Juniper Netscreen – Route traffic through another firewall

Posted by on 18 Feb, 2015 in Firewalls, Juniper, Security | 1 comment

Setup:

Office A – Juniper Netscreen SSG5 (Static IP)

Office B – Juniper Netscreen SSG5 (Dynamic IP)

Both offices are connected to each other via a VPN tunnel between the two SSG5s.

I came across an issue recently where we had remote hosted servers locked down to a certain IP address (Office A) and we needed Office B to access those servers from their office, which only has a dynamic IP. The way I found around this was to redirect the relevant traffic over the VPN from Office B to Office A, and then source-NAT it at Office A so that the hosted servers see the connection coming from Office A's static IP.

I won't go through setting up the VPN between the offices, as I am assuming this is already done with the following settings:

  • The VPNs are setup using tunnels
  • The VPNs are working in both directions
  • The Policies used are set to allow ANY service through for this test setup.

Office A

  • Log in to the Juniper and select Policy > Policies.
  • In the From dropdown select Untrust, in the To dropdown select Untrust, and then click New.
    • Source Address: Select the Office B LAN.
    • Destination Address: Select Any (or, to make it more secure, create an Address List containing the hosted servers and select it).
    • Service: Select the required service (e.g. RDP) or select ANY to allow everything through.
    • Logging: Enable this setting.
    • Click Advanced
      • Source Translation: Tick this option.
      • (DIP on): Select None (Use Egress Interface IP).
      • Enable any other relevant settings you require.
      • Click OK to close the Advanced page.
      • Click OK to save the policy.

Office B

  • Select Network > Routing > Destination
  • Click New (top right corner)
    • IP Address/Netmask: Enter the external IP and mask of the hosted server. For a single IP use a /32 mask.
    • Gateway: Enable this option.
    • Interface: Select the tunnel interface for the VPN to Office A.
    • Gateway IP Address: Enter the internal IP of the Juniper Netscreen at Office A.
    • Permanent: Enable this option.
    • Description: I would enter a description here, such as the hosted server name.
    • Click OK

You should now have access to the hosted server, and it will see the connection coming from Office A's static IP. If you wanted to, you could send all of Office B's traffic over the VPN by adding the route with an IP Address/Netmask of 0.0.0.0/0.
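The same two-firewall setup expressed as ScreenOS CLI commands, added here as an example and not taken from the original post. The Office B LAN (192.168.2.0/24), the Office A internal address (192.168.1.1), the hosted server (203.0.113.10), the tunnel interface name (tunnel.1) and the policy id are all assumed placeholders; substitute your own.

```screenos
## ---- Office A (static IP) ----
## The VPN tunnel interface is bound to the Untrust zone, which is why the
## policy below is Untrust -> Untrust.
set interface tunnel.1 zone untrust

## Address book entries: Office B LAN (source) and the hosted server (destination).
## Naming the hosted server instead of using "Any" keeps Office A from becoming
## a general-purpose egress for Office B.
set address "Untrust" "OfficeB-LAN" 192.168.2.0 255.255.255.0
set address "Untrust" "Hosted-Server" 203.0.113.10 255.255.255.255

## Untrust -> Untrust policy with source NAT. "nat src" without a dip-id means
## "None (Use Egress Interface IP)", i.e. traffic leaves with Office A's static IP.
## "log" matches the Logging tick box so the sessions show up in the traffic log.
set policy id 10 from "Untrust" to "Untrust" "OfficeB-LAN" "Hosted-Server" "MS-RDP" nat src permit log

## Checks: confirm the policy was accepted and watch for sessions from Office B.
get policy id 10
get session

## ---- Office B (dynamic IP) ----
## Host route for the hosted server pointing into the tunnel, next hop being
## Office A's internal interface. "permanent" keeps the route if the tunnel
## interface flaps. Use 0.0.0.0/0 instead of the /32 to send everything via A.
set route 203.0.113.10/32 interface tunnel.1 gateway 192.168.1.1 permanent description "Hosted server"

## Check: the lookup should return the tunnel interface, not the local untrust link.
get route ip 203.0.113.10
```

With the default route variant, every session from Office B appears at the hosted servers, and in Office A's traffic log, as Office A's static IP, so Office A's log is where to look when auditing who connected.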

One Comment

  1. Thanks this blog helped me out loads.
