[j-nsp] Static NAT and VPN tunnels

Aaron Dewell aaron.dewell at gmail.com
Wed Jul 24 13:50:46 EDT 2013


Hey all,

Got a conflict here and hoping someone has some ideas on this.  We have 1:1 static NAT for a server, but that server also needs to communicate over a policy-based VPN.  If this VPN were route-based, there'd be no problem.

The VPN works for this server if I remove the static NAT, so everything there is good.

The option I've considered is to create a static route to the remote subnet which goes into a different zone (even a fake zone) and adjust the policies to go into that zone instead of the Internet zone.  However, the traffic from the far side would still be coming from the Internet zone, so I'm betting the flows wouldn't match.  It also seems like an extreme hack.

Removing the static NAT would be awesome, but there are unknown things using it, so it's not so easy as that.

Anyone have other suggestions?

Thanks!

Aaron



