my problem is that I *currently* have a policy based VPN where the remote LAN address is 192.168.2.0/24.  I need to create another VPN where the remote LAN address is *also* 192.168.2.0/24.  The VPNs are to separate companies so the remote gateway IP addresses are different.  I need to find a way to create the second VPN while leaving the first VPN intact.

While I agree that a second firewall would solve the problem there has to be a better way!  There has to be a way to do this using translation or an IP shift specific to each VPN.
0
 
LVL 11

Accepted Solution

by: rowansmith (earned 2000 total points)
ID: 21809300
Right, so you actually need to virtualise your Juniper.  Creating a Virtual Firewall for each customer.  Each Virtual firewall will not be aware of the other unless they are specifically made aware of each other through rules.

Does your Juniper support virtualisation?
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21827885
No it does not.
0
 
LVL 11

Assisted Solution

by: rowansmith (earned 2000 total points)
ID: 21828752
Well, you need another device to do the NAT; if you cannot create another device via virtualisation then you need to get another physically separate device.
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 21931279
A valid answer has been given with no feedback from the author.
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21953298
While this solution may be correct, it was not Juniper specific as I requested several times above.  In addition there was no way for me to test it because it required adding another device I did not have - so I don't know if it would really work or what the ramifications would be.

In the end I removed one of the VPNs from my firewall so I could create the second VPN without the address conflict.

Please use at your own risk.

Thanks,
Jeff
0