{"id":266,"date":"2017-08-13T17:19:29","date_gmt":"2017-08-13T21:19:29","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=266"},"modified":"2017-08-13T17:19:29","modified_gmt":"2017-08-13T21:19:29","slug":"screenos-remote-site-server-published-on-local-site-public-ip-address","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-remote-site-server-published-on-local-site-public-ip-address\/","title":{"rendered":"ScreenOS \u2013 Remote Site Server Published on Local Site Public IP Address"},"content":{"rendered":"

Product<\/strong>: ScreenOS
\nVersion<\/strong>: 6.0 and higher<\/p>\n

Network Topology<\/h2>\n

\"\"<\/a><\/p>\n

Two sites are connected via a route based VPN, server site and public IP site. The local public ip site publishes a policy to allow internet access to the server. Traffic is forwarded down the vpn tunnel and the responses returned to the internet requester.<\/p>\n

Description:<\/h2>\n

The sites have IPSEC VPN in route mode on unnumbered interfaces associated with the local lan ip segment. This allows the inbound internet traffic to also have source address NAT using this egress tunnel interface. Thus the return route for the internet request will be a local site address known to the remote site routing.<\/p>\n

The process utilizes IPSEC VPN in route mode and NAT.<\/p>\n

    \n
  1. Create IPSEC VPN between the sites<\/li>\n
  2. Publish the public server ip address at the local site with NAT on both source and destination<\/li>\n<\/ol>\n

    Zone Layout<\/h3>\n

    untrust interface is ethernet0\/0
    \ntrust interface is bgroup0
    \ntunnel.1 interface is in trust zone as a unnumbered interface associated with bgroup0<\/p>\n

    This zone layout puts all sites and tunnels into the same security zone.\u00a0 No policies need to be created on any device for full communications across the entire hub and spoke network.\u00a0 This is assuming that intra zone blocking is NOT enabled on any of the firewalls for the trust zone.\u00a0 This is the default behavior for the trust zone.<\/p>\n

    You can change the zone of the tunnel interface to untrust and create policies as needed to allow traffic. But changing the association of the tunnel interface off of the internal lan bgroup0 will necessitate changes in the source nat policy. The source address in nat must be known to the remote server site. You will need to create a dip with a local lan ip address to use for the source nat.<\/p>\n

    Configuration:<\/h2>\n

    1. Create IPSEC VPN between sites<\/strong><\/p>\n

    Create the tunnel.1 interface on each site as unnumbered and associated with bgroup0. This is the same on both sites.<\/p>\n

    CLI \u2013 Both Sites<\/strong>
    \nset interface tunnel.1 zone Trust
    \nset interface tunnel.1 ip unnumbered interface bgroup0
    \nSet routes to these tunnel interfaces for each remote site<\/p>\n

    CLI<\/strong>
    \nPublic IP site<\/strong>
    \nset route 10.0.2.0\/24 interface tunnel.1 gateway 10.0.2.1
    \nServer Site<\/strong>
    \nset route 10.0.1.0\/24 interface tunnel.1 gateway 10.0.1.1<\/p>\n

    WEB<\/strong>
    \nPublic IP site<\/strong>
    \nNetwork \u2013 Routing \u2013 Destination
    \nNew button
    \n10.0.2.0\/24
    \ninterface tunnel.1
    \ngateway 10.0.2.1<\/p>\n

    Server Site<\/strong>
    \nNetwork-Routing \u2013 Destination
    \nNew button
    \n10.0.1.0\/24
    \ninterface tunnel.1
    \nGateway 10.0.1.1<\/p>\n

    WEB<\/strong>
    \nNetwork \u2013 Interfaces \u2013 List
    \nNew tunnel interface in the upper right
    \nTrust zone
    \nUnnumbered with the bgroup0 interface
    \nCreate the VPN gateways<\/p>\n

    CLI<\/strong>
    \nFirewall Local Public Address Site<\/strong>
    \nset ike gateway Server-GW address 2.2.2.2 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard<\/p>\n

    Firewall Server Site<\/strong>
    \nset ike gateway Public-GW address 1.1.1.1 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard<\/p>\n

    WEB
    \nFirewall Local Public Address site<\/strong>
    \nVPNs \u2013 AutoKey Advanced \u2013 Gateway
    \nCreate new gateway
    \nName Server-GW
    \nIP: 2.2.2.2
    \nAdvanced button
    \nPreshared key: juniper
    \nOutgoing interface ethernet0\/0 (Change to ethernet 0\/1 for SiteB2-GW)<\/p>\n

    Firewall Server Site<\/strong>
    \nVPNs \u2013 AutoKey Advanced \u2013 Gateway
    \nCreate new gateway
    \nName Public-GW
    \nIP: .1.1.1.1
    \nAdvanced button
    \nPreshared key: juniper
    \nOutgoing interface ethernet0\/0
    \nCreate AutoKey IKE Objects
    \nFirewall Public Address Site<\/p>\n

    CLI<\/strong>
    \nset vpn Server gateway Server-GW sec-level standard
    \nset vpn Server bind interface tunnel.1<\/p>\n

    WEB<\/strong>
    \nVPNs \u2013 AutoKey IKE
    \nCreate New
    \nName Server
    \nAssociated gateway Server-GW
    \nAdvanced button
    \nTunnel interface tunnel.1
    \nFirewall Server Site<\/p>\n

    CLI<\/strong>
    \nset vpn Public gateway Public-GW sec-level standard
    \nset vpn Public bind interface tunnel.1<\/p>\n

    WEB<\/strong>
    \nVPNs \u2013 AutoKey IKE
    \nCreate New
    \nName Public
    \nAssociated gateway Public-GW
    \nAdvanced button
    \nTunnel interface tunnel.1<\/p>\n

    2. Publish the server pubic ip address and nat policies<\/strong><\/p>\n

    Enable the proxy arp for destination nat. This is a CLI only command.<\/p>\n

    CLI<\/strong>
    \nset arp nat-dst<\/p>\n

    Create the pubic address object for the server ip address<\/p>\n

    CLI<\/strong>
    \nset address untrust server 1.1.1.2 255.255.255.255<\/p>\n

    WEB<\/strong>
    \nPolicies \u2013 Policy Objects \u2013 Addresses – List
    \nNew address in upper right
    \nuntrust zone
    \n1.1.1.2\/32<\/p>\n

    Create the policy with both destination nat for the server and source nat for the requester<\/p>\n

    CLI<\/strong>
    \nset policy name RemoteServerAccess from Untrust to Untrust Any RemoteServerPublic PING nat src dst ip 10.0.2.2 permit log
    \nChange or add services that are needed in place of PING<\/p>\n

    WEB<\/strong>
    \nPolicies \u2013 Policy \u2013 set untrust to untrust \u2013 Create New
    \nName: RemoteServerAccess
    \nSource: Any
    \nDestination: Server (new address object)
    \nselect the required server services
    \ncheck log button
    \nAdvanced button
    \nCheck destination translation and enter the server ip addess 10.0.2.2
    \nCheck source translation and leave on the default egress interface<\/p>\n

    Verification:<\/h2>\n

    Attempt server access and open the policy log. Verify that both the source and destination translation are occurring as expected.<\/p>\n

    References:<\/h2>\n

    ScreenOS Concepts and Examples Guide<\/strong>
    \n    http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n

    Route based VPN tunnels<\/h3>\n

    Concepts & Examples Guide
    \nVolume 5 Virtual Private Networks
    \nChapter 3 VPN Guidelines
    \nChapter 4 VPN: Sit-to-site VPN Configurations<\/p>\n

    Network Address Translation<\/h3>\n

    Concepts & Examples Guide
    \nVolume 8 Address Translation
    \nChapter 3 \u2013 Nat-src and Nat-dst in the same policy
    \nKB12631
    \n    http:\/\/kb.juniper.net\/InfoCenter\/index?page=content&id=KB1263 <\/a><\/p>\n

    Originally Posted June 03, 2011
    \nLast Revised on June 03, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"

    Product: ScreenOS Version: 6.0 and higher Network Topology Two sites are connected via a route based VPN, server site and public IP site. The local public ip site publishes a policy to allow internet access […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-266","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=266"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/266\/revisions"}],"predecessor-version":[{"id":268,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/266\/revisions\/268"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=266"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}