Screen OS


How to access additional internal LAN IP via VPN tunnel

  • 1.  How to access additional internal LAN IP via VPN tunnel

    Posted 12-07-2012 06:28

    Hi,

    We have Site A (WAN A, LAN A (192.168.y.y)) and Site B (WAN B, LAN B); both are communicating via a VPN tunnel. But right now at remote Site A one more LAN IP range was added (192.168.x.x). How to access the 192.168.x.x/24 network from Site B? Where do I have to make modifications, in the Site A or Site B tunnel, or do I need to create another tunnel to access Site A's second network?

    Site A: WAN IP , LAN IP 192.168.Y.Y

    Site B: WAN IP , LAN IP 192.168.Z.Z .... Both are communicating via VPN tunnel.

    Now we added the 192.168.X.X network in Site A. How to access this network from Site B? What modifications do I have to do? Can anyone please send me a helpful link or helpful steps? Do I need to create one more tunnel for the other network?

    I followed this way but it didn't work for me:

      1) Network > Routing > Destination (in Site B): Added route: 192.168.100.0/24, GW (Site A's public IP), through Tunnel.3 (existing Tunnel.3)

    Site A: WAN IP is , LAN IP is: 192.168.0.0/24

    Site B: WAN IP is , LAN IP is: 192.168.2.0/24. Till here everything is fine; we are able to ping Site A's LAN IP from Site B's LAN IP and vice versa via the LAN-to-LAN VPN tunnel (route based).

    But now we added the 192.168.100.0/24 network in Site A, so how to ping that IP from the Site B LAN IP (x.x.2.0/24)? Do I need to create one more tunnel between both sites, or are small modifications enough? If modifications are enough, then what modifications do I have to do?



  • 2.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-09-2012 03:35

    Since you have a tunnel interface I am going to assume your VPN between site A and B is a route-based VPN with the default settings allowing all networks to connect.

    If that is the case, your route addition is the correct step. But you also need to add policies that permit the traffic on both firewalls.

    Create an address object for the new subnet

    Create a permit policy on each firewall from the existing addresses as source to the new address as destination

    Create a permit policy on each firewall from the new address as source to the existing addresses as destination



  • 3.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-09-2012 21:30

    Hi, can you please tell me where to add the address object (in Site A or Site B)? I need to access Site A's additional IP pool from Site B's LAN (tunnel). Can you please give me steps or a URL for the GUI. Thanks in advance.



  • 4.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-09-2012 23:11

    Hi,

    I just went to Site A's as well as Site B's policies and created new policies:

    ""

    1) Create an address object for the new subnet :: created new address object by: Policy > Trust to Untrust > Source (created new address) > Destination Site B's intranet (192.168.2.0/24)

    2) Create a permit policy on each firewall from the existing addresses as source to the new address as destination

     :: from Site A (192.168.100.0/24 to 192.168.2.0/24)

    Create a permit policy on each firewall from the new address as source to the existing addresses as destination:

       :: from Site B (192.168.2.0/24 to 192.168.100.0/24)

    but it didn't work for me...



  • 5.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-10-2012 00:37

    Hi,

    If you have configured any VPN Proxy IDs, delete them on both firewalls (provided that both are SSGs).

    The default Proxy ID is 0.0.0.0/0 - 0.0.0.0/0, which allows adding any number of new networks without changing the VPN. All you need are new routes and access policies.



  • 6.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-10-2012 01:27

    I can delete proxy IDs on both sides, but I read somewhere that firmware version "6.1.0r2.0 (Firewall+VPN)" doesn't support disabling proxy IDs; I am using the same SSG5 (same version) on both sides.

    2) If everything is fine, then how can I add the route on both sites?

    Is it like this?? >>>>> From Site A # Routing > Destination > New Route > IP address/mask is _____ (local IP??), gateway is ____ (tunnel interface.x and gateway IP is 0.0.0.0, or should I use a static IP (Site A or Site B)??

    If this is fine, then do I have to repeat the same for the second IP pool???

    Can you please give me GUI steps.



  • 7.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-10-2012 21:20

    Can't I do anything without disturbing the existing VPN tunnel? If deleting proxy IDs means reconfiguring the existing tunnel, I don't know whether this works or not; both routers are presently live, so how can I do this? I want to access Site A's other network from Site B through the existing tunnel or by adding new configuration...



  • 8.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 02:59

    Deleted proxy IDs on both sides; now my VPN tunnel is fine. Till here everything is fine, but I am not able to ping 192.168.100.0/24 on the Site A side from Site B. Can you please help me with this...



  • 9.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 03:24

    Hi,

    You should add a route for 192.168.100.0/24 on firewall B using tun.3 as the routing interface and FW-A's public IP as the gateway. Type get route after that and check if this route is marked with *, which means that the route is active. Enable logging in the policy, also for the session start. If you see no policy hits, please attach the config after having removed the confidential information.



  • 10.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 03:42

    Added route 192.168.100.0/24, GW Site A's public IP, Tunnel.3. But it didn't work. This route is marked with *, which means that the route is active, but still I am not able to route. As you said, I deleted the proxy ID; after that also 192.168.0.0/24 (Site A) is able to ping from 192.168.2.0/24 (Site B) and vice versa, but from Site B I am not able to ping Site A's other IP range 192.168.100.0. Let me tell you one more configuration, maybe you can get an idea: in Site A's router 192.168.100.0/24 is added under bgroup 0 as a secondary IP; the bgroup static IP is 192.160.0.0/24. Does this cause any issue?



  • 11.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 03:54

    Hi,

     

    What do you see in the policy log?



  • 12.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 04:03

    This is Site B's config file.



  • 13.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 04:03

    Policy log from Site A or Site B ?



  • 14.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 04:08

    From the B firewall. But if you have both, why not attach both?



  • 15.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 04:20

    Site A's config file



  • 16.  RE: How to access additional internal LAN IP via VPN tunnel
    Best Answer

    Posted 12-11-2012 05:32

    Hi,

    Sorry, my question was "What do you see in the policy log?".

    But looking at the configs I can say that you will see no policy hits in policy 49 because policy 1 is located above it:

    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit

    All packets to the network 192.168.100.0/24 are src-natted to the FW public IP. Policy 49 should be installed before policy 1.

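The shadowing the best answer describes (a broad "Any"/"Any" source-NAT policy listed above a specific VPN permit policy, so the specific one is never hit) can be checked mechanically before a change goes live. The following script is an added example, not code from the thread or from Juniper; it parses ScreenOS `set policy` lines (a constructed sample modelled on the two lines quoted above, not the attached configs) and reports policies that an earlier policy in the same zone pair already fully matches, flagging when the shadowing policy also applies source NAT.

```python
import ipaddress
import re

# Constructed sample modelled on the two lines quoted in the best answer (not the
# poster's attached config): policy 1 sits above policy 49 and matches everything.
SITE_B_POLICIES = """
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 49 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.100.0/24" "ANY" permit
set policy id 50 from "Untrust" to "Trust" "192.168.100.0/24" "192.168.2.0/24" "ANY" permit
"""

POLICY_RE = re.compile(
    r'set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)"(.*?)\s*(permit|deny)\s*$'
)

def parse_policies(text):
    """Return the 'set policy' lines as dicts, in listed (= evaluation) order."""
    policies = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pid, fz, tz, src, dst, svc, opts, action = m.groups()
            policies.append({"id": int(pid), "from": fz, "to": tz, "src": src, "dst": dst,
                             "svc": svc, "opts": opts.strip(), "action": action})
    return policies

def _net(addr):
    # "Any" is the ScreenOS wildcard address; everything else is treated as a prefix.
    return None if addr.lower() == "any" else ipaddress.ip_network(addr, strict=False)

def _covers(outer, inner):
    # True when every address matched by `inner` is also matched by `outer`.
    return outer is None or (inner is not None and inner.subnet_of(outer))

def find_shadowed(policies):
    """First match wins on ScreenOS: a policy is shadowed when an earlier policy in the
    same zone pair already matches all of its source, destination and service."""
    findings = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier["from"], earlier["to"]) != (later["from"], later["to"]):
                continue
            if earlier["svc"].upper() not in ("ANY", later["svc"].upper()):
                continue
            if _covers(_net(earlier["src"]), _net(later["src"])) and \
               _covers(_net(earlier["dst"]), _net(later["dst"])):
                findings.append({"policy": later["id"], "shadowed_by": earlier["id"],
                                 "src_nat": "nat src" in earlier["opts"]})
                break
    return findings
```

Run against the sample it reports policy 49 as shadowed by policy 1 with source NAT; with policy 49 moved above policy 1 (the fix applied in the thread) it reports nothing.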


  • 17.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 05:53

    So in Site B, do you want me to move up "" set policy id 49 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.100.0/24" "ANY" permit set policy id 49 "" and move "" set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit set policy id 1 "" down??? ...



  • 18.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 12-11-2012 21:05

    Thanks, it worked for me. As you said, I moved policy 49 above policy 1. Policy 49 is located above and it is working fine for me.... Thank you very much for your help.



  • 19.  RE: How to access additional internal LAN IP via VPN tunnel

    Posted 03-14-2013 04:43