  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 279
Juniper SRX site-to-site VPN with two overlapping destination networks

I have an existing site-to-site VPN (SiteA to SiteB), 172.16.60.0/24 to 192.168.2.0/24 [route-based VPN between Juniper SRX devices].

I need to set up a new site-to-site VPN (SiteA to SiteC), 172.16.60.0/24 to 192.168.0.0/22.

As you can see, 192.168.0.0 - 192.168.3.255 overlaps my current network in Site B 192.168.2.0/24

The Site A to Site B VPN is bound to an st0.x interface in the "vpn" zone.

I am confused about how to set up destination NAT (if that is what I need).

I want to set up 192.168.240.0/22 and use that to route to an st0.x interface;
NAT will then translate to 192.168.0.0/22 through the tunnel to Site C.

I can't break the tunnel between Site A & B.

I was wondering whether anybody has any advice on how to set this up. I was thinking of a different zone to bind the st0.x interface to, and then a destination NAT rule (from-zone to-zone), but I'm not sure after reading how Juniper applies the NAT process.

I attached a basic diagram. Thanks for your help.

Visio-Drawing1.pdf
Asked by: Brady Pocock
1 Solution
 
Fred Marshall (Principal) commented:
I'll be very interested to see if anyone has a solution for this.
Here is how I see it:
A packet is launched from 172.16.60.xxx destined for 192.168.2.xxx.
Where is that packet supposed to go?  There are TWO such addresses.  So that would seem to be an ambiguous case that can't be resolved.
Brady Pocock (Consultant, Author) commented:
My vision is to send traffic to 192.168.242.33. This would route to the st0.2 interface for Site C, where NAT would translate the destination IP to 192.168.2.33 through the tunnel.

If I send traffic to 192.168.2.33, then that would be routed to the st0.1 interface for Site B.

From a routing and rule perspective they would be 2 separate networks:

Site B = 192.168.2.0/24
Site C = 192.168.240.0/22

NAT would change 192.168.240.0/22 to 192.168.0.0/22 after routing and rules. This way I can route and apply security policy to separate networks.

I'm not sure my vision is possible. I have to believe that overlapping destination networks is something the Juniper SRX can support. All the documentation I see is referring to overlapping subnets between source and destination not multiple destinations.

Thanks.

Fred Marshall (Principal) commented:
Well, there may be something but you might explain where 192.168.240.0 resides?

You have mentioned and, in some cases, shown:
172.16.60.0/24
192.168.2.0/24
192.168.0.0/22
192.168.240.0/22

Where does the 192.168.240.0/22 reside?

I still don't understand how you resolve the ambiguity at the computer where the packets initiate from 172.16.60.xxx.
They would be destined from the beginning to 192.168.2.xxx, would they not?
If they are, then how does one distinguish one from another regarding your *intended* destination?
Or, do you have some other addressing scheme in mind?

Brady Pocock (Consultant, Author) commented:
192.168.240.0/22 is a dummy subnet defined in site A. NAT will translate any traffic to that subnet on a one-to-one ratio to 192.168.0.0/24 in site C.

Fred Marshall (Principal) commented:
So the idea is to address on the site A side using 240.0 and vice versa.

I guess that might work but I'm sorry I don't know how to implement it.

dpk_wal commented:
As was advised earlier, NAT over IPsec is the way to go.

Have a look at link below:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

As already explained, the network would look something like this:
172.16.60.0/24 SiteA <============> SiteB 192.168.2.0/24
                                      ^
                                      ^<===========> SiteC 192.168.240.0/22 ### Actual IP subnet: 192.168.0.0/22

Site C would be translated to say 192.168.240.0/22 using static NAT.

With static NAT, any outbound traffic from Site C would get source NAT and the source IP would be masqueraded to 192.168.240.0/22 from the existing 192.168.0.0/22; similarly, any inbound packet would get destination NAT to a destination IP in 192.168.240.0/22.

Please implement and update.

Thank you.
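Added example (not from this thread, the author, or the linked Juniper page): Junos set-format configuration for the static-NAT-over-IPsec design sketched above, written out for both ends so the question's "dummy 192.168.240.0/22" idea and the answer's "translate Site C, not Site A" advice can be seen together. Every hostname, zone name, rule-set name, policy name and address-book entry is an assumption chosen for the example; the only fixed values are the prefixes from the thread. The translation deliberately lives on the Site C SRX: on an SRX, static NAT and destination NAT are applied before the route lookup and before the policy lookup, and source NAT after, so a destination NAT on Site A that rewrote 192.168.242.33 to 192.168.2.33 would be followed by a route lookup on 192.168.2.33 and the packet would go out st0.1 to Site B. Translating at Site C instead leaves Site A with two non-overlapping prefixes (192.168.2.0/24 via st0.1, 192.168.240.0/22 via st0.2) and no NAT at all, so the existing Site B tunnel is untouched. Lines beginning with `##` are annotations, not configuration; strip them before loading. The global address book assumed here exists from Junos 11.2 onward; on older releases use per-zone address books.

```junos
## ---- Site C SRX (assumed hostname srx-siteC) ----
## Tunnel to Site A on its own st0 unit, in its own zone (names assumed).
set interfaces st0 unit 2 family inet
set security zones security-zone vpn-siteA interfaces st0.2

## Static NAT for packets arriving from the tunnel: the dummy prefix
## 192.168.240.0/22 is mapped 1:1 onto the real 192.168.0.0/22
## (192.168.242.33 <-> 192.168.2.33, and so on). Static NAT is
## bidirectional, so replies from 192.168.0.0/22 leave the tunnel with
## their source rewritten to 192.168.240.0/22 without a separate rule.
set security nat static rule-set from-siteA from zone vpn-siteA
set security nat static rule-set from-siteA rule dummy-to-real match destination-address 192.168.240.0/22
set security nat static rule-set from-siteA rule dummy-to-real then static-nat prefix 192.168.0.0/22

## Static NAT runs before the policy lookup, so the inbound policy must
## match the real (post-translation) destination, not the dummy prefix.
## Source NAT runs after the policy lookup, so the outbound policy matches
## the real (pre-translation) source.
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan-real 192.168.0.0/22
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match source-address siteA-lan
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match destination-address siteC-lan-real
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match application any
set security policies from-zone vpn-siteA to-zone trust policy siteA-in then permit
set security policies from-zone trust to-zone vpn-siteA policy siteA-out match source-address siteC-lan-real
set security policies from-zone trust to-zone vpn-siteA policy siteA-out match destination-address siteA-lan
set security policies from-zone trust to-zone vpn-siteA policy siteA-out match application any
set security policies from-zone trust to-zone vpn-siteA policy siteA-out then permit

## Site C reaches Site A through the tunnel.
set routing-options static route 172.16.60.0/24 next-hop st0.2

## Only if you pin proxy-IDs on this tunnel (vpn name assumed): the
## IPsec layer sees the dummy prefix, because NAT happens before
## encryption on the way out and after decryption on the way in.
set security ipsec vpn vpn-siteA ike proxy-identity local 192.168.240.0/22
set security ipsec vpn vpn-siteA ike proxy-identity remote 172.16.60.0/24

## ---- Site A SRX (the existing box) ----
## No NAT here at all. 192.168.2.0/24 keeps routing to st0.1 (Site B) as
## today; the dummy 192.168.240.0/22 routes to st0.2 (Site C). The two
## prefixes do not overlap, so the route lookup is unambiguous and the
## security policy can name Site C as a distinct network.
set interfaces st0 unit 2 family inet
set security zones security-zone vpn interfaces st0.2
set routing-options static route 192.168.240.0/22 next-hop st0.2
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan-dummy 192.168.240.0/22
set security policies from-zone trust to-zone vpn policy to-siteC match source-address siteA-lan
set security policies from-zone trust to-zone vpn policy to-siteC match destination-address siteC-lan-dummy
set security policies from-zone trust to-zone vpn policy to-siteC match application any
set security policies from-zone trust to-zone vpn policy to-siteC then permit
```

To check it from Site A, send traffic from a 172.16.60.x host to 192.168.242.33 and run `show security flow session destination-prefix 192.168.240.0/22` on the Site A SRX: the session should egress st0.2 with the destination untouched. On the Site C SRX, `show security nat static rule all` shows the translation hit counter climbing and `show security flow session` shows the in wing with destination 192.168.242.33 and the out wing with destination 192.168.2.33. Nothing on the Site B tunnel changes, and hosts at Site C keep their real addresses; only Site A (and whatever Site A advertises onward) refers to Site C by the dummy prefix.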