Solved

Need help configuring Juniper SRX100 IPSEC VPN tunnel with local IP NAT

Posted on 2014-11-17
Last Modified: 2014-12-04
I am replacing a Sonicwall TZ205 firewall with a Juniper SRX100 firewall. There is a VPN tunnel currently on the Sonicwall that has NAT enabled on it because of overlapping networks I believe. I have already configured a policy based VPN on the Juniper to another site but am having difficulty with this configuration. Any help would be appreciated.

The local IP range of the Juniper is 192.168.1.0 but I need it NAT'd to appear as 192.168.178.0 to the other side.

I believe that is the only hang-up I am having with getting the tunnel built.
Question by:amkbailey
Accepted Solution by: Sanga Collins (earned 500 total points)
ID: 40448738
Hi Amkbailey,

With the Juniper devices you can use a DIP pool in the VPN policy to enable local IPs to appear as 192.168.178.0. I am more familiar with the steps for SSG Juniper devices than SRX, but the concept is the same.

When I did this on an SSG device I created an extended IP on the untrust interface and added a DIP pool to match the source IP address that my local traffic needed to appear as.

Author Comment by: amkbailey
ID: 40455989
Can you send me some sample command lines to accomplish this?
Expert Comment by: Sanga Collins
ID: 40457355
Hi amkbailey,

The commands for Juniper SSG devices are different from SRX devices due to the installed OS. I can send you the commands from my SSG, but you would not be able to use them or translate them to SRX due to the big differences in the language.
Author Comment by: amkbailey
ID: 40481525
I'm accepting your solution, but Juniper helped me with the code, so I will post it below for others.

security {
    ike {
        proposal SRX-TO-ASA {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            mode main;
            proposals SRX-TO-ASA;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
        gateway SRX-TO-ASA {
            ike-policy SRX-TO-ASA;
            address xx.xxx.xx.x;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal SRX-TO-ASA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy SRX-TO-ASA {
            proposals SRX-TO-ASA;
        }
        /* Route-based tunnel on st0.1; the proxy-identity advertises the translated prefix, not 192.168.1.0/24 */
        vpn SRX-TO-ASA {
            bind-interface st0.1;
            ike {
                gateway SRX-TO-ASA;
                proxy-identity {
                    local 192.168.178.0/24;
                    remote x.x.x.x/32;
                }
                ipsec-policy SRX-TO-ASA;
            }
        }
    }
    nat {
        source {
            /* Addresses the local LAN must appear as on the far side of the tunnel */
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                from zone trust;
                to zone untrust;
                /* Translate only traffic from the real LAN that is headed for the remote peer network */
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address x.x.x.x/32;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
                            }
                        }
                    }
                }
            }
        }
    }
}
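As an added illustration (not part of the poster's or Juniper's configuration), this Python script parses a brace-style Junos snippet and checks the two things that must line up for source NAT over IPsec to work: the source-NAT pool must equal the proxy-identity local prefix the peer expects, and the NAT rule must match the real LAN. The embedded config is a constructed, condensed copy of the accepted solution, with 10.9.9.0/24 standing in for the redacted peer network.

```python
import ipaddress
import re

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts ({statement: children or None})."""
    text = re.sub(r"##[^\n]*|/\*.*?\*/", "", text, flags=re.S)  # drop ## and /* */ annotations
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(node); node = node.setdefault(" ".join(words), {}); words = []
        elif tok == "}":
            node = stack.pop()
        elif tok == ";":
            node[" ".join(words)] = None; words = []
        else:
            words.append(tok)
    return root

def arg(node, keyword):  # argument of 'keyword <arg>' in node, e.g. 'local 192.168.178.0/24'
    return next(k.split(None, 1)[1] for k in node if k.split()[0] == keyword)

def check_nat_over_vpn(text, real_lan):
    """Findings (empty == consistent) for source NAT over IPsec as in the accepted config."""
    sec = parse_junos(text)["security"]
    src, lan, out = sec["nat"]["source"], ipaddress.ip_network(real_lan), []
    pools = {k.split()[1]: ipaddress.ip_network(next(iter(v["address"])))
             for k, v in src.items() if k.startswith("pool ")}
    rules = [(k, r) for s, rs in src.items() if s.startswith("rule-set ")
             for k, r in rs.items() if k.startswith("rule ")]
    for vk, vpn in ((k, v) for k, v in sec["ipsec"].items() if k.startswith("vpn ")):
        pid = vpn["ike"]["proxy-identity"]
        local, remote = (ipaddress.ip_network(arg(pid, w)) for w in ("local", "remote"))
        for rk, rule in rules:
            m = rule["match"]
            if not ipaddress.ip_network(arg(m, "destination-address")).subnet_of(remote):
                continue  # this rule does not cover the tunnel's peer network
            pool = next(iter(rule["then"]["source-nat"]["pool"]))
            if pools.get(pool) != local:  # peer only accepts packets that match the proxy-ID
                out.append(f"{rk}: pool {pool} {pools.get(pool)} != {vk} proxy-ID local {local}")
            if ipaddress.ip_network(arg(m, "source-address")) != lan:
                out.append(f"{rk}: source-address must be the real LAN {lan}")
    return out

# Constructed, condensed copy of the accepted config; 10.9.9.0/24 stands in for the redacted peer.
SAMPLE = """security {
    ipsec { vpn SRX-TO-ASA { ike { proxy-identity { local 192.168.178.0/24; remote 10.9.9.0/24; } } } }
    nat { source { pool SRX_NAT { address { 192.168.178.0/24; } }
        rule-set outbound-internet { from zone trust; to zone untrust; rule VPN {
            match { source-address 192.168.1.0/24; destination-address 10.9.9.0/24; }
            then { source-nat { pool { SRX_NAT; } } } } } } } }"""
```

Run `check_nat_over_vpn(SAMPLE, "192.168.1.0/24")` against a pasted `show configuration security` output to catch the usual mismatch where the pool and the proxy-ID drift apart after an edit.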
