ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
ecornwell
Visitor
ecornwell
Posts: 7
Registered: ‎12-06-2007
0

NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-27-2007 06:44 AM

Hello,
 
I am pretty new to Juniper hardware.  I have a NS-5GT that I would like to establish a VPN with to a NS204.  I've gotten the configs from other devices and I've been able to setup the policy based vpn and I believe it is working ok execpt for one little problem.
 
We've typically carved off a small subnet for VPN clients. (/28 network)  I have a pre-existing network in place and I would like to blend the two together and I'm unsure how. (Or even if it is possible.)
 
I have a 192.168.0.1/24 network at home and my overall goal would be to map a few of the address I have to the 192.168.3.240/28 network I can use.  I'll need to be able to talk to others on the 192.168.3.x/28 network so I can't use the whole range for myself.
 
For example, I want to map my PC (192.168.0.5) to 192.168.3.250.  To me this would provide a high level of security because that way my PC's wouldn't be able to talk to work without explicit definiton and work wouldn't be able to talk to my network.
 
Any thoughts? 
 
Thanks,
Eric
Message 1 of 6 (17,947 Views)
 
Reply
ecornwell
Visitor
ecornwell
Posts: 7
Registered: ‎12-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-27-2007 09:20 AM

I found this document which is close to what I want to do only my end is the only device that needs to me mapped.
 
Message 2 of 6 (17,945 Views)
 
Reply
Distinguished Expert Distinguished Expert
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-27-2007 05:22 PM

I am curious. Why use a policy-based VPN? Based on your needs, a route-based VPN might make more sense. That way you can configure a MIP on the tunnel interface to handle the NAT. Is there a reason why you cannot use route-based?
Message 3 of 6 (17,929 Views)
 
Reply
ecornwell
Visitor
ecornwell
Posts: 7
Registered: ‎12-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-27-2007 05:26 PM

The main reason is keeping with the standard.  We have quite a few vpn's setup this way, I just happen do have a fairly large network at home and would like to have access limited to the devices I want and not have to change my ip scheme.  I have limited control on what I can do at one end.  My end I have much greater control.
Message 4 of 6 (17,925 Views)
 
Reply
Distinguished Expert Distinguished Expert
Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-28-2007 11:22 AM

Since you are able to control your end, then why not change your end to a route-based. You can have route-based on one side and policy-based on the other. Just be sure to configure proper proxy-id on the route-based side to match the proxy-id sent from the policy-based side. Then you would be free to configure NAT on the tunnel interface.
Message 5 of 6 (17,904 Views)
 
Reply
ecornwell
Visitor
ecornwell
Posts: 7
Registered: ‎12-06-2007
0

Re: NS-5GT VPN Setup Help with Policy Based VPN

Options

‎12-31-2007 09:43 AM

Thank you very much for your help!  I was able to get it working just the way I wanted!
Message 6 of 6 (17,888 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.