Juniper Firewall double nat

How do you configure double NATting for the Juniper Firewall? So basically, coming from one IP address but translating to another.
Jack_son_ asked:
dpk_wal commented:
Is this SRX or SOS in question? Have a look at the link below and then browse for the specific product:
http://kb.juniper.net/InfoCenter/index?page=content&id=TN81&actp=LIST

Update if you need specific help.

Thank you.
0
 
☠ MASQ ☠ commented:
Are you sure you mean double NAT? That's usually when you have two devices connected in stream that both use NAT. Do you mean port-forwarding instead? If you're not sure, just describe what you're trying to do and with what devices attached to the Juniper.
0
 
Jack_son_ (Author) commented:
Trying to mask an IP coming inbound to a certain subnet so it is seen as a different IP. I have a range for the mask, although I am unsure of how to do this in Juniper. I just need the firewall to be aware of this subnet of IP addresses and where they should translate to. These are all internal IPs.
0
 
Sanga Collins (Systems Admin) commented:
I think what you want to use is a DIP pool. I use a dynamic IP pool to translate one subnet to another so that I can use specific source IPs for VPNs.
0
 
Jack_son_ (Author) commented:
OK, or what if I have it translated from another appliance first, then it comes to this device; how can I make it aware of this, using a DIP as well?

Thanks
0
 
Sanga Collins (Systems Admin) commented:
Using a DIP pool only handles the actual translation. It cannot be used to determine the original source IP if another device has already done the translation for you.

What are you trying to accomplish? If you give us an example of what you would like to do, I am sure that if it is possible we can find a solution.
0
 
Jack_son_ (Author) commented:
Basically I am bringing in traffic from another one of our sites via IPsec tunnel; the IPs are being NATted internally to appear as a different IP address from that network, since there are overlapping IP ranges on the 2 networks. So I have them coming in properly, but once they hit the Juniper it does not recognize this range. How can I fix it so it knows this range and where to send the packets?
0
 
Sanga Collins (Systems Admin) commented:
Ah, I see. The best way to accomplish this is to configure the DIP pool on the remote site. Hopefully the remote site also has a Juniper firewall. If it does, I would configure a policy-based VPN on the remote site and on that policy add a DIP pool to translate the source IP addresses into a new subnet before sending the traffic through the VPN.
One disadvantage of this is that you will not be able to ping the remote site IP addresses directly. I'll have to research how to send traffic back to the remote site.
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
To get it working both ways you will need to use a 1:1 NAT (per DIP, as mentioned). As soon as you NAT to a single address, traffic can only originate from one side. Nevertheless, replies should work even with a single IP, as the session table holds all necessary information to do the reverse translation.

If traffic is not passing or coming back, e.g. pings, you need to check the firewall policies for proper usage of the DIP address(es). If you do the translation in the policy (versus in the tunnel), it is more straightforward.
0
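A ScreenOS sketch of what Sanga Collins and Qlemo describe, added here as an example; it is not from the thread and not any poster's configuration. It assumes the remote site's 10.1.1.0/24 overlaps an address range at the hub and is presented through the tunnel as 10.20.1.0/24; interface names, zones, addresses, the DIP id and the VPN names are placeholders, and the exact syntax should be checked against the ScreenOS NAT documentation for the release in use (dpk_wal's KB link above is the starting point).

```text
# Constructed example (not from the thread). Remote-site ScreenOS firewall.
# Local LAN 10.1.1.0/24 overlaps with the hub, so it leaves the VPN as 10.20.1.0/24.

# 1:1 address shifting, Qlemo's "1:1 NAT per DIP": 10.1.1.1 -> 10.20.1.1,
# 10.1.1.2 -> 10.20.1.2, ... Each host keeps a fixed translated address, unlike a
# plain DIP pool, which hands out addresses (and ports) dynamically.
# The pool sits on the untrust (egress) interface; the ext ip puts it on its own
# subnet because the pool is not part of the interface's real subnet (assumed).
set interface ethernet0/3 ext ip 10.20.1.254 255.255.255.0 dip 5 shift-from 10.1.1.1 to 10.20.1.1 10.20.1.253

# Address book entries used by the policy (placeholder names and ranges).
set address trust remote-lan 10.1.1.0/24
set address untrust hub-lan 172.16.5.0/24

# Policy-based VPN policy: translate the source in the policy (as Qlemo suggests),
# then send it through the tunnel. Replies to these sessions come back via the
# session table; hub-initiated traffic to 10.20.1.x would additionally need a
# MIP (static 1:1 mapping) and a matching untrust-to-trust tunnel policy.
set policy id 10 from trust to untrust remote-lan hub-lan any nat src dip-id 5 tunnel vpn vpn-to-hub permit

# Hub-side ScreenOS firewall: this is what makes the hub "aware" of the translated
# range the asker mentions. It only ever sees 10.20.1.0/24, never 10.1.1.0/24.
set address untrust remote-lan-nat 10.20.1.0/24
set address trust hub-lan 172.16.5.0/24
set policy id 20 from untrust to trust remote-lan-nat hub-lan any tunnel vpn vpn-to-remote permit
set policy id 21 from trust to untrust hub-lan remote-lan-nat any tunnel vpn vpn-to-remote permit
```

The hub-side policies reference only the translated 10.20.1.0/24 range, so a ping from the hub to a remote host has to target its 10.20.1.x address, which is the limitation Sanga Collins notes.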
 
Jack_son_ (Author) commented:
Great, thanks; do you have any information on setting up the DIP in this way?
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Could you show us the relevant part of the (VPN) config?
0
 
Jack_son_ (Author) commented:
Yes, it's below:
0
 
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
(still waiting for the config ...)
0
Question has a verified solution.