netscreen NAT with VPN

trackittrackit Member Posts: 224
Hey! Maybe im a bit tired and shortcircuited righ now, but im stuck...

I have a netscreeen that makes site-to-site VPN-s over public Internet. I have many 192.168.0.0/16 internal subnets and i want to make yet another VPN to remote company for lets say internal 192.168.10.0/24 network (NOT directly connected to netscreen), the thing is this network is in use at the other side so we cant use it. How do i NAT this network to lets say 10.10.10.0/24 and make VPN at the same time?

Comments

  • trackittrackit Member Posts: 224
    ok, i found this whitepaper:

    http://kb.juniper.net/kb/documents/public/VPN/ScreenOS_VPN_with_Overlapping_Subnets.pdf

    outline steps are:

    1. Configure the “vpn” security zone. “Trust” and “Untrust” zones are predefined.
    2. Configure IP addresses for interfaces ethernet0/0 and ethernet0/3. Bind the interfaces the “Trust” and “Untrust” zones respectively.
    3. Create tunnel.1 interface and bind to “vpn” zone.
    4. Configure MIP for the tunnel interface.
    5. Configure default route to Internet next-hop and also a static route for the Remote site LAN. Optionally you can use a dynamic routing protocol such as OSPF instead but that is beyond the scope of this application note.
    6. Configure address book entries for “Trust” and “vpn” zones. This will be necessary for the security policies.
    7. Configure phase-1 (IKE) and phase-2 (VPN) proposals. This step is optional. You can also use one of the pre-defined p1 and p2 proposals or use one of the pre-defined security levels (i.e. basic, standard or compatible)
    8. Configure IKE gateway profile referencing the phase-1 proposal from step 7.
    9. Configure VPN profile referencing IKE gateway from step 8 and phase-2 proposal from step 7. Then bind interface tunnel.1 to the VPN.
    10. Configure security policy to permit Corporate site LAN to Remote site LAN using the address book entries created in step 6.
    11. Configure security policy to permit Remote site LAN traffic to Corporate site LAN using address book entry from step 6 with destination address as the MIP.
    12. Configure outgoing “Trust” to “Untrust” permit all policy with interface source NAT for Internet traffic.
    13. Configure tcp-mss for IPSec traffic to eliminate the possibility of fragmented TCP traffic. This will lessen the resource utilization on the device.


    But i dont quite get it, what exactly tells netscreen to NAT? and can i use just one ip as destination address for example in step 11 instead of MIP?
  • zoidbergzoidberg Member Posts: 365
    i did something like this late last week.

    i used a DIP pool defined on an tunnel interface, with no IP on the tunnel interface. the DIP pool consisted of a single IP address, which is what you were asking about. you create a policy to tell the netscreen to nat. at the end of the policy you can add nat src dip id # dst ip... etc.

    sorry, can't really elaborate too much right now as i just got called and need to run.
  • trackittrackit Member Posts: 224
    got it done, thanks...
Sign In or Register to comment.