Set Up SSG-5 VPN for remote/remote subnet

Posted on 2007-11-20
Medium Priority
Last Modified: 2012-08-13
I have an SSG-5 site-to-site VPN set up on a local subnet - the other end is an RV042.

Now I need to modify the VPN local end point to be another subnet while keeping the interface on the current subnet.  Like this:

The current SSG-5 interface on the local subnet is
The destination subnet for packets coming through the VPN will be
So, the VPN must be terminated with that subnet - that is well known.
There is a local router at that will send the packets on to

So, I need to make these changes:
1) Terminate the tunnel at the SSG-5 end with (keeping the router LAN physical address at
2) Route packets destined for to

Which things should I be thinking about changing in the SSG-5?  I know what to do with the RV042 settings at the other end of the VPN.   I'm still a bit confused about the relationship between "address list, objects, policies, etc." in the Juniper Networks box.  Maybe a brief description of their roles in the scheme of things would help!
Question by:Fred Marshall
LVL 32

Expert Comment

ID: 20324473
Please look at the article below, which talks about NATing multiple IP addresses to one IP address, the situation which you want [the article talks about routing internal IPs to one single external or public IP, but the case you want would also be configured the same way]:

Regarding description:
Address list: you create an address list so you can use an alias for a network rather than specifying the network range again and again; this makes the configuration easy to understand and also hides the IP addressing scheme.

Objects: Depending on what the object is defined for, it would help; e.g., an address object as above, a policy object would help in specifying rules for allowing/denying inbound/outbound traffic, etc.

Policy: A policy determines whether a packet traversing a firewall should be allowed or denied; if allowed, then whether there is any need to do some work on the packet like NATing, PAT, IPSec (read encryption/decryption), routing, etc.

Hope this helps. Please let me know if you need more details.

Thank you.
LVL 26

Author Comment

by:Fred Marshall
ID: 20365399
So, an address list seems clear enough.
The Object thing though .... it sounds like an address IS or CAN BE an object?  A Policy can be an object?
If an address can be reused by virtue of an assigned alias, then what would the object of an address object be?

OK - in the mean time I'm trying to wade through that paper.  At first glance it seems pretty far afield from what I'm trying to do.  I might use a nudge.
LVL 32

Expert Comment

ID: 20366279
Address Objects which can be added are:
Host objects
Network Objects
Multicast Object
Group -- group of one or more of the above objects

Policy uses any/all of the objects created and determines the flow of traffic from one end to another, e.g., address objects, service objects, zones, logging options, authentication, VPN options, etc.

Yes, you can reuse any of the objects created like address objects, attack objects, authentication server objects, CA objects, CRL, etc.

The paper gives you the option to configure through the Web UI. I am in some product training till Monday; after that I would try to configure the scenario and give you some CLIs which might help with NAT configuration for VPN [provided you don't already figure it out by then! :)]

Let me know if you need more inputs. I might not be able to create the scenario (at this time) but would certainly be able to clarify a few things if needed.

Thank you.

LVL 26

Author Comment

by:Fred Marshall
ID: 20367072

My hope is that what I want to do next is simple:

1) I've already set up a VPN between a remote and a local subnet - I've got that working.

2) Set up a new VPN exactly the same way between a remote subnet and a "nonlocal" subnet (a subnet VPN terminated at the local site but not in the address range of any of the interfaces) - I've had those working with RV042s just fine so I anticipate that the SSG-5 setup will be the same as the SSG-5 setup above - just with a different subnet.

3) Since the setup in #2 won't DO anything then set up a route in the SSG-5 to direct packets destined to the nonlocal subnet to a router on the local subnet that will take them from there.

If (2) is as simple as replicating (1) with a different "local" subnet then that should be easy.

Then, if (3) is as simple as adding a route, that should also be easy.

I just don't know:
a) if the replication is that simple
b) how to actually make the added route settings on an SSG-5
LVL 32

Expert Comment

ID: 20416367
I would like to thank you first of all for waiting on me.

Now I would like to backtrack on the solution; as I understand what you wish is not NAT over IPSec but you want to have the SSG send encrypted packets to an intermediate device and let the device send the traffic over to the Linksys device. If this is what you want then we need to add a route in SSG as:

set route gateway

All other VPN settings would remain the way they are.

I had just one question, if your router would take the routing part between the remote subnet and subnet why create VPN at all?

I am not sure if I have missed something; please advise.

Thank you.
LVL 26

Author Comment

by:Fred Marshall
ID: 20417497
No problem.  In fact I've been stuck in the NW US coastal storm without power or internet connection for the last 3 days!!

Let me be clearer about the connections.  There are really two "remote" sites.  A company Remote Office and a third party site that's also remote.  The third party site is accessed over a private link.

Remote Office LAN________Main Office LAN___Router____________________Other remote site <> VPN <> <> <> private link <>

Actual VPN setup for forward path at Main Office:
Remote LAN_________"Local" LAN <VPN>

Local "Main Office" LAN
"Other" remote site accessed through a private link uses router at for *that* connection.  Packets going via the private link are destined for

Remote Office LAN  ... this is where the VPN is used.
There will be a VPN, or two, between the Remote Office and the Main Office.
One of those VPNs will be used to route packets from the Remote Office, over the internet, to the Main Office and then on to the private link destinations in

So there will be a VPN termination at the Main Office with remote LAN termination of and with the local LAN of (even though that LAN isn't actually "local").  Unencrypted packets destined for will emerge from the VPN at the Main Office and must be routed to as the next hop.  

I hope that clarifies my last message.

My only challenge is how to set up the route in the SSG-5 for the unencrypted packets emerging the VPN.

Returning packets will source from, routed via the router at to, the VPN router, and thus through the VPN back to

The only encryption is from the Main Office to the Remote Office - the VPN.

LVL 32

Accepted Solution

dpk_wal earned 2000 total points
ID: 20425798
set route gateway

This command would set up route for you in SSG 5 for the remote subnet (behind router); I think you already would have created tunnel for and subnets other than for .2 and .3 subnets.

Please let me know if you need more details.

Thank you.
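
The following is an added worked example, not part of the thread and not dpk_wal's or the asker's own configuration. It ties together the two threads of the discussion: the earlier description of address objects and policies, and the accepted `set route` answer. It shows the ScreenOS CLI for the setup the asker describes: a second policy-based tunnel to the same RV042 whose "local" subnet is not on any SSG-5 interface, plus the static route that hands the decrypted packets to the internal router. Every address, zone assignment, interface name, object name and policy ID below is an assumption chosen for illustration (RFC 1918 and RFC 5737 documentation-style values); the thread's real addresses were not preserved on the page. The `#` lines are annotations for the reader, not ScreenOS syntax, and would be dropped before pasting.

```text
# Assumed layout (illustrative values only):
#   bgroup0     (trust)   192.168.1.1/24   Main Office LAN, the SSG-5's LAN address
#   internal router       192.168.1.254    next hop toward the private link
#   private-link subnet   192.168.3.0/24   reachable only through that router
#   ethernet0/0 (untrust) 198.51.100.2/24  Internet side of the SSG-5
#   RV042 public address  203.0.113.10     fronts Remote Office LAN 192.168.2.0/24

# 1) Address objects: aliases for subnets so policies never repeat raw ranges.
#    Note that "PrivateLink-LAN" is not on any SSG-5 interface; ScreenOS does
#    not require it to be, it only needs the object to exist in the zone.
set address trust   "MainOffice-LAN"   192.168.1.0 255.255.255.0
set address trust   "PrivateLink-LAN"  192.168.3.0 255.255.255.0
set address untrust "RemoteOffice-LAN" 192.168.2.0 255.255.255.0

# 2) One IKE gateway to the RV042, and one VPN object per tunnel.
#    The RV042 carries one local/remote subnet pair per tunnel, hence two VPNs.
set ike gateway "RV042-GW" address 203.0.113.10 Main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-A-LONG-RANDOM-PSK" sec-level standard
set vpn "RV042-VPN-Main"        gateway "RV042-GW" sec-level standard
set vpn "RV042-VPN-PrivateLink" gateway "RV042-GW" sec-level standard

# 3) Policy pair for the existing tunnel (the real local subnet).
#    In a policy-based VPN the source/destination address objects become the
#    Phase 2 proxy-IDs, so they must match the RV042's local/remote subnets
#    exactly or the tunnel will negotiate Phase 1 and then fail Phase 2.
set policy id 10 from trust to untrust "MainOffice-LAN" "RemoteOffice-LAN" any tunnel vpn "RV042-VPN-Main" pair-policy 11 log
set policy id 11 from untrust to trust "RemoteOffice-LAN" "MainOffice-LAN" any tunnel vpn "RV042-VPN-Main" pair-policy 10 log

# 4) Policy pair for the new tunnel: identical shape, different "local" object.
#    Keeping a dedicated pair (rather than widening policy 10/11 to "Any")
#    limits what the Remote Office can reach to the two named subnets.
set policy id 20 from trust to untrust "PrivateLink-LAN" "RemoteOffice-LAN" any tunnel vpn "RV042-VPN-PrivateLink" pair-policy 21 log
set policy id 21 from untrust to trust "RemoteOffice-LAN" "PrivateLink-LAN" any tunnel vpn "RV042-VPN-PrivateLink" pair-policy 20 log

# 5) The route from the accepted answer, with the elided values filled by the
#    assumed ones: packets that leave the tunnel for the non-local subnet are
#    sent out the trust interface to the internal router as next hop.
set route 192.168.3.0/24 interface bgroup0 gateway 192.168.1.254

# 6) Checks after applying: does the route resolve, did Phase 2 come up for
#    both tunnels, and does policy 20 show the expected address objects?
get route ip 192.168.3.10
get sa
get policy id 20
```

Two things sit outside this fragment. The internal router at 192.168.1.254 needs the mirror route (192.168.2.0/24 via the SSG-5's trust address), otherwise replies from the private-link subnet are forwarded to the router's default gateway and never re-enter the tunnel; that is the return path the asker describes. And on the RV042, the second tunnel's remote security group must be 192.168.3.0/24 with local group 192.168.2.0/24, matching the proxy-ID implied by policy 20/21.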
