SW111

asked on

juniper ssg20 vpn

We're having trouble setting up a site to site vpn between 2 juniper ssg20.

The details are:
HQ Site: 50.0.0.0 subnet
using juniper ssg20
Interface is 50.0.0.1
Problem: Clients (50.0.0.x) can NOT ping clients in 50.0.1.x

Remote site: 50.0.1.0 subnet
also using juniper ssg20
Interface is 50.0.1.1
Clients (50.0.1.x) can actually ping computers in HQ site.

We couldn't figure out what is going on since the remote clients can ping HQ hosts but not the other way around.

Thank You

Rick_O_Shay

It sounds like the routing and tunnel are ok. Are there any firewall rules that may explain it?
SW111

ASKER

I'm not too sure. We didn't explicitly set a rule to prevent it. Should we have explicitly set a rule to allow it?
If so, how and where (which juniper: hq or remote)?
I don't know the Juniper configs specifically. Is there a way to turn on firewall logging so you can see what is being allowed or dropped by which rules to isolate what is happening to the pings?

ASKER

Well yes. There is a whole lot of logging info on the system. Only I don't see (don't understand?) which one is an error. It doesn't say error explicitly... Is there something I should keep an eye on, in particular?
ASKER CERTIFIED SOLUTION
Rick_O_Shay

This solution is only available to members.

ASKER

Ah, turns out that the routing needed to be fixed.

Our setup is a bit different from that in the manual, so there were some inconsistencies in the routing. A bit strange because the VPN tunnel is showing up. It was the routing after the tunnel that was problematic.

The solution was to create a route from untrust-vr to trust-vr zone.
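The fix the asker describes, written out as an added ScreenOS configuration example for the HQ SSG20 (this is not the thread's own configuration). It assumes a route-based VPN with tunnel.1 bound to the Untrust zone in untrust-vr, ethernet0/0 as the Untrust interface, the HQ LAN 50.0.0.0/24 in the Trust zone in trust-vr, and placeholder values for the ISP gateway, the remote peer address and the pre-shared key.

```screenos
## Constructed example for the HQ SSG20. Placeholders: 203.0.113.1 (ISP gateway),
## 198.51.100.2 (remote SSG20 public address), "PLACEHOLDER-PSK" (pre-shared key).
set zone Untrust vrouter untrust-vr
set interface ethernet0/0 zone Untrust
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set address Trust hq-lan 50.0.0.0 255.255.255.0
set address Untrust remote-lan 50.0.1.0 255.255.255.0
## Route-based VPN: phase 1 gateway, phase 2 SA bound to tunnel.1
set ike gateway gw-remote address 198.51.100.2 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER-PSK" sec-level standard
set vpn vpn-to-remote gateway gw-remote sec-level standard
set vpn vpn-to-remote bind interface tunnel.1
## untrust-vr: default route to the ISP, remote LAN into the tunnel, and the
## route back into trust-vr so packets arriving from the tunnel can reach
## the HQ LAN. The last line is the inter-vrouter route the thread ends on.
set vrouter untrust-vr
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
set route 50.0.1.0/24 interface tunnel.1
set route 50.0.0.0/24 vrouter trust-vr
exit
## trust-vr: anything not local is handed to untrust-vr
set vrouter trust-vr
set route 0.0.0.0/0 vrouter untrust-vr
exit
## Policies in both directions, logged so permitted and dropped pings show up
set policy from Trust to Untrust hq-lan remote-lan ANY permit log
set policy from Untrust to Trust remote-lan hq-lan ANY permit log
## Checks: SA state, the route each vrouter picks for a remote host, and traffic log
get sa
get route ip 50.0.1.10
get vrouter untrust-vr route
get vrouter trust-vr route
get log traffic
```

If `get route ip 50.0.1.10` resolves in trust-vr but the reverse lookup for a 50.0.0.x host has no entry in untrust-vr, tunnel traffic is decrypted and then dropped, which is the one-directional symptom in the question.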