
[SRX] Traffic not passing through tunnel even if the VPN tunnel is up

Article ID: KB15524 KB Last Updated: 04 Nov 2020Version: 3.0
Summary:
Source NAT was being applied to all traffic, both Internet-bound and VPN tunnel traffic, so the VPN traffic was translated as well. The customer's requirement was to apply source NAT only to Internet traffic.
Symptoms:
The customer wants to NAT only the traffic destined for the Internet and does not want traffic through the VPN tunnel to be NAT'd.

Source NAT was configured for Internet access, and VPN traffic initiated from the network covered by that source NAT rule was NAT'd too. Once the source address is translated it typically no longer matches what the tunnel and the remote peer expect (the tunnel's proxy-IDs or the remote side's policies), so the traffic did not pass through the tunnel even though the tunnel was up. In Junos, NAT rule lookup and security policy lookup are performed separately: a source NAT rule matches any session that meets its match conditions, regardless of which security policy permits the session. (In ScreenOS, NAT is linked to the policy, i.e. source NAT has to be enabled in the policy itself.)

In many cases, customers create a source NAT rule whose match is source-address 0.0.0.0/0 and destination-address 0.0.0.0/0. Such a catch-all rule also matches traffic headed into the VPN tunnel.

Note: To tell whether traffic is being NAT'd, use the flow traceoptions with the basic-datapath flag (scope it with a packet-filter to the flow of interest, because this flag is verbose). If interface NAT is applied, the trace shows the private IP being translated to the interface's public IP address, and the dip id is 0/2. When NAT is not occurring, the id is 0/0.
Solution:
For VPN traffic, a rule that turns source NAT off has to be created, and it must be placed above the catch-all rule, because source NAT rules within a rule-set are evaluated top-down and the first matching rule wins. The rule is shown below:
[edit security nat]
root@DEV-FW1# show
source {
    rule-set test {
        from zone trust;
        to zone untrust;
        rule vpn-no-nat {
            match {
                source-address 192.168.1.0/24;
                destination-address 192.168.2.0/24;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule out-nat {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

{disabled:node0}[edit security nat]
root@DEV-FW1#

In the above example, "vpn-no-nat" is the rule that disables NAT for traffic from 192.168.1.0/24 to the remote VPN network 192.168.2.0/24. The second rule, "out-nat", with 0.0.0.0/0 as both source and destination, matches everything else and translates it to the egress interface address, i.e. traffic going to the Internet or any other destination. Because the first match wins, the order of the two rules is what makes this work.

IMPORTANT: Even after creating the above rule, if traffic still does not flow through the tunnel, deactivate all the rules, commit, then activate the rules and commit again. Note also that the new rule only affects new sessions; sessions that were established before the change keep their original translation until they time out or are cleared.
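The following CLI sequence is added here as an illustration and is not part of the original article. It shows how to move the exemption rule ahead of the catch-all with `insert`, confirm the resulting rule order, and then check whether a VPN flow is being translated, first with a trace scoped by a packet-filter (the approach the note above describes) and then with the session table. The rule-set and rule names, hostname and prefixes are taken from the configuration above; the trace file name `flow-trace` and the packet-filter name `vpn-pf` are arbitrary choices for this example.

```junos
# Configuration mode: make sure the exemption rule precedes the catch-all.
# Source NAT rules in a rule-set are evaluated top-down; first match wins.
[edit security nat source rule-set test]
root@DEV-FW1# insert rule vpn-no-nat before rule out-nat
root@DEV-FW1# commit

# Operational mode: confirm the tunnel is up and the rule order is as intended.
root@DEV-FW1> show security ipsec security-associations
root@DEV-FW1> show security nat source rule all

# Scope the flow trace to the VPN prefixes so the trace file does not fill up
# with Internet traffic (the basic-datapath flag is verbose and costs CPU).
[edit security flow traceoptions]
root@DEV-FW1# set file flow-trace size 10m files 3
root@DEV-FW1# set flag basic-datapath
root@DEV-FW1# set packet-filter vpn-pf source-prefix 192.168.1.0/24
root@DEV-FW1# set packet-filter vpn-pf destination-prefix 192.168.2.0/24
root@DEV-FW1# commit

# Send a test packet from the trust side (e.g. ping a 192.168.2.x host), then
# read the trace. A translated packet shows the private source rewritten to the
# interface address; an untranslated packet keeps its original source.
root@DEV-FW1> show log flow-trace | match "nat|dip"

# The session table is the quicker check: for an exempt flow the destination
# on the "Out" wing is still the original private source address, and for a
# route-based VPN the Out wing's interface is the st0 unit, not the
# Internet-facing interface.
root@DEV-FW1> show security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.2.0/24

# Sessions established before the rule change keep their old translation;
# clear them so the new rule is applied to fresh sessions.
root@DEV-FW1> clear security flow session source-prefix 192.168.1.0/24 destination-prefix 192.168.2.0/24

# Remove the trace when finished.
[edit security flow]
root@DEV-FW1# delete traceoptions
root@DEV-FW1# commit
```

The `# ...` lines are explanatory comments for the reader, not commands to type. Re-run the session lookup after clearing: if the Out wing still shows the interface's public address as the destination, the VPN flow is still hitting `out-nat`, which usually means the rule order or the zone pair of the rule-set does not cover the path the tunnel traffic actually takes.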
 
Modification History:
2020-10-28: Removed EOL/EOS product.