ScreenOS Firewalls (NOT SRX)

Hub & spokes connectivity by using NHTB

05-25-2008 11:38 PM

HUB= ISG1000

SPOKES= SSG5  

I have a real scenario consisting of 125 remote sites connecting to a central site for services like VoIP, applications, etc.

I have two pools :

1- Untrust IF Pool 120.1.0.0/24

2- Tunnel IF Pool 120.1.200.0/24

On hub site I have to give 120.1.0.254 & tun IF 120.1.200.254, other IPs for remote.

My requirement : VoIP phones on remote sites should communicate with each others ( remote-to-remote)

What I did: HUB site: I applied the untrust IP 120.1.0.254 and tunnel IP 120.1.200.254. I made an AutoKey IKE gateway in which I gave the remote untrust IP 120.1.0.253. In the route I gave the inside network of the remote site via the tunnel interface and the remote untrust IP 120.1.0.253.

REMOTE site: I applied the untrust IP 120.1.0.253 and tunnel IP 120.1.200.253. I made an AutoKey IKE gateway in which I gave the remote untrust IP 120.1.0.254. In the route I gave a default route via the tunnel interface and the HUB untrust IP 120.1.0.254. It's working fine. But when I add one more remote site, with only the IP changed, and on the HUB site I use the same tunnel interface for the routes, then when I apply the static route I gave for the first remote, I can't ping the inside network of the 1st remote site, whereas I can ping the untrust IPs of both the 1st and 2nd remote and the tunnel IPs as well.

Kindly suggest an appropriate solution, but I have to use this IP scheme.

Muhammad Anser Khan
Sr.Network Engineer

Re: Hub & spokes connectivity by using NHTB

05-26-2008 10:27 PM

Hi Anser,

Tell me:

1) What release are you using on the firewalls?

2) Post the configuration of HUB and any one remote site.

3) What route did you add for the remote sites on the HUB?

4) By the way, you can use a private IP pool (like 10.x.x.x/8) on the tunnel interfaces instead of public IPs.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP

Re: Hub & spokes connectivity by using NHTB

05-26-2008 11:04 PM

Hi,

See, for automatic population of NHTB your firewalls should have OS 5.0.0 or above, so make sure your firewalls have OS 5.0.0 or above. One thing you can try is manually binding the VPN tunnel to the next-hop tunnel interface IP, using the following command on the HUB for both remote sites:

set interface <tunnel interface> nhtb <nexthop tunnel interface IP> vpn <name of vpn tunnel for nexthop remote site>

Please let me know the outcome.

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
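As an added illustration of the manual NHTB binding described in the reply above (this is example configuration written for this thread, not Kashif's or Juniper's own), the following is a hub-side ScreenOS configuration for two spokes bound to one tunnel interface, using the thread's addressing (hub untrust 120.1.0.254, hub tunnel 120.1.200.254, spoke 1 at 120.1.0.253/120.1.200.253). The second spoke's addresses (120.1.0.252/120.1.200.252), the spoke inside subnets 10.1.1.0/24 and 10.1.2.0/24, the zone, gateway and VPN names, the preshared keys and the outgoing interface ethernet0/0 are assumed placeholders. The point to note is that the static route's gateway is the spoke's tunnel-interface address, because that is the key the NHTB entry maps to a VPN name; the original post used the spoke's untrust address as the route gateway, which no NHTB entry matches.

```text
# Hub (ISG1000): one tunnel interface shared by two spoke VPNs, with manual NHTB entries.
# Added example built on the thread's addressing; zone, names, preshared keys, inside
# subnets (10.1.1.0/24, 10.1.2.0/24) and outgoing interface are assumed placeholders.

# Tunnel interface in its own zone; spoke-to-spoke (VoIP) traffic enters and leaves through it
set zone name "VPN"
set interface tunnel.1 zone "VPN"
set interface tunnel.1 ip 120.1.200.254/24

# Spoke 1: untrust 120.1.0.253, tunnel IP 120.1.200.253
set ike gateway "gw-spoke1" address 120.1.0.253 Main outgoing-interface "ethernet0/0" preshare "PLACEHOLDER-PSK-1" sec-level standard
set vpn "vpn-spoke1" gateway "gw-spoke1" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-spoke1" bind interface tunnel.1
set vpn "vpn-spoke1" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
# NHTB: next-hop tunnel IP of spoke 1 -> VPN that reaches it
set interface tunnel.1 nhtb 120.1.200.253 vpn "vpn-spoke1"

# Spoke 2: untrust 120.1.0.252, tunnel IP 120.1.200.252 (assumed addresses)
set ike gateway "gw-spoke2" address 120.1.0.252 Main outgoing-interface "ethernet0/0" preshare "PLACEHOLDER-PSK-2" sec-level standard
set vpn "vpn-spoke2" gateway "gw-spoke2" no-replay tunnel idletime 0 sec-level standard
set vpn "vpn-spoke2" bind interface tunnel.1
set vpn "vpn-spoke2" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
# NHTB: next-hop tunnel IP of spoke 2 -> VPN that reaches it
set interface tunnel.1 nhtb 120.1.200.252 vpn "vpn-spoke2"

# Routes to each spoke's inside network. The gateway is the spoke's TUNNEL address,
# which the NHTB entries above resolve to the right VPN; using the spoke's untrust
# address here leaves the hub unable to pick a VPN once two tunnels share tunnel.1.
set route 10.1.1.0/24 interface tunnel.1 gateway 120.1.200.253
set route 10.1.2.0/24 interface tunnel.1 gateway 120.1.200.252

# If intra-zone blocking is enabled on the VPN zone, spoke-to-spoke traffic also needs a policy
set policy from "VPN" to "VPN" "Any" "Any" "ANY" permit

# Verify: each next hop should list its VPN name and the tunnel state
get interface tunnel.1 nhtb
```

Each spoke keeps the configuration from the original post (its own tunnel IP, one VPN to the hub, and a default route via the tunnel interface with the hub's tunnel address 120.1.200.254 as gateway), so remote-to-remote VoIP traffic goes spoke to hub to spoke over the two routes above.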

Re: Hub & spokes connectivity by using NHTB

05-27-2008 09:41 PM

Thanks Kashif. Actually I am going out of the country for 15 days. I'll continue with this solution when I am back, then I'll discuss it with you in more detail.
Muhammad Anser Khan
Sr.Network Engineer