Solved

Set Up SSG-5 VPN for remote/remote subnet

Posted on 2007-11-20
Last Modified: 2012-08-13
I have an SSG-5 site-to-site VPN set up on a local subnet - the other end is an RV042.

Now I need to modify the VPN local end point to be another subnet while keeping the interface on the current subnet.  Like this:

The current SSG-5 interface on the local subnet is 192.168.2.2
The destination subnet for packets coming through the VPN will be 192.168.1.0/24
So, the VPN must be terminated with that subnet - that is well known.
There is a local router at 192.168.2.99 that will send the packets on to 192.168.1.0/24

So, I need to make these changes:
1) Terminate the tunnel at the SSG-5 end with 192.168.1.0/24 (keeping the router LAN physical address at 192.168.2.2).
2) Route packets destined for 192.168.1.0/24 to 192.168.2.99

Which things should I be thinking about changing in the SSG-5?  I know what to do with the RV042 settings at the other end of the VPN.   I'm still a bit confused about the relationship between "address list, objects, policies, etc." in the Juniper Networks box.  Maybe a brief description of their roles in the scheme of things would help!
Question by:Fred Marshall

Expert Comment

by:dpk_wal
ID: 20324473
Please look at the article below which talks about NATing multiple IP address to one IP address, the situation which you want [the article talk about routing internal IPs to one single external or public IP but the case you want would also be configured the same way]:
http://kb.juniper.net/KB7774

Regarding description:
Address list: you create an address list so you can use an alias for a network rather than specifying the network range again and again; this makes the configuration easy to understand and also hides the IP addressing scheme.

Objects: Depending on what the object is defined for it would help, eg, address object as above, policy would help specifying rules for allowing/denying inbound/outbound traffic, etc.

Policy: A policy determines whether a packet traversing a firewall should be allowed or denied; if allowed, then if there is any need to do some work on the packet like NATing, PAT, IPSec (read encryption/de-encryption), routing, etc.

Hope this helps. Please let me know if you need more details.

Thank you.

Author Comment

by:Fred Marshall
ID: 20365399
Thanks.
So, an address list seems clear enough.
The Object thing though .... it sounds like an address IS or CAN BE an object?  A Policy can be an object?
If an address can be reused by virtue of an assigned alias then what would be object of an address object be?

OK - in the mean time I'm trying to wade through that paper.  At first glance it seems pretty far afield from what I'm trying to do.  I might use a nudge.

Expert Comment

by:dpk_wal
ID: 20366279
Address Objects which can be added are:
Host objects
Network Objects
Multicast Object
Group -- group of one or more of the above objects

Policy uses any/all the objects created and determines the flow of traffic from one end to another, for eg, address objects, service objects, zones, logging options, authentication, VPN options, etc.

Yes, you can reuse any of the objects created like address objects, attack objects, authentication server objects, CA objects, CRL, etc.

The paper gives you the option to configure through the WEB UI. I am in some product training till Monday; after that I would try to configure the scenario and give you some CLIs which might help with NAT configuration for VPN [provided you don't already figure it out by then! :)]

Let me know if you need more inputs, I might not be able to create the scenario (at this time) but would certainly be able to clarify a few things if needed.

Thank you.

Author Comment

by:Fred Marshall
ID: 20367072
Thanks!

My hope is that what I want to do next is simple:

1) I've already set up a VPN between a remote and a local subnet - I've got that working.

2) Set up a new VPN exactly the same way between a remote subnet and a "nonlocal" subnet (a subnet VPN terminated at the local site but not in the address range of any of the interfaces) - I've had those working with RV042s just fine so I anticipate that the SSG-5 setup will be the same as the SSG-5 setup above - just with a different subnet.

3) Since the setup in #2 won't DO anything then set up a route in the SSG-5 to direct packets destined to the nonlocal subnet to a router on the local subnet that will take them from there.

If (2) is as simple as replicating (1) with a different "local" subnet then that should be easy.

Then, if (3) is as simple as adding a route, that should also be easy.

I just don't know:
a) if the replication is that simple
b) how to actually make the added route settings on an SSG-5

Expert Comment

by:dpk_wal
ID: 20416367
I would like to thank you first of all for waiting on me.

Now I would like to backtrack on the solution; as I understand what you wish is not NAT over IPSec but you want to have the SSG send encrypted packets to an intermediate device and let the device send the traffic over to the Linksys device. If this is what you want then we need to add a route in SSG as:

set route 192.168.1.0/24 gateway 192.168.2.99

All other VPN settings would remain the way they are.

I had just one question, if your router would take the routing part between the remote subnet and 192.168.2.0 subnet why create VPN at all?

I am not sure if I have missed something; please advise.

Thank you.

Author Comment

by:Fred Marshall
ID: 20417497
No problem.  In fact I've been stuck in the NW US coastal storm without power or internet connection for the last 3 days!!

Let me be clearer about the connections.  There are really two "remote" sites.  A company Remote Office and a third party site that's also remote.  The third party site is accessed over a private link.

Remote Office LAN________Main Office LAN___Router____________________Other remote site    
192.168.3.0/24 <> VPN <> 192.168.2.0/24 <> 192.168.2.99 <> private link <> 192.168.1.0/24

Actual VPN setup for forward path at Main Office:
Remote LAN_________"Local" LAN
192.168.1.0/24 <VPN>192.168.1.0/24

Local "Main Office" LAN 192.168.2.0/24
"Other" remote site accessed through a private link uses router at 192.168.2.99 for *that* connection.  Packets going via the private link are destined for 192.168.1.0/24.

Remote Office LAN 192.168.3.0/24  ... this is where the VPN is used.
There will be a VPN, or two, between the Remote Office and the Main Office.
One of those VPNs will be used to route packets from the Remote Office, over the internet, to the Main Office and then on to the private link destinations in 192.168.1.0/24.

So there will be a VPN termination at the Main Office with remote LAN termination of 192.168.3.0 and with the local LAN of 192.168.1.0/24 (even though that LAN isn't actually "local").  Unencrypted packets destined for 192.168.1.0/24 will emerge from the VPN at the Main Office and must be routed to 192.168.2.99 as the next hop.

I hope that clarifies my last message.

My only challenge is how to set up the route in the SSG-5 for the unencrypted packets emerging from the VPN.

Returning packets will source from 192.168.1.0/24, routed via the router at 192.168.2.99 to 192.168.2.2, the VPN router, and thus through the VPN back to  192.168.3.0.

The only encryption is from the Main Office to the Remote Office - the VPN.


Accepted Solution

by:
dpk_wal earned 500 total points
ID: 20425798
set route 192.168.1.0/24 gateway 192.168.2.99

This command would set up the route for you in SSG 5 for the remote subnet (behind the router); I think you already would have created the tunnel for the 192.168.1.0 and 192.168.3.0 subnets rather than for the .2 and .3 subnets.

Please let me know if you need more details.

Thank you.
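As an added illustration, not taken from the thread or from Juniper, here is a small Python model of the Main Office SSG-5 route lookup for the scenario above; the interface names and the default-route next hop are assumptions. It shows why the accepted `set route` line matters: a packet decrypted out of the tunnel for 192.168.1.0/24 needs a route more specific than the default, and return traffic for 192.168.3.0/24 has to fall inside the tunnel's proxy-ID.

```python
import ipaddress

# Constructed model of the Main Office SSG-5 from the thread. Interface
# names are assumptions, not taken from the device. Each route is
# (prefix, next hop, interface); "connected" means directly attached.
ROUTES = [
    ("192.168.2.0/24", "connected",    "trust"),     # SSG-5 LAN side is 192.168.2.2
    ("192.168.1.0/24", "192.168.2.99", "trust"),     # set route 192.168.1.0/24 gateway 192.168.2.99
    ("192.168.3.0/24", "tunnel",       "tunnel.1"),  # Remote Office reached through the VPN
    ("0.0.0.0/0",      "isp-gateway",  "untrust"),   # assumed default route to the Internet
]

# Proxy-ID of the tunnel to the Remote Office: local side is 192.168.1.0/24
# even though no SSG-5 interface sits in that subnet; remote is 192.168.3.0/24.
PROXY_ID = ("192.168.1.0/24", "192.168.3.0/24")


def lookup(dst, routes=ROUTES):
    """Longest-prefix match for dst; returns (prefix, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def forward_hop(dst, routes=ROUTES):
    """Next hop and egress interface for a packet the SSG-5 has to forward."""
    r = lookup(dst, routes)
    return (r[1], r[2]) if r else None


def routes_without(prefix):
    """Routing table with one static route removed (the misconfigured case)."""
    return [r for r in ROUTES if r[0] != prefix]


def tunnel_accepts(src, dst):
    """True if src->dst is covered by the tunnel's proxy-ID in either direction."""
    local, remote = (ipaddress.ip_network(p) for p in PROXY_ID)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in remote and d in local) or (s in local and d in remote)


if __name__ == "__main__":
    # Decrypted packet from the Remote Office bound for the private link.
    print(forward_hop("192.168.1.10"))                                  # ('192.168.2.99', 'trust')
    # Same packet with the static route missing: only the default route matches.
    print(forward_hop("192.168.1.10", routes_without("192.168.1.0/24")))  # ('isp-gateway', 'untrust')
    # Return traffic from the private link for the Remote Office goes into the tunnel.
    print(tunnel_accepts("192.168.1.10", "192.168.3.10"), forward_hop("192.168.3.10"))
```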