Solved

juniper srx site-to-site vpn with 2 destination overlapping networks

Posted on 2014-11-16
Last Modified: 2015-09-08
I have an existing site-to-site VPN (SiteA to SiteB) 172.16.60.0/24 to 192.168.2.0/24 [route based vpn between juniper srx devices]

I need to setup a new site-to-site VPN (SiteA to SiteC) 172.16.60.0/24 to 192.168.0.0/22

As you can see, 192.168.0.0 - 192.168.3.255 overlaps my current network in Site B 192.168.2.0/24

The Site A to B VPN is bound to an st0.x interface in the "vpn" zone.

I am confused on how to setup destination NAT (if that is what I need)

I want to setup 192.168.240.0/22 and use that to route to an st0.x interface
then NAT will translate to 192.168.0.0/22 through the tunnel to site C

I can't break the tunnel between site A & B.

I was wondering if anybody has any advice on how to set this up? I was thinking a different zone to bind the st0.x interface and then a destination NAT rule (from-zone to-zone) but not sure after reading how Juniper applies the NAT process.

I attached a basic diagram. Thanks for your help.

Visio-Drawing1.pdf
Question by:Brady Pocock
7 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40445977
I'll be very interested to see if anyone has a solution for this.
Here is how I see it:
A packet is launched from 172.16.60.xxx destined for 192.168.2.xxx.
Where is that packet supposed to go?  There are TWO such addresses.  So that would seem to be an ambiguous case that can't be resolved.

Author Comment

by:Brady Pocock
ID: 40445996
My vision is to send traffic to 192.168.242.33. This would route to st0.2 interface for site C where NAT would translate the destination IP to 192.168.2.33 through the tunnel.

If I send traffic to 192.168.2.33 then that would be routed to the st0.1 interface for site B.

From a routing and rule perspective they would be 2 separate networks

Site B = 192.168.2.0/24
Site C = 192.168.240.0/22

NAT would change 192.168.240.0/22 to 192.168.0.0/22 after routing and rules. This way I can route and apply security policy to separate networks.

I'm not sure my vision is possible. I have to believe that overlapping destination networks is something the Juniper SRX can support. All the documentation I see is referring to overlapping subnets between source and destination not multiple destinations.

Thanks.
LVL 26

Expert Comment

by:Fred Marshall
ID: 40446038
Well, there may be something but you might explain where 192.168.240.0 resides?

You have mentioned and, in some cases, shown:
172.16.60.0/24
192.168.2.0/24
192.168.0.0/22
192.168.240.0/22

Where does the 192.168.240.0/22 reside?

I still don't understand how you resolve the ambiguity at the computer where the packets initiate from 172.16.60.xxx.
They would be destined from the beginning to 192.168.2.xxx would they not?
If they are, then how does one distinguish one from another regarding your *intended* destination?
Or, do you have some other addressing scheme in mind?

Author Comment

by:Brady Pocock
ID: 40446067
192.168.240.0/22 is a dummy subnet defined in site A. NAT will translate any traffic to that subnet on a one-to-one ratio to 192.168.0.0/24 in site C.
LVL 26

Expert Comment

by:Fred Marshall
ID: 40446189
So the idea is to address on the site A side using 240.0 and vice versa.

I guess that might work but I'm sorry I don't know how to implement it.
LVL 32

Accepted Solution

by:dpk_wal (earned 2000 total points)
ID: 40485288
What was advised earlier, NAT over IPsec, is the way to go.

Have a look at link below:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/lan2lan-vpn-jseries-srx-series-configuring.html

As already explained the network would look something like this:
172.16.60.0/24 SiteA <============> SiteB 192.168.2.0/24
                                      ^
                                      ^<===========> SiteC 192.168.240.0/22 ### Actual IP subnet: 192.168.0.0/22

Site C would be translated to say 192.168.240.0/22 using static NAT.

With static NAT any outbound traffic from Site C would get source NAT and the source IP would be masqueraded to 192.168.240.0/22 from existing 192.168.0.0/22; similarly, any inbound packet would get destination NAT to destination IP 192.168.240.0/22.

Please implement and update.

Thank you.
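The following Junos configuration is an added illustration of the accepted approach (static NAT at Site C, so that Site A only ever routes the dummy prefix 192.168.240.0/22) and of the question raised earlier about the order in which the SRX applies NAT. It is not configuration from the thread or from Juniper; interface units, zone names, VPN and policy names are assumptions, and the IKE gateway and IPsec policy objects are assumed to exist already. The reason the translation belongs at Site C rather than Site A is the SRX first-packet flow: static and destination NAT are applied before the route lookup, so if Site A rewrote 192.168.242.33 to 192.168.2.33 the packet would then match the existing 192.168.2.0/24 route and leave through the Site B tunnel (unless the Site C tunnel and the real prefix were isolated in a separate routing instance).

```junos
## ---- Site C SRX (added example, not the thread's own config) ----
## Tunnel to Site A gets its own st0 unit and zone (names assumed).
set interfaces st0 unit 0 family inet
set security zones security-zone vpn-siteA interfaces st0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Route-based VPN; the phase-2 selector advertises the TRANSLATED prefix,
## because that is the only prefix Site A will ever send toward this tunnel.
set security ipsec vpn to-siteA bind-interface st0.0
set security ipsec vpn to-siteA ike gateway gw-siteA
set security ipsec vpn to-siteA ike ipsec-policy ipsec-pol-siteA
set security ipsec vpn to-siteA ike proxy-identity local 192.168.240.0/22
set security ipsec vpn to-siteA ike proxy-identity remote 172.16.60.0/24

## Static (1:1, bidirectional) NAT on traffic arriving from the tunnel:
## 192.168.242.33 -> 192.168.2.33 before the route lookup, so the packet is
## routed to the local LAN. The reverse (source) translation is applied
## automatically to replies and to sessions Site C hosts open toward Site A.
set security nat static rule-set siteA-overlap from zone vpn-siteA
set security nat static rule-set siteA-overlap rule lan-1to1 match destination-address 192.168.240.0/22
set security nat static rule-set siteA-overlap rule lan-1to1 then static-nat prefix 192.168.0.0/22

## Return route toward Site A.
set routing-options static route 172.16.60.0/24 next-hop st0.0

## Policy lookup happens after static NAT, so the policy matches the REAL
## Site C addresses, not the 192.168.240.0/22 dummy prefix.
set security address-book global address siteA-lan 172.16.60.0/24
set security address-book global address siteC-lan 192.168.0.0/22
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match source-address siteA-lan
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match destination-address siteC-lan
set security policies from-zone vpn-siteA to-zone trust policy siteA-in match application any
set security policies from-zone vpn-siteA to-zone trust policy siteA-in then permit

## ---- Site A SRX (added example) ----
## Second st0 unit in its own zone; Site A never learns 192.168.0.0/22,
## so the existing Site B route is never ambiguous.
set interfaces st0 unit 2 family inet
set security zones security-zone vpn-siteC interfaces st0.2
set security ipsec vpn to-siteC bind-interface st0.2
set security ipsec vpn to-siteC ike gateway gw-siteC
set security ipsec vpn to-siteC ike ipsec-policy ipsec-pol-siteC
set security ipsec vpn to-siteC ike proxy-identity local 172.16.60.0/24
set security ipsec vpn to-siteC ike proxy-identity remote 192.168.240.0/22
set routing-options static route 192.168.240.0/22 next-hop st0.2
## Existing Site B tunnel route is left untouched.
set routing-options static route 192.168.2.0/24 next-hop st0.1
```

After committing, `show security nat static rule all` on the Site C box should show hit counts climbing for lan-1to1 as Site A hosts reach 192.168.240.x addresses, and `show security flow session destination-prefix 192.168.2.33/32` on Site A should show only sessions bound to the Site B tunnel, which is the check that the overlap is really gone from Site A's routing.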