I would like to make our webserver accessible when the Internet is down on ISP1. I want to create a second NAT to my webserver, which is connected to FW1, from FW2, which is connected via VPN to FW1. Please see the diagram. Do you know how I can do that? I already created a NAT from Untrust to the VPN zone; I think I need to add a second NIC to the webserver and policy-based routing. Could you please advise? Thank you.
I can suggest 2 ideas:
1) A routing-instance of type virtual-router on FW1; please refer to https://forums.juniper.net/t5/Day-One-Books/Day-One-Juniper-Ambassadors-Cookbook-for-Enterprise/ba-p/198733 p. 108. The idea is to get replies routed back to FW2 in case you use ISP2 for access to the web server; you would need to merge it with the existing VPN config.
2) Not tested, but you can try to add an additional NAT on FW2 to NAT/PAT everything coming from ISP2 going to the web server. This should be accessible through the VPN from FW1; the web server will be seeing requests from this new source IP. You can track the actual source IPs from the FW2 session table.
Thank you for your answer. I checked the first option, and my situation is a little different since there are two firewalls connected to each other via VPN. As far as I understand, I should create a NAT (port mapping) on FW2 and create a virtual router on FW1, and I should route the ISP2 traffic to my VPN interface on FW2. Is that right?
Yes, you have 2 FWs and a VPN, so it will require additional things to consider, but the general idea is right: instance VR and route towards ISP2. Please try this.
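For readers following this thread, here is an illustrative Junos (SRX) configuration that puts both of Alex's ideas together: the destination NAT plus source NAT on FW2 from idea 2, and the virtual-router routing-instance on FW1 from idea 1 (the variant confirmed in the reply above). This is an added example, not configuration from the thread or from Juniper; every interface number, zone name, policy name and address below is an assumption (the public addresses use the 203.0.113.0/24 documentation range, the web server is assumed at 10.1.1.10), and the zone and st0 interface names must match the VPN that already exists between the two firewalls.

```junos
## ===== FW2 (Internet via ISP2) =====
## Assumed: ge-0/0/0.0 = ISP2 uplink in zone "untrust" with address 203.0.113.2,
##          st0.0     = VPN tunnel to FW1 in zone "vpn"
set security address-book global address WEBSERVER 10.1.1.10/32

## Destination NAT: HTTPS hitting FW2's ISP2 address is mapped to the web server behind FW1
set security nat destination pool WEB-POOL address 10.1.1.10/32 port 443
set security nat destination rule-set FROM-ISP2 from zone untrust
set security nat destination rule-set FROM-ISP2 rule DNAT-WEB match destination-address 203.0.113.2/32
set security nat destination rule-set FROM-ISP2 rule DNAT-WEB match destination-port 443
set security nat destination rule-set FROM-ISP2 rule DNAT-WEB then destination-nat pool WEB-POOL

## Source NAT (idea 2): hide Internet clients behind FW2's st0.0 address so the
## web server's replies go back to FW2 over the tunnel instead of out FW1's ISP1 default route.
## The original client IPs remain visible in FW2's session table (see check below).
set security nat source rule-set TO-VPN from zone untrust
set security nat source rule-set TO-VPN to zone vpn
set security nat source rule-set TO-VPN rule SNAT-WEB match destination-address 10.1.1.10/32
set security nat source rule-set TO-VPN rule SNAT-WEB then source-nat interface

## Security policy matches the post-NAT (real) destination; only HTTPS is permitted
set security policies from-zone untrust to-zone vpn policy ALLOW-WEB match source-address any
set security policies from-zone untrust to-zone vpn policy ALLOW-WEB match destination-address WEBSERVER
set security policies from-zone untrust to-zone vpn policy ALLOW-WEB match application junos-https
set security policies from-zone untrust to-zone vpn policy ALLOW-WEB then permit
set security policies from-zone untrust to-zone vpn policy ALLOW-WEB then log session-close

## ===== FW1 (web server side) =====
## Idea 1 variant: a dedicated virtual router holding the web server's second NIC and the
## tunnel interface, with its default route pointing at FW2, so traffic that arrived via
## ISP2 is answered via ISP2 without touching the main inet.0 table used for ISP1.
## Assumed: ge-0/0/2.0 = second NIC of the web server (10.1.2.0/24), st0.0 = tunnel to FW2.
## Moving st0.0 into the VR changes where the existing VPN is routed; merge with care.
set routing-instances ISP2-VR instance-type virtual-router
set routing-instances ISP2-VR interface ge-0/0/2.0
set routing-instances ISP2-VR interface st0.0
set routing-instances ISP2-VR routing-options static route 0.0.0.0/0 next-hop st0.0
set security zones security-zone web2 interfaces ge-0/0/2.0
set security policies from-zone vpn to-zone web2 policy ALLOW-WEB match source-address any
set security policies from-zone vpn to-zone web2 policy ALLOW-WEB match destination-address WEBSERVER
set security policies from-zone vpn to-zone web2 policy ALLOW-WEB match application junos-https
set security policies from-zone vpn to-zone web2 policy ALLOW-WEB then permit

## ===== Verification (operational mode) =====
## On FW2: each session shows the real client source and the translated st0.0 source
##   show security flow session destination-prefix 10.1.1.10/32
## On FW1: confirm the reply path is the tunnel, not ISP1
##   show route table ISP2-VR.inet.0
```

Two design points worth keeping in mind: the source NAT on FW2 is what makes the return path symmetric when FW1 still has ISP1 as its default route (without it, replies to Internet clients would leave via ISP1 and the sessions would break), and logging at session close on the FW2 policy keeps an audit trail of the real client addresses that the web server itself can no longer see.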
Thank you Alex, it worked.