second VPN possible ?

Network Pro
Level 1

Hi,

I have attached the diagram of the network we are trying to achieve. We have an existing VPN tunnel between a Cisco ASA firewall, 172.22.30.6 (A end), and a Juniper firewall, 172.22.50.6 (B end). The router just forwards the packets.

Basically this VPN is between the 10 subnet at the A end and the 192 subnet at the B end. Since it's on a private cloud, our routers and ASA are in the 172.x.x.x range. We have NAT exempt on the Cisco ASA (between the 10.10.x.x and 192.x.x.x subnets). We have static routes on our core (A end) pointing the 192.x.x.x subnet through the firewall (172.22.30.1), and similarly for the B end pointing 10.x.x.x through the firewall 172.22.30.1. So at the A end, when a packet from the 10 subnet reaches the core, it sees it's a 192 subnet and sends it through the firewall; there is NO NAT, so it reaches the other end with the 10 address. Similarly the other end sees it's a 10 address and points it back to the 172.22.50.1 firewall. No problem with this; this works great.

Now there is a need for a VPN between the second Juniper firewall at the A end and the Juniper firewall at the B end, alongside the existing tunnel. How we have approached it is, we have a 1:1 NAT (172.22.30.73 NATs back to 10.10.19.73) on the Cisco ASA. So the Juniper firewall at the B end is using a peer address of 172.22.30.73, which NATs back to 10.10.19.73, but the tunnel doesn't seem to come up on the Juniper firewall. Is this setup possible, or are we missing something?

I am thinking that since we have a NAT exempt (between the 10.10.x.x subnet and the 192.168.x.x subnet), this is causing the problem. We are using the peer address 172.22.30.73, but since this gets NATed to 10.10.19.73 (and there is a NAT exemption between the 10.10.x.x range and the 192.x.x.x range), would this cause the issue?

Any thoughts please? If I am unclear on anything, please let me know.


Thanks

3 Replies

rizwanr74
Level 7

Can you narrow down the NAT 10.10.19.73 -> 172.22.30.73 to a specific port instead of just IP to IP?

Because you cannot have it both ways, meaning IP-to-IP NAT being done 10.10.19.73 -> 172.22.30.73 and pass-through IP traffic (without port specification) going through the ASA at 172.22.30.6 at the same time.

Either you can have the cake or eat the cake while on IP-to-IP, unless you change the NAT 10.10.19.73 -> 172.22.30.73 to a specific port.

I hope it makes sense to you.

Thanks Rizwan. I have been on other stuff and not able to try this. I will give this a shot next week and update. Thanks for the valuable info.
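To make the two interacting NAT rules from the question concrete, here is an ASA configuration sketch written for this thread; it is an added example, not the poster's or Cisco's actual configuration. Object names, the /16 masks, the interface names `inside`/`outside`, and the B-end peer placeholder are assumptions. It shows the NAT exempt (identity twice NAT) that the existing tunnel relies on, the whole-address 1:1 static NAT for the A-end Juniper that the poster described, and the port-restricted variant rizwanr74 suggested, with `packet-tracer` as the check for which rule actually wins.

```cisco
! Added example for this thread (not the poster's config). Object names and masks are assumed.

! --- Section 1: manual (twice) NAT. The ASA evaluates this section before object NAT. ---
! NAT exempt: 10.10.x.x <-> 192.168.x.x crosses the existing ASA-Juniper tunnel untranslated.
object network A-END-10NET
 subnet 10.10.0.0 255.255.0.0
object network B-END-192NET
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source static A-END-10NET A-END-10NET destination static B-END-192NET B-END-192NET no-proxy-arp route-lookup

! --- Section 2: object NAT. The whole-address 1:1 translation from the question. ---
! 10.10.19.73 is inside A-END-10NET, so any of its traffic whose destination falls in
! 192.168.x.x matches the identity rule above first and leaves with its real 10.10.19.73
! source; this rule is only reached for destinations outside that range.
object network JUNIPER-A-INSIDE
 host 10.10.19.73
 nat (inside,outside) static 172.22.30.73

! --- Variant from the reply: static PAT limited to specific ports instead of IP-to-IP. ---
! A network object carries one nat statement, so each port gets its own object.
! IKE uses UDP/500; with NAT-T, IKE and ESP both move to UDP/4500. Plain ESP (IP protocol 50)
! has no ports, so a per-port rule cannot carry it: the second tunnel has to use NAT-T.
object network JUNIPER-A-IKE
 host 10.10.19.73
 nat (inside,outside) static 172.22.30.73 service udp 500 500
object network JUNIPER-A-NATT
 host 10.10.19.73
 nat (inside,outside) static 172.22.30.73 service udp 4500 4500

! --- Check: which NAT rule a simulated IKE packet from the A-end Juniper actually hits. ---
! <B-END-JUNIPER-IP> is a placeholder for the B-end Juniper's peer address, not given in the thread.
! packet-tracer input inside udp 10.10.19.73 500 <B-END-JUNIPER-IP> 500 detailed
! show nat detail
```

The `NAT` phase of the `packet-tracer` output names the matching rule and the translated source address. If it reports the identity rule with an untranslated 10.10.19.73 source while the B-end Juniper expects a peer of 172.22.30.73, the two rules are overlapping in the way the question suspects; if it reports the static rule, the NAT side is fine and the next thing to compare is the IKE peer and proxy-ID configuration on the two Junipers.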

mudjain
Level 1

The setup that you have shown in the diagram should be functional. Can you please see if you are able to ping from the Juniper at A to the Juniper at B or not?

Provided the crypto ACL is different for the two tunnels.
