ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
anabiosis
Contributor
anabiosis
Posts: 15
Registered: ‎12-22-2009
0

Splitting VPNs via Different Interfaces

Options

‎06-09-2011 07:49 AM

Hey all, have a quick question I'm hoping someone can give me some help with. I have Googled until my eyes turned blue, scoured my ScreenOS Cookbook to no avail. I have the following:

Firewall A -- e0/0 provider 1 (T1)
           -- e0/1 provider 2 (DSL)
           -- bgr0 192.168.0.1

Firewall B -- e0/0 provider 1 (MetroE)
           -- bgr0 192.168.2.1




I had been asked to send ALL 192.168.0.x tunnel traffic MINUS 1 host via e0/1 and ONE 192.168.0.x host via e0/0 ASCII whould look like:

Firewall A --> 192.168.0.0/24 --> via e0/1 --> Firewall B
Firewall A --> 192.168.0.200/32 --> via e0/0 --> Firewall B

Unsure how to accomplish this. Firewall A's e0/1's default route is active and nothing I send to e0/0 gets through. The moment I gave e0/1 the better preference, is the moment all stopped. I went back and created two VPNs from Firewall A to Firewall B and vice versa, but I cannot get Firewall A's e0/0 connected to Firewall B. Any thoughts, pointers, etc?


Message 1 of 3 (242 Views)
 
Reply
Trusted Expert
Trusted Expert
firewall72
Posts: 781
Registered: ‎05-04-2008
0

Re: Splitting VPNs via Different Interfaces

Options

‎06-09-2011 05:30 PM

Hi,

 

I came across a similar issue and resolved it by adding an interface with a unique IP on Firewall B.  I then added a 32 but route on Firewall A to ensure the second VPN routed via the second ISP.  Once both VPN's were active, I simply used trust-vr routes accordingly.  I hope this sheds some light.

 

John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-IDP, JNCIA-JUNOS

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Message 2 of 3 (225 Views)
 
Reply
Distinguished Expert
Distinguished Expert
echidov
Posts: 830
Registered: ‎11-02-2009
0

Re: Splitting VPNs via Different Interfaces

Options

‎06-09-2011 11:54 PM

Hi,

 

As I understand you are using policy based VPN. It would be easer to work with route based VPN. But anyway, you need two VPNs. Create a MIP on eth0/0 for 192.168.0.200 and use it in the VPN configuration. This NAT is required for the FW B to correctly forward the response packets. Place this VPN policy on FW A before the second one that is tunneling the entire network. Use Sorce based routing to route the packets with the source IP 192.168.0.200 through eth0/0. The SBR has higher preference over the dst-routing per default. This should work.

Kind regards,
Edouard
Message 3 of 3 (214 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.