Interesting, NAT through tunnel?

PashPash Member Posts: 1,601 ■■■■■□□□□□
Hi all,

Interesting one this. Juniper netscreen to Cisco PIX. The PIX only wants to see one ip address in this scenario. The tunnel works fine with encryption and what not, but in terms of making the tunnel and VPN active we have no luck. We need a way of making our private IP address range visable as one IP (WAN address) over the tunnel. Anyone know if it can be done? I have tried DIP but no luck.


Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • rossonieri#1rossonieri#1 Member Posts: 800
    hi pash,

    maybe you want to read this :

    http://www.juniper.net/techpubs/software/screenos/screenos5.3.0/ce_v8.pdf

    on page 15 or 16,

    how many DIP have you created? it can be as low as 1 DIP (PAT).

    and the rest just use PBR via the tunnel.

    HTH.
    the More I know, that is more and More I dont know.
  • PashPash Member Posts: 1,601 ■■■■■□□□□□
    Hi rossonieri#1,

    Thank you for the link. Very helpful, however we still can't get it to work. I am using a DIP on our tunnel interface (we are doing route based VPN here) and using that as our source NAT translation when any traffic coming from our private LAN is going to the destination server farm. The VPN concentrator inbetween (we dont have access to this) looks for ONLY one of two main IP's (one of which is my DIP). The tunnel SA is active, but the tunnel is down. I am reallly really lost.

    Thanks again mate,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • rossonieri#1rossonieri#1 Member Posts: 800
    ya - i know its PBR.

    true a DIP can be one IP in your tunnel sbnet - but still the PIX see it as 2 IPs want to connect to it right? 1 is the tunnel itself, and 1 for the PAT-ed client.

    so the workaround is to :
    create ip unnumbered loX - use it for both DIP and tunnel interface.

    never tried that - but it should work.

    just my opinion.

    HTH.
    the More I know, that is more and More I dont know.
  • PashPash Member Posts: 1,601 ■■■■■□□□□□
    ya - i know its PBR.

    true a DIP can be one IP in your tunnel sbnet - but still the PIX see it as 2 IPs want to connect to it right? 1 is the tunnel itself, and 1 for the PAT-ed client.

    so the workaround is to :
    create ip unnumbered loX - use it for both DIP and tunnel interface.

    never tried that - but it should work.

    just my opinion.

    HTH.

    Hi rossonieri,

    We got it to translate now using DIP on tunnel interface, checked logs and its translating is fine BUT the VPN still doesnt become active. Retranmission limit reached every time in event logs. I have a afeeling something is wrong with their end. Gonna have to make a phone call again later!

    Thanks again dude, and yes your info did help..as always :)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • ScreenieScreenie Member Posts: 13 ■□□□□□□□□□
    Nating in in a tunnel can be done. I did iit between a net screen and a MS VPN server.

    First define a numbered tunnel interface, unnumbred won't work!

    Then define a policy with nat src behind interface.

    Third overrule your proxy-id in phase II settings with your int ip adres, 32 bits.

    Should work.

    Goof luck,

    Screenie.
  • PashPash Member Posts: 1,601 ■■■■■□□□□□
    Screenie wrote:
    Nating in in a tunnel can be done. I did iit between a net screen and a MS VPN server.

    First define a numbered tunnel interface, unnumbred won't work!

    Then define a policy with nat src behind interface.

    Third overrule your proxy-id in phase II settings with your int ip adres, 32 bits.

    Should work.

    Goof luck,

    Screenie.

    We now have a stable VPN connection with the other end. It shows SA status as Active but Link as down (as in tunnel down).....go figure :o

    Thanks,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • ScreenieScreenie Member Posts: 13 ■□□□□□□□□□
    The down status on a vpn tunnel (and I think on the tunnel interface as well) is as far as I know always caused by failed monitoring. Just try to disable monitoring in phase 2 settings. If this solves the problem try a destination IP wich responds to a ping. Ofcourse only if you want / need monitoring. Twho reasons for this:

    A) To keep the tunnel alwas up
    b) To bring the tunnel interface down when a destination isn;t reachable. Using routing ptiorities you can use a backup path.

    Hope this helps!

    Greetz.
Sign In or Register to comment.