Product: ScreenOS
Version: 6.0 and higher
Network Topology
Two sites, a server site and a public IP site, are connected via a route-based VPN. The local public IP site publishes a policy that allows internet access to the server at the remote site. Inbound traffic is forwarded down the VPN tunnel, and the responses are returned to the internet requester.
Description:
The sites have an IPsec VPN in route mode on unnumbered tunnel interfaces associated with the local LAN IP segment. This allows the inbound internet traffic to also have source address NAT using this egress tunnel interface, so the return route for the internet request is a local site address that is already known to the remote site routing.
The process utilizes IPsec VPN in route mode and NAT.
- Create IPSEC VPN between the sites
- Publish the public server ip address at the local site with NAT on both source and destination
Zone Layout
untrust interface is ethernet0/0
trust interface is bgroup0
tunnel.1 interface is in trust zone as an unnumbered interface associated with bgroup0
This zone layout puts all sites and tunnels into the same security zone. No policies need to be created on any device for full communications across the entire hub and spoke network. This assumes that intra-zone blocking is NOT enabled on any of the firewalls for the trust zone, which is the default behavior for the trust zone.
You can change the zone of the tunnel interface to untrust and create policies as needed to allow traffic. But changing the association of the tunnel interface off of the internal LAN bgroup0 will necessitate changes in the source NAT policy: the source address used for NAT must be known to the remote server site. In that case you will need to create a DIP with a local LAN IP address to use for the source NAT.
Configuration:
1. Create IPSEC VPN between sites
Create the tunnel.1 interface on each site as unnumbered and associated with bgroup0. This is the same on both sites.
CLI – Both Sites
set interface tunnel.1 zone Trust
set interface tunnel.1 ip unnumbered interface bgroup0
Set routes to these tunnel interfaces for each remote site
CLI
Public IP site
set route 10.0.2.0/24 interface tunnel.1 gateway 10.0.2.1
Server Site
set route 10.0.1.0/24 interface tunnel.1 gateway 10.0.1.1
WEB
Public IP site
Network – Routing – Destination
New button
10.0.2.0/24
interface tunnel.1
gateway 10.0.2.1
Server Site
Network – Routing – Destination
New button
10.0.1.0/24
interface tunnel.1
Gateway 10.0.1.1
WEB
Network – Interfaces – List
New tunnel interface in the upper right
Trust zone
Unnumbered with the bgroup0 interface
Create the VPN gateways
CLI
Firewall Local Public Address Site
set ike gateway Server-GW address 2.2.2.2 Main outgoing-interface ethernet0/0 preshare juniper sec-level standard
Firewall Server Site
set ike gateway Public-GW address 1.1.1.1 Main outgoing-interface ethernet0/0 preshare juniper sec-level standard
WEB
Firewall Local Public Address site
VPNs – AutoKey Advanced – Gateway
Create new gateway
Name Server-GW
IP: 2.2.2.2
Advanced button
Preshared key: juniper
Outgoing interface ethernet0/0
Firewall Server Site
VPNs – AutoKey Advanced – Gateway
Create new gateway
Name Public-GW
IP: 1.1.1.1
Advanced button
Preshared key: juniper
Outgoing interface ethernet0/0
Create AutoKey IKE Objects
Firewall Public Address Site
CLI
set vpn Server gateway Server-GW sec-level standard
set vpn Server bind interface tunnel.1
WEB
VPNs – AutoKey IKE
Create New
Name Server
Associated gateway Server-GW
Advanced button
Tunnel interface tunnel.1
Firewall Server Site
CLI
set vpn Public gateway Public-GW sec-level standard
set vpn Public bind interface tunnel.1
WEB
VPNs – AutoKey IKE
Create New
Name Public
Associated gateway Public-GW
Advanced button
Tunnel interface tunnel.1
2. Publish the server public IP address and NAT policies
Enable proxy ARP for destination NAT. This is a CLI only command.
CLI
set arp nat-dst
Create the public address object for the server IP address
CLI
set address untrust server 1.1.1.2 255.255.255.255
WEB
Policies – Policy Objects – Addresses – List
New address in upper right
untrust zone
1.1.1.2/32
Create the policy with both destination NAT for the server and source NAT for the requester. The destination address object is the one created above (server); source NAT uses the egress interface (tunnel.1, unnumbered on bgroup0) and destination NAT rewrites to the server's private address.
CLI
set policy name RemoteServerAccess from Untrust to Untrust Any server PING nat src dst ip 10.0.2.2 permit log
Change or add the services that are needed in place of PING
WEB
Policies – Policy – set untrust to untrust – Create New
Name: RemoteServerAccess
Source: Any
Destination: Server (new address object)
select the required server services
check log button
Advanced button
Check destination translation and enter the server IP address 10.0.2.2
Check source translation and leave on the default egress interface
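The following is an added Python model of the packet flow this policy produces; it is not part of the original article or a ScreenOS tool. It applies the policy's destination NAT (1.1.1.2 to 10.0.2.2) and source NAT (to the egress interface address), then runs a longest-prefix route lookup at each site using the "set route" entries above. The bgroup0 addresses 10.0.1.1 (public IP site) and 10.0.2.1 (server site) are inferred from the route gateways; the internet client address 203.0.113.10 and the default routes are constructed. The second case shows the caveat from the Zone Layout section: if tunnel.1 is moved off bgroup0 so source NAT uses the untrust address 1.1.1.1, the server site has no tunnel route for the reply.

```python
import ipaddress

# Constructed routing tables built from the article's "set route" commands plus
# the connected bgroup0 segment and a default route to the internet at each site.
PUBLIC_SITE_ROUTES = [("10.0.2.0/24", "tunnel.1"), ("10.0.1.0/24", "bgroup0"), ("0.0.0.0/0", "ethernet0/0")]
SERVER_SITE_ROUTES = [("10.0.1.0/24", "tunnel.1"), ("10.0.2.0/24", "bgroup0"), ("0.0.0.0/0", "ethernet0/0")]

PUBLISHED_IP = "1.1.1.2"   # address object "server" in the untrust zone
REAL_SERVER_IP = "10.0.2.2"  # "nat ... dst ip 10.0.2.2" in the policy


def lookup(routes, ip):
    """Longest-prefix match: return the egress interface for ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def apply_policy(src, dst, egress_ip):
    """Model of RemoteServerAccess: 'nat src dst ip 10.0.2.2' rewrites both addresses.
    Returns the translated (src, dst) pair, or None if the policy does not match."""
    if dst != PUBLISHED_IP:
        return None
    return (egress_ip, REAL_SERVER_IP)  # src -> egress interface ip, dst -> server


def simulate(tunnel_egress_ip, client="203.0.113.10"):
    """Forward the translated request, then route the server's reply.
    Returns (forward interface at public site, reply interface at server site)."""
    xsrc, xdst = apply_policy(client, PUBLISHED_IP, tunnel_egress_ip)
    forward_iface = lookup(PUBLIC_SITE_ROUTES, xdst)  # should be tunnel.1
    reply_iface = lookup(SERVER_SITE_ROUTES, xsrc)    # reply goes back to xsrc
    return forward_iface, reply_iface


if __name__ == "__main__":
    # tunnel.1 unnumbered on bgroup0: source NAT uses 10.0.1.1, reply comes back via tunnel.1
    print("bgroup0 egress:", simulate("10.0.1.1"))
    # tunnel.1 re-associated with ethernet0/0: source NAT uses 1.1.1.1, reply leaks to the internet
    print("untrust egress:", simulate("1.1.1.1"))
```

The second call is the failure the Zone Layout section warns about: the reply to 1.1.1.1 follows the server site's default route instead of the tunnel, which is why a DIP with a local LAN address is required when the tunnel interface leaves bgroup0.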
Verification:
Attempt server access from the internet and open the policy log. Verify that both the source and destination translation are occurring as expected: the destination should be translated to 10.0.2.2 and the source to the tunnel.1 egress address on the local LAN segment.
References:
ScreenOS Concepts and Examples Guide
http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html
Route based VPN tunnels
Concepts & Examples Guide
Volume 5 Virtual Private Networks
Chapter 3 VPN Guidelines
Chapter 4 VPN: Site-to-site VPN Configurations
Network Address Translation
Concepts & Examples Guide
Volume 8 Address Translation
Chapter 3 – Nat-src and Nat-dst in the same policy
KB12631
http://kb.juniper.net/InfoCenter/index?page=content&id=KB1263
Originally Posted June 03, 2011
Last Revised on June 03, 2011