ScreenOS Firewalls (NOT SRX)
Distinguished Expert
Posts: 858
Registered: 11-02-2009

Re: VPN up, can't ping gateway



If you use the route-based VPN, the policies and the VPN itself are fully independent of each other. This is a great advantage of the route-based VPN. Multiple and very granular policies can be created while the VPN stays the same. But if you need a simple access policy, the same for all dialup users, create an Untrust subnet object which covers the remote IP pool, or a group of host objects like 172.168.3.x/32. Configure a single Untrust-to-Trust policy:

Subnet object or Group -> Service: Any.

If you assign no DNS in the IP pool, the client uses the DNS servers which are configured in TCP/IP. If internal servers should be used, their addresses should be added to the pool configuration. If these servers are not located in the network covered by the VPN, you need one more VPN Proxy ID (topology entry) both on the client and the FW. Otherwise the clients will not be able to reach the DNS servers.

I assume that you use ScreenOS 6.3 which supports multiple Proxy IDs with the route-based VPN.


Kind regards,
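The two checks the reply above describes, as an added example that is not part of the original post or of ScreenOS itself: does the policy source object (a subnet, or a group of /32 host objects) cover every address in the dialup pool, and does some Proxy ID pair let the pool reach each DNS server pushed to the clients? All addresses, Proxy IDs and DNS servers below are constructed sample values; the 172.168.3.0/24 pool mirrors the 172.168.3.x range in the reply.

```python
import ipaddress

# Helper so the sample topology reads like the firewall config (constructed values).
def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed sample topology, not from the post:
#   REMOTE_POOL     - IP pool handed to dialup clients
#   PROXY_IDS       - (local, remote) Proxy ID pairs configured on the firewall
#   POLICY_SOURCES  - source objects of the Untrust-to-Trust policy
#   DNS_SERVERS     - internal DNS servers pushed to the clients via the pool
REMOTE_POOL = net("172.168.3.0/24")
PROXY_IDS = [(net("10.10.10.0/24"), net("172.168.3.0/24"))]
POLICY_SOURCES = [net("172.168.3.0/24")]
DNS_SERVERS = ["10.10.10.53", "10.20.20.53"]


def pool_covered_by_policy(pool, sources):
    """True if every host in the pool matches at least one policy source object."""
    return all(any(host in src for src in sources) for host in pool.hosts())


def unreachable_dns(dns_servers, proxy_ids, pool):
    """DNS servers that no Proxy ID lets the pool reach.

    A server is reachable when some Proxy ID has a local side containing the
    server and a remote side covering the whole client pool.
    """
    missing = []
    for server in dns_servers:
        addr = ipaddress.ip_address(server)
        reachable = any(addr in local and pool.subnet_of(remote)
                        for local, remote in proxy_ids)
        if not reachable:
            missing.append(server)
    return missing


def proxy_ids_to_add(dns_servers, proxy_ids, pool):
    """One extra (local, remote) Proxy ID per unreachable DNS server, /32 on the local side."""
    return [(net(server + "/32"), pool)
            for server in unreachable_dns(dns_servers, proxy_ids, pool)]


if __name__ == "__main__":
    print("pool covered by policy:", pool_covered_by_policy(REMOTE_POOL, POLICY_SOURCES))
    print("DNS servers clients cannot reach:", unreachable_dns(DNS_SERVERS, PROXY_IDS, REMOTE_POOL))
    print("Proxy IDs to add:", proxy_ids_to_add(DNS_SERVERS, PROXY_IDS, REMOTE_POOL))
```

With the sample values, 10.20.20.53 sits outside the only local subnet in PROXY_IDS, so it is reported as unreachable and a 10.20.20.53/32 to 172.168.3.0/24 Proxy ID is suggested; the same pair would also have to be added on the client side, as the reply notes.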