Hello,
I'm fairly new to NetScreens and this is my first post. I'm experiencing issues running DIP and MIP for my route-based site-to-site VPN setup between a NetScreen and a remote site Cisco ASA. I've drawn up a diagram that hopefully makes sense. See attached.
So far I have managed to get the tunnel up (phase 1 and 2 up/active). Tunnel.1 is bound to the VPN. The DIP (green - outbound flow 1 - see diagram) is also working OK (i.e. I can ping from 1.1.1.1 to remote end inside 192.168.1.1).
However, with the traffic associated with the MIP (maroon - inbound flow 2 - see diagram) I can see the ICMP traffic leaving the remote ASA but being denied on the NetScreen firewall as follows:
Juniper(M)-> get log traffic src-ip 192.168.1.2
PID 22, from Global to Global, src Any, dst Any, service ANY, action Deny
============================================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface
Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
============================================================================================================
0:00:00 192.168.1.2 43018 192.168.1.65 512 ICMP 0 tunnel.1
Traffic Denied 1 0.0.0.0 0 0.0.0.0 0 22 ethernet1/1.2
0:00:00 192.168.1.2 42762 192.168.1.65 512 ICMP 0 tunnel.1
Traffic Denied 1 0.0.0.0 0 0.0.0.0 0 22 ethernet1/1.2
Total entries matched = 2
Snippet of the configuration on the NetScreen:
set vpn "VPN" proxy-id local-ip 192.168.1.64/26 remote-ip 192.168.1.0/26 "ANY"
set vrouter "untrust-vr"
set route 192.168.1.0/26 interface tunnel.1
set vrouter "Trust-vr"
set route 192.168.1.0/26 vrouter "untrust-vr" preference 20
set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet1/0
set interface tunnel.1 ext ip 192.168.1.65 255.255.255.192 dip 1 192.168.1.66 192.168.1.126
set dip sticky
set interface "ethernet1/0" mip 192.168.1.65 host 1.1.1.2 netmask 255.255.255.255 vr "Trust-vr"
set policy id 1 from "Trust-vr" to "Untrust" "host_1.1.1.1" "host_192.168.1.1" "ICMP-ANY" nat src dip-id 1 permit log
set policy id 2 from "Untrust" to "Trust-vr" "host_192.168.1.2" "MIP(192.168.1.65)" "ICMP-ANY" permit log
Is it OK to configure the MIP on the untrust/outside interface, or should I associate the MIP with the tunnel interface as I have with the DIP?
For the MIP, is it OK to use the same address as the DIP ext IP?
Any help much appreciated.
Thanks,
John