ScreenOS Firewalls (NOT SRX)
Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

192.168.241.5 is the SafeNet virtual adapter.

Thanks for your help. I will be out of the office for a few days so this will be my last correspondence until Sunday.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\gdaliberty>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 b4 64 19 ...... Broadcom NetXtreme 57xx Gigabit Controller -
 Packet Scheduler Miniport
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.12.254  192.168.12.100       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.255.0   192.168.12.100  192.168.12.100       20
   192.168.12.100  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.12.255  255.255.255.255   192.168.12.100  192.168.12.100       20
    192.168.239.0    255.255.255.0    192.168.241.5   192.168.241.5       1
    192.168.241.5  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.241.5  255.255.255.255    192.168.241.5   192.168.241.5       1
  192.168.241.255  255.255.255.255    192.168.241.5   192.168.241.5       50
        224.0.0.0        240.0.0.0   192.168.12.100  192.168.12.100       20
        224.0.0.0        240.0.0.0    192.168.241.5   192.168.241.5       50
  255.255.255.255  255.255.255.255   192.168.12.100  192.168.12.100       1
  255.255.255.255  255.255.255.255    192.168.241.5   192.168.241.5       1
Default Gateway:    192.168.12.254
===========================================================================
Persistent Routes:
  None

C:\Documents and Settings\gdaliberty>

Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

Problem corrected. During testing I configured 2 security policies with the same trusted networks. I stopped one of them in the GUI and it disabled traffic to that trusted network. Once I deleted the stopped policy everything was good.

Thanks to Juniper support and everyone here!!!! for helping. I didn't realize that would happen.

Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

Now that I have a basic dialup VPN working to a single subnet I need to configure it so that the dialup user can access several different subnets at our corporate site. I thought it would be as simple as adding the networks to the policy. Not so!!! Does anyone have any ideas why this is so??? Can it be done?? There must be a way to configure this. Maybe I'm just too used to Cisco. :smileymad:
Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

I'm able to get a large range such as 192.168.0.0/16 but how can I add that network and 10.0.0.0/16 ???

Any ideas will be appreciated immensely.

Thanks

Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008

Re: dialup VPN not passing traffic

Hi,

Unfortunately, from my experience you can't do this with a single policy on NSremote unless you want to tunnel all traffic 0.0.0.0/0. The only other way to do it is to create 2 security policies on NSremote, one for each of the subnets, and then have 2 policies on the firewall.

Although someone else might have a better suggestion. If you have got quite a few people connecting in over VPN then you might want to have a look at the Juniper SA, which is an SSL VPN and is much more flexible.

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

Thanks for your reply. That's too bad. It does a fine job with site to site VPNs. After reading the specs it seemed it would do everything that our aging Cisco 3000 (Altiga vintage) did. It looks like I'll have to go with the SSL VPN device or go back to a Cisco device. Hopefully someone will have an answer. If not, it will only be a $3.5k loss and time to go back to Cisco.
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: dialup VPN not passing traffic

Hi biker,

See, it's a fact that if we are new to any box and we don't know its behaviour, then a simple issue becomes complex and increases our frustration. It happened to me also :smileyhappy: but now I feel very comfortable with all Juniper boxes with the passage of time. Juniper products are much much stronger than Cisco. The other factor is most people feel comfortable with Cisco, and there is more Cisco expertise than Juniper, so we can get help anywhere, but now the Juniper web-site and JTAC are much better in support and Juniper expertise is now developing because now people are going to know what Juniper's strength is.

Anyway, you can pass multiple subnets through a dialup VPN tunnel using a route based dialup VPN. Refer to thread http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=739

Thanks 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008

Re: dialup VPN not passing traffic

Hi Kashif Rana,

Thanks for the info, I understand route based VPN on the firewall no problem. My question is how do you configure the NSRemote client to send 2 networks down the tunnel, say 10.1.1.0/24 and 192.168.1.0/24????

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008

Re: dialup VPN not passing traffic

Hi,

You can use 0.0.0.0/0 in the Remote Party identity field. But you have to disable split tunneling, which is by default disabled, so that traffic for the internet does not pass through the tunnel. But for internet connection you can use a proxy or use an untrust to untrust zone intrazone policy with policy based NAT.

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
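
An added illustration (not code from the thread, NetScreen-Remote or Juniper) of the two client-side questions in this thread: which corporate subnets the dial-up client's routing table actually sends into the tunnel (the `route print` output posted earlier, where 192.168.241.5 is the virtual adapter and only 192.168.239.0/24 is routed to it), and what changes when the 0.0.0.0/0 remote-party identity with split tunneling off is used instead. The route table below is a constructed sample in the Windows XP `route print` layout, trimmed to the rows that matter; the longest-prefix-then-lowest-metric rule is the one Windows applies, and the `with_route` helper merely models the client installing a default route out of the virtual adapter, which is an assumption about the client's behaviour rather than something the thread states.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the layout Windows XP `route print` uses; addresses
# mirror the thread (192.168.241.5 = NetScreen-Remote/SafeNet virtual adapter,
# 192.168.12.100 = physical LAN adapter, 192.168.239.0/24 = the one corporate
# subnet the dial-up policy currently covers).
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.12.254  192.168.12.100       21
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.12.0    255.255.255.0   192.168.12.100  192.168.12.100       20
    192.168.239.0    255.255.255.0    192.168.241.5   192.168.241.5       1
    192.168.241.5  255.255.255.255        127.0.0.1       127.0.0.1       50
        224.0.0.0        240.0.0.0   192.168.12.100  192.168.12.100       20
  255.255.255.255  255.255.255.255   192.168.12.100  192.168.12.100       1
Default Gateway:    192.168.12.254
"""

Route = namedtuple("Route", "network gateway interface metric")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the Active Routes rows as Route tuples; header/footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            ipaddress.IPv4Address(gw),
            ipaddress.IPv4Address(iface),
            int(metric),
        ))
    return routes


def lookup(routes, address):
    """Longest-prefix match; lowest metric breaks ties (the rule the Windows stack applies)."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def subnet_via_vpn(routes, vpn_interface, subnet):
    """True when every address in `subnet` would leave through the VPN virtual adapter."""
    vpn = ipaddress.IPv4Address(vpn_interface)
    net = ipaddress.IPv4Network(subnet)
    best = lookup(routes, net.network_address)
    if best is None or best.interface != vpn or not net.subnet_of(best.network):
        return False
    # A more specific route inside the subnet that exits elsewhere steals part of it
    # (for example the local LAN /24 inside a corporate 192.168.0.0/16).
    for other in routes:
        if (other.network.subnet_of(net)
                and other.network.prefixlen > best.network.prefixlen
                and other.interface != vpn):
            return False
    return True


def with_route(routes, subnet, gateway, interface, metric):
    """Copy of the table with one extra route; models a client-side change (assumption)."""
    return routes + [Route(ipaddress.IPv4Network(subnet), ipaddress.IPv4Address(gateway),
                           ipaddress.IPv4Address(interface), metric)]


def report(routes, vpn_interface, subnets):
    """Map each corporate subnet to whether the client would tunnel it."""
    return {s: subnet_via_vpn(routes, vpn_interface, s) for s in subnets}


if __name__ == "__main__":
    VPN = "192.168.241.5"
    corporate = ["192.168.239.0/24", "10.0.0.0/16", "192.168.0.0/16"]
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("split tunnel:", report(table, VPN, corporate))
    # Model the 0.0.0.0/0 remote-party identity with split tunneling off: the
    # client gets a default route out of the virtual adapter, so every
    # non-local destination, internet included, is tunneled.
    full = with_route(table, "0.0.0.0/0", VPN, VPN, 1)
    print("full tunnel: ", report(full, VPN, corporate + ["8.8.8.0/24"]))
```

With the sample table only 192.168.239.0/24 is tunneled; 10.0.0.0/16 falls through to the physical default route, and 192.168.0.0/16 is rejected because the local 192.168.12.0/24 sits inside it. Once a default route via the virtual adapter is present, 10.0.0.0/16 and the constructed internet prefix 8.8.8.0/24 are both tunneled while the local LAN /24 stays local, which is exactly why the full-tunnel approach needs the untrust-to-untrust NAT policy or a proxy for internet access.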
Contributor
biker
Posts: 21
Registered: ‎05-07-2008

Re: dialup VPN not passing traffic

[ Edited ]

Thanks, Kashif Rana

I got the dialup VPN working from that thread. I'm getting there. Thank you. How about local LAN access on the NSR side? I've read some threads about split tunneling but haven't had any success.

Thanks for all the help.

Rick

Message Edited by biker on 07-27-2008 03:11 PM
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.