ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner

8.19. Configure NAT with Policy-Based VPN

Problem

You want to perform source and destination NAT on a policy-based virtual private network (VPN) tunnel.

Solution

Configure NAT on only one side of the tunnel. Starting on FW-A, first create a tunnel interface and place it in a tunnel zone:

	set interface "tunnel.1" zone "Untrust-Tun"
	set interface tunnel.1 ip 1.1.1.1/24

Then configure Phase 1 (the IKE gateway) and Phase 2 (the VPN) of the tunnel, binding the VPN to the same tunnel zone into which you placed the tunnel interface. The tunnel zone is what connects a policy-based VPN to a tunnel interface. Note that the set vpn line below uses no-replay, which disables IPsec anti-replay checking; unless the peer cannot support it, use replay instead on a production tunnel.

	set ike gateway "test-gw" address 10.4.4.1 Main outgoing-interface "ethernet0/1" preshare netscreen sec-level standard

	set vpn "test-vpn" gateway "test-gw" no-replay tunnel idletime 0 sec-level standard
	set vpn "test-vpn" monitor
	set vpn "test-vpn" bind zone Untrust-Tun

Next, configure the DIP (dynamic IP pool, used here for source NAT) on the outgoing interface you named in the ike gateway statement, and then the MIP (mapped IP, a static one-to-one translation used for destination NAT) on the tunnel interface. The fix-port keyword keeps the original source port instead of letting the pool translate it:

	set interface ethernet0/1 ext ip 1.1.1.150/32 dip 4 1.1.1.150 fix-port
	set interface tunnel.1 mip 1.1.1.100 host 192.168.1.

Configure the tunnel policy and reference the DIP and MIP:

	set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
	set address "Untrust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
	set policy id 1 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" nat src dip-id 4 tunnel vpn "test-vpn"
	set policy id 2 from "Untrust" to "Trust" "192.168.2.0/24" ...
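The four steps above only work together if their cross-references line up: the VPN must be bound to the tunnel zone that holds tunnel.1, the DIP the tunnel policy cites must sit on the interface named as outgoing-interface in the ike gateway line, and the MIP must sit on a tunnel interface in that same zone. A slip in any one of them leaves a tunnel that negotiates but does not pass or translate traffic as intended, so it is worth checking before committing. The following Python linter is an added example written for this page, not code from the book or from Juniper: it parses the set lines and verifies those invariants, and also flags no-replay. Its sample configuration is assembled from the recipe's commands; the MIP host address (192.168.1.100) and the body of policy 2 are assumptions made for the example, since the page truncates both, and the MIP(...) destination is the form ScreenOS uses to name a MIP address object in a policy.

```python
# Lint a ScreenOS policy-based VPN + NAT configuration for the cross-references
# the recipe depends on.  Added example; not from the book or from Juniper.
import re
import shlex

# Constructed sample assembled from the recipe's FW-A commands.  Assumptions made
# for this example only: the MIP host 192.168.1.100 and the body of policy 2,
# whose destination MIP(1.1.1.100) is how ScreenOS names a MIP address object.
SAMPLE_CONFIG = """
set interface "tunnel.1" zone "Untrust-Tun"
set interface tunnel.1 ip 1.1.1.1/24
set ike gateway "test-gw" address 10.4.4.1 Main outgoing-interface "ethernet0/1" preshare netscreen sec-level standard
set vpn "test-vpn" gateway "test-gw" no-replay tunnel idletime 0 sec-level standard
set vpn "test-vpn" monitor
set vpn "test-vpn" bind zone Untrust-Tun
set interface ethernet0/1 ext ip 1.1.1.150/32 dip 4 1.1.1.150 fix-port
set interface tunnel.1 mip 1.1.1.100 host 192.168.1.100
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Untrust" "192.168.2.0/24" 192.168.2.0 255.255.255.0
set policy id 1 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" nat src dip-id 4 tunnel vpn "test-vpn"
set policy id 2 from "Untrust" to "Trust" "192.168.2.0/24" "MIP(1.1.1.100)" "ANY" tunnel vpn "test-vpn"
"""

MIP_RE = re.compile(r"MIP\((\S+)\)")


def parse_config(text):
    """Pull the objects the checks need out of 'set ...' lines, keyed by name or id."""
    cfg = {"iface_zone": {}, "ike_gw": {}, "vpn": {}, "dip": {}, "mip": {}, "policies": []}
    for raw in text.splitlines():
        t = shlex.split(raw.strip())  # drops the optional double quotes ScreenOS accepts
        if len(t) < 4 or t[0] != "set":
            continue
        if t[1] == "interface":
            iface = t[2]
            if t[3] == "zone":
                cfg["iface_zone"][iface] = t[4]
            elif "dip" in t:  # set interface X [ext ip A/M] dip ID LOW [HIGH] [fix-port]
                i = t.index("dip")
                cfg["dip"][t[i + 1]] = {"iface": iface, "fix_port": "fix-port" in t}
            elif "mip" in t:  # set interface X mip MIP host HOST [netmask M]
                i = t.index("mip")
                cfg["mip"][t[i + 1]] = {"iface": iface, "host": t[i + 3]}
        elif t[1:3] == ["ike", "gateway"]:
            cfg["ike_gw"][t[3]] = {"outgoing": t[t.index("outgoing-interface") + 1]}
        elif t[1] == "vpn":
            v = cfg["vpn"].setdefault(t[2], {})
            if t[3] == "gateway":  # Phase 2 line; also carries replay / no-replay
                v["gateway"] = t[4]
                v["no_replay"] = "no-replay" in t
            elif t[3:5] == ["bind", "zone"]:
                v["zone"] = t[5]
        elif t[1:3] == ["policy", "id"]:
            cfg["policies"].append({
                "id": t[3], "dst": t[9],
                "dip": t[t.index("dip-id") + 1] if "dip-id" in t else None,
                "vpn": t[t.index("vpn") + 1] if "vpn" in t else None})
    return cfg


def check_recipe(cfg):
    """Return (severity, message) findings; an empty list means the pieces line up."""
    out = []
    for name, v in cfg["vpn"].items():
        if v.get("gateway") not in cfg["ike_gw"]:
            out.append(("error", f"vpn {name}: IKE gateway {v.get('gateway')!r} is not defined"))
        zone = v.get("zone")
        if zone is None:
            out.append(("error", f"vpn {name}: not bound to a tunnel zone"))
        elif not any(z == zone and i.startswith("tunnel.") for i, z in cfg["iface_zone"].items()):
            out.append(("error", f"vpn {name}: zone {zone} holds no tunnel interface"))
        if v.get("no_replay"):
            out.append(("warn", f"vpn {name}: no-replay disables IPsec anti-replay checking"))
    for p in cfg["policies"]:
        v = cfg["vpn"].get(p["vpn"])
        if v is None:
            out.append(("error", f"policy {p['id']}: tunnel vpn {p['vpn']!r} is not defined"))
            continue
        if p["dip"] is not None:  # source NAT: DIP must live on the IKE outgoing interface
            dip = cfg["dip"].get(p["dip"])
            outgoing = cfg["ike_gw"].get(v.get("gateway"), {}).get("outgoing")
            if dip is None:
                out.append(("error", f"policy {p['id']}: dip-id {p['dip']} is not defined"))
            elif dip["iface"] != outgoing:
                out.append(("error", f"policy {p['id']}: DIP {p['dip']} is on {dip['iface']} "
                                     f"but the IKE gateway sends on {outgoing}"))
        m = MIP_RE.fullmatch(p["dst"])
        if m:  # destination NAT: MIP must live on a tunnel interface in the VPN's zone
            mip = cfg["mip"].get(m.group(1))
            if mip is None:
                out.append(("error", f"policy {p['id']}: MIP {m.group(1)} is not defined"))
            elif cfg["iface_zone"].get(mip["iface"]) != v.get("zone"):
                out.append(("error", f"policy {p['id']}: MIP {m.group(1)} is on {mip['iface']}, "
                                     f"which is not in tunnel zone {v.get('zone')}"))
    return out


def lint(text):
    return check_recipe(parse_config(text))


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_CONFIG):  # recipe as written: one warning, for no-replay
        print(f"[{sev}] {msg}")
    # A common slip: binding the VPN to the Untrust security zone instead of the tunnel zone.
    for sev, msg in lint(SAMPLE_CONFIG.replace("bind zone Untrust-Tun", "bind zone Untrust")):
        print(f"[{sev}] {msg}")
```

Run it against a saved "get config" dump by passing the file's text to lint(). The parser only understands the handful of statements this recipe uses, so unrelated lines are ignored rather than rejected; extend parse_config if your configuration names the DIP or MIP in a form it does not recognise.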
