We have an ISG 2000 with multiple VPNs. We want to NAT some traffic coming in from one of those VPNs. In the past, I've set up a loopback interface, added MIPs and DIPs to that interface, but had to add the specific tunnel interface supporting that VPN to the loopback interface's group in order to pass and translate the traffic appropriately.
I want to do the same thing, but for a different range of IP addresses.
The original loopback interface (loopback.2) is using an IP address of 10.1.1.129/27 with MIPs in that same subnet. The interface of tunnel.6 is a member of the loopback.2 group.
The new loopback interface (loopback.4) would have an IP address of 10.10.0.254/24 and the MIPs would also be in that subnet. Since the traffic destined for that subnet would also be coming in through tunnel.6, can I make tunnel.6 a member of the loopback.4 group, also?
We cannot have one tunnel interface be part of two loopback groups.
Since you have already configured a MIP for the NAT, I see no obstacles to your creating a MIP subnet that's different from the loopback.2 interface subnet; it's supported in Juniper that you can create a DIP or MIP in a different subnet than the parent interface.
Just make sure you are above 6.1 ScreenOS.
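The approach described in this answer, written out as ScreenOS CLI as an added illustration (not configuration posted by anyone in the thread): tunnel.6 stays in the loopback.2 group, and the MIPs for the 10.10.0.0/24 range are added to loopback.2 itself rather than to a second loopback. The 10.10.0.x and 192.168.50.x addresses, the Untrust zone and the trust-vr router name are placeholders chosen for the example; substitute your own.

```text
## Existing setup from the question: loopback.2 owns 10.1.1.129/27 and
## tunnel.6 is already a member of its loopback group.
set interface loopback.2 zone Untrust
set interface loopback.2 ip 10.1.1.129/27
set interface tunnel.6 loopback-group loopback.2

## MIP in the loopback's own subnet (the original, working case).
## Placeholder inside host: 192.168.50.10 is the real internal server.
set interface loopback.2 mip 10.1.1.130 host 192.168.50.10 netmask 255.255.255.255 vr trust-vr

## New MIPs for the 10.10.0.0/24 range, placed on the SAME loopback.2.
## The MIP address is outside loopback.2's 10.1.1.128/27 subnet; ScreenOS
## 6.1 and later accept this, so no loopback.4 (and no second loopback
## group for tunnel.6) is needed.
set interface loopback.2 mip 10.10.0.10 host 192.168.50.20 netmask 255.255.255.255 vr trust-vr
set interface loopback.2 mip 10.10.0.11 host 192.168.50.21 netmask 255.255.255.255 vr trust-vr

## Policy from the VPN zone to the MIP, with logging enabled so the
## translation can be verified in the policy log as the poster did.
set policy from Untrust to Trust any "MIP(10.10.0.10)" any permit log
```

Verify the mappings with `get interface loopback.2 mip` and watch the policy log for hits on the MIP policy; traffic arriving through tunnel.6 for 10.10.0.10 should appear translated to the internal host.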
Thanks, Rontu. We're running 6.1.0r5 on our ISG, so we'll see if we can give that a shot.
FYI, Rontu, this looks like it worked. I did this with a MIP in the different subnet and the ISG was able to pass the traffic (verified with a policy log) to our internal network.
Happy to help