I currently have 2x SSG140 in an HA pair with redundant untrust ISPs. I need to create a VPN to a Web Server (with another SSG140 in front) so that folks here can FTP and RDC to the web server securely. The issue I am having is that since the web server and firewall are not under my control, I do not want my private IP addresses exposed.
How do I NAT my private IP addresses using 2x untrust ISPs configured as a policy based Group VPN configuration?
SSG140 (corp) 0=======ISP A - e0/0 - VPN Group1 weight 20=======0 SSG140(web host)-------- Web Server
SSG140 (corp) 0=======ISP B - e0/1 - VPN Group1 weight 10=======0 SSG140(web host)-------- Web Server
I don't think you can accomplish this with a policy-based VPN and the VPN group to change gateways.
You would need to create two separate route-based VPNs and set up route priorities for the failover, and then your unique NAT address (DIP) for each VPN.
Likewise, the remote site would need to set up two VPNs to your two gateways, with the separate addresses you want as your public IPs for NAT as their remote proxy-id. Likely they now have the same as yours, with a single VPN and alternate gateways.
Steve Puluka BSEET Juniper Ambassador Senior Network Engineer - UPMC Pittsburgh, PA JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCIS-FWV JNCIS-SSL MCP - Managing Server 2003 MCP - Windows XP Professional MCTS Windows 7 http://puluka.com/home
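As an added illustration (not the poster's or Juniper's own configuration), here is a ScreenOS 6.x sketch of the corporate side of the design Steve describes: two route-based VPNs, each bound to its own tunnel interface in its own zone with its own single-address DIP, metric-ranked routes plus VPN monitoring for failover, and one policy per exit zone. The zone, gateway and VPN names, the RFC 5737 addresses (198.51.100.1 for the web host's gateway, 192.0.2.0/24 for its server subnet, 203.0.113.10/.11 as the two NAT addresses), the "<PSK-x>" placeholders and the corp LAN range are all assumptions; the remote SSG140 needs the mirror image, two VPNs to your two ISP addresses with 203.0.113.10/32 and 203.0.113.11/32 as its remote proxy-ids.

```screenos
## corp SSG140 - ISP A path (tunnel.1) - constructed example
set zone name VPN-A
set interface tunnel.1 zone VPN-A
set interface tunnel.1 ip unnumbered interface ethernet0/0
## DIP 5: the only address the remote side ever sees on this tunnel
set interface tunnel.1 dip 5 203.0.113.10 203.0.113.10
set ike gateway gw-a address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "<PSK-A>" sec-level standard
set vpn vpn-a gateway gw-a sec-level standard
set vpn vpn-a bind interface tunnel.1
## proxy-id must match the remote side: our NAT address, their web server subnet
set vpn vpn-a proxy-id local-ip 203.0.113.10/32 remote-ip 192.0.2.0/24 "ANY"
set vpn vpn-a monitor rekey

## ISP B path (tunnel.2), same pattern with a different DIP
set zone name VPN-B
set interface tunnel.2 zone VPN-B
set interface tunnel.2 ip unnumbered interface ethernet0/1
set interface tunnel.2 dip 6 203.0.113.11 203.0.113.11
set ike gateway gw-b address 198.51.100.1 main outgoing-interface ethernet0/1 preshare "<PSK-B>" sec-level standard
set vpn vpn-b gateway gw-b sec-level standard
set vpn vpn-b bind interface tunnel.2
set vpn vpn-b proxy-id local-ip 203.0.113.11/32 remote-ip 192.0.2.0/24 "ANY"
set vpn vpn-b monitor rekey

## Failover: the metric-1 route wins while tunnel.1 is up; VPN monitor
## marks the tunnel interface down when the SA dies, so the metric-2 route takes over
set route 192.0.2.0/24 interface tunnel.1 metric 1
set route 192.0.2.0/24 interface tunnel.2 metric 2

## One policy per exit zone, each translating the source to that tunnel's DIP,
## so only the chosen public address crosses to the third-party firewall
set address trust "corp-lan" 10.10.0.0/16
set address VPN-A "web-a" 192.0.2.0/24
set address VPN-B "web-b" 192.0.2.0/24
set group service "ftp-rdp" add FTP
set group service "ftp-rdp" add MS-RDP
set policy from trust to VPN-A "corp-lan" "web-a" "ftp-rdp" nat src dip-id 5 permit log
set policy from trust to VPN-B "corp-lan" "web-b" "ftp-rdp" nat src dip-id 6 permit log
```

Because routing, not policy, picks the tunnel, the separate zones are what guarantee each path gets its own DIP; check with `get route 192.0.2.1` and `get sa` which tunnel is carrying traffic after a failover test.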