SSG-140 - DialUP-VPN, Problems accessing remote tunnel destination from mobile



  • Hi everybody,

    my firewall itself has two active interfaces (the public interface, e.g. x.x.x.x, and the private one, 192.168.1.2/24). Furthermore, there is an active site-to-site VPN configured between the SSG and another hardware firewall device (the subnet 10.0.0.0/8 is behind the “other hardware firewall”). On the SSG there is a static route for 10.0.0.0/8, which is needed to reach that subnet from the SSG trust zone. So far so good; the mobile VPN is working so far, and I am able to ping all active machines within the 192.168.1.0/24 subnet (trust).

    I’ve created the DialUP-VPN setup based on this document:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14878

    So far so good, but now comes the problem. I want to access addresses within 10.0.0.0/8 from the dialup VPN client. Therefore I’ve duplicated the policy for the 192.168.1.0/24 network. Traffic from the mobile client initiates the VPN, and it’s successfully established. For accessing another remote subnet at the same time I’ve followed these instructions: http://forums.cabling-design.com/vpn/Static-route-through-Netscreen-Remote-can-it-be-done-485-.htm
    Well, traffic to 10.0.0.0/8 also initiates the VPN, and it’s also successfully established. But the traffic to 10.0.0.0/8 is denied by the newly created policy. I’ve attached an image.

    I have no clue why the policy denies traffic to 10.0.0.0/8.

    Any help is appreciated.

    Thank you,
    Wayne
    Bildschirmfoto 2012-10-17 um 13.53.54.png

