SRX


Dynamic-VPN to external IP address. How?

  • 1.  Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 06:22

    Hi,

     

    my customer has an SRX210 firewall and uses Dynamic VPN with the Pulse client.

     

    Internal (trust): 192.168.0.0/24

    External (untrust) to internet: 62.96.112.138/29

     

    There is an address pool with a 10.10.250.0/24 network for the vpn users.

    And a policy from untrust to trust to give access.

    This is all working!

     

    Now the customer wants to give the vpn users access to an external address. How should I configure this?

     

    External IP address on untrust interface: 82.135.48.56/32

     

     

    clients {
        clients_dynamic_vpn {
            remote-protected-resources {
                192.168.0.0/24;
                82.135.48.56/32;
            }
            ipsec-vpn vpn_dynamic_vpn;
        }
    }

     

    I have logged in with Junos Pulse and checked the routing table under Windows. And there is now a rule to forward 82... to the vpn interface/ip (10....)

     

    Then I tried to configure a VPN security policy from untrust to untrust to allow this connection. But it doesn't work.

     

    Jan



  • 2.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 06:40

    OK I have set this up also.

     

    In your policy for Untrust to Untrust did you specify the VPN tunnel? Like this:

     

        policy policy_untrust_to_untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn MYVPN;
                    }
                }
            }
        }

     

    This will work on most versions, however there are versions where referencing the VPN in the policy twice causes only one to work.

     

    I found a workaround to be the following:

     

    On the 2nd zone try the following policy instead:

     

    policy policy_untrust_to_untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

     

     



  • 3.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:09

    Hi MMcD,

     

    what do you mean by "This will work on most versions, however there are versions where referencing the VPN in the policy twice causes only one to work."?

     

    Here is my full config:

    root@firewall-slave# show security dynamic-vpn
    clients {
        clients_dynamic_vpn {
            remote-protected-resources {
                192.168.0.0/24;
                172.16.131.0/24;
                82.135.48.56/32;
            }
            ipsec-vpn vpn_dynamic_vpn;
        }
    }
    
    {primary:node1}[edit security policies from-zone untrust to-zone untrust]
    policy pol-test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }
    
    {primary:node1}[edit security policies from-zone untrust to-zone trust]
    policy pol-dynamic_vpn-to-trust {
        match {
            source-address any;
            destination-address net-trust;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }
    
    {primary:node1}[edit security policies from-zone untrust to-zone dmz] 
    policy pol-dynamic_vpn-to-dmz {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }
    
    

     



  • 4.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:20

    Sorry, I mean: for example on version 11.1R4.4 I had to include only one "Permit Tunnel" in the config, and then in other zones, e.g. from Untrust to Untrust, I had to just permit all and not reference the Permit Tunnel in the policy.

     

    See below:

     

    {primary:node1}[edit security policies from-zone untrust to-zone untrust]
    policy pol-test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

     

    Are both the policies below working? You said Untrust to Trust was, but what about to zone DMZ?

     

    {primary:node1}[edit security policies from-zone untrust to-zone trust]
    policy pol-dynamic_vpn-to-trust {
        match {
            source-address any;
            destination-address net-trust;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }
    
    {primary:node1}[edit security policies from-zone untrust to-zone dmz] 
    policy pol-dynamic_vpn-to-dmz {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }

     

     



  • 5.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:24

    Hi,

     

    I use the Release 10.4R6.5. Is your suggestion a 11.1 feature?

     

    The policies from untrust to trust and from untrust to dmz are working fine. In my first post I used a simplified example configuration for the forum.



  • 6.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:47

    OK,

     

    So for example, your IP range for VPN clients is 192.xxx.xxx.xxx/24

     

    You want to access the external site you mentioned. Do you have a Source NAT rule in place to NAT the traffic coming from the VPN going outside?



  • 7.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:51

    Hi,

     

    my IP range for VPN clients is 10.10.250.0/24

     

    There is no Source NAT rule. How do I build this? A Source NAT needs a zone. Which is the right zone? untrust to untrust?



  • 8.  RE: Dynamic-VPN to external IP address. How?
    Best Answer

    Posted 11-09-2011 08:00

    Yeah, from Zone untrust to-zone untrust.

     

    This is all assuming your network is set up correctly with a default gateway to the outside etc etc.

     

    This will set the traffic to NAT on the IP set up on the external zone.

     

    rule-set Untrust_to_Untrust {
        from zone untrust;
        to zone untrust;
        rule VPN_Outside {
            match {
                source-address 10.10.250.0/24;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

     



  • 9.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 08:21

    Very cool. It works! Thank you!

     

    Here is my final config:

    {primary:node1}[edit security nat source rule-set untrust-to-untrust]
    from zone untrust;
    to zone untrust;
    rule vpnclients-nat-rule {
        match {
            source-address 10.10.250.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
    
    {primary:node1}[edit security policies from-zone untrust to-zone untrust]
    policy pol-dynamic_vpn {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn vpn_dynamic_vpn;
                }
            }
        }
    }
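    The two pieces the thread ends up with (the untrust-to-untrust policy that permits via the tunnel, from post 2, and the untrust-to-untrust source NAT rule covering the client pool, from the accepted answer) are easy to lose on a box with many rule-sets. The script below is an added example, not code from the thread or from Juniper: a small parser for the Junos curly-brace configuration format and an audit that checks both pieces are present for a given client pool and VPN name. The sample configuration is the final config from this post, rebuilt as one `security { ... }` hierarchy (the post shows it as two `[edit ...]` fragments); the function names `parse_junos`, `get` and `audit_hairpin` are my own.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Node:
    """One Junos container: its ';'-terminated statements and its nested containers."""
    name: str
    leaves: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

def parse_junos(text):
    """Parse Junos curly-brace configuration text into a Node tree; raises on unbalanced braces."""
    stack = [Node("root")]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("closing brace without matching open")
        elif line.endswith("{"):
            child = Node(line[:-1].strip())
            stack[-1].children[child.name] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1].leaves.append(line[:-1].strip())
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unclosed brace at end of input")
    return stack[0]

def get(node, *path):
    """Follow container names down the tree; an empty Node stands in for any missing step."""
    for name in path:
        node = node.children.get(name, Node(name))
    return node

def audit_hairpin(cfg, pool, vpn, zone="untrust"):
    """Return what is missing for dynamic-VPN clients in `pool` to reach the Internet via the SRX."""
    findings = []
    # A policy from the outside zone back to itself must permit the flow via the tunnel.
    policies = get(cfg, "security", "policies", f"from-zone {zone} to-zone {zone}").children.values()
    if not any(f"ipsec-vpn {vpn}" in get(p, "then", "permit", "tunnel").leaves for p in policies):
        findings.append(f"no {zone}-to-{zone} policy permitting via tunnel {vpn}")
    # Source NAT from the outside zone to itself must cover the pool: without it the remote
    # host sees private pool addresses as the source, and its replies never come back.
    pool_net = ipaddress.ip_network(pool)
    nat_ok = False
    for rs in get(cfg, "security", "nat", "source").children.values():
        if f"from zone {zone}" not in rs.leaves or f"to zone {zone}" not in rs.leaves:
            continue
        for rule in rs.children.values():
            srcs = [s.split(None, 1)[1] for s in get(rule, "match").leaves
                    if s.startswith("source-address ")]
            if (any(pool_net.subnet_of(ipaddress.ip_network(s)) for s in srcs)
                    and "source-nat" in get(rule, "then").children):
                nat_ok = True
    if not nat_ok:
        findings.append(f"no {zone}-to-{zone} source NAT rule covering {pool}")
    return findings

# Constructed sample: the final config from this post, as one hierarchy.
SAMPLE_CONFIG = """\
security {
    nat {
        source {
            rule-set untrust-to-untrust {
                from zone untrust;
                to zone untrust;
                rule vpnclients-nat-rule {
                    match {
                        source-address 10.10.250.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone untrust {
            policy pol-dynamic_vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn vpn_dynamic_vpn;
                        }
                    }
                }
            }
        }
    }
}
"""
```

    Run `audit_hairpin(parse_junos(SAMPLE_CONFIG), "10.10.250.0/24", "vpn_dynamic_vpn")` against `show configuration` output pasted into `SAMPLE_CONFIG`; an empty list means both pieces are present, and each string in the result names the missing one. The NAT check only understands prefixes in `source-address`; a rule that matches on an address-book name would need the lookup extended.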

     



  • 10.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 08:23

    Nice one! 😄

     

    Can you mark my answer as accepted if you think it was helpful?



  • 11.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 08:29

    How mean ha! Accepting your own comment as solution 😛



  • 12.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 08:31

    Sorry... I was too fast. I clicked before I read your post 🙂

    My fault!



  • 13.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 08:57

    Hi MMcD,

     

    because of the help with this thread, maybe you can help again with this problem:

    http://forums.juniper.net/t5/SRX-Services-Gateway/Routing-DynamicVPN-gt-Zone-Trust-Cluster-Node0-not-working/td-p/117348

     

    It's the same SRX210 cluster.

     

    Jan



  • 14.  RE: Dynamic-VPN to external IP address. How?

    Posted 11-09-2011 07:21

    Your suggestion to use a policy without the tunnel argument doesn't work:

     

    policy pol-test {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }