SRX110 - Dynamic VPN setup to 2nd IP on untrust interface

03-26-2013 12:48 PM

I have a SRX 110 running its external connection via ADSL on at-1/0/0.0 with 2 IP addresses configured.

All inbound and outbound NAT goes via one IP leaving the other free.

How do I tie the inbound VPN connection configuration to the 2nd IP?

Our previous setup only had a single IP on the ADSL interface so we had to move our ActiveSync connection to a different port and would hope that moving the inbound VPN connection to a specific IP would allow us to return to a standard port for our remote email users.

Any help gratefully received.

Re: SRX110 - Dynamic VPN setup to 2nd IP on untrust interface

03-27-2013 09:00 PM

Well, I can think of two possibilities: the easy way and the hard way.


The easy way is to just make the SRX110 "listen" on the second untrust IP with proxy-arp:

        set security nat proxy-arp interface at-1/0/0.0 address <second-ip-address>

And then have your VPN clients try to connect to the second address.  It may or may not work but it's worth a shot.


The hard way would be to basically create a new physical untrust interface just for VPN users.  By doing it this way you have more granular control over the routes/interfaces that both inbound and outbound traffic take.

  - configure a new virtual router and security zone

  - move your existing untrust interface into the new virtual router

  - adjust all trust<-->untrust and NAT policies (except the dynamic VPN tunnel policy) to work with the new security zone

  - create a second untrust interface in the default routing instance for dynamic VPN only, using the second IP (dynamic VPNs can only be terminated in the default routing instance).  You will need default gateway routes in both the default routing instance and the virtual router.

  - change the dynamic vpn gateway to use the new untrust interface

  - get a four-port switch: one cat5 from the switch to the ADSL and two cat5s from the switch to two untrust ports on the SRX110
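The "hard way" above, written out as Junos set commands. This is an added example and not configuration posted by either participant; every name and address in it is an assumption: public block 203.0.113.8/29 with ISP gateway .9, first public IP .10 for NAT (the existing untrust), second public IP .11 for dynamic VPN only, LAN 192.168.1.0/24 on vlan.0, an Exchange server at 192.168.1.20, a dynamic VPN client pool 10.10.10.0/24, an existing IKE gateway named dyn-vpn-gw, and, following the reply's switch arrangement, the ADSL line terminated by a bridged modem so that both untrust ports are Ethernet (fe-0/0/0 replaces the at-1/0/0.0 untrust, fe-0/0/1 is the new VPN-only port). The reply does not say how LAN traffic in the default instance reaches the Internet default route in the virtual router; the example uses a filter on vlan.0 to steer it into the virtual router and a next-table route back, which avoids the mutual next-table routes Junos rejects.

```junos
## Added example, not from the thread. Names and addresses are assumptions
## (see the lead-in). Replace them with your own before committing.

## 1. New virtual router: owns the existing untrust port and the Internet
##    default route. 192.168.1.0/24 stays in inet.0, so give vr-inet a way back.
set routing-instances vr-inet instance-type virtual-router
set routing-instances vr-inet interface fe-0/0/0.0
set routing-instances vr-inet routing-options static route 0.0.0.0/0 next-hop 203.0.113.9
set routing-instances vr-inet routing-options static route 192.168.1.0/24 next-table inet.0

## 2. Interfaces: first public IP on the moved untrust port, second public IP
##    on the VPN-only port, which is left in the default instance.
set interfaces fe-0/0/0 unit 0 family inet address 203.0.113.10/29
set interfaces fe-0/0/1 unit 0 family inet address 203.0.113.11/29
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 0 family inet filter input lan-egress

## 3. Default instance: its own default gateway route, used only by traffic
##    sourced from or destined to the VPN port (IKE, ESP, VPN clients).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.9

## Filter-based forwarding on the LAN port: LAN-local and VPN-client-bound
## traffic keeps the inet.0 lookup, everything else is looked up in vr-inet.
set firewall family inet filter lan-egress term local from destination-address 192.168.1.0/24
set firewall family inet filter lan-egress term local then accept
set firewall family inet filter lan-egress term to-vpn-clients from destination-address 10.10.10.0/24
set firewall family inet filter lan-egress term to-vpn-clients then accept
set firewall family inet filter lan-egress term to-internet then routing-instance vr-inet

## 4. Zones: a zone's interfaces must share one routing instance, so the moved
##    port gets a new zone. The original untrust zone keeps only the VPN port
##    and admits only what the dynamic VPN needs (IKE, HTTPS for the client).
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all
set security zones security-zone untrust-inet interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/1.0 host-inbound-traffic system-services ping

## 5. Re-point source NAT and the trust<->untrust policies at untrust-inet.
set security nat source rule-set lan-out from zone trust
set security nat source rule-set lan-out to zone untrust-inet
set security nat source rule-set lan-out rule all match source-address 192.168.1.0/24
set security nat source rule-set lan-out rule all then source-nat interface
set security policies from-zone trust to-zone untrust-inet policy lan-out match source-address any
set security policies from-zone trust to-zone untrust-inet policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust-inet policy lan-out match application any
set security policies from-zone trust to-zone untrust-inet policy lan-out then permit

## ActiveSync back on 443 at the first public IP: the dynamic VPN's HTTPS
## listener now lives on the second IP, so 443 on .10 is free again.
set security nat destination pool exchange address 192.168.1.20/32 port 443
set security nat destination rule-set inbound from zone untrust-inet
set security nat destination rule-set inbound rule activesync match destination-address 203.0.113.10/32
set security nat destination rule-set inbound rule activesync match destination-port 443
set security nat destination rule-set inbound rule activesync then destination-nat pool exchange
set security zones security-zone trust address-book address exchange-srv 192.168.1.20/32
set security policies from-zone untrust-inet to-zone trust policy activesync match source-address any
set security policies from-zone untrust-inet to-zone trust policy activesync match destination-address exchange-srv
set security policies from-zone untrust-inet to-zone trust policy activesync match application junos-https
set security policies from-zone untrust-inet to-zone trust policy activesync then permit

## 6. Bind the existing dynamic VPN gateway and the J-Web HTTPS service the
##    client downloads from to the VPN-only port. The untrust->trust tunnel
##    policy is left exactly as it was.
set security ike gateway dyn-vpn-gw external-interface fe-0/0/1.0
set system services web-management https interface fe-0/0/1.0
```

Two checks are worth making after commit: `show route table vr-inet.inet.0` should list the 0.0.0.0/0 route via fe-0/0/0.0 and 192.168.1.0/24 as a next-table route, and `show security flow session` for a LAN host browsing the Internet should show the session leaving on fe-0/0/0.0 with the .10 address, while an IKE session from a VPN client shows up on fe-0/0/1.0. If the session for LAN traffic appears on fe-0/0/1.0 instead, the lan-egress filter is not applied to the LAN interface the hosts actually use.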