[j-nsp] vpn site to site with source and destination NAT

Abdullah Baheer abdullahbaheer at yahoo.com
Mon Dec 17 07:32:08 EST 2012


Hi Osama,
Did you add a route for 192.168.120.10 pointing to the interface of the LAN (10.10.1.10) on Site A? Route lookup is done before destination NAT in SSG...
Abdullah Baheer
--- On Mon, 12/17/12, mahmoud yasin <eng_mahmood48 at yahoo.com> wrote:

From: mahmoud yasin <eng_mahmood48 at yahoo.com>
Subject: Re: [j-nsp] vpn site to site with source and destination  NAT
To: "osamh hammoudeh" <osamh.co at hotmail.com>, "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Date: Monday, December 17, 2012, 3:47 PM

Hi Osama

I suggest enabling debugging on the firewall and checking whether any packets are received from the Cisco side; if they are received, you can then see how the packets got processed.

Sample commands:

unset ff
set ff src-ip x.x.x.x dst-ip x.x.x.x
clear db
debug flow basic
get db str

Regards
Mahmoud
 




________________________________
 From: osamh hammoudeh <osamh.co at hotmail.com>
To: juniper-nsp at puck.nether.net 
Sent: Monday, December 17, 2012 2:22 PM
Subject: [j-nsp] vpn site to site with source and destination  NAT
 



Date: Mon, 17 Dec 2012 13:06:05 +0300





Dears

I have an SSG 520 and I have configured a site-to-site VPN with a Cisco router.
The VPN status is up and both LANs can ping each other.

Site A: peer IP 1.1.1.1, local user 192.168.120.10
Site B: peer IP 2.2.2.2, local user 10.70.12.10

In the site-to-site setup, local users on both sites can ping each other.

I now want to change one small thing in my setup, which is to change the local subnet in site A to 10.10.1.10 without any change on site B.
So I need to configure source NAT and destination NAT as below:

1- Configure source NAT for the new subnet for site A (10.10.1.10) -----> to be NATed to the old subnet (192.168.120.10).
We use DIP for this, policy based ==> source: 10.10.1.10, destination: 10.70.12.10, enable source NAT with DIP, which is configured up.

2- Configure destination NAT for the traffic coming from site B with destination 192.168.120.10. Note that site B still asks for 192.168.120.10, with no VPN changes on site B, so the request from site B to site A is as below:
source: 10.70.12.10, destination: 192.168.120.10. We need to enable destination NAT (if the destination is 192.168.120.10, translate it to 10.10.1.10).

I did all the setup and configured source NAT, and it worked fine, but my problem was with destination NAT: it's not working, and there is nothing in the policy log.
Could you please advise as soon as possible?

Best regards
osama hammoudeh

                                                                   
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
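
An added example, not part of the thread and not ScreenOS code: a simplified Python model of the ordering named in the first reply (route lookup on the original destination happens before destination NAT), showing why the destination-NAT policy is never matched and logs nothing until a route for 192.168.120.10 points at the LAN interface. Zone names, interface names and the /24 mask are assumptions; the addresses are the ones in the thread.

```python
import ipaddress

def lookup(routes, ip):
    """Longest-prefix match over (prefix, interface, zone); None if no route."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return best[1:] if best else None

def process(routes, policies, in_zone, src, dst):
    """Assumed order: route lookup on the ORIGINAL destination picks the
    destination zone, the policy is matched on that zone pair, and only a
    matching policy translates the destination and triggers a second lookup."""
    first = lookup(routes, dst)
    if first is None:
        return ("drop", "no route for original destination")
    out_zone = first[1]
    for p in policies:
        if (p["from"], p["to"], p["src"], p["dst"]) == (in_zone, out_zone, src, dst):
            second = lookup(routes, p["nat_dst"])
            if second is None:
                return ("drop", "no route for translated destination")
            return ("forward", p["nat_dst"], second[0])
    return ("drop", f"no policy {in_zone}->{out_zone}")

# Constructed sample data. Addresses come from the thread; zone names,
# interface names and the /24 mask are assumptions.
BEFORE = [("0.0.0.0/0", "ethernet0/2", "Untrust"),
          ("10.10.1.0/24", "ethernet0/1", "Trust")]
AFTER = BEFORE + [("192.168.120.10/32", "ethernet0/1", "Trust")]
POLICIES = [{"from": "Untrust", "to": "Trust", "src": "10.70.12.10",
             "dst": "192.168.120.10", "nat_dst": "10.10.1.10"}]

if __name__ == "__main__":
    for name, routes in (("before", BEFORE), ("after", AFTER)):
        print(name, process(routes, POLICIES, "Untrust", "10.70.12.10", "192.168.120.10"))
```

In the "before" table the old address falls through to the default route, so the packet is evaluated as Untrust to Untrust and the Untrust to Trust NAT policy is never consulted.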


More information about the juniper-nsp mailing list