Showing posts with label ssg. Show all posts

Monday, 22 May 2017

source NAT on juniper SSG

I wanted to source NAT my traffic so that it appears to come from the 10.58.x.x range and can go over my VPN.

I was able to do this with a DIP (dynamic IP pool) on the Juniper. The DIP must be created on the tunnel interface that is bound to the VPN the traffic should travel over.


Since the tunnel interface is unnumbered, I configured the extended IP
10.58.254.1/24 (I know this range is free).
For the DIP range I gave 10.58.254.2 - 10.58.254.254.

set interface tunnel.4 ext ip 10.58.254.1 255.255.255.0 dip 4 10.58.254.2 10.58.254.254

You need a policy that both permits the traffic and applies the NAT.
Put it above any other policy that matches the same source and destination: ScreenOS evaluates policies top-down and stops at the first match, so a broader permit policy listed earlier would pass the traffic untranslated.

set policy id 123 from "Trust" to "Untrust" "LOCAL_NETS_2_NAT" "REMOVE_VPN_NETS" "ANY" nat src dip-id 4 permit log

The 10.58.x.x/16 network already had a policy to allow the traffic and was already in the encryption domain.

I did a debug flow basic and it seems to have worked; I will test now.

WebGUI
Network -> Interfaces -> Edit (tunnel.4)
DIP tab -> New
Fill in the IP range 10.58.254.2 - 10.58.254.254
Tick Port Translation
Select "In the same subnet as the extended IP" and fill in 10.58.254.1/24

Create your NAT policy
Policy -> Policies
Select the source and destination networks
Service = ANY
Action = Permit
Click the Advanced button
Tick Source Translation
Select the DIP you created on tunnel.4
Click OK
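The CLI and WebGUI steps above produce the same two objects: a DIP pool on the tunnel interface and a policy that references it. The script below is an added example (not from the original post, and not Juniper code) that builds those commands and checks the pool before anything is pasted into the firewall: the pool must sit inside the extended subnet, must not include the extended IP or the network/broadcast address, and, because the translated source is what the VPN sees, must be covered by the encryption domain. The tunnel, DIP id, policy id and address-book names are the post's own; the encryption domain 10.58.0.0/16 is taken from the post, the existing policy id 321 used with `set policy move` is made up, and the `set policy move <id> before <id>` syntax is from the ScreenOS CLI reference as I remember it, so verify it on your release.

```python
"""Added example: build and sanity-check the ScreenOS source-NAT config.

Values are the ones the post uses (tunnel.4, DIP id 4, policy id 123,
address-book objects LOCAL_NETS_2_NAT / REMOVE_VPN_NETS); the existing
permit policy id 321 is an assumption made for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DipPool:
    """A DIP pool on an unnumbered tunnel interface, addressed via an extended IP."""
    interface: str      # e.g. "tunnel.4"
    dip_id: int         # e.g. 4
    ext_ip: str         # extended IP in CIDR form, e.g. "10.58.254.1/24"
    pool_start: str     # first address handed out
    pool_end: str       # last address handed out


@dataclass(frozen=True)
class NatPolicy:
    """A policy that permits traffic and source-NATs it to a DIP pool."""
    policy_id: int
    from_zone: str
    to_zone: str
    src: str            # address-book object name
    dst: str            # address-book object name
    service: str = "ANY"
    log: bool = True


def validate_dip(pool, encryption_domain=()):
    """Return a list of problems; an empty list means the pool is usable.

    encryption_domain: optional CIDR strings the VPN's proxy-ID already covers.
    The translated source must fall inside it or the packets will not match
    the VPN after NAT (the post relies on 10.58.0.0/16 already being there).
    """
    problems = []
    iface = ipaddress.ip_interface(pool.ext_ip)
    net = iface.network
    start = ipaddress.ip_address(pool.pool_start)
    end = ipaddress.ip_address(pool.pool_end)
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("pool start", start), ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the extended subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if start <= iface.ip <= end:
        problems.append(f"extended IP {iface.ip} lies inside the pool")
    if encryption_domain:
        domains = [ipaddress.ip_network(d, strict=False) for d in encryption_domain]
        if not any(net.subnet_of(d) for d in domains):
            problems.append(f"{net} is not covered by the encryption domain")
    return problems


def render_cli(pool, policy, encryption_domain=(), move_before=None):
    """Emit the ScreenOS commands; refuse to emit anything for a bad pool."""
    problems = validate_dip(pool, encryption_domain)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.ip_interface(pool.ext_ip)
    cmds = [
        f"set interface {pool.interface} ext ip {iface.ip} {iface.netmask} "
        f"dip {pool.dip_id} {pool.pool_start} {pool.pool_end}",
        f'set policy id {policy.policy_id} from "{policy.from_zone}" to "{policy.to_zone}" '
        f'"{policy.src}" "{policy.dst}" "{policy.service}" '
        f"nat src dip-id {pool.dip_id} permit" + (" log" if policy.log else ""),
    ]
    if move_before is not None:
        # Policies are evaluated top-down, first match wins, so the NAT policy
        # must sit above the broader permit policy for the same networks.
        cmds.append(f"set policy move {policy.policy_id} before {move_before}")
    return cmds


# The post's values; the existing permit policy id 321 is made up.
POOL = DipPool("tunnel.4", 4, "10.58.254.1/24", "10.58.254.2", "10.58.254.254")
POLICY = NatPolicy(123, "Trust", "Untrust", "LOCAL_NETS_2_NAT", "REMOVE_VPN_NETS")

if __name__ == "__main__":
    for cmd in render_cli(POOL, POLICY, ["10.58.0.0/16"], move_before=321):
        print(cmd)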


Thursday, 5 November 2015

packet-tracer for juniper screen os ... sort of

http://kb.juniper.net/InfoCenter/index?page=content&id=KB5536&actp=search

Send the debug output to the debug buffer rather than the console (not sure whether this is required; it might be an old command)
set console dbuf

Set flow filters to match the interesting traffic, one for each direction
set ffilter src-ip xx.xx.xx.xx dst-ip yy.yy.yy.yy
set ffilter src-ip yy.yy.yy.yy dst-ip xx.xx.xx.xx

unset ffilter <id> (to remove a filter; use ? to list the ids, the first filter created is usually id 0)

Start the debug
debug flow basic
(you can also use 'debug flow drop' to see only dropped/denied packets)

Generate your traffic
ping yy.yy.yy.yy

Stop the debug
Press ESC when finished, or use 'undebug all'

Show the debug output
get db stream

Clear the debug to do a fresh test without a wall of text
clear db

There is a lot of output, but if you read through it you should see, for each packet, the route lookup, the NAT translation and the policy (ACL) match, and what happened to the packet.
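Reading a wall of debug output by hand is exactly where mistakes happen, so here is an added example (not from the original post or from Juniper) that reduces a `get db stream` dump to one line per packet: ingress zone/interface, the 5-tuple, the egress interface from the route lookup, the policy that matched, the DIP translation if any, and the verdict. SAMPLE is a constructed approximation of what `debug flow basic` prints for the source-NAT setup in the earlier post, not a real capture; the exact wording varies between ScreenOS releases, which is why the regexes anchor on the few stable phrases rather than whole lines. `nat_in_pool()` answers the question the earlier post left open ("seems to have worked"): was the packet permitted and did its translated source land in the DIP pool.

```python
"""Added example: summarise ScreenOS `debug flow basic` output per packet.

SAMPLE below is constructed for illustration (two packets: one source-NATed
into tunnel.4, one denied by policy); it is not a real capture.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE = """\
****** 196100.0: <Trust/ethernet0/0> packet received [60]******
  ethernet0/0:192.168.1.10/512->10.58.10.20/3584,1(8/0)<Root>
  no session found
  routed (x_dst_ip 10.58.10.20) from ethernet0/0 (ethernet0/0 in 0) to tunnel.4
  policy search from zone 2-> zone 1
  Permitted by policy 123
  dip id = 4, 192.168.1.10/512->10.58.254.2/1024
  Session (id:1000) created for first pak 1
  post addr xlation: 10.58.254.2->10.58.10.20.
****** 196101.0: <Trust/ethernet0/0> packet received [60]******
  ethernet0/0:192.168.1.10/512->203.0.113.5/3584,1(8/0)<Root>
  no session found
  routed (x_dst_ip 203.0.113.5) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
  policy search from zone 2-> zone 1
  Denied by policy 9
  packet dropped, denied by policy
"""

# Loose patterns keyed on phrases that are stable across ScreenOS releases.
HDR = re.compile(r"^\*{6}\s*(?P<ts>[\d.]+):\s*<(?P<zone>[^/]+)/(?P<iface>[^>]+)>\s*packet received")
TUPLE = re.compile(r"^(?P<iface>\S+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)")
ROUTED = re.compile(r"^routed \(x_dst_ip [\d.]+\) from \S+ .*? to (?P<out>\S+)$")
PERMIT = re.compile(r"^Permitted by policy (?P<pid>\d+)")
DENY = re.compile(r"^Denied by policy (?P<pid>\d+)")
DIP = re.compile(r"^dip id = (?P<dip>\d+), [\d.]+/\d+->(?P<xsrc>[\d.]+)/\d+")
SESSION = re.compile(r"^Session \(id:(?P<sid>\d+)\) created")
DROP = re.compile(r"^packet dropped[,:]?\s*(?P<reason>.*)$")


@dataclass
class FlowTrace:
    """What the firewall decided for one packet."""
    timestamp: str = ""
    in_zone: str = ""
    in_iface: str = ""
    src: str = ""
    dst: str = ""
    proto: str = ""
    out_iface: str = ""
    policy_id: str = ""
    verdict: str = "unknown"   # permit / deny / drop / unknown
    nat_src: str = ""          # translated source when a DIP was used
    dip_id: str = ""
    session_id: str = ""
    drop_reason: str = ""


def parse_debug_flow(text):
    """Split a debug buffer into FlowTrace records, one per 'packet received'."""
    traces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR.match(line)
        if m:
            cur = FlowTrace(timestamp=m["ts"], in_zone=m["zone"], in_iface=m["iface"])
            traces.append(cur)
            continue
        if cur is None:
            continue  # noise before the first packet header
        if (m := TUPLE.match(line)) and not cur.src:
            cur.src, cur.dst, cur.proto = m["src"], m["dst"], m["proto"]
        elif m := ROUTED.match(line):
            cur.out_iface = m["out"]
        elif m := PERMIT.match(line):
            cur.verdict, cur.policy_id = "permit", m["pid"]
        elif m := DENY.match(line):
            cur.verdict, cur.policy_id = "deny", m["pid"]
        elif m := DIP.match(line):
            cur.dip_id, cur.nat_src = m["dip"], m["xsrc"]
        elif m := SESSION.match(line):
            cur.session_id = m["sid"]
        elif m := DROP.match(line):
            cur.verdict, cur.drop_reason = "drop", m["reason"]
    return traces


def nat_in_pool(trace, pool_cidr):
    """True when the packet was permitted and its translated source sits in pool_cidr."""
    if trace.verdict != "permit" or not trace.nat_src:
        return False
    return ipaddress.ip_address(trace.nat_src) in ipaddress.ip_network(pool_cidr, strict=False)


def summarize(trace):
    """One line per packet: where it came in, where it was routed, what matched."""
    nat = f" snat->{trace.nat_src} (dip {trace.dip_id})" if trace.nat_src else ""
    why = f" [{trace.drop_reason}]" if trace.drop_reason else ""
    return (f"{trace.timestamp} {trace.in_zone}/{trace.in_iface} {trace.src}->{trace.dst} "
            f"proto {trace.proto} out={trace.out_iface or '?'} "
            f"policy={trace.policy_id or '?'} {trace.verdict}{nat}{why}")


if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE):
        print(summarize(t))
```

Paste the real `get db stream` output into SAMPLE (or read it from a file) and run it; a packet that shows `permit` without a `snat->` entry, or whose egress is not the tunnel, is the one to look at first, because that is the symptom of a broader permit policy sitting above the NAT policy.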