For When You Can't Have The Real Thing
[ start | index | login ]
start > Netscreen > NAT across VPN

NAT across VPN

Created by dave. Last edited by dave, 11 years and 37 days ago. Viewed 3,647 times. #1
[edit] [rdf]
(29 January 2013)


You are setting up a VPN with the following conditions.

  • Your local network is
  • The remote private network is
  • The remote end requires you to NAT traffic which comes from your end to
  • The remote end needs to access the server at


I am using ScreenOS 6.3.0r12.0

We are going to set up a VPN with a tunnel interface. We'll assign an IP address to the tunnel interfaces and define the MIP on the interface as well.

I have some custom zones in use here:

  • Private Networks is the zone I keep my private networks in
  • Backup Clients is for VPN partners
First we need some objects:
set address "Private Networks" "My Private Network"
set address "Private Networks" "My Server"
set address "Backup Clients" "Partner Private Network"

Next we need our tunnel interface, along with MIP:

set interface "tunnel.4" zone "Backup Clients"
set interface tunnel.4 ip
set interface tunnel.4 mip host netmask vr "trust-vr"

VPN gateway and definition is pretty routine, note the tunnel glued to the VPN:

set ike gateway "Partner Gateway" address $IP Main outgoing-interface "ethernet0/1.2" preshare "$KEY" proposal "pre-g2-3des-sha"
set vpn "Partner VPN" gateway "ILS-Telus Gateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Partner VPN" id 0x5b bind interface tunnel.4

Be aware that if you are doing this through the GUI, you can't apply an IP to the tunnel after it has MIPs or it has been associated with a VPN. You have to do the IP assignment first (or strip off everything else, then apply the IP, then re-apply everything -- which is effectively the same as "do it first").

Next, you have to manually set a Proxy-ID that matches the traffic that the other end is expecting. Note that the local-ip is set to the netblock they've asked you to NAT your traffic to:

set vpn "Partner VPN" proxy-id local-ip remote-ip "ANY"

And of course you need a route telling your firewall that the partner network is reachable via the tunnel interface:

set route interface tunnel.4 description "Partner VPN"

Then it is just policies. Make sure these specific rules are inserted before any general permit/deny rules.

This lets them access your MIP'd server:

set policy id 494 name "Partner VPN" from "Backup Clients" to "Private Networks"  "Partner Private Network" "MIP(" "ANY" permit 
set policy id 494

This lets you access their network:

set policy id 495 name "Partner VPN" from "Private Networks" to "Backup Clients"  "My Private Network" "Partner Private Network" "ANY" nat src permit 
set policy id 495

There are variations possible including using a DIP pool to map outbound IPs to multiple NAT IPs, but I leave that as an exercise for the reader.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt