SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site-to-Site Policy base VPN one way traffic

    Posted 09-14-2011 07:22

    Hi All,

    I am trying to set up a policy-based VPN between an SRX 220 and a Cisco ASA, but I am not able to reach the remote LAN, while the remote site can reach my local LAN. In this case my VPN is up, but traffic is not going through the VPN tunnel from the SRX side. In a tracert to the remote IP it gets dropped at the trust interface of my firewall.

    Please help me to resolve this issue.

    For reference, find attached the config, network diagram, and tracert from the PC.

    Thanks

    Hemant Shingane

    CCNP




  • 2.  RE: Site-to-Site Policy base VPN one way traffic
    Best Answer

    Posted 09-14-2011 07:50

    I would move this rule above the other one:

        rule VPN {
            match {
                source-address 192.168.0.0/22;
                destination-address 10.0.16.0/21;
            }
            then {
                source-nat {
                    off;
                }
            }
        }

    A good command to run would be:

        show security flow session destination-prefix 10.0.16.0/21



  • 3.  RE: Site-to-Site Policy base VPN one way traffic

    Posted 09-14-2011 08:04
    The rule below is taking all the traffic destined for the VPN because of the 0.0.0.0/0:

        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
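What replies 2 and 3 describe is first-match evaluation inside a Junos source NAT rule-set: the catch-all `0.0.0.0/0` interface-NAT rule sits above the VPN rule, so traffic for 10.0.16.0/21 is source-NATed to the untrust interface address before the policy-based VPN sees it, and it never matches the VPN policy's source range. The fragment below is an added example of the corrected ordering, not the original poster's config or anything from the attachments. The rule-set name `trust-to-untrust` and the zone names `trust` and `untrust` are assumptions; the two rules and their prefixes are taken from the replies above.

```junos
security {
    nat {
        source {
            /* Assumed rule-set and zone names; adjust to the real config. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Rules are evaluated top-down and the first match wins, so the
                   VPN exemption must come before the catch-all interface NAT. */
                rule VPN {
                    match {
                        source-address 192.168.0.0/22;
                        destination-address 10.0.16.0/21;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                /* Everything else leaving trust is hidden behind the egress interface. */
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

Rather than deleting and re-adding the rules, the order can be changed in configuration mode with `insert security nat source rule-set trust-to-untrust rule VPN before rule source-nat-rule` (again assuming that rule-set name), followed by `commit`. To confirm the change took effect, `show security nat source rule all` lists the rules in evaluation order, and the `show security flow session destination-prefix 10.0.16.0/21` command from reply 2 should then show sessions to the remote LAN with their original 192.168.x.x source address rather than the interface address.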