Screen OS

  • 1.  Netscreen Remote Traffic and Subnets

    Posted 01-29-2009 22:28

    Hi all,

    I'm using Netscreen Remote with a Juniper SSG 5 to create a VPN between mobile PCs and my Juniper device.

    The Netscreen PCs are assigned an IP in the range 192.168.150.100-192.168.150.200.

    The Juniper SSG 5 is on the subnet 192.168.1.0/24 along with some servers. (Site A)

    We have a second site, which is connected via site-to-site VPN, and is also a Juniper SSG 5 running subnet 192.168.100.0/24. (Site B)

    The site-to-site VPN works perfectly, and data can travel as intended between Site A and Site B.

    My problem is the following. I can access all of the PCs from the Netscreen Remote client at Site A, but I'm unable to access Site B at all from the VPN client.

    I have tried debugging the information flow on the Site A Juniper, and when I ping any server in Site B from the VPN client, the logs show no traffic being sent to the Site A SSG 5 in the first place.

    Just to add, on the VPN client PC, Netscreen Remote will tunnel all traffic for subnet 192.168.0.0/16 via the VPN connection.

    Any suggestion on where to start looking?



  • 2.  RE: Netscreen Remote Traffic and Subnets
    Best Answer

    Posted 01-29-2009 22:59

    Do you have the subnet of the client-to-site users in your policy/proxy IDs on the site-to-site?

    What I usually do in these scenarios is create a VPN zone in which I place a tunnel interface (on both devices).

    I then create a route-based VPN between the tunnel interfaces, with proxy IDs of 0.0.0.0/0 (or 192.168.0.0/16).

    The client-to-site VPN terminates on the Untrust. I need a couple of policies then:

    - Untrust to Trust to allow the VPN clients to Site A (only on FW Site A)
    - Untrust to VPN zone to allow the VPN clients to Site B (only on FW Site A)
    - Trust to VPN to allow Site A to communicate with Site B (on FW Site A and Site B)
    - VPN to Trust to allow Site B to communicate with Site A (on FW Site A and Site B)

    Set up routing to the tunnel interfaces:

    - Route Subnet-SiteB to tunnel-if on Site A
    - Route Subnet-SiteA to tunnel-if on Site B

    This way you should get it running...

    Dennis

    Message Edited by dennish on 30-01-2009 08:00 AM
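    As an added example (not part of this thread), the following Python model replays the diagnosis in the answer above: a dial-up client packet bound for Site B must match both a zone-pair policy and the site-to-site phase-2 proxy IDs, and the original setup fails the second check. The addresses are the thread's; the policy tables, zone names and sample hosts are constructed assumptions, not a real device configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (sample values, not a real device config)
CLIENT_POOL = "192.168.150.0/24"   # Netscreen Remote dial-up address pool
SITE_A = "192.168.1.0/24"          # LAN behind the Site A SSG 5 (Trust zone)
SITE_B = "192.168.100.0/24"        # LAN behind the Site B SSG 5

def proxy_id_covers(proxy_ids, src, dst):
    """True if some phase-2 proxy-ID pair (local, remote) contains the src->dst flow.
    Traffic outside every proxy ID is never put into the site-to-site tunnel."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(local) and d in ip_network(remote)
               for local, remote in proxy_ids)

def policy_permits(policies, from_zone, to_zone, src, dst):
    """First-match lookup on the (from-zone, to-zone) policy list; no match is an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if (p["from"], p["to"]) == (from_zone, to_zone) \
                and s in ip_network(p["src"]) and d in ip_network(p["dst"]):
            return p["action"] == "permit"
    return False

def client_reaches_site_b(policies, proxy_ids, site_b_zone,
                          src="192.168.150.101", dst="192.168.100.10"):
    """A VPN client packet for Site B must pass a policy into Site B's zone
    and also fall inside the site-to-site proxy IDs (assumed sample hosts)."""
    return (policy_permits(policies, "Untrust", site_b_zone, src, dst)
            and proxy_id_covers(proxy_ids, src, dst))

# Before: site-to-site proxy IDs name only Site A <-> Site B, Site B is reached through
# the Untrust zone, and the only policy for dial-up clients is Untrust -> Trust.
BEFORE_POLICIES = [
    {"from": "Untrust", "to": "Trust", "src": CLIENT_POOL, "dst": SITE_A, "action": "permit"},
    {"from": "Trust", "to": "Untrust", "src": SITE_A, "dst": SITE_B, "action": "permit"},
]
BEFORE_PROXY_IDS = [(SITE_A, SITE_B)]

# After (the design in the answer above): Site B sits behind a tunnel interface in a
# VPN zone, proxy IDs are widened to 192.168.0.0/16, and an explicit Untrust -> VPN
# policy admits only the client pool, so the wide proxy ID does not widen what is allowed.
AFTER_POLICIES = [
    {"from": "Untrust", "to": "Trust", "src": CLIENT_POOL, "dst": SITE_A, "action": "permit"},
    {"from": "Untrust", "to": "VPN", "src": CLIENT_POOL, "dst": SITE_B, "action": "permit"},
    {"from": "Trust", "to": "VPN", "src": SITE_A, "dst": SITE_B, "action": "permit"},
    {"from": "VPN", "to": "Trust", "src": SITE_B, "dst": SITE_A, "action": "permit"},
]
AFTER_PROXY_IDS = [("192.168.0.0/16", "192.168.0.0/16")]
```

    Calling `client_reaches_site_b(BEFORE_POLICIES, BEFORE_PROXY_IDS, "Untrust")` reproduces the original symptom (no path), while the same call with the AFTER tables and zone "VPN" succeeds; a source outside the client pool is still denied by policy despite the wide proxy ID.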


  • 3.  RE: Netscreen Remote Traffic and Subnets

    Posted 11-01-2010 12:15

    Hi,

    Sorry, but can you elaborate on the config? I have a similar problem. Does the NS Remote client have to be route-based?

    Thanks



  • 4.  RE: Netscreen Remote Traffic and Subnets

    Posted 01-31-2009 05:28

    Thanks very much. It worked perfectly.


  • 5.  RE: Netscreen Remote Traffic and Subnets

    Posted 01-31-2009 08:22

    Great!

     

    You're welcome.