Hi,
I have some external workers on site who connect to their own company's VPN.
Our SRX doesn't let them connect by default. I read that I need to disable port translation.
I see traffic hitting the created rule, but when it comes in it's hitting another IP that I made for the SRX external interface, configured with proxy ARP.
local IP: 1.1.1.1
VPN IP: 9.9.9.9
main SRX IP: 10.10.10.1
proxy ARP SRX IP: 10.10.10.2
Session ID: 381059, Policy name: mortgage-to-untrust/32, Timeout: 58, Valid
In: "1.1.1.1"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 3, Bytes: 1932
Out: "9.9.9.9"/500 --> "10.10.10.2"/500;udp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
Basically it's not coming in on the main public IP of the SRX but on that proxy ARP IP that I set to enable people to VPN into us (this is configured for a different rule / zone).
Here is what I have done:
set security nat source pool gre-nat-pool address "10.10.10.1"
set security nat source pool gre-nat-pool port no-translation
set security nat source rule-set mortgage-to-untrust from zone Mortgage-Insurance
set security nat source rule-set mortgage-to-untrust to zone untrust
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat match source-address 0.0.0.0/0
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat match destination-address "9.9.9.9"
set security nat source rule-set mortgage-to-untrust rule mortgage-gre-nat then source-nat pool gre-nat-pool
set security nat source rule-set mortgage-to-untrust rule mortgage-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set mortgage-to-untrust rule mortgage-nat-rule then source-nat interface
I have read lots about NAT but it's still confusing me at the moment. How come they are not allowed to VPN out by default from the SRX when all applications etc. are enabled, as shown below?
show security policies from-zone Mortgage-Insurance to-zone untrust
policy mortgage-to-untrust {
    match {
        source-address Mortgage-Insurance;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
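The session output quoted in the post already contains the evidence that matters: the reverse ("Out") wing shows which address the peer is replying to, i.e. the translated source, and its packet counter shows whether the peer ever answered. The following is an added example, not part of the original post or any Juniper tool: a small Python parser for `show security flow session` style output that flags sessions to a given VPN peer whose translated source is not the address the NAT pool was meant to use, and sessions whose reverse wing has never carried a packet. The sample text is constructed, reusing the placeholder addresses (1.1.1.1, 9.9.9.9, 10.10.10.x) from the post; the expected pool address and peer address are passed in by the caller.

```python
import re
from dataclasses import dataclass

# Header line: "Session ID: 381059, Policy name: mortgage-to-untrust/32, Timeout: 58, Valid"
SESSION_RE = re.compile(
    r'Session ID:\s*(\d+),\s*Policy name:\s*(\S+),\s*Timeout:\s*(\d+),\s*(\w+)'
)
# Wing line: 'In: "1.1.1.1"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 3, Bytes: 1932'
WING_RE = re.compile(
    r'(In|Out):\s*"([^"]+)"/(\d+)\s*-->\s*"([^"]+)"/(\d+);(\w+),'
    r'\s*If:\s*([^,]+),\s*Pkts:\s*(\d+),\s*Bytes:\s*(\d+)'
)

# Constructed sample: the session from the post plus two made-up sessions for contrast.
SAMPLE = """\
Session ID: 381059, Policy name: mortgage-to-untrust/32, Timeout: 58, Valid
In: "1.1.1.1"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 3, Bytes: 1932
Out: "9.9.9.9"/500 --> "10.10.10.2"/500;udp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
Session ID: 381060, Policy name: mortgage-to-untrust/32, Timeout: 1800, Valid
In: "1.1.1.2"/500 --> "9.9.9.9"/500;udp, If: vlan.68, Pkts: 12, Bytes: 7700
Out: "9.9.9.9"/500 --> "10.10.10.1"/500;udp, If: ge-0/0/5.0, Pkts: 11, Bytes: 7012
Session ID: 381061, Policy name: mortgage-to-untrust/32, Timeout: 1800, Valid
In: "1.1.1.3"/51234 --> "8.8.8.8"/443;tcp, If: vlan.68, Pkts: 40, Bytes: 20000
Out: "8.8.8.8"/443 --> "10.10.10.1"/51234;tcp, If: ge-0/0/5.0, Pkts: 38, Bytes: 41000
"""


@dataclass
class Session:
    sid: int
    policy: str
    orig_src: str
    orig_dst: str
    proto: str
    dst_port: int
    in_if: str
    nat_src: str      # address the peer replies to, i.e. the translated source
    nat_port: int     # translated source port (equal to the original when ports are not translated)
    out_if: str
    in_pkts: int
    out_pkts: int


def parse_sessions(text):
    """Parse session header and In/Out wing lines into Session records."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {'sid': int(m.group(1)), 'policy': m.group(2)}
            continue
        m = WING_RE.search(line)
        if not (m and cur):
            continue
        wing, src, sport, dst, dport, proto, ifname, pkts, _bytes = m.groups()
        if wing == 'In':
            cur.update(orig_src=src, orig_dst=dst, proto=proto, dst_port=int(dport),
                       in_if=ifname.strip(), in_pkts=int(pkts))
        else:
            # The reverse wing's destination is the translated source of the initiator.
            cur.update(nat_src=dst, nat_port=int(dport), out_if=ifname.strip(), out_pkts=int(pkts))
            sessions.append(Session(**cur))
            cur = None
    return sessions


def wrong_translation(sessions, peer, expected_nat_src):
    """Sessions to `peer` whose translated source is not the intended pool address."""
    return [s for s in sessions if s.orig_dst == peer and s.nat_src != expected_nat_src]


def no_reply(sessions):
    """Sessions whose reverse wing has never carried a packet (peer never answered)."""
    return [s for s in sessions if s.out_pkts == 0]


if __name__ == '__main__':
    sess = parse_sessions(SAMPLE)
    for s in wrong_translation(sess, '9.9.9.9', '10.10.10.1'):
        print(f'session {s.sid}: translated to {s.nat_src}, expected 10.10.10.1')
    for s in no_reply(sess):
        print(f'session {s.sid}: no reply from {s.orig_dst} on {s.out_if}')
```

Feed it the output of `show security flow session` for the relevant destination and it isolates exactly the two facts the post is about: which address the peer sees as the source, and whether that peer has ever sent anything back.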