Asked by GregBresser (United States of America)
Remote VPN Netscreen Dialup help

I have an SSG-520M with Software Version 6.3.0r5.0 as my edge firewall/VPN gateway. I will be using LAN-to-LAN VPN tunnels as well as dialup VPN connections. I am using NetScreen-Remote 10.8.10 software to connect to my VPN gateway. My problem is that I can connect successfully to the VPN gateway via the untrusted interface (eth0/2), but from the dialup-connected laptop I am only able to communicate with the DMZ interface on the VPN GW (eth0/1), and that is only when I change eth0/1 from the DMZ zone to a trusted zone. However, I am still not able to communicate with any other interface in the 172.16.100.0/24 subnet (the Cisco switch or the DMZ firewall). I am able to talk to the Cisco switch and the DMZ firewall directly from the VPN gateway/firewall. I put VPN monitoring on the eth0/2 interface on the VPN GW and saw that the SA is active but the link is showing down. I need some help please.


VPN monitor:

VPN Name         SA ID      Policy ID   Peer Gateway IP   Type      SA Status   Link
ApptisDialupv2   00000009   2/-1        12.16.16.16       AutoIKE   Active      Down


Thank You

Qlemo (Germany)
Any reason why you use two SSGs? The 520 has enough interfaces (4) to allow for WAN, DMZ and LAN connections on a single device. IMHO that setup provokes config issues.

Whatever the case, for 50 points I can only give general advice:
If traffic is passing when you change the zone, your associated policy (#2) is in the wrong zone.
Trust is special in that crossing from Trust to Untrust, or vice versa, will automatically apply NAT (if the Trust interface is in NAT mode). Traffic crossing other zones needs to have NAT applied in the corresponding "allow" policy.
VPN Monitor is of no use here. That feature is between two Juniper devices only, which need to maintain a VPN tunnel between them. So the "down" info on the link tells you nothing.
GregBresser (asker)
I am not used to points and I am not aware of the values yet, so I increased it to 200.

I inherited the design, but a firewall was required for both sides according to the security policies that need to be followed, and I am finding out that it is a difficult design.
It is good to know about the VPN monitoring; I am a newbie on NetScreens. So, I need to look at my source and destination zones when creating the policy?

 
Whenever you create a policy, you need to look thoroughly at both zones. Policies only work for crossing zones, and hence only for exactly those zones you create them in.

I agree the design is prone to configuration issues - but "it's the law", so probably no chance to change that. I'm not certain that the separation of networks is part of the issue you have.

As I hinted already, when using a DMZ you will not have NAT (automatically) applied. That does not matter, as the NetScreen Remote client should have received a routable, internal address (not certain about that - does SafeNet [= original manufacturer of NSR] use virtual IPs?). Of course that IP needs to be (a) allowed and (b) routed on DMZ and (internal) Trust network. I reckon you should start there with diagnostics, like a tracert from a server to the VPN client IP, and vice versa, and see which devices answer.
Thanks

Let me take a look and see what I see.
I can only ping the 172.16.100.3 IP (eth0/1), and tracert does not give a single hop. I am trying to tracert to the Cisco switch (172.16.100.200) and the other SSG firewall interface (172.16.100.1).

In NetScreen-Remote under "Remote Party Identity and Addressing" I am using "ID Type" IP subnet with 172.16.100.0/24 as the subnet. Does the VPN client assume the eth0/1 (172.16.100.3) IP, or is it using the anchor point (eth0/2) IP?

I listed the interfaces, policies, and routes from the VPN gateway (VPNJ2):



VPNJ2-> get route

IPv4 Dest-Routes for <trust-vr> (8 entries)
--------------------------------------------------------------------------------------
        ID   IP-Prefix          Interface   Gateway         P  Pref   Mtr   Vsys
--------------------------------------------------------------------------------------
*        3   0.0.0.0/0          eth0/2      1.1.1.1         S  20     1     Root
*       10   172.16.100.0/24    eth0/1      0.0.0.0         C  0      0     Root
*       14   10.153.0.0/16      eth0/1      172.16.100.1    S  20     1     Root
*        1   1.1.1.224/28       eth0/2      0.0.0.0         C  0      0     Root
*        2   1.1.1.238/32       eth0/2      0.0.0.0         H  0      0     Root
*       11   172.16.100.3/32    eth0/1      0.0.0.0         H  0      0     Root
*       13   192.168.120.0/24   eth0/1      172.16.100.1    S  20     1     Root
*       12   10.0.0.0/8         eth0/1      172.16.100.1    S  20     1     Root

VPNJ2-> get policy
Total regular policies 2, Default deny, Software based policy search, new policy enabled.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     2 Untrust  Trust    VPNClient2S~ Internet Net ANY                  Tunnel enabled -----X
     4 Untrust  Global   Any          VIP(etherne~ SSH                  Permit enabled ---X-X

VPNJ2-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name     IP Address         Zone      MAC              VLAN  State  VSD
eth0/0   0.0.0.0/0          Trust     50c5.8d61.xxx1   -     D      -
eth0/1   172.16.100.3/24    Trust     50c5.8d61.xxx2   -     U      -
eth0/2   1.1.1.238/28       Untrust   50c5.8d61.xxx3   -     U      -
eth0/3   0.0.0.0/0          HA        50c5.8d61.xxx4   -     D      -
vlan1    0.0.0.0/0          VLAN      50c5.8d61.xxx5   1     D      -
null     0.0.0.0/0          Null      N/A              -     U      -

Can you show the VPN IP pool used (or the address handed out for the VPN client when connected), just to make sure that introduces no additional routing issues?

As I guessed earlier, policy 2 is Untrust To Trust. You need an exact copy of that policy for Untrust to DMZ. That should allow the VPN traffic to pass the first SSG when you switch back to DMZ.
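The two checks in this thread (does a policy exist for the exact ingress/egress zone pair, and do the devices behind the gateway route replies for the dial-up pool back to the VPN GW) can be modelled in a few lines. The following Python is an added example and not part of the original thread or of ScreenOS itself; it mirrors the posted "get route", "get int" and "get policy" output, but the client pool 172.16.200.0/24, the mapping of policy 2's "Internet Net" destination to 0.0.0.0/0, and the Cisco switch's default gateway are assumptions, since the thread never shows them.

```python
"""Model of ScreenOS policy selection and of the return-route check for a
dial-up VPN pool. Added example, not code from the thread or from Juniper.
Assumptions: client pool 172.16.200.0/24, policy 2's 'Internet Net' = 0.0.0.0/0,
the Cisco switch's default gateway is the inner SSG (172.16.100.1)."""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network
ip = ipaddress.ip_address
net = ipaddress.ip_network


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: IPv4Network
    dst: IPv4Network
    action: str          # "tunnel" (VPN policy) or "permit"


@dataclass
class Firewall:
    zones: dict          # interface name -> zone name (from "get int")
    routes: list         # (prefix, egress interface, next hop or None)
    policies: list

    def egress(self, dst):
        """Longest-prefix match, as the route table resolves a destination."""
        best = None
        for prefix, iface, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface, nh)
        return best

    def lookup(self, in_iface, src, dst):
        """Return (action, policy id). Only policies whose from/to zones equal
        the ingress/egress zone pair are consulted; a policy in any other pair
        never matches, even when the addresses would. Default is deny."""
        route = self.egress(dst)
        if route is None:
            return ("no-route", None)
        pair = (self.zones[in_iface], self.zones[route[1]])
        for p in self.policies:
            if (p.from_zone, p.to_zone) == pair and src in p.src and dst in p.dst:
                return (p.action, p.pid)
        return ("deny", None)


POOL = net("172.16.200.0/24")       # assumed dial-up client pool (constructed)
DMZ_LAN = net("172.16.100.0/24")    # eth0/1 network from the posted output


def build_vpnj2(eth01_zone, extra_policies=()):
    """VPNJ2 as posted, with eth0/1 placed in the given zone (Trust or DMZ)."""
    return Firewall(
        zones={"eth0/1": eth01_zone, "eth0/2": "Untrust"},
        routes=[
            (net("0.0.0.0/0"), "eth0/2", ip("1.1.1.1")),
            (DMZ_LAN, "eth0/1", None),
            (net("10.0.0.0/8"), "eth0/1", ip("172.16.100.1")),
        ],
        # policy 2 from "get policy": Untrust -> Trust, client pool -> Internet Net (assumed 0/0)
        policies=[Policy(2, "Untrust", "Trust", POOL, net("0.0.0.0/0"), "tunnel"),
                  *extra_policies],
    )


def client_to_switch(fw):
    """A decrypted packet from a pool client enters on the Untrust interface
    and is bound for the Cisco switch at 172.16.100.200."""
    return fw.lookup("eth0/2", ip("172.16.200.10"), ip("172.16.100.200"))


def has_return_route(routes, target, expected_next_hop):
    """Does a downstream device send replies for `target` back via the VPN GW?
    Longest prefix wins, so a default route pointing elsewhere loses to an
    explicit pool route, and a default route alone goes wherever it points."""
    best = None
    for prefix, nh in routes:
        if target.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best is not None and best[1] == expected_next_hop


if __name__ == "__main__":
    print(client_to_switch(build_vpnj2("Trust")))   # ('tunnel', 2): policy 2 matches
    print(client_to_switch(build_vpnj2("DMZ")))     # ('deny', None): wrong zone pair
    dmz_policy = Policy(5, "Untrust", "DMZ", POOL, DMZ_LAN, "tunnel")
    print(client_to_switch(build_vpnj2("DMZ", [dmz_policy])))   # ('tunnel', 5)
    # Cisco switch (constructed): default gateway 172.16.100.1 sends pool replies
    # to the inner SSG, not to the VPN GW, until a pool route via .3 is added.
    switch_routes = [(net("0.0.0.0/0"), ip("172.16.100.1"))]
    print(has_return_route(switch_routes, POOL, ip("172.16.100.3")))            # False
    switch_routes.append((POOL, ip("172.16.100.3")))
    print(has_return_route(switch_routes, POOL, ip("172.16.100.3")))            # True
```

The first three calls reproduce the symptom and the fix Qlemo describes: with eth0/1 in Trust the existing Untrust-to-Trust policy matches, moving eth0/1 to DMZ leaves no policy for the Untrust/DMZ pair and the default deny applies, and a copy of the policy for Untrust-to-DMZ restores the match. The last two calls are the routing check from the earlier reply: pinging only the gateway's own eth0/1 address is consistent with hosts on 172.16.100.0/24 having no route back to the pool via 172.16.100.3.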
My IP pool is not there. Let me put it back in.
Hi Qlemo,

Sorry for the long delay; my wife and kids were sick. My NetScreen-Remote client received an IP from the IP pool. I am still not able to ping any device on the 172.16.100.0 subnet with the exception of the SSG I am connecting to. I have attached a copy of my config. This is a very basic config; I am very much a newbie with NetScreens and I wanted to get all my parts working before I tighten things down.

J2FW.log
Sorry for the extended period of inactivity, but I would like to work further on this issue with the author.
ASKER CERTIFIED SOLUTION
Qlemo (Germany)
The solution works. I would like to open it then close it out correctly.
GregBresser,

I have objected to the closing recommendation to stop it. Now you can go on and close as you see fit.