
[ScreenOS] Configuring Your Firewall to Allow IPSec Traffic to Pass Through in NAT Mode (ScreenOS 5.1 and below)


Article ID: KB4715 | Last Updated: 26 Dec 2017 | Version: 7.0
Summary:
Configuring your firewall to allow IPSec traffic to pass through in NAT mode. This solution is targeted at systems running ScreenOS 5.1 and below.
Solution:
If your Juniper firewall is running ScreenOS 5.2 or greater, refer to KB9243 - How to Pass IPSec Traffic through a Juniper Firewall for an alternate solution that uses the IPSec pass-through ALG enhancement added in that release. The solution in this article will still work on ScreenOS 5.2 or greater.

If your Juniper firewall is running ScreenOS 5.1 or below, allowing IPSec traffic to pass through the firewall in NAT mode requires sending the client's traffic out through a Mapped IP (MIP) rather than through the Untrust interface address. ESP (IP protocol 50) and AH (IP protocol 51) carry no transport-layer ports, so the interface-based (many-to-one) NAT that the firewall applies in NAT mode has nothing to key on when mapping the return traffic back to an inside host; a MIP provides a fixed one-to-one translation that does not depend on ports. You will need an extra publicly routable IP address for the MIP, so that it does not conflict with the firewall's Untrust interface address.

In this example, these are the following IP addresses:

  • Host/Client: 10.1.1.10
  • Firewall Untrust interface: 2.1.1.1
  • Managed IP (MIP): 2.1.1.10
  • IPSec device (remote gateway): 1.1.1.10

Image of example

To allow IPSec traffic to pass through the Juniper Firewall in NAT mode, perform the following steps:

Step one: Open the WebUI. For an example of how to access the WebUI, consult: KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI

Step two: A custom service for IPSec will need to be configured. For more information on configuring a custom service, go to: KB4220 - Configuring a Custom Service.

Note: IPSec uses IP protocol 50 (ESP), IP protocol 51 (AH) and User Datagram Protocol (UDP) port 500 (IKE). If the client and the remote gateway negotiate NAT-Traversal, the ESP traffic is instead encapsulated in UDP port 4500, so add UDP 4500 to the service as well. Here is an example of a configured custom IPSec service:

Image of note


Step three: A Mapped IP (MIP) address will need to be configured. A MIP maps one external IP address to one internal IP address, and outbound traffic from the mapped internal host leaves the firewall with the MIP as its source address instead of the Untrust interface address. For more information on configuring a MIP, go to KB4739 How Do I Configure a 1-to-1 Mapping of a Public Address to a Private Address in the WebUI? (aka Configuring a Mapped IP). In this example, 2.1.1.10 is the external IP address and 10.1.1.10 is the host/client IP address.

Image of note


Step four: From the ScreenOS options menu, click Policies.

Image of step four

Step five: In the From drop-down menu, click to select Trust. In the To drop-down menu, click to select Untrust.

Image of step five and six

Step six: Click New.

Step seven: Under Source Address, click to select New Address. In the New Address text box, enter the client/host IP address.

Image of step seven and eight

Step eight: Under Destination Address, click to select New Address. In the New Address text box, enter the remote gateway IP address.

Note: The Destination Address is the IP address of the remote gateway device that the IPSec client is trying to reach (1.1.1.10 in this example).

Step nine: In the Service drop-down menu, click to select IPSec. In the Action drop-down menu, click to select Permit.

Image of step nine and ten

Step ten: Click OK.
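The same configuration entered from the ScreenOS CLI, as an added example that is not part of this article. It assumes the Untrust interface is ethernet3 bound to the default trust-vr virtual router; the interface name, address-book object names and policy ID are placeholders to adjust to your device. The `#` lines are annotations, not CLI input.

```text
# Step two: custom service covering IPSec (ESP, AH, IKE).
set service "IPSec" protocol 50 src-port 0-65535 dst-port 0-65535
set service "IPSec" + 51 src-port 0-65535 dst-port 0-65535
set service "IPSec" + udp src-port 0-65535 dst-port 500-500
# Optional: only if the client and remote gateway use NAT-Traversal (ESP in UDP 4500).
set service "IPSec" + udp src-port 0-65535 dst-port 4500-4500

# Step three: 1-to-1 MIP on the Untrust interface (ethernet3 is an assumption).
# 2.1.1.10 must be a spare public address, not the interface address 2.1.1.1.
set interface ethernet3 mip 2.1.1.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr

# Steps seven and eight: address-book entries for the client and the remote gateway.
set address Trust "client-10.1.1.10" 10.1.1.10 255.255.255.255
set address Untrust "ipsec-gw-1.1.1.10" 1.1.1.10 255.255.255.255

# Steps four to ten: Trust -> Untrust policy permitting only the IPSec service
# from the client to the remote gateway (policy id 10 is an assumption).
set policy id 10 from "Trust" to "Untrust" "client-10.1.1.10" "ipsec-gw-1.1.1.10" "IPSec" permit

save

# Verification after the client starts its tunnel:
get service "IPSec"
get mip
get policy id 10
get session
```

In the `get session` output, sessions from 10.1.1.10 to 1.1.1.10 should show protocol 50 (or UDP 4500 with NAT-Traversal) and UDP 500 with the source translated to the MIP 2.1.1.10, not to 2.1.1.1. If the translated address is the interface address, the MIP is not bound to the interface the traffic is leaving on.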
