04-17-2012 01:37 PM
I currrently have 2x SSG140 in an HA pair with redundant untrust ISPs. I need to create a VPN to a Web Server (with another SSG140 in front) so that folks here can FTP and RDC to the web server securely. The issue I am having is that since the web server and firewall are not under my control, I do not want my private IP addresses exposed.
How do I NAT my private IP addresses using 2x untrust ISPs configured as a policy based Group VPN configuration?
SSG140 (corp) 0=======ISP A - e0/0 - VPN Group1 weight 20=======0 SSG140(web host)-------- Web Server
SSG140 (corp) 0=======ISP B - e0/1 - VPN Group1 weight 10=======0 SSG140(web host)-------- Web Server
Any help would be greatly appreciated.
04-21-2012 06:17 AM
I don't think you can accomplish this with a policy based vpn and the vpn group to change gateways.
You would need to create two separate route based vpn and setup route priorities for the failover and then your unique nat address dip for each vpn.
Likewise, the remote site would need to setup two vpns to your two gateways with the separate addresses you want as your public ip for nat as their remote proxy-id. Likely they now have the same as yours with a single vpn and alternate gateways.
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6