ScreenOS Firewalls (NOT SRX)
Visitor
ecornwell
Posts: 7
Registered: ‎12-06-2007
0

NS-5GT VPN Setup Help with Policy Based VPN

Hello,
 
I am pretty new to Juniper hardware. I have a NS-5GT that I would like to establish a VPN with to a NS204. I've gotten the configs from other devices and I've been able to set up the policy-based VPN and I believe it is working OK except for one little problem.
 
We've typically carved off a small subnet for VPN clients. (/28 network)  I have a pre-existing network in place and I would like to blend the two together and I'm unsure how. (Or even if it is possible.)
 
I have a 192.168.0.1/24 network at home and my overall goal would be to map a few of the addresses I have to the 192.168.3.240/28 network I can use. I'll need to be able to talk to others on the 192.168.3.x/28 network so I can't use the whole range for myself.
 
For example, I want to map my PC (192.168.0.5) to 192.168.3.250. To me this would provide a high level of security because that way my PCs wouldn't be able to talk to work without explicit definition and work wouldn't be able to talk to my network.
 
Any thoughts? 
 
Thanks,
Eric
Visitor
ecornwell

Re: NS-5GT VPN Setup Help with Policy Based VPN

I found this document which is close to what I want to do, only my end is the only device that needs to be mapped.
 
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

I am curious. Why use a policy-based VPN? Based on your needs, a route-based VPN might make more sense. That way you can configure a MIP on the tunnel interface to handle the NAT. Is there a reason why you cannot use route-based?
Visitor
ecornwell

Re: NS-5GT VPN Setup Help with Policy Based VPN

The main reason is keeping with the standard. We have quite a few VPNs set up this way, I just happen to have a fairly large network at home and would like to have access limited to the devices I want and not have to change my IP scheme. I have limited control on what I can do at one end. My end I have much greater control.
Distinguished Expert
rkim

Re: NS-5GT VPN Setup Help with Policy Based VPN

Since you are able to control your end, then why not change your end to a route-based? You can have route-based on one side and policy-based on the other. Just be sure to configure proper proxy-id on the route-based side to match the proxy-id sent from the policy-based side. Then you would be free to configure NAT on the tunnel interface.
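
The arrangement described in the reply above, sketched as an added ScreenOS CLI example (not posted by anyone in this thread): route-based on the NS-5GT side only, a MIP on the tunnel interface mapping 192.168.0.5 to 192.168.3.250, and an explicit proxy-id to match the policy-based peer. Assumed values, not from the thread: peer address 203.0.113.1, work LAN 10.10.0.0/16, tunnel address 192.168.3.249, the `sec-level compatible` proposals, the `untrust` interface name, and all object names; lines starting with `#` are reader annotations, not commands.

```screenos
# Address book entries (names are hypothetical)
set address Trust home-pc 192.168.0.5/32
set address Untrust work-lan 10.10.0.0/16

# Tunnel interface with an address inside the assigned /28
# (192.168.3.249 is assumed; it must be unused in that range)
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip 192.168.3.249/28

# MIP on the tunnel interface: 192.168.3.250 <-> 192.168.0.5
set interface tunnel.1 mip 192.168.3.250 host 192.168.0.5 netmask 255.255.255.255 vrouter trust-vr

# IKE gateway and VPN (peer address, key and proposals are placeholders
# and must match what the NS204 side is configured with)
set ike gateway work-gw address 203.0.113.1 main outgoing-interface untrust preshare PLACEHOLDER-PSK sec-level compatible
set vpn work-vpn gateway work-gw sec-level compatible
set vpn work-vpn bind interface tunnel.1

# Proxy-id must mirror the policy on the policy-based peer:
# local = what the peer's policy lists as remote, remote = its local
set vpn work-vpn proxy-id local-ip 192.168.3.240/28 remote-ip 10.10.0.0/16 ANY

# Send work-bound traffic into the tunnel
set vrouter trust-vr route 10.10.0.0/16 interface tunnel.1

# Only the mapped PC is permitted toward work; no Untrust-to-Trust
# policy is added, so work cannot initiate sessions to the home network
set policy from Trust to Untrust home-pc work-lan ANY permit
```

After applying it, `get sa` should show the tunnel as active once Phase 2 completes; a proxy-id mismatch with the peer is the usual reason it does not.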
Visitor
ecornwell

Re: NS-5GT VPN Setup Help with Policy Based VPN

Thank you very much for your help! I was able to get it working just the way I wanted!
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.