
How Do I Hide the True Source IP Address of Incoming IPSec Traffic?



Article ID: KB6574 KB Last Updated: 28 Nov 2011Version: 8.0


How do you "change or hide" the true source IP address of incoming IPSec Traffic that is decrypted on the NetScreen/SSG/ISG device?


Note: This article applies to ScreenOS 5.0 and higher.

One way to hide the true source IP address in an IPSec VPN tunnel is to use inbound NAT. With inbound NAT, the destination host sees the traffic as coming from the interface IP address.

Note: If you are using a Route-Based VPN, you will need to use a tunnel interface. Bind it to a different zone (Untrust) than the one where the private network exists (Trust, DMZ, etc.). Configure an incoming policy from the Untrust zone to the internal zone, and then enable inbound NAT on the interface. If you plan to use a tunnel interface with a DIP pool, you will have to make the tunnel interface numbered so that a DIP/MIP can be created for this tunnel interface.

Note: There are two ways to hide the true source IP address of incoming IPSec traffic:

  • Create a DIP Pool: You can define a DIP pool on this interface so that the incoming source IP address will assume one of these IP addresses, whichever is first available. You will select this DIP pool when you turn on NAT on the inbound access policy.
  • Turn on NAT on the inbound policy: This will translate the source IP address to the trust interface IP address. An added advantage of this method is that you will not have to add return routes for the packet to get back to the NetScreen device. Because the source IP address has now become the trusted interface IP address, internal routers and hosts that point to the NetScreen trusted interface as their default gateway will ensure that replies to this translated packet are returned to the NetScreen device appropriately.

To hide the true source IP address of incoming IPSec traffic, perform the following steps:

1. Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

2. From the WebUI, click Policies.

3. For the VPN policy on which you want to hide the true source IP address of incoming IPSec traffic, click Edit.

4. Click Advanced.

5. Under Advanced Policy Settings, click to select Source Translation.

6. Click OK.

Note: You always need an access policy if the traffic traverses between two zones. If the tunnel interface is bound to the same zone as the one from which traffic for the VPN tunnel initiates, then you will not need a policy.
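
The two options described above, written as ScreenOS CLI for a Route-Based VPN. This is an added example, not part of the original article. The tunnel and interface names, policy IDs, DIP ID, address-book entries ("remote-lan", "local-lan") and all addresses are constructed placeholders, and defining the DIP pool on the internal-facing interface is an assumption. Lines beginning with # are annotations, not commands.

```text
# Route-Based VPN: bind the tunnel interface to a zone other than the
# one holding the private network, so that an inbound policy applies.
set interface "tunnel.1" zone "Untrust"

# Option 1: Source Translation only. The decrypted traffic's source is
# rewritten to the IP address of the interface facing the internal zone.
set policy id 10 from "Untrust" to "Trust" "remote-lan" "local-lan" "ANY" nat src permit

# Option 2: Source Translation using a DIP pool. The source is rewritten
# to the first available address in the pool.
# Assumption: pool 5 is defined on the internal-facing interface
# (ethernet0/0 here) with constructed addresses from its subnet.
set interface ethernet0/0 dip 5 192.168.1.200 192.168.1.210
set policy id 11 from "Untrust" to "Trust" "remote-lan" "local-lan" "ANY" nat src dip-id 5 permit
```

With either policy in place, internal hosts and their logs record the translated address rather than the remote peer's real address, so the firewall's own traffic log is the place to look when the original source must be identified.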
