Screen OS

  • 1.  Multiple zones sharing VPN

    Posted 06-13-2012 09:59

    Hi, I'm trying to work through this, hopefully the community can help.

     

    Site A - SSG550

    Zones: trust (employees) and DMZ (customer wifi)

     

    Site B - SSG20

    Zones: trust (employees) and DMZ (customer wifi)

     

    I am going to an MPLS connection only at site B. Site A is the hub with a direct line and MPLS. So all traffic will go out of site A.

    Problem: site B currently has a direct circuit and DMZ.

     

    Currently the trust zones have a vpn tied to tunnel.1 between them. I need to tunnel SiteB/DMZ to SiteA/DMZ also. What is the best way to do this without allowing traffic from DMZ to enter trust network?



  • 2.  RE: Multiple zones sharing VPN

     
    Posted 06-13-2012 23:57

    I believe you are trying to route Users from Trust network of site B to DMZ Network of Site A, correct ?

     

    You can achieve this by configuring a route based VPN, and control the traffic by routing the way you want to.



  • 3.  RE: Multiple zones sharing VPN

    Posted 07-17-2012 11:21

    @sarab wrote:

    I believe you are trying to route Users from Trust network of site B to DMZ Network of Site A, correct ?

     

    You can achieve this by configuring a route based VPN, and control the traffic by routing the way you want to.


    No, I'm trying to totally keep the networks separate. Two connections on each side: trustA-trustB and DMZA-DMZB. Only site A has internet. All internet-bound traffic needs to go over the MPLS (on a VPN) to site A. No crossing of the streams.

    So I guess, technically they are not sharing VPNs, but rather sharing MPLS connections. I need two VPNs going over one connection.

     

    The problem is that the DMZ is a separate interface (eth0/2) and trust is eth0/0. Since they are different zones, they need different tunnel interfaces (tunnel.1 for trust & tunnel.2 for DMZ). However, the Autokey IKEs bound to each tunnel interface cannot share the same Gateway or they bounce up and down.



  • 4.  RE: Multiple zones sharing VPN

     
    Posted 07-17-2012 21:03

    OK, if I got it right, then the setup is as below:

     

    DMZ-A   |                                                       |  DMZ-B
            | Untrust-A ========= VPN (MPLS Link) ========= Untrust-B |
    Trust-A |                                                       |  Trust-B

     

    You have a VPN between the two sites terminating in the Untrust zone.

     

    What you can do to keep the two networks separate is create one tunnel interface on both sites (assuming both are Netscreen) and bind them to the Untrust zone.

    Then control the communication with policies from untrust to Trust and Untrust to DMZ.

     

    This way you can have DMZ talking to DMZ and Trust talking to Trust network.

     




  • 5.  RE: Multiple zones sharing VPN
    Best Answer

    Posted 07-18-2012 09:58

    @DeaconZ wrote:
    However, the Autokey IKEs bound to each tunnel interface cannot share the same Gateway or they bounce up and down.


    This actually should work fine if you configure appropriate Proxy IDs on one or both tunnels.

     

    Otherwise, sarahb's suggestion above (bind the tunnel interface to the Untrust zone) should also do what you need.



  • 6.  RE: Multiple zones sharing VPN

    Posted 07-19-2012 06:24

    @Spud wrote:

    @DeaconZ wrote:
    However, the Autokey IKEs bound to each tunnel interface cannot share the same Gateway or they bounce up and down.


    This actually should work fine if you configure appropriate Proxy IDs on one or both tunnels.

     

    Otherwise, sarahb's suggestion above (bind the tunnel interface to the Untrust zone) should also do what you need.


    So, both are Netscreens (Site A is SSG550 & Site B is SSG20)

     

    SiteA Config

    Untrust IP = 1.1.1.1

    Trust IP = 10.10.0.1

    DMZ IP = 10.100.0.1

     

    Gateway

    SiteB-GW = 2.2.2.2

     

    Autokey IKE

    SiteB-Trust-VPN = 10.20.0.1, bind tunnel.1, proxy ID local: 10.10.0.0/16 remote: 10.20.0.0/16 (I have multiple remote sites within this /16; they are all /22's)

    SiteB-DMZ-VPN = 10.200.0.1, bind tunnel.1, proxy ID local: 10.100.0.0/22 remote: 10.200.0.0/24

     

    *********************

    SiteB Config

    Untrust IP = 2.2.2.2

    Trust IP = 10.20.0.1

    DMZ IP = 10.200.0.1

     

    Gateway

    SiteA-GW = 1.1.1.1

     

    Autokey IKE

    SiteA-Trust-VPN = 10.10.0.1, bind tunnel.1, proxy ID local: 10.20.0.0/22 remote: 10.10.0.0/16

    SiteA-DMZ-VPN = 10.100.0.1, bind tunnel.1, proxy ID local: 10.200.0.0/24 remote: 10.100.0.0/22
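
    The two approaches above (reply 5: two Phase 2 VPNs on one gateway separated by proxy IDs; reply 4: a single tunnel interface bound to Untrust with zone policies doing the separation) combine into one configuration. The following ScreenOS CLI is an added example written for this thread, not config from any of the posters; it renders the Site A parameters listed in reply 6 and adds the zone binding, routes, address book entries and policies that keep DMZ and Trust traffic apart. Interface names (ethernet0/3 as the Untrust interface on the SSG550), the pre-shared key placeholder, the `sec-level standard` proposals, the address object names and the vpn-monitor lines are assumptions, not values from the thread.

```screenos
## Site A (SSG550). Assumed: ethernet0/0 = Trust, ethernet0/2 = DMZ, ethernet0/3 = Untrust (1.1.1.1)

## One IKE gateway to Site B (Phase 1). Pre-shared key is a placeholder.
set ike gateway "SiteB-GW" address 2.2.2.2 Main outgoing-interface "ethernet0/3" preshare "REPLACE-ME" sec-level standard

## One tunnel interface, bound to Untrust, shared by both VPNs (reply 4).
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/3

## Two Phase 2 VPNs on the same gateway. Because they share gateway and tunnel
## interface, the only thing that tells them apart is the proxy ID, so the two
## local/remote pairs must not overlap (reply 5).
set vpn "SiteB-Trust-VPN" gateway "SiteB-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "SiteB-Trust-VPN" bind interface tunnel.1
set vpn "SiteB-Trust-VPN" proxy-id local-ip 10.10.0.0/16 remote-ip 10.20.0.0/16 "ANY"
set vpn "SiteB-Trust-VPN" monitor optimized rekey

set vpn "SiteB-DMZ-VPN" gateway "SiteB-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "SiteB-DMZ-VPN" bind interface tunnel.1
set vpn "SiteB-DMZ-VPN" proxy-id local-ip 10.100.0.0/22 remote-ip 10.200.0.0/24 "ANY"
set vpn "SiteB-DMZ-VPN" monitor optimized rekey

## Routes to the remote networks point at the shared tunnel interface.
set route 10.20.0.0/16 interface tunnel.1
set route 10.200.0.0/24 interface tunnel.1

## Address objects (names are assumed).
set address "Untrust" "SiteB-Trust" 10.20.0.0 255.255.0.0
set address "Untrust" "SiteB-DMZ" 10.200.0.0 255.255.255.0
set address "Trust" "SiteA-Trust" 10.10.0.0 255.255.0.0
set address "DMZ" "SiteA-DMZ" 10.100.0.0 255.255.252.0

## Policies do the separation: Trust-B may only reach Trust-A, DMZ-B only DMZ-A.
## Decrypted traffic from both remote networks arrives in Untrust (tunnel.1's zone),
## so the permits are keyed on the remote source address, not on the VPN.
set policy from "Untrust" to "Trust" "SiteB-Trust" "SiteA-Trust" "ANY" permit log
set policy from "Trust" to "Untrust" "SiteA-Trust" "SiteB-Trust" "ANY" permit log
set policy from "Untrust" to "DMZ" "SiteB-DMZ" "SiteA-DMZ" "ANY" permit log
set policy from "DMZ" to "Untrust" "SiteA-DMZ" "SiteB-DMZ" "ANY" permit log

## Explicit logged deny so any DMZ-B source that tries to reach Trust-A is visible.
## Interzone traffic is denied by default anyway; this line exists for the log entry.
set policy from "Untrust" to "Trust" "SiteB-DMZ" "Any" "ANY" deny log
set policy from "Untrust" to "DMZ" "SiteB-Trust" "Any" "ANY" deny log

## Site B (SSG20) mirrors this with the roles swapped. Assumed: ethernet0/4 = Untrust (2.2.2.2).
set ike gateway "SiteA-GW" address 1.1.1.1 Main outgoing-interface "ethernet0/4" preshare "REPLACE-ME" sec-level standard
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/4
set vpn "SiteA-Trust-VPN" gateway "SiteA-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "SiteA-Trust-VPN" bind interface tunnel.1
set vpn "SiteA-Trust-VPN" proxy-id local-ip 10.20.0.0/22 remote-ip 10.10.0.0/16 "ANY"
set vpn "SiteA-DMZ-VPN" gateway "SiteA-GW" no-replay tunnel idletime 0 sec-level standard
set vpn "SiteA-DMZ-VPN" bind interface tunnel.1
set vpn "SiteA-DMZ-VPN" proxy-id local-ip 10.200.0.0/24 remote-ip 10.100.0.0/22 "ANY"
set route 10.10.0.0/16 interface tunnel.1
set route 10.100.0.0/22 interface tunnel.1

## Checks after committing on either side:
##   get ike gateway           -> Phase 1 state for SiteB-GW / SiteA-GW
##   get sa active             -> expect two active SA pairs on the same gateway IP
##   get vpn                   -> both VPNs bound to tunnel.1 with their proxy IDs
##   get interface tunnel.1    -> zone Untrust, state up
##   get policy from untrust to trust / to dmz -> confirm only the like-to-like permits
```

    Note that the proxy IDs here are the ones from reply 6, which cover only the two site-to-site pairs; the Internet-bound 0.0.0.0/0 proxy IDs that Site B ends up needing are changed in the later replies, and whatever is chosen there has to keep the two proxy-ID pairs on the shared gateway from overlapping, or the device has no way to pick the right SA.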



  • 7.  RE: Multiple zones sharing VPN

    Posted 07-20-2012 07:03

    So I got both VPNs up on the same tunnel interface. But, the trust tunnel can get to the internet (via a proxy on another zone), but the DMZ cannot (no proxy server). And I am not seeing the traffic on the Site A firewall.

     

    There was a slight edit on the proxy ID's as well.

     

    SiteA trust - local 0.0.0.0/0 remote 10.20.44.0/22

    SiteB trust - local 10.20.44.0/22 remote 0.0.0.0/0

     

    SiteA DMZ - local 0.0.0.0/0 remote 10.200.44.0/22

    SiteB DMZ - local 10.200.44.0/22 remote 0.0.0.0/0



  • 8.  RE: Multiple zones sharing VPN

    Posted 07-20-2012 08:03

    Now I am seeing stuff, but the traffic from DMZ-B is being routed into the trust zone by firewall B.



  • 9.  RE: Multiple zones sharing VPN

    Posted 07-20-2012 09:54

    Ok. Looks like the proxy ID for DMZ couldn't have 0.0.0.0/0 in it.



  • 10.  RE: Multiple zones sharing VPN

    Posted 07-31-2012 06:14

    OK, so now I have another related problem. Lately, several of these MPLS sites have had "issues" with the AT&T peer in the MPLS cloud. When this happens, the VPNs go inactive/down and they refuse to come back up.

     

    They only go Active/Up again if we manually rebuild the Autokey IKE VPN or reboot the firewall.

     

    Anybody ever seen that before? Never been an issue before until this configuration.

     

    I'm wondering if it is somehow related to them sharing the same gateway, but the SSG550 on the HQ side is fine and comes up fine.