ScreenOS Firewalls (NOT SRX)
Regular Visitor
jlar310
Posts: 9
Registered: ‎11-25-2008

Routing/Policy problem from DMZ to policy-based VPN

We have an SSG-20 with multiple policy-based VPNs to remote sites. We want to put our public web server in the DMZ zone, but it needs to be able to access back-end services at the local site as well as at the VPN sites. I have been able to create a policy allowing access from the DMZ web server to local (Trust zone) network services, but it is unable to reach the VPN sites.

I think it's a routing problem because I temporarily created policies to permit all traffic from DMZ to Trust, DMZ to Untrust and DMZ to Global and I still can't ping the VPN sites.

Local Trust: 192.168.1.0/24
DMZ: 10.10.1.0/24
VPN site A: 192.168.2.0/24
VPN site B: 192.168.4.0/24

How can I route to the VPN sites from the DMZ?

Regular Visitor
jlar310
Posts: 9
Registered: ‎11-25-2008

Re: Routing/Policy problem from DMZ to policy-based VPN

It turned out to be a return-path routing problem (remotes to DMZ). However, I am still challenged by the fact that we have older Cisco routers on the other end and are unable to create a named tunnel interface (on the Cisco) through which to route things. So we have to create multiple VPN objects on the Juniper, one for each subnet. More work but not impossible.

To elaborate on that in case anyone has some bright ideas: the Cisco side encrypts based on an access list, which can contain multiple remote subnets. But the remote subnet traffic to be encrypted must match the policy-id on the Juniper, and the Juniper only allows a single-subnet policy-id per VPN. So I can create a single crypto map with a single ACL on the Cisco, but on the SSG side I need separate VPN objects, one for each subnet (with a matching policy-id).

I can't wait until we can replace all those aging Ciscos with Juniper!

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: Routing/Policy problem from DMZ to policy-based VPN

Hi,

Can you tell me what VPN type you have configured on the SSG: is it a route-based VPN or a policy-based VPN?

If it is a policy-based VPN then you have to do the following:

On SSG:

You have to create the following two policies for site A and repeat the same for site B:

1) From Trust zone to Untrust zone with source 192.168.1.0/24 and destination 192.168.2.0/24, action tunnel, select the tunnel for site A and check bidirectional policy.

2) From DMZ to Untrust with source 10.10.1.0/24 and destination 192.168.2.0/24, action tunnel, select the tunnel for site A and check bidirectional policy.

On Cisco (site A):

! site A LAN to HQ Trust, mirrors SSG policy 1 (source/destination swapped)
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! site A LAN to HQ DMZ, mirrors SSG policy 2
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255

Hope this helps.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL), JNCIA(IDP,AC,WX), BIG IP-F5-LTM, CCNP

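The two-sided configuration above, as an added example that is not part of the original thread: a short Python script that parses the Cisco crypto ACL (wildcard masks, `any`, `host`) and checks each `permit ip` line against the SSG's tunnel policies. For a policy-based VPN the SSG derives the Phase 2 proxy ID from the tunnel policy's source and destination, so every Cisco ACL line `permit ip A B` needs a mirrored SSG policy with source B and destination A, or Phase 2 for that subnet pair never negotiates; the script reports pairs present on only one side (the mismatch this thread is about) and `any` lines that would pull all traffic into the tunnel. The ACL text, the policy tuples and the names SiteA/SiteB are constructed samples, not taken from the posters' devices.

```python
"""Cross-check a Cisco IOS crypto ACL against ScreenOS policy-based VPN proxy IDs.

Added example, not code from the thread. Inputs at the bottom are constructed samples.
"""
import ipaddress
from typing import NamedTuple, Optional


class Selector(NamedTuple):
    local: ipaddress.IPv4Network   # subnet behind the device that owns the selector
    remote: ipaddress.IPv4Network  # subnet behind its peer


class SsgPolicy(NamedTuple):
    from_zone: str
    to_zone: str
    src: str   # CIDR on the SSG side (local)
    dst: str   # CIDR on the remote side
    vpn: str   # VPN object the policy tunnels into


def wildcard_prefixlen(wildcard: str) -> Optional[int]:
    """Prefix length of an IOS wildcard mask, or None if it is not contiguous.

    A non-contiguous wildcard (e.g. 0.0.255.0) is legal in an IOS ACL but cannot
    be expressed as a subnet proxy ID, so it can never match an SSG policy.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return None
    return prefix


def _parse_spec(tokens, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    prefix = wildcard_prefixlen(tokens[i + 1])
    if prefix is None:
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} cannot be a proxy ID")
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text: str):
    """Return a Selector for every 'access-list N permit ip SRC DST' line.

    Blank lines, '!' comments and remarks are ignored; 'deny' lines are skipped
    because they exempt traffic from the tunnel and have no SSG counterpart.
    """
    selectors = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] != "ip":
            raise ValueError(f"only 'permit ip' crypto ACL lines are handled: {line.strip()}")
        src, i = _parse_spec(tokens, 4)
        dst, _ = _parse_spec(tokens, i)
        selectors.append(Selector(local=src, remote=dst))
    return selectors


def cross_check(cisco_acl: str, ssg_policies):
    """Pair each Cisco ACL line with the SSG tunnel policy that mirrors it.

    matched:    (Cisco Selector, SsgPolicy) pairs whose proxy IDs agree
    cisco_only: ACL lines with no SSG policy (Cisco tries to encrypt, SSG rejects Phase 2)
    ssg_only:   SSG policies the Cisco ACL does not cover (SSG's proposal is rejected)
    too_broad:  ACL lines using 'any', which would claim all traffic for the tunnel
    """
    ssg = {Selector(ipaddress.ip_network(p.src), ipaddress.ip_network(p.dst)): p
           for p in ssg_policies}
    matched, cisco_only, too_broad, seen = [], [], [], set()
    for sel in parse_crypto_acl(cisco_acl):
        if sel.local.prefixlen == 0 or sel.remote.prefixlen == 0:
            too_broad.append(sel)
        mirror = Selector(local=sel.remote, remote=sel.local)  # same pair seen from the SSG
        if mirror in ssg:
            matched.append((sel, ssg[mirror]))
            seen.add(mirror)
        else:
            cisco_only.append(sel)
    ssg_only = [p for s, p in ssg.items() if s not in seen]
    return {"matched": matched, "cisco_only": cisco_only,
            "ssg_only": ssg_only, "too_broad": too_broad}


# Constructed sample: site A router ACL as suggested in the thread, plus a remark line.
CISCO_SITE_A_ACL = """
access-list 101 remark SSG policy-based VPN: site A LAN to HQ Trust and DMZ
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
# Constructed sample: the two SSG tunnel policies for site A.
SSG_SITE_A_POLICIES = [
    SsgPolicy("Trust", "Untrust", "192.168.1.0/24", "192.168.2.0/24", "SiteA"),
    SsgPolicy("DMZ", "Untrust", "10.10.1.0/24", "192.168.2.0/24", "SiteA"),
]
# Constructed failure case: site B router has an 'any' line and a DMZ line,
# while the SSG only carries the Trust policy for site B.
CISCO_SITE_B_ACL = """
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 permit ip 192.168.4.0 0.0.0.255 10.10.1.0 0.0.0.255
"""
SSG_SITE_B_POLICIES = [
    SsgPolicy("Trust", "Untrust", "192.168.1.0/24", "192.168.4.0/24", "SiteB"),
]


def report(name, result):
    print(f"== {name}: {len(result['matched'])} matched")
    for sel in result["cisco_only"]:
        print(f"  Cisco encrypts {sel.local} -> {sel.remote}; SSG has no tunnel policy "
              f"{sel.remote} -> {sel.local} (add one, or a VPN object with that proxy ID)")
    for p in result["ssg_only"]:
        print(f"  SSG policy {p.from_zone}->{p.to_zone} {p.src} -> {p.dst} ({p.vpn}) "
              f"has no crypto ACL line on the Cisco")
    for sel in result["too_broad"]:
        print(f"  over-broad ACL line {sel.local} -> {sel.remote}: 'any' claims all traffic")


if __name__ == "__main__":
    report("site A", cross_check(CISCO_SITE_A_ACL, SSG_SITE_A_POLICIES))
    report("site B", cross_check(CISCO_SITE_B_ACL, SSG_SITE_B_POLICIES))
```

Run it with the device configs pasted into the two inputs; every line it prints under `cisco_only` or `ssg_only` is a subnet pair that will sit in Phase 1 up / Phase 2 down until the other side gets its mirrored policy or ACL entry. The `too_broad` check is there because a stray `permit ip ... any` in a crypto ACL silently routes unrelated traffic into the tunnel and will never match a subnet proxy ID on the SSG.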
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.