Screen OS

  • 1.  Dial up VPN can't get out to the Internet

    Posted 09-21-2008 14:07

    Hi

    I have an SSG 5 which is working great.  I have created Dial-Up VPN users with the Wizard and they all use the same tunnel.1 interface.  They connect fine and can access the local network but I can't find a way for them to connect back out to the Internet.  The Internet is back out on the same physical port that the dial-up users come in on and is the untrust vr.

    Any help would be great

    Thanks


    #users
    #dialup
    #vpn


  • 2.  RE: Dial up VPN can't get out to the Internet

    Posted 09-22-2008 03:32

    Hi,

    On the NetScreen-Remote configuration is the destination network set to 0.0.0.0/0 to make sure all traffic goes down the tunnel?

    On the firewall which zone is the tunnel.1 interface in and which virtual router?

    Regards

    Andy


  • 3.  RE: Dial up VPN can't get out to the Internet

    Posted 09-22-2008 16:14

    Hi Andy, thanks for the reply.

    What we have is a VPN user group where members are using IKE, XAuth.  This provides them with an IP address from a pool (10.10.100.1 ..... /24) and some DNS settings.  The client can log in fine and can resolve names to IP addresses on the Internet from a local DNS server.

    AutoKey IKE is bound to tunnel.1

    There is an Untrust to Trust policy which was created when the VPN Wizard was used which is just an any - any - permit.

    On the Interface List, tunnel.1 is unnumbered, in the untrust zone and type tunnel

    There are no specific routes which determine how to route from the tunnel to untrust or 0.0.0.0 /0 for the tunnel

    Cheers

    Lance

     



  • 4.  RE: Dial up VPN can't get out to the Internet

    Posted 09-22-2008 16:36

    Hi,

    It sounds like you need an intrazone policy on the untrust zone as this is where the VPN terminates (tunnel.1) and where the Internet is connected.

    set policy from untrust to untrust 10.10.100/24 any http permit

    Add other services that you want to allow to the policy.

    See if that helps.

    Regards

    Andy



  • 5.  RE: Dial up VPN can't get out to the Internet

    Posted 09-22-2008 17:04

    OK, tried that, the policy is working

    10.10.100.5:1216 - 209.85.171.99:80 - 10.10.100.5:1216 - 209.85.171.99:80 - HTTP - 20 sec. - 222 bytes sent - 0 bytes received - Close - AGE OUT

    but still no traffic back, does it need to be bi-directional?

    Cheers

    Lance


  • 6.  RE: Dial up VPN can't get out to the Internet
    Best Answer

    Posted 09-22-2008 17:18

    Hi,

    Doesn't need to be bi-directional, forgot to tell you to add NAT-src to the policy to allow devices on the Internet to come back via the firewall.

    Edit the untrust to untrust policy and go into the Advanced section and enable NAT-src using egress interface IP.

    This should get it all working.

    Regards

    Andy
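The fix from the two answers above, put together as one ScreenOS CLI configuration. This is an added example, not from either poster; it assumes the thread's layout (tunnel.1 and the Internet-facing interface both in the Untrust zone, XAuth pool 10.10.100.0/24), while the address-object name "DialUp-Pool", policy id 10 and the sample client address 10.10.100.5 are chosen here. Lines beginning with # are explanatory notes, not CLI input.

```screenos
# Added example (not from the thread): untrust-to-untrust hairpin policy with
# source NAT so dial-up VPN clients can reach the Internet through the same port.
# Assumptions: pool 10.10.100.0/24 behind tunnel.1 in the Untrust zone;
# object name, policy id and the test client address are placeholders chosen here.

# Address object for the XAuth pool (ScreenOS address objects are zone-scoped)
set address untrust "DialUp-Pool" 10.10.100.0 255.255.255.0

# Intrazone policy: VPN client -> Internet. "nat src" with no DIP id translates
# to the egress interface address, the CLI equivalent of the GUI's
# "NAT-Src using egress interface IP" option. Without it the reply from the
# Internet host is addressed to 10.10.100.x and never comes back through the firewall.
set policy id 10 name "DialUp-to-Internet" from "Untrust" to "Untrust" "DialUp-Pool" "Any" "HTTP" nat src permit log

# Add the other services the clients need inside the policy context
set policy id 10
set service "HTTPS"
set service "DNS"
exit

# Verification: the policy should show NAT-src enabled, and a client's session
# should now show the translated source address and a non-zero byte count received
get policy id 10
get session src-ip 10.10.100.5
```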



  • 7.  RE: Dial up VPN can't get out to the Internet

    Posted 09-22-2008 17:20

    You da man Andy!

    That's awesome, been trying to get this working for weeks

    Cheers

    Lance

     

     



  • 8.  RE: Dial up VPN can't get out to the Internet

    Posted 06-30-2011 06:26

    Hi Guys

    Hope you can help ANDY!!

    I have the same problem and I've followed this thread to a "T" - I can't get the traffic to go out the same interface it came in on. I've done the intrazone policy - source NAT, but still I can't get traffic out. My DNS is fine and I do an NSLOOKUP over the VPN. I have a policy from ADSL_ZONE to trust allowing the L2TP VPN in, but no traffic is going out. The policy logs report TRAFFIC DENY.

    I've got this working on another firewall. The zone is UNTRUST - will that make a difference? I noticed under ZONES that my ADSL zone is not shared, while the UNTRUST zone is - will this make a difference, and if so, how do I change the ADSL zone to be SHARED.

    Maybe that's my answer right there - I need to change the ZONE to UNTRUST.....

    Help if you can

    Andrew