Hello! Help: ping VPN users from the local network

  • Hi! I have an L2TP VPN without IPsec. I can ping my local network, but when I go to the web server, it can't answer me, because from that server they can't ping me. For example: local network subnet (int dmz), and VPN users subnet. After connecting, a VPN user can ping hosts in the local network, but hosts in the local network can't ping the VPN users. What must I do?

  • Debug flow basic is run on the NetScreen. This debug will tell you how the NetScreen is handling the traffic and whether it is permitting or denying the traffic and which policy is reached. Example for using debug flow basic is below:

    You must be logged into the CLI (console, telnet or SSH) to run this. From CLI prompt:

    debug flow basic
    clear db

    Capture the failed instance, then stop the debugs and output the data.

    undebug all
    get db stream

    Note that if you have a lot of traffic then you may want to first enable some flow filters to help narrow down the captured data to only what you are interested in.

    set ff src-ip <ip of server> ip-proto 1

    the above captures all ICMP traffic from whatever IP you specify.


    set ff src-ip <public ip of vpn peer> dest-port 4500

    the above captures all VPN traffic from the client assuming that nat-traversal is used.


    set ff src-ip <public ip of vpn peer> ip-proto 50

    the above captures all VPN traffic from the client assuming that nat-traversal is NOT used.

  • These are the logs when I ping, and then I go to the web server, but I don't get an answer from the web server (SharePoint); then I go to the web page / something like that and I'll get an error with access, because maybe the server wants to access there by e.g. http://name.domain.com, but I can do it from my VPN / I can only
    I think that the request from to (VPN user) goes somewhere, but not to me, because I don't see
    ns208-> get   log traffic
    PID 20, from Untrust to DMZ, src Dial-Up VPN, dst Any, service ANY, action Tunnel

    Date       Time       Duration Source IP        Port Destination IP   Port Service
                                   Xlated Src IP    Port Xlated Dst IP    Port

    2008-01-07 22:26:57    0:00:02     2048     1536 ICMP
                              2048     1536
    2008-01-07 22:26:55    0:00:02     1536     1536 ICMP
                              1536     1536
    2008-01-07 22:26:55    0:00:01     1792     1536 ICMP
                              1792     1536
    2008-01-07 22:26:53    0:00:01     1280     1536 ICMP
                              1280     1536
    2008-01-07 22:25:17    0:00:33     2984       80 HTTP
                              2984       80
    2008-01-07 22:23:31    0:01:01     2981       80 HTTP
                              2981       80
    2008-01-07 22:22:11    0:02:05     2977       80 HTTP
                              2977       80
    2008-01-07 22:21:27    0:01:07     2978       80 HTTP
                              2978       80
    2008-01-07 22:18:51    0:00:02     1024     1536 ICMP
    –- more —
                              1024     1536
    2008-01-07 22:18:49    0:00:02      512     1536 ICMP
                               512     1536
    2008-01-07 22:18:49    0:00:01      768     1536 ICMP
                               768     1536
    2008-01-07 22:18:47    0:00:01      256     1536 ICMP
                               256     1536
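The traffic log above only lists sessions under the policy from Untrust to DMZ (VPN users towards the local network); what the thread is trying to establish is whether any session in the other direction is ever logged. The following parser is an added example, not code from the original thread or from Juniper: it reads `get log traffic` output of the shape quoted above, attributes each session to the policy header it appears under, and reports whether the reverse direction is absent. The sample log is constructed for this example, with placeholder IP addresses (the page's own log lost its IP columns in extraction), and the zone names Untrust and DMZ are taken from the policy line in the thread.

```python
"""Summarise ScreenOS `get log traffic` output per policy direction.

Added example (not from the thread). Session lines are matched by their
date/time/duration prefix; the indented "Xlated" continuation lines,
column headers and the pager's "-- more --" prompt are skipped.
"""
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the `get log traffic` output in the thread.
# IP addresses are placeholders (documentation/private ranges), not from the page.
SAMPLE_LOG = """\
PID 20, from Untrust to DMZ, src Dial-Up VPN, dst Any, service ANY, action Tunnel

Date       Time       Duration Source IP        Port Destination IP   Port Service
                               Xlated Src IP    Port Xlated Dst IP    Port

2008-01-07 22:26:57    0:00:02 192.0.2.10       2048 10.1.1.5         1536 ICMP
                               192.0.2.10       2048 10.1.1.5         1536
2008-01-07 22:25:17    0:00:33 192.0.2.10       2984 10.1.1.5           80 HTTP
                               192.0.2.10       2984 10.1.1.5           80
-- more --
"""

# "PID 20, from Untrust to DMZ, src Dial-Up VPN, dst Any, service ANY, action Tunnel"
POLICY_RE = re.compile(
    r"^PID (?P<pid>\d+), from (?P<src_zone>\S+) to (?P<dst_zone>\S+), "
    r"src (?P<src>.+?), dst (?P<dst>.+?), service (?P<service>.+?), action (?P<action>\S+)$"
)

# "2008-01-07 22:26:57    0:00:02 192.0.2.10  2048 10.1.1.5  1536 ICMP"
SESSION_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<duration>\d+:\d{2}:\d{2})\s+(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)\s+(?P<service>\S+)\s*$"
)


def parse_traffic_log(text):
    """Return a list of session dicts, each tagged with the policy it was logged under."""
    sessions = []
    policy = None  # most recent policy header seen
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = m.groupdict()
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue  # headers, Xlated continuation lines, pager prompt, blanks
        entry = m.groupdict()
        entry["src_zone"] = policy["src_zone"] if policy else None
        entry["dst_zone"] = policy["dst_zone"] if policy else None
        entry["pid"] = policy["pid"] if policy else None
        sessions.append(entry)
    return sessions


def summarize(sessions):
    """Map (src_zone, dst_zone) -> Counter of services seen in that direction."""
    summary = defaultdict(Counter)
    for s in sessions:
        summary[(s["src_zone"], s["dst_zone"])][s["service"]] += 1
    return summary


def missing_reverse(summary, src_zone, dst_zone):
    """True if sessions exist from src_zone to dst_zone but none in the opposite direction."""
    forward = sum(summary.get((src_zone, dst_zone), Counter()).values())
    reverse = sum(summary.get((dst_zone, src_zone), Counter()).values())
    return forward > 0 and reverse == 0


if __name__ == "__main__":
    summary = summarize(parse_traffic_log(SAMPLE_LOG))
    for (src, dst), services in summary.items():
        print(f"from {src} to {dst}: {dict(services)}")
    if missing_reverse(summary, "Untrust", "DMZ"):
        print("No sessions logged from DMZ to Untrust: check for a permitting policy "
              "in that direction, then confirm with debug flow basic.")
```

Run against the real output of `get log traffic` (saved to a file) the same way; if the DMZ-to-Untrust direction never appears while hosts are pinging, the traffic is being dropped before a policy logs it, which is exactly the case `debug flow basic` is meant to show.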

  • But what must I do for this on the NetScreen 208?

  • I assume that since you can ping the local hosts, then routing is working properly. Do you have a security policy to permit this? You may need to run debug flow basic to find out what is happening with the traffic initiating from the local network.