[j-nsp] Static NAT and VPN tunnels

Per Westerlund p1 at westerlund.se
Wed Jul 24 14:41:15 EDT 2013


What device are you using?

Sometimes it is possible to use a route-based VPN even if the other side can only use a policy-based VPN (SRX with Cisco ASA is a typical example); that could perhaps solve your problem?

/Per

On 24 Jul 2013, at 19:50, Aaron Dewell <aaron.dewell at gmail.com> wrote:

> 
> Hey all,
> 
> Got a conflict here and hoping someone has some ideas on this.  We have 1:1 static NAT for a server, but that server also needs to communicate over a policy-based VPN.  If this VPN were route-based, there'd be no problem.
> 
> The VPN works for this server if I remove the static NAT so everything there is good.
> 
> The option I've considered is to create a static route to the remote subnet which goes into a different zone (even a fake zone) and adjust the policies to go into that zone instead of the Internet zone.  However, the traffic from the far side would still be coming from the Internet zone, so I'm betting the flows wouldn't match.  It also seems like an extreme hack.
> 
> Removing the static NAT would be awesome, but there are unknown things using it, so it's not so easy as that.
> 
> Anyone have other suggestions?
> 
> Thanks!
> 
> Aaron
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
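The following Junos configuration fragment is an added illustration of the approach Per suggests; it is not configuration from either poster and was written for this archive page. It shows an SRX route-based VPN (st0 interface plus a static route) toward a peer that only supports policy-based VPN, where the proxy-identity mirrors the peer's crypto ACL. The static NAT rule-set is scoped to the untrust zone, so sessions that leave or arrive through the vpn zone are not translated, which is what removes the conflict the original question describes. All addresses (10.1.1.0/24, 10.2.2.0/24, 198.51.100.10, 203.0.113.1), interface names and object names are assumed placeholders from documentation ranges, and the IKE/IPsec proposals are deliberately generic.

```junos
## Added example (not from the original thread). All addresses and names are placeholders.
interfaces {
    st0 {
        unit 0 {
            family inet;                      # tunnel interface for the route-based VPN
        }
    }
}
routing-options {
    static {
        route 10.2.2.0/24 next-hop st0.0;     # remote (peer) subnet reached via the tunnel
    }
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-A-STRONG-PSK";   # placeholder
        }
        gateway peer-gw {
            ike-policy ike-pol;
            address 203.0.113.1;              # peer's public address (placeholder)
            external-interface ge-0/0/0.0;    # untrust-facing interface (assumed name)
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol {
            proposals ipsec-prop;
        }
        vpn peer-vpn {
            bind-interface st0.0;             # makes this a route-based VPN on the SRX side
            ike {
                gateway peer-gw;
                proxy-identity {
                    local 10.1.1.0/24;        # must mirror the policy-based peer's crypto ACL
                    remote 10.2.2.0/24;
                    service any;
                }
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    nat {
        static {
            rule-set server-static {
                from zone untrust;            # scoped to Internet traffic only
                rule server {
                    match {
                        destination-address 198.51.100.10/32;   # public address (placeholder)
                    }
                    then {
                        static-nat {
                            prefix 10.1.1.10/32;                # internal server (placeholder)
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone vpn {
            interfaces {
                st0.0;                        # tunnel traffic lands in its own zone
            }
        }
    }
    policies {
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone vpn to-zone trust {
            policy vpn-to-trust {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
}
```

Because the static route sends 10.2.2.0/24 into st0.0, the server's sessions to the remote subnet are classified in the vpn zone rather than untrust, and the untrust-scoped static NAT rule-set is never consulted for them in either direction. The peer still negotiates against the proxy-identity as if the SRX side were policy-based, which is the interoperability case Per refers to. Tighten the example policies to the real hosts and applications before use; `any`/`any` is only there to keep the fragment short.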