Screen OS

  • 1.  Policy Based VPN - MIP to an address in a different zone.

    Posted 05-18-2013 09:02

    Hi.

    I have a little challenge. I have a PB VPN. The remote site needs to have access to a server outside of the defined protected network on our SSG-550. This other network exists on our firewall, so I would like to implement this by means of NAT. I have made a MIP in the defined protected network of the SSG that points to a server in this secondary network. I have made a VPN policy (PB) that accepts traffic from the remote network towards the MIP address.

    The problem is, that the secondary network is in a different security zone in our firewall. The policy log says "traffic denied" when trying to access the server via the MIP.

    Do I need to make additional policies from untrust towards the real destination - if so; how? Debugging the traffic flow shows me no information at all.

    I have actually tried to make a static route "injecting" the MIP address into the "real" destination interface and to make a VPN policy from untrust > the "real" destination zone on the MIP address. This didn't work either. Traffic didn't even hit the policy.

    How can I accomplish this?



  • 2.  RE: Policy Based VPN - MIP to an address in a different zone.

    Posted 05-20-2013 12:14

    Could you just add another policy to tunnel the traffic from your remote site to your additional server at the main location?


    If you have PB VPN set up already, say from "untrust" <-> "DMZ", and if your additional server is in the "DMZ2" zone (for example), you could just create your PB VPN policies from "untrust" <-> "DMZ2" referencing your new server.


    Did I miss something?



  • 3.  RE: Policy Based VPN - MIP to an address in a different zone.

    Posted 05-20-2013 13:21

    Thanks for the reply.


    I could do that. But I was hoping to be able to solve this without changing anything at the customer end. That's why I thought address translation could do the trick.


    Theoretically the secondary network conflicts with networks of the customer. It doesn't in this case, but you get the idea.



  • 4.  RE: Policy Based VPN - MIP to an address in a different zone.
    Best Answer

    Posted 07-22-2013 06:38

    I found a solution for this! I had to make the following policies:

    untrust > trust (policy based VPN) - customer network to a wide object including the MIP.

    trust > dmz (protected server) - allowing any; thus also the customer network as source address.

    I see traffic hitting the first policy but not the latter. If I deny PING in my trust > dmz rule I see no traffic hitting either policy. PING isn't allowed through either.


    This means that the customer network changes from being in the untrust to being in the trust zone during this process.

    So as a conclusion I can say, that traffic hit both policies, but is only logged in the first one. A bit complex to comprehend, but it works.
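
The configuration below is an added illustration of the two-policy arrangement the best answer describes; it is not configuration from the original posts. Every name, interface and address in it is assumed: ethernet0/0 is a trust-zone interface on which the MIP is defined, ethernet0/1 is the untrust interface carrying the tunnel, 172.16.0.0/16 is the customer network, 10.1.1.0/24 is the protected range the MIP lives in, 192.168.20.10 is the real server in the dmz zone, and 203.0.113.10 is the customer's IKE peer. One deliberate difference from the post: the trust > dmz policy uses the customer network as its source rather than "any", so only tunnel traffic that has already been translated can reach the server.

```screenos
set interface ethernet0/0 mip 10.1.1.50 host 192.168.20.10 netmask 255.255.255.255 vrouter trust-vr
set address untrust "customer-net" 172.16.0.0 255.255.0.0
set address trust "customer-net" 172.16.0.0 255.255.0.0
set address trust "protected-range" 10.1.1.0 255.255.255.0
set address dmz "real-server" 192.168.20.10 255.255.255.255
set ike gateway "customer-gw" address 203.0.113.10 main outgoing-interface ethernet0/1 preshare "replace-me" sec-level standard
set vpn "customer-vpn" gateway "customer-gw" sec-level standard
set policy id 10 from untrust to trust "customer-net" "protected-range" any tunnel vpn "customer-vpn" log
set policy id 11 from trust to dmz "customer-net" "real-server" any permit log
```

The customer address object has to exist in both the untrust and trust address books because, as the post observes, the source is treated as trust-side once the MIP translation has happened and the second lookup runs between trust and dmz. Use `get mip` to confirm the translation is installed and `get session` with the customer source address to see the session, since the post notes that only the first policy logs the hit even though both are matched.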