Hi there,
I have a site to site route based VPN between my SSG 320 and client firewall and this is working fine.
We now have a requirement to be able to get into client subnet by using my SSG 320 as gateway.
To that end I have set up a route-based dial-up VPN, but I am unable to ping/RDP into the client's subnet.
Network diagram:
NSR 10.1.1.1/24 <-> 172.16.10.0/24 SSG 320 10.232.226.40/29 <-> 10.175.0.0/24 Client Firewall.
I am using 2 interface tunnels (unnumbered). I am using Xauth, so I have added the new ip pool (10.1.1.0/24) to policy and tunnel. I created an untr-2-untr policy (between ip pool and customer private subnet), enabling source NAT.
I have added a ff to the firewall between 10.1.1.1 (ip pool) and 10.175.0.0 (client subnet), but when I ping after successfully connecting the debug stays empty.
My question is what routing/policy am I missing? Does the client firewall need a route back to the ip pool 10.1.1.1? I was kind of hoping that when going through the SSG 320 the packet's IP would change.
Is there any guide to set this up? I have looked everywhere on KB and forums for the last couple of weeks, but apart from the advice to use route-based VPNs instead of policy-based I cannot see much else.
1. Route-based dial-up VPN set up identical to http://kb.juniper.net/InfoCenter/index?page=content&id=KB15272
2. Route-based LAN-to-LAN VPN set up like http://kb.juniper.net/InfoCenter/index?page=content&id=KB14330
What I want to do is called a back-to-back VPN, I believe.
Please see cropped config
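For reference, here is the minimal set of ScreenOS pieces the post describes (two unnumbered tunnel interfaces in zone untrust, a route for the client subnet via the site-to-site tunnel, an intra-zone untrust policy with source NAT, and a flow filter for debugging), written out as an added example. This is not the poster's cropped config and not a Juniper KB excerpt; the interface name ethernet0/2, the tunnel numbers, the address-book names and the test host 10.175.0.10 are assumptions chosen to match the diagram in the post.

```screenos
## Assumed: both tunnels borrow the untrust interface address (10.232.226.40)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/2

## Address-book entries for the Xauth pool and the client LAN (names assumed)
set address untrust "dialup-pool" 10.1.1.0 255.255.255.0
set address untrust "client-lan" 10.175.0.0 255.255.255.0

## tunnel.1 = dial-up VPN, tunnel.2 = site-to-site VPN to the client firewall
## The route for the client subnet must point at the site-to-site tunnel, and
## the route for the pool must point at the dial-up tunnel so replies return.
set route 10.175.0.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.1

## Intra-zone policy: dial-up users -> client LAN, with source NAT.
## With "nat src" and no DIP pool, ScreenOS translates to the egress interface
## address, i.e. the address tunnel.2 borrows (10.232.226.40 here).
set policy from untrust to untrust "dialup-pool" "client-lan" any nat src permit log

## Debugging a single flow (test host 10.175.0.10 assumed):
## filter first, then enable flow debug, clear the buffer, generate traffic,
## read the buffer, and always turn debugging off afterwards.
set ffilter src-ip 10.1.1.1 dst-ip 10.175.0.10
debug flow basic
clear db
## ... ping 10.175.0.10 from the dial-up client ...
get db stream
undebug all
unset ffilter

## Quick checks that do not need debug:
get route ip 10.175.0.10      # must resolve to tunnel.2
get sa active                 # both SAs (dial-up and site-to-site) must be up
get session src-ip 10.1.1.1   # shows whether the policy matched and the NAT'd source
```

Two points worth checking with the commands above: an empty flow debug usually means the packet never reached the SSG on tunnel.1 (so the dial-up client's traffic selector, rather than the SSG's routing, is the first thing to verify), and because the policy source-NATs, the client firewall must expect the NAT'd address (the tunnel's borrowed address), not the 10.1.1.0/24 pool, in its Phase 2 proxy ID and return route. If the client firewall is instead expected to see the pool addresses, drop `nat src` from the policy and have the client side add 10.1.1.0/24 to its proxy ID and routing.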