Juniper Firewall/VPN Help

  • Hey everyone,

    I’ve got a client for whom we manage their Juniper Firewall. They want a VPN connection to another company and I need to set it up. I’ve done some VPN work on Junipers before, so it’s not 100% foreign to me; I’ve got the Gateway already set up, as well as the P1 and P2 proposals and Firewall policies.

    One thing I’m not so sure about though: The distant end expects to communicate with only one private IP within the VPN. That means that I need to configure a NATting interface on the Firewall that is somehow inside of the VPN tunnel, which I don’t quite understand how to do. I’ve tried setting up a TUNNEL interface, but that didn’t seem quite right to me and I couldn’t bind the VPN connection to it using any means that I could see. The Trust network is and the IP they expect to communicate with will be in the net (for example).

    Anyone know how I can get this Firewall (it’s an SSG-140) to behave the way I want it to? I would prefer using the GUI, but CLI configuration commands are also welcome!


  • Oh, good you got it working. I see what you did, you used the same logic which I usually do for a custom zone that goes to untrust: define egress src-nat and as a result, the “internet” starts working and everything is seen like coming from one and the same IP address. I think I haven’t used that way of src-natting before in VPN situations, thanks for the hint 🙂

  • Hello and thanks for the reply!

    I actually managed to get it to work. I was actually on the right track, just got the config boogered up with all the false starts.

    The purpose of having one IP was so that our clients could expand their network however they wanted and it wouldn’t affect the VPN connection at all, since everything would be NATted through the tunnel.

    Basically, I just had to define the Tunnel interface with the IP to NAT through in the VPN zone. I experimented here a bit with MIPs and such, but none of that worked. Just a standard Tunnel interface and primary IP was fine.

    Then I set up the VPN with the appropriate Phase 1 and Phase 2 proposals, and used the Tunnel interface to bind to the gateway. The policy is where the NAT magic took place. It’s pretty much an “any source from TRUST to this destination in VPN is allowed” (NOT tunneled!), with NAT enabled on the egress interface.

    After all that was set up properly, it started working and NATting all traffic through the Tunnel interface. They have some confusion with another branch that comes through another default gateway into the VPN’s trust network, but that’s not really my problem; they gotta get their routing straight before I can do anything more to the firewall.
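    The route-based setup described in the reply above, written out as ScreenOS CLI for an SSG-140 (an added illustration, not the poster’s actual configuration). Zone, gateway, VPN and address-object names, the proposals, and all addresses are assumed: Trust is 192.168.1.0/24, the single IP the partner sees is 10.10.10.1 on tunnel.1, the partner network is 172.16.50.0/24 behind peer gateway 203.0.113.1; lines starting with # are annotations, not CLI input.

```screenos
# Custom zone for the tunnel so Trust->VPN policies are written separately
set zone name VPN
# Numbered tunnel interface; its IP is the only address the partner ever sees
set interface tunnel.1 zone VPN
set interface tunnel.1 ip 10.10.10.1/24
# Phase 1 gateway (assumed names and proposal; replace the pre-shared key)
set ike gateway gw-partner address 203.0.113.1 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME" proposal pre-g2-aes128-sha
# Phase 2, bound to the tunnel interface (route-based VPN)
set vpn vpn-partner gateway gw-partner proposal g2-esp-aes128-sha
set vpn vpn-partner bind interface tunnel.1
# Proxy-ID carries the NATted address, not the Trust network, so it matches what the peer expects
set vpn vpn-partner proxy-id local-ip 10.10.10.1/32 remote-ip 172.16.50.0/24 "ANY"
# Send the partner network into the tunnel
set route 172.16.50.0/24 interface tunnel.1
# Address object for the partner network in the VPN zone
set address VPN partner-net 172.16.50.0 255.255.255.0
# Policy: any Trust source to partner-net, source-NATted to the egress (tunnel.1) IP
set policy from Trust to VPN "Any" "partner-net" "ANY" nat src permit
```

    Because the policy NATs to the egress interface address, the Trust network can be renumbered or extended without touching the VPN or the peer’s proxy-ID; a `get sa` and `get policy` check after saving confirms the tunnel is up and the NAT flag is set on the policy.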

  • What is the purpose of the requirement of communicating with one IP? Where is that one IP located, in your client’s network or in your client’s partner’s network? It makes things clear when the reason is known, because sometimes the whole thing can be solved in a different and more elegant way.

    1. If the one and only IP is on your client’s side, then just make an appropriate rule so that only that one IP can be involved in the tunnel.
    1a. If in addition you must hide this IP behind another IP on your client’s side, then do a numbered tunnel interface and configure a MIP on it - the quickest way to do NAT and hide some address behind another. Watch out for the proxy IDs then, so that you don’t use the non-tunnel-NATted network on your client’s side.

    2. Or is the one and only IP on the client’s partner’s side?