Screen OS

  • 1.  Netscreen Routing

    Posted 12-24-2013 20:43

    My network is a hub-and-spoke VPN setup (NS-50 hub and NS-5GT spokes).  I want to force spoke sites to access a specific internet site through the hub's internet connection instead of directly through their own connection.

    I created a static route to the internet site on spoke site A's firewall that points to the VPN tunnel to the hub.  I assumed that the hub f/w would pass the traffic to internet site and the responses back, but I'm not getting through.  

    Maybe I missed something obvious?  Would appreciate some guidance!

    Thanks!



  • 2.  RE: Netscreen Routing

    Posted 12-24-2013 23:57

    Hope there are policies from Spoke to hub and from hub to internet to allow this traffic.



  • 3.  RE: Netscreen Routing

    Posted 12-25-2013 03:49

    Also make sure your NAT policy on the hub can accommodate the subnets from the spoke sites going to the internet.



  • 4.  RE: Netscreen Routing

    Posted 12-26-2013 06:20

    Thank you both for your help!

    I currently do not have any NAT policies.

    My network is based on 10.2.0.0/16, with the hub being 10.2.1.0/24 and the spokes being 10.2.X.0/24.  I have these policies:

    From Untrust To Trust
    10.2.0.0/16 to 10.2.0.0/16 ANY Permit

    From Trust To Untrust
    Any-IPv4 to Any-IPv4 ANY Permit

    Untrust Intra-zone policy
    10.2.0.0/16 to 10.2.0.0/16 ANY Permit

    What other policies (and what zones) would I need?  Do I *need* a NAT policy as well?

    Thanks again for your help!



  • 5.  RE: Netscreen Routing

    Posted 12-29-2013 23:28

    Hi,

    It seems that the policy for the remote site network to go out to the internet on the hub site needs to have a nat-src policy.

    For example: on the hub site, an outgoing policy should be present like the following (assuming that x.x.x.x/24 is the local network on the remote spoke site):

    set policy from <Incoming Zone> to <Outgoing zone> x.x.x.x/24 Any Any nat src permit

    Hope it helps!

    BR,

    Swati



  • 6.  RE: Netscreen Routing

    Posted 12-30-2013 06:41

    Thank you for this example.  Examples help me a lot!

    When I try to add the command

    set policy from trust to untrust 10.2.99.0/24 Any Any nat src permit

    I get the error that 10.2.99.0/24 is not defined.

    Maybe I have my overall configuration wrong?  I created my VPNs using the Route-Based VPN wizard, and all of my spoke sites are in the untrust zone.  Would that affect how I should define this NAT policy?

    Thanks again for your help!



  • 7.  RE: Netscreen Routing

    Posted 12-30-2013 22:28

    Hi,

    If you have your Spoke VPNs terminating in the Untrust zone and use the same zone for routing internet traffic out on the HUB site, then you will need to create an intra-zone policy on the Untrust zone for doing source NAT of the traffic coming from the Spoke site.

    set policy from untrust to untrust <Spoke network> Any Any nat src permit

    Also, on the HUB site you need to define the address book entry for the Spoke network, so it doesn't throw an error while adding the intra-zone policy.

    Below is a KB link which might help you. However, in this KB link the tunnel interface is part of the "Trust zone" and internet access is through the "Untrust" zone on the HUB site, so the policy is created accordingly from Trust to Untrust.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB7994&actp=search&viewlocale=en_US&smlogin=true

    Hope it helps!

    BR,

    Swati



  • 8.  RE: Netscreen Routing

    Posted 12-31-2013 13:05

    Thank you for your continued assistance.

    I set the policy per the example you gave, but the site is still unreachable.

    When I reviewed the article you quoted, I found this line:

    set route 1.1.1.1/32 interface untrust gateway 10.1.1.1

    I attempted to modify that for my use as

    set route <hub external IP/32> interface untrust gateway <hub internal gateway IP>

    but it took down my VPN tunnel.

    Do I need this command in my spoke site firewall?



  • 9.  RE: Netscreen Routing
    Best Answer

    Posted 12-31-2013 22:43

    Hi,

    On the Spoke side you will need to add a route to reach the HUB external IP address via the Spoke's firewall gateway address. This route will be required to negotiate the VPN parameters between Spoke and HUB.

    set route <hub external IP/32> interface untrust gateway <Spoke's gateway IP>

    So, please confirm that the route you added is correct on the Spoke firewall, and also the policies on both Spoke and HUB should allow the traffic to pass.

    Hope it helps!

    BR,

    Swati
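The hub-side address book entry and intra-zone source NAT policy from reply 7, together with the spoke-side host route from reply 9 and the original poster's tunnel route, collected into one constructed ScreenOS configuration (added here, not posted by anyone in the thread). Assumptions: the route-based VPN wizard created tunnel.1 on both boxes and the hub already routes 10.2.99.0/24 into it; 1.1.1.5 is the hub's external IP, 192.168.1.1 is spoke A's ISP gateway, 203.0.113.10 stands in for the internet site; lines starting with # are explanatory notes, not ScreenOS commands.

```screenos
# --- Hub (NS-50) ---
# Define the spoke LAN in the address book first; "set policy ... 10.2.99.0/24 ..."
# fails with "not defined" until this entry exists.
set address untrust "spoke-a-lan" 10.2.99.0 255.255.255.0
# Spoke traffic arrives through tunnel.1 in the Untrust zone and leaves to the
# internet from the same zone, so the source NAT policy is intra-zone.
set policy from untrust to untrust "spoke-a-lan" Any Any nat src permit

# --- Spoke A (NS-5GT) ---
# Host route so IKE/IPsec to the hub's external address keeps going out via the
# local ISP; the gateway is the spoke's own ISP gateway, not a hub-side address
# (pointing it at the hub's internal gateway is what dropped the tunnel in reply 8).
set route 1.1.1.5/32 interface untrust gateway 192.168.1.1
# Only the chosen internet site is steered into the tunnel; everything else still
# uses the spoke's own default route.
set route 203.0.113.10/32 interface tunnel.1
```

The existing Trust-to-Untrust permit on the spoke and the Untrust intra-zone permit on the hub from reply 4 remain as they are; the policy above only adds the source NAT that the hub's internet-facing egress needs.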



  • 10.  RE: Netscreen Routing

    Posted 01-01-2014 15:51

    Success!  Thank you so much!



  • 11.  RE: Netscreen Routing

    Posted 01-02-2014 09:40

    My spoke sites are configured for dual-untrust with failover.  Will it cause problems if I have two entries as below, one for each connection (depending on which is active)?

    set route 1.1.1.5/32 interface untrust gateway 192.168.1.1
    set route 1.1.1.5/32 interface untrust gateway 10.1.10.1



  • 12.  RE: Netscreen Routing

    Posted 01-03-2014 05:32

    Hi,

    You will need to configure a new set of VPN using the other outgoing interface as well, and take care of routing via both interfaces using a higher metric route for the other ISP.

    For more info, refer to the KB below:

    http://kb.juniper.net/kb/documents/public/VPN/Interface_Failoverv14.pdf

    Hope it helps!

    BR,
    Swati