[j-nsp] Juniper SSG Policy-based VPN and NAT

D W kapsi1911 at hotmail.com
Thu Apr 8 11:22:35 EDT 2010


Billy, 

 

Here it is....

 

I have two sites. The main site has an SSG 550 and the other (remote site) has no firewall, just webservers that are internet-facing. So currently the unprotected webservers access backend databases at the main site using the server MIPs defined on the main site's SSG. A second SSG has been ordered to put in front of the unprotected servers. I need to encrypt traffic between the webservers and databases. So, the currently unprotected webservers will be re-addressed to 1918 space and their current IPs will become MIPs on the new SSG firewall. No problem so far. The issue is that webscripts (PHP, ASP, etc.) on the webservers used to access the main site's databases are coded to use MIPs. This was fine when the traffic was coming from the internet and hitting the untrusted interface of the firewall. Now that traffic is going to be running over the VPN, I was trying to figure out a way for the VPN traffic to still hit the MIP, since I'm told the scripts can't be modified to point to the real IPs of the database servers. And there's no inside DNS server, so split-DNS doesn't seem to be an option either.


Thanks,

Dave
 
> From: billy.guthrie at viawest.com
> To: juniper-nsp at puck.nether.net
> Date: Thu, 8 Apr 2010 07:30:07 -0700
> Subject: Re: [j-nsp] Juniper SSG Policy-based VPN and NAT
> 
> Dave,
> 
> Continuing our discussions from cisco-nsp; you sent me an email directly; I forgot to send an email to the list. We should continue here so that
> everyone can provide feedback. Again, can you please describe the VPN and the hosts on the local and remote side? This will help us help you.
> 
> 
> 
> 
> Regards,
> 
> Billy Guthrie
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
 		 	   		  