I have attached the diagram of the network we are trying to achieve. We have an existing VPN tunnel between a Cisco ASA firewall - 172.22.30.6 (A End) and a Juniper firewall - 172.22.50.6 (B End). The router is just there to forward the packets.
Basically this VPN is between the 10 subnet of the A End and the 192 subnet of the B End. Since it is on a private cloud, our routers and ASA are on the 172.x.x.x range. We have NAT EXEMPT on the Cisco ASA (between the 10.10.x.x and 192.x.x.x subnets). We have static routes on our core (A End) pointing the 192.x.x.x subnet through the firewall (172.22.30.1), and similarly for the B End pointing 10.x.x.x through firewall 172.22.30.1. So at the A End, when a packet from the 10 subnet reaches the core, the core sees it is for the 192 subnet and sends it through the firewall; there is NO NAT, so it reaches the other end with the 10 address. Similarly the other end sees it is a 10 address and points it back to the 172.22.50.1 firewall. No problem with this; it works great.
Now there is a need for a VPN between the second Juniper firewall at the A End and the Juniper firewall at the B End alongside the existing tunnel. How we have approached it is: we have a 1:1 NAT (172.22.30.73 NATs back to 10.10.19.73) on the Cisco ASA. So the Juniper firewall at the B End is using a peer address of 172.22.30.73, which NATs back to 10.10.19.73 - but the tunnel doesn't seem to come up on the Juniper firewall. Is this setup possible, or are we missing something?
I am thinking that since we have a NAT exempt (between the 10.10.x.x subnet and the 192.168.x.x subnet), this is causing the problem. As we are using the peer address 172.22.30.73, but this gets NATed to 10.10.19.73 (and there is a NAT exemption between the 10.10.x.x range and the 192.x.x.x range), would this cause the issue?
Any thoughts please? If I am unclear on anything, please let me know.
Can you narrow down the NAT 10.10.19.73 -> 172.22.30.73 to a specific port instead of just IP to IP?
Because you cannot have it both ways, meaning IP-to-IP NAT being done 10.10.19.73 -> 172.22.30.73 and pass-through IP traffic going (without port specification) through the ASA at 172.22.30.6 at the same time.
Either you can have the cake or eat the cake while being on IP-to-IP, unless you change the NAT 10.10.19.73 -> 172.22.30.73 to a specific port.
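The port-specific static NAT the reply recommends, written out as an added ASA 8.3+ configuration example (constructed for this thread, not the poster's or the vendor's config): the object names, the /16 masks, and the choice of IKE UDP 500 and NAT-T UDP 4500 as the ports are assumptions.

```text
! NAT exemption (identity twice NAT) between the 10.10.x.x and 192.168.x.x
! subnets as the question describes. Manual NAT in this section is evaluated
! before object NAT, so it keeps site-to-site traffic untranslated.
object network NET-10-10
 subnet 10.10.0.0 255.255.0.0
object network NET-192-168
 subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source static NET-10-10 NET-10-10 destination static NET-192-168 NET-192-168 no-proxy-arp route-lookup

! The approach from the question, shown only for contrast: a plain 1:1
! static NAT that claims every protocol and port of 172.22.30.73.
! object network JUNIPER-A-INSIDE
!  host 10.10.19.73
!  nat (inside,outside) static 172.22.30.73

! The reply's alternative: translate only the ports the IKE peer needs.
! Assumption: the Junipers negotiate IKE on UDP 500 and run NAT-T on UDP 4500.
! ESP (IP protocol 50) carries no port, so NAT-T must be enabled on both
! Junipers for the encrypted traffic to pass through this port-level NAT.
object network JUNIPER-A-IKE
 host 10.10.19.73
 nat (inside,outside) static 172.22.30.73 service udp 500 500
object network JUNIPER-A-NATT
 host 10.10.19.73
 nat (inside,outside) static 172.22.30.73 service udp 4500 4500
```

The outside interface ACL still has to permit UDP 500 and 4500 from the B End peer to 172.22.30.73 before the translation is used; check hits with `show nat detail` and the ACL hit counts rather than assuming the translation alone is enough.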