02.29.2008 at 01:49PM PST, ID: 23205203
Routed VPN - One way routing only. Need bidirectional routing. NS5GT

Tags: Juniper, Netscreen, 5GT, VPN Firewall
I have a remote user with a #1 NS5GT connected to a Verizon FIOS router (dynamic ip) with a VPN tunnel to another #2 NS5GT (static IP).

#1 NS5GT <--> FIOS Router <-->INTERNET<--> #2 NS5GT

I'm doing routed VPN and I am able to connect from the #1 NS5GT to any device behind #2 NS5GT.
I can *not* connect from #2 to any device behind #1.

I used the wizard so I know the routes in the NS5GTs are there. I'm thinking this is something with the FIOS router. I did add a route to the subnet behind #1.


Thanks for the help
Tony

Question Stats
Zone: Software
Question Asked By: tonyparkersd
Solution Provided By: tonyparkersd
Participating Experts: 2
Solution Grade: B
Views: 123
03.03.2008 at 03:57PM PST, ID: 21037020
This sounds like you are missing a policy to allow traffic from #2 to #1. Seeing as traffic is going in one direction, your VPN is probably configured correctly, and your route statements are also in good order. This leaves the policies as the last thing to check. Remember the missing policy might be on device #1, so check both places.

You can also post your config file with the details stripped. This will allow me to give you a better answer instead of the very generalized one I posted above.
 
03.03.2008 at 09:18PM PST, ID: 21038497
Ok, here are both configs.
Just a recap:
I can ping from behind #1 to the #2 network, but I can not ping or send any traffic from behind #2 to #1.


Here is NS5GT #1 Config
=======================
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "Remote_Desktop" protocol tcp src-port 0-65535 dst-port 3389-3389 timeout never
set service "PCAnywhere" protocol tcp src-port 5631-5631 dst-port 5631-5631
set service "PCAnywhere2" protocol tcp src-port 5632-5632 dst-port 5632-5632
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646

set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 172.20.10.1/24
set interface trust nat
set interface untrust ip 192.168.1.200/24
set interface untrust nat
set interface tunnel.1 ip unnumbered interface trust
set interface trust mtu 1500
set interface untrust mtu 1500
set interface tunnel.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 "Remote_Desktop" 172.20.10.205
set interface untrust vip untrust 5631 "PCAnywhere" 172.20.10.102
set interface untrust vip untrust 5632 "PCAnywhere2" 172.20.10.102
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 172.20.10.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option domainname home
set interface trust dhcp server option dns1 192.168.1.1
set interface trust dhcp server option dns2 172.20.1.252
set interface trust dhcp server option wins1 172.20.1.200
set interface trust dhcp server ip 172.20.10.100 to 172.20.10.199
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain home1
set hostname ns5gt1
set dns host dns1 192.168.1.1
set dns host dns2 4.2.2.2
set address "Trust" "Trust_LAN" 172.20.10.0 255.255.255.0
set address "Untrust" "Work_LAN" 172.20.11.0 255.255.255.0
set ike gateway "Gateway for Work_LAN" address x.x.x.x Aggr local-id "user" outgoing-interface "untrust" preshare "p" sec-level compatible
set ike gateway  "Gateway for Work_LAN" nat-traversal
unset ike gateway "Gateway for Work_LAN" nat-traversal udp-checksum
set ike gateway "Gateway for Work_LAN" nat-traversal keepalive-frequency 1
set ike respond-bad-spi 1
set vpn "VPN for Work_LAN" gateway "Gateway for Work_LAN" no-replay tunnel idletime 0 sec-level compatible
set vpn "VPN for Work_LAN" id 1 bind interface tunnel.1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set av all fail-mode traffic permit
unset av http webmail enable
set av profile "scan-mgr"
exit
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 60
set url protocol sc-cpa
exit
set policy id 5 from "Untrust" to "Trust"  "Work_LAN" "Trust_LAN" "ANY" permit log
set policy id 5
exit
set policy id 4 from "Trust" to "Untrust"  "Trust_LAN" "Work_LAN" "ANY" permit log
set policy id 4
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "ANY" permit log
set policy id 2
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "VIP(untrust)" "ANY" permit log
set policy id 3
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set dl-buf size 7340032
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10

set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface untrust gateway 192.168.1.1 preference 20 permanent
set route  172.20.11.0/24 interface tunnel.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
========== EOM =============




Here is NS5GT #2
===========================
set clock ntp
set clock timezone -8
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "RDT" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout never
set service "PCAnywhere" protocol tcp src-port 5631-5631 dst-port 5631-5631 timeout never
set service "PCAnywhere2" protocol tcp src-port 5632-5632 dst-port 5632-5632 timeout never
set service "Cam1" protocol tcp src-port 2000-2000 dst-port 2000-2000
set service "Cam2" protocol tcp src-port 2001-2001 dst-port 2001-2001 timeout never
set service "Cam3" protocol tcp src-port 2002-2002 dst-port 2002-2002 timeout never
set service "Cam 4" protocol tcp src-port 2003-2003 dst-port 2003-2003
set service "cam5" protocol tcp src-port 2004-2004 dst-port 2004-2004
set service "MS VPN" protocol tcp src-port 0-65535 dst-port 1723-1723
set service "MS VPN" + 50 src-port 0-65535 dst-port 0-65535
set service "MS VPN" + 47 src-port 0-65535 dst-port 0-65535
set service "MS VPN" + tcp src-port 1723-1723 dst-port 0-65535
set service "500" protocol udp src-port 0-65535 dst-port 0-65535
set service "POP-SSL" protocol tcp src-port 0-65535 dst-port 995-995
set service "POP-SSL" + udp src-port 0-65535 dst-port 995-995
set service "POP-SSL" timeout never
set service "Yahoo Messenger" protocol tcp src-port 0-65535 dst-port 5000-5001
set service "Yahoo Messenger" + udp src-port 0-65535 dst-port 5000-5001
set service "Yahoo Messenger" + tcp src-port 0-65535 dst-port 5050-5050
set service "Yahoo Messenger" + udp src-port 0-65535 dst-port 5050-5050
set service "Yahoo Messenger" + tcp src-port 0-65535 dst-port 5100-5100
set service "Yahoo Messenger" + udp src-port 0-65535 dst-port 5100-5100
set service "Yahoo Messenger" timeout never
set service "G-SNMTP" protocol tcp src-port 0-65535 dst-port 3535-3535
set service "G-SNMTP" + udp src-port 0-65535 dst-port 3535-3535
set service "G-SMTP" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "G-SMTP" + udp src-port 0-65535 dst-port 8080-8080
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "RDP" + udp src-port 0-65535 dst-port 3389-3389
set service "SIP-Audio" protocol tcp src-port 0-65535 dst-port 5001-5004
set service "SIP-Audio" + udp src-port 0-65535 dst-port 5001-5004
set service "SIP-Audio" + tcp src-port 0-65535 dst-port 5060-5082
set service "SIP-Audio" + udp src-port 0-65535 dst-port 5060-5082
set service "SIP-Audio" timeout never
set service "Mac Account" protocol udp src-port 0-65535 dst-port 993-993
set service "Mac Account" + tcp src-port 0-65535 dst-port 993-993
unset alg msrpc
unset alg sunrpc
unset alg sql
unset alg q931
unset alg h245
unset alg ras
unset alg sip
unset alg rtsp
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646

set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen syn-flood
set zone "Trust" screen ip-spoofing
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen unknown-protocol
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen limit-session destination-ip-based
set zone "Trust" screen ip-spoofing drop-no-rpf-route
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface vlan1 ip 172.20.2.1/24
set interface trust ip 172.20.11.1/24
set interface trust nat
set interface untrust ip x.x.x.x/29
set interface untrust route
set interface tunnel.1 ip unnumbered interface untrust
set interface tunnel.2 ip unnumbered interface untrust
set interface trust mtu 1500
set interface untrust mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface trust ip manageable
set interface untrust ip manageable
set interface trust manage ident-reset
set interface trust manage mtrace
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage snmp
set interface untrust manage ssl
set interface untrust manage web
set interface untrust manage ident-reset
set interface untrust monitor track-ip ip
set interface untrust monitor track-ip threshold 3
set interface untrust monitor track-ip weight 3
set interface untrust monitor track-ip ip 172.20.11.52 interval 30
set interface untrust monitor track-ip ip 172.20.11.52 weight 3
unset interface untrust monitor track-ip dynamic
set interface untrust vip untrust 3389 "RDT" 172.20.11.2
set interface untrust vip untrust 2000 "Cam1" 172.20.11.20
set interface untrust vip untrust 2002 "Cam3" 172.20.11.22
set interface untrust vip untrust 2001 "Cam2" 172.20.11.21
set interface untrust vip untrust 2003 "Cam 4" 172.20.11.23
set interface untrust vip untrust 2004 "cam5" 172.20.11.24
set interface untrust vip untrust 1701 "L2TP" 172.20.11.2
set interface untrust vip untrust 500 "IKE" 172.20.11.2
set flow tcp-mss
unset flow tcp-syn-check
set hostname ns5gt
set dns host dns1 4.2.2.2
set dns host dns2 4.2.2.1
set dns host schedule 06:28 interval 4
set address "Trust" "172.20.11.0/24" 172.20.11.0 255.255.255.0
set address "Trust" "172.20.11.149/32" 172.20.11.149 255.255.255.255
set address "Trust" "Amanda PC" 172.20.11.9 255.255.255.255
set address "Trust" "Cam1" 172.20.11.20 255.255.255.255
set address "Trust" "Cam2" 172.20.11.21 255.255.255.255
set address "Trust" "Cam3" 172.20.11.22 255.255.255.255
set address "Trust" "Cam4" 172.20.11.23 255.255.255.255
set address "Trust" "Cam5" 172.20.11.24 255.255.255.255
set address "Trust" "Craig Polycom" 172.20.11.100 255.255.255.255
set address "Trust" "Cynthia PC" 172.20.11.7 255.255.255.255
set address "Trust" "Kristie PC" 172.20.11.5 255.255.255.255
set address "Trust" "Lisa PC" 172.20.11.6 255.255.255.255
set address "Trust" "Macintosh iMac" 172.20.11.108 255.255.255.255
set address "Trust" "Paula PC" 172.20.11.4 255.255.255.255
set address "Trust" "Rachel PC" 172.20.11.8 255.255.255.255
set address "Trust" "Stewart Polycom" 172.20.11.101 255.255.255.255
set address "Trust" "TerminalServer" 172.20.11.2 255.255.255.255
set address "Trust" "Trust_LAN" 172.20.11.0 255.255.255.0
set address "Untrust" "172.20.10.0/24" 172.20.10.0 255.255.255.0
set address "Untrust" "172.20.12.0/24" 172.20.12.0 255.255.255.0
set address "Untrust" "172.20.13.0/24" 172.20.13.0 255.255.255.0
set address "Untrust" "172.20.14.0/24" 172.20.14.0 255.255.255.0
set address "Untrust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Untrust" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "Untrust" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "Untrust" "x.x.x.x/32" x.x.x.x 255.255.255.255
set address "Untrust" "Home_LAN" 172.20.10.0 255.255.255.0
set address "Untrust" "Parker-Net" 172.20.1.0 255.255.255.0
set address "Untrust" "Web Server" x.x.x.x 255.255.255.255

set ike gateway "Gateway for 172.20.14.0/24" address x.x.x.x Main outgoing-interface "untrust" preshare "p" proposal "pre-g2-3des-sha"
set ike gateway "Gateway for 172.20.12.0/24" address x.x.x.x Main outgoing-interface "untrust" preshare "p" sec-level compatible
set ike gateway "Gateway for 172.20.10.0/24" address 0.0.0.0 id "user" Aggr outgoing-interface "untrust" preshare "p" sec-level compatible
set ike gateway "Gateway for 172.20.10.0/24" nat-traversal udp-checksum
set ike gateway "Gateway for 172.20.10.0/24" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set vpn "VPN for 172.20.14.0/24" gateway "Gateway for 172.20.14.0/24" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "VPN for 172.20.14.0/24" id 15 bind interface tunnel.2
set vpn "VPN for 172.20.12.0/24" gateway "Gateway for 172.20.12.0/24" replay tunnel idletime 0 sec-level compatible
set vpn "VPN for 172.20.12.0/24" id 16 bind interface tunnel.1
set vpn "VPN for 172.20.10.0/24" gateway "Gateway for 172.20.10.0/24" replay tunnel idletime 0 sec-level compatible
set vpn "VPN for 172.20.10.0/24" id 25 bind interface tunnel.1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set group address "Trust" "Cameras"
set group address "Trust" "Cameras" add "Cam1"
set group address "Trust" "Cameras" add "Cam2"
set group address "Trust" "Cameras" add "Cam3"
set group address "Trust" "Cameras" add "Cam4"
set group address "Trust" "Cameras" add "Cam5"
set traffic-shaping dscp-class-selector
set av profile "scan-mgr"
exit
set av scan-mgr pattern-update-url http://5gt-t.activeupdate.trendmicro.com:80/activeupdate/server.ini interval 60
set url protocol sc-cpa
exit
set policy id 58 from "Trust" to "Untrust"  "172.20.11.0/24" "172.20.10.0/24" "ANY" permit log
set policy id 58
exit
set policy id 39 from "Trust" to "Untrust"  "Any" "x.x.x.x/32" "ANY" permit log count traffic gbw 256 priority 0 mbw 1536 dscp enable
set policy id 39
exit
set policy id 55 from "Trust" to "Untrust"  "TerminalServer" "Any" "ANY" permit log count traffic gbw 0 priority 7 mbw 512
set policy id 55
exit
set policy id 56 from "Trust" to "Untrust"  "Macintosh iMac" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 256 dscp enable
set policy id 56
exit
set policy id 50 from "Trust" to "Untrust"  "Amanda PC" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 368 dscp enable
set policy id 50
exit
set policy id 54 from "Trust" to "Untrust"  "Paula PC" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 368 dscp enable
set policy id 54
exit
set policy id 51 from "Trust" to "Untrust"  "Lisa PC" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 368 dscp enable
set policy id 51
exit
set policy id 53 from "Trust" to "Untrust"  "Kristie PC" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 368 dscp enable
set policy id 53
exit
set policy id 52 from "Trust" to "Untrust"  "Rachel PC" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 368 dscp enable
set policy id 52
exit
set policy id 48 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "NTP" permit
set policy id 48
exit
set policy id 47 from "Untrust" to "Trust"  "x.x.x.x/32" "Any" "ANY" permit log count traffic gbw 256 priority 0 mbw 1532 dscp enable
set policy id 47
exit
set policy id 49 from "Untrust" to "Trust"  "Web Server" "Any" "ANY" permit log count traffic gbw 0 priority 7 mbw 1024 dscp enable
set policy id 49
exit
set policy id 46 from "Untrust" to "Trust"  "Any" "172.20.11.0/24" "ANY" permit log count traffic gbw 0 priority 7 mbw 512 dscp enable
set policy id 46
exit
set policy id 45 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "TELNET" permit
set policy id 45
exit
set policy id 44 from "Trust" to "Untrust"  "Cameras" "Any" "ANY" permit log traffic gbw 0 priority 5 mbw 512 dscp enable
set policy id 44
exit
set policy id 57 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "Mac Account" permit
set policy id 57
exit
set policy id 43 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "RDP" permit
set policy id 43
exit
set policy id 42 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "G-SMTP" permit
set policy id 42
exit
set policy id 41 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "G-SNMTP" permit
set policy id 41
exit
set policy id 40 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "Yahoo Messenger" permit log traffic gbw 0 priority 7 mbw 256 dscp enable
set policy id 40
exit
set policy id 37 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "RDT" permit
set policy id 37
exit
set policy id 36 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "POP-SSL" permit
set policy id 36
exit
set policy id 35 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "POP3" permit
set policy id 35
exit
set policy id 34 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "SMTP" permit
set policy id 34
exit
set policy id 33 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "DNS" permit
set policy id 33
exit
set policy id 32 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "FTP" permit log count
set policy id 32
exit
set policy id 31 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "HTTPS" permit log count traffic gbw 0 priority 7 mbw 819 dscp enable
set policy id 31
exit
set policy id 30 from "Trust" to "Untrust"  "172.20.11.0/24" "Any" "HTTP" permit log count traffic gbw 0 priority 7 mbw 819
set policy id 30
exit
set policy id 23 from "Untrust" to "Trust"  "172.20.12.0/24" "TerminalServer" "ANY" permit log traffic gbw 0 priority 7 mbw 512 dscp enable
set policy id 23
exit
set policy id 22 from "Trust" to "Untrust"  "172.20.11.0/24" "172.20.12.0/24" "ANY" permit
set policy id 22
exit
set policy id 21 from "Untrust" to "Trust"  "172.20.14.0/24" "TerminalServer" "ANY" permit log traffic gbw 0 priority 7 mbw 512 dscp enable
set policy id 21
exit
set policy id 25 from "Untrust" to "Trust"  "172.20.13.0/24" "TerminalServer" "ANY" permit log traffic gbw 0 priority 7 mbw 512 dscp enable
set policy id 25
exit
set policy id 20 from "Trust" to "Untrust"  "172.20.11.0/24" "172.20.14.0/24" "ANY" permit traffic gbw 0 priority 7 mbw 512
set policy id 20
exit
set policy id 24 from "Trust" to "Untrust"  "172.20.11.0/24" "172.20.13.0/24" "ANY" permit traffic gbw 0 priority 7 mbw 512
set policy id 24
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "ANY" permit log
set policy id 3
exit
set policy id 38 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny
set policy id 38
exit
set vpn "VPN for 172.20.14.0/24" proxy-id local-ip 172.20.11.0/24 remote-ip 172.20.14.0/24 "ANY"

set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set dl-buf size 10848588
set sip signaling-inactivity-timeout 65000
set sip media-inactivity-timeout 2550
set ntp server "time.apple.com"
set ntp server src-interface "untrust"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10

set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  0.0.0.0/0 interface untrust gateway x.x.x.x preference 20 permanent
set route  172.20.14.0/24 interface tunnel.2
set route  172.20.12.0/24 interface tunnel.1
set route  172.20.13.0/24 interface tunnel.1 preference 20
set route  172.20.10.0/24 interface tunnel.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
 
03.03.2008 at 10:35PM PST, ID: 21038772
I found the issue.

After adding these entries on NS5GT #2
set route  192.168.1.0/24 interface tunnel.3 preference 20 permanent
set route  172.20.10.0/24 interface tunnel.3 gateway 192.168.1.200 preference 20 permanent

I was able to route back to NS5GT #1. It confused me because of the extra hop behind the Verizon router and it being a dynamic VPN.
Accepted Solution
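The expert's advice above was to check policies and routes on both devices, and the accepted fix turned out to be two return routes on NS5GT #2. The following is an added example, not code from the thread or from Juniper: a small checker that parses the relevant lines of two ScreenOS configs (address book, policies, static routes, interface subnets) and reports, per direction, any missing permit policy or missing tunnel route. The config excerpts are lines taken from the two configs posted above; `FIX_LINES` are the two routes the asker added. The function and variable names (`parse_screenos`, `audit`, `check_direction`, `NS1_EXCERPT`, `NS2_EXCERPT`) are mine. Two assumptions are built in: a policy is treated as matching only when its address objects cover the whole network being checked, and the device on the far side is assumed to need a tunnel route back to the NAT router's subnet (192.168.1.0/24) as well as to the remote LAN, which is the reading of the accepted fix.

```python
"""Added example (not from the thread or from Juniper): check that a ScreenOS routed VPN has a
complete path in both directions, i.e. a permitting policy and a tunnel route on each device per
direction. Config excerpts are lines from the two configs posted in the thread; FIX_LINES are
the two routes the asker added to NS5GT #2."""
import ipaddress
import shlex
from collections import namedtuple

NS1_EXCERPT = """
set hostname ns5gt1
set interface trust ip 172.20.10.1/24
set interface untrust ip 192.168.1.200/24
set address "Trust" "Trust_LAN" 172.20.10.0 255.255.255.0
set address "Untrust" "Work_LAN" 172.20.11.0 255.255.255.0
set policy id 5 from "Untrust" to "Trust"  "Work_LAN" "Trust_LAN" "ANY" permit log
set policy id 4 from "Trust" to "Untrust"  "Trust_LAN" "Work_LAN" "ANY" permit log
set route  172.20.11.0/24 interface tunnel.1
"""
NS2_EXCERPT = """
set hostname ns5gt
set interface trust ip 172.20.11.1/24
set interface untrust ip x.x.x.x/29
set address "Trust" "172.20.11.0/24" 172.20.11.0 255.255.255.0
set address "Untrust" "172.20.10.0/24" 172.20.10.0 255.255.255.0
set policy id 58 from "Trust" to "Untrust"  "172.20.11.0/24" "172.20.10.0/24" "ANY" permit log
set policy id 46 from "Untrust" to "Trust"  "Any" "172.20.11.0/24" "ANY" permit log count traffic gbw 0 priority 7 mbw 512 dscp enable
set policy id 38 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny
set route  0.0.0.0/0 interface untrust gateway x.x.x.x preference 20 permanent
set route  172.20.10.0/24 interface tunnel.1
"""
FIX_LINES = """
set route  192.168.1.0/24 interface tunnel.3 preference 20 permanent
set route  172.20.10.0/24 interface tunnel.3 gateway 192.168.1.200 preference 20 permanent
"""
Policy = namedtuple("Policy", "pid from_zone to_zone src dst action")
Config = namedtuple("Config", "hostname addresses policies routes interfaces")

def parse_screenos(text):
    """Address book ((zone, name) -> network), policies in lookup order, routes, interface subnets."""
    hostname, addresses, policies, routes, interfaces = "", {}, [], [], {}
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 3 or tok[0] != "set":
            continue
        try:
            if tok[1] == "hostname":
                hostname = tok[2]
            elif tok[1] == "address" and len(tok) >= 6:  # set address "Zone" "Name" ip mask
                addresses[(tok[2], tok[3])] = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
            elif tok[1] == "policy" and len(tok) >= 12 and tok[4] == "from":
                # set policy id N from "Z1" to "Z2" "src" "dst" "service" permit|deny ...
                policies.append(Policy(int(tok[3]), tok[5], tok[7], tok[8], tok[9], tok[11]))
            elif tok[1] == "route" and "interface" in tok:  # set route prefix interface IF ...
                routes.append((ipaddress.ip_network(tok[2], strict=False), tok[tok.index("interface") + 1]))
            elif tok[1] == "interface" and len(tok) >= 5 and tok[3] == "ip" and "/" in tok[4]:
                interfaces[tok[2]] = ipaddress.ip_interface(tok[4]).network
        except ValueError:
            continue  # redacted values such as x.x.x.x do not parse; skip that line
    return Config(hostname, addresses, policies, routes, interfaces)

def address_covers(cfg, zone, name, net):
    entry = cfg.addresses.get((zone, name))  # 'Any' covers everything
    return name.lower() == "any" or (entry is not None and net.subnet_of(entry))

def permits(cfg, from_zone, to_zone, src_net, dst_net):
    """First-match lookup as ScreenOS does it; approximation: a policy matches only when its
    address objects cover the whole network being checked. No match means deny."""
    for p in cfg.policies:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) and address_covers(
                cfg, from_zone, p.src, src_net) and address_covers(cfg, to_zone, p.dst, dst_net):
            return p.action == "permit"
    return False

def has_tunnel_route(cfg, net):
    return any(net.subnet_of(rnet) and iface.startswith("tunnel.") for rnet, iface in cfg.routes)

def check_direction(src_cfg, dst_cfg, src_lan, dst_lan, extra_src_nets=()):
    """Findings for traffic from src_lan (behind src_cfg) to dst_lan (behind dst_cfg)."""
    found = []
    if not permits(src_cfg, "Trust", "Untrust", src_lan, dst_lan):
        found.append(f"{src_cfg.hostname}: no Trust->Untrust permit for {src_lan} -> {dst_lan}")
    if not has_tunnel_route(src_cfg, dst_lan):
        found.append(f"{src_cfg.hostname}: no tunnel route to {dst_lan}")
    if not permits(dst_cfg, "Untrust", "Trust", src_lan, dst_lan):
        found.append(f"{dst_cfg.hostname}: no Untrust->Trust permit for {src_lan} -> {dst_lan}")
    # Return path: a tunnel route back to every network the sender can arrive from. A sender behind
    # another router (the FIOS box) adds its subnet as an extra hop; assumed to need a route too.
    for net in (src_lan, *extra_src_nets):
        if not has_tunnel_route(dst_cfg, net):
            found.append(f"{dst_cfg.hostname}: no tunnel route back to {net}")
    return found

def audit(ns2_text):
    """Both directions between NS5GT #1 (behind the FIOS router) and NS5GT #2."""
    ns1, ns2 = parse_screenos(NS1_EXCERPT), parse_screenos(ns2_text)
    lan1, lan2 = ns1.interfaces["trust"], ns2.interfaces["trust"]
    transit = [ns1.interfaces["untrust"]]  # 192.168.1.0/24, the hop behind the FIOS router
    return check_direction(ns1, ns2, lan1, lan2, transit) + check_direction(ns2, ns1, lan2, lan1)
```

Run `audit(NS2_EXCERPT)` against the posted config and the only finding is the missing return route to 192.168.1.0/24 on ns5gt; run `audit(NS2_EXCERPT + FIX_LINES)` and the list is empty. The redacted `x.x.x.x` values are skipped rather than guessed, so the checker works on a config posted with details stripped, which is how the expert asked for it.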
 
03.04.2008 at 06:44AM PST, ID: 21041385
That's great to hear. I only just got to work and saw your post. I didn't even get a chance to look at the config files in detail. Post if you have more issues.
 
03.04.2008 at 08:00AM PST, ID: 21042136
All Concerned (Asker and Experts),
 
New Feature Alert!
 
Please do not make any post of any kind after a "Closing Request" has been started by the asker - unless you have a specific objection.
 
Any post by anyone will stop the automated process and force the manual intervention of a Moderator/Admin.
 
If anyone has questions about the process, please post them at the "Link to CS-G post:" below my signature.
 
tonyparkersd - please start the process again and thank you for using it. When we all get used to the process, it will greatly improve the 'abandoned' question problem.
If you have specific responses or posts you need to make, please do so before starting the process again.
 
Vee_Mod
Experts Exchange Moderator
Link to CS-G post:
http://www.experts-exchange.com/Q_23212695.html
 
03.05.2008 at 03:18AM PST, ID: 21049302
A request has been made in Community Support to close this question:
http://www.experts-exchange.com/Q_23212695.html

Note that if you haven't replied to the experts explaining why their solutions were not useful, or explaining why you are no longer looking for a solution, you might not get your refund.
 
If there are no objections, a moderator will finalize this question in approximately 4 days as follows:
PAQ with refund using {http:#a21038772}

Please only post in this question again if you have an objection.

Vee_Mod
Community Support Moderator
 
 
03.09.2008 at 05:00AM PDT, ID: 21081025
Closed, 300 points refunded.
Vee_Mod
Community Support Moderator
 
 
 