Solved

Setting up address translation for policy based VPN between Juniper Firewalls

Posted on 2008-06-12
Last Modified: 2008-07-08
I have two Juniper Firewalls at two different sites and I am trying to set up a policy based VPN between the two networks. The one firewall has a lot of VPNs on it; specifically, there is already a VPN that is using the subnet range of the remote network I am trying to nail a VPN to.

For example purposes lets say:
My local subnet (Firewall A) is 192.168.1.0/24
The remote subnet (Firewall B) is: 192.168.2.0/24 (this is already being used by another VPN)

How do I set up address translation for a policy based VPN so that I can specify a remote subnet of 192.168.3.0/24 on Firewall A and have that translated to 192.168.2.0/24 on Firewall B?

I was trying to do destination translation on Firewall B and I am getting the error "VPN policies cannot be used with the destination translation option"

Thanks,
Jeff
Question by:jmoser220
LVL 11

Expert Comment

by:rowansmith
ID: 21776609
You need to use another device to do the translation (pre-translation, if you like).

So you have:

Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

you need to do

Net 192.168.1.0 --- Firewall A -------0.0.0.0/0-------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                             192.168.3.0/24
                                     |
                                Firewall C
                                     |
                             192.168.2.0/24

Firewall C and A could be the same physical device and you could use virtualisation to create them...

-Rowan
 
LVL 2

Author Comment

by:jmoser220
ID: 21804065
I am looking for a Juniper specific recommendation, and this cannot be a band-aid. This is a problem I can see myself running into more often, so I need a definitive solution.

Thanks,
Jeff
 
LVL 11

Expert Comment

by:rowansmith
ID: 21808747
Net 192.168.1.0 --- Firewall A ----------------------- Firewall B --- 192.168.2.0/24
                                     |
                                     |
                                192.168.2.0/24

If this is what you have then you cannot do it without another device to do pre-translation. The NAT technology simply doesn't support it.

Is the above what you have?  If not let me know what you have.

Devices on the 1.0 network need to make a decision as to which of the 2.0/24 networks they want to talk to. The only way this can be done is by sending the traffic to the correct IP address, and to do this those IP addresses have to be translated before the packets leave Firewall-A.

-Rowan
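The point Rowan makes in the comment above, that a policy-based VPN picks its tunnel by first-match selector lookup and so the address shift has to happen before the packet reaches that lookup, can be modelled directly. The following is an added illustration written for this page; it is not ScreenOS configuration and not code from anyone in the thread. The two gateway addresses (198.51.100.1 and 203.0.113.1), the client host 192.168.1.10 and the "translating hop" in front of the second tunnel are constructed to stand in for the extra device in Rowan's second diagram.

```python
"""Why two policy-based VPNs cannot share a remote selector, and how a 1:1
network translation (a 'shifted' subnet) in front of the second tunnel
resolves the overlap.  Constructed model, not ScreenOS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Tunnel:
    name: str
    peer_gateway: str        # remote IKE gateway (constructed documentation IPs)
    local_net: IPv4Network   # policy / proxy-ID source
    remote_net: IPv4Network  # policy / proxy-ID destination


LOCAL = IPv4Network("192.168.1.0/24")          # Firewall A's LAN (from the question)
REAL_REMOTE = IPv4Network("192.168.2.0/24")    # both companies really use this
SHIFTED_REMOTE = IPv4Network("192.168.3.0/24") # what Firewall A will see company 2 as
CLIENT = IPv4Address("192.168.1.10")           # constructed local host


def select_tunnel(policies, pkt):
    """First-match policy lookup, which is how a policy-based VPN chooses a tunnel."""
    for t in policies:
        if pkt.src in t.local_net and pkt.dst in t.remote_net:
            return t
    return None


def overlapping_selectors(policies):
    """Pairs of policies whose selectors overlap; the later one is shadowed and can
    never be selected for the overlapping addresses.  This is the check to run
    before adding a tunnel."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.local_net.overlaps(b.local_net) and a.remote_net.overlaps(b.remote_net):
                pairs.append((a.name, b.name))
    return pairs


def netmap(addr, from_net, to_net):
    """1:1 translate addr from from_net into to_net, keeping the host bits
    (the 'IP shift' the question asks for).  Addresses outside from_net pass through."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap requires equal prefix lengths")
    if addr not in from_net:
        return addr
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_bits)


class TranslatingHop:
    """The extra device in front of the second tunnel: rewrites the destination on
    the way out and the source on the way back, so the local LAN only ever sees
    the shifted subnet."""

    def __init__(self, shifted, real):
        self.shifted, self.real = shifted, real

    def outbound(self, pkt):
        return Packet(pkt.src, netmap(pkt.dst, self.shifted, self.real))

    def inbound(self, pkt):
        return Packet(netmap(pkt.src, self.real, self.shifted), pkt.dst)


def overlapping_policies():
    """What the asker has: two tunnels, same local and remote selectors."""
    return [Tunnel("company1", "198.51.100.1", LOCAL, REAL_REMOTE),
            Tunnel("company2", "203.0.113.1", LOCAL, REAL_REMOTE)]


def shifted_policies():
    """Firewall A's view after the shift: company 2 is addressed as 192.168.3.0/24."""
    return [Tunnel("company1", "198.51.100.1", LOCAL, REAL_REMOTE),
            Tunnel("company2", "203.0.113.1", LOCAL, SHIFTED_REMOTE)]


def round_trip(policies, hop, dst):
    """Trace a request from CLIENT to dst and the reply back.  Returns the tunnel
    chosen, the destination the remote site sees, and the source the client sees
    in the reply."""
    out = Packet(CLIENT, dst)
    tunnel = select_tunnel(policies, out)
    via_hop = tunnel is not None and tunnel.name == "company2"
    on_wire = hop.outbound(out) if via_hop else out
    reply = Packet(on_wire.dst, on_wire.src)      # the remote host answers
    back = hop.inbound(reply) if via_hop else reply
    return (tunnel.name if tunnel else None, str(on_wire.dst), str(back.src))


if __name__ == "__main__":
    print("shadowed:", overlapping_selectors(overlapping_policies()))
    print("after shift:", overlapping_selectors(shifted_policies()))
    hop = TranslatingHop(SHIFTED_REMOTE, REAL_REMOTE)
    print("to company 2:", round_trip(shifted_policies(), hop, IPv4Address("192.168.3.25")))
    print("to company 1:", round_trip(shifted_policies(), hop, IPv4Address("192.168.2.25")))
```

With the original policies, `overlapping_selectors` reports that `company2` is shadowed by `company1`, and no destination address can ever select it. After the shift, a packet to 192.168.3.25 is selected into `company2`, leaves the translating hop as 192.168.2.25, and the reply comes back with its source rewritten to 192.168.3.25, so hosts on 192.168.1.0/24 address the two companies by different subnets. The usual caveats of 1:1 NAT apply: both networks must have the same prefix length, the shifted range must not be in use anywhere else, and protocols that embed IP addresses in their payload (FTP, SIP and similar) need an ALG or will break.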
LVL 2

Author Comment

by:jmoser220
ID: 21809113
Maybe I wasn't clear enough - my problem is that I *currently* have a policy based VPN where the remote LAN address is 192.168.2.0/24.  I need to create another VPN where the remote LAN address is *also* 192.168.2.0/24.  The VPNs are to separate companies so the remote gateway IP addresses are different.  I need to find a way to create the second VPN while leaving the first VPN intact.

While I agree that a second firewall would solve the problem there has to be a better way!  There has to be a way to do this using translation or an IP shift specific to each VPN.
 
LVL 11

Accepted Solution

by:
rowansmith earned 2000 total points
ID: 21809300
Right, so you actually need to virtualise your Juniper, creating a virtual firewall for each customer. Each virtual firewall will not be aware of the other unless they are specifically made aware of each other through rules.

Does your Juniper support virtualisation?
 
LVL 2

Author Comment

by:jmoser220
ID: 21827885
No it does not.
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 2000 total points
ID: 21828752
Well, you need another device to do the NAT. If you cannot create another device via virtualisation then you need to get another physically separate device.
 
LVL 11

Expert Comment

by:rowansmith
ID: 21931279
A valid answer has been given with no feedback from the author.
 
LVL 2

Author Comment

by:jmoser220
ID: 21953298
While this solution may be correct, it was not Juniper specific as I requested several times above. In addition, there was no way for me to test it because it required adding another device I did not have, so I don't know if it would really work or what the ramifications would be.

In the end I removed one of the VPNs from my firewall so I could create the second VPN without the address conflict.

Please use at your own risk.

Thanks,
Jeff