What device are you using? Sometimes it is possible to use a route-based VPN even if the other side can only use policy-based VPN (SRX with Cisco ASA is a typical example). That could perhaps solve your problem?
/Per

On 24 Jul 2013 at 19:50, Aaron Dewell <[email protected]> wrote:

> Hey all,
>
> Got a conflict here and hoping someone has some ideas on this. We have 1:1
> static NAT for a server, but that server also needs to communicate over a
> policy-based VPN. If this VPN were route-based, there'd be no problem.
>
> The VPN works for this server if I remove the static NAT so everything there
> is good.
>
> The option I've considered is to create a static route to the remote subnet
> which goes into a different zone (even a fake zone) and adjust the policies
> to go into that zone instead of the Internet zone. However, the traffic from
> the far side would still be coming from the Internet zone, so I'm betting the
> flows wouldn't match. It also seems like an extreme hack.
>
> Removing the static NAT would be awesome, but there are unknown things using
> it, so it's not so easy as that.
>
> Anyone have other suggestions?
>
> Thanks!
>
> Aaron
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

