ScreenOS Firewalls (NOT SRX)
echidov

Re: VPN up, can't ping gateway

Hi,


If you use the route-based VPN, the policies and the VPN itself are fully independent of each other. This is a great advantage of the route-based VPN. Multiple, very granular policies can be created while the VPN stays the same. But if you need a simple access policy, the same for all dial-up users, create an Untrust subnet object like 172.168.3.0/27 which covers the remote IP pool, or a group of host objects like 172.168.3.10/32 - 172.168.3.x/32. Configure a single Untrust-to-Trust policy:

Subnet object or Group -> 172.168.1.0/24 Service: Any.

If you assign no DNS in the IP pool, the client uses the DNS servers configured in TCP/IP. If internal servers should be used, their addresses should be added to the pool configuration. If these servers are not located in the network 172.168.1.0/24, you need one more VPN Proxy ID (topology entry) on both the client and the FW. Otherwise the clients will not be able to reach the DNS servers.

I assume that you use ScreenOS 6.3 which supports multiple Proxy IDs with the route-based VPN.


Kind regards,
Edouard
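The following is an added ScreenOS 6.3 CLI example illustrating the route-based dial-up setup described in the post above; it is not configuration from the original poster. The object names ("dialup-pool", "lan", "dialup", "dialup-gw", "dialup-vpn"), the tunnel interface (tunnel.1), the pool range, and the internal DNS server address 172.168.5.10 are assumptions; the IKE gateway, phase 1/2 proposals, and user authentication are not shown. Lines beginning with "#" are annotations, not CLI input. The 172.168.x.x addressing follows the thread.

```screenos
# 1. Untrust address object covering the dial-up IP pool, and the internal LAN object
set address "Untrust" "dialup-pool" 172.168.3.0 255.255.255.224
set address "Trust" "lan" 172.168.1.0 255.255.255.0

# 2. Single Untrust-to-Trust policy: pool -> 172.168.1.0/24, service ANY
set policy from "Untrust" to "Trust" "dialup-pool" "lan" "ANY" permit

# 3. IP pool handed out to dial-up clients via XAuth, plus an internal DNS server
#    (assumed address 172.168.5.10, which is outside 172.168.1.0/24)
set ippool "dialup" 172.168.3.10 172.168.3.30
set xauth default ippool "dialup"
set xauth default dns1 172.168.5.10

# 4. Route-based VPN: tunnel interface in Untrust, VPN bound to it,
#    and a route sending pool traffic into the tunnel
set interface tunnel.1 zone "Untrust"
set vpn "dialup-vpn" gateway "dialup-gw" sec-level standard
set vpn "dialup-vpn" bind interface tunnel.1
set route 172.168.3.0/27 interface tunnel.1

# 5. Proxy IDs (ScreenOS 6.3 allows several on a route-based VPN).
#    First entry: the LAN the policy above protects.
set vpn "dialup-vpn" proxy-id local-ip 172.168.1.0/24 remote-ip 172.168.3.0/27 "ANY"
#    Second entry: the DNS server's network, because it is not inside 172.168.1.0/24.
#    The client's topology must carry the matching entry or DNS will not be reachable.
set vpn "dialup-vpn" proxy-id local-ip 172.168.5.0/24 remote-ip 172.168.3.0/27 "ANY"
```

The second proxy ID is the point of the post: without it, the phase 2 SA only covers 172.168.1.0/24, so packets to the DNS server are dropped before any policy is consulted, even though the tunnel itself is up. A second policy from "dialup-pool" to an address object for 172.168.5.0/24 would also be needed if the DNS server is to be reached through the firewall.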
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.