Solved

juniper srx site-to-site vpn with 2 destination overlapping networks

Posted on 2014-11-16
Last Modified: 2015-09-08
I have an existing site-to-site VPN (Site A to Site B), 172.16.60.0/24 to 192.168.2.0/24 [route-based VPN between Juniper SRX devices].

I need to set up a new site-to-site VPN (Site A to Site C), 172.16.60.0/24 to 192.168.0.0/22.

As you can see, 192.168.0.0 - 192.168.3.255 overlaps my current network in Site B, 192.168.2.0/24.

The Site A to B VPN is bound to an st0.x interface in the "vpn" zone.

I am confused about how to set up destination NAT (if that is what I need).

I want to set up 192.168.240.0/22 and use that to route to an st0.x interface;
then NAT will translate to 192.168.0.0/22 through the tunnel to Site C.

I can't break the tunnel between Site A & B.

I was wondering if anybody has any advice on how to set this up? I was thinking of a different zone to bind the st0.x interface to, and then a destination NAT rule (from-zone to-zone), but I'm not sure after reading how Juniper applies the NAT process.

I attached a basic diagram. Thanks for your help.

Visio-Drawing1.pdf
Question by: Brady Pocock
7 Comments
 
LVL 26

Expert Comment

by: Fred Marshall
ID: 40445977
I'll be very interested to see if anyone has a solution for this.
Here is how I see it:
A packet is launched from 172.16.60.xxx destined for 192.168.2.xxx.
Where is that packet supposed to go? There are TWO such addresses. So that would seem to be an ambiguous case that can't be resolved.
 

Author Comment

by: Brady Pocock
ID: 40445996
My vision is to send traffic to 192.168.242.33. This would route to the st0.2 interface for Site C, where NAT would translate the destination IP to 192.168.2.33 through the tunnel.

If I send traffic to 192.168.2.33, then that would be routed to the st0.1 interface for Site B.

From a routing and rule perspective, they would be 2 separate networks:

Site B = 192.168.2.0/24
Site C = 192.168.240.0/22

NAT would change 192.168.240.0/22 to 192.168.0.0/22 after routing and rules. This way I can route and apply security policy to separate networks.

I'm not sure my vision is possible. I have to believe that overlapping destination networks is something the Juniper SRX can support. All the documentation I see refers to overlapping subnets between source and destination, not multiple destinations.

Thanks.
 
LVL 26

Expert Comment

by: Fred Marshall
ID: 40446038
Well, there may be something, but you might explain where 192.168.240.0 resides?

You have mentioned and, in some cases, shown:
172.16.60.0/24
192.168.2.0/24
192.168.0.0/22
192.168.240.0/22

Where does the 192.168.240.0/22 reside?

I still don't understand how you resolve the ambiguity at the computer where the packets initiate from 172.16.60.xxx.
They would be destined from the beginning to 192.168.2.xxx, would they not?
If they are, then how does one distinguish one from another regarding your *intended* destination?
Or do you have some other addressing scheme in mind?

Author Comment

by: Brady Pocock
ID: 40446067
192.168.240.0/22 is a dummy subnet defined in Site A. NAT will translate any traffic to that subnet on a one-to-one ratio to 192.168.0.0/24 in Site C.
 
LVL 26

Expert Comment

by: Fred Marshall
ID: 40446189
So the idea is to address on the Site A side using 240.0 and vice versa.

I guess that might work, but I'm sorry, I don't know how to implement it.
 
LVL 32

Accepted Solution

by: dpk_wal (earned 2000 total points)
ID: 40485288
As was advised earlier, NAT over IPsec is the way to go.

Have a look at link below:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

As already explained, the network would look something like this:
172.16.60.0/24 SiteA <============> SiteB 192.168.2.0/24
                                      ^
                                      ^<===========> SiteC 192.168.240.0/22 ### Actual IP subnet: 192.168.0.0/22

Site C would be translated to say 192.168.240.0/22 using static NAT.

With static NAT, any outbound traffic from Site C would get source NAT, and the source IP would be masqueraded to 192.168.240.0/22 from the existing 192.168.0.0/22; similarly, any inbound packet would get destination NAT to destination IP 192.168.240.0/22.

Please implement and update.

Thank you.
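One way to implement the static-NAT arrangement the accepted answer describes, as an added example that is not part of the original thread or of Juniper's documentation. It assumes the translation is done on the Site C SRX (where 192.168.0.0/22 is local and nothing overlaps), that both SRXs bind their st0 interfaces into a zone named "vpn" with the LAN in a zone named "trust", that Site A's tunnel to Site C is st0.2 and Site C's tunnel to Site A is st0.0, and that the Junos release supports static-nat prefix mapping and the global address book (Junos 11.2 or later). Rule-set, rule and address names are invented for the example. Doing the translation at Site C rather than at Site A matters on the SRX: static NAT and destination NAT run before the route lookup, so a rule on Site A that rewrote 192.168.242.33 to 192.168.2.33 would then be routed toward Site B via st0.1, which is exactly the ambiguity Fred raised. At Site C the packet arrives from st0 with destination 192.168.240.0/22, the static rule rewrites it to 192.168.0.0/22, and the route lookup finds the local LAN; replies are reverse-translated without a second rule because static NAT on the SRX is bidirectional.

```junos
## Site C SRX: present the local 192.168.0.0/22 to Site A as 192.168.240.0/22.
## Example configuration for this thread, not from the original post or from
## Juniper docs; zone, rule-set, rule and address names are assumed.

## Static NAT, matched on packets arriving from the "vpn" zone (the st0.x side).
## Static NAT is bidirectional: traffic from 192.168.0.0/22 back toward Site A
## gets its source rewritten to 192.168.240.0/22 without a separate source rule.
set security nat static rule-set from-siteA from zone vpn
set security nat static rule-set from-siteA rule map-siteC match destination-address 192.168.240.0/22
set security nat static rule-set from-siteA rule map-siteC then static-nat prefix 192.168.0.0/22

## Policy lookup happens after static NAT, so the policies use the real LAN prefix.
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan 192.168.0.0/22
set security policies from-zone vpn to-zone trust policy from-siteA match source-address siteA-lan destination-address siteC-lan application any
set security policies from-zone vpn to-zone trust policy from-siteA then permit
set security policies from-zone trust to-zone vpn policy to-siteA match source-address siteC-lan destination-address siteA-lan application any
set security policies from-zone trust to-zone vpn policy to-siteA then permit

## Route Site A's LAN into the Site C end of the tunnel (st0.0 assumed).
set routing-options static route 172.16.60.0/24 next-hop st0.0

## Site A SRX: no NAT at all. Site C is simply "192.168.240.0/22" reached via
## st0.2, and the existing 192.168.2.0/24 route to Site B via st0.1 is untouched.
set routing-options static route 192.168.240.0/22 next-hop st0.2
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-nat 192.168.240.0/22
set security policies from-zone trust to-zone vpn policy to-siteC match source-address siteA-lan destination-address siteC-nat application any
set security policies from-zone trust to-zone vpn policy to-siteC then permit
set security policies from-zone vpn to-zone trust policy from-siteC match source-address siteC-nat destination-address siteA-lan application any
set security policies from-zone vpn to-zone trust policy from-siteC then permit
```

After committing, `show security nat static rule all` on Site C should show the rule's translation hit counter climbing when a Site A host pings 192.168.240.x, and `show security flow session destination-prefix 192.168.240.0/22` on Site A should show the session leaving through st0.2 rather than st0.1. Two caveats a practitioner would want: if the A-to-C tunnel is configured with proxy identities or traffic selectors rather than the route-based default, they must name 192.168.240.0/22 (the address Site A sees) rather than 192.168.0.0/22, since the translation happens after decryption on the Site C box; and nothing rewrites application payloads, so Site A's DNS or hosts files must hand out the 192.168.240.0/22 addresses for Site C hosts, exactly as the question's "dummy subnet" intends.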
