Solved

Need help configuring Juniper SRX100 IPSEC VPN tunnel with local IP NAT

Posted on 2014-11-17
4
653 Views
Last Modified: 2014-12-04
I am replacing a Sonicwall TZ205 firewall with a Juniper SRX100 firewall. There is a VPN tunnel currently on the Sonicwall that has NAT enabled on it because of overlapping networks, I believe. I have already configured a policy-based VPN on the Juniper to another site but am having difficulty with this configuration. Any help would be appreciated.

The local IP range of the Juniper is 192.168.1.0 but I need it NAT'd to appear as 192.168.178.0 to the other side.

I believe that is the only hang-up I am having with getting the tunnel built.
0
Question by:amkbailey
4 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 40448738
Hi Amkbailey,

With the Juniper devices you can use a DIP pool in the VPN policy to enable local IPs to appear as 192.168.178.0. I am more familiar with the steps for SSG Juniper devices than SRX, but the concept is the same.

When I did this on an SSG device I created an extended IP on the untrust interface and added a DIP pool to match the source IP address that my local traffic needed to appear as.
0
 

Author Comment

by:amkbailey
ID: 40455989
Can you send me some sample command lines to accomplish this?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40457355
Hi amkbailey,

The commands for Juniper SSG devices are different from SRX devices due to the installed OS. I can send you the commands from my SSG, but you would not be able to use them or translate them to SRX due to the big differences in the language.
0
 

Author Comment

by:amkbailey
ID: 40481525
I'm accepting your solution but Juniper helped me with the code so I will post it below for others.

security {
    ike {
        /* Phase 1: IKE proposal, policy and gateway for the peer (ASA) */
        proposal SRX-TO-ASA {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            mode main;
            proposals SRX-TO-ASA;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
        gateway SRX-TO-ASA {
            ike-policy SRX-TO-ASA;
            address xx.xxx.xx.x;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        /* Phase 2: IPsec proposal, policy and the VPN bound to st0.1 */
        proposal SRX-TO-ASA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            proposals SRX-TO-ASA;
        }
        vpn SRX-TO-ASA {
            bind-interface st0.1;
            ike {
                gateway SRX-TO-ASA;
                /* The peer sees the translated range, so the local proxy ID is
                   the NAT pool (192.168.178.0/24), not the real LAN */
                proxy-identity {
                    local 192.168.178.0/24;
                    remote x.x.x.x/32;
                }
                ipsec-policy SRX-TO-ASA;
            }
        }
    }
    nat {
        source {
            /* Pool holding the range the local hosts are translated into */
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                from zone trust;
                to zone untrust;
                /* Only traffic to the remote VPN subnet is translated to the pool */
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address x.x.x.x/32;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
                            }
                        }
                    }
                }
            }
        }
    }
}
0
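The config above has three places that must describe the same translated range: the source NAT pool, the NAT rule that sends the real LAN (192.168.1.0/24) into that pool, and the proxy-identity the SRX offers the peer. If any one of them still names the real LAN, Phase 2 fails or the peer drops the traffic. The following script is an added example (not from the thread or from Juniper): it parses the Junos curly-brace format shown above into nested dicts and cross-checks those three values. The embedded config is a constructed sample with the same shape as the posted one; the redacted peer prefix (x.x.x.x) is replaced by an assumed placeholder, 10.20.30.0/24.

```python
import ipaddress

# Constructed sample (not the thread's exact config): same shape as the SRX config
# posted above, with the redacted peer values replaced by assumed placeholder prefixes.
SAMPLE_CONFIG = """
security {
    ipsec {
        vpn SRX-TO-ASA {
            ike {
                proxy-identity {
                    local 192.168.178.0/24;
                    remote 10.20.30.0/24;
                }
            }
        }
    }
    nat {
        source {
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address 10.20.30.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
                            }
                        }
                    }
                }
            }
        }
    }
}
"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; 'x y;' statements map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()        # drop '## SECRET-DATA' style trailers
        if not line or line.startswith("/*"):    # skip blank lines and annotations
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root

def named_blocks(node, keyword):
    """{NAME: subtree} for every 'keyword NAME { ... }' block directly under node."""
    return {k.split(None, 1)[1]: v for k, v in node.items()
            if isinstance(v, dict) and " " in k and k.split(None, 1)[0] == keyword}

def statement(node, keyword, default=None):
    """Argument of the first 'keyword ARG;' statement directly under node."""
    for k, v in node.items():
        parts = k.split(None, 1)
        if v is None and parts[0] == keyword:
            return parts[1] if len(parts) == 2 else ""
    return default

def check_vpn_nat(text, real_lan):
    """Cross-check each VPN's proxy-identity against the source NAT that feeds it.

    real_lan is the prefix the hosts really use (192.168.1.0/24 in the thread).
    Returns a list of findings; an empty list means pool, rule and proxy-identity agree.
    """
    sec = parse_junos(text)["security"]
    lan = ipaddress.ip_network(real_lan)
    nat_src = sec["nat"]["source"]
    # pool name -> translated prefix (first address entry in the pool)
    pools = {name: next((ipaddress.ip_network(k) for k, v in p.get("address", {}).items()
                         if v is None), None)
             for name, p in named_blocks(nat_src, "pool").items()}
    # (rule id, source, destination, pool name) for every source NAT rule
    rules = []
    for rs_name, rs in named_blocks(nat_src, "rule-set").items():
        for rule_name, rule in named_blocks(rs, "rule").items():
            match = rule.get("match", {})
            pool_ref = rule.get("then", {}).get("source-nat", {}).get("pool", {})
            rules.append((f"{rs_name}/{rule_name}",
                          ipaddress.ip_network(statement(match, "source-address", "0.0.0.0/0")),
                          ipaddress.ip_network(statement(match, "destination-address", "0.0.0.0/0")),
                          next(iter(pool_ref), None)))
    findings = []
    for vpn_name, vpn in named_blocks(sec["ipsec"], "vpn").items():
        proxy = vpn["ike"]["proxy-identity"]
        local = ipaddress.ip_network(statement(proxy, "local"))
        remote = ipaddress.ip_network(statement(proxy, "remote"))
        hits = [r for r in rules if r[1] == lan and r[2].overlaps(remote)]
        if not hits:
            findings.append(f"{vpn_name}: no source NAT rule translates {lan} toward {remote}")
        for rule_id, _, _, pool_name in hits:
            pool = pools.get(pool_name)
            if pool is None:
                findings.append(f"{vpn_name}: rule {rule_id} references undefined pool {pool_name}")
            elif pool != local:
                findings.append(f"{vpn_name}: rule {rule_id} translates to {pool} "
                                f"but proxy-identity local is {local}")
    return findings

if __name__ == "__main__":
    for line in check_vpn_nat(SAMPLE_CONFIG, "192.168.1.0/24") or ["OK: NAT pool and proxy-identity agree"]:
        print(line)
```

Run it against `show configuration security | display set`-style output converted back to brace format, or simply against the saved brace-format config, passing the real LAN prefix. The check reports the common mistake in this setup, a proxy-identity that still advertises 192.168.1.0/24 while the NAT pool is 192.168.178.0/24, as well as a rule that points at a pool that was never defined.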
