ScreenOS Firewalls (NOT SRX)

Re: VPN up, can't ping gateway

04-20-2012 01:08 AM



If you use the route-based VPN, the policies and the VPN itself are fully independent of each other. This is a great advantage of the route-based VPN: multiple and very granular policies can be created while the VPN stays the same. But if you need a simple access policy, the same for all dialup users, create an Untrust subnet object which covers the remote IP pool, or a group of host objects like 172.168.3.x/32. Configure a single Untrust-to-Trust policy:

Subnet object or Group -> Service: Any.

If you assign no DNS in the IP pool, the client uses the DNS servers which are configured in TCP/IP. If internal servers should be used, their addresses should be added to the pool configuration. If these servers are not located in the network, you need one more VPN Proxy ID (topology entry) both on the client and the FW. Otherwise the clients will not be able to reach the DNS servers.

I assume that you use ScreenOS 6.3 which supports multiple Proxy IDs with the route-based VPN.


Kind regards,
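A ScreenOS CLI sketch of the setup this reply describes (route-based dial-up VPN, one Untrust-to-Trust policy for the pool, DNS pushed via the pool, and a second Proxy ID for a DNS server outside the LAN), added here as an illustration and not part of the original post or of Juniper's documentation. The VPN name, tunnel interface, pool range, DNS address and internal subnets are assumed placeholders, the proxy-id syntax for ScreenOS 6.3 is recalled from memory, and the comment lines are explanatory only, not ScreenOS syntax.

```screenos
# --- Dial-up address pool handed out to the VPN clients (constructed range) ---
set ippool "dialup-pool" 172.168.3.1 172.168.3.50
set xauth default ippool "dialup-pool"
# Push an internal DNS server to the clients (assumed address); without this
# the clients keep whatever DNS servers their local TCP/IP settings contain.
set xauth default dns1 10.2.2.5

# --- Route-based VPN: tunnel interface and a route for the client pool ---
set interface tunnel.1 zone "Untrust"
set vpn "dialup-vpn" bind interface tunnel.1
set route 172.168.3.0/24 interface tunnel.1

# --- Address object covering the whole remote pool ---
set address "Untrust" "dialup-clients" 172.168.3.0 255.255.255.0
# Alternative with narrower scope: a group of /32 host objects,
# so only listed clients match the policy.
# set address "Untrust" "dialup-host-1" 172.168.3.10 255.255.255.255
# set group address "Untrust" "dialup-group" add "dialup-host-1"

# --- The single Untrust-to-Trust policy the reply recommends ---
set policy id 10 from "Untrust" to "Trust" "dialup-clients" "Any" "ANY" permit

# --- Proxy IDs (ScreenOS 6.3 allows several per route-based VPN) ---
# First entry: the internal LAN. Second entry: the DNS server at 10.2.2.5,
# which sits outside that LAN, so DNS traffic is also covered by the tunnel.
# The client side needs matching topology entries.
set vpn "dialup-vpn" proxy-id local-ip 10.1.1.0/24 remote-ip 172.168.3.0/24 "ANY"
set vpn "dialup-vpn" proxy-id local-ip 10.2.2.5/32 remote-ip 172.168.3.0/24 "ANY"
```

Without the second Proxy ID, a client can ping hosts in 10.1.1.0/24 but still fails name resolution, which is the symptom to check first when the tunnel is up but "nothing works".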