Jack_son_
asked on
Juniper Firewall double nat
How do you configure double natting for the Juniper Firewall? So basically, coming from one IP address but translating to another.
ASKER
Ok, or what if I have it translated from another appliance first, then it comes to this device, how can I make it aware of this, using a DIP as well?
Thanks
Using a DIP pool only handles the actual translation. It cannot be used to determine the original source IP if another device has already done the translation for you.
What are you trying to accomplish? If you give us an example of what you would like to do, I am sure that if it is possible we can find a solution.
ASKER
Basically I am bringing in traffic from another one of our sites via IPsec tunnel; the IPs are being natted internally to appear as a different IP address from that network since there are overlapping IP ranges on the 2 networks. So I have them coming in properly, but once they hit the Juniper it does not recognize this range. How can I fix it so it knows this range and where to send the packets?
Ah, I see. The best way to accomplish this is to configure the DIP pool on the remote site. Hopefully the remote site also has a Juniper firewall. If it does, I would configure a policy-based VPN on the remote site and on that policy add a DIP pool to translate the source IP addresses into a new subnet before sending the traffic through the VPN.
One disadvantage of this is that you will not be able to ping the remote site IP addresses directly. I'll have to research how to send traffic back to the remote site.
ASKER
Great, thanks; do you have any information on setting up the DIP in this way?
Could you show us the relevant part of the (VPN) config?
ASKER
Yes, it's below:
(still waiting for the config ...)
ASKER