PPTP Passthrough or Static NAT

A common network scenario is providing external users with access to internal resources through a firewall. In this particular case, we will talk about allowing PPTP VPN clients to connect to our VPN gateway behind a Juniper SRX. This scheme is called PPTP Passthrough or Static NAT (the latter is the more general case, because we can NAT any IP or protocol through the SRX). Here is a short tip on how to do this.

Juniper SRX PPTP Passthrough or Static NAT: Case Description

Here is our scheme. We need to allow VPN clients to connect from any IP in Untrusted networks (external to our corporate network, or the Internet) to our VPN gateway server (which, in my case, is Microsoft TMG), located in the Trusted (internal) network, through the Juniper SRX.

Juniper External interface – ge-0/0/0 IP =
Juniper Internal interface – ge-0/0/4 IP =
VPN Server NIC IP =
IP, dedicated to VPN-Client Connections IP =

So, the external IP of our SRX is, BUT – and this is the important thing – VPN clients will use another, dedicated IP for the connection -


Juniper SRX PPTP Passthrough or Static NAT Step 1: The NAT itself

First, let’s set up the NAT:

Here we are doing two things. First is a static NAT rule: if a packet arrives from ANY source to – forward it to. Next is the Proxy-ARP setting. That is needed for ge-0/0/0 to answer ARP requests for, because they are in the same network segment.

Juniper SRX PPTP Passthrough or Static NAT Step 2: Security zones

Add your VPN server to the trusted zone, and give it a friendly name:

Or you can choose to add the address to the security-zone address book:

Juniper SRX PPTP Passthrough or Static NAT Step 3: Security Policies

Now we need to write two policies, for traffic TO and FROM the VPN gateway:

Here we allow all traffic from our VPN gateway to the Untrusted (external) network and, as a security measure, allow only PPTP and GRE traffic from the Untrusted (external) network to our VPN gateway. Now our configuration is complete, and it’s time to commit and make a check.

Juniper SRX PPTP Passthrough or Static NAT Step 4: Verify configuration

First, make a basic check – telnet to port 1723. If everything is ok, try to make a VPN connection to And if we need to check the rule on the SRX side, here is the command.

We are interested in the last entry – it must be more than 0.
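
The four steps above as one configuration sketch. This is an added example, not the original post's configuration: the addresses 203.0.113.10 and 192.0.2.10, the zone names trust and untrust, interface unit 0, and all rule-set, rule, policy and address-book names are assumptions chosen for illustration.

```junos
# Added example. All addresses and names below are constructed placeholders.
#   203.0.113.10  dedicated public IP for VPN clients (same segment as ge-0/0/0)
#   192.0.2.10    VPN server NIC, reachable behind ge-0/0/4

# Step 1: static NAT, plus proxy-ARP so ge-0/0/0 answers ARP for the dedicated IP
set security nat static rule-set pptp-static from zone untrust
set security nat static rule-set pptp-static rule pptp-in-nat match destination-address 203.0.113.10/32
set security nat static rule-set pptp-static rule pptp-in-nat then static-nat prefix 192.0.2.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# Step 2: name the VPN server in the trust zone address book
set security zones security-zone trust address-book address vpn-gw 192.0.2.10/32

# Step 3: policies. Static NAT is applied before policy lookup, so the inbound
# policy matches the internal (translated) address, not the public one.
# junos-pptp = TCP/1723 control channel, junos-gre = IP protocol 47 tunnel data.
set security policies from-zone untrust to-zone trust policy pptp-in match source-address any
set security policies from-zone untrust to-zone trust policy pptp-in match destination-address vpn-gw
set security policies from-zone untrust to-zone trust policy pptp-in match application junos-pptp
set security policies from-zone untrust to-zone trust policy pptp-in match application junos-gre
set security policies from-zone untrust to-zone trust policy pptp-in then permit
# Not part of the original steps: log accepted sessions on the Internet-facing rule
set security policies from-zone untrust to-zone trust policy pptp-in then log session-init

set security policies from-zone trust to-zone untrust policy vpn-gw-out match source-address vpn-gw
set security policies from-zone trust to-zone untrust policy vpn-gw-out match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-gw-out match application any
set security policies from-zone trust to-zone untrust policy vpn-gw-out then permit

# Step 4 (operational mode, after commit): the static NAT rule reports a
# "Translation hits" counter, which should rise once a client has connected.
#   show security nat static rule all
```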