ScreenOS Firewalls (NOT SRX)

NS-5GT VPN Setup Help with Policy Based VPN

12-27-2007 06:44 AM
Hello,
 
I am pretty new to Juniper hardware.  I have a NS-5GT that I would like to establish a VPN with to a NS204.  I've gotten the configs from other devices and I've been able to set up the policy-based VPN and I believe it is working ok except for one little problem.
 
We've typically carved off a small subnet for VPN clients. (/28 network)  I have a pre-existing network in place and I would like to blend the two together and I'm unsure how. (Or even if it is possible.)
 
I have a 192.168.0.1/24 network at home and my overall goal would be to map a few of the addresses I have to the 192.168.3.240/28 network I can use.  I'll need to be able to talk to others on the 192.168.3.x/28 network so I can't use the whole range for myself.
 
For example, I want to map my PC (192.168.0.5) to 192.168.3.250.  To me this would provide a high level of security because that way my PCs wouldn't be able to talk to work without explicit definition and work wouldn't be able to talk to my network.
 
Any thoughts? 
 
Thanks,
Eric
5 REPLIES

Re: NS-5GT VPN Setup Help with Policy Based VPN

12-27-2007 09:20 AM
I found this document which is close to what I want to do, only my end is the only device that needs to be mapped.
 

Re: NS-5GT VPN Setup Help with Policy Based VPN

12-27-2007 05:22 PM
I am curious. Why use a policy-based VPN? Based on your needs, a route-based VPN might make more sense. That way you can configure a MIP on the tunnel interface to handle the NAT. Is there a reason why you cannot use route-based?

Re: NS-5GT VPN Setup Help with Policy Based VPN

12-27-2007 05:26 PM
The main reason is keeping with the standard.  We have quite a few VPNs set up this way; I just happen to have a fairly large network at home and would like to have access limited to the devices I want and not have to change my IP scheme.  I have limited control on what I can do at one end.  At my end I have much greater control.

Re: NS-5GT VPN Setup Help with Policy Based VPN

12-28-2007 11:22 AM
Since you are able to control your end, then why not change your end to a route-based. You can have route-based on one side and policy-based on the other. Just be sure to configure proper proxy-id on the route-based side to match the proxy-id sent from the policy-based side. Then you would be free to configure NAT on the tunnel interface.
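A route-based configuration for the home NS-5GT along the lines this reply describes, written as an added example rather than anything posted in the thread. The home PC 192.168.0.5, its mapped address 192.168.3.250 and the 192.168.3.240/28 VPN subnet come from the original post; the work LAN (10.0.0.0/24), the peer gateway address (203.0.113.1), the pre-shared key and the object names are assumptions.

```screenos
# Lines starting with '#' are annotations, not ScreenOS commands.
# Address-book objects; the work LAN 10.0.0.0/24 is an assumed value.
set address trust "Home-PC" 192.168.0.5 255.255.255.255
set address untrust "Work-LAN" 10.0.0.0 255.255.255.0

# Tunnel interface in the untrust zone, borrowing the untrust interface address.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface untrust

# Phase 1 / Phase 2 to the NS204; gateway address and key are placeholders.
set ike gateway "GW-Work" address 203.0.113.1 main outgoing-interface untrust preshare "CHANGE-ME" sec-level standard
set vpn "VPN-Work" gateway "GW-Work" sec-level standard
set vpn "VPN-Work" bind interface tunnel.1

# The proxy-ID must mirror what the policy-based NS204 sends: the source of
# its policy (work LAN) is our remote-ip, its destination (the /28) our local-ip.
set vpn "VPN-Work" proxy-id local-ip 192.168.3.240/28 remote-ip 10.0.0.0/24 "ANY"

# Send work-bound traffic into the tunnel.
set route 10.0.0.0/24 interface tunnel.1

# Mapped IP on the tunnel interface: 192.168.3.250 <-> 192.168.0.5 in both directions.
set interface tunnel.1 mip 192.168.3.250 host 192.168.0.5 netmask 255.255.255.255 vr trust-vr

# Only the mapped PC may reach work, and work only reaches the MIP address;
# the rest of 192.168.0.0/24 is never exposed through the tunnel.
set policy from trust to untrust "Home-PC" "Work-LAN" any permit log
set policy from untrust to trust "Work-LAN" "MIP(192.168.3.250)" any permit log
```

Because the NS204 side stays policy-based, its VPN policy continues to name 192.168.3.240/28 (or 192.168.3.250) as the destination; nothing on that end needs to know about 192.168.0.0/24.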

Re: NS-5GT VPN Setup Help with Policy Based VPN

12-31-2007 09:43 AM
Thank you very much for your help!  I was able to get it working just the way I wanted!