Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  VPN Dialup and route-based VPN

    Posted 05-11-2011 12:06

    Hi

    I don't know if this is an uncommon configuration, but this is my situation. We're using NCP Juniper edition for mobile users. Additionally, we have two branches connected through a route-based VPN (1 using SRX and the other SSG5). The users establish the connection successfully to the SSG5 and get access to internal resources, but we need the users to get access to the SRX too, through the same VPN. On the SSG5, we're using XAuth, so we had to create an IP pool. Is it possible? This would be the configuration:

     

    Dial-up ------------->    (SSG5 ----> SRX)

    (internet)                        route-based



  • 2.  RE: VPN Dialup and route-based VPN

    Posted 05-11-2011 13:31

    I do not see a reason why this would not work.  I do not use the NCP stuff, but if your mobile users have access to the resources at the SSG5 site, they should also be able to get to the things at the SRX site.

     

    You may need to add some routes to the SRX that tell it where to route the NCP client traffic (back up the tunnel interface).  You may also need to add some extra policy if there is a zone boundary you are crossing.  This would depend on whether or not your clients end up with IP addresses in a zone different from where the VPN tunnel interface is configured.

     

    Hope that makes sense!



  • 3.  RE: VPN Dialup and route-based VPN
    Best Answer

    Posted 05-16-2011 06:22

    Thanks Sven.

    It should be simple, but it wasn't. I opened a case with Juniper; this is what we did:

    1. We had to change from policy-based to route-based (dial-up)

    2. We created 2 tunnel interfaces (unnumbered)

    3. We were using XAuth, so we had to add the new IP pool to the policy and tunnel

    4. Created an untr-2-untr policy, enabling source NAT

     

    It worked!!

     

    This kind of configuration doesn't exist in the Juniper KB.

     

    Thanks