04-19-2012 03:13 AM
04-19-2012 04:43 AM - edited 04-19-2012 04:46 AM
Do you specifically want to manage the SRX on one of its internal interfaces? As you could just enable HTTPS/SSH on the specific zone terminating the VPN and also on the st (secure tunnel) interface and lock it down with a filter to your specific requirements.
04-22-2012 04:44 PM
I got similar problem.
I have DynVPN to SRX and I have access to all resources in remote LAN, I can ping the internal (trusted) interface of the SRX via the VPN tunnel, but I cannot SSH to it. I have found [KB21489], but it explains only a problem with overlapping networks - I am using different network for DynVPN pool.
Any help or links to similar posts are gratefully received.
04-22-2012 06:12 PM
If you are using a different network for Dynamic VPN, it should work normally. could you please attach the flow trace,if possible ?
04-23-2012 04:35 AM
I do not have access to the SRX at the moment, but what exactly do you need?
I have checked session flow and traffic is permitted, it comes from WAN interface. Ping and ssh is allowed in host-inbound on that interface. I am using the newest Junos 12.1R1.9. It looks like traffic just vanishes.
04-24-2012 04:39 PM
Checked the configuration and tried to disable features which I thought maybe causing problem, but still no luck. Traffic via SRX works fine from DynVPN client to remote LAN, can ping SRX, but any attempt to establish some tcp connectivity to it fails (https, ssh). It looks like packes are vanishing. I could not find anything in policie logs which would direct me any way. As this is test box I have downgraded it back to R11.4, but still same situation.
Other thing I have noticed that if I want to send all traffic via VPN tunnel (no split tunneling) and use SRX as gateway to Internet for DynVPN client it also does not work, maybe some config issue for that part, but I cannot see anything in the firewall filters or traffic flow (sh sec flow session...) or syslog messages - e.g. I am trying to ping from DynVPN client 188.8.131.52.
Any ideas would be more then welcome.