SRX Services Gateway

Cannot pass traffic via policy-based VPN

03-16-2011 05:55 AM

The attachment is my configuration.

remote site firewall: SSG 140
local firewall: SRX 100

remote site subnets: 10.0.30.0/24, 10.0.19.0/24
local LAN: 192.168.123.0/24

 

The policy-based VPN is established; the PCs on the local network can reach the Internet but cannot reach the remote site network. The configuration of the remote side is absolutely correct.

Could someone help me find out what the problem with this configuration is?


6 REPLIES

Re: Cannot pass traffic via policy-based VPN

03-16-2011 06:48 AM

I believe that you need a rule above your current source NAT rule, like this:

 

rule vpn {
    match {
        source-address 192.168.123.0/24;
        destination-address [ 10.0.30.0/24 10.0.19.0/24 ];
    }
    then {
        source-nat {
            off;
        }
    }
}


Re: Cannot pass traffic via policy-based VPN

03-16-2011 06:53 AM

If I add this rule at the top, then when traffic from 192.168.123.0 is directed to 10.0.30.0 or 10.0.19.0 it will match that rule; will the policy for the policy-based VPN still function?


Re: Cannot pass traffic via policy-based VPN

03-16-2011 07:10 AM

Correct. The reason it isn't working is because you are NATing all of the traffic at the moment, and it will not match the policy.

If you do a

show security flow session destination-prefix 10.0.30.0/24

then this will show you this traffic being NATed and hitting the wrong policy.


Re: Cannot pass traffic via policy-based VPN

03-16-2011 07:18 AM

Thanks for the reply.

May I ask you one question? The PCs on the remote site network also cannot ping the local LAN (192.168.123.0). Is that related to the NAT bypass?


Re: Cannot pass traffic via policy-based VPN

03-16-2011 07:30 AM

The return traffic will hit the NAT rule, so it wouldn't work either way until the new rule is in place.


Re: Cannot pass traffic via policy-based VPN

03-17-2011 03:36 AM

Thank you for your support.

I will try it next week.