Screen OS

  • 1.  Untrust Interface : 172.16.1.1/30. Site-to-Site VPN ?

    Posted 10-23-2010 12:14

    Hi,

    Our new ISP provided us with two networks: a public one (say 80.80.80.64/29) and a private interconnection one (172.16.1.0/30). The ISP's router is 172.16.1.1. So I set my SSG-5's Untrust interface to be 172.16.1.2.

    I want to only use the first public IP address. So, I use a DIP for users' outgoing traffic and several NAT dst for incoming traffic. It all works fine.

    My problem is with setting up a site-to-site VPN with a SSG-140. How am I supposed to create one if my SSG-5 doesn't have a public IP address? Is there some way to tell the firewall to NAT its own packets, not just the policies' ones?

    I did a very classic route-based setup but the Phase 1 never comes up.

    A debug ike clearly shows that the SSG-5 cannot talk with the SSG-140. Actually, a simple ping from the SSG-5 to the SSG-140 fails. I believe this is because the ping leaves the SSG-5 with the 172.16.1.2 address...

    Pinging the SSG-140 from the Trust interface works, because at this time the packets are source NATed.

    The SSG-140 is not a problem, it is ultra-classic: one public interface (public address) and one private one (private address).

    What can I do?

    Thanks in advance.

    Regards.



  • 2.  RE: Untrust Interface : 172.16.1.1/30. Site-to-Site VPN ?
    Best Answer

    Posted 10-23-2010 12:31

    Hi Oxassi,

    One solution is to create a MIP on the untrust interface like the below:

    host address: interface ip

    Mapped address: a public ip

    This will translate the packets sent from the firewall itself (as you wanted), but the problem here is that you will be able to reach the public ip but the VPN packets will not be translated & the phase1 negotiation will fail with error "retransmission limit has been reached" (only VPN packets will not be translated, this is something by design & I got this info from JTAC months ago + I saw it myself at a real scenario)

    So, the correct solution is to create a loopback interface at the untrust Zone & give it a public ip, then you will use this loopback interface as "external interface" with phase1 configuration & your peer will use the loopback ip as the peer address




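    A sample ScreenOS configuration for the loopback approach SSHSSH describes, added here as an illustration and not copied from the thread. The loopback address 80.80.80.66, the SSG-140 public address 90.90.90.10, the LAN prefixes 192.168.1.0/24 and 192.168.2.0/24, the interface and object names and the placeholder preshared key are all assumptions; lines starting with # are annotations, not ScreenOS commands.

```text
# ---- SSG-5 (Untrust ethernet0/0 = 172.16.1.2 on the private /30) ----
# Assumes the ISP already routes 80.80.80.64/29 to 172.16.1.2, which the
# existing DIP and NAT-dst setup relies on anyway.

# Loopback in the untrust zone with a public address. /32 is an assumption:
# it keeps the rest of the /29 free for the DIP and MIPs on ethernet0/0.
set interface loopback.1 zone untrust
set interface loopback.1 ip 80.80.80.66/32
# Attach the physical untrust interface to the loopback group so packets
# arriving on ethernet0/0 for 80.80.80.66 are delivered to loopback.1.
set interface ethernet0/0 loopback-group loopback.1

# Tunnel interface for the route-based VPN, unnumbered against the loopback.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1

# Phase 1: loopback.1 is the outgoing interface, so IKE leaves the box
# sourced from 80.80.80.66 rather than the private 172.16.1.2.
set ike gateway gw-ssg140 address 90.90.90.10 main outgoing-interface loopback.1 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard

# Phase 2, bound to the tunnel interface; route the remote LAN into it.
set vpn vpn-ssg140 gateway gw-ssg140 sec-level standard
set vpn vpn-ssg140 bind interface tunnel.1
set route 192.168.2.0/24 interface tunnel.1

# Plain permit policies for the VPN traffic, placed on top so the existing
# DIP (source-NAT) policy does not rewrite packets headed into the tunnel.
set address trust lan-local 192.168.1.0/24
set address untrust lan-remote 192.168.2.0/24
set policy top from trust to untrust lan-local lan-remote any permit
set policy top from untrust to trust lan-remote lan-local any permit

# ---- SSG-140 (public ethernet0/0 = 90.90.90.10): peer is the loopback IP ----
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway gw-ssg5 address 80.80.80.66 main outgoing-interface ethernet0/0 preshare "REPLACE-WITH-STRONG-PSK" sec-level standard
set vpn vpn-ssg5 gateway gw-ssg5 sec-level standard
set vpn vpn-ssg5 bind interface tunnel.1
set route 192.168.1.0/24 interface tunnel.1

# ---- Verification on either box: Phase 1 state, then the active SAs ----
get ike cookie
get sa active
```

    If `get ike cookie` still shows the SSG-5 sending from 172.16.1.2, the gateway was not given `outgoing-interface loopback.1`, which is exactly the condition the MIP workaround cannot fix.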
  • 3.  RE: Untrust Interface : 172.16.1.1/30. Site-to-Site VPN ?

    Posted 10-23-2010 13:24

    It works! Thanks a lot SSHSSH!

    Best regards.