  • 1.  SRX100B - Dynamic VPN - RDP not usable

    Posted 05-29-2012 23:59

    Hi,

    I have a problem / misconfiguration with my firewall. We have a fixed ADSL IP on the WAN and a VLAN for the LAN. We have port 3389 connected directly to a PC from the outside WAN. But now I have configured Dynamic VPN as per http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-junos10.4-v21.pdf and it works fine. But now when I want to Remote Desktop to my server, I get redirected to the PC. Even though file access works (e.g. \\192.168.0.101), RDP on that IP does not. Here is my config:

     

     Can someone see why this is not working?

     

    Greetings,

    Thomas




  • 2.  RE: SRX100B - Dynamic VPN - RDP not usable

    Posted 05-30-2012 04:39

    My guess would be that the NAT rule for RDP is being applied regardless. I have the following in my config before any destination NAT rules:

     

    rule-set untrust-to-trust {
            from zone untrust;
            rule IPSECLinks {
                    # Don't apply NAT to any incoming private (IPSEC) link connections to our LAN
                    match {
                            source-address-name RFC1918;         # you can make this 10.10.10.0/24.
                            destination-address-name HomeLAN;    # and this would be 192.168.1.0/24
                    }
                    then {
                            destination-nat off;
                    }
            }
    }



  • 3.  RE: SRX100B - Dynamic VPN - RDP not usable
    Best Answer

    Posted 05-30-2012 08:31

    Try the following.  The traffic for 192.168.1.101 is getting routed down the VPN by the pushed routes from the SRX.

     

     

    dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.1.0/24;
                    }
                    # traffic to this address is not sent through the VPN tunnel
                    remote-exceptions {
                        192.168.1.101;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        PcManager;
                        geelen;
                    }
                }
            }
    }

     



  • 4.  RE: SRX100B - Dynamic VPN - RDP not usable

    Posted 06-05-2012 07:26
    Thanks for the answers. Strangely, I thought the first answer was the correct one, with a policy which disables the NAT for that specific device, but it did not help. Fortunately, the second one did! Thanks!