03-16-2011 05:55 AM
Attached is my configuration.
remote site firewall: SSG 140
local firewall: SRX 100
remote site subnets: 10.0.30.0/24 and 10.0.19.0/24
local LAN: 192.168.123.0/24
A policy-based VPN is established; the PCs on the local network can go to the Internet but cannot reach the remote site network. The configuration of the remote site is absolutely correct.
Could someone help me find out what the problem with this configuration is?
03-16-2011 06:48 AM
I believe that you need a rule above your current NAT source rule, like this:
rule vpn {
    match {
        source-address 192.168.123.0/24;
        destination-address [ 10.0.30.0/24 10.0.19.0/24 ];
    }
    then {
        source-nat {
            off;
        }
    }
}
03-16-2011 06:53 AM
If I add this rule at the top, when traffic from 192.168.123.0 is directed to 10.0.30.0 or 10.0.19.0 it matches that rule. Will the policy for the policy-based VPN still function?
03-16-2011 07:10 AM
Correct. The reason it isn't working is because you are NATting all of the traffic at the moment, so it will not match the policy.
If you do a
show security flow session destination-prefix 10.0.30.0/24
then this will show you the traffic being NATted and hitting the wrong policy.
03-16-2011 07:18 AM
Thanks for the reply.
May I ask you one question?
The PCs on the remote site network also cannot ping the local LAN (192.168.123.0).
Is it related to the NAT bypass?
03-16-2011 07:30 AM
The return traffic will hit the NAT rule, so it wouldn't work either way until the new rule is in place.
03-17-2011 03:36 AM
Thank you for your support.
I will try it next week.