juniper ssg20 vpn

We're having trouble setting up a site-to-site VPN between 2 Juniper SSG20s.

The details are:
HQ Site: 50.0.0.0 subnet
using juniper ssg20
Interface is 50.0.0.1
Problem: Clients (50.0.0.x) can NOT ping clients in 50.0.1.x

Remote site: 50.0.1.0 subnet
also using juniper ssg20
Interface is 50.0.1.1
Clients (50.0.1.x) can actually ping computers in HQ site.

We couldn't figure out what is going on since the remote clients can ping HQ hosts but not the other way around.

Thank You

SW111 asked:
Rick_O_Shay commented:
I was thinking along the lines that in the log event there would be at least the source and destination address and the protocol and whether it was dropped or not. If you see something like the ping being dropped by rule number 10 or whatever then you could expand or change it or add a rule ahead of it to allow for the site to site that you have configured.
Maybe try a quick test with the firewall off just to see if that is the right direction?
Rick_O_Shay commented:
It sounds like the routing and tunnel are ok. Are there any firewall rules that may explain it?
SW111 (author) commented:
I'm not too sure. We didn't explicitly set a rule to prevent it. Should we have explicitly set a rule to allow it?
If so, how and where (which juniper: hq or remote)?
Rick_O_Shay commented:
I don't know the Juniper configs specifically. Is there a way to turn on firewall logging so you can see what is being allowed or dropped by which rules to isolate what is happening to the pings?
SW111 (author) commented:
Well yes. There is a whole lot of logging info on the system. Only I don't see (don't understand?) which one is an error. It doesn't say error explicitly... Is there something I should keep an eye on, in particular?
SW111 (author) commented:
Ah, turns out that the routing needed to be fixed.

Our setup is a bit different from that in the manual, so there were some inconsistencies in the routing. A bit strange because the VPN tunnel is showing up. It was the routing after the tunnel that was problematic.

The solution was to create a route from untrust-vr to trust-vr zone.
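As an added illustration of the resolution above (this is not the poster's configuration; the interface names, the zone-to-vrouter binding and the VPN name `to-remote` are assumed), a ScreenOS layout on the HQ box in which the Untrust zone has been moved into untrust-vr, so that traffic between the LAN and the tunnel must cross two virtual routers:

```text
# Lines starting with '#' are annotations, not ScreenOS commands.
# Assumed layout: bgroup0 = Trust zone, 50.0.0.1/24 (HQ LAN);
# ethernet0/0 = Untrust zone (public side); tunnel.1 = route-based VPN
# interface in the Untrust zone; Untrust zone bound to untrust-vr.
# (The SSG default keeps both zones in trust-vr, which needs no inter-vrouter routes.)

# --- Zone / tunnel binding (IKE gateway and VPN "to-remote" defined earlier) ---
set zone untrust vrouter untrust-vr
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn to-remote bind interface tunnel.1

# --- Forward path only: LAN -> untrust-vr -> tunnel ---
set vrouter trust-vr route 50.0.1.0/24 vrouter untrust-vr
set vrouter untrust-vr route 50.0.1.0/24 interface tunnel.1
# With only these two routes, untrust-vr has no entry for 50.0.0.0/24, so
# packets that arrive from the tunnel for the HQ LAN have no path into trust-vr.

# --- The missing piece: inter-vrouter route from untrust-vr back to trust-vr ---
set vrouter untrust-vr route 50.0.0.0/24 vrouter trust-vr

# --- Policy: a tunnel route alone permits nothing; both directions need a permit ---
set address trust hq-lan 50.0.0.0 255.255.255.0
set address untrust remote-lan 50.0.1.0 255.255.255.0
set policy from trust to untrust hq-lan remote-lan any permit log
set policy from untrust to trust remote-lan hq-lan any permit log

# --- Checks ---
get vrouter trust-vr route        # expect 50.0.1.0/24 -> vrouter untrust-vr
get vrouter untrust-vr route      # expect 50.0.0.0/24 -> vrouter trust-vr
get session                       # an established ping session shows the route taken
```

The `log` keyword on the permit policies is what makes the per-packet allow/drop entries Rick_O_Shay asked about appear in the traffic log, so a missing route and a missing policy can be told apart without disabling the firewall.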