Solved

Juniper Netscreen SSG20 VPN Config

Posted on 2013-05-14
Medium Priority
1,140 Views
Last Modified: 2013-06-26
Hi

I have a working VPN config between a remote Checkpoint site (that I don't manage) and our Juniper Netscreen.

The VPN is policy based, with traffic at the remote site only being allowed to initiate a connection for an application they run to a server at our end. All works fine.

I now need to allow a print server queue located at my site to send print jobs to a printer at the remote site. The application that is run creates a print request to the database at my end, which sends the print job to the print queue. I am told by the admin at the remote site that I need to add the printer IP to my encryption domain and give it the relevant access, i.e. port 9100 outgoing through the tunnel.

How do I add the printer IP to my encryption domain?
Once added do I add a trust to untrust policy for the port number?

Thanks
Question by:Winfix1
8 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 2000 total points
ID: 39165833
There is no encryption domain on Juniper devices, so I am thinking this is a Checkpoint firewall term.

The equivalent, since you are using a policy based VPN, would be to allow port 9100 through the VPN. If you are restricting access in the policy by specifying source and destination IPs, then the print server and printer IPs would need to be added to the policy for it to work properly.
 

Author Comment

by:Winfix1
ID: 39167262
Thanks.

OK, at present I just have an incoming policy for the VPN. There is no outgoing policy, as outgoing traffic to the VPN was not required before.

How do I create a relevant outgoing policy to point the traffic to the VPN for the remote printer IP traffic?
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39167692
If you edit the incoming policy for the VPN, there is a check mark at the bottom for "Modify matching bidirectional VPN policy". Enabling this will create the matching VPN policy for traffic going the opposite way.
 

Author Comment

by:Winfix1
ID: 39167736
Thanks, OK. But what do I need to modify so that my server sends/routes traffic for the printer IP 10.132.145.10 down the VPN tunnel? Currently it just tries to send it out to the internet.
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39167769
The destination IP of the matching VPN policy should be 10.132.145.0/24; this will make sure all traffic destined for that subnet goes via the VPN and not out to the internet.
 

Author Comment

by:Winfix1
ID: 39167846
Hi
Thanks. Ticking "Modify matching bidirectional VPN policy" does not stick; it reverts back to unticked.

Here is the policy

[screenshot: Policy]
The source address is 80.x.x.x through a MIP, but traffic I generate needs to go down the tunnel to 10.132.145.10, which is where the printer will try to send to.

How would I set 10.132.145.10 to go down the tunnel?

Thanks
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39167900
I see your problem: this is not a VPN. It is actually a mapped IP. Basically your internal server is reachable from the internet via the public IP MIP (81.*.*.229).

In this configuration you will not be able to actually print to the printer in the other network.

In a policy-based VPN, this is what you would have:
The source IP would be your LAN.
The destination IP would be the remote LAN.
The action would be Tunnel.
The tunnel VPN would be the AutoKey IKE setup under the VPN menu.
And lastly you could then check the box for matching bidirectional VPN.

Below is a screenshot of a policy-based VPN. Mine is one way only, so the bidirectional box is unchecked.

[screenshot: policy]
[screenshot: policy 2]
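The policy-based VPN the accepted solution and the list above describe, written out as ScreenOS CLI. This is an added example, not configuration posted in the thread or taken from the asker's SSG20. The zone names, address-book names, local LAN 10.10.10.0/24, Check Point peer 203.0.113.10, outgoing interface ethernet0/0, the inbound service "ANY" and the pre-shared key are all assumptions; only the printer subnet 10.132.145.0/24 and TCP 9100 come from the thread.

```screenos
## Added example (not from the thread). Assumed: local LAN 10.10.10.0/24 in
## zone Trust, remote Check Point at 203.0.113.10, printer subnet
## 10.132.145.0/24 (from the thread), untrust interface ethernet0/0,
## placeholder pre-shared key, inbound application service left as "ANY".

## 1. Address-book entries. On a policy-based VPN these addresses (plus the
##    service) are what ScreenOS puts in the Phase 2 proxy-ID, i.e. the
##    closest thing the SSG has to the Check Point "encryption domain".
set address "Trust" "LAN-10.10.10.0" 10.10.10.0 255.255.255.0
set address "Untrust" "Remote-10.132.145.0" 10.132.145.0 255.255.255.0

## 2. Custom service for raw-socket (JetDirect) printing, TCP 9100 only.
set service "TCP-9100-JetDirect" protocol tcp src-port 0-65535 dst-port 9100-9100

## 3. Phase 1 (IKE gateway) and Phase 2 (AutoKey IKE VPN) to the remote site.
##    The asker already has these; shown so the policies below resolve.
set ike gateway "GW-RemoteSite" address 203.0.113.10 Main outgoing-interface "ethernet0/0" preshare "CHANGE-ME" sec-level standard
set vpn "VPN-RemoteSite" gateway "GW-RemoteSite" no-replay tunnel idletime 0 sec-level standard

## 4. Tunnel policies, one per direction. The action is "tunnel", not
##    "permit": a plain Trust->Untrust permit would route the printer
##    traffic out to the internet, which is the symptom in the thread.
## Outbound: print server -> printer, restricted to TCP 9100.
set policy id 10 from "Trust" to "Untrust" "LAN-10.10.10.0" "Remote-10.132.145.0" "TCP-9100-JetDirect" tunnel vpn "VPN-RemoteSite" log

## Inbound: remote application -> server at our end (existing direction).
## "pair-policy 10" is the CLI form of the WebUI tick box "Modify matching
## bidirectional VPN policy": both policies then share one SA pair.
## The referenced policy (10) must exist before this line is entered.
set policy id 11 from "Untrust" to "Trust" "Remote-10.132.145.0" "LAN-10.10.10.0" "ANY" tunnel vpn "VPN-RemoteSite" pair-policy 10 log

save
```

After the policies are in place, `get policy id 10` shows the pairing, and `get sa` shows whether a Phase 2 SA came up for the new selectors. One caveat a practitioner will want to check before calling the remote admin: ScreenOS derives the proxy-ID of a policy-based VPN from the policy's source, destination and service, so narrowing the service to TCP 9100 narrows the proposed selectors. If the Check Point side proposes its encryption domain with any protocol/port, Phase 2 fails on a proxy-ID mismatch (`get event` shows it); the two sides then have to agree on the same selectors, which is the "add the printer IP to your encryption domain" request seen from the Juniper end.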
 

Author Closing Comment

by:Winfix1
ID: 39277461
Thanks