SRX Services Gateway

NAT subnet over just one VPN tunnel interface

09-26-2011 11:04 AM

Hi all,


I've got a situation that I'm having a little trouble with. My customer has an SRX100 firewall with a subnet behind it. This subnet contains all their servers. The SRX is located in a datacenter and they all connect from their office over the VPN. The subnet in the office is so routing and everything works fine! The tunnel is route-based.


My problem is that they need another VPN from the SRX to a financial company that is also using the subnet. I somehow have to NAT (source?) the subnet to something different, so the VPN can be made. I can't just do a NAT from to for example, because then the VPN from the datacenter to their office won't work anymore.


Before I mess things up, I want to know how to do this. I've created a new VPN to the financial office on a new st0 interface (st0.4 in this case). In addition to this, I've created a source NAT rule as stated below:


rule-set Nat-ctb {
    from zone trust;
    to interface st0.4;
    rule source-nat-ctb {
        match {
            /* source and destination addresses omitted from the original post */
        }
        then {
            source-nat {
                /* pool or interface translation omitted from the original post */
            }
        }
    }
}
Is this the way to go, or will it NAT all addresses to ? I only want to have it NAT on the st0.4 interface. Maybe use destination NAT for the incoming traffic from the remote VPN?


Any help would be very appreciated.
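As an added example (not from the original poster, the reply, or Juniper), here is a complete Junos NAT configuration for this layout with placeholder prefixes: 192.0.2.0/24 stands in for the customer's server subnet, 198.51.100.0/24 for the translated range the financial company will see, and 203.0.113.0/24 for the range the financial company presents its own hosts through (assumed, since two overlapping subnets cannot be routed into each other without translation on both ends). Outbound connections are source-NATed only when they leave via st0.4, and static NAT on st0.4 lets the remote side reach the servers by their translated addresses, so the office tunnel on the other st0 unit is untouched.

```junos
security {
    nat {
        source {
            /* translated range the financial company will see */
            pool ctb-pool {
                address 198.51.100.0/24;
            }
            /* only traffic leaving through the financial VPN is translated */
            rule-set Nat-ctb {
                from zone trust;
                to interface st0.4;
                rule source-nat-ctb {
                    match {
                        /* placeholders: server subnet and the range the remote side presents */
                        source-address 192.0.2.0/24;
                        destination-address 203.0.113.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                ctb-pool;
                            }
                        }
                    }
                }
            }
        }
        static {
            /* connections the financial company initiates toward the servers */
            rule-set ctb-inbound {
                from interface st0.4;
                rule inbound-ctb {
                    match {
                        destination-address 198.51.100.0/24;
                    }
                    then {
                        static-nat {
                            /* 1:1 mapping back to the real server addresses */
                            prefix {
                                192.0.2.0/24;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The financial company's side must route 198.51.100.0/24 into the tunnel, and the security policies between trust and the zone holding st0.4 still have to permit the traffic in both directions. Check the result with `show security nat source rule all` and `show security flow session` to confirm that only sessions on st0.4 carry translated addresses.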


Re: NAT subnet over just one VPN tunnel interface

09-29-2011 07:52 AM

If I'm correct in what you are trying to do, then the following documentation should help:


[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]