• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 504

VPN site to site tunnel from Juniper SSG20 to Gnatbox 2100 - working in one direction.

Hi guys,

I have configured a site-to-site VPN tunnel between two sites on different subnets.

Now from site B I can ping, RDP etc. to any servers at site A. BUT... in the other direction I can't ping site B from site A or connect to anything on the B subnet.

If I try a ping to the site B subnet it reaches the router, and then it seems to go to a 172.x.x.x address?

...which replied to say it can't contact the network.

It looks like it's getting past the firewall/router at site A, as a 172 address is replying to say it can't find the host...?

I checked all the settings on the firewall at A and I can't see any difference from another VPN we have set up for something else...

What should I be checking?
1 Solution
NATting might be the reason.
Access list on either site.
That is what pops into my mind.

Qlemo (Batchelor and Developer) commented:
Does it matter which device initiates the tunnel negotiation? Can you post more details about which device is on which site, and which networks and private IPs (if NATted) are used?

Spikeuk30 (Author) commented:
Site A is a Juniper SSG 20.
Site B is a Gnatbox 2100.

So I can't ping from the Juniper to the Gnatbox, but the other way works.

I haven't used NAT as the subnets are different.

Qlemo (Batchelor and Developer) commented:
Check the firewall rules at the Gnatbox first. The site B inbound policies and/or site A outbound policies might not be correct; outbound B and inbound A obviously are.

A tracert from A to B might reveal something. Also, set the traffic logging options of the SSG for the particular policies to check whether they are hit at all.
Are you using a route-based or policy-based VPN on the SSG?
What is 172.x assigned to?

Spikeuk30 (Author) commented:
I think I might have worked out what is happening...

At office B the Juniper SSG20 is daisy-chained to another Juniper fiber firewall box which has been provided by the ISP.

I think this is what has the 172.x address... I think we need a rule/exception set up on the ISP firewall to allow traffic to the site A subnet?

Qlemo (Batchelor and Developer) commented:
No, the SSG is building a VPN tunnel, and anything passing through that tunnel is hidden from other firewalls.
If it is true that the 172.x address is the ISP's box, routing is not set up properly for your VPN tunnel on the SSG.
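The two checks Qlemo describes (does the remote subnet actually resolve to the tunnel, and does a tracert from site A show a responder that should never see tunnelled traffic) can be scripted. The following is an added example written for this page; it is not code from the thread, from Juniper or from the Gnatbox vendor. All addresses, the interface names (`ethernet0/0`, `ethernet0/2`, `tunnel.1`) and the tracert output are constructed assumptions, modelled on a route-based ScreenOS setup where the remote LAN needs a route bound to the tunnel interface.

```python
import ipaddress
import re

# Constructed sample data modelled on the thread's setup (site A behind an SSG,
# site B behind a Gnatbox). Every address, interface name and traceroute line
# below is an assumption made for this example, not a value from the question.
SITE_B_LAN = "10.2.0.0/24"
SITE_A_GATEWAY = "10.1.0.1"   # SSG trust-side address as seen by site A hosts
TUNNEL_IFACE = "tunnel.1"     # tunnel interface a route-based VPN is bound to

# Routing table entries as (prefix, interface, next_hop); None means the
# prefix is directly attached or reached via an unnumbered tunnel interface.
ROUTES_BROKEN = [
    ("10.1.0.0/24", "ethernet0/0", None),         # site A LAN
    ("0.0.0.0/0", "ethernet0/2", "172.16.0.1"),   # default route to the ISP box
]
# Same table plus the one route that sends site B traffic into the tunnel.
ROUTES_FIXED = ROUTES_BROKEN + [(SITE_B_LAN, TUNNEL_IFACE, None)]


def longest_prefix_match(routes, dst):
    """Return the most specific (prefix, interface, next_hop) entry covering dst."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, iface, next_hop), net.prefixlen
    return best


def remote_lan_uses_tunnel(routes, remote_lan, tunnel_iface):
    """True only if the first, middle and last host of remote_lan all resolve
    to the tunnel interface; a missing or less specific route fails here."""
    hosts = list(ipaddress.ip_network(remote_lan).hosts())
    for host in (hosts[0], hosts[len(hosts) // 2], hosts[-1]):
        match = longest_prefix_match(routes, str(host))
        if match is None or match[1] != tunnel_iface:
            return False
    return True


# Matches the responding address at the end of a tracert/traceroute hop line,
# with or without a trailing ']' from "hostname [a.b.c.d]" output.
_HOP_ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")


def parse_trace_hops(output):
    """Return one entry per hop line: the responding IP, or None if it timed out."""
    hops = []
    for line in output.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue  # skip the "Tracing route to ..." banner and blank lines
        match = _HOP_ADDR.search(line)
        hops.append(match.group(1) if match else None)
    return hops


def leaked_hops(hops, local_gateway, allowed_prefixes):
    """List (hop_number, address) pairs after the local gateway that fall
    outside allowed_prefixes. Tunnelled packets are encapsulated and invisible
    to routers in between, so any other responder after the local gateway
    (the ISP box at 172.x in the thread) means the packet left in the clear."""
    if not hops or hops[0] != local_gateway:
        raise ValueError("first hop is not the expected local gateway")
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    leaked = []
    for number, hop in enumerate(hops[1:], start=2):
        if hop is None:
            continue  # a silent hop is inconclusive, not evidence of a leak
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in allowed):
            leaked.append((number, hop))
    return leaked


# Constructed tracert output from a site A host, before and after the fix.
TRACE_BROKEN = """\
Tracing route to 10.2.0.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.0.1
  2     1 ms     1 ms     1 ms  172.16.0.1
  3     *        *        *     Request timed out.
"""
TRACE_FIXED = """\
Tracing route to 10.2.0.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.0.1
  2    12 ms    11 ms    12 ms  10.2.0.1
  3    12 ms    12 ms    12 ms  10.2.0.10
"""

if __name__ == "__main__":
    print("route for 10.2.0.10:", longest_prefix_match(ROUTES_BROKEN, "10.2.0.10"))
    print("cleartext hops:", leaked_hops(parse_trace_hops(TRACE_BROKEN), SITE_A_GATEWAY, [SITE_B_LAN]))
```

With the broken table the remote host falls through to the default route, and the trace shows hop 2 answering from the ISP side, which is exactly the symptom in the question; once the site B prefix is routed to `tunnel.1`, both checks pass. The `allowed_prefixes` list is there because some far-end gateways answer a trace from their WAN address rather than a LAN address, so add that address to the list if your Gnatbox does.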