Applying the three SRX NAT modes to a site-to-site VPN

Source: Internet
Author: User

Setting up a site-to-site VPN on a Juniper SRX is relatively simple, and so is using NAT. What I want to talk about is using the two together.

Requirements: local A and local B establish a site-to-site VPN connection. Remote site C reaches the local side over a leased line; the remote side has a route only to local A, and no further route can be added. Remote C is required to access VPN site B through the local side.

Let's take a look at the configuration of the VPN site. It is very simple, but it is pasted here anyway. This SRX runs version 11.4R6.6.

security {
    ike {
        proposal pre-g2-aes128-sha1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;
        }
        policy RemoteIKE {
            mode main;
            proposals pre-g2-aes128-sha1;
            pre-shared-key ascii-text "******************"; # SECRET-DATA
        }
        gateway RemoteGW {
            ike-policy RemoteIKE;
            address 36.*.*.89;
            external-interface ge-0/0/0;
            version v1-only;
        }
    }
    ipsec {
        proposal esp-3des-sha1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy g2-esp-3des-sha1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-3des-sha1;
        }
        vpn RemoteVPN {
            bind-interface st0.2;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway RemoteGW;
                ipsec-policy g2-esp-3des-sha1;
            }
            establish-tunnels on-traffic;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 122.*.*.185;
        route 172.24.60.0/24 next-hop st0.2;
    }
}

Here we can see that the address of VPN site B is 172.24.60.0/24, the address of remote C is 172.16.0.0/16, and local A is 172.18.0.0/16. Remote C only has a route to 172.26.0.0/16, not to 172.24.60.0/24. Similarly, VPN site B does not have a route to remote C. So can this not work? Using NAT in combination solves the problem.

SRX NAT is divided into three categories: source, destination, and static. Source NAT can be further divided into address-pool and interface variants: it replaces the source address with an address from the pool or with the address of the specified interface. Destination and static NAT are very similar in that both change the destination address, but there is a difference: destination NAT uses an address pool whose addresses are used in rotation, while static NAT is a fixed, position-for-position translation.

Next, the order in which the three are executed: static > destination > source. As for their order relative to other processing, routing comes after NAT, and the VPN comes after routing. A route-based VPN is used here. The final execution order is static NAT > destination NAT > policy > source NAT > route > VPN.

This is the first point at which policy comes in. Because NAT translation is involved, does the policy use the address before or after translation? In this example, C is 172.16.0.0/16. C is made to access 172.18.60.0/24, so that the traffic reaches local A. On A, source NAT translates the source address to 172.18.12.0/24, and static NAT changes 172.18.60.0/24 to 172.24.60.0/24. Local A then accesses VPN site B. What addresses does the policy use? 172.16.0.0/16 -> 172.24.60.0/24. The ordering shows why: static NAT is executed first, and the destination address is changed to 172.24.60.0/24. At this point the packet's source address is 172.16.0.0/16 and its destination is 172.24.60.0/24.

If the policy permits the packet in this state, source NAT follows and the source address is changed to 172.18.12.0/24. After the packet arrives at VPN site B, the policy requirements are met. Let's take a look at the configuration.

nat {
    source {
        pool ManCo {
            routing-instance {
                ManCo;
            }
            address {
                172.18.12.0/24;
            }
            port no-translation;
        }
        rule-set ShangHai-ManCo {
            from zone ManIN;
            to zone ManCoVPN;
            rule ShangHai {
                match {
                    source-address 172.16.0.0/24;
                    destination-address 172.24.60.0/24;
                }
                then {
                    source-nat {
                        pool {
                            ManCo;
                        }
                    }
                }
            }
        }
    }
    static {
        rule-set 5rt {
            from zone ManIN;
            rule 5rt-r {
                match {
                    destination-address 172.18.60.0/24;
                }
                then {
                    static-nat {
                        prefix {
                            172.24.60.0/24;
                        }
                    }
                }
            }
        }
    }
}
Static NAT is a one-to-one translation: when you access 172.18.60.1 it becomes 172.24.60.1, and when you access 172.18.60.2 it becomes 172.24.60.2. This is the biggest difference from source NAT, where for the source address 172.16.0.1 one session becomes 172.18.12.1 and the second session becomes 172.18.12.2.
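
The Python sketch below is an added example, not part of the original article and not Junos code. It walks a new session through the order given above (static NAT, then policy, then source NAT) using the prefixes from this page's configuration. The function and class names are made up for illustration, and the pool allocator (next unused address per session) is a simplification that follows the article's description.

```python
import ipaddress

# Prefixes taken from the configuration and text on this page.
C_NET       = ipaddress.ip_network("172.16.0.0/16")   # remote C
STATIC_FROM = ipaddress.ip_network("172.18.60.0/24")  # what C dials (inside A's range)
STATIC_TO   = ipaddress.ip_network("172.24.60.0/24")  # VPN site B
SRC_MATCH   = ipaddress.ip_network("172.16.0.0/24")   # source-address in rule ShangHai
SRC_POOL    = ipaddress.ip_network("172.18.12.0/24")  # pool ManCo

def static_nat(dst):
    """One-to-one prefix translation: swap the prefix, keep the host bits."""
    dst = ipaddress.ip_address(dst)
    if dst not in STATIC_FROM:
        return dst
    offset = int(dst) - int(STATIC_FROM.network_address)
    return STATIC_TO.network_address + offset

class SourcePool:
    """Simplified model of a pool without port translation: each new session
    takes the next unused pool address, as the article describes."""
    def __init__(self, net=SRC_POOL):
        self._free = iter(ipaddress.ip_network(str(net)).hosts())

    def allocate(self):
        return next(self._free, None)  # None once the pool is exhausted

def forward(src, dst, pool):
    """Apply the article's order to one new session: static NAT, policy, source NAT.
    Returns (addresses the policy sees, addresses sent into the tunnel) or None."""
    src = ipaddress.ip_address(src)
    dst = static_nat(dst)                    # 1. static NAT rewrites the destination
    if src not in C_NET or dst not in STATIC_TO:
        return None                          # 2. policy 172.16.0.0/16 -> 172.24.60.0/24
    seen_by_policy = (str(src), str(dst))
    # 3. source NAT; the rule's destination match (172.24.60.0/24) already holds here
    if src in SRC_MATCH:
        src = pool.allocate()
        if src is None:
            return None                      # no free pool address for this session
    return seen_by_policy, (str(src), str(dst))
```

With the rule as configured, a host such as 172.16.5.9 is inside C's /16 and passes the policy but falls outside the rule's 172.16.0.0/24 match, so forward() returns it with its source address unchanged.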

This article is from the "Genius without that 1% is never done" blog; please be sure to keep this source: http://xushen.blog.51cto.com/1673219/1156078
