ScreenOS Firewalls (NOT SRX)
Contributor
JustBob
Posts: 16
Registered: 12-29-2008
Accepted Solution

Dialup VPN Tunnel Access

Hi,

 

This is my first post and need experts advice and directions.

 

Situation:

-Clients using Netscreen Remote are connecting to NS5GT using Dialup VPN policy. Clients can connect to local workstations and services on this site no problem.

-There is a working tunnel from NS5GT to NS25 in another site with services that the remote clients would like to connect to.

Question:

-Is there a way for the remote client to connect to services where NS25 site is located?

 

Thanks

JB

Distinguished Expert
firewall72
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Hi Jb,

 

Yes there is, but you need to use a Route Based VPN for your Dial-up VPN users. Most dial-up VPNs I come across use a Policy Based approach. However, dial-up VPN users are unable to route across to another VPN unless a route-based one is used. This is done by terminating the VPN to a Tunnel interface. You can then add a "dial-up" VPN zone for additional security. This allows you to control traffic via Policy. As an FYI, the VPN Policy type is not used with a Route-based approach. I hope this helps. Let me know if you have any questions.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
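The route-based dial-up termination John describes, written out as ScreenOS CLI for the NS5GT. This is an added example, not configuration from the thread, from Juniper or from the linked post: the zone name Dialup-VPN, the gateway, VPN, user and user-group names, the user's IKE ID and the pre-shared key placeholder are all assumptions, and the proposal names are ScreenOS predefined ones.

```text
# NS5GT: terminate the dial-up VPN on a tunnel interface in its own zone
# (added example; zone, gateway, VPN and user names are assumptions)
set zone name "Dialup-VPN"
set zone "Dialup-VPN" vrouter "trust-vr"
set interface tunnel.2 zone "Dialup-VPN"
# unnumbered tunnel interface borrowing the untrust interface address
set interface tunnel.2 ip unnumbered interface untrust

# IKE user and group for the NetScreen-Remote clients (IKE ID is a constructed value)
set user "remote-user1" ike-id u-fqdn "remote-user1@example.com" share-limit 1
set user "remote-user1" type ike
set user "remote-user1" enable
set user-group "dialup-users" user "remote-user1"

# Phase 1 in aggressive mode (dial-up peers have no fixed address) and Phase 2,
# then bind the VPN to tunnel.2 instead of referencing it from a VPN policy
set ike gateway "dialup-gw" dialup "dialup-users" Aggr outgoing-interface "untrust" preshare "REPLACE-WITH-STRONG-KEY" proposal "pre-g2-3des-sha"
set vpn "dialup-vpn" gateway "dialup-gw" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "dialup-vpn" bind interface tunnel.2

# Route the client pool to tunnel.2; ordinary zone policies now decide what clients reach
set address "Dialup-VPN" "Remote_Pool" 30.30.30.0 255.255.255.0
set route 30.30.30.0/24 interface tunnel.2
set policy from "Dialup-VPN" to "Trust" "Remote_Pool" "Any" "ANY" permit

# Verification once a client connects
get interface tunnel.2
get vpn "dialup-vpn"
get sa active
```

Because the VPN is bound to an interface rather than to a policy, the Dialup-VPN zone behaves like any other zone: add a policy per destination zone the clients may reach and nothing else is routable for them, which is the "additional security" the dedicated zone buys.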
Contributor
JustBob
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi John,

 

Should I just create an unnumbered interface and bind the tunnel interface to my Auto IKE VPN? What next?

 

Thanks

JB

Trusted Expert
AndyC
Posts: 441
Registered: 07-08-2008

Re: Dialup VPN Tunnel Access

Have a look at the following thread.

 

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&message.id=766&query.id=1183697#M766

 

 

Regards

 

Andy

 

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Distinguished Expert
firewall72
Posts: 826
Registered: 05-04-2008

Re: Dialup VPN Tunnel Access

Hi,

 

I would review the link from AndyC. If you still have questions or run into an issue, let me know.

 

-John

Contributor
JustBob
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

I was able to create a route-based dial-up successfully as per the link (which was really quite helpful). However, I am unable to ping the remote site or NS25 LAN IP. Here's what I have:

 

Remote IP Pool 30.30.30.0/24

NS5GT LAN 172.18.7.0/24

NS25 LAN 192.168.110.0/24

 

-Remote clients connected to NS5GT via route based tunnel.2.

-Tunnel.1 is the tunnel to NS25 LAN

-NS5GT: Created a policy (Untrust Intra-zone policy) from 30.30.30.0/24 to 192.168.110.0/24

-NS25: Created routing 30.30.30.0/24->tunnel.10 (tunnel.10 is the link to tunnel.1)

 

I am reading the link's whole thread again, as I may have missed something. I am also confused by that thread, as there is another IP which 172....

 

Thanks

JB

Contributor
JustBob
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

I can now successfully ping from remote client to NS25 LAN. Still working on pinging from NS25 LAN to remote client IP.

 

Also, I just noticed I can't access the internet from the remote client, even pinging an external IP.

 

JB

Trusted Expert
AndyC
Posts: 441
Registered: 07-08-2008

Re: Dialup VPN Tunnel Access

Hi,

 

The reason you can't access the internet from the remote PC is because all traffic is being tunneled down the VPN, including internet traffic, hence the subnet mask of 0.0.0.0/0.

 

You would need a policy on your firewall that would allow the NSRemote client access out on to the internet. If your tunnel interface for the dial-up VPN is bound to the Untrust zone, then you would need a policy from Untrust to Untrust, source 30.30.30.0/24, destination Any.

 

To get access from the NS25 to the remote client via the 5GT, you would need to add a policy making sure that the NS25 LAN is allowed to talk to the 30.30.30.0 network.

 

Let me know if this helps

 

If not, let me know which zone the tunnel interface for the dial-up VPN is in and which zone the tunnel interface for the tunnel to the NS25 is in, and I can give a more detailed description.

 

Regards

 

Andy

 

 

Contributor
JustBob
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

Hi Andy,

 

-NS5GT: I have two policies Untrust-to-Untrust (intra-zone policy), one is from 30.30.30.0/24 to 172.18.7.0/24 and the second is from 30.30.30.0/24 to Any, but I still can't get to the internet from the NSRemote client.

 

-NS25: I also have a policy Trust-to-Untrust 192.168.110.0/24 to Remote_Sites which includes 172.18.7.0/24 LAN.

-NS25: I also have routing created 30.30.30.0/24 using interface tunnel.10

 

-NS5GT: tunnel.1 interface is the tunnel to NS25 and is on untrust(trust-vr) zone

-NS5GT: tunnel.2 interface is the remote client tunnel and is on untrust(trust-vr) zone.

 

Thanks

JB

Contributor
JustBob
Posts: 16
Registered: 12-29-2008

Re: Dialup VPN Tunnel Access

My NSRemote client internet access is now working. I have read another solution from a previous post to turn on NAT-Src translation in the Untrust intra-zone policy.

 

Question: Why not route internet access through the client's local internet access instead of going to NS5GT and out? Is this possible?
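The policy and route set that Andy's reply and JB's follow-ups arrive at (both tunnel interfaces in Untrust, an Untrust intra-zone policy to the NS25 LAN, a source-NATed intra-zone policy for internet access, and the reverse policy and route on the NS25), written out as ScreenOS CLI. This is an added example, not configuration posted in the thread or supplied by Juniper: the address object names, the policy IDs and the sample client address used in the checks are assumptions.

```text
# NS5GT: tunnel.1 (to NS25) and tunnel.2 (dial-up clients) are both in Untrust
# (added example; address object names and policy IDs are assumptions)
set address "Untrust" "Remote_Pool" 30.30.30.0 255.255.255.0
set address "Untrust" "NS25_LAN" 192.168.110.0 255.255.255.0
set address "Trust" "NS5GT_LAN" 172.18.7.0 255.255.255.0
set route 30.30.30.0/24 interface tunnel.2
set route 192.168.110.0/24 interface tunnel.1

# Intra-zone policies are only consulted when intra-zone blocking is on for the zone;
# confirm with "get zone untrust" before relying on them
set zone "Untrust" block

# Clients <-> NS25 LAN across the site-to-site tunnel: no NAT, the NS25 routes the pool back
set policy id 10 from "Untrust" to "Untrust" "Remote_Pool" "NS25_LAN" "ANY" permit
set policy id 11 from "Untrust" to "Untrust" "NS25_LAN" "Remote_Pool" "ANY" permit
# Clients -> NS5GT LAN
set policy id 12 from "Untrust" to "Trust" "Remote_Pool" "NS5GT_LAN" "ANY" permit
# Clients -> Internet: source-translated to the untrust interface address so that
# return traffic is delivered to the 5GT instead of being dropped upstream; logged,
# since this policy is the remote users' egress path
set policy id 13 from "Untrust" to "Untrust" "Remote_Pool" "Any" "ANY" nat src permit log
# Keep the specific NS25 policies above the catch-all so they match first
set policy move 10 before 13
set policy move 11 before 13

# NS25: route the client pool into the site-to-site tunnel and permit both directions
set address "Untrust" "Remote_Pool" 30.30.30.0 255.255.255.0
set route 30.30.30.0/24 interface tunnel.10
set policy from "Trust" to "Untrust" "Any" "Remote_Pool" "ANY" permit
set policy from "Untrust" to "Trust" "Remote_Pool" "Any" "ANY" permit

# Checks on the NS5GT while a client is connected (30.30.30.10 is a constructed address)
get route ip 192.168.110.1
get policy from untrust to untrust
get session src-ip 30.30.30.10
```

The NS25 Untrust-to-Trust policy is written with destination Any to mirror the thread's description; in practice it should be narrowed to the hosts and services the remote clients actually need, since with a route-based tunnel every policy that permits the pool is reachable by every connected client.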

 
