Solved

Juniper Firewall double nat

Posted on 2011-10-14
1,849 Views
Last Modified: 2012-05-12
How do you configure double NATting on a Juniper firewall? So basically, traffic coming from one IP address but translating to another.
Question by:Jack_son_
13 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 36972920
Is this SRX or SOS in question? Have a look at the link below and then browse for the specific product:
http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST

Update if you need specific help.

Thank you.
LVL 63

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 500 total points
ID: 36972945
Are you sure you mean double NAT? That's usually when you have two devices connected in stream that both use NAT.  Do you mean port-forwarding instead?  If you're not sure just describe what you're trying to do and with what devices attached to the Juniper.

Author Comment

by:Jack_son_
ID: 36972986
Trying to mask an IP coming inbound to a certain subnet so it is seen as a different IP. I have a range for the mask, although I am unsure of how to do this in Juniper. I just need the firewall to be aware of this subnet of IP addresses and where they should translate to. These are all internal IPs.
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 500 total points
ID: 36973430
I think what you want to use is a DIP pool. I use a dynamic IP pool to translate one subnet to another so that I can use specific source IPs for VPNs.

Author Comment

by:Jack_son_
ID: 36974011
OK, or what if I have it translated on another appliance first and then it comes to this device; how can I make it aware of this, using a DIP as well?

Thanks
LVL 18

Expert Comment

by:Sanga Collins
ID: 36974495
Using a DIP pool only handles the actual translation. It cannot be used to determine the original source IP if another device has already done the translation for you.

What are you trying to accomplish? If you give us an example of what you would like to do, I am sure that if it is possible we can find a solution.

Author Comment

by:Jack_son_
ID: 36974630
Basically I am bringing in traffic from another one of our sites via an IPsec tunnel; the IPs are being NATed internally to appear as a different IP address from that network, since there are overlapping IP ranges on the two networks. So I have them coming in properly, but once they hit the Juniper it does not recognize this range. How can I fix it so it knows this range and where to send the packets?
LVL 18

Expert Comment

by:Sanga Collins
ID: 36974675
Ah, I see. The best way to accomplish this is to configure the DIP pool on the remote site. Hopefully the remote site also has a Juniper firewall. If it does, I would configure a policy-based VPN on the remote site and on that policy add a DIP pool to translate the source IP addresses into a new subnet before sending the traffic through the VPN.
One disadvantage of this is that you will not be able to ping the remote site IP addresses directly. I'll have to research how to send traffic back to the remote site.
LVL 72

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 36975694
To get it working both ways you will need to use a 1:1 NAT (per DIP, as mentioned). As soon as you NAT to a single address, traffic can only originate from one side. Nevertheless, replies should work even with a single IP, as the session table holds all the necessary information to do the reverse translation.

If traffic is not passing or coming back, e.g. pings, you need to check the firewall policies for proper usage of the DIP address(es). If you do the translation in the policy (versus in the tunnel), it is more straightforward.
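Worked configuration for the two approaches discussed in the replies above (Sanga Collins's DIP pool on a policy-based VPN, and Qlemo's 1:1 NAT for two-way reachability), added here as an example. It is not from the thread or from Juniper documentation, and the asker never posted their own config. It assumes the ScreenOS (NetScreen/SSG) CLI on both sites; the interface, zone, address-book, VPN and policy names and all IP ranges are hypothetical, and the IKE gateway and "set vpn" definitions are assumed to already exist.

```screenos
## Added example; not from the thread and not Juniper documentation. Assumes
## ScreenOS CLI. Names, interfaces and addresses below are hypothetical.
##
## Both sites use 192.168.1.0/24 (the overlap). Each side hides its LAN behind
## a different, non-overlapping range on the VPN, so hosts address the far side
## only by its translated range, never by the real 192.168.1.x:
##   Site A 192.168.1.0/24  <-> presented to B as 10.50.1.0/24
##   Site B 192.168.1.0/24  <-> presented to A as 10.50.2.0/24
## IKE gateway and "set vpn" lines are assumed to already exist on both sides.

## ===== Site A (remote), two-way variant: 1:1 subnet MIP (Qlemo's "1:1 NAT")
set address trust   "SiteA-LAN"      192.168.1.0 255.255.255.0
set address untrust "SiteB-via-VPN"  10.50.2.0   255.255.255.0
## A MIP is static and bidirectional: inbound to 10.50.1.x reaches 192.168.1.x,
## and outbound from 192.168.1.x leaves with source 10.50.1.x.
set interface ethernet0/0 mip 10.50.1.0 host 192.168.1.0 netmask 255.255.255.0 vr trust-vr
## Policy-based VPN in both directions. ScreenOS exposes the MIP in the untrust
## address book as "MIP(10.50.1.0/24)" (assumed name; confirm with "get address untrust").
set policy id 10 from trust to untrust "SiteA-LAN" "SiteB-via-VPN" any tunnel vpn "vpn-to-B" permit
set policy id 11 from untrust to trust "SiteB-via-VPN" "MIP(10.50.1.0/24)" any tunnel vpn "vpn-to-B" permit
## Phase 2 proxy-IDs must describe the translated ranges, not the real LANs,
## and must mirror each other on the two sites.
set vpn "vpn-to-B" proxy-id local-ip 10.50.1.0/24 remote-ip 10.50.2.0/24 any

## ===== Site B (the asker's Juniper): mirror image. The "SiteA-via-VPN" entry
## plus policy 21 is what makes this firewall aware of the 10.50.1.0/24 range
## arriving through the tunnel and where to deliver it.
set address trust   "SiteB-LAN"      192.168.1.0 255.255.255.0
set address untrust "SiteA-via-VPN"  10.50.1.0   255.255.255.0
set interface ethernet0/0 mip 10.50.2.0 host 192.168.1.0 netmask 255.255.255.0 vr trust-vr
set policy id 20 from trust to untrust "SiteB-LAN" "SiteA-via-VPN" any tunnel vpn "vpn-to-A" permit
set policy id 21 from untrust to trust "SiteA-via-VPN" "MIP(10.50.2.0/24)" any tunnel vpn "vpn-to-A" permit
set vpn "vpn-to-A" proxy-id local-ip 10.50.2.0/24 remote-ip 10.50.1.0/24 any

## ===== One-way alternative on Site A only (Sanga Collins's DIP pool)
## Hosts at A can initiate to B, but B cannot initiate to (or ping) hosts at A:
## the pool address is chosen per session and only A's session table knows the
## reverse mapping. Replies to A-initiated sessions still flow back through
## that session entry. In this variant Site A has no MIP, so policy 20 at
## Site B has nothing to reach; only policy 21 is needed there.
set interface ethernet0/0 dip 5 10.50.1.1 10.50.1.254
set policy id 12 from trust to untrust "SiteA-LAN" "SiteB-via-VPN" any nat src dip-id 5 tunnel vpn "vpn-to-B" permit

## ===== Checks (run on both sides)
get mip        ## MIP table: translated <-> real pairs
get dip        ## DIP pool ranges and current allocations
get session    ## the translated source should appear in the session entry
```

The translation is done in the policy rather than on the tunnel, which is the variant Qlemo calls more straightforward: the same policy that selects the VPN also names the NAT, so a missing or mis-ordered policy shows up directly in "get session" as a session that never gets a translated address. The MIP pair is the only variant in which either side can start a session; the DIP pool is sufficient only if traffic always originates at the remote site.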

Author Comment

by:Jack_son_
ID: 36975775
Great, thanks; do you have any information on setting up the DIP in this way?  
LVL 72

Expert Comment

by:Qlemo
ID: 36976801
Could you show us the relevant part of the (VPN) config?

Author Comment

by:Jack_son_
ID: 37082063
Yes, it's below:
LVL 72

Expert Comment

by:Qlemo
ID: 37082618
(still waiting for the config ...)