ScreenOS Firewalls (NOT SRX)
Contributor
r0mm3L
Posts: 77
Registered: 05-11-2008

NAT on policy-based VPN , other end is Checkpoint Firewall

Is it possible to implement NAT on a policy-based VPN? Or should I use route-based, with no other option?

Because the other end is a Checkpoint firewall; I usually use policy-based when the other end is non-Juniper.

Trusted Contributor
Gavrilo
Posts: 279
Registered: 07-14-2008

Re: NAT on policy-based VPN , other end is Checkpoint Firewall

Hi,

You can use nat-src in a tunnel policy; however, your proxy ID parameters would be altered and you will get problems establishing phase 2 with the Check Point box.

NAT on a tunnel policy is not the best idea, but route-based VPNs are better suited to NAT.

If only one subnet needs to be routed on each side of the VPN then you might be better off configuring a route-based VPN and manually configuring the proxy ID to match what the other end is expecting. If multiple subnets need to be tunnelled then you have to use a policy-based VPN.

Gavrilo
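As an added example (not from Gavrilo's post, and not Juniper's own documentation), here is the ScreenOS side of the route-based arrangement described above: the VPN is bound to a tunnel interface, the proxy ID is set by hand to the translated address the Check Point side expects, and source NAT is applied on the policy through a DIP pool on that tunnel interface. Every name, address and the pre-shared key is a constructed placeholder, the `#` lines are annotations rather than CLI input, and the command syntax is quoted from memory of ScreenOS and should be checked against the CLI reference for the release in use.

```screenos
# Constructed example: route-based VPN to a non-Juniper peer with
# source NAT on the tunnel interface. Addresses are documentation ranges.

# Tunnel interface in the untrust zone, borrowing the outside address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# DIP pool on the tunnel interface: the translated source address the
# Check Point side will see (a single-address pool, 172.16.1.1)
set interface tunnel.1 dip 5 172.16.1.1 172.16.1.1

# Address book entries for the real inside subnet and the remote subnet
set address trust "inside_net" 10.1.1.0 255.255.255.0
set address untrust "checkpoint_net" 192.168.50.0 255.255.255.0

# Phase 1 gateway to the Check Point peer (main mode, pre-shared key)
set ike gateway gw_checkpoint address 203.0.113.1 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER_PSK" sec-level standard

# Phase 2 VPN bound to the tunnel interface
set vpn vpn_checkpoint gateway gw_checkpoint sec-level standard
set vpn vpn_checkpoint bind interface tunnel.1

# Proxy ID declares the NATed address, not the real inside subnet, so it
# matches the encryption domain configured on the peer
set vpn vpn_checkpoint proxy-id local-ip 172.16.1.1/32 remote-ip 192.168.50.0/24 "ANY"

# Route the remote subnet into the tunnel
set route 192.168.50.0/24 interface tunnel.1

# Policy with source NAT via the DIP pool; translation happens before
# encryption, so traffic inside the tunnel carries the 172.16.1.1 source
# that the proxy ID above declares
set policy id 10 from trust to untrust "inside_net" "checkpoint_net" any nat src dip-id 5 permit
```

On the Check Point side the encryption domain for this peer must then contain 172.16.1.1/32, not 10.1.1.0/24, or phase 2 will still fail on the proxy ID mismatch.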

Contributor
dwayne
Posts: 32
Registered: 06-22-2009

Re: NAT on policy-based VPN , other end is Checkpoint Firewall

Policy-based VPN on Juniper is pretty straightforward; I've configured this one on most of my VPN deployments regardless of any 3rd-party firewalls, and it is working.

Policy-based VPN is for Juniper to 3rd-party firewalls.

Route-based VPN is for Juniper to Juniper firewalls.

Contributor
r0mm3L
Posts: 77
Registered: 05-11-2008

Re: NAT on policy-based VPN , other end is Checkpoint Firewall

Hi dwayne,

My point is about configuring NAT (our client suddenly required us to configure NAT) on a policy-based VPN, because I noticed that people always go for route-based when there is NAT.

By the way, my policy-based VPN to Checkpoint does not have any problem right now.

But if I switched to a route-based VPN due to the NAT requirement, my concern is that there might be issues, because I always go for policy-based when the other end is a 3rd-party firewall.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.