ScreenOS Firewalls (NOT SRX)

SSG20 Assistance with VPN Tunnel

‎08-21-2018 09:52 AM

We have been asked to create a VPN tunnel between a vendor and a site of ours. The vendor is claiming our internal address is already taken by another client. For argument's sake, we will say it is 192.168.2.0/24. They are requesting we present 10.10.10.0/24 to the tunnel as our address and let our firewall translate it to the correct local IP address.

 

I have never done this before and I am not sure where to begin or even the proper terminology to google a solution.

 

I am only familiar with the ScreenOS and not console into the device.  Any assistance in direction would be appreciated.


Re: SSG20 Assistance with VPN Tunnel

‎08-21-2018 11:38 AM
Hi,

I hope at least the vendor's subnet can be used at your side and is not taken by anyone else.

1: If you use 10.10.10.0/24, then the vendor PC will initiate traffic to a 10. series IP, and it will be pushed through the tunnel.

2: Once it's decrypted at your end, a subnet NAT can be used to map 10.10.10.0/24 to your actual subnet.

E.g., host and subnet MIP for reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10923&actp=METADATA

Note: the VPN will be between the customer side subnet and the 10 series subnet; proxy ID etc. should be set accordingly. And then the MIP triggers for the clear text traffic.



Thanks,
Vikas
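The steps in the reply above, sketched as ScreenOS CLI; this is an added example, not part of the original thread or the linked KB articles. The names `tunnel.1`, `vendor-vpn` and `vendor-net`, the zone layout, the tunnel interface address and the vendor subnet 172.16.50.0/24 are assumptions (the thread does not give them), and lines starting with `#` are annotations, not commands.

```screenos
# Added example. Assumed: VPN "vendor-vpn" and its IKE gateway already exist,
# Trust/Untrust zones, vendor subnet 172.16.50.0/24 (constructed placeholder).

# Tunnel interface numbered inside the presented subnet so it can host the MIP.
# The address chosen here (.254) is used by the interface itself.
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip 10.10.10.254/24

# Subnet MIP: 10.10.10.x maps one-to-one to 192.168.2.x (host part preserved).
set interface tunnel.1 mip 10.10.10.0 host 192.168.2.0 netmask 255.255.255.0 vrouter trust-vr

# Bind the VPN to the tunnel interface. The proxy ID carries the presented
# subnet (10.10.10.0/24), never the real 192.168.2.0/24, and must mirror
# what the vendor configures on their side.
set vpn "vendor-vpn" bind interface tunnel.1
set vpn "vendor-vpn" proxy-id local-ip 10.10.10.0/24 remote-ip 172.16.50.0/24 "ANY"

# Address book entry and route for the vendor side.
set address Untrust "vendor-net" 172.16.50.0 255.255.255.0
set vrouter trust-vr route 172.16.50.0/24 interface tunnel.1

# Policy for the decrypted (clear text) traffic: the destination is the MIP,
# the source is limited to the vendor subnet, and matches are logged.
# Replace ANY with the specific services the vendor actually needs.
set policy from Untrust to Trust "vendor-net" "MIP(10.10.10.0/24)" ANY permit log
```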

Re: SSG20 Assistance with VPN Tunnel

‎08-21-2018 10:25 PM

Hi,

 

Basically, you are looking at an issue with overlapping subnets between 2 sites.

Pretty simple to work around on a ScreenOS device.

 

This article will be of help: https://kb.juniper.net/InfoCenter/index?page=content&id=KB5346&actp=METADATA

 

Please review it and update this thread with any query you might have.

Regards,
Gokul