I've got a client for whom we manage their Juniper Firewall. They want a VPN connection to another company and I need to set it up. I've done some VPN work on Junipers before, so it's not 100% foreign to me; I've got the Gateway already set up, as well as the P1 and P2 proposals and Firewall policies.
One thing I'm not so sure about though: The distant end expects to communicate with only one private IP within the VPN. That means that I need to configure a NATting interface on the Firewall that is somehow inside of the VPN tunnel, which I don't quite understand how to do. I've tried setting up a TUNNEL interface, but that didn't seem quite right to me and I couldn't bind the VPN connection to it using any means that I could see.
Anyone know how I can get this Firewall (it's an SSG-140, so it should be capable of just about everything) to behave the way I want it to? I would prefer using the GUI, but CLI configuration commands are also welcome!
Is the VPN "private IP" that needs to originate and receive the traffic within the internal trusted network address scope/subnet or is it in a separate address scope/subnet? The way you have it currently explained is a little confusing.
You might try posting over at http://www.juniperforum.com/ and see if someone there can give you a hand. I have lots of experience with building and maintaining Juniper firewall VPNs but have never had to set up anything like what you are asking. Unless there is some address space overlap or some other problem I would just set up a direct VPN and use policies to control the traffic.
It was 6:30 in the morning when I wrote that, so I apologize if it was a bit confusing.
The VPN "private IP" is outside of the Trusted network's scope (trusted net is class C 192.168.0.0/24 and the VPN NAT IP should be 10.0.0.0/24). My thought was to try to minimize configuration on the client side, and just basically tell the firewall that all traffic for the VPN networks on the distant end will be NATted through a single address, thereby making the internal trusted network "invisible" to the other side.
I'll take a look at those links, thanks! Let me know if you have any suggestions though as to how I might proceed, since I can't look at the links right at this very moment.
Is 10.0.0.0/24 assigned only to the VPN tunnel or is it one of the internal "trusted" networks on either side of the link? Are both endpoints for the tunnel Juniper devices?
I have a couple of spare Juniper devices here at work I can mess around with and see if I can find a way to set this type of scenario up and make it work.
It's exclusive to the VPN, but my appointment to set it all up is in 3 hours, so I'm pretty much screwed and have to think up an alternative.
This might be helpful in pointing you in the right direction: http://net-scenarios.net/2010/02/11/configuring-vpns-overlapping-addresses/
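For readers landing on this thread with the same problem, here is the shape of a ScreenOS configuration that does what the original poster describes: a route-based VPN bound to a tunnel interface, with a DIP (dynamic IP) pool on that tunnel interface so every internal host is source-NATted to one 10.0.0.x address before it enters the tunnel. This is an added example, not the poster's configuration and not taken from the thread. The interface name ethernet0/0, the peer address 203.0.113.1, the remote subnet 172.16.0.0/24, the pre-shared key, and the proposal names are all assumptions; only 192.168.0.0/24 (trusted LAN) and 10.0.0.0/24 (NAT range inside the VPN) come from the thread. Lines beginning with `#` are annotations for the reader; ScreenOS does not accept comments, so drop them before pasting.

```text
# Tunnel interface in the untrust zone, borrowing the outside interface's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Address book entries (names are assumptions)
set address trust local-lan 192.168.0.0/24
set address untrust remote-lan 172.16.0.0/24

# Phase 1 / Phase 2 (peer address, key and proposals are assumptions)
set ike gateway remote-gw address 203.0.113.1 main outgoing-interface ethernet0/0 preshare PLACEHOLDER-PSK proposal pre-g2-aes128-sha
set vpn corp-vpn gateway remote-gw proposal g2-esp-aes128-sha
set vpn corp-vpn bind interface tunnel.1

# Proxy-ID advertises the NAT range, not the real LAN, so the peer only ever sees 10.0.0.0/24
set vpn corp-vpn proxy-id local-ip 10.0.0.0/24 remote-ip 172.16.0.0/24 any

# DIP pool 5 on the tunnel interface: a single address, so the whole LAN appears as 10.0.0.1
set interface tunnel.1 dip 5 10.0.0.1 10.0.0.1

# Route the remote subnet into the tunnel
set route 172.16.0.0/24 interface tunnel.1

# Only outbound policy, with source NAT from pool 5; no untrust-to-trust policy is needed
set policy from trust to untrust local-lan remote-lan any nat src dip-id 5 permit
```

Two points worth checking before declaring it working. First, the proxy-ID on the peer side must mirror this one (their local 172.16.0.0/24, remote 10.0.0.0/24) or Phase 2 will not negotiate; `get sa` and `get ike cookie` on the SSG show which stage is failing. Second, because the DIP pool hides 192.168.0.0/24, the remote side cannot initiate connections to internal hosts, which is the least-privilege outcome the poster wanted; if a specific inbound service is later required it should be exposed with a MIP or VIP and its own narrow policy rather than by widening the proxy-ID.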