ScreenOS Firewalls (NOT SRX)

Policy based VPN to non-screenos device with overlapping address

‎07-05-2010 09:13 AM

I found the ScreenOS C&E document which talks about VPNs. There is a section on overlapping addresses and it talks about route based setup with tunnel interfaces. However, I'm faced with the problem of having overlapping addresses with non-ScreenOS devices, such as Cisco or SonicWall.


The remote devices are client networks and we need to build a tunnel between 1 server on our network and 1 server on their network.


I have done this in the past with a Cisco ASA to Check Point. We built a tunnel between the two firewalls and allowed (protected) only the NAT (MIP) address of the servers.


Has this/can this be done on NetScreen? If so, how?






Re: Policy based VPN to non-screenos device with overlapping address

‎07-06-2010 12:53 AM



Configuring/troubleshooting policy based VPN with NAT is cumbersome work with no guarantee of success. I do recommend using a route based one. This is not a "special type" of VPN that might be incompatible with the third party devices, and it is very flexible and easier to understand. I NEVER use policy based VPN.

The only thing that can be incompatible is the VPN Monitoring feature. Just disable it or try to use specific IPs as monitoring source and destination that belong to the Proxy IDs (do not use defaults).


Kind regards,



Re: Policy based VPN to non-screenos device with overlapping address

‎07-07-2010 04:44 PM

You can do this with route based VPN on the ScreenOS side. There is a detailed configuration document that reviews the process in KB5346. This example has ScreenOS on both sides, but you'll just pick one as yours and configure per the guide.


On the other side, SonicWall will require the enhanced OS on their device. In that version you will configure the address objects you need that correspond to the address changes as outlined in the guide and set up the NAT on the actual VPN policy advanced settings page.


I have not worked with Cisco ASA but I understand they also support route based VPN in a fashion similar to Juniper.


If you want to use policy on the Juniper side, then you will configure this as NAT on the advanced page of the policy you create for the VPN tunnel. I have not used this before, so there may be nuances I'm missing. First, don't create the bidirectional tunnel automatically. You will need to apply NAT in the advanced section, but on the outbound policy you will be using source NAT and on the inbound policy you will be using destination NAT. The guide above will help you picture what address changes you need to program. The flow is still the same but the rules will be part of the policy.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
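
The address plan discussed in this thread (source NAT on the outbound policy, destination NAT on the inbound policy, only the NAT addresses of the two servers protected by the tunnel) can be checked before touching a firewall. The following is an added example, not taken from any of the posts or from Juniper documentation; the function names and all addresses are constructed, and it assumes the remote peer performs the mirror-image NAT on its own side.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelPolicy:          # hypothetical model of one unidirectional VPN policy
    direction: str           # "outbound" or "inbound"
    src: str                 # address the policy matches as source
    dst: str                 # address the policy matches as destination
    nat: str                 # "src" (source NAT) or "dst" (destination NAT)
    to: str                  # address the NAT rewrites to

def plan_policies(local_net, remote_net, local_real, local_nat, remote_nat):
    """Validate the address plan and return the two policies for our side."""
    lnet, rnet = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    real, lnat, rnat = (ipaddress.ip_address(a)
                        for a in (local_real, local_nat, remote_nat))
    if not lnet.overlaps(rnet):
        raise ValueError("networks do not overlap; NAT is not required")
    if real not in lnet:
        raise ValueError(f"{real} is not inside the local network {lnet}")
    if lnat == rnat:
        raise ValueError("both servers would share one NAT address")
    for label, addr in (("local NAT", lnat), ("remote NAT", rnat)):
        # A NAT address inside either real network recreates the overlap.
        if addr in lnet or addr in rnet:
            raise ValueError(f"{label} address {addr} is inside a real network")
    return [
        TunnelPolicy("outbound", str(real), str(rnat), "src", str(lnat)),
        TunnelPolicy("inbound", str(rnat), str(lnat), "dst", str(real)),
    ]

def translate(policies, direction, src, dst):
    """Return (src, dst) after NAT, or None when no policy permits the packet."""
    for p in policies:
        if (p.direction, p.src, p.dst) == (direction, src, dst):
            return (p.to, dst) if p.nat == "src" else (src, p.to)
    return None

if __name__ == "__main__":
    # Constructed sample: both sites use 192.168.1.0/24.
    pols = plan_policies("192.168.1.0/24", "192.168.1.0/24",
                         "192.168.1.10", "10.255.1.10", "10.255.2.10")
    print(translate(pols, "outbound", "192.168.1.10", "10.255.2.10"))
    print(translate(pols, "inbound", "10.255.2.10", "10.255.1.10"))
    print(translate(pols, "outbound", "192.168.1.11", "10.255.2.10"))
```

The pair that crosses the tunnel is always the two NAT addresses, so that pair is what both peers have to agree to protect; any other local host gets no match and is not sent into the tunnel.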