Wednesday, October 16, 2019

srx vpn source nat issue

Hi, guys,

I have come across a strange issue when trying to create a VPN tunnel between an SRX100 and a Palo Alto (the tunnel is up and stable). When I enable source NAT on the SRX, a client computer behind the Palo Alto can't communicate with a client behind the SRX, but the client behind the SRX can communicate with the client behind the Palo Alto. When I remove the source NAT, everything works fine, but then the local clients behind the SRX can't access the Internet as there is no source NAT. If I route all the traffic through the VPN tunnel, everything also works fine. I will post my configuration below; it would be really helpful if someone could point me in the right direction to solve the issue.

(172.18.40.1/27)srx----------internet------------paloalto(172.16.0.0/16)

set version 12.1X46-D86
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet address 233.54.23.23/25
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 point-to-point
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces vlan unit 0 family inet address 172.18.40.1/27
set routing-options static route 0.0.0.0/0 next-hop 234.38.76.76
set protocols stp
set security ike policy asianet mode main
set security ike policy asianet proposal-set standard
set security ike policy asianet pre-shared-key ascii-text "$9$H.T36/t1RSHqCuOBSy24aJi.QF/tu1ZU/tu0hc"
set security ike gateway ike-asianet ike-policy asianet
set security ike gateway ike-asianet address 233.45.65.75
set security ike gateway ike-asianet external-interface fe-0/0/0
set security ipsec policy asianetvpn proposal-set standard
set security ipsec vpn ike-asianet bind-interface st0.0
set security ipsec vpn ike-asianet ike gateway ike-asianet
set security ipsec vpn ike-asianet ike ipsec-policy asianetvpn
set security ipsec vpn ike-asianet establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match destination-address 172.16.0.0/16
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule then source-nat off
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
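Added example, not from the original post and not something the poster ran: a small Python checker that parses the `set` lines above and answers the questions a practitioner asks first when source NAT and a route-based VPN meet. On the SRX a source NAT rule-set is selected by the from/to context of the flow, and for a route-based VPN that context is the zone holding st0.0. With st0.0 in `trust`, a `trust-to-untrust` rule-set (including its `NO-source-nat-rule`) is consulted only for traffic routed out fe-0/0/0, never for traffic entering the tunnel; within a rule-set, rules are evaluated in configured order and the first match wins. The checker also reports whether the remote prefix actually has a route via st0.0, and flags any `$9$` value, because Junos `$9$` secrets are reversibly obfuscated rather than hashed and should be redacted before a config is posted. The two client addresses, the Internet destination and the placeholder pre-shared key are constructed; only zone-based rule-sets and static/connected IPv4 routes are modelled.

```python
"""Added example (not from the post): can source NAT touch tunnel traffic on a route-based SRX VPN?
Zone-based rule-sets and static/connected routes only. CONFIG is a subset of the posted lines
with the pre-shared key replaced by a placeholder, not the posted value."""
import ipaddress
import shlex
CONFIG = """\
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set interfaces vlan unit 0 family inet address 172.18.40.1/27
set routing-options static route 0.0.0.0/0 next-hop 234.38.76.76
set security ike policy asianet pre-shared-key ascii-text "$9$placeholder-not-the-real-key"
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule match destination-address 172.16.0.0/16
set security nat source rule-set trust-to-untrust rule NO-source-nat-rule then source-nat off
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces st0.0
"""
TUNNEL_IF = "st0.0"           # bind-interface from the post
LOCAL_HOST = "172.18.40.10"   # constructed: a client behind the SRX
REMOTE_HOST = "172.16.0.10"   # constructed: a client behind the Palo Alto

def parse_set(text):  # tokenise `set ...` lines; shlex keeps the quoted PSK as one token
    return [shlex.split(line)[1:] for line in text.splitlines() if line.startswith("set ")]

def interface_zones(stmts):  # logical interface -> security zone
    return {t[5]: t[3] for t in stmts
            if t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"]}

def interface_addrs(stmts):  # logical interface -> IPv4Interface (gives the connected routes)
    return {f"{t[1]}.{t[3]}": ipaddress.ip_interface(t[7]) for t in stmts
            if len(t) > 7 and t[0] == "interfaces" and t[4:7] == ["family", "inet", "address"]}

def static_routes(stmts):  # [(network, next-hop)]
    return [(ipaddress.ip_network(t[3]), t[5]) for t in stmts
            if t[:3] == ["routing-options", "static", "route"] and t[4:5] == ["next-hop"]]

def lookup(dst, routes, addrs):
    """Longest-prefix match -> (prefix, next_hop, egress_if); egress_if is None when the next hop is on no connected subnet."""
    dst = ipaddress.ip_address(dst)
    table = [(a.network, ifn) for ifn, a in addrs.items()] + routes
    hit = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if hit is None:
        return None, None, None
    prefix, nh = hit
    try:
        nh_ip = ipaddress.ip_address(nh)
    except ValueError:  # next hop given as an interface name, e.g. st0.0
        return prefix, nh, nh
    return prefix, nh, next((ifn for ifn, a in addrs.items() if nh_ip in a.network), None)

def nat_rule_sets(stmts):  # name -> {from, to, rules}; dict order == configured (evaluation) order
    rs = {}
    for t in stmts:
        if t[:4] != ["security", "nat", "source", "rule-set"]:
            continue
        entry = rs.setdefault(t[4], {"from": None, "to": None, "rules": {}})
        if t[5] in ("from", "to") and t[6] == "zone":
            entry[t[5]] = t[7]
        elif t[5] == "rule":
            rule = entry["rules"].setdefault(t[6], {"src": [], "dst": [], "then": None})
            if t[7] == "match" and t[8] in ("source-address", "destination-address"):
                rule["src" if t[8] == "source-address" else "dst"].append(ipaddress.ip_network(t[9]))
            elif t[7:9] == ["then", "source-nat"]:
                rule["then"] = " ".join(t[9:])  # off | interface | pool <name>
    return rs

def source_nat_decision(rule_sets, from_zone, to_zone, src, dst):
    """SRX semantics: the rule-set whose from/to zone context matches is chosen, then first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, rs in rule_sets.items():
        if (rs["from"], rs["to"]) != (from_zone, to_zone):
            continue
        for rule_name, rule in rs["rules"].items():
            if any(src in n for n in rule["src"]) and any(dst in n for n in rule["dst"]):
                return name, rule_name, rule["then"]
        return name, None, "no-nat"
    return None, None, "no-nat"  # no rule-set covers this zone pair: packet leaves untranslated

def reversible_secrets(stmts):  # Junos '$9$' values are reversibly obfuscated, not hashed
    return [" ".join(t) for t in stmts if any(tok.startswith("$9$") for tok in t)]

def diagnose(text=CONFIG, tunnel_if=TUNNEL_IF):
    stmts = parse_set(text)
    zones, addrs, routes = interface_zones(stmts), interface_addrs(stmts), static_routes(stmts)
    rule_sets = nat_rule_sets(stmts)
    local_zone = zones.get(lookup(LOCAL_HOST, routes, addrs)[2])
    prefix, next_hop, egress = lookup(REMOTE_HOST, routes, addrs)
    nat = lambda to_zone, dst: source_nat_decision(rule_sets, local_zone, to_zone, LOCAL_HOST, dst)
    return {
        "tunnel_zone": zones.get(tunnel_if),
        "remote_route": (str(prefix), next_hop, egress),
        "remote_via_tunnel": egress == tunnel_if,
        "tunnel_path_nat": nat(zones.get(tunnel_if), REMOTE_HOST),  # zone pair tunnel traffic really uses
        "untrust_path_nat": nat("untrust", REMOTE_HOST),            # if the remote prefix leaves via untrust
        "internet_nat": nat("untrust", "203.0.113.5"),              # constructed Internet dst (TEST-NET-3)
        "reversible_secrets": reversible_secrets(stmts),
    }
```

Run against the lines as pasted, `diagnose()` reports st0.0 in zone `trust`, no rule-set for the `trust` to `trust` pair (so neither the interface NAT nor the `off` rule is in play on the tunnel path), the `NO-source-nat-rule` matching only when 172.16.0.0/16 is routed out `untrust`, and 172.16.0.0/16 following the default route rather than st0.0. The post mentions a test that routed everything through the tunnel, so that route may simply be missing from the paste; feeding the checker one extra line such as `set routing-options static route 172.16.0.0/16 next-hop st0.0` flips `remote_via_tunnel` to True. The same function can be pointed at a config that puts st0.0 in its own zone, in which case the rule-set for that zone pair is the one to inspect.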


