SRX


Dynamic VPN - Cannot access protected resources

  • 1.  Dynamic VPN - Cannot access protected resources

    Posted 04-14-2017 15:55

    Hello, 

    I think I may be missing something here. I have gone over the documentation for the dynamic VPN and am able to connect with the Pulse client; however, I cannot access any protected resources I specify. It seems to me that the traffic is going through an "Untrust to Untrust" zone, which I have allowed, and it is being allowed through that zone; however, it seems I never get any return traffic. 


    Right now on the SRX300 I have a public interface on ge-0/0/0 with an IP address in a /30 subnet; the VPN addresses are set up on an irb (vlan 2) which is a /24 of public addresses. I'm wondering if this is an issue with the return path, but I'm not sure, because on the device I am trying to ping (172.21.2.2) I can ping IP addresses in the vlan (e.g. 45.17.139.1). The routing to the vlan subnet on the device that provides the route for this subnet routes requests to these addresses to the IP of my external interface, e.g. a request for 45.17.139.1 routes to 45.27.153.57. This might all be totally wrong, I'm really not sure; this is my first time using an SRX and I am really trying to figure it out. Also, I may have added some unnecessary things in the configuration in the security policies (allowing multiple policies to the tunnel) and the NAT (proxy-arp) while trying to get it to work and learning how to activate the debugging logs.


    Additionally, when I SSH into the SRX I can ping 172.21.2.2, and when I plug in to one of the interfaces that gives DHCP I can ping 172.21.2.2 as well. I have attached my configuration and a log of me trying to ping 172.21.2.2. Any help at all would be greatly appreciated. Thank you!



  • 2.  RE: Dynamic VPN - Cannot access protected resources
    Best Answer

    Posted 04-17-2017 07:40

    Figured it out. It seems that there needed to be NAT set for the pool I was using for the VPN users: since they were getting public IP addresses, and the VPN was connecting from the Untrust zone, the NAT rules did not match the traffic for the users. So I added the NAT rule for this pool before the original NAT rule I had set up, and everything seems to work now:


    show security nat 
    source {
        rule-set Untrust-to-Untrust {
            from zone Untrust;
            to zone Untrust;
            rule vpn {
                match {
                    source-address xx.xxx.xxx.xx/29;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set nsw_srcnat {
            from zone Trust;
            to zone Untrust;
            rule nsw-src-interface {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
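To make the reasoning in the accepted answer concrete, here is an added example (not from the original post or from Juniper) that models how a Junos source NAT rule-set is selected by its from-zone/to-zone context and how rules inside it are evaluated first-match. It runs the same VPN-client and LAN flows against the configuration with only the original Trust-to-Untrust rule-set and against the configuration with the added Untrust-to-Untrust rule-set, showing why the VPN pool traffic was previously left un-NATed. The pool prefix (203.0.113.0/29), the client, LAN and Internet addresses, and the zone of the protected host are constructed placeholders; the post masks the real pool as xx.xxx.xxx.xx/29.

```python
"""Simplified model of Junos source-NAT rule-set selection (zone contexts only).

Added example, not part of the original forum thread. It models two things:
  1. a rule-set applies only to flows whose from-zone/to-zone match its context;
  2. inside a rule-set, rules are checked top to bottom and the first match wins.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network = ANY  # omitted destination-address matches anything
    action: str = "interface"                 # "interface" = source-nat interface


@dataclass(frozen=True)
class RuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    from_zone: str
    to_zone: str


def select_rule_set(rule_sets, flow):
    """Return the rule-set whose zone context matches the flow, or None."""
    for rs in rule_sets:
        if rs.from_zone == flow.from_zone and rs.to_zone == flow.to_zone:
            return rs
    return None


def evaluate(rule_sets, flow):
    """Return (action, rule_set_name, rule_name); action is 'no-nat' when nothing matches."""
    rs = select_rule_set(rule_sets, flow)
    if rs is None:
        return ("no-nat", None, None)
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in rs.rules:  # first match wins within a rule-set
        if src in rule.source and dst in rule.destination:
            return (rule.action, rs.name, rule.name)
    return ("no-nat", rs.name, None)


# Constructed placeholder for the masked VPN pool in the post.
VPN_POOL = ipaddress.ip_network("203.0.113.0/29")

# The two rule-sets from the accepted answer.
LAN_RULE_SET = RuleSet("nsw_srcnat", "Trust", "Untrust",
                       (Rule("nsw-src-interface", ANY, ANY, "interface"),))
VPN_RULE_SET = RuleSet("Untrust-to-Untrust", "Untrust", "Untrust",
                       (Rule("vpn", VPN_POOL),))

BEFORE = (LAN_RULE_SET,)                 # original configuration
AFTER = (VPN_RULE_SET, LAN_RULE_SET)     # configuration after the fix

# Constructed flows: a VPN client holding a pool address reaching the protected host,
# and a LAN host going out to the Internet.
VPN_FLOW = Flow("203.0.113.2", "172.21.2.2", "Untrust", "Untrust")
LAN_FLOW = Flow("192.168.1.20", "198.51.100.10", "Trust", "Untrust")


def compare(flow):
    """Evaluate one flow against both configurations."""
    return {"before": evaluate(BEFORE, flow), "after": evaluate(AFTER, flow)}


if __name__ == "__main__":
    for label, flow in (("vpn-client", VPN_FLOW), ("lan-host", LAN_FLOW)):
        print(label, compare(flow))
```

Running it shows the VPN client flow returning `no-nat` under the original configuration (no rule-set has the Untrust/Untrust context, so the packet leaves with its public pool address as source) and `interface` via the `vpn` rule after the fix, while the LAN flow matches `nsw-src-interface` in both cases. On a real SRX the rule-set is chosen by the most specific matching context (interface over zone over routing instance) rather than by listing order, and the model above covers zone contexts only; the first-match behaviour inside a rule-set is the same.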