ScreenOS Firewalls (NOT SRX)
Anser (Regular Visitor, Posts: 7, Registered: 05-25-2008)

Hub & spokes connectivity by using NHTB

HUB= ISG1000

SPOKES= SSG5  

I have a real scenario consisting of 125 remote sites connected to a central site for services like VoIP, applications, etc.

I have two pools :

1- Untrust IF Pool 120.1.0.0/24

2- Tunnel IF Pool 120.1.200.0/24

On the hub site I have to use untrust IP 120.1.0.254 & tunnel IF IP 120.1.200.254; the other IPs are for the remote sites.

My requirement: VoIP phones on remote sites should communicate with each other (remote-to-remote).

What I did:

HUB site: I applied the untrust IP 120.1.0.254 & tunnel IP 120.1.200.254. I made an AutoKey IKE gateway in which I gave the remote untrust IP 120.1.0.253. In the route I gave the inside network of the remote site via the tunnel IF and the remote untrust IP 120.1.0.253.

REMOTE site: I applied the untrust IP 120.1.0.253 & tunnel IP 120.1.200.253. I made an AutoKey IKE gateway in which I gave the remote untrust IP 120.1.0.254. In the route I gave a default route via the tunnel IF and the HUB untrust IP 120.1.0.254. It's working fine. But when I add one more remote site, which differs only in IP, and on the HUB site I use the same tunnel interface for the routes, then when I apply the static route, the route I gave for the first remote stops working: I can't ping the inside network of the 1st remote site, whereas I can ping the untrust IPs of both the 1st & 2nd remote and the tunnel IPs also.

Kindly suggest an appropriate solution, but I have to use this IP scheme.

Muhammad Anser Khan
Sr.Network Engineer
Kashif-rana (Trusted Expert, Posts: 417, Registered: 01-29-2008)

Re: Hub & spokes connectivity by using NHTB

Hi Anser,

Tell me:

1) What release are you using on the firewalls?

2) Post the configuration of the HUB and any one remote site.

3) What route did you add for the remote sites on the HUB?

4) By the way, you can use a private IP pool (like 10.x.x.x/8) on the tunnel interfaces instead of public IPs.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution".Kudos are always appreciated!
Kashif-rana (Trusted Expert, Posts: 417, Registered: 01-29-2008)

Re: Hub & spokes connectivity by using NHTB

Hi,

See, for automatic population of NHTB your firewalls should have ScreenOS 5.0.0 or above, so make sure your firewalls have 5.0.0 or above. One thing you can try is manually binding the VPN tunnel to the next-hop tunnel interface IP, using the following command on the HUB for both remote sites:

set interface <tunnel interface> nhtb <nexthop tunnel interface IP> vpn <name of vpn tunnel for nexthop remote site>

Please let me know the outcome.

Thanks

Kashif Rana
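To make the manual NHTB binding concrete for the scenario Anser describes (one hub tunnel interface, several spokes, spoke-to-spoke VoIP through the hub), here is an added ScreenOS CLI example. It is not configuration from the original posts or from Juniper documentation; it was written for this page and carries assumptions that are not on the page: the interface names (ethernet1/1 on the ISG1000, ethernet0/0 on the SSG5), the zone name "vpn", the gateway and VPN names (gw-spoke1, vpn-spoke1, gw-hub, vpn-hub), the second spoke's addresses (120.1.0.252 / 120.1.200.252), the spoke inside networks (192.168.1.0/24 and 192.168.2.0/24), and the pre-shared key placeholder. The one thing it is built around is the command Kashif quoted: on the hub, each static route to a spoke's inside network points at the spoke's tunnel interface IP (120.1.200.x), and an NHTB entry maps that next hop to the spoke's VPN so the hub knows which SA to use on the shared tunnel.1. Lines beginning with "#" are annotations for the reader and must be dropped before pasting; the "get" commands at the end are from my recollection of the ScreenOS CLI and should be checked against the CLI reference for your release.

```screenos
# ===== HUB (ISG1000): one tunnel interface shared by all spokes =====
set zone name vpn
# intra-zone traffic must be allowed so spoke-to-spoke packets can enter and leave tunnel.1
unset zone vpn block
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 120.1.200.254/24

# --- spoke 1: untrust 120.1.0.253, tunnel 120.1.200.253, inside 192.168.1.0/24 (inside net assumed) ---
set ike gateway gw-spoke1 address 120.1.0.253 main outgoing-interface ethernet1/1 preshare REPLACE_WITH_PSK sec-level standard
set vpn vpn-spoke1 gateway gw-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# NHTB: traffic routed to next hop 120.1.200.253 on tunnel.1 goes out through vpn-spoke1
set interface tunnel.1 nhtb 120.1.200.253 vpn vpn-spoke1
# route to the spoke's inside network: next hop is the spoke's TUNNEL interface IP, not its untrust IP
set route 192.168.1.0/24 interface tunnel.1 gateway 120.1.200.253

# --- spoke 2: untrust 120.1.0.252, tunnel 120.1.200.252, inside 192.168.2.0/24 (all assumed) ---
set ike gateway gw-spoke2 address 120.1.0.252 main outgoing-interface ethernet1/1 preshare REPLACE_WITH_PSK sec-level standard
set vpn vpn-spoke2 gateway gw-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set vpn vpn-spoke2 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set interface tunnel.1 nhtb 120.1.200.252 vpn vpn-spoke2
set route 192.168.2.0/24 interface tunnel.1 gateway 120.1.200.252

# hub policies: placeholder permit-any rules, to be narrowed to the VoIP subnets and ports in production
set policy from vpn to vpn any any any permit
set policy from vpn to trust any any any permit
set policy from trust to vpn any any any permit

# ===== SPOKE 1 (SSG5): single tunnel to the hub, default route into it =====
set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip 120.1.200.253/24
set ike gateway gw-hub address 120.1.0.254 main outgoing-interface ethernet0/0 preshare REPLACE_WITH_PSK sec-level standard
set vpn vpn-hub gateway gw-hub sec-level standard
set vpn vpn-hub bind interface tunnel.1
set vpn vpn-hub proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# default route via the hub's TUNNEL interface IP; the hub's untrust IP stays reachable through the
# connected 120.1.0.0/24 route on ethernet0/0, so IKE/ESP to 120.1.0.254 is not pulled into the tunnel
set route 0.0.0.0/0 interface tunnel.1 gateway 120.1.200.254
set policy from trust to vpn any any any permit
set policy from vpn to trust any any any permit

# ===== verification on the hub (command names per my recollection of the ScreenOS CLI) =====
get interface tunnel.1 nhtb
get sa active
get route ip 192.168.1.10
```

Why this matters for the symptom in the thread: once two spokes share tunnel.1, a route whose next hop is not in the NHTB table gives the hub no way to pick an SA, so the first spoke's inside network stops answering even though the untrust and tunnel IPs still ping. With NHTB populated (manually as above, or automatically on 5.0.0+ when the spoke's tunnel interface carries an IP), each route's next hop resolves to exactly one VPN. Two security notes: 0.0.0.0/0 proxy-ids mean the hub will forward whatever a spoke injects into its tunnel, so spoke-to-spoke reachability must be constrained by the hub's vpn-to-vpn policy rather than left as permit-any; and, as Kashif suggested, the tunnel pool need not be public space, so a 10.x.x.x/8 range for the 120.1.200.0/24 role avoids consuming routable addresses for what is purely internal next-hop signalling.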
Anser (Regular Visitor, Posts: 7, Registered: 05-25-2008)

Re: Hub & spokes connectivity by using NHTB

Thanks Kashif. Actually, I am going out of the country for 15 days. I'll continue with this solution when I'm back, and then I'll discuss it with you in more detail.
Muhammad Anser Khan
Sr.Network Engineer
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.