Screen OS

  • 1.  vpn traffic works not correct.

    Posted 07-12-2009 02:29

    Hello @all

    First of all, sorry for my very bad English. I hope I can explain my problems...

    I have configured a rule-based dialup VPN. When the VPN client connects to the SSG5, it gets an IP address from a predefined IP pool. It's an IP address from my Trust network. It works very fine.

    So when I connect with the VPN client I am part of the Trust network.

     

    - I am able to ping the Trust interface of the firewall and

    - I have access to the web interface of the firewall SSG5

    - I have web access to my ISP router, which is part of the Untrust network.

     

    This Traffic I can see in the Log of the Rule under:

     

    Source:  Dialup VPN

    Destination: Any

    Service: Any

    Action: Tunnel

     

    Now I want to have access from the VPN client to a server in the Trust zone. I have sent pings to the server in the Trust zone.

    I have seen the request packets in the log of the rule above, but I can't see the reply packet.

     

    Message:

     

    Close Reason:  Close Age Out

     

    So I have no access from the VPN client to the server in the Trust zone and no access from the server in the Trust zone to the dialup VPN client in the Trust zone.

     

    Can you help me? Is this a routing problem?

     

    Best regards

    sxx128


  • 2.  RE: vpn traffic works not correct.

    Posted 07-12-2009 03:56

    can you also please paste your configuration...

     

    thanks

    Raheel Anwar

     



  • 3.  RE: vpn traffic works not correct.

    Posted 07-12-2009 05:02

    Hello Raheel

    After I disconnected the VPN client and connected again, I can reach the server in the Trust zone from the VPN client. I don't understand why. I did not make any changes!

    From the server in the Trust zone it is still not possible to reach the VPN client with ICMP.

    Which part of the configuration do you need?

     

    Regards 

    sxx128



  • 4.  RE: vpn traffic works not correct.

    Posted 07-12-2009 05:05

    please attach the whole configuration, if possible.

     

    thanks

    Raheel Anwar

     



  • 5.  RE: vpn traffic works not correct.

    Posted 07-12-2009 05:24

    Hello again!

    ...sorry for the question...

    I think it's dangerous to post the whole configuration...

     

     

    Regards 

    sxx128



  • 6.  RE: vpn traffic works not correct.

    Posted 07-12-2009 05:42

    understand your concern, if possible please privately send your configuration.

    without looking at your configuration completely it would be very difficult answering your query.

     

    thanks

    Raheel Anwar

     



  • 7.  RE: vpn traffic works not correct.

    Posted 07-12-2009 13:01

    Hello

    Sorry, I am not allowed to do this. I hope you understand.

    Now I have configured Source NAT for the traffic from Untrust (Dialup VPN) to Trust. The Source NAT address in this example is

    192.168.10.2

    Now I have full access to the Trust network server and the Trust interface of the firewall, but since I configured Source NAT I have no access to the ISP router in the Untrust zone.

     

     

    Here is the  Traffic Log (Cleanup Rule) from the Zone Trust to Untrust:

     

    009-07-12 20:25:59 192.168.10.2:1083 192.168.1.xxx:1280 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied

     

    2009-07-12 20:25:54 192.168.10.2:1082 192.168.1.xxx:1280 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied

     

     

    But there is a rule from the zone Trust to Untrust that permits any service.

     

     

    Do you have any idea?

     

     

    Best Regards 

    sxx128

     

     



  • 8.  RE: vpn traffic works not correct.
    Best Answer

    Posted 07-13-2009 09:44

    Hello Raheel

    I solved the problem. It was a routing problem. On the server in the Trust zone I defined a static ARP entry for the address of the dialup VPN client, and there is no Source NAT configured on the firewall.

     

    Best

    Regards

    sxx128



  • 9.  RE: vpn traffic works not correct.

    Posted 08-06-2009 05:02

    great.