Set Up SSG-5 VPN for remote/remote subnet

I have an SSG-5 site-to-site VPN set up on a local subnet - the other end is an RV042.

Now I need to modify the VPN local end point to be another subnet while keeping the interface on the current subnet.  Like this:

The current SSG-5 interface on the local subnet is
The destination subnet for packets coming through the VPN will be
So, the VPN must be terminated with that subnet - that is well known.
There is a local router at that will send the packets on to

So, I need to make these changes:
1) Terminate the tunnel at the SSG-5 end with (keeping the router LAN physical address at
2) Route packets destined for to

Which things should I be thinking about changing in the SSG-5?  I know what to do with the RV042 settings at the other end of the VPN.   I'm still a bit confused about the relationship between "address list, objects, policies, etc." in the Juniper Networks box.  Maybe a brief description of their roles in the scheme of things would help!
Fred Marshall
1 Solution
Please look at the article below which talks about NATing multiple IP addresses to one IP address, the situation which you want [the article talks about routing internal IPs to one single external or public IP, but the case you want would also be configured the same way]:

Regarding description:
Address list: you create an address list so you can use an alias for a network rather than specifying the network range again and again; this makes the configuration easy to understand and also hides the IP addressing scheme.

Objects: Depending on what the object is defined for, it would help, e.g., an address object as above; a policy would help in specifying rules for allowing/denying inbound/outbound traffic, etc.

Policy: A policy determines whether a packet traversing a firewall should be allowed or denied; if allowed, then if there is any need to do some work on the packet like NATing, PAT, IPSec (read encryption/de-encryption), routing, etc.

Hope this helps. Please let me know if you need more details.

Thank you.
Fred Marshall (Principal, Author) commented:
So, an address list seems clear enough.
The Object thing though .... it sounds like an address IS or CAN BE an object?  A Policy can be an object?
If an address can be reused by virtue of an assigned alias, then what would the object of an address object be?

OK - in the meantime I'm trying to wade through that paper.  At first glance it seems pretty far afield from what I'm trying to do.  I might use a nudge.

Address Objects which can be added are:
Host objects
Network Objects
Multicast Object
Group -- group of one or more of the above objects

Policy uses any/all the objects created and determines the flow of traffic from one end to another, for eg, address objects, service objects, zones, logging options, authentication, VPN options, etc.

Yes, you can reuse any of the objects created like address objects, attack objects, authentication server objects, CA objects, CRL, etc.

The paper gives you the option to configure through the WEB UI. I am in some product training till Monday; after that I would try to configure the scenario and give you some CLIs which might help with the NAT configuration for the VPN [provided you don't already figure it out by then! :)]

Let me know if you need more input. I might not be able to create the scenario (at this time) but would certainly be able to clarify a few things if needed.

Thank you.
Fred Marshall (Principal, Author) commented:

My hope is that what I want to do next is simple:

1) I've already set up a VPN between a remote and a local subnet - I've got that working.

2) Set up a new VPN exactly the same way between a remote subnet and a "nonlocal" subnet (a subnet VPN terminated at the local site but not in the address range of any of the interfaces) - I've had those working with RV042s just fine so I anticipate that the SSG-5 setup will be the same as the SSG-5 setup above - just with a different subnet.

3) Since the setup in #2 won't DO anything then set up a route in the SSG-5 to direct packets destined to the nonlocal subnet to a router on the local subnet that will take them from there.

If (2) is as simple as replicating (1) with a different "local" subnet then that should be easy.

Then, if (3) is as simple as adding a route, that should also be easy.

I just don't know:
a) if the replication is that simple
b) how to actually make the added route settings on an SSG-5

I would like to thank you first of all for waiting on me.

Now I would like to backtrack on the solution; as I understand what you wish is not NAT over IPSec but you want to have the SSG send encrypted packets to an intermediate device and let the device send the traffic over to the Linksys device. If this is what you want then we need to add a route in SSG as:

set route gateway

All other VPN settings would remain the way they are.

I had just one question, if your router would take the routing part between the remote subnet and subnet why create VPN at all?

I am not sure if I have missed something; please advise.

Thank you.
Fred Marshall (Principal, Author) commented:
No problem.  In fact I've been stuck in the NW US coastal storm without power or internet connection for the last 3 days!!

Let me be clearer about the connections.  There are really two "remote" sites.  A company Remote Office and a third party site that's also remote.  The third party site is accessed over a private link.

Remote Office LAN________Main Office LAN___Router____________________Other remote site <> VPN <> <> <> private link <>

Actual VPN setup for forward path at Main Office:
Remote LAN_________"Local" LAN <VPN>

Local "Main Office" LAN
"Other" remote site accessed through a private link uses router at for *that* connection.  Packets going via the private link are destined for

Remote Office LAN  ... this is where the VPN is used.
There will be a VPN, or two, between the Remote Office and the Main Office.
One of those VPNs will be used to route packets from the Remote Office, over the internet, to the Main Office and then on to the private link destinations in

So there will be a VPN termination at the Main Office with remote LAN termination of and with the local LAN of (even though that LAN isn't actually "local").  Unencrypted packets destined for will emerge from the VPN at the Main Office and must be routed to as the next hop.

I hope that clarifies my last message.

My only challenge is how to set up the route in the SSG-5 for the unencrypted packets emerging from the VPN.

Returning packets will source from, routed via the router at to, the VPN router, and thus through the VPN back to

The only encryption is from the Main Office to the Remote Office - the VPN.

set route gateway

This command would set up the route for you in the SSG-5 for the remote subnet (behind the router); I think you already would have created the tunnel for and subnets other than for the .2 and .3 subnets.

Please let me know if you need more details.

Thank you.
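As an added example (not posted by either participant and not taken from Juniper documentation), here is how the pieces the answers describe fit together in ScreenOS on an SSG-5: address objects for the Remote Office LAN and the "nonlocal" subnet, tunnel policies that bind those two objects to the VPN, and the static route that hands decrypted packets to the local router. All addresses, interface names, object names and the pre-shared key are constructed placeholders, since the thread's real values are not on the page; the `#` lines are annotations to omit when pasting into the CLI.

```screenos
# Constructed example values (not from the thread); substitute your own addressing:
#   ethernet0/0, zone Trust, 192.168.1.1/24 -> SSG-5 LAN interface, stays on the local subnet
#   192.168.1.254                           -> local router that reaches the private link
#   10.50.0.0/24                            -> "nonlocal" subnet behind that router (VPN local end)
#   172.16.0.0/24                           -> Remote Office LAN behind the RV042
#   203.0.113.10                            -> RV042 public address (documentation range)

# Address objects: aliases the policies use instead of raw ranges
set address "Trust" "Nonlocal-LAN" 10.50.0.0 255.255.255.0
set address "Untrust" "RemoteOffice-LAN" 172.16.0.0 255.255.255.0

# IKE gateway and VPN objects (PSK is a placeholder; pick a long random one)
set ike gateway "gw-remote-office" address 203.0.113.10 Main outgoing-interface "ethernet0/1" preshare "REPLACE-WITH-PSK" sec-level standard
set vpn "vpn-remote-office" gateway "gw-remote-office" no-replay tunnel idletime 0 sec-level standard

# Tunnel policies: only these two address objects may use the tunnel; the "local"
# side is the nonlocal subnet even though no SSG-5 interface sits in it
set policy id 10 from "Trust" to "Untrust" "Nonlocal-LAN" "RemoteOffice-LAN" "ANY" tunnel vpn "vpn-remote-office" log
set policy id 11 from "Untrust" to "Trust" "RemoteOffice-LAN" "Nonlocal-LAN" "ANY" tunnel vpn "vpn-remote-office" log

# Static route: decrypted packets for the nonlocal subnet leave ethernet0/0 toward the local router
set route 10.50.0.0/24 interface ethernet0/0 gateway 192.168.1.254

# Verification after the tunnel comes up
get route
get sa active
```

The local router also needs a return route for 172.16.0.0/24 pointing at the SSG-5, as the thread's return-path description requires, or replies will never re-enter the tunnel. Narrow the "ANY" service in the two policies to the protocols the private link actually needs once the tunnel is confirmed working.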
Question has a verified solution.