SRX Services Gateway

NAT through to an IPSec VPN

‎11-03-2017 11:38 PM

Amazon is hosting an application server my users access via RDP.

We have an IPSec connection to the Amazon VPC via SRX300.

I need to give my users access to this Amazon resource from various locations around the country as they travel for the next 10 days; instead of opening a connection directly to the VM via the Amazon gateway or managing all the various IP addresses they will be using, I would like to use the SRX.

Ideally my users would use RDP to hit the public IP address of our SRX using a port other than 3389 (173.161.47.x:3456) and be directed to the application server over the IPSec connection.

I have tried to make this happen several times with zero luck.

I don't have any examples of my failures; when they did not work I rolled back the configuration. Also, I am actually on vacation but need to come up with a solution this weekend if I can.

Traffic between Amazon and my local internal network works flawlessly.
routing-options {
    static {
        route next-hop [ st0.1 st0.2 ];   <-- Local network to Amazon
        route next-hop 173.161.47.x;      <-- Local network to public internet.
        route next-hop st0.3;             <-- traffic to remote office over IPSec
        route next-hop st0.3;             <-- traffic to remote office over IPSec
    }
}

Any direction would be greatly appreciated.

To sum it up:
Traffic hits the SRX over public IP 173.161.47.x:3456, is sent through to the Amazon app server over the IPSec VPN, and remote desktop magic happens.


Re: NAT through to an IPSec VPN

‎11-04-2017 12:08 AM
Can you paste your NAT config?

Accept this as solution if it resolved your issue.
Kudos would be appreciated too.

Re: NAT through to an IPSec VPN

‎11-12-2017 04:54 AM

In addition to the destination NAT and port change for this operation, you will also need to do a source NAT change so that the address they are coming from on the internet is now inside the range you include on your VPN up to AWS.


But I also want to go on record that publishing RDP directly to the internet is a bad idea. Rather, you should have your users connect to a dynamic VPN and then initiate the RDP from this secure connection instead.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
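As an added illustration of the two NAT pieces described in the reply above (this is not configuration from the thread or from the original poster's SRX), here is a Junos set-format fragment for the SRX300. Everything beyond what the thread states is an assumption: the internet-facing interface sits in zone "untrust" with public address 173.161.47.10, the st0.1 tunnel to AWS sits in zone "aws", the local range advertised in the VPN proxy-ID/traffic selector is 10.10.0.0/24, and the application server is 172.31.0.50. Replace these with your own addressing.

```junos
## Added example, not from the thread. Assumed names/addresses: zone untrust
## (ge-0/0/0.0, 173.161.47.10), zone aws (st0.1), VPN local range 10.10.0.0/24,
## app server 172.31.0.50. RDP is TCP/3389; the public-facing port is 3456.

## 1. Destination NAT: public 173.161.47.10:3456 -> app server 172.31.0.50:3389.
##    Destination NAT runs before policy lookup, so the policy below matches the
##    post-NAT address and port, not the public ones.
set security nat destination pool rdp-app address 172.31.0.50/32 port 3389
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule rdp-3456 match destination-address 173.161.47.10/32
set security nat destination rule-set from-internet rule rdp-3456 match destination-port 3456
set security nat destination rule-set from-internet rule rdp-3456 match protocol tcp
set security nat destination rule-set from-internet rule rdp-3456 then destination-nat pool rdp-app

## 2. Source NAT: rewrite the traveller's internet address to one inside the
##    local range the AWS VPN covers, so the reply is routed back into the tunnel
##    instead of toward the AWS internet gateway. The pool address must fall
##    inside the proxy-ID/traffic-selector range negotiated with AWS.
set security nat source pool vpn-src address 10.10.0.254/32
set security nat source rule-set internet-to-aws from zone untrust
set security nat source rule-set internet-to-aws to zone aws
set security nat source rule-set internet-to-aws rule rdp-src match destination-address 172.31.0.50/32
set security nat source rule-set internet-to-aws rule rdp-src match destination-port 3389
set security nat source rule-set internet-to-aws rule rdp-src then source-nat pool vpn-src

## 3. Security policy untrust -> aws for the translated flow only.
set applications application rdp-tcp protocol tcp destination-port 3389
set security zones security-zone aws address-book address app-server 172.31.0.50/32
set security policies from-zone untrust to-zone aws policy allow-rdp-app match source-address any
set security policies from-zone untrust to-zone aws policy allow-rdp-app match destination-address app-server
set security policies from-zone untrust to-zone aws policy allow-rdp-app match application rdp-tcp
set security policies from-zone untrust to-zone aws policy allow-rdp-app then permit
```

After committing, `show security nat destination rule all` and `show security nat source rule all` should show the hit counters incrementing on a test connection, and `show security flow session destination-port 3389` should display the session with the untrust peer on the "In" wing and 10.10.0.254 as the translated source on the "Out" wing; a session that shows the original public source address on the tunnel side means the source NAT rule did not match. Because destination NAT happens first, a policy written against 173.161.47.10 or port 3456 will never match. If the pool address is not inside the range AWS expects in the tunnel, AWS will drop the packets as not matching the VPN's route or traffic selector. Note also that the `source-address any` above is exactly the exposure the reply warns about; if the travelling users' networks can be enumerated at all, narrow that match, and prefer a client VPN onto the SRX with RDP run from inside it.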