J2EE App Dev Team

Shrew Juniper Configuration: ping unable to reach behind firewall

When configuring ShrewVPN to work with an SSG, I was able to ping the firewall interface but unable to ping anything behind the firewall (servers, LAN). A resolution was found, and I am posting it for other users with the same issue.

 

[Original Issue]

ShrewVPN was configured following the procedure given by ShrewVPN:

 

http://www.shrew.net/support/wiki/HowtoJuniperSsg

 

However, after setting up, pings to the firewall interface are answered, but no resources behind it respond. In the example below, we can ping 10.9.78.254 but nothing else, such as 10.9.78.150.

 

[screenshot attachment]

 

[Cause]

{1} 'Source translation' was not ticked in the policy settings of the dial-up VPN (Policy > Advanced).

{2} The IP pool must be different from the target IP subnet.

 

If this is not done, the user can ping the firewall interface itself but cannot ping any further.

 

[Resolution-1]

Source Translation must be ticked on the Juniper SSG. (I attached the screenshot to this post.)

 

[Resolution-2]

The IP pool must be configured so that the target IP subnet and the IP pool are different. If we aim for 10.7.4.0/24, we should be using a different IP subnet for the pool.

 

I hope this helps people working on a new SSG project reach a quicker resolution.

 

 
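The thread's Resolution-2 is a pool/subnet overlap problem. The check below is an added example (not code from the original post or from Juniper): it takes a dial-up IP pool expressed as an inclusive start/end range, as ScreenOS pools are, and reports any overlap with the trust-side subnets the VPN is meant to reach. The pool ranges and the 10.9.78.0/24 subnet are constructed to mirror the thread; the function names are the example's own.

```python
"""Check a ScreenOS dial-up VPN IP pool against the protected (trust-side) subnets.

Added example, not from the original post or from Juniper. The pool ranges and
protected subnet below are constructed to mirror the thread's scenario.
"""
import ipaddress
from typing import Iterable, List, Tuple


def pool_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Express an inclusive start..end pool range as the minimal list of CIDR blocks."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    return list(ipaddress.summarize_address_range(first, last))


def pool_overlaps(start: str, end: str, protected: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (pool_block, protected_subnet) pairs that overlap.

    An empty list means the pool is disjoint from every protected subnet, which is
    what Resolution-2 in the post requires.
    """
    nets = [ipaddress.IPv4Network(p, strict=False) for p in protected]
    conflicts: List[Tuple[str, str]] = []
    for block in pool_networks(start, end):
        for net in nets:
            if block.overlaps(net):
                conflicts.append((str(block), str(net)))
    return conflicts


# Constructed scenario: target LAN 10.9.78.0/24 with the firewall at 10.9.78.254.
PROTECTED = ["10.9.78.0/24"]
BAD_POOL = ("10.9.78.100", "10.9.78.120")   # drawn from the target subnet itself
GOOD_POOL = ("10.9.79.1", "10.9.79.50")     # a distinct subnet, as the post recommends

if __name__ == "__main__":
    for label, (s, e) in (("bad", BAD_POOL), ("good", GOOD_POOL)):
        conflicts = pool_overlaps(s, e, PROTECTED)
        status = f"OVERLAPS {conflicts}" if conflicts else "ok"
        print(f"{label} pool {s}-{e}: {status}")
```

Why this matters: when a client is handed an address inside the LAN's own subnet, hosts on that LAN treat the client as on-link and ARP for it instead of routing replies back to the firewall, so only the firewall interface answers. Ticking source translation (Resolution-1) sidesteps the same return-path problem by rewriting the client's source address to one the LAN can route.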

cabellamy

Re: Shrew Juniper Configuration: ping unable to reach behind firewall

I tried this but no luck. I cannot even ping the trusted side of the FW.

sarab

Re: Shrew Juniper Configuration: ping unable to reach behind firewall

If the VPN is up and you are unable to ping even the trust side, then please verify whether you have NAT-T enabled on the Juniper side in the Phase 1 configuration of this VPN.

 

If the above setting is enabled, then try running debug flow basic to verify whether packets from your PC with the Shrew VPN client are being received on the firewall.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.