Hello! Help: pinging VPN users from the local network



  • Hi! I have an L2TP VPN without IPsec. I can ping my local network, but when I go to the web server, it can't answer me, because from this server they can't ping me. For example: the local network subnet is 192.168.20.0 (int dmz), and the VPN users subnet is 192.168.25.0. After connecting, a VPN user can ping hosts in the local network, but hosts in the local network can't ping the VPN users. What must I do?



  • Debug flow basic is run on the NetScreen. This debug will tell you how the NetScreen is handling the traffic, whether it is permitting or denying the traffic, and which policy is reached. An example of using debug flow basic is below:

    You must be logged into the CLI (console, telnet or SSH) to run this. From CLI prompt:

    debug flow basic
    clear db

    Capture the failed instance, then stop the debugs and output the data.

    undebug all
    get db stream

    Note that if you have a lot of traffic then you may want to first enable some flow filters to help narrow down the captured data to only what you are interested in.

    Example:
    set ff src-ip <ip of server> ip-proto 1

    The above captures all ICMP traffic from whatever IP you specify.

    and

    set ff src-ip <public ip of vpn peer> dest-port 4500

    The above captures all VPN traffic from the client, assuming that NAT traversal is used.

    or

    set ff src-ip <public ip of vpn peer> ip-proto 50

    The above captures all VPN traffic from the client, assuming that NAT traversal is NOT used.



  • These logs are from when I ping 192.168.20.2 and then go to the web server 192.168.20.3, but I get no answer from the web server (SharePoint). When I go to the web page, something like http://192.168.20.3, I get an access error, because maybe the server wants me to access it by, for example, http://name.domain.com, but I can't do that from my VPN; I can only use http://192.168.20.3/.
    I think that the request from 192.168.20.3 to 192.168.25.1 (VPN user) goes somewhere, but not to me, because 192.168.20.3 doesn't see 192.168.25.1.
    ns208-> get log traffic
    PID 20, from Untrust to DMZ, src Dial-Up VPN, dst Any, service ANY, action Tunnel

    Date       Time       Duration Source IP        Port Destination IP   Port Service
                                   Xlated Src IP    Port Xlated Dst IP    Port

    2008-01-07 22:26:57    0:00:02 192.168.25.1     2048 192.168.20.2     1536 ICMP
                                   192.168.25.1     2048 192.168.20.2     1536
    2008-01-07 22:26:55    0:00:02 192.168.25.1     1536 192.168.20.2     1536 ICMP
                                   192.168.25.1     1536 192.168.20.2     1536
    2008-01-07 22:26:55    0:00:01 192.168.25.1     1792 192.168.20.2     1536 ICMP
                                   192.168.25.1     1792 192.168.20.2     1536
    2008-01-07 22:26:53    0:00:01 192.168.25.1     1280 192.168.20.2     1536 ICMP
                                   192.168.25.1     1280 192.168.20.2     1536
    2008-01-07 22:25:17    0:00:33 192.168.25.1     2984 192.168.20.3       80 HTTP
                                   192.168.25.1     2984 192.168.20.3       80
    2008-01-07 22:23:31    0:01:01 192.168.25.1     2981 192.168.20.3       80 HTTP
                                   192.168.25.1     2981 192.168.20.3       80
    2008-01-07 22:22:11    0:02:05 192.168.25.1     2977 192.168.20.3       80 HTTP
                                   192.168.25.1     2977 192.168.20.3       80
    2008-01-07 22:21:27    0:01:07 192.168.25.1     2978 192.168.20.3       80 HTTP
                                   192.168.25.1     2978 192.168.20.3       80
    2008-01-07 22:18:51    0:00:02 192.168.25.1     1024 192.168.20.2     1536 ICMP
                                   192.168.25.1     1024 192.168.20.2     1536
    2008-01-07 22:18:49    0:00:02 192.168.25.1      512 192.168.20.2     1536 ICMP
                                   192.168.25.1      512 192.168.20.2     1536
    2008-01-07 22:18:49    0:00:01 192.168.25.1      768 192.168.20.2     1536 ICMP
                                   192.168.25.1      768 192.168.20.2     1536
    2008-01-07 22:18:47    0:00:01 192.168.25.1      256 192.168.20.2     1536 ICMP
                                   192.168.25.1      256 192.168.20.2     1536
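The traffic log above only ever shows sessions with a source in 192.168.25.0/24 and a destination in 192.168.20.0/24; there is not a single record initiated from the DMZ side, which is exactly the symptom the replies point at (no policy matching traffic that starts on the local network). The following script is an added example and not part of the thread or of any Juniper tool: it parses the two-row `get log traffic` format shown in the post, classifies each session by the zone of its source and destination, and reports which direction between two subnets never appears. The subnet-to-zone mapping and the sample lines (a constructed subset of the posted log, including the pager prompt that splits one record) are assumptions for the demonstration.

```python
"""Classify ScreenOS `get log traffic` records by direction.

Added example, not from the thread. Parses the record format the post
shows (first row: date, time, duration, src, sport, dst, dport, service;
second row: translated addresses) and reports one-directional traffic.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed zone layout, taken from the subnets named in the original post.
ZONES = {
    "DMZ": ip_network("192.168.20.0/24"),
    "VPN": ip_network("192.168.25.0/24"),
}

# Constructed sample: a subset of the posted log, including the "-- more --"
# pager prompt that the NetScreen prints between the two rows of a record.
SAMPLE_LOG = """\
2008-01-07 22:26:57    0:00:02 192.168.25.1     2048 192.168.20.2     1536 ICMP
                               192.168.25.1     2048 192.168.20.2     1536
2008-01-07 22:25:17    0:00:33 192.168.25.1     2984 192.168.20.3       80 HTTP
                               192.168.25.1     2984 192.168.20.3       80
2008-01-07 22:18:51    0:00:02 192.168.25.1     1024 192.168.20.2     1536 ICMP
--- more ---
                               192.168.25.1     1024 192.168.20.2     1536
"""

# Only the first row of a record starts with a date; the translated-address
# row and pager prompts never match and are skipped.
RECORD = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<dur>\d+:\d\d:\d\d)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)\s+(?P<svc>\S+)\s*$"
)


def zone_of(ip):
    """Map an address to a zone name; anything outside ZONES is 'other'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def parse_sessions(text):
    """Return one dict per session record found in the log text."""
    sessions = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        d = m.groupdict()
        sessions.append({
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "service": d["svc"],
            "direction": f"{zone_of(d['src'])}->{zone_of(d['dst'])}",
        })
    return sessions


def direction_counts(sessions):
    """Count sessions per initiating direction, e.g. {'VPN->DMZ': 3}."""
    return Counter(s["direction"] for s in sessions)


def missing_directions(sessions, a="DMZ", b="VPN"):
    """Return the directions between zones a and b that never appear.

    If only one of the two is missing, no session was ever initiated from
    that side, which usually means no policy permits (or tunnels) it.
    """
    seen = direction_counts(sessions)
    return [d for d in (f"{a}->{b}", f"{b}->{a}") if d not in seen]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for direction, n in direction_counts(found).items():
        print(f"{direction}: {n} session(s)")
    print("never initiated:", missing_directions(found))
```

Run it against a full `get log traffic` capture taken while a DMZ host tries to reach a VPN client; if `DMZ->VPN` still comes back as never initiated, the return traffic is not reaching a permitting policy and `debug flow basic` with a `set ff src-ip` filter on the DMZ host is the next step.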



  • But what must I do for this on the NetScreen 208?



  • I assume that since you can ping the local hosts, then routing is working properly. Do you have a security policy to permit this? You may need to run debug flow basic to find out what is happening with the traffic initiating from the local network.

