
Need help configuring Juniper SRX100 IPSEC VPN tunnel with local IP NAT

Posted on 2014-11-17
636 Views
Last Modified: 2014-12-04
I am replacing a Sonicwall TZ205 firewall with a Juniper SRX100 firewall. There is a VPN tunnel currently on the Sonicwall that has NAT enabled on it because of overlapping networks I believe. I have already configured a policy based VPN on the Juniper to another site but am having difficulty with this configuration. Any help would be appreciated.

The local IP range of the Juniper is 192.168.1.0 but I need it NAT'd to appear as 192.168.178.0 to the other side.

I believe that is the only hang up I am having with getting the tunnel built.
Question by:amkbailey
4 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 40448738
Hi Amkbailey,

With the Juniper devices you can use a DIP pool in the VPN policy to enable local IPs to appear as 192.168.178.0. I am more familiar with the steps for SSG Juniper devices than SRX, but the concept is the same.

When I did this on an SSG device I created an extended IP on the untrust interface and added a DIP pool to match the source IP address that my local traffic needed to appear as.
 

Author Comment

by:amkbailey
ID: 40455989
Can you send me some sample command lines to accomplish this?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40457355
Hi amkbailey,

The commands for Juniper SSG devices are different from SRX devices due to the installed OS. I can send you the commands from my SSG but you would not be able to use them or translate them to SRX due to the big differences in the language.
 

Author Comment

by:amkbailey
ID: 40481525
I'm accepting your solution but Juniper helped me with the code so I will post it below for others.

security {
    ike {
        proposal SRX-TO-ASA {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            mode main;
            proposals SRX-TO-ASA;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
        gateway SRX-TO-ASA {
            ike-policy SRX-TO-ASA;
            address xx.xxx.xx.x;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal SRX-TO-ASA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            proposals SRX-TO-ASA;
        }
        /* route-based VPN on st0.1; the proxy-identity advertises the translated prefix, not 192.168.1.0/24 */
        vpn SRX-TO-ASA {
            bind-interface st0.1;
            ike {
                gateway SRX-TO-ASA;
                proxy-identity {
                    local 192.168.178.0/24;
                    remote x.x.x.x/32;
                }
                ipsec-policy SRX-TO-ASA;
            }
        }
    }
    nat {
        source {
            /* translated addresses; must match the proxy-identity local prefix above */
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                from zone trust;
                to zone untrust;
                /* only traffic from the real LAN toward the remote peer is translated */
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address x.x.x.x/32;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
                            }
                        }
                    }
                }
            }
        }
    }
}
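The accepted answer's point, and the reason the posted configuration works, is that the translated pool has to line up with what the tunnel's proxy-identity announces. The following added check (not from the thread, Juniper, or the poster) parses a Junos-style excerpt and reports when the source NAT pool, the proxy-identity, and the NAT rule's destination disagree; the sample config and its addresses are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed Junos-style excerpt modelled on the thread's config; all addresses are made up.
SAMPLE_CONFIG = """
security {
  ipsec { vpn SRX-TO-ASA { ike { proxy-identity { local 192.168.178.0/24; remote 10.20.30.0/24; } } } }
  nat { source {
    pool SRX_NAT { address { 192.168.178.0/24; } }
    rule-set outbound-internet { from zone trust; to zone untrust;
      rule VPN { match { source-address 192.168.1.0/24; destination-address 10.20.30.0/24; }
                 then { source-nat { pool { SRX_NAT; } } } } } } }
}
"""

def parse(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    tokens = [t.strip() for t in re.findall(r'[^{};]+[{;]|\}', text)]
    def block(i):
        node = {}
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == '}':
                break
            if tok.endswith('{'):
                child, i = block(i)
                node[tok[:-1].strip()] = child
            else:
                node[tok[:-1].strip()] = None
        return node, i
    return block(0)[0]

def leaf(node, keyword):
    """Return the argument of a 'keyword value;' statement inside node."""
    return next(k.split(None, 1)[1] for k in node if k.split(None, 1)[0] == keyword)

def check_vpn_nat(text, vpn, rule_set, rule):
    """List mismatches between a VPN's proxy-identity and the source NAT rule feeding it."""
    sec = parse(text)['security']
    pid = sec['ipsec'][f'vpn {vpn}']['ike']['proxy-identity']
    proxy_local, proxy_remote = ip_network(leaf(pid, 'local')), ip_network(leaf(pid, 'remote'))
    src = sec['nat']['source']
    r = src[f'rule-set {rule_set}'][f'rule {rule}']
    pool = next(iter(r['then']['source-nat']['pool']))
    pool_net = ip_network(next(iter(src[f'pool {pool}']['address'])))
    dst = ip_network(leaf(r['match'], 'destination-address'))
    return [msg for cond, msg in (
        (pool_net != proxy_local, f'NAT pool {pool_net} != proxy-identity local {proxy_local}'),
        (not dst.subnet_of(proxy_remote), f'rule destination {dst} outside proxy-identity remote {proxy_remote}'),
    ) if cond]
```

Run it against `show configuration security | display set`-style output only after converting to the braced form; an empty list means the pool, proxy-ID and rule destination agree.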
