Branch office VPN to Lan and DMZ

[How to run the NSM GUI under Mac OS X]

How to run the NSM GUI under Mac OS X
How to setup a route-based VPN on a NetScreen
How to make your PPTP VPN client work through a NetScreen/SSG
Setting up a dial-up VPN and NetScreen Remote
How the Global Zone Works (It's probably not what you think)
How to configure NetScreen/SSG devices to work with the built in Mac OS X VPN client
How to Configure Dial-up VPN with route-based tunnels, XAuth, and use IPSecuritas

[holdenga]

Is there a recommended configuration for a remote branch VPN to allow access to the LAN and DMZ zones?  I have an SSG5 to NS25 policy based LAN-LAN VPN in place now, but need to add access to the DMZ for remote users.

Thanks

g

[holdenga]

Is this even supported by Screen O/S?   

g

[marty]

It us supported by NS. Explain your set-up please.

[holdenga]

Remote office is using SSG-5 ver. 6.1.0r2.  Lan IP is 192.168.110.0/24. 

Main office is NS-25 ver 5.3.0r4. LAN subnet of 192.168.100.0/24, DMZ of 192.168.101.0/25.

I have a policy based vpn from the remote LAN to the main office LAN which is working well.  Would like to include access from the remote LAN to the DMZ on the NS-25.  I've not found reference to this type of function in the NS-25 docs, but I'm probably missing something.  Just want to get an idea on how it should be done.  Any suggestions are appreciated.

g

[marty]

Ok so your remote lan to main office Lan is working now you want configure remote lan to main office dmz as well.

1) Cant you supernet both the main office LAN and DMZ address and configure in the VPN as a single address.

2) If you do not want that then you can configure tunnel interface on the external interface of you main office netscreen.
and then configure required policies from Untrust to Main office Lan and Untrust to DMZ office Lan, in order to segregate traffic.

[holdenga]

 I'd prefer to go with option 2.  This is essentially creating 2 tunnels, one for each subnet, right?  I'll give that a shot.

g

>>2) If you do not want that then you can configure tunnel interface on the external interface of you main >>office netscreen. and then configure required policies from Untrust to Main office Lan and Untrust to DMZ >>office Lan, in order to segregate traffic.

[marty]

Yep...crate two tunnel interfaces on the external interface.
Route based VPN always give you extra functionality than a policy based VPN, as you can restrict your VPN traffic based on your policies, it works just like the Checkpoint Encryption domain and rules combo works.
Go ahead an let us know if you encounter any issues.

•      Forum/Home
•      Store
•      Articles
•        Tech Articles
•        Industry News
•        Site News
•      Knowledgebase
•        JUNOS/Routing
•        NS/ISG/SSG/NSM
•        SSL VPN
•      Downloads

Please consider donating if we've saved you time or money. It helps pay for the bandwidth, equipment, and hosting charges to keep this site running

Submit Article/KB - Do not submit questions here.

[Today]

• SRX-210H port-mirroring s... by ociz [Today at 02:14:13 PM]
• configs out of sync by ciscler [Today at 01:11:30 PM]
• Monitoring user bandwidth... by x0rerror [Today at 12:30:20 PM]
• NSRP active/passive with ... by junreaper [Today at 08:41:52 AM]
• Ladies’ fashionable shoes... by fivefingers8 [Yesterday at 06:54:36 PM]
• Routing Traffic From Cust... by fivefingers8 [Yesterday at 06:52:49 PM]
• Load balancing on J-serie... by fivefingers8 [Yesterday at 06:49:46 PM]
• Juniper SSG or other bran... by whoppi [Yesterday at 11:23:49 AM]
• NS25 and NS Remote - Want... by mbrown [Yesterday at 10:38:14 AM]
• Netscreen SSG Policy base... by thisisnuts999 [Yesterday at 07:01:01 AM]

Members

• Total Members: 22068
• Latest: vu.luu@flysfo.com

Stats

• Total Posts: 39593
• Total Topics: 10459
• Online Today: 72
• Online Ever: 393
• (August 06, 2008, 07:40:57 AM)

Users Online

Users: 1
Guests: 30
Total: 31

eagq