[j-nsp] Juniper SSG Policy-based VPN and NAT

Billy Guthrie bg at billyguthrie.com
Thu Apr 8 20:48:53 EDT 2010


Dave,

Sorry for taking so long, it was a busy day at work; at any rate. On the new 
SSG where the traffic will be sourced from (traffic destined to your old 
MIP) you will want to create a static route pointing via the tunnel 
interface. As this is a longer prefix, it will be preferred. Routing is 
performed before any policies are looked up (if my memory serves me well). 
Once the static route is in place, what you will want to do is create a 
policy from the zone that the PHP and ASP hosts are located on (call it 
Trust [172.16.100.0/24]?); you have not provided many details on your 
network, so I am using fictional hosts and IPs at this point. On the new 
policy that you create (source 172.16.100.0/24, destination [old MIP - 
public]) click on Advanced, select destination NAT, click on "translate to 
IP" (use the host IP that was once attached to the MIP) and click on OK.

Create IPsec tunnel:
I would recommend a zone named VPN
Use a tunnel interface and bind it to the VPN
Create policies from the Trust/DMZ zone to the VPN zone

New SSG:
Add a static route for the old MIP via the tunnel interface
Create a new policy with a destination NAT and use the IP address that 
was once the host address for the MIP on the SSG550.

Hope this helps. This will work.

Good luck
Billy
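The steps above expressed as ScreenOS CLI for the new SSG, as an added example that is not part of Billy's reply or Dave's configuration. The zone, interface and object names, the SSG550 peer address 203.0.113.10, the old MIP 203.0.113.50, the host address 10.1.1.50 and the pre-shared key are all assumed placeholders; lines starting with `#` are annotations, not commands.

```screenos
# New SSG: VPN zone, tunnel interface and the route-based IPsec tunnel to the SSG550
set zone name VPN
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway gw-ssg550 address 203.0.113.10 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn vpn-ssg550 gateway gw-ssg550 sec-level standard
set vpn vpn-ssg550 bind interface tunnel.1

# /32 for the old MIP is a longer prefix than the default route, so it wins the
# lookup and traffic to the old public address is pulled into the tunnel
set route 203.0.113.50/32 interface tunnel.1

# Address book entries used by the policy (PHP/ASP hosts in Trust, old MIP in VPN)
set address Trust "php-asp-hosts" 172.16.100.0 255.255.255.0
set address VPN "old-mip" 203.0.113.50 255.255.255.255

# Trust -> VPN policy with destination NAT: the old public MIP address is
# rewritten to the private address of the host that used to sit behind the MIP
set policy id 10 from Trust to VPN "php-asp-hosts" "old-mip" ANY nat dst ip 10.1.1.50 permit
```

`get route ip 203.0.113.50` should now show tunnel.1 as the egress interface; the SSG550 side still needs the matching tunnel and a route back to 172.16.100.0/24 for the return traffic.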
