SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Local Zone to remote VPN

    Posted 05-08-2014 22:33

    Hi,

    Here is my scenario. I have 2 Internet connections, one internal network and a third network connected to my SRX240 at a branch office. The 2 Internet links are configured as untrust zones, the internal network as the trust zone, and the third link, connecting to one of our clients in our premises, is configured as zone abc. Workstations from the abc zone are not able to access the webserver at HO. HO and branch are connected through a route-based VPN. I have tried configuring policies from the abc zone to HO-VPN. Clients can access only if I change the default policy to accept-all. Any help is much appreciated.

    Regards



  • 2.  RE: Local Zone to remote VPN

    Posted 05-08-2014 22:40

    Hello Thomas

    From your description I reckon the tunnel is up, as you can access the remote side when you have a default permit-all policy.

    To me it appears to be a policy configuration issue.

    Can you tell me which zone the st0 interface is bound to?

    Would it be possible for you to share the below?

    1. Source IP of the traffic
    2. Destination IP of the traffic
    3. RSI/configuration

    Regards,
    Raveen



  • 3.  RE: Local Zone to remote VPN

    Posted 05-08-2014 23:03

    I am copying only the relevant configs.

    Traffic originating from:

    ge-0/0/7 {
        unit 0 {
            description "ABC Link";
            family inet {
                address 172.17.254.2/24;
            }
        }
    }

    Destined to 10.71.0.0

    Static routes:

    route 10.71.0.0/16 next-hop st0.10;
    route 10.1.0.0/16 next-hop 172.17.254.1;

    security-zone ABC {
        address-book {
            address ABCzoneadd1 10.1.0.0/16;
        }
        host-inbound-traffic {
            system-services {
                dns;
                ftp;
                http;
                https;
                ident-reset;
                ping;
                snmp;
                traceroute;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/7.0;
        }
    }

    from-zone HOVPN to-zone ABC {
        policy HOvpn-ABC {
            match {
                source-address net-HO_10-71-0-0--16;
                destination-address ABCzone;
                application any;
            }
            then {
                permit;
            }
        }
    }

    from-zone ABC to-zone HOVPN {
        policy ABC-HO {
            match {
                source-address ABCzone;
                destination-address net-HO_10-71-0-0--16;
                application any;
            }
            then {
                permit;
            }
        }
    }

    The VPN is up and running, and clients from the local network 10.31.xx.xx can access the remote network at 10.71.xx.xx. The trouble is from zone ABC (10.1.xx.xx) to 10.71.xx.xx.



  • 4.  RE: Local Zone to remote VPN

    Posted 05-08-2014 23:05

    St0.x is bound to zone untrust.



  • 5.  RE: Local Zone to remote VPN
    Best Answer

    Posted 05-08-2014 23:25

    The policy has to be between your ABC zone and the untrust zone (st0.X). Can you create a test policy between ABC and untrust and check if it resolves?

    Regards,
    Raveen


  • 6.  RE: Local Zone to remote VPN

    Posted 05-12-2014 20:14

    The policy exists between ABC zone and HOVPN zone. St0.x to HO is on HOVPN Zone



  • 7.  RE: Local Zone to remote VPN

    Posted 05-12-2014 21:21

    The name of your address book entry is "

    This is the address book entry in your abc zone: ABCzoneadd1, and not ABCzone. So you need to correct that.
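    The last reply above names the root cause: the two policies reference ABCzone, while the address-book of zone ABC defines ABCzoneadd1. With zone-level address-books, a source-address in a policy is resolved against the from-zone's address-book and a destination-address against the to-zone's, so the name must exist in the zone the policy direction points at. The script below is an added example for this thread, not Juniper code and not anything posted above. It reads an SRX configuration in the one-line form produced by "show configuration | display set" and reports every policy address that does not resolve in the right zone. The sample configuration is constructed from the snippet in reply 3; the HOVPN address-book line is an assumption, since the thread never shows it, and the function names are mine.

```python
"""Check that every address a security policy references exists in the
address-book of the zone that policy direction points at.

Added example for this thread, not Juniper code. It reads the one-line
'set' form of an SRX configuration (show configuration | display set) and
only understands zone-level address-books with plain 'address' entries;
address-sets and the global address-book are out of scope.
"""
import re

# Names Junos accepts in a policy match without an address-book entry.
BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}

ADDRESS_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) \S+$"
)
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address) (\S+)$"
)


def zone_address_books(lines):
    """Map zone name -> set of address names defined in that zone's address-book."""
    books = {}
    for line in lines:
        m = ADDRESS_RE.match(line.strip())
        if m:
            zone, name = m.groups()
            books.setdefault(zone, set()).add(name)
    return books


def lint_policy_addresses(config_text):
    """Return findings for policy addresses that do not resolve; an empty
    list means every reference is defined in the zone it is looked up in."""
    lines = config_text.strip().splitlines()
    books = zone_address_books(lines)
    findings = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        src_zone, dst_zone, policy, direction, addr = m.groups()
        if addr in BUILTIN_ADDRESSES:
            continue
        # source-address is looked up in the from-zone, destination-address in the to-zone
        zone = src_zone if direction == "source-address" else dst_zone
        if addr not in books.get(zone, set()):
            findings.append(
                f"policy {policy} ({src_zone} -> {dst_zone}): {direction} "
                f"'{addr}' is not defined in the address-book of zone {zone}"
            )
    return findings


# Constructed sample in 'display set' form, re-expressing the snippet from
# reply 3. The HOVPN address-book line is an assumption; the thread never
# showed it.
BROKEN_CONFIG = """
set security zones security-zone ABC address-book address ABCzoneadd1 10.1.0.0/16
set security zones security-zone ABC interfaces ge-0/0/7.0
set security zones security-zone HOVPN address-book address net-HO_10-71-0-0--16 10.71.0.0/16
set security zones security-zone HOVPN interfaces st0.10
set security policies from-zone HOVPN to-zone ABC policy HOvpn-ABC match source-address net-HO_10-71-0-0--16
set security policies from-zone HOVPN to-zone ABC policy HOvpn-ABC match destination-address ABCzone
set security policies from-zone HOVPN to-zone ABC policy HOvpn-ABC match application any
set security policies from-zone HOVPN to-zone ABC policy HOvpn-ABC then permit
set security policies from-zone ABC to-zone HOVPN policy ABC-HO match source-address ABCzone
set security policies from-zone ABC to-zone HOVPN policy ABC-HO match destination-address net-HO_10-71-0-0--16
set security policies from-zone ABC to-zone HOVPN policy ABC-HO match application any
set security policies from-zone ABC to-zone HOVPN policy ABC-HO then permit
"""

# The same configuration once the policies reference the name the zone defines.
# \b keeps the existing 'ABCzoneadd1' entry untouched.
FIXED_CONFIG = re.sub(r"\bABCzone\b", "ABCzoneadd1", BROKEN_CONFIG)

if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        problems = lint_policy_addresses(cfg)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```

    Run against the posted configuration the checker reports two findings, one per policy, both for ABCzone in zone ABC; after the rename it reports none. Because it works on the text form, it can be run over an exported configuration before a commit on the box, which is where a name mismatch like this one is cheapest to catch.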