Setup:
Office A – Juniper Netscreen SSG5 (Static IP)
Office B – Juniper Netscreen SSG5 (Dynamic IP)
Both offices are connected to one another via a VPN tunnel using the SSG5
I came across an issue recently where we had remote hosted servers locked down to a certain IP address (Office A) and we needed office B to access those servers from there office using the Dynamic IP. The way I found around this was to redirect certain traffic over the VPN from office B to Office A, then display the IP as the Static IP from office A to access the servers.
I won’t go through setting up the VPN between the offices as I am assuming this is already done with the following settings.
- The VPNs are setup using tunnels
- The VPNs are working in both directions
- The Policies used are set to allow ANY service through for this test setup.
Office A
- Login into the Juniper and select Policy > Policies.
- In the from dropdown select untrust. From the To dropdown select untrust and then click New.
- Source Address: Select the as the office B LAN.
- Destination LAN: Select Any (or to make it more secure create an Address List for the hosted servers and select them).
- Service: Select the required service (i.e. RDP) or select ANY to allow everthing through.
- Logging: enable this setting
- Click Advanced
- Source Translation: Tick this option
- (DIP on): Select None (Use Egress Interface IP)
- Enable any other relevant settings you require.
- Click OK
- Click OK
- Office B
- Select Network > Routing > Destination
- Click New (Top Right Corner)
- IP Address/Netmask: Enter the external server IP and mask. If it is a single IP use the mask as 32
- Gateway: Enable this option
- Interface: Select the interface as the tunnel interface for the VPN to Office A.
- Gateway IP Address: Enter the internal IP of the Juniper Netscreen for Office A
- Permanent: Enable this option
- Description: I would enter a description here such as the hosted server name
- Click OK
You should have access to the hosted server now. You could if you wanted direct all traffic over the VPN by adding the IP Address/Netmask as 0.0.0.0/0.
One Comment
Leave a Reply
Cisco Security Advisories
- Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection VulnerabilitiesMultiple vulnerabilities in the web-based management interface of certain Cisco Small Business 100, 300, and 500 Series Wireless Access Points could allow an authenticated, remote attacker to perform command injection attacks against an affected device. These vulnerabilities are due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending crafted HTTP requests […]
- Cisco Web Security Appliance Privilege Escalation VulnerabilityA vulnerability in the configuration management of Cisco AsyncOS for Cisco Web Security Appliance (WSA) could allow an authenticated, remote attacker to perform command injection and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied XML input for the web interface. An attacker could exploit this vulnerability by uploading crafted XML configuration files […]
- Cisco Unified Customer Voice Portal Cross-Site Scripting VulnerabilityA vulnerability in the web-based management interface of Cisco Unified Customer Voice Portal (CVP) could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user. This vulnerability is due to insufficient input validation of a parameter that is used by the web-based management interface. An attacker could exploit this vulnerability by […]
- Cisco Firepower Device Manager On-Box Software Remote Code Execution VulnerabilityA vulnerability in the REST API of Cisco Firepower Device Manager (FDM) On-Box Software could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system of an affected device. This vulnerability is due to insufficient sanitization of user input on specific REST API commands. An attacker could exploit this vulnerability by sending […]
Thanks this blog helped me out loads.