Juniper SSG-140 not reaching devices on VLAN
Have a Juniper SSG-140 connected to a HP PROCURVE 2530 (J9775A) and also a SSL VPN connected to the same switch.
If i configure a interface with ex. DMZ, i am able to reach the SSL VPN, but if i create a vlan on the switch, tag the SSL VPN and the SSG port i cannot reach it. (i also tagged the port on the SSG using the SUB INTERFACE.
The switch have the default VLAN with a IP configured, is this ok?
Maybe the DEFAULT_VLAN having a configured IP is causing this?
If i configure a interface with ex. DMZ, i am able to reach the SSL VPN, but if i create a vlan on the switch, tag the SSL VPN and the SSG port i cannot reach it. (i also tagged the port on the SSG using the SUB INTERFACE.
The switch have the default VLAN with a IP configured, is this ok?
Maybe the DEFAULT_VLAN having a configured IP is causing this?
What does SSL VPN mean exactly? Is this another device terminating a VPN, so the SSG sees just another IP?
Maybe showing a small sketch of the relevant network participants would help much.
Maybe showing a small sketch of the relevant network participants would help much.
ASKER
Is a MAG2600, another device.
ASKER
basically, a SSG-140 as follows:
0/0 - UNTRUST
0/1 - SW 1 - Port 1
0/2 - SW 2 - Port 1
0/3 - SW 1 - Port 3
0/4 - SW 2 - Port 3
0/5 - SW 1 - Port 5
0/6 - SW 2 - Port 5
0/7 - UNTRUST TO SSG140 (B)
0/8 - HA to SSG-140 (B)
0/9 - SW 1 Port 24
MAG 2600 SSL VPN connected on port 24 on SW 1
I bridged ports 0/3 and 0/4, created sub interface DMZ VLAN ID95, later MANAGEMENT will another VLAN here, with VLAN ID 42.
On Switch Created VLAN 95, tagged ports 3, 4 and 20.
Ports 0/1, 0/2, 0/3 and 0/4 are another bridge group, which later i will configure as TRUST and created several VLAN's, like SALES, MARKETING etc...
0/0 - UNTRUST
0/1 - SW 1 - Port 1
0/2 - SW 2 - Port 1
0/3 - SW 1 - Port 3
0/4 - SW 2 - Port 3
0/5 - SW 1 - Port 5
0/6 - SW 2 - Port 5
0/7 - UNTRUST TO SSG140 (B)
0/8 - HA to SSG-140 (B)
0/9 - SW 1 Port 24
MAG 2600 SSL VPN connected on port 24 on SW 1
I bridged ports 0/3 and 0/4, created sub interface DMZ VLAN ID95, later MANAGEMENT will another VLAN here, with VLAN ID 42.
On Switch Created VLAN 95, tagged ports 3, 4 and 20.
Ports 0/1, 0/2, 0/3 and 0/4 are another bridge group, which later i will configure as TRUST and created several VLAN's, like SALES, MARKETING etc...
You certainly haven't the MAG and SSG on Sw1-24 ;-). But I get what you mean. So IF 0/9 on SSG should be the "VPN connection".
You are doing a lot of tagging, and use multiple connections to the same switch. You know that it makes things more complicated? You usually either assign a VLAN tag at each switch port or in the interfaces, but not both. You also don't need to use separate ports for different VLANs on the SSG side, as you might know - the routing info should be sufficient to separate traffic, and using too many zones gets confusing with all the rules you'll need for interzone traffic.
I'm still struggling with getting the right picture, and will need some guru meditation about that ;-).
You are doing a lot of tagging, and use multiple connections to the same switch. You know that it makes things more complicated? You usually either assign a VLAN tag at each switch port or in the interfaces, but not both. You also don't need to use separate ports for different VLANs on the SSG side, as you might know - the routing info should be sufficient to separate traffic, and using too many zones gets confusing with all the rules you'll need for interzone traffic.
I'm still struggling with getting the right picture, and will need some guru meditation about that ;-).
ASKER
The whole thing about vlans is to have everything in a HA configuration, we do have 2 firewalls, 2 switches and 2 MAG2600.
as the SSG's have 10 ports, we are using 2 for HA, 1 for untrust, leaving us with 6 for redundancy, 4 for the TRUST, which is the biggest traffic, 2 for management and DMZ.
TRUST cannot see or reach DMZ or management..
One thing that i noted now, is that the previous guy, configured a IP to the DEFAULT_VLAN, which i believe is wrong, ip should only be configured on the the MANAGEMENT VLAN, right?
as the SSG's have 10 ports, we are using 2 for HA, 1 for untrust, leaving us with 6 for redundancy, 4 for the TRUST, which is the biggest traffic, 2 for management and DMZ.
TRUST cannot see or reach DMZ or management..
One thing that i noted now, is that the previous guy, configured a IP to the DEFAULT_VLAN, which i believe is wrong, ip should only be configured on the the MANAGEMENT VLAN, right?
ASKER
Appreciate that!
thanks very much
thanks very much
If you want TRUST to see the Management or DMZ, you're going to have to add routing to do that.
Is the IP that's been configured part of the VLAN that you're adding?
Is the IP that's been configured part of the VLAN that you're adding?
ASKER
Solved!
it was a misconfiguration on SW.
it was a misconfiguration on SW.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
after contacting juniper and HP support we were able to find and solve the issue.
ASKER