Solved

Setting up address translation for policy based VPN between Juniper Firewalls

Posted on 2008-06-12
11
822 Views
Last Modified: 2008-07-08
I have two Juniper Firewalls at two different sites and I am trying to setup a policy based VPN between the two networks.  The one firewall has alot of VPNs on it, specifically there is already a VPN that is using the subnet range of the remote network I am trying to nail a VPN to.

For example purposes lets say:
My local subnet (Firewall A) is 192.168.1.0/24
The remote subnet (Firewall B) is: 192.168.2.0/24 (this is already being used by another VPN)

How do I setup address translation for a policy based VPN so that I can specify a remote subnet of 192.168.3.0/24 on Firewall A and have that translated to 192.168.2.0/24 on Firewall B?

I was trying to do destination translation on Firewall B and I am getting the error "VPN policies cannot be used with the destination translation option"

Thanks,
Jeff
0
Comment
Question by:jmoser220
  • 5
  • 4
11 Comments
 
LVL 11

Expert Comment

by:rowansmith
ID: 21776609
You need to use another device to do the  translation - pre-translation - if you like.

So you have:

Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

you need to do

Net 192.168.1.0 --- Firewall A -------0.0.0.0/0-------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                             192.168.3.0/24
                                     |
                                Firewall C
                                     |
                             192.168.2.0/24

Firewall C and A could be the same physical device and you could use virtualisation to create them...

-Rowan
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21804065
I am looking for a Juniper specific recommendation - and this cannot be a bandaid - this is a problem I can see myself running into more often so I need a definative solution.

Thanks,
Jeff
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 21808747
Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192/168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

If this is what you have then you can not do it with out another device to do  pre-translation.  The NAT Technology simply doesn't support it.

Is the above what you have?  If not let me know what you have.

Devices on the 1.0 network needs to make a decision as to which of the 2.0/24 networks they want to talk to, the only way this can be done is by sending the traffic to the correct IP Address and to do this those IP Addresses have to be translated before the packets leave Firewall-A.

-Rowan
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 2

Author Comment

by:jmoser220
ID: 21809113
Maybe I wasn't clear enough - my problem is that I *currently* have a policy based VPN where the remote LAN address is 192.168.2.0/24.  I need to create another VPN where the remote LAN address is *also* 192.168.2.0/24.  The VPNs are to separate companies so the remote gateway IP addresses are different.  I need to find a way to create the second VPN while leaving the first VPN intact.

While I agree that a second firewall would solve the problem there has to be a better way!  There has to be a way to do this using translation or an IP shift specific to each VPN.
0
 
LVL 11

Accepted Solution

by:
rowansmith earned 500 total points
ID: 21809300
Right, so you actually need to virtualise your Juniper.  Creating a Virtual Firewall for each customer.  Each Virtual firewall will not be aware of the other unless they are specifically made aware of each other through rules.

Does your Juniper support virtulisation?
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21827885
No it does not.
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 500 total points
ID: 21828752
Well you need another device to do the NAT, if can not create another device via virtualisation then you need to get another physically separate device.
0
 
LVL 11

Expert Comment

by:rowansmith
ID: 21931279
A valid answer has been given with no feedback from the author.
0
 
LVL 2

Author Comment

by:jmoser220
ID: 21953298
While this solution may be correct, it was not Juniper specific as I requested several times above.  In addition there was no way for me to test it because it required adding another device I did not have - so I don't know if it would really work or what the ramifications would be.

In the end I removed one of the VPNs from my firewall so I could create the second VPN without the address conflict.

Please use at your own risk.

Thanks,
Jeff
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question