SRX Services Gateway
Contributor
Wilmer
Posts: 35
Registered: ‎12-23-2010

Cannot pass traffic via policy base vpn

Attachment is my configuration

remote site firewall : SSG 140

local firewall : SRX 100


remote site subnets: 10.0.30.0/24 and 10.0.19.0/24

local LAN: 192.168.123.0/24


The policy-based VPN is established; the PCs on the local network can go to the Internet, but they cannot reach the remote site network. The configuration of the remote site is absolutely correct.

Could someone help me find out what the problem is with this configuration?

Trusted Contributor
Digs
Posts: 57
Registered: ‎08-25-2010

Re: Cannot pass traffic via policy base vpn

I believe that you need a rule above your current source NAT rule, like this:


/* Exempt LAN-to-remote-site traffic from source NAT; must precede the interface NAT rule */
rule vpn {
    match {
        source-address 192.168.123.0/24;
        destination-address [ 10.0.30.0/24 10.0.19.0/24 ];
    }
    then {
        source-nat {
            off;
        }
    }
}
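
The following is an added example of how that rule sits inside a complete source NAT rule-set and alongside the tunnel policy; it is not the poster's configuration or the attachment from the original post. The rule-set name (trust-to-untrust), rule names (vpn-no-nat, internet-nat), zone names (trust, untrust), address-book names (local-lan, remote-30, remote-19), the IPsec VPN name (to-ssg140) and the policy names (vpn-out, vpn-in, internet-out) are all assumed placeholders; substitute the names from your own configuration.

```junos
security {
    zones {
        security-zone trust {
            address-book {
                address local-lan 192.168.123.0/24;   /* assumed name */
            }
        }
        security-zone untrust {
            address-book {
                address remote-30 10.0.30.0/24;       /* assumed name */
                address remote-19 10.0.19.0/24;       /* assumed name */
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {               /* assumed name */
                from zone trust;
                to zone untrust;
                /* Source NAT rules are evaluated top-down, first match wins,
                   so the VPN exemption must be listed before the catch-all
                   interface NAT rule or the LAN traffic gets translated. */
                rule vpn-no-nat {
                    match {
                        source-address 192.168.123.0/24;
                        destination-address [ 10.0.30.0/24 10.0.19.0/24 ];
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                /* Everything else from the LAN is hidden behind the untrust interface address */
                rule internet-nat {
                    match {
                        source-address 192.168.123.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Tunnel policy for the policy-based VPN; it must precede the
               general Internet permit, because policies are also first-match. */
            policy vpn-out {
                match {
                    source-address local-lan;
                    destination-address [ remote-30 remote-19 ];
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn to-ssg140;          /* assumed VPN name */
                            pair-policy vpn-in;
                        }
                    }
                }
            }
            policy internet-out {
                match {
                    source-address local-lan;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Reverse direction so the remote site can initiate into the LAN */
            policy vpn-in {
                match {
                    source-address [ remote-30 remote-19 ];
                    destination-address local-lan;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn to-ssg140;
                            pair-policy vpn-out;
                        }
                    }
                }
            }
        }
    }
}
```

If the exemption rule already exists but ended up below the interface NAT rule, it can be moved without re-entering it: in configuration mode, `insert security nat source rule-set trust-to-untrust rule vpn-no-nat before rule internet-nat`, then `commit`. Check the resulting order with `show security nat source rule all`; after clearing the old sessions (`clear security flow session destination-prefix 10.0.30.0/24`), `show security flow session destination-prefix 10.0.30.0/24` should list the session with the original 192.168.123.x source address in the Out wing and the tunnel policy name rather than the Internet policy. A mismatched order is also visible on the SSG side, where the inbound packets would carry the SRX untrust interface address as their source and fail the remote policy or proxy-ID check.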

Contributor
Wilmer
Posts: 35
Registered: ‎12-23-2010

Re: Cannot pass traffic via policy base vpn

If I add this rule at the top, then when traffic from 192.168.123.0 is directed to 10.0.30.0 or 10.0.19.0,

it will match that policy; will the policy for the policy-based VPN still function?

Trusted Contributor
Digs
Posts: 57
Registered: ‎08-25-2010

Re: Cannot pass traffic via policy base vpn

Correct. The reason it isn't working is because you are NATting all of the traffic at the moment, and it will not match the policy.

If you do a

show security flow session destination-prefix 10.0.30.0/24

then this will show you this traffic being NATted and hitting the wrong policy.

Contributor
Wilmer
Posts: 35
Registered: ‎12-23-2010

Re: Cannot pass traffic via policy base vpn

Thanks for the reply.

May I ask you one question?

The PCs on the remote site network also cannot ping the local LAN (192.168.123.0).

Is it related to the NAT bypass?

Trusted Contributor
Digs
Posts: 57
Registered: ‎08-25-2010

Re: Cannot pass traffic via policy base vpn

The return traffic will hit the NAT rule, so it wouldn't work either way until the new rule is in place.

Contributor
Wilmer
Posts: 35
Registered: ‎12-23-2010

Re: Cannot pass traffic via policy base vpn

Thank you for your support.

I will try it next week

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.