Screen OS

  • 1.  Troubleshooting intra-zone policy

    Posted 09-09-2009 17:43

    On my SSG20 firewall, I have five interfaces:

    ETH0/0 - untrust
    ETH0/1 - untrust
    ETH0/2 - untrust
    ETH0/3 - TrustVCNetwork
    ETH0/4 - bound to bggroup1 - Trust

    I have an intra-zone policy to allow traffic from ETH0/3 to ETH0/2. For some reason, any traffic from and to ETH0/3 is not working even though there are proper policies and routes.

    Any suggestions?

    Cheers!



  • 2.  RE: Troubleshooting intra-zone policy

    Posted 09-10-2009 00:24

    Intrazone policy is for same-zone traffic. ETH0/3 and ETH0/2 are in different zones, so an intrazone policy will not work.

    I would suggest verifying the policies and routes for the ETH0/3 interface and making sure that you have a policy for the TrustVCNetwork zone.

    If it still does not work, then running "debug flow basic" would help us find the root cause of the issue.

    For troubleshooting, please follow this KB:

    http://kb.juniper.net/KB9221

    Thanks

    Atif
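The point of the reply above, as an added example that is not part of the original thread or of any Juniper code: a small model of how a zone-based firewall derives the from-zone from the ingress interface and the to-zone from the route lookup, and why a policy written for TrustVCNetwork-to-TrustVCNetwork can never match a flow that leaves through an Untrust interface. The interface names, the bgroup name and the route prefixes are assumptions chosen to mirror the poster's layout.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface-to-zone bindings from the original post. The name bgroup1 (the post
# spells it "bggroup1") is assumed; ETH0/4 reaches Trust through it.
IFACE_ZONE = {
    "ethernet0/0": "Untrust", "ethernet0/1": "Untrust", "ethernet0/2": "Untrust",
    "ethernet0/3": "TrustVCNetwork", "bgroup1": "Trust",
}
BGROUP_MEMBERS = {"ethernet0/4": "bgroup1"}

# Constructed route table: (prefix, egress interface). The prefixes are made up.
ROUTES = [
    (ip_network("10.3.0.0/24"), "ethernet0/3"),
    (ip_network("10.4.0.0/24"), "bgroup1"),
    (ip_network("0.0.0.0/0"), "ethernet0/2"),
]

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    action: str  # "permit" or "deny"

def zone_of(iface: str) -> str:
    """Resolve an interface to its zone; bgroup members inherit the group's zone."""
    return IFACE_ZONE[BGROUP_MEMBERS.get(iface, iface)]

def egress_iface(dst: str) -> str:
    """Longest-prefix match over the constructed route table."""
    addr = ip_address(dst)
    hits = [(net, iface) for net, iface in ROUTES if addr in net]
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]

def lookup(policies: list, in_iface: str, dst: str) -> tuple:
    """Return (action, from_zone, to_zone) for a flow entering on in_iface.

    The from-zone is the ingress interface's zone; the to-zone is the zone of
    the interface the route lookup picks. A policy matches only when both zones
    match, so an intrazone policy never covers a flow whose zones differ, and
    unmatched interzone traffic falls to the implicit deny.
    """
    from_zone = zone_of(in_iface)
    to_zone = zone_of(egress_iface(dst))
    for pol in policies:
        if (pol.from_zone, pol.to_zone) == (from_zone, to_zone):
            return pol.action, from_zone, to_zone
    return "deny (no matching policy)", from_zone, to_zone
```

Running `lookup` with only a TrustVCNetwork-to-TrustVCNetwork permit against a flow from ethernet0/3 to an Internet address yields the implicit deny; adding a TrustVCNetwork-to-Untrust permit is what makes the same flow pass.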



  • 3.  RE: Troubleshooting intra-zone policy

    Posted 09-10-2009 17:19

    I am sorry, I should have written interzone policy. I am new to firewall products and nervous, so please correct my misused technical terms.

    Will the debug command cause other interfaces to participate as well?

    I just want to know what's happening with traffic from and to the ETH0/3 interface.

    Also, as you seem to be familiar with these products, you will be able to answer one more query. We have used the allowed 10 route-based VPN tunnels and now we cannot create a new one. How do we go about getting more tunnels?

    Cheers



  • 4.  RE: Troubleshooting intra-zone policy

    Posted 09-10-2009 17:26

    You are probably hitting the firewall limitation. You can verify the number of tunnels allowed in the firewall with the following command:

    par-> get sys-cfg | i tunnel
    tunnel interface number: 10

    Thanks

    Atif



  • 5.  RE: Troubleshooting intra-zone policy

    Posted 09-10-2009 19:43

    It says only 10. But how can I increase it?

    Thanks



  • 6.  RE: Troubleshooting intra-zone policy

    Posted 09-11-2009 02:30

    Hi, I think you cannot increase it, since the box capability for the SSG5/20 only supports 10 tunnel interfaces. If you want to increase it, you should upgrade the box.

    Thanks

    EL



  • 7.  RE: Troubleshooting intra-zone policy
    Best Answer

    Posted 09-11-2009 05:36

    You have to summarize the network so that you would have fewer tunnels, and you can also configure some policy-based VPNs.

    Thanks

    Atif