ScreenOS Firewalls (NOT SRX)
Contributor
anabiosis
Posts: 16
Registered: ‎12-22-2009

Splitting VPNs via Different Interfaces

Hey all, have a quick question I'm hoping someone can give me some help with. I have Googled until my eyes turned blue, scoured my ScreenOS Cookbook to no avail. I have the following:

Firewall A -- e0/0 provider 1 (T1)
           -- e0/1 provider 2 (DSL)
           -- bgr0 192.168.0.1

Firewall B -- e0/0 provider 1 (MetroE)
           -- bgr0 192.168.2.1




I had been asked to send ALL 192.168.0.x tunnel traffic MINUS 1 host via e0/1, and ONE 192.168.0.x host via e0/0. In ASCII it would look like:

Firewall A --> 192.168.0.0/24 --> via e0/1 --> Firewall B
Firewall A --> 192.168.0.200/32 --> via e0/0 --> Firewall B

Unsure how to accomplish this. Firewall A's e0/1 default route is active and nothing I send to e0/0 gets through. The moment I gave e0/1 the better preference is the moment everything stopped. I went back and created two VPNs from Firewall A to Firewall B and vice versa, but I cannot get Firewall A's e0/0 connected to Firewall B. Any thoughts, pointers, etc.?


Distinguished Expert
firewall72
Posts: 811
Registered: ‎05-04-2008

Re: Splitting VPNs via Different Interfaces

Hi,

 

I came across a similar issue and resolved it by adding an interface with a unique IP on Firewall B. I then added a 32-bit route on Firewall A to ensure the second VPN routed via the second ISP. Once both VPNs were active, I simply used trust-vr routes accordingly. I hope this sheds some light.

 

John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009

Re: Splitting VPNs via Different Interfaces

Hi,

 

As I understand it, you are using a policy-based VPN. It would be easier to work with a route-based VPN. But anyway, you need two VPNs. Create a MIP on eth0/0 for 192.168.0.200 and use it in the VPN configuration. This NAT is required for FW B to correctly forward the response packets. Place this VPN policy on FW A before the second one that is tunneling the entire network. Use source-based routing to route the packets with the source IP 192.168.0.200 through eth0/0. SBR has higher preference than dst-routing by default. This should work.

Kind regards,
Edouard
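Putting the two replies together as one configuration sketch (an added example, not from either poster): a second tunnel terminating on a unique IP on Firewall B, a /32 route on Firewall A so that peer is reached via e0/0, a MIP for 192.168.0.200 on e0/0, a source-based route for that host, and the host's tunnel policy placed above the network policy. All public addresses are constructed from RFC 5737 documentation ranges, Firewall B's second interface and the pre-shared keys are placeholders, and the command syntax is ScreenOS 6.x as recalled from memory, so check it against your release.

```screenos
## Firewall A (all addresses constructed from RFC 5737 documentation ranges)
set interface ethernet0/0 ip 203.0.113.10/29
set interface ethernet0/1 ip 198.51.100.10/30
set interface bgroup0 ip 192.168.0.1/24
## Default route stays on the DSL link (e0/1), exactly as the poster has it
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.9
## Host route to Firewall B's second public IP via the T1 (firewall72's /32),
## so IKE/ESP for the host tunnel never follows the default route
set vrouter trust-vr route 192.0.2.18/32 interface ethernet0/0 gateway 203.0.113.9
## MIP on e0/0: 192.168.0.200 is presented to Firewall B as 203.0.113.11, so
## B can tell that host's return traffic apart from the rest of 192.168.0.0/24
set interface ethernet0/0 mip 203.0.113.11 host 192.168.0.200 netmask 255.255.255.255 vr trust-vr
## Source-based route for the host; SBR is consulted before destination
## routing by default, so the default route itself is left alone
set vrouter trust-vr source-routing
set vrouter trust-vr route source in-interface bgroup0 192.168.0.200/32 interface ethernet0/0 gateway 203.0.113.9
## One IKE gateway per ISP link, each pinned to its own outgoing interface
set ike gateway gw-net address 192.0.2.10 main outgoing-interface ethernet0/1 preshare "PSK-PLACEHOLDER" sec-level standard
set ike gateway gw-host address 192.0.2.18 main outgoing-interface ethernet0/0 preshare "PSK-PLACEHOLDER" sec-level standard
set vpn vpn-net gateway gw-net sec-level standard
set vpn vpn-host gateway gw-host sec-level standard
set address trust lan-net 192.168.0.0 255.255.255.0
set address trust lan-host 192.168.0.200 255.255.255.255
set address untrust remote-net 192.168.2.0 255.255.255.0
## Order matters: the /32 host policy must sit above the /24 policy, or the
## host matches the network policy first and goes out the DSL tunnel
set policy from trust to untrust lan-net remote-net any tunnel vpn vpn-net
set policy top from trust to untrust lan-host remote-net any tunnel vpn vpn-host

## Firewall B: e0/0 keeps the MetroE address; e0/1 (assumed, also on provider 1)
## carries the unique IP firewall72 describes for the second tunnel
set interface ethernet0/0 ip 192.0.2.10/30
set interface ethernet0/1 ip 192.0.2.18/30
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.9
set vrouter trust-vr route 203.0.113.10/32 interface ethernet0/1 gateway 192.0.2.17
set ike gateway gw-net address 198.51.100.10 main outgoing-interface ethernet0/0 preshare "PSK-PLACEHOLDER" sec-level standard
set ike gateway gw-host address 203.0.113.10 main outgoing-interface ethernet0/1 preshare "PSK-PLACEHOLDER" sec-level standard
set vpn vpn-net gateway gw-net sec-level standard
set vpn vpn-host gateway gw-host sec-level standard
set address trust lan-b 192.168.2.0 255.255.255.0
set address untrust remote-net 192.168.0.0 255.255.255.0
## remote-mip is the MIP address, not 192.168.0.200: that is the whole point
set address untrust remote-mip 203.0.113.11 255.255.255.255
## Return traffic for the MIP address selects the T1 tunnel; everything else
## in 192.168.0.0/24 selects the DSL tunnel
set policy from trust to untrust lan-b remote-net any tunnel vpn vpn-net
set policy top from trust to untrust lan-b remote-mip any tunnel vpn vpn-host
```

Lines beginning with ## are commentary, not ScreenOS commands, and the reverse-direction (untrust to trust) policies on both firewalls are left out for brevity.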

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.