Solved

juniper srx site-to-site vpn with 2 destination overlapping networks

Posted on 2014-11-16
Last Modified: 2015-09-08
I have an existing site-to-site VPN (SiteA to SiteB) 172.16.60.0/24 to 192.168.2.0/24 [route based vpn between juniper srx devices]

I need to setup a new site-to-site VPN (SiteA to SiteC) 172.16.60.0/24 to 192.168.0.0/22

As you can see, 192.168.0.0 - 192.168.3.255 overlaps my current network in Site B 192.168.2.0/24

The Site A to B VPN is bound to an st0.x interface in the "vpn" zone.

I am confused on how to setup destination NAT (if that is what I need)

I want to setup 192.168.240.0/22 and use that to route to an st0.x interface
then NAT will translate to 192.168.0.0/22 through the tunnel to site C

I can't break the tunnel between Site A & B.

I was wondering if anybody has any advice on how to set this up? I was thinking a different zone to bind the st0.x interface and then a destination NAT rule (from-zone to-zone) but not sure after reading how Juniper applies the NAT process.

I attached a basic diagram. Thanks for your help.

Visio-Drawing1.pdf
Question by: Brady Pocock
Expert Comment by: Fred Marshall
ID: 40445977
I'll be very interested to see if anyone has a solution for this.
Here is how I see it:
A packet is launched from 172.16.60.xxx destined for 192.168.2.xxx.
Where is that packet supposed to go?  There are TWO such addresses.  So that would seem to be an ambiguous case that can't be resolved.

Author Comment by: Brady Pocock
ID: 40445996
My vision is to send traffic to 192.168.242.33. This would route to st0.2 interface for site C where NAT would translate the destination IP to 192.168.2.33 through the tunnel.

If I send traffic to 192.168.2.33 then that would be routed to the st0.1 interface for site B.

From a routing and rule perspective they would be 2 separate networks

Site B = 192.168.2.0/24
Site C = 192.168.240.0/22

NAT would change 192.168.240.0/22 to 192.168.0.0/22 after routing and rules. This way I can route and apply security policy to separate networks.

I'm not sure my vision is possible. I have to believe that overlapping destination networks is something the Juniper SRX can support. All the documentation I see is referring to overlapping subnets between source and destination not multiple destinations.

Thanks.
Expert Comment by: Fred Marshall
ID: 40446038
Well, there may be something but you might explain where 192.168.240.0 resides?

You have mentioned and, in some cases, shown:
172.16.60.0/24
192.168.2.0/24
192.168.0.0/22
192.168.240.0/22

Where does the 192.168.240.0/22 reside?

I still don't understand how you resolve the ambiguity at the computer where the packets initiate from 172.16.60.xxx.
They would be destined from the beginning to 192.168.2.xxx would they not?
If they are, then how does one distinguish one from another regarding your *intended* destination?
Or, do you have some other addressing scheme in mind?

Author Comment by: Brady Pocock
ID: 40446067
192.168.240.0/22 is a dummy subnet defined in site A. NAT will translate any traffic to that subnet on a one-to-one ratio to 192.168.0.0/24 in site C.
Expert Comment by: Fred Marshall
ID: 40446189
So the idea is to address on the site A side using 240.0 and vice versa.

I guess that might work but I'm sorry I don't know how to implement it.
Accepted Solution by: dpk_wal (earned 500 total points)
ID: 40485288
As advised earlier, NAT over IPsec is the way to go.

Have a look at link below:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

As already explained the network would look something like this:
172.16.60.0/24 SiteA <============> SiteB 192.168.2.0/24
                                      ^
                                      ^<===========> SiteC 192.168.240.0/22 ### Actual IP subnet: 192.168.0.0/22

Site C would be translated to say 192.168.240.0/22 using static NAT.

With static NAT, any outbound traffic from Site C would get source NAT and the source IP would be masqueraded to 192.168.240.0/22 from the existing 192.168.0.0/22; similarly, any inbound packet would get destination NAT to destination IP 192.168.240.0/22.

Please implement and update.

Thank you.
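As an added example that is not part of the original thread (neither poster's configuration nor Juniper's published example), here is what the accepted approach looks like in Junos `set` syntax. Two details matter for placing it correctly. First, on the SRX, static NAT is applied before the route lookup and the policy lookup, so routes and policies see the translated (real) address, not the dummy 192.168.240.x address. Second, that is why the translation belongs on the Site C SRX rather than on Site A's: if Site A's SRX rewrote 192.168.242.33 to 192.168.2.33 and then did its route lookup, the post-NAT destination would match Site B's more specific 192.168.2.0/24 route via st0.1, recreating the ambiguity Fred Marshall described. Every name below is an assumption for illustration: st0.2 as the Site A/Site C tunnel interface, zone "trust" as the Site C LAN, zone "vpn-a" for the tunnel, an existing IPsec VPN object "vpn-to-siteA", and the rule-set, policy and address names.

```junos
## ===== Site C SRX (hypothetical; all names assumed) =====

## 1. Tunnel interface in its own zone, bound to the existing VPN to Site A.
set interfaces st0 unit 2 family inet
set security zones security-zone vpn-a interfaces st0.2
set security ipsec vpn vpn-to-siteA bind-interface st0.2

## 2. Site A's LAN is reached through the tunnel.
set routing-options static route 172.16.60.0/24 next-hop st0.2

## 3. Static NAT: one-to-one and bidirectional.
##    Packets arriving from zone vpn-a for 192.168.240.0/22 are rewritten to
##    192.168.0.0/22 before route/policy lookup (192.168.242.33 -> 192.168.2.33).
##    Replies, and sessions that Site C hosts open towards Site A, get the reverse
##    translation automatically (source 192.168.2.33 -> 192.168.242.33).
set security nat static rule-set siteA-overlap from zone vpn-a
set security nat static rule-set siteA-overlap rule map-240 match destination-address 192.168.240.0/22
set security nat static rule-set siteA-overlap rule map-240 then static-nat prefix 192.168.0.0/22

## 4. Policies match the post-NAT (real) Site C addresses, because static NAT
##    has already run when the policy lookup happens.
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan 192.168.0.0/22
set security policies from-zone vpn-a to-zone trust policy from-siteA match source-address siteA-lan
set security policies from-zone vpn-a to-zone trust policy from-siteA match destination-address siteC-lan
set security policies from-zone vpn-a to-zone trust policy from-siteA match application any
set security policies from-zone vpn-a to-zone trust policy from-siteA then permit
set security policies from-zone trust to-zone vpn-a policy to-siteA match source-address siteC-lan
set security policies from-zone trust to-zone vpn-a policy to-siteA match destination-address siteA-lan
set security policies from-zone trust to-zone vpn-a policy to-siteA match application any
set security policies from-zone trust to-zone vpn-a policy to-siteA then permit

## 5. Only if the peers negotiate proxy IDs / traffic selectors: the tunnel must
##    carry the translated range, never the real 192.168.0.0/22.
set security ipsec vpn vpn-to-siteA ike proxy-identity local 192.168.240.0/22
set security ipsec vpn vpn-to-siteA ike proxy-identity remote 172.16.60.0/24

## ===== Site A SRX (hypothetical) =====
## No NAT here. Site C is simply the dummy prefix routed into its own tunnel
## interface/zone; the existing 192.168.2.0/24 route via st0.1 to Site B is untouched.
set interfaces st0 unit 2 family inet
set security zones security-zone vpn-c interfaces st0.2
set routing-options static route 192.168.240.0/22 next-hop st0.2
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-nat 192.168.240.0/22
set security policies from-zone trust to-zone vpn-c policy to-siteC match source-address siteA-lan
set security policies from-zone trust to-zone vpn-c policy to-siteC match destination-address siteC-nat
set security policies from-zone trust to-zone vpn-c policy to-siteC match application any
set security policies from-zone trust to-zone vpn-c policy to-siteC then permit
```

To check the translation after commit on the Site C box, `show security nat static rule all` should show hits on rule map-240 once a Site A host pings 192.168.242.33, and `show security flow session destination-prefix 192.168.2.33/32` should show the session with the translated destination. Keep in mind that any application that embeds its own IP addresses in the payload (for example FTP or SIP without an ALG) will still expose the real 192.168.0.0/22 addresses to Site A, which the NAT does not rewrite.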
