ScreenOS Firewalls (NOT SRX)


09-24-2011 10:16 AM

Hi all, 

I hope you could help me to solve this issue:


I have a LAN-to-LAN, policy-based VPN:


LAN1( -----[FW1]------- tunnel -------[JNP1]---- LAN2 (


The policy for the tunnel on JNP is:



On JNP1 I have a static route that permits the hosts in LAN2 to reach the hosts on another network, LAN3 (, and the default GW used to reach the LAN3 hosts is JNP1 itself.



Now the problem is that I would like the hosts in LAN3 to appear as if they were hosts of LAN2. To do this, for example, I added a policy:

FROM LAN2 to LAN2 for a host, NATting it to . Doing so, I can ping the host  in LAN3 from hosts in LAN2.


If I ping from LAN2 it works: the NATted host in LAN3 is pinged, and in the policy FROM LAN2 to LAN2 I see the ping succeeding.


The issue I have is that if I ping the host from LAN1, I see in the logs of the VPN policy that there is a ping from to , but nothing more...


So, why can't I ping the IP address (the NATted one) from LAN1?


Thanks for your help.








Re: VPN and NAT

09-26-2011 03:09 AM



The packet from has Untrust as its source zone and this IP does not belong to LAN2. Its destination is a NAT configured on the Trust interface. The packet exits the trust interface and enters it again. You can imagine it this way. So, this is a looping connection that requires two policies. But the LAN2 to LAN2 policy is not applied to this packet (wrong source IP!). You can enable source NAT for the LAN1 to LAN2 policy and use the trust interface IP for the NAT.

Configuring/troubleshooting such looping connections may be cumbersome. Besides, only the first policy is logged. One should use "debug flow" to understand how it works.

If you need a clean solution, you'd better connect LAN3 to a dedicated interface and switch to the route based VPN. The most adequate (and flexible) NAT would be in this case a policy based NAT.

Kind regards,
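The following ScreenOS CLI configuration is an added worked example of the three things the reply suggests (source NAT on the VPN policy so the looping trust-to-trust policy matches, "debug flow" to watch the second policy lookup, and the route-based alternative with LAN3 on its own interface). It is not taken from the thread or from Juniper documentation. Every address, interface, zone and VPN name is an assumption, because the original post elides them: LAN1 192.168.1.0/24 behind FW1, LAN2 192.168.2.0/24 on ethernet0/1 (trust, 192.168.2.1) of JNP1, LAN3 10.0.3.0/24 reached through 192.168.2.254, the LAN3 host 10.0.3.10 exposed as 192.168.2.200, and a VPN object named LAN1-VPN. The `#` lines are annotations, not commands, and the exact policy keyword order was written from memory of the 6.x CLI, so confirm it with `get config` after entering it.

```screenos
# --- Assumed addressing (the thread elides the real addresses) ---
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.2.1/24
set address untrust LAN1 192.168.1.0 255.255.255.0
set address trust LAN2 192.168.2.0 255.255.255.0
set address trust LAN3-as-LAN2 192.168.2.200 255.255.255.255
# Static route to LAN3 via a router on the LAN2 segment (assumed 192.168.2.254)
set route 10.0.3.0/24 interface ethernet0/1 gateway 192.168.2.254

# --- Option 1: keep the policy-based VPN, make the looping connection match twice ---
# Intra-zone blocking must be on, otherwise trust-to-trust traffic never consults a policy.
set zone trust block
# The poster's existing loop policy: destination NAT 192.168.2.200 -> 10.0.3.10 inside trust.
set policy id 20 from trust to trust LAN2 LAN3-as-LAN2 any nat dst ip 10.0.3.10 permit log
# The fix from the reply: source-NAT the VPN policy. "nat src" with no dip-id uses the
# egress (trust) interface address 192.168.2.1, which is inside LAN2, so the packet that
# re-enters the trust interface now matches policy 20 as LAN2 -> LAN3-as-LAN2.
set policy id 10 from untrust to trust LAN1 LAN3-as-LAN2 any nat src tunnel vpn LAN1-VPN log
# Caveat: LAN3 sees every LAN1 host as 192.168.2.1, and only policy 10 appears in the logs.

# --- Watching the looping connection with debug flow (one ping from 192.168.1.10) ---
set ffilter src-ip 192.168.1.10 dst-ip 192.168.2.200
clear db
debug flow basic
# (send the ping from 192.168.1.10 now)
undebug all
get db stream
# In the output, check which policy id is chosen on first entry and whether a second
# policy search happens after the source NAT; with the wrong source IP it is denied there.

# --- Option 2 (the reply's clean solution): LAN3 on its own interface, route-based VPN ---
# LAN3 moves to a dedicated interface in the trust zone; the static route above goes away.
unset route 10.0.3.0/24 interface ethernet0/1 gateway 192.168.2.254
set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 10.0.3.1/24
# Bind the existing VPN to a tunnel interface in the untrust zone and route LAN1 into it.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn LAN1-VPN bind interface tunnel.1
set route 192.168.1.0/24 interface tunnel.1
# FW1 still runs a policy-based VPN with LAN1<->LAN2 selectors, so pin the proxy-id to match.
set vpn LAN1-VPN proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 any
# Policy-based destination NAT replaces the trust-to-trust loop: no source NAT, single policy.
unset policy id 10
unset policy id 20
set policy id 30 from untrust to trust LAN1 LAN3-as-LAN2 any nat dst ip 10.0.3.10 permit log
```

With option 2 the packet from LAN1 arrives on tunnel.1 in the untrust zone, policy 30 translates 192.168.2.200 to 10.0.3.10, and the second route lookup sends it out ethernet0/2; there is one policy, it is logged, and LAN3 sees the real LAN1 source address.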