Firewall – How to implement NAT-T passthrough on a Juniper SRX series Firewall

Tags: firewall, ipsec, juniper, nat, vpn

We have 3 Juniper SRX-100 firewalls; they are configured like so:

FW1 -> FW2 -> INTERNET -> FW3

We would like to create an IPSEC tunnel between FW3 and FW1 passing through FW2 preferably using NAT-T. Is this possible?

FW1 and FW2 have some strict access rules only allowing 1 port connected (it's a DMZ with a server in), so we can't just create a route-based VPN between FW1 and FW2 to forward the traffic (otherwise all traffic will be forwarded).

We know the tunnel is fine because we have managed to test it between FW1 and FW3 (without FW2 in the middle) so we know that the issue is to do with the 'passthrough' on FW2.

Essentially, the question is – What options do we need to select on FW2 to enable it to pass through the IPSEC traffic straight to FW1?

Best Answer

If it's anything like the SSGs, then you could just create a port forward through (possibly).

Set a destination VIP on the 'dirty' side of FW2, with the 'host' being FW1, then just policy it through.

I'm no Juniper expert, but it should let you forward through like that.
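The SRX equivalent of the SSG "VIP plus policy" approach described above is a destination NAT rule for the two NAT-T ports (UDP 500 for IKE, UDP 4500 for IKE/ESP encapsulated in UDP) plus a security policy that permits only those applications. The following Junos `set` commands are an added example, not from the answer author or from Juniper documentation; they assume FW2's Internet-facing address is 203.0.113.1 in zone `untrust`, FW1 sits behind FW2 at 10.0.0.2 in zone `trust`, and the peers negotiate NAT-T (so ESP rides inside UDP 4500 and no ESP pass-through ALG is needed). All addresses and names are placeholders.

```junos
## FW2: forward only IKE (UDP/500) and NAT-T (UDP/4500) arriving on the
## untrust address to FW1. All other DMZ restrictions stay in place.

## Destination NAT pools pointing at FW1 (placeholder address 10.0.0.2)
set security nat destination pool fw1-ike address 10.0.0.2/32 port 500
set security nat destination pool fw1-natt address 10.0.0.2/32 port 4500

## Rule-set applied to traffic entering from the untrust zone
set security nat destination rule-set dnat-ipsec from zone untrust

## UDP/500 to FW2's public address (placeholder 203.0.113.1) -> FW1:500
set security nat destination rule-set dnat-ipsec rule ike match destination-address 203.0.113.1/32
set security nat destination rule-set dnat-ipsec rule ike match destination-port 500
set security nat destination rule-set dnat-ipsec rule ike then destination-nat pool fw1-ike

## UDP/4500 to FW2's public address -> FW1:4500
set security nat destination rule-set dnat-ipsec rule natt match destination-address 203.0.113.1/32
set security nat destination rule-set dnat-ipsec rule natt match destination-port 4500
set security nat destination rule-set dnat-ipsec rule natt then destination-nat pool fw1-natt

## Address-book entry for the post-NAT destination (policies match the
## translated address, so this is FW1's inside address, not the public one)
set security address-book global address fw1-host 10.0.0.2/32

## Security policy: permit only the IKE and NAT-T applications to FW1.
## junos-ike (UDP/500) and junos-ike-nat (UDP/4500) are predefined applications.
set security policies from-zone untrust to-zone trust policy allow-ipsec-to-fw1 match source-address any
set security policies from-zone untrust to-zone trust policy allow-ipsec-to-fw1 match destination-address fw1-host
set security policies from-zone untrust to-zone trust policy allow-ipsec-to-fw1 match application junos-ike
set security policies from-zone untrust to-zone trust policy allow-ipsec-to-fw1 match application junos-ike-nat
set security policies from-zone untrust to-zone trust policy allow-ipsec-to-fw1 then permit

## Verification after commit (operational mode):
##   show security nat destination rule all
##   show security flow session destination-port 4500
```

Because only UDP/500 and UDP/4500 are translated and permitted, the existing single-port restriction between FW1 and FW2 is unchanged: the tunnel endpoint is FW1, and FW2 never sees the decrypted traffic. Since FW1 is behind a NAT, FW3's IKE gateway must be configured to expect FW2's public address as the peer, and FW1 should initiate (or use NAT keepalives) so the translation stays open. The `show security flow session` output should list sessions with the untrust source, destination 203.0.113.1, and the translated destination 10.0.0.2; if only port 500 sessions appear and the tunnel never comes up, the peers did not detect NAT and are sending raw ESP, which this configuration deliberately does not forward.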
