SSG5 to Cisco tunnel using public IP inside the tunnel



  • Hi guys,

I’ve been using SSG5’s for a few years now to build IPSec tunnels between a number of our European offices. These are pretty simple policy-based links with reserved IP subnets on each end.

We’re now being asked to create a tunnel to a third party which will require the use of a public IP inside the tunnel because of an overlap of private subnets, but I can’t see how this is possible. The public IPs are of course on the Untrust side of the Juniper, so I can’t apply a policy from Untrust to Untrust with Tunnel as the option.

    Essentially, we’re looking at something like this where x.x.x.x is a private IP on our LAN, y.y.y.y is a secondary public IP in the same subnet as the Juniper and z.z.z.z is a public IP provided on the remote end of the tunnel :-

    Local Server (x.x.x.x) > SSG5 > NAT/MIP > (y.y.y.y) > IPSec tunnel > Supplier Cisco > (z.z.z.z).

    It’s been suggested that using ProxyID is the way to go but I just can’t get my head around how this should work.

    Could anyone suggest a good example that might help me get my head around this?

    Thanks,



  • Yes, there are very nice examples in Juniper manuals which you can download from www.juniper.net. There is some information also when you search this forum.

