• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 725
  • Last Modified:

Need help configuring Juniper SRX100 IPSEC VPN tunnel with local IP NAT

I am replacing a Sonicwall TZ205 firewall with a Juniper SRX100 firewall. There is a VPN tunnel currently on the Sonicwall that has NAT enabled on it because of overlapping networks I believe. I have already configured a policy based VPN on the Juniper  to another site but am having difficulty with this configuration. Any help would be appreciated.

The local IP range of the Juniper is 192.168.1.0 but I need it NAT'd to appear as 192.168.178.0 to the other side.

I believe that is the only hang up I am having with getting the tunnel built.
0
amkbailey
Asked:
amkbailey
  • 2
  • 2
1 Solution
 
Sanga CollinsSystems AdminCommented:
Hi Amkbailey,

With the juniper devices you can use a DIP pool in the vpn policy to enable local IPs to appear as 192.168.178.0. I am more familiar with the steps for SSG juniper devices than SRX, but the concept is the same.

When I did this on a SSG device I created an extended IP on the untrust interface and added a DIP pool to match te source IP address that my local traffic needed to appear as.
0
 
amkbaileyAuthor Commented:
can you send me some sample command lines to accomplish this?
0
 
Sanga CollinsSystems AdminCommented:
Hi amkbailey,

the commands for juniper ssg devices are different from srx devices due to the installed OS. I can send you the commands from my SSG but you would not be able to use them or translate them to SRX due to the big differences in the language
0
 
amkbaileyAuthor Commented:
I'm accepting your solution but Juniper helped me with the code so I will post it below for others.

security {
    ike {
              }
      proposal SRX-TO-ASA {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
                }
        policy SRX-TO-ASA {
            mode main;
            proposals SRX-TO-ASA;
            pre-shared-key ascii-text "xxxxxxx"; ## SECRET-DATA
        }
      gateway SRX-TO-ASA {
            ike-policy SRX-TO-ASA;
            address xx.xxx.xx.x;
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        proposal SRX-TO-ASA {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
               }
        policy SRX-TO-ASA {
            proposals SRX-TO-ASA;
        }
        vpn SRX-TO-ASA {
            bind-interface st0.1;
            ike {
                gateway SRX-TO-ASA;
                proxy-identity {
                    local 192.168.178.0/24;
                    remote x.x.x.x/32;
                }
                ipsec-policy SRX-TO-ASA;
    nat {
        source {
            pool SRX_NAT {
                address {
                    192.168.178.0/24;
                }
            }
            rule-set outbound-internet {
                from zone trust;
                to zone untrust;
                rule VPN {
                    match {
                        source-address 192.168.1.0/24;
                        destination-address x.x.x.x/32;
                    }
                    then {
                        source-nat {
                            pool {
                                SRX_NAT;
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now