Hello, so sorry for the extremely late reply! I ended up fixing it a day after this post and forgot about it; it turns out it was just a wrong subnet for ge-0/0/6, I somehow did a /32 instead of a /24. Having the VPN subnet overlap with my local subnet didn't cause the issue, but it's certainly not good, so I changed it back to my private class B subnet for the VPN as I did for my ASA. Thanks for the help!
Original Message:
Sent: 10-21-2024 17:49
From: Nikolay Semov
Subject: SRX300 Secure Connect Can't Reach Internal Network
You're using NAT, so technically it should be working, but overlapping IP addresses for remote clients with your local subnet looks suspect. While the firewall is aware that, say, 192.168.60.15 is a remote VPN user, your server (192.168.60.2) has no idea that's the case.
You can try to do some flow debugging to see where the problem is, something like this:
monitor security flow filter filter-name-here source-prefix <IP of remote VPN client here>/32 destination-prefix 192.168.60.2/32
monitor security flow file flow-trace
monitor security flow start
--- at this point send test traffic (e.g. a ping) from VPN client to 192.168.60.2 ---
monitor security flow stop
show log flow-trace
------------------------------
Nikolay Semov
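The two address-plan mistakes discussed in this thread (the /32 that the original poster found on ge-0/0/6 in the reply above, and the VPN client pool overlapping the LAN subnet that Nikolay points out) are both easy to catch before the tunnel is ever brought up. The script below is an added example written for this thread, not code from either poster or from Juniper; it uses constructed interface addresses and pool ranges (the names ge-0/0/0.0, ge-0/0/6.0 and the 172.16.50.0/24 pool are assumptions, not values from the redacted config) and flags a host mask on a LAN-facing interface and any overlap between the client pool and a connected subnet.

```python
"""Sanity-check an SRX-style interface/VPN address plan for the two mistakes in
this thread: a host mask (/32) on a LAN-facing interface, and a remote-access
client pool that overlaps a locally attached subnet.

All addresses below are constructed for the example; none are taken from the
poster's config.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warning"
    message: str


def parse_interfaces(interfaces):
    """{unit name: "address/prefix"} -> {unit name: IPv4Interface/IPv6Interface}"""
    return {name: ipaddress.ip_interface(addr) for name, addr in interfaces.items()}


def check_host_masks(interfaces):
    """A /32 (or /128) on an interface meant to serve a LAN leaves no room for
    any other host in the subnet: the box has no connected route covering its
    neighbours, so packets from the VPN pool can never be forwarded to them."""
    findings = []
    for name, iface in parse_interfaces(interfaces).items():
        if iface.network.prefixlen == iface.max_prefixlen:
            findings.append(Finding(
                "error",
                f"{name} has a host mask ({iface}); a LAN interface normally "
                f"needs a subnet mask such as /24",
            ))
    return findings


def check_pool_overlap(interfaces, pool):
    """Overlap between the client pool and a connected subnet is the situation
    Nikolay describes: the SRX knows the client address is a VPN user, but a
    server on the LAN treats it as on-link and ARPs for it directly instead of
    sending the reply to the firewall (unless proxy ARP is configured)."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    findings = []
    for name, iface in parse_interfaces(interfaces).items():
        net = iface.network
        if net.version == pool_net.version and net.overlaps(pool_net):
            findings.append(Finding(
                "warning",
                f"VPN pool {pool_net} overlaps {name} subnet {net}; pick a pool "
                f"from a range not used on any connected interface",
            ))
    return findings


def audit(interfaces, pool):
    """Run both checks and return the combined list of findings (empty = clean)."""
    return check_host_masks(interfaces) + check_pool_overlap(interfaces, pool)


# Constructed "before" plan that reproduces both problems from the thread.
BROKEN = {
    "ge-0/0/0.0": "192.168.1.10/24",   # assumed uplink towards the home router
    "ge-0/0/6.0": "192.168.60.1/32",   # LAN port with the accidental /32
}
BROKEN_POOL = "192.168.60.0/24"        # client pool in the same range as the LAN

# Constructed "after" plan: /24 on the LAN port, pool moved to a separate RFC 1918 range.
FIXED = {
    "ge-0/0/0.0": "192.168.1.10/24",
    "ge-0/0/6.0": "192.168.60.1/24",
}
FIXED_POOL = "172.16.50.0/24"


if __name__ == "__main__":
    for label, plan, pool in (("before", BROKEN, BROKEN_POOL), ("after", FIXED, FIXED_POOL)):
        print(f"== {label} ==")
        for f in audit(plan, pool) or [Finding("ok", "no findings")]:
            print(f"[{f.severity}] {f.message}")
```

Running it prints an error for the /32 and a warning for the overlap on the "before" plan and nothing for the "after" plan. The overlap check is deliberately a warning rather than an error, matching Nikolay's point that NAT can make an overlapping pool work in some setups even though it is a poor design; the host-mask check is an error because a /32 on the LAN port cannot route to anything.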
Original Message:
Sent: 10-20-2024 12:18
From: plaush
Subject: SRX300 Secure Connect Can't Reach Internal Network
Hello, I'm a student with a homelab looking to learn about Juniper, I bought a used SRX300 and I'm currently learning the ropes. My config is rather basic with no custom security zones, DHCP Server & this semi-functional Secure Connect Remote Access VPN.
I'm able to connect VPN and browse the internet (split tunneling works), however I'm unable to reach the internal network despite being assigned an IP within the network; can't access any internal website, ping or basically anything.
I suspect it's a NAT issue. My SRX is connected to my home consumer wireless router, which acts as the 'ISP'; it probably isn't the problem, as I tried disabling its firewall. I'm a bit lost, as I already have a NAT rule that translates all IPs in 'trust' going to zone 'untrust', aka the internet.
I'd appreciate any help, but it'd be best to explain where I went wrong!
Edit:
Here's the config with some redaction: Juniper SRX300 Config - Pastebin.com
------------------------------
Ong Wei Ze
------------------------------