Solved

Juniper Netscreen L2L VPN with Public IP Addresses

Posted on 2013-05-20
7
756 Views
Last Modified: 2013-06-10
I have a requirement to implement multiple VPN L2L tunnels to a number of different peers.

Some of the resources behind my side of the VPN will need to be accessed by several of the remote sites.

To avoid same-private-subnet issues a number of the peers that I need to connect to insist on having pubic IP NATs applied to the hosts to be accessed on either side of the tunnel.

I can set this up with no issues on my Cisco ASA. I just setup the static NAT for each host that needs to be accessed over a tunnel and then apply whatever access rules are needed per tunnel in the interface and crypto ACLs.

This seems to be an issue, however, on the Juniper.

It seems that, on the Juniper, once a host has been NAT'd to a public IP and applied to a tunnel it cannot be applied to another tunnel. This means that those resources on my side of the VPN that need to be shared by multiple peers can only be accessed by one peer.

Is this correct ? Is there no way around this ?

If this is correct it would appear to be a fairly fundamental issue with regard to the functionality of this kit.

TIA.
0
Comment
Question by:ccfcfc
  • 3
  • 2
  • 2
7 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
Comment Utility
With juniper devices you can use a Dynamic IP pool (DIP) to assign IPs to be NATd to private network servers and devices. This will get around the limitations of using a MIP.
0
 

Author Comment

by:ccfcfc
Comment Utility
sangamc,

Thanks for the quick response.

Can you point me at any info on this ? I am from the Cisco world and am new to Juniper so any relevant how-to or configuration example would be really useful.

Thanks.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 350 total points
Comment Utility
here is the KB article for DIP pool on juniper devices with ScreenOS. If you have an srx serise device thats running Junos firmware, let me know and I will post the KB article for DIP configurations.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4748
0
NetScaler Deployment Guides and Resources

Citrix NetScaler is certified to support many of the most commonly deployed enterprise applications. Deployment guides provide in-depth recommendations on configuring NetScaler to meet specific application requirements.

 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 150 total points
Comment Utility
Are you are using different public IPs for each server, or perform port forwarding on one or a few public IPs?

DIPs only work as source address, that is for outgoing traffic. This needs to be set up in the respective policy. You would have to combine that with a incoming policy applying destination NAT. This allows for a bidrectional communication, if necessary.

VIPs only work for incoming traffic, and are used commonly for port-mapping.

MIPs implement 1:1 NAT.

Having said that, what your peers demand is nonsense. It makes sense to map to another private network, but usually only one party has to do that. It also makes sense to use a "transfer network" type of translation on both sides - this can be done on your side with either MIPs or DIPs and appropriately set up policies, as described above.
0
 
LVL 18

Expert Comment

by:Sanga Collins
Comment Utility
I had some concerns about what the remote site admin was asking as well, but didn't want to step on any toes inadvertently.
0
 

Author Comment

by:ccfcfc
Comment Utility
I agree on the issue of the requirement for Public IP address utilisation. However, when you are dealing with huge global organisations and that is their policy it can be difficult to get them to change it.
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
Well, public IPs are likely to collide with not yet used public IPs ;-) IPv4 doesn't allow for many "free" IP addresses any more.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now