12-03-2008 10:09 AM
We have an SSG-20 with multiple policy-based VPNs to remote sites. We want to put our public web server in the DMZ zone, but it needs to be able to access back-end services at the local site as well as at the VPN sites. I have been able to create a policy allowing access from the DMZ web server to local (Trust zone) network services, but it is unable to reach the VPN sites.
I think it's a routing problem because I temporarily created policies to permit all traffic from DMZ to Trust, DMZ to Untrust and DMZ to Global and I still can't ping the VPN sites.
Local Trust: 192.168.1.0/24
VPN site A: 192.168.2.0/24
VPN site B: 192.168.4.0/24
How can I route to the VPN sites from the DMZ?
12-03-2008 10:57 AM
It turned out to be a return-path routing problem (remotes to DMZ). However, I am still challenged by the fact that we have older Cisco routers on the other end and are unable to create a named tunnel interface (on the Cisco) through which to route things. So we have to create multiple VPN objects on the Juniper, one for each subnet. More work but not impossible.
To elaborate on that in case anyone has some bright ideas: the Cisco side encrypts based on an access list, which can contain multiple remote subnets. But the remote subnet traffic to be encrypted must match the proxy-ID on the Juniper, and Juniper only allows a single-subnet proxy-ID per VPN. So I can create a single crypto map with a single ACL on the Cisco, but on the SSG side I need separate VPN objects, one for each subnet (with a matching proxy-ID).
I can't wait until we can replace all those aging Ciscos with Juniper!
12-08-2008 01:53 AM
Can you tell me what VPN type you have configured on the SSG: is it a route-based VPN or a policy-based VPN?
If it is a policy-based VPN then you have to do the following:
You have to create the following two policies for site A and repeat the same for site B:
1) From Trust zone to Untrust zone with source 192.168.1.0/24 and destination 192.168.2.0/24, action tunnel, select the tunnel for site A and check bidirectional policy
2) From DMZ to Untrust with source 10.10.1.0/24 and destination 192.168.2.0/24, action tunnel, select the tunnel for site A and check bidirectional policy
On Cisco: (site A)
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
Hope this helps
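The point raised in the second post (each Cisco crypto ACL entry needs its own SSG VPN object whose proxy-ID mirrors it) and the policies in the reply above can be checked mechanically before committing a change. The following script is an added example, not code from the thread or from Juniper or Cisco: it parses the site-A access list from the reply, mirrors each entry into SSG terms (the Cisco's source is the SSG's remote and vice versa) and lists the entries that have no matching proxy-ID. The VPN object names and the ACL text are constructed for illustration.

```python
import ipaddress
import re

# Constructed from the thread: the site-A Cisco encrypts 192.168.2.0/24 towards
# both the Trust network and the DMZ network.
CISCO_ACL = """
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
"""

# Proxy-IDs from the SSG's point of view: name -> (local subnet, remote subnet).
# Only the Trust policy exists here, so the DMMZ-to-site-A entry should be reported.
# Object names are assumptions.
SSG_PROXY_IDS = {
    "VPN-SiteA-Trust": ("192.168.1.0/24", "192.168.2.0/24"),
}

ACL_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard-mask pair to an ip_network (wildcard bits are inverted netmask bits)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_cisco_acl(text):
    """Return (cisco_local, cisco_remote) network pairs from 'permit ip' lines; other lines are skipped."""
    selectors = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            selectors.append((wildcard_to_network(src, src_wc),
                              wildcard_to_network(dst, dst_wc)))
    return selectors


def unmatched_selectors(acl_text, proxy_ids):
    """List ACL entries (as CIDR strings) with no SSG proxy-ID that mirrors them exactly."""
    mirrored = {(ipaddress.ip_network(remote), ipaddress.ip_network(local))
                for local, remote in proxy_ids.values()}
    return [(str(s), str(d)) for s, d in parse_cisco_acl(acl_text)
            if (s, d) not in mirrored]
```

Each reported pair is a subnet the Cisco will try to negotiate for which the SSG has no VPN object, so phase 2 for that selector will fail until a second VPN object with the mirrored proxy-ID is added.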