SSG5 to Cisco tunnel using public IP inside the tunnel

  • Hi guys,

    I’ve been using SSG5s for a few years now to build IPSec tunnels between a number of our European offices. These are pretty simple policy-based links with reserved IP subnets on each end.

    We’re now being asked to create a tunnel to a third party which will require the use of a public IP inside the tunnel because of an overlap of private subnets, but I can’t see how this is possible. The public IPs are of course on the Untrust side of the Juniper, so I can’t apply a policy from Untrust to Untrust with Tunnel as the option.

    Essentially, we’re looking at something like this where x.x.x.x is a private IP on our LAN, y.y.y.y is a secondary public IP in the same subnet as the Juniper and z.z.z.z is a public IP provided on the remote end of the tunnel :-

    Local Server (x.x.x.x) > SSG5 > NAT/MIP > (y.y.y.y) > IPSec tunnel > Supplier Cisco > (z.z.z.z).

    It’s been suggested that using ProxyID is the way to go but I just can’t get my head around how this should work.

    Could anyone suggest a good example that might help me get my head around this?
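One way to lay this out on ScreenOS, given here as an added example that is not from the thread or from Juniper's documentation: instead of a policy-based VPN (where the policy zones are the problem the poster describes), use a route-based VPN and place the MIP on the tunnel interface, so x.x.x.x is translated to y.y.y.y as traffic enters the tunnel and the proxy-ID advertises y.y.y.y/32 to z.z.z.z/32. Interface names (ethernet0/0, tunnel.1), the peer address, the pre-shared key, the virtual router and the address-book object names are assumptions; x.x.x.x, y.y.y.y and z.z.z.z are the placeholders from the question.

```screenos
## Tunnel interface in the Untrust zone, unnumbered off the public interface (assumed ethernet0/0)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

## MIP on the tunnel interface: y.y.y.y (secondary public IP) <-> x.x.x.x (LAN host)
## MIP is bidirectional, so inbound traffic to y.y.y.y reaches x.x.x.x and
## outbound traffic from x.x.x.x leaves the tunnel sourced from y.y.y.y
set interface tunnel.1 mip y.y.y.y host x.x.x.x netmask 255.255.255.255 vr trust-vr

## Phase 1 to the supplier's Cisco (PEER_IP and PSK are placeholders)
set ike gateway gw-supplier address PEER_IP main outgoing-interface ethernet0/0 preshare "PSK" sec-level standard

## Phase 2, bound to tunnel.1 (route-based, so no "tunnel" action in any policy)
set vpn vpn-supplier gateway gw-supplier no-replay tunnel idletime 0 sec-level standard
set vpn vpn-supplier bind interface tunnel.1

## Proxy-ID: only the public addresses are visible to the peer.
## The Cisco side's crypto ACL must be the exact mirror (z.z.z.z/32 -> y.y.y.y/32)
## or Phase 2 will fail with a proxy-ID mismatch.
set vpn vpn-supplier proxy-id local-ip y.y.y.y/32 remote-ip z.z.z.z/32 "ANY"

## Route the remote public host into the tunnel
set route z.z.z.z/32 interface tunnel.1

## Address-book objects (names assumed)
set address trust "local-server" x.x.x.x 255.255.255.255
set address untrust "supplier-host" z.z.z.z 255.255.255.255

## Policies: the MIP object is created automatically in tunnel.1's zone (Untrust)
set policy from trust to untrust "local-server" "supplier-host" any permit log
set policy from untrust to trust "supplier-host" "MIP(y.y.y.y)" any permit log
```

Two things to check once it is up: `get sa` should show the Phase 2 SA with y.y.y.y/32 and z.z.z.z/32 as the proxy-IDs, and `get session` for a flow from x.x.x.x should show the translated source y.y.y.y on the tunnel.1 leg; if the SA never forms, the proxy-ID (crypto ACL) mismatch with the Cisco is the first thing to compare. Keeping the policies restricted to the two /32s and logging them limits what the third party can reach through the tunnel to the one host that was intended.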


  • Yes, there are very nice examples in Juniper manuals which you can download from There is some information also when you search this forum.