Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  Netscreen SSG - Nat on tunnel interface

    Posted 09-20-2012 19:35

    Hello

    Could someone please help in resolving my issue. The portion of the FW is provided in the attachment. I am trying to get the subnet in the VPN Network to reach the subnet in the R1 Router located in the internet.

    Tunnel.1 is an unnumbered interface borrowing the IP address from the physical interface. The VPN tunnel is for communication between the VPN Network (200.200.200.0/24) and the Internal network. Now I require the VPN Network (200.200.200.0/24) to connect with 100.100.100.100/32 located on the Internet.

    The 0/4 interface where the tunnel.1 is located is a natted interface.

    What do I need to do for the VPN Network to connect to the R1 subnet?

    I am thinking of creating a loopback group, adding tunnel.1 to the loopback group and creating a MIP on the loopback so that the VPN Subnet can reach the R1 network. Please let me know if I am correct; otherwise please suggest a more practical approach.

    Thanks

    Sidhanth

    Attachment(s)

    pdf
    img-921122718-0001.pdf   107 KB 1 version


  • 2.  RE: Netscreen SSG - Nat on tunnel interface
    Best Answer

    Posted 09-20-2012 22:37

    Hello,

    If the requirement is to have one-way communication, i.e. users in the VPN network should be able to initiate traffic to the R1 network, then you can put a route on the VPN Network device for 10.10.10.100/32 pointing to the tunnel, configure a policy from the zone to which the tunnel belongs towards the E0/4 zone and put a source NAT on that policy, and it will work.

    However, if your requirement is that 100.100.100.100/32 should also be able to initiate traffic to the VPN network, then the config will be a bit more; let me know the requirement and we can take it up then.

    Regards

    Sarab



  • 3.  RE: Netscreen SSG - Nat on tunnel interface

    Posted 09-20-2012 23:05

    Hello Sarab,

    Thanks for the reply.

    I will get back to you on whether the other end also would have to initiate the traffic. If this is the case, what do I have to do?

    Thanks

    Sidhanth



  • 4.  RE: Netscreen SSG - Nat on tunnel interface

    Posted 09-20-2012 23:34

    Then you would need to buy some public IPs from the ISP, depending upon the number of hosts in the VPN network that need to be reachable from the R1 subnet. A MIP will be configured for each of them. Or else, if the device R1 supports VPN, you can set up another tunnel with that.
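The following ScreenOS CLI is an added example illustrating the two options described in this thread (the one-way source NAT policy from reply 2 and the per-host MIP from reply 4); it is not configuration posted by Sarab or Sidhanth. It assumes tunnel.1 sits in a zone named "VPN", ethernet0/4 sits in "Untrust", 203.0.113.10 is a placeholder public IP routed to the firewall by the ISP, 200.200.200.10 is one VPN host that must be reachable, and <isp-gateway> is the next hop on ethernet0/4. Lines starting with "#" are annotations, not CLI, and should be dropped before pasting.

```screenos
# Context from the thread: route-based VPN on an unnumbered tunnel interface
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip unnumbered interface ethernet0/4

# Address book entries (names assumed)
set address "VPN" "vpn-net" 200.200.200.0 255.255.255.0
set address "Untrust" "r1-host" 100.100.100.100 255.255.255.255

# --- Option A: one-way, VPN network -> 100.100.100.100/32 (reply 2) ---
# Firewall route for the R1 host out the public interface (gateway is a placeholder)
set route 100.100.100.100/32 interface ethernet0/4 gateway <isp-gateway>
# Policy from the tunnel's zone to the public zone with source NAT, so VPN hosts
# leave as the ethernet0/4 address; no loopback group or MIP is needed for this.
set policy id 20 from "VPN" to "Untrust" "vpn-net" "r1-host" "ANY" nat src permit log
# The remote VPN peer must also route 100.100.100.100/32 into the tunnel
# (peer-side configuration not shown).

# --- Option B: bidirectional, R1 -> a VPN host (reply 4) ---
# One MIP per VPN host that must be reachable, on the public interface itself.
# 203.0.113.10 is a placeholder for a public IP the ISP routes to the firewall.
set interface ethernet0/4 mip 203.0.113.10 host 200.200.200.10 netmask 255.255.255.255 vr trust-vr
# Inbound policy: the MIP is referenced as MIP(<public-ip>) in the destination field.
# Restricting the source to r1-host keeps the exposure limited to the one peer.
set policy id 21 from "Untrust" to "VPN" "r1-host" "MIP(203.0.113.10)" "ANY" permit log
```

Option A keeps the VPN hosts hidden behind the firewall's own public address and only permits sessions that originate from the VPN side, which is why no public IP per host is required. Option B publishes a one-to-one mapping and therefore needs one routed public IP per reachable host, as reply 4 notes; logging on both policies gives a session record for either direction.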


  • 5.  RE: Netscreen SSG - Nat on tunnel interface

    Posted 09-20-2012 23:42

    Sarab,

    If I just configure a MIP (public IP) on the loopback interface and put tunnel.1 in the loopback group, then when traffic from the VPN Network hits the MIP on the loopback interface it will be forwarded out the physical interface, and likewise when the 100.100.100.100/32 host initiates communication and hits the MIP, it will be forwarded towards the VPN network.

    Isn't the above a workable solution?

    Thanks

    Sidhanth



  • 6.  RE: Netscreen SSG - Nat on tunnel interface

    Posted 09-21-2012 01:31

    No need to create a separate loopback interface when we can configure this setup without that, as described earlier. Let me know if the customer is looking for bidirectional traffic and we can discuss that in detail then. Or else, for one way, the suggestion mentioned earlier would help.


  • 7.  RE: Netscreen SSG - Nat on tunnel interface

    Posted 09-25-2012 05:49

    Thanks, Sarab.

    It is all working fine now.