ScreenOS Firewalls (NOT SRX)

ScreenOS Group VPN NAT

I currently have 2x SSG140 in an HA pair with redundant untrust ISPs. I need to create a VPN to a Web Server (with another SSG140 in front) so that folks here can FTP and RDC to the web server securely. The issue I am having is that since the web server and firewall are not under my control, I do not want my private IP addresses exposed.



How do I NAT my private IP addresses using 2x untrust ISPs configured as a policy based Group VPN configuration?


Basic Diagram:

SSG140 (corp) 0=======ISP A - e0/0 - VPN Group1 weight 20=======0 SSG140(web host)-------- Web Server

SSG140 (corp) 0=======ISP B - e0/1 - VPN Group1 weight 10=======0 SSG140(web host)-------- Web Server


Any help would be greatly appreciated.

Distinguished Expert

Re: ScreenOS Group VPN NAT

I don't think you can accomplish this with a policy based vpn and the vpn group to change gateways.


You would need to create two separate route based vpn and setup route priorities for the failover and then your unique nat address dip for each vpn.


Likewise, the remote site would need to setup two vpns to your two gateways with the separate addresses you want as your public ip for nat as their remote proxy-id. Likely they now have the same as yours with a single vpn and alternate gateways.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
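The following is an added illustration of the route-based design described in the reply above. It is my own worked configuration, not part of the original post and not taken from Juniper documentation; all names, addresses and the pre-shared key are placeholders (RFC 5737 documentation ranges) and must be replaced with real values. It assumes the remote SSG140 terminates two separate route-based VPNs whose remote proxy-IDs are the two NAT addresses 192.0.2.1/32 and 192.0.2.2/32, and that the corp LAN is 10.10.0.0/16 and the web server sits in 198.51.100.0/24 behind the remote firewall. Lines beginning with # are annotations, not CLI input.

```screenos
# --- corp SSG140: two tunnel interfaces, one per ISP uplink (placeholder names) ---
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/1

# --- one NAT address per tunnel, as a single-address DIP pool on that tunnel ---
# These are the only source addresses the remote side ever sees; the 10.10/16 LAN stays hidden.
set interface tunnel.1 dip 10 192.0.2.1 192.0.2.1
set interface tunnel.2 dip 11 192.0.2.2 192.0.2.2

# --- DIP group: the policy references one id, ScreenOS picks the pool that lives on the egress tunnel ---
set dip group 20 member 10
set dip group 20 member 11

# --- two IKE gateways to the SAME remote peer, each pinned to its own outgoing interface ---
# "placeholder-psk" is a placeholder; 203.0.113.10 is the remote SSG140's untrust address.
set ike gateway gw-ispA address 203.0.113.10 outgoing-interface ethernet0/0 preshare "placeholder-psk" sec-level standard
set ike gateway gw-ispB address 203.0.113.10 outgoing-interface ethernet0/1 preshare "placeholder-psk" sec-level standard

# --- two route-based VPNs; each proxy-id carries its own NAT address, which the remote side mirrors ---
set vpn vpn-ispA gateway gw-ispA sec-level standard
set vpn vpn-ispA bind interface tunnel.1
set vpn vpn-ispA proxy-id local-ip 192.0.2.1/32 remote-ip 198.51.100.0/24 any
set vpn vpn-ispA monitor optimized rekey
set vpn vpn-ispB gateway gw-ispB sec-level standard
set vpn vpn-ispB bind interface tunnel.2
set vpn vpn-ispB proxy-id local-ip 192.0.2.2/32 remote-ip 198.51.100.0/24 any
set vpn vpn-ispB monitor optimized rekey

# --- failover by route metric: ISP A preferred (lower metric), ISP B used when tunnel.1 goes down ---
# VPN monitor marks the tunnel interface down when the peer stops answering, which withdraws the route.
set route 198.51.100.0/24 interface tunnel.1 metric 1
set route 198.51.100.0/24 interface tunnel.2 metric 10

# --- address objects and a single policy; restrict to the ports actually needed (FTP and RDP) ---
set address trust "corp-lan" 10.10.0.0 255.255.0.0
set address untrust "web-server" 198.51.100.10 255.255.255.255
set group service "ftp-rdp" add FTP
set group service "ftp-rdp" add MS-RDP
set policy from trust to untrust "corp-lan" "web-server" "ftp-rdp" nat src dip-id 20 permit log
```

Check it with `get route ip 198.51.100.10` (should show tunnel.1 while both tunnels are up), `get sa` (two Phase 2 SAs, one per gateway) and `get dip` (pool 10 on tunnel.1, pool 11 on tunnel.2). Pull the ISP A uplink and confirm the route flips to tunnel.2 and that the remote firewall then sees sessions sourced from 192.0.2.2. The remote administrator needs the matching two VPNs with remote proxy-IDs 192.0.2.1/32 and 192.0.2.2/32; a single VPN with alternate gateways and one proxy-ID will fail Phase 2 on the backup path.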
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.