ScreenOS Firewalls (NOT SRX)
Visitor
NetGuy6446
Posts: 5
Registered: 09-15-2011

ScreenOS Group VPN NAT

I currently have 2x SSG140 in an HA pair with redundant untrust ISPs. I need to create a VPN to a Web Server (with another SSG140 in front) so that folks here can FTP and RDC to the web server securely. The issue I am having is that since the web server and firewall are not under my control, I do not want my private IP addresses exposed.


Question:

How do I NAT my private IP addresses using 2x untrust ISPs configured as a policy based Group VPN configuration?


Basic Diagram:

SSG140 (corp) 0=======ISP A - e0/0 - VPN Group1 weight 20=======0 SSG140(web host)-------- Web Server

SSG140 (corp) 0=======ISP B - e0/1 - VPN Group1 weight 10=======0 SSG140(web host)-------- Web Server


Any help would be greatly appreciated.

Distinguished Expert
spuluka
Posts: 2,566
Registered: 03-30-2009

Re: ScreenOS Group VPN NAT

I don't think you can accomplish this with a policy based vpn and the vpn group to change gateways.


You would need to create two separate route-based vpns and set up route priorities for the failover and then your unique nat address dip for each vpn.


Likewise, the remote site would need to set up two vpns to your two gateways with the separate addresses you want as your public ip for nat as their remote proxy-id. Likely they now have the same as yours with a single vpn and alternate gateways.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
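The corp-side ScreenOS configuration that the answer above describes (two route-based VPNs, one per ISP interface, a single-address DIP pool on each tunnel, and metric-based route failover), written as an added example rather than anything posted in this thread. All names, pre-shared keys and addresses are placeholders (RFC 5737 documentation ranges; the remote SSG140 is assumed reachable at one public address over both ISPs, and the web host's LAN is assumed to be 192.168.50.0/24); the `#` lines are annotations, not ScreenOS syntax.

```screenos
# Tunnel A rides ISP A on ethernet0/0; tunnel B rides ISP B on ethernet0/1.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 203.0.113.1/29
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 203.0.113.9/29

# One single-address DIP pool per tunnel: the only source address the remote side ever sees.
set interface tunnel.1 dip 4 203.0.113.2 203.0.113.2
set interface tunnel.2 dip 5 203.0.113.10 203.0.113.10
# A DIP group lets one policy translate through whichever pool belongs to the active egress tunnel.
set dip group 10 member 4
set dip group 10 member 5

# Two IKE gateways (one per ISP-facing interface) and two VPNs, each bound to its own tunnel.
set ike gateway gw-ispa address 198.51.100.1 outgoing-interface ethernet0/0 preshare PLACEHOLDER-KEY-A sec-level standard
set ike gateway gw-ispb address 198.51.100.1 outgoing-interface ethernet0/1 preshare PLACEHOLDER-KEY-B sec-level standard
set vpn vpn-ispa gateway gw-ispa sec-level standard
set vpn vpn-ispa bind interface tunnel.1
set vpn vpn-ispa proxy-id local-ip 203.0.113.2/32 remote-ip 192.168.50.0/24 any
set vpn vpn-ispa monitor rekey
set vpn vpn-ispb gateway gw-ispb sec-level standard
set vpn vpn-ispb bind interface tunnel.2
set vpn vpn-ispb proxy-id local-ip 203.0.113.10/32 remote-ip 192.168.50.0/24 any
set vpn vpn-ispb monitor rekey

# Failover by route priority: the lower metric wins while its tunnel is up; VPN monitor
# takes the tunnel interface down when the peer stops answering, so the backup route is used.
set route 192.168.50.0/24 interface tunnel.1 metric 10
set route 192.168.50.0/24 interface tunnel.2 metric 20

# Permit only FTP and RDP to the web server, translating the source through the DIP group
# so no corp private address appears inside the tunnel.
set address untrust webserver 192.168.50.10/32
set service TCP-3389 protocol tcp src-port 0-65535 dst-port 3389-3389
set group service vpn-svcs add FTP
set group service vpn-svcs add TCP-3389
set policy from trust to untrust any webserver vpn-svcs nat src dip-id 10 permit
```

The remote side's two VPNs must carry the matching proxy-ids (remote-ip 203.0.113.2/32 and 203.0.113.10/32 respectively), as the answer notes; a mismatch there is the usual reason phase 2 fails after this change.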
Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.