04-07-2011 08:02 PM
Is it possible to implement NAT on a policy-based VPN, or should I use route-based and no other option?
Because the other end is a Check Point firewall; I usually use policy-based when the other end is non-Juniper.
04-08-2011 01:09 AM
You can use nat-src in a tunnel policy; however, your proxy-ID parameters would be altered and you will get problems establishing Phase 2 with the Check Point box.
NAT on a tunnel policy is not the best idea; route-based VPNs are better suited to NAT.
If only one subnet needs to be routed on each side of the VPN, then you might be better off configuring a route-based VPN and manually configuring the proxy-ID to match what the other end is expecting. If multiple subnets need to be tunnelled, then you have to use a policy-based VPN.
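The route-based arrangement described in the reply above, written out as an added example in ScreenOS CLI syntax (it is not configuration posted by anyone in this thread). Every address, interface, gateway and VPN name is a constructed placeholder: the local LAN is 10.1.1.0/24, the Check Point side is 192.168.2.0/24, the single translated address is 172.16.1.10, and the VPN terminates on ethernet0/2. Lines beginning with ## are annotations for the reader, not ScreenOS commands, and the proposal names assume the platform's built-in pre-g2-aes128-sha / g2-esp-aes128-sha proposals exist.

```screenos
## Address book entries (constructed example values)
set address trust "local-lan" 10.1.1.0 255.255.255.0
set address untrust "remote-lan" 192.168.2.0 255.255.255.0

## DIP pool on the egress interface: the one translated address the
## Check Point encryption domain will see as our local network
set interface ethernet0/2 dip 5 172.16.1.10 172.16.1.10

## Tunnel interface makes the VPN route-based instead of policy-based
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/2

## Phase 1 / Phase 2 (gateway address and PSK are placeholders)
set ike gateway "gw-cp" address 203.0.113.1 main outgoing-interface ethernet0/2 preshare "<PSK-PLACEHOLDER>" proposal "pre-g2-aes128-sha"
set vpn "vpn-to-cp" gateway "gw-cp" proposal "g2-esp-aes128-sha"
set vpn "vpn-to-cp" bind interface tunnel.1

## Manually pinned proxy-ID: the local side is the *translated* address,
## so it matches the peer regardless of what the NAT policy does
set vpn "vpn-to-cp" proxy-id local-ip 172.16.1.10/32 remote-ip 192.168.2.0/24 "ANY"

## Send the remote subnet into the tunnel
set route 192.168.2.0/24 interface tunnel.1

## Plain permit policy with source NAT. There is no "tunnel vpn" action
## here, so the policy's addresses never feed into the proxy-ID.
set policy from trust to untrust "local-lan" "remote-lan" "ANY" nat src dip-id 5 permit
```

The point of the layout is that the proxy-ID is fixed once on the vpn object, while NAT lives in an ordinary permit policy; on a tunnel policy the two are tied together, which is why adding nat-src there changes the Phase 2 identifiers the peer sees. On the Check Point side the encryption domain for this gateway must contain 172.16.1.10/32 (not 10.1.1.0/24), and `get sa` on the Juniper box showing the SA as Active with `get vpn` reporting the manual proxy-ID is the quick check that both ends agree.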
04-10-2011 10:40 PM
Policy-based VPN on Juniper is pretty straightforward; I've configured this on most of my VPN deployments regardless of any 3rd-party firewalls, and it is working.
Policy-based VPN is for Juniper to 3rd-party firewalls.
Route-based VPN is for Juniper to Juniper firewalls.
04-12-2011 12:27 AM
My point is about configuring NAT (our client suddenly required us to configure NAT) on a policy-based VPN, because I noticed that people always go for route-based when there is NAT.
By the way, my policy-based VPN to Check Point does not have any problem right now.
But if I switch to a route-based VPN due to the NAT requirement, my concern is that there might be issues, because I always go for policy-based when the other end is a 3rd-party firewall.