11-21-2010 12:50 PM
Im fairly new to Juniper having been studying Cisco for quite a while I thought it was time for a change. I actually find Juniper more interesting somewhat and much easier to configure. Anyway, things cut short - I'm setting up a VPN between Site A and Site B. IPSEC is configured between Site A and B. I can see the VPN as "up" on both ends and I have added some routes in to allow LAN-to-LAN connectivity. However! All seems good, only until I try to configure my next challenge. What I want to achieve is split-tunneling in a sense but only with the traffic of one host being on VPN tunnel, all other hosts will go to the split - direct to the internet. So if you look at the attached drawing im aiming to go from Site B Host 192.168.1.10 (follow the green arrow) through the untrust interface into the VPN tunnel to Site A. I think i've managed to get that far because when I follow up a trace-route from the 192.168.1.10 host I see the untrust interface of Site A (220.127.116.11) as the last destination I get to. As you can probably see there is a host on Site A (10.0.0.10) that goes to our service on the internet (18.104.22.168). (Green and Yellow Route). Should all make sense if you follow the arrows.
So I've done quite a bit but cant get my head round the last bit perhaps need that little help in understanding whats to configure next. Just in summary i want to go the Green arrow starting from 192.168.1.10 to 22.214.171.124 and route back to 192.168.1.10 through the same way it came.
If someone can explain if i need to do policy based VPN or if i can stick to route based VPN (which im quietly confident i will be able to). I've put a static route in on Site B for 192.168.1.10 traffic to go to the Site A GW. But at this point i can't think around it.
So, i hope i've explained and laid out everything easy so someone can help me out.
Please remember i'm beginner :-)
Palo Alto ACE
11-22-2010 12:25 AM
If I am understanding the correctly you want to start from your host in site B go over Site A to reach 126.96.36.199
If so, you just need to add a rout for 188.8.131.52 in site B to go over the vpn and then allow in site A traffic from site B towards the server on internet.
11-23-2010 12:55 AM
Thanks for your reply. I had already put a route for the 184.108.40.206 server on site B to go via the tunnel. Everything else i want it to go out to the internet (red arrow). Anyway, I was playing aruond with this yesterday and though "hows the NAT" happening.
Policy on Site A which says from trust to untrust --> NAT it. So I am able to gain connectivity from the 192.168.1.10 host to the 220.127.116.11 host via the tunnel.1 interface. However, Site B will also need to do NAT too right? If hosts are to go out to the internet they need to be NAT'ed. This comes to a point when i configure that also, i dont get LAN to LAN connectivity either. How can I reach this goal of having a split tunnel - having only one host from Site B going through the VPN Tunnel. Not sure if i've explained it well enough - so let me know.
Appreciate your help.
Palo Alto ACE