Before starting, I need to mention that I have never configured an firewall before and am therefore missing a lot of theory on this topic. I was given the task to configure an SSG-5 for an VPN connection to our AWS VPC. The VPN connection wasn't a problem as AWS provided us with an config dokument for the IPsec VPN tunnels and on AWS, the tunnels are displayed as UP. The SSG-5 displayes the SA Status as Active and the Link displays "Off".
Before continuing I will first explain the Set-Up that I'm aiming for. We need to be able to access our EC2 Servers with their private IP's (10.0.0.0/16) from within our Network. The SSG-5 is connected to our Router using the port eth0/0 and our Router knows to assign it the static IP 192.168.53.200/24. The bgroup0 acts as a DHCP Server and distributes IP addresses in the range of 192.168.1.0/24 to clients. Clients that are currently connected to the bgroup0 have access to the Internet and the DNS server address is forwarded from our router through the SSG-5 to the clients. Our goal is that employees can connect to any 10.0.0.0/16 address from any device that is connected to the router even if they aren't in the bgroup0. To do that, we have configured our router to forward any request with the IP 10.0.0.0/16 to 192.168.53.200 which is the SSG-5 port eth0/0. I know that this must be possible because another company is injecting their VPN connection into our network also using the SSG-5 with only one cable going into eth0/0 and request that are made to IP's on the other side of their tunnel are again forwarded from our router to the IP of their SSG-5. Sadly they won't provide us with the login info so that we can take a look at their config. I looked at many documents such as KB9276 or KB4130 as well as the ScreenOS Cookbook but nothing there solved the problem that I can't reach devices in our AWS VPC. I'd be very happy if I could atleast reach the devices through bgroup0 if the other idea is to difficult to configure, but I need access as soon as possible.
There are a few elements to having this fully working so I will separate them out.
--AWS route from your router
This you appear to have covered by sending the 10/16 network over to the SSG5 that has the tunnel to AWS
--SSG5 routes to your router
This may be in place already but you need all the subnets on your router to be reachable by the SSG5 towards your interface connected to the SSG5
--AWS routes to your router subnets
The vpn tunnel you have to AWS likely was setup with the expectation that local routers were bgroup0 on the SSG5 as you note are currently working.
You will need to expand this VPN to include all the subnets you want to use on your router.
This will take changes to both sides of the vpn and any associated routing for the vpn
--SSG5 security policy
There will need to be zone to zone policy in place on the SSG5 to permit the traffic from your router to the AWS networks. This will be from zone the interace your router link is in to the zone the AWS tunnel interface is placed into.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home