juniper srx site-to-site vpn with 2 destination overlapping networks

I have an existing site-to-site VPN (SiteA to SiteB) 172.16.60.0/24 to 192.168.2.0/24 [route based vpn between juniper srx devices]

I need to setup a new site-to-site VPN (SiteA to SiteC) 172.16.60.0/24 to 192.168.0.0/22

As you can see, 192.168.0.0 - 192.168.3.255 overlaps my current network in Site B 192.168.2.0/24

The Site A to B VPN is bound to an st0.x interface in the "vpn" zone.

I am confused about how to set up destination NAT (if that is what I need).

I want to set up 192.168.240.0/22 and use that to route to an st0.x interface;
then NAT will translate to 192.168.0.0/22 through the tunnel to site C.

I can't break the tunnel between site A & B.

I was wondering if anybody has any advice on how to set this up. I was thinking of a different zone to bind the st0.x interface to and then a destination NAT rule (from-zone to-zone), but I'm not sure after reading how Juniper applies the NAT process.

I attached a basic diagram. Thanks for your help.

Visio-Drawing1.pdf
Brady Pocock (Consultant) asked:

Fred Marshall (Principal) commented:
I'll be very interested to see if anyone has a solution for this.
Here is how I see it:
A packet is launched from 172.16.60.xxx destined for 192.168.2.xxx.
Where is that packet supposed to go?  There are TWO such addresses.  So that would seem to be an ambiguous case that can't be resolved.
Brady Pocock (Consultant, Author) commented:
My vision is to send traffic to 192.168.242.33. This would route to st0.2 interface for site C where NAT would translate the destination IP to 192.168.2.33 through the tunnel.

If I send traffic to 192.168.2.33 then that would be routed to the st0.1 interface for site B.

From a routing and rule perspective they would be 2 separate networks:

Site B = 192.168.2.0/24
Site C = 192.168.240.0/22

NAT would change 192.168.240.0/22 to 192.168.0.0/22 after routing and rules. This way I can route and apply security policy to separate networks.

I'm not sure my vision is possible. I have to believe that overlapping destination networks is something the Juniper SRX can support. All the documentation I see is referring to overlapping subnets between source and destination not multiple destinations.

Thanks.
Fred Marshall (Principal) commented:
Well, there may be something, but could you explain where 192.168.240.0 resides?

You have mentioned and, in some cases, shown:
172.16.60.0/24
192.168.2.0/24
192.168.0.0/22
192.168.240.0/22

Where does the 192.168.240.0/22 reside?

I still don't understand how you resolve the ambiguity at the computer where the packets initiate from 172.16.60.xxx.
They would be destined from the beginning to 192.168.2.xxx, would they not?
If they are, then how does one distinguish one from another regarding your *intended* destination?
Or, do you have some other addressing scheme in mind?

Brady Pocock (Consultant, Author) commented:
192.168.240.0/22 is a dummy subnet defined in site A. NAT will translate any traffic to that subnet on a one-to-one ratio to 192.168.0.0/24 in site C.
Fred Marshall (Principal) commented:
So the idea is to address on the site A side using 240.0 and vice versa.

I guess that might work, but I'm sorry, I don't know how to implement it.
dpk_wal commented:
As was advised earlier, NAT over IPsec is the way to go.

Have a look at the link below:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

As already explained, the network would look something like this:
172.16.60.0/24 SiteA <============> SiteB 192.168.2.0/24
                                      ^
                                      ^<===========> SiteC 192.168.240.0/22 ### Actual IP subnet: 192.168.0.0/22

Site C would be translated to say 192.168.240.0/22 using static NAT.

With static NAT, any outbound traffic from Site C would get source NAT and the source IP would be masqueraded from the existing 192.168.0.0/22 to 192.168.240.0/22; similarly, any inbound packet would get destination NAT from a destination IP in 192.168.240.0/22.

Please implement and update.

Thank you.
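A worked Junos configuration for the static-NAT design dpk_wal describes, added here as an example; it is not code from the thread or from Juniper's documentation. It assumes both Site A and Site C are SRX devices, that the IKE/IPsec tunnel between them is already configured as a route-based VPN with any-to-any proxy IDs, and that the tunnel is st0.0 in a zone named vpn-siteA at Site C, st0.2 in a zone named vpn-siteC at Site A, with the LAN zone named trust on both (all assumed names).

```junos
# --- Site C SRX: real LAN 192.168.0.0/22, presented to Site A as 192.168.240.0/22 ---
# Tunnel to Site A (assumed: st0.0 in zone vpn-siteA); Site A's LAN is reached over it.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn-siteA interfaces st0.0
set routing-options static route 172.16.60.0/24 next-hop st0.0

# Static NAT is bidirectional: packets arriving from zone vpn-siteA for 192.168.240.x
# have their destination rewritten to 192.168.0.x, and packets from 192.168.0.x leaving
# toward that zone have their source rewritten to 192.168.240.x (one-to-one, no ports).
# The mapping lives at Site C, not Site A, because the SRX runs static/destination NAT
# BEFORE the route lookup: translating 192.168.242.33 to 192.168.2.33 at Site A would
# then match the longer Site B route (192.168.2.0/24 via st0.1) and go to the wrong site.
# No proxy-arp is needed: 192.168.240.0/22 is reached over the tunnel route, not a LAN.
set security nat static rule-set from-siteA from zone vpn-siteA
set security nat static rule-set from-siteA rule c-lan match destination-address 192.168.240.0/22
set security nat static rule-set from-siteA rule c-lan then static-nat prefix 192.168.0.0/22

# Policy lookup happens after static NAT, so the policy references the real Site C prefix.
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan 192.168.0.0/22
set security policies from-zone vpn-siteA to-zone trust policy from-siteA match source-address siteA-lan
set security policies from-zone vpn-siteA to-zone trust policy from-siteA match destination-address siteC-lan
set security policies from-zone vpn-siteA to-zone trust policy from-siteA match application any
set security policies from-zone vpn-siteA to-zone trust policy from-siteA then permit

# --- Site A SRX: existing Site B tunnel (192.168.2.0/24 via st0.1) is left untouched ---
# Second tunnel gets its own st0 unit and zone; only the dummy prefix is routed to it,
# so 192.168.2.x still goes to Site B and 192.168.242.x goes to Site C.
set interfaces st0 unit 2 family inet
set security zones security-zone vpn-siteC interfaces st0.2
set routing-options static route 192.168.240.0/22 next-hop st0.2
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan-nat 192.168.240.0/22
set security policies from-zone trust to-zone vpn-siteC policy to-siteC match source-address siteA-lan
set security policies from-zone trust to-zone vpn-siteC policy to-siteC match destination-address siteC-lan-nat
set security policies from-zone trust to-zone vpn-siteC policy to-siteC match application any
set security policies from-zone trust to-zone vpn-siteC policy to-siteC then permit
```

After committing, a session from 172.16.60.x to 192.168.242.33 should show up in `show security flow session` at Site C with the destination already rewritten to 192.168.2.33 in the inbound wing, and the Site B session table should show no trace of it.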
