VPN site to site tunnel from Juniper SSG20 to Gnatbox 2100 - working in one direction.

Hi guys,

I have configured a site-to-site VPN tunnel between two sites on different subnets.

Now from site B I can ping, RDP etc. to any servers at site A. BUT... in the other direction I can't ping site B from site A or connect to anything on the B subnet.

If I try a ping to the site B subnet it reaches the router, then it seems to go to a 172.x.x.x address?

...which replied to say it can't contact the network.

It looks like it's getting past the firewall/router at site A, as a 172 address is replying to say it can't find the host...?

I checked all the settings on the firewall at A and I can't see any difference from another VPN we have set up for something else...

What should I be checking?

NATting might be the reason.
Access list on either site.
That is what pops into my mind.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Does it matter which device initiates the tunnel negotiation? Can you post more details about which device is on which site, and which networks and private IPs (if NATted) are used?
Spikeuk30 (Author) commented:
Site A is a Juniper SSG 20.
Site B is a Gnatbox 2100.

So I can't ping from the Juniper to the Gnatbox, but the other way works.

I haven't used NAT as the subnets are different.

Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Check the firewall rules at the Gnatbox first. The site B inbound policies and/or site A outbound policies might not be correct; outbound B and inbound A are, obviously.

A tracert from A to B might reveal something. Also, set the traffic logging options of SSG for the particular policies to check if they are hit at all.
Are you using route-based or policy-based VPN on SSG?
What is 172.x assigned to?
Spikeuk30 (Author) commented:
I think I might have worked out what is happening...

At office B the Juniper SSG20 is daisy-chained to another Juniper fiber firewall box which has been provided by the ISP.

I think this is what has the 172.x address... I think we need a rule/exception set up on the ISP firewall to allow traffic to the site A subnet?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
No, the SSG is building a VPN tunnel, and anything passing that tunnel is hidden from other firewalls.
If it is true the 172.x address is the ISP's box, routing is not set up properly for your VPN tunnel on SSG.
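The diagnosis above (traffic for site B's subnet leaking out to the ISP box instead of entering the tunnel) comes down to longest-prefix-match routing: if the SSG has no route for the remote subnet via the tunnel interface, the default route wins and the packet goes to the upstream 172.x device, which can only answer "unreachable". The following is an added example, not code from the thread or from Juniper; all addresses, interface names (ethernet0/0, ethernet0/1, tunnel.1) and the 172.16.0.1 next hop are constructed placeholders. It simulates the SSG's route lookup with and without the missing tunnel route so you can see which egress each destination gets.

```python
import ipaddress

# Constructed routing table for the SSG at site A (all values are made-up examples).
# Each entry: (prefix, egress interface, next hop or None for a connected/tunnel route).
ROUTES_BROKEN = [
    ("192.168.10.0/24", "ethernet0/0", None),          # site A LAN, directly connected
    ("0.0.0.0/0",       "ethernet0/1", "172.16.0.1"),  # default route via the ISP's box
]

# The same table with the one entry a route-based VPN needs:
# the remote (site B) subnet pointed at the tunnel interface.
ROUTES_FIXED = ROUTES_BROKEN + [
    ("192.168.20.0/24", "tunnel.1", None),             # site B LAN via the VPN tunnel
]


def lookup(routes, dst):
    """Longest-prefix match, as a router does it: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def egress_for(routes, dst):
    """Return (interface, next_hop) chosen for dst, or None if no route matches."""
    best = lookup(routes, dst)
    return None if best is None else (best[1], best[2])


def tunnel_route_present(routes, remote_subnet, tunnel_iface):
    """Check the one thing this thread's diagnosis hinges on: is there a route
    for the remote subnet whose egress is the tunnel interface?"""
    want = ipaddress.ip_network(remote_subnet)
    return any(ipaddress.ip_network(p) == want and i == tunnel_iface for p, i, _ in routes)


if __name__ == "__main__":
    host_at_b = "192.168.20.5"
    for name, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        print(name, "->", egress_for(table, host_at_b),
              "tunnel route present:", tunnel_route_present(table, "192.168.20.0/24", "tunnel.1"))
```

With the broken table a ping to a site B host exits ethernet0/1 toward 172.16.0.1 (the ISP device), which matches the symptom in the question; with the fixed table it exits tunnel.1. On a real SSG the equivalent check is to inspect the route table for the remote subnet and confirm its interface is the tunnel interface (or, for a policy-based VPN, that the policy itself sends the traffic into the tunnel), and the policy traffic logging Qlemo suggested shows whether the packet ever hit the VPN policy at all.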
