Need help configuring Juniper SRX100 IPSEC VPN tunnel with local IP NAT

I am replacing a Sonicwall TZ205 firewall with a Juniper SRX100 firewall. There is a VPN tunnel currently on the Sonicwall that has NAT enabled on it because of overlapping networks, I believe. I have already configured a policy-based VPN on the Juniper to another site but am having difficulty with this configuration. Any help would be appreciated.

The local IP range of the Juniper is 192.168.1.0 but I need it NAT'd to appear as 192.168.178.0 to the other side.

I believe that is the only hang-up I am having with getting the tunnel built.
amkbailey Asked:
Sanga Collins (Systems Admin) Commented:
Hi Amkbailey,

With the Juniper devices you can use a DIP pool in the VPN policy to enable local IPs to appear as 192.168.178.0. I am more familiar with the steps for SSG Juniper devices than SRX, but the concept is the same.

When I did this on an SSG device I created an extended IP on the untrust interface and added a DIP pool to match the source IP address that my local traffic needed to appear as.
amkbailey (Author) Commented:
Can you send me some sample command lines to accomplish this?
Sanga Collins (Systems Admin) Commented:
Hi amkbailey,

The commands for Juniper SSG devices are different from SRX devices due to the installed OS. I can send you the commands from my SSG but you would not be able to use them or translate them to SRX due to the big differences in the language.
amkbailey (Author) Commented:
I'm accepting your solution but Juniper helped me with the code so I will post it below for others.

security {
    ike {
        proposal SRX-TO-ASA {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            mode main;
            proposals SRX-TO-ASA;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
        gateway SRX-TO-ASA {
            ike-policy SRX-TO-ASA;
            address xx.xxx.xx.x;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal SRX-TO-ASA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            proposals SRX-TO-ASA;
        }
        vpn SRX-TO-ASA {
            bind-interface st0.1;
            ike {
                gateway SRX-TO-ASA;
                /* Local proxy ID is the translated range the peer sees */
                proxy-identity {
                    local 192.168.178.0/24;
                    remote x.x.x.x/32;
                }
                ipsec-policy SRX-TO-ASA;
            }
        }
    }
    nat {
        source {
            /* Addresses the local LAN is translated to */
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                from zone trust;
                to zone untrust;
                /* Translate only traffic from the real LAN to the remote host */
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address x.x.x.x/32;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
                            }
                        }
                    }
                }
            }
        }
    }
}
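A consistency check for the configuration posted above, as an added example that is not part of the original thread or Juniper's code: it reads the same statements in `show configuration | display set` form and verifies that the source NAT pool falls inside the proxy-identity local range and that the NAT rule covers the whole remote range. The address 203.0.113.10/32 is a placeholder for the redacted remote host, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the posted statements in "display set" form.
# 203.0.113.10/32 is a placeholder for the redacted remote host.
SAMPLE = """\
set security ipsec vpn SRX-TO-ASA ike proxy-identity local 192.168.178.0/24
set security ipsec vpn SRX-TO-ASA ike proxy-identity remote 203.0.113.10/32
set security nat source pool SRX_NAT address 192.168.178.0/24
set security nat source rule-set outbound-internet rule VPN match source-address 192.168.1.0/24
set security nat source rule-set outbound-internet rule VPN match destination-address 203.0.113.10/32
set security nat source rule-set outbound-internet rule VPN then source-nat pool SRX_NAT
"""


def _net(text, pattern):
    """Return the first network captured by pattern, or None if absent."""
    m = re.search(pattern, text, re.M)
    return ipaddress.ip_network(m.group(1)) if m else None


def check_vpn_nat(text):
    """Hypothetical helper: list mismatches between source NAT and proxy IDs."""
    local = _net(text, r"proxy-identity local (\S+)$")
    remote = _net(text, r"proxy-identity remote (\S+)$")
    pool = _net(text, r"nat source pool \S+ address (\S+)$")
    src = _net(text, r"match source-address (\S+)$")
    dst = _net(text, r"match destination-address (\S+)$")
    if any(v is None for v in (local, remote, pool, src, dst)):
        return ["missing proxy-identity, pool or rule match statement"]
    findings = []
    # Translated packets must carry a source inside the negotiated local range.
    if not pool.subnet_of(local):
        findings.append(f"pool {pool} is outside proxy-identity local {local}")
    # Every destination the tunnel covers must hit the NAT rule, otherwise
    # some traffic enters the tunnel with its untranslated source.
    if not remote.subnet_of(dst):
        findings.append(f"rule destination {dst} does not cover remote {remote}")
    # The real LAN must not already overlap the range presented to the peer.
    if src.overlaps(local):
        findings.append(f"real source {src} overlaps proxy-identity local {local}")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_nat(SAMPLE) or ["NAT and proxy IDs are consistent"]:
        print(finding)
```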
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.