12-30-2008 10:25 AM
This is my first post and need experts advice and directions.
-Clients using Netscreen Remote are connecting to NS5GT using Dialup VPN policy. Clients can connect to local workstations and services on this site no problem.
-There is a working tunnel from NS5GT to NS25 in another site with services that the remote clients would like to connect to.
-Is there a way for the remote client to connect to services where NS25 site is located?
Solved! Go to Solution.
12-30-2008 10:37 AM
Yes there is, but you need to use a Route Based VPN for your Dial-up VPN users. Most dial-up VPN's I come across use a Policy Based approach. However, dial-up VPN users are unable to route across to another VPN unless a route based is used. This is done by terminating the VPN to a Tunnel interface. You can then add a "dial-up" VPN zone for additional security. This allows you to control traffic via Policy. As an FYI, the VPN Policy type is not used with a Route-based approach. I hope this helps. Let me know if you have any questions.
12-30-2008 12:00 PM
Have a look at the following thread.
12-30-2008 01:35 PM
I would reveiw the link from AndyC. If you still have questions or run into an issue, let me know.
12-30-2008 03:20 PM
I was able to create a route based dial-up successfully as per the link (which was really quite helpful). However, i am unable to ping the remote site or NS25 LAN IP. Here's what i have;
Remote IP Pool 126.96.36.199/24
NS5GT LAN 172.18.7.0/24
NS25 LAN 192.168.110.0/24
-Remote clients connected to NS5GT via route based tunnel.2.
-Tunnel.1 is the tunnel to NS25 LAN
-NS5GT: Created a policy (Untrust Intra-zone policy) from 188.8.131.52/24 to 192.168.110.0/24
-NS25: Created routing 184.108.40.206/24->tunnel.10 (tunnel.10 is the link to tunnel.1)
I reading again the links whole thread as I may have missed out something. I am also confused in that thread as there is another IP which 172....
12-30-2008 03:52 PM
I can now successfully ping from remote client to NS25 LAN. Still working on pinging from NS25 LAN to remote client IP.
Also, i just noticed I can't access the internet from the remote client even pinging external ip.
12-30-2008 05:34 PM
The reason you cant access the internet from the remote pc is because all traffic is being tunneled down the VPN inclueding internet traffic, hence the subnet mask of 0.0.0.0/0
You would need a policy on your firewall that would allow the NSRemote client access out on to the internet. If your tunnel interface for the dialup vpn is bound to the untrust zone then you would need a policy from untrust to untrust source 220.127.116.11/24 destination any
To get access from the NS25 to the remote client via the 5gt you would need to add a policy making sure that the ns25 lan is allowed to talk to the 18.104.22.168 network
Let me know if this helps
If not let me know which zone the tunnel interface for the dial up vpn is in and which zome the tunnel interface for the tunnel to the NS25 is in and i can give a more detailed description.
12-30-2008 08:22 PM
-NS5GT: I have two policies Untrust-to-Untrust (intra-zone ploicy), one is from 22.214.171.124/24 to 172.18.7.0/24 and second is from 126.96.36.199/24 to Any, but i still can't get to the internet from NSRemote client
-NS25: I also have a policy Trust-to-Untrust 192.168.110.0/24 to Remote_Sites which includes 172.18.7.0/24 LAN.
-NS25: I also have routing created 188.8.131.52/24 using interface tunnel.10
-NS5GT: tunnel.1 interface is the tunnel to NS25 and is on untrust(trust-vr) zone
-NS5GT: tunnel.2 interface is the remote client tunnel and is on untrust(trus-vr) zone.
12-31-2008 11:38 AM
My NSRemote client internet access is now working. Have read another solution from previous post to turn on NAT-Src tranlation in
the Untrust intra-zone policy.
Question: Why not roite internet access through clients local internet access instead of going to NS5GT and out? Is this possible?