Screen OS


OSPF configuration

  • 1.  OSPF configuration

    Posted 01-16-2016 04:15

    Hi all

     

    I have a question. I have 3 sites (SiteA, SiteB and SiteC). All these sites are connected with an MPLS. On each site, I have: a dedicated firewall to protect Internet access, a Juniper SSG320 to protect LAN access and a Cisco router.

     

    To redistribute my private networks on all devices, I use OSPF configured on my Juniper SSG320 with only one area. Our Exchange infrastructure is hosted outside on a private cloud provided by a provider. We access our Exchange (hosted on a network 10.203.144.x/24 provided by the provider) through 3 IPsec tunnels configured on each of our sites:

    - 1 tunnel SiteA to Mail_Provider (users from siteA use this tunnel to connect the Outlook client to the Exchange server)

    - 1 tunnel SiteB to Mail_Provider (users from siteB use this tunnel to connect the Outlook client to the Exchange server)

    - 1 tunnel SiteC to Mail_Provider (users from siteC use this tunnel to connect the Outlook client to the Exchange server)

     

    Currently, I don't add 10.203.144.0/24 to my routing table and this network is reachable through the default route on each site (0.0.0.0 goes to the Internet through the Juniper interface connected to my Internet firewall).

     

    How can I add 10.203.144.0/24 to my Juniper routing table (with OSPF) and continue to use the default route on each site, reaching 10.203.144.0/24 through the IPsec tunnel configured on our Internet access on each site (and not forward all traffic from siteA and siteB to siteC to reach my Exchange network)?

     

    BR



  • 2.  RE: OSPF configuration
    Best Answer

    Posted 01-16-2016 04:34

    I'm not sure I understand the topology, but I think you are sending traffic for the VPN network out the MPLS connection currently at the two spoke sites.

     

    Is your VPN to 10.203.144.0/24 a policy or route based VPN?

     

    Does 10.203.144.0/24 appear in the local routing table at the spoke sites as an active route?



  • 3.  RE: OSPF configuration

    Posted 01-16-2016 05:11

    Currently, the VPN is set up from our Internet firewall (Stonegate) on each site. And the Juniper is only used to protect the LAN zone (the VPN configuration is not set on the Juniper).

     

    Currently, I have never added 10.203.144.0/24 to my route table and this network is reachable on each site through the default route. And the default route is configured to use our interface (Eth0/0) connected to the Stonegate (to go to the Internet). The interface connected to the WAN is another card (eth0/2).

     

    BR



  • 4.  RE: OSPF configuration

    Posted 01-16-2016 05:19

    Thanks for the clarification.

     

    You will need to add a static route on the SSG

     

    Network > Routing > Destination

    new

     

    10.203.144.0/24 

    Select Gateway

    interface: eth0/2

    IP ADDRESS OF THE Stonegate Router or router connected to the SSG



  • 5.  RE: OSPF configuration

    Posted 01-16-2016 05:32

    But when I add a static route on the SSG in siteA for example, and add the route through the interface connected with my Stonegate FW, the route is also pushed to the other equipment through OSPF..... 😞

     

    And on the other sites (siteB and siteC), after I added the route as you mentioned on the SSG in SiteA, the route to reach 10.203.144.0 is routed to the WAN and tries to reach 10.203.144.0 through the Internet access in siteA..



  • 6.  RE: OSPF configuration

    Posted 01-16-2016 05:37

    By default the ScreenOS will not import static routes to OSPF.

     

    We will need to look at your route import policy and adjust this to reject the new route to 10.203.144.0/24

     

    Find the access list used as the route map for your OSPF import policy and we need to see how to design this to reject the new route.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5788



  • 7.  RE: OSPF configuration

    Posted 01-16-2016 05:59

    On Network/Routing/Virtual Routers, I have Trust-vr, and when I edit the access list, I have "0.0.0.0/0" permit.



  • 8.  RE: OSPF configuration

    Posted 01-16-2016 06:05

    You will need to look at your routing table and make a list of all the routes you have there now.

     

    Create a new access list to have these routes, or larger subnets that include all these routes and still exclude the 10.203.144.0/24 route, along with a matching route map.

     

    Change the redistribution rule to use the new list.

     



  • 9.  RE: OSPF configuration

    Posted 01-16-2016 06:11

    Isn't it possible to exclude from OSPF the Juniper interface eth2 connected to my Internet firewall? And for the system, all routes added through this interface (eth2) would not be distributed through the OSPF protocol?



  • 10.  RE: OSPF configuration

    Posted 01-17-2016 10:38

    Unfortunately, the only control you get when allowing static routes imported into OSPF is the route map control.  So you will need to create a route map that imports what you want and excludes what you do not in this case.



  • 11.  RE: OSPF configuration

    Posted 01-17-2016 13:31
    How can I create a route map and exclude the network 10.203.144.0/24?


  • 12.  RE: OSPF configuration

    Posted 01-17-2016 14:59

    In order to do that we need to know what static routes are in the local routing table for this virtual router. You will need to confirm which virtual router is connected to these interfaces.

     

    The output of this command will give all the routes. The idea is to create a series of prefix maps that will include all these routes but not include the 10.203.144.0/24 prefix.

     

    get route protocol static
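
    Putting the steps from the replies above into ScreenOS CLI, as an added example that is not part of the thread: a local static route for the Exchange prefix via the Stonegate, a static route for the new owner's 10.0.0.0/8 aggregate, an access list that denies the Exchange prefix and permits the aggregate, and a route map that replaces the 0.0.0.0/0 permit-all currently used for static-to-OSPF redistribution. The interface names (ethernet0/0 toward the Stonegate, ethernet0/2 toward the MPLS router, as described in reply 3), the gateway addresses, the access-list number, the route-map name and the decision to redistribute the /8 at all are assumptions for illustration; substitute each site's own values and repeat the configuration on every SSG.

    ```text
    # Site A SSG320, trust-vr. Addresses, interface names and the
    # access-list / route-map identifiers below are placeholders.
    set vrouter trust-vr

    # Local static routes.
    # Exchange prefix: via the local Stonegate, must stay local to this site.
    set route 10.203.144.0/24 interface ethernet0/0 gateway 192.0.2.1
    # New owner's aggregate (assumed here to be redistributed into OSPF).
    set route 10.0.0.0/8 interface ethernet0/2 gateway 198.51.100.1

    # Access list referenced by the route map. Entries are evaluated in
    # order, so the deny for the Exchange prefix comes first; a route that
    # matches no entry is not redistributed.
    set access-list 20 deny ip 10.203.144.0/24 1
    set access-list 20 permit ip 10.0.0.0/8 2

    # Route map with a single permit entry that matches access list 20.
    set route-map name rm-static-to-ospf permit 10
    set match ip 20
    exit

    # Replace the existing permit-all import policy with the new route map.
    set protocol ospf
    set redistribute route-map rm-static-to-ospf protocol static
    exit
    exit
    ```

    Because 10.203.144.0/24 is a longer prefix than 10.0.0.0/8, the local static route toward the Stonegate is preferred at each site even when the /8 is present, which addresses the concern raised about the owner's aggregate. After the change, `get route protocol static` on each SSG should still list both statics locally, while `get route` on the other sites' SSGs should no longer show 10.203.144.0/24 as an OSPF external route learned from siteA.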


  • 13.  RE: OSPF configuration

    Posted 01-17-2016 23:34

    I just need to clarify one point: in my architecture, I must connect my network (10.241.0.0/16) with the new owner of my company. And this new owner has many networks with a 10.x prefix and asks me to add a global 10.0.0.0/8 network to my route table.

     

    Currently, my Exchange server network (10.203.144.0/16) is not configured in my route table on the SSG; the network is reachable through the default route. But if I add 10.0.0.0/8 as asked by the new owner of my company, the Exchange server will be routed with the 10.0.0.0/8 information and not through the default route....



  • 14.  RE: OSPF configuration

    Posted 01-18-2016 03:22

    Are you an OSPF neighbor to the new owner network or just using static routing for that?

     

    Is that on a different interface?

     

    Right now we have two interfaces:

    Internal 

    eth2

     

    Must the 10.0.0.0/8 route be distributed via OSPF or can it be added as a static at all three sites?