09-26-2011 11:04 AM
Hi all,
I've got a situation which I'm having a little trouble with. My customer has an SRX100 firewall with a 192.168.2.0/24 subnet behind it. This subnet contains all their servers. The SRX is located in a datacenter and they all connect from their office over the VPN. The subnet in the office is 192.168.3.0/24, so routing and everything works fine! The tunnel is route based.
My problem is that they need another VPN from the SRX to a financial company that is also using the 192.168.2.0/24 subnet. I somehow have to NAT (source?) the 192.168.2.0 subnet to something different so the VPN can be made. I can't just do a NAT from 192.168.2.0 to 192.168.16.0, for example, because then the VPN from the datacenter to their office would no longer work.
Before I mess things up, I want to know how to do this. I've created a new VPN to the financial office on a new st0 interface (st0.4 in this case). In addition, I've created a source NAT rule as stated below:
rule-set Nat-ctb {
    from zone trust;
    to interface st0.4;
    rule source-nat-ctb {
        match {
            source-address 192.168.2.0/24;
            destination-address 192.168.16.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
Is this the way to go, or will it NAT all 192.168.2.0 addresses to 192.168.16.0? I only want it to NAT on the st0.4 interface. Maybe use destination NAT for the incoming traffic from the remote VPN?
Any help would be very appreciated.
09-29-2011 07:52 AM
If I'm correct about what you are trying to do, then the following documentation should help:
http://kb.juniper.net/kb/documents/public/junos/js
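Below is an added worked configuration for the overlapping-subnet setup described in the question; it is not from the original thread and not the contents of the linked Juniper KB article. Two things in the poster's rule would cause problems: an interface source NAT hides every server behind the single st0.4 address with port translation, so the financial company could never initiate connections to an individual server, and a rule-set scoped only by "to interface" is easy to get wrong when the same zone also feeds the office tunnel. The example instead puts st0.4 in its own security zone and uses one static NAT rule, which on the SRX is bidirectional: inbound packets to 192.168.16.x are translated to 192.168.2.x, and the reverse source translation is applied automatically to sessions the servers open toward that zone. Assumptions (none are stated in the post): the new zone is named vpn-finance, the financial company hides its own 192.168.2.0/24 behind 192.168.17.0/24 on their side, and the IKE/IPsec configuration binding the tunnel to st0.4 already exists. The zone, rule-set, policy and address names are placeholders.

```junos
## Added example (set-command format), not the original poster's config or the KB's.
## Assumed names: zone vpn-finance, rule-set finance-overlap, addresses srv-net and
## finance-net-natted. Assumed remote-side translation: their 192.168.2.0/24 -> 192.168.17.0/24.

## 1. Give the financial tunnel its own zone. The office tunnel (st0.0) keeps its
##    existing zone, so nothing below can touch office traffic.
set security zones security-zone vpn-finance interfaces st0.4

## 2. Route the remote side's translated prefix into the tunnel. The real
##    192.168.2.0/24 remains the directly connected server LAN.
set routing-options static route 192.168.17.0/24 next-hop st0.4

## 3. Static NAT, scoped to sessions arriving from (or leaving toward) vpn-finance:
##      inbound  from tunnel: dst 192.168.16.x -> 192.168.2.x (1:1, before route lookup)
##      outbound to tunnel:   src 192.168.2.x  -> 192.168.16.x (reverse of the same rule)
set security nat static rule-set finance-overlap from zone vpn-finance
set security nat static rule-set finance-overlap rule servers-1to1 match destination-address 192.168.16.0/24
set security nat static rule-set finance-overlap rule servers-1to1 then static-nat prefix 192.168.2.0/24

## 4. Address-book entries (zone-based syntax). Policy lookup happens after
##    destination NAT, so policies reference the real server addresses.
set security zones security-zone trust address-book address srv-net 192.168.2.0/24
set security zones security-zone vpn-finance address-book address finance-net-natted 192.168.17.0/24

## 5. Policies. Replace "application any" with the services the financial
##    company actually needs; permitting any is only here to keep the example short.
set security policies from-zone trust to-zone vpn-finance policy to-finance match source-address srv-net
set security policies from-zone trust to-zone vpn-finance policy to-finance match destination-address finance-net-natted
set security policies from-zone trust to-zone vpn-finance policy to-finance match application any
set security policies from-zone trust to-zone vpn-finance policy to-finance then permit
set security policies from-zone vpn-finance to-zone trust policy from-finance match source-address finance-net-natted
set security policies from-zone vpn-finance to-zone trust policy from-finance match destination-address srv-net
set security policies from-zone vpn-finance to-zone trust policy from-finance match application any
set security policies from-zone vpn-finance to-zone trust policy from-finance then permit
```

Two checks before committing. First, if the financial company's gateway is policy-based, the proxy IDs (traffic selectors) on the st0.4 VPN must be the translated prefixes, local 192.168.16.0/24 and remote 192.168.17.0/24, not the real 192.168.2.0/24 on either side, or phase 2 will never come up. Second, after a test connection, `show security flow session destination-prefix 192.168.17.0/24` should show the server's source rewritten to 192.168.16.x on the st0.4 leg only, while `show security flow session destination-prefix 192.168.3.0/24` should show office sessions with untranslated 192.168.2.x sources, which confirms the NAT is confined to the finance zone.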