Screen OS

  • 1.  NAT from VIP to route based VPN

    Posted 01-17-2014 04:35

    Hello,

     

    I'm trying to achieve the following (see attached drawing). On site A, I have a webserver (192.168.10.27) behind a SSG5. The SSG5 has a site-to-site route based VPN to a NS5gt. The NS5gt has a public IP (X.X.X.57/22) in the same subnet as the SSG5 (X.X.X.59/22). I would like a browser to access IP X.X.X.57 and hit the webserver through the VPN.

     

    Moreover, the public subnet /22 is assigned by the provider but there is only 1 fixed IP address per Firewall. And the VPN should be kept "as is" if possible because it's needed to transport VoIP between site A and B.

     

    Currently I have tried with a VIP on NS5 (same-as-interface) and a policy with source NAT. Traffic is reaching site A but the source is X.X.X.57 and the packet is dropped because the source is in the subnet of interface eth0/0 (I think).

     

    Here is some excerpt of the config of NS5:

    set interface untrust vip interface-ip 80 "HTTP" 192.168.10.27 manual

    set policy id 19 from "Untrust" to "Untrust"  "Any" "VIP(untrust)" "HTTP" nat src permit log

     

    Any clue on how to do this?

     

    Thanks in advance,

    Nicolas



  • 2.  RE: NAT from VIP to route based VPN

    Posted 01-17-2014 10:51

    I have a configuration sample for this posted in the configuration library forum.  You need to do both source and destination nat before sending the traffic down the tunnel.

     

    ScreenOS – Remote Site Server Published on Local Site Public IP Address

     

    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Remote-Site-Server-Published-on-Local-Site-Public-IP/m-p/82780#M242



  • 3.  RE: NAT from VIP to route based VPN

    Posted 01-20-2014 01:21

    Thanks for your prompt answer,

     

    I've tried to implement that but I'm still not done with it. I'm now facing some problems with DIP. Because my tunnels are bound to the eth0/0 in the Untrust zone. This means that I must use a DIP to do the source NAT (correct me if I'm wrong). But if I try to do a DIP on the bgroup0 it won't work because the DIP is not on the same interface as the policy (policy from Untrust to Untrust).

     

    These are the commands I tried:

    set interface bgroup0 dip 4 192.168.12.250 192.168.12.250 scale-size 1
    set policy id 577664 from untrust to untrust Any srv_192.168.10.27 HTTP nat src dip-id 4 dst ip 192.168.10.27 permit log
    set policy id 577664
    set service HTTPS
    set log session-init
    unset notify-conn-close
    exit

     

    But the result is : "DIP 4 doesn't belong to src/dst zone"

     

    What am I missing?

     

    Best regards,

    Nicolas



  • 4.  RE: NAT from VIP to route based VPN

    Posted 01-20-2014 03:06

    A source nat dip must belong to the egress interface as the nat occurs as the packet leaves the firewall.

     

    Just create your dip on the tunnel interface and select the "extended ip subnet" option with the range for the bgroup0 subnet.



  • 5.  RE: NAT from VIP to route based VPN
    Best Answer

    Posted 01-21-2014 08:46

    Thank you, this time it works. However I could not use destination NAT because the IP on the untrust interface is the same used for the server. Thus I used almost the same rule but with a VIP. Here is a bit of the config used:

     

    set vip multi-port
    set interface untrust vip interface-ip 80 "HTTP" 192.168.10.27 manual
    set interface untrust vip interface-ip 443 "HTTPS" 192.168.10.27 manual

    set interface tunnel.1 ext ip 192.168.12.251/22 dip 4 192.168.12.251 192.168.12.251
    set policy id 19 from untrust to untrust Any VIP(untrust) HTTP nat src dip-id 4 permit log
    set policy id 19
    set service HTTPS
    set log session-init
    exit

    And another trick I had to find is that the subnet mask of the ext IP on the tunnel must be the same as the one on the interface (Untrust) to which it is bound. This means in my case that the ext ip is 192.168.12.251/22 ! But it works.

     

    Nicolas
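Added example (not from the thread or from Juniper): a small Python linter that checks a ScreenOS config excerpt for the two pitfalls this thread turned up, a source-NAT DIP sitting on an interface outside the policy's egress zone, and a tunnel ext ip whose prefix length differs from the interface the tunnel is unnumbered to. The `set interface ... zone` and `ip unnumbered interface` lines and the 203.0.113.57/22 address in the sample are constructed assumptions, not the poster's config.

```python
import re

# Constructed ScreenOS excerpt (addresses are not the thread's) for the NS5GT side,
# reproducing both pitfalls: a DIP on bgroup0, and a tunnel ext ip mask unlike eth0/0.
SAMPLE_CONFIG = """
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.57/22
set interface bgroup0 zone trust
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface bgroup0 dip 4 192.168.12.250 192.168.12.250
set interface tunnel.1 ext ip 192.168.12.251/24 dip 5 192.168.12.251 192.168.12.251
set policy id 19 from untrust to untrust Any VIP(untrust) HTTP nat src dip-id 4 permit log
set policy id 20 from untrust to untrust Any VIP(untrust) HTTP nat src dip-id 5 permit log
"""

ZONE_RE = re.compile(r"^set interface (\S+) zone (\S+)$")
IP_RE = re.compile(r"^set interface (\S+) ip \d+\.\d+\.\d+\.\d+/(\d+)$")
UNNUM_RE = re.compile(r"^set interface (\S+) ip unnumbered interface (\S+)$")
DIP_RE = re.compile(r"^set interface (\S+) (?:ext ip \S+/(\d+) )?dip (\d+) ")
POLICY_RE = re.compile(r"^set policy id (\d+) from (\S+) to (\S+) .* nat src dip-id (\d+)")

def lint_dip_config(config):
    # One finding string per mistake; an empty list means the DIPs are consistent.
    zone, mask, unnumbered, dip_iface, ext_mask, policies = {}, {}, {}, {}, {}, []
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zone[m[1]] = m[2].lower()
        elif m := IP_RE.match(line):
            mask[m[1]] = m[2]
        elif m := UNNUM_RE.match(line):
            unnumbered[m[1]] = m[2]
        elif m := DIP_RE.match(line):
            dip_iface[m[3]], ext_mask[m[3]] = m[1], m[2]  # m[2] is None for a plain DIP
        elif m := POLICY_RE.match(line):
            policies.append((m[1], m[3].lower(), m[4]))  # (id, egress zone, dip-id)
    findings = []
    for pol_id, egress, dip in policies:
        iface = dip_iface.get(dip)
        # Source NAT is applied on egress, so the DIP must sit on an interface in the
        # policy's destination zone, else "DIP <n> doesn't belong to src/dst zone".
        if zone.get(iface) != egress:
            findings.append(f"policy {pol_id}: dip-id {dip} on {iface} (zone {zone.get(iface)}) is not in egress zone {egress}")
    for dip, iface in dip_iface.items():
        bound = unnumbered.get(iface)
        # A tunnel ext ip needs the same prefix length as the interface it is unnumbered to.
        if ext_mask[dip] and bound in mask and ext_mask[dip] != mask[bound]:
            findings.append(f"dip-id {dip}: ext ip /{ext_mask[dip]} on {iface} differs from /{mask[bound]} on {bound}")
    return findings
```

Running `lint_dip_config(SAMPLE_CONFIG)` reports policy 19 (DIP 4 on bgroup0 in zone trust) and the /24 ext ip on tunnel.1 versus /22 on ethernet0/0; moving the policy to dip-id 5 and changing the ext ip to /22 clears both findings.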

     



  • 6.  RE: NAT from VIP to route based VPN

    Posted 01-26-2016 05:43

    Thanks. I needed this today 🙂 It worked like a charm.