
[ScreenOS] NAT private IP addresses behind one public IP address in a route based VPN


Article ID: KB7774   Last Updated: 21 Dec 2019   Version: 7.0
Summary:

This article provides information on how to hide a private IP address behind a public IP address.
 

Symptoms:

Environment:

NAT Outgoing VPN packet source address as a specific public IP address.

Symptoms and Errors:

Hide private IP behind one IP in a public address range.
 

Solution:

Note: This article is applicable to ScreenOS 5.0 or later.

If you want to hide or masquerade the source of your VPN traffic as it reaches the other side of the VPN, the outgoing packet has to be source-NATed to the tunnel interface address before it enters the tunnel. To do this, the following requirements must be met:
  • The VPN tunnel must be a route-based VPN.
  • A numbered tunnel interface must be used.
  • When specifying the tunnel interface, use the numbered tunnel interface option and assign it the IP address that you want the traffic to be NAT'd out as.

For example:

Network diagram:
 

Internal LAN <10.1.1.0/24> -- Trust [firewall] Untrust - tunnel.1 -- <ISP> -- Remote End {Layer 3 device} -- Internal LAN <20.1.1.0/24>

set interface tunnel.1 zone untrust
set interface tunnel.1 ip 50.50.50.1/24

Then, configure the VPN as per the normal procedure (including the binding of the VPN to the correct tunnel interface and specifying the route for the destination network via the tunnel interface).

Configure the policy with source-based NAT that uses the egress interface address as the translated source IP address (which in this case is the tunnel interface address).

Example:

set policy from trust to untrust 10.1.1.0/24 20.1.1.0/24 any nat src permit

This causes any host with an IP address from 10.1.1.1 to 10.1.1.254 to be NAT'd out as 50.50.50.1 as its traffic traverses the VPN tunnel on its way to 20.1.1.0/24. The firewall on the remote side requires an incoming policy that allows 50.50.50.1/32 to communicate with 20.1.1.0/24.
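
The following is an added model of what the policy above does; it is illustrative Python, not ScreenOS code and not part of this article. It assumes the topology from the diagram (trust LAN 10.1.1.0/24 behind ethernet1, tunnel.1 in the untrust zone with address 50.50.50.1, remote LAN 20.1.1.0/24) and a remote firewall whose inbound policy only permits 50.50.50.1/32; the interface names on the remote end and the 10.1.1.254 / 50.50.50.2 interface addresses are assumptions. It shows that every trust host leaves the tunnel as 50.50.50.1 (with a translated source port, since interface-based source NAT is port-translated), that the remote policy admits the translated packet but would drop the untranslated one, and that the translation table maps the reply back to the original host.

```python
# Added illustrative model of ScreenOS-style policy source NAT over a numbered
# tunnel interface. Not ScreenOS code; interface names, the 10.1.1.254 and
# 50.50.50.2 addresses and the remote interface layout are assumptions.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_net: IPv4Network
    dst_net: IPv4Network
    permit: bool
    nat_src: bool = False  # the "nat src" keyword: translate to the egress interface IP


class Firewall:
    """Route lookup picks the egress interface (and so the zone); the first
    matching policy decides; 'nat src' rewrites the source to the egress
    interface address with a fresh port. Ingress zone is derived from a
    route lookup on the source, a simplification of the real ScreenOS flow."""

    def __init__(self, interfaces: Dict[str, Tuple[str, IPv4Address]],
                 routes: List[Tuple[IPv4Network, str]], policies: List[Policy]):
        self.interfaces = interfaces  # interface name -> (zone, interface ip)
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.policies = policies
        self._ports = count(1024)
        self.xlate: Dict[Tuple[IPv4Address, int], Tuple[IPv4Address, int]] = {}

    def _lookup(self, addr: IPv4Address) -> Optional[str]:
        for net, ifname in self.routes:  # longest prefix first
            if addr in net:
                return ifname
        return None

    def forward(self, pkt: Packet) -> Optional[Packet]:
        in_if, out_if = self._lookup(pkt.src), self._lookup(pkt.dst)
        if in_if is None or out_if is None:
            return None
        in_zone, _ = self.interfaces[in_if]
        out_zone, out_ip = self.interfaces[out_if]
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone) != (in_zone, out_zone):
                continue
            if pkt.src not in pol.src_net or pkt.dst not in pol.dst_net:
                continue
            if not pol.permit:
                return None
            if not pol.nat_src:
                return pkt
            new_sport = next(self._ports)
            self.xlate[(out_ip, new_sport)] = (pkt.src, pkt.sport)  # for the reply
            return replace(pkt, src=out_ip, sport=new_sport)
        return None  # no matching policy: default deny

    def untranslate(self, reply: Packet) -> Optional[Packet]:
        orig = self.xlate.get((reply.dst, reply.dport))
        return None if orig is None else replace(reply, dst=orig[0], dport=orig[1])


TRUST_LAN, REMOTE_LAN = ip_network("10.1.1.0/24"), ip_network("20.1.1.0/24")
TUNNEL_IP = ip_address("50.50.50.1")  # set interface tunnel.1 ip 50.50.50.1/24


def local_firewall() -> Firewall:
    # tunnel.1 in zone untrust, route to 20.1.1.0/24 via tunnel.1, nat src policy
    return Firewall(
        interfaces={"ethernet1": ("trust", ip_address("10.1.1.254")),
                    "tunnel.1": ("untrust", TUNNEL_IP)},
        routes=[(TRUST_LAN, "ethernet1"), (REMOTE_LAN, "tunnel.1")],
        policies=[Policy("trust", "untrust", TRUST_LAN, REMOTE_LAN, True, nat_src=True)])


def remote_firewall() -> Firewall:
    # Remote end only admits the translated address 50.50.50.1/32
    return Firewall(
        interfaces={"tunnel.1": ("untrust", ip_address("50.50.50.2")),
                    "ethernet1": ("trust", ip_address("20.1.1.1"))},
        routes=[(ip_network("50.50.50.0/24"), "tunnel.1"), (REMOTE_LAN, "ethernet1"),
                (ip_network("0.0.0.0/0"), "tunnel.1")],
        policies=[Policy("untrust", "trust", ip_network("50.50.50.1/32"), REMOTE_LAN, True)])


def demo() -> dict:
    local, remote = local_firewall(), remote_firewall()
    original = Packet(ip_address("10.1.1.7"), 40000, ip_address("20.1.1.5"), 443)
    on_wire = local.forward(original)           # what enters the tunnel
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return {"on_wire": on_wire,
            "accepted": remote.forward(on_wire) is not None,
            "without_nat": remote.forward(original) is not None,
            "returned": local.untranslate(reply)}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the packet leaving as 50.50.50.1:1024, accepted by the remote policy, the same packet without NAT being dropped by that policy, and the reply being mapped back to 10.1.1.7:40000.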

For a sample configuration, refer to Route Based VPN Configurations to Hide the Private IP Behind one Private IP.
 

Modification History:

2019-12-21: Content reviewed and validated.
