Netscreen 5XP (25)

Hi all, I created a VPN to my NetScreen 5XP and I can connect using NetScreen Remote (connection established), but I cannot connect to my internal network.

I was using this link

Could you help?

Thank you, Robert

Reply to
Robert

If your connection is established, either you used incorrect proxy-IDs on both sides (unlikely) or your policy is wrong (much more likely).

You may have also picked an invalid subnet or IP to assign to your client.

If you want more help you'll need to provide more info -- you just posted the equivalent of asking "my car won't start what's wrong?".

Also the URL you specified is only available with a support login.

-Russ.

Reply to
Somebody.

I went step by step via the "how to" doc.

Subnet is OK

unset hardware wdt-reset
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "--------------------------"
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust nat
set interface untrust ip 80.80.192.30/28
set interface untrust route
set interface untrust gateway 80.169.192.17
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage web
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option dns1 195.110.64.205
set interface trust dhcp server option dns2 195.110.64.206
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set flow tcp-mss
set hostname ns5xp
set address "Trust" "Internal Net" 192.168.1.0 255.255.255.0
set user "User1" uid 5
set user "User1" ike-id u-fqdn " snipped-for-privacy@domain.com" share-limit 1
set user "User1" type ike
set user "User1" "enable"
set user "User2" uid 2
set user "User2" ike-id u-fqdn " snipped-for-privacy@domain.com" share-limit 1
set user "User2" type ike
set user "User2" "enable"
set user-group "VPNGROUP" id 1
set user-group "VPNGROUP" user "User1"
set user-group "VPNGROUP" user "User2"
set ike gateway "vpngateway2" dialup "VPNGROUP" Aggr outgoing-interface "untrust" preshare "4kpyIF0uNhuQq9soOcCyQ5HrJTnrKWfTxg==" proposal "pre-g1-des-sha"
set ike gateway "vpngateway2" cert peer-cert-type x509-sig
unset ike gateway "vpngateway2" nat-traversal
set ike respond-bad-spi 1
set vpn "dialupvpn2" gateway "vpngateway2" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "dialupvpn2" monitor
set policy id 2 name "VPNRemote" from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "dialupvpn2" id 5 log
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Reply to
Robert

What subnet is your client's ethernet card in, and what subnet if any did you apply to your client?

There's nothing in particular wrong with your appliance setup as shown, if your client is correctly configured. With that setup, you can't use a Virtual IP for the client. I'd recommend also enabling NAT on the policy coming in. You should do a flow debug to see what is actually happening to the inbound packets too. (If they're actually arriving at the NS, what do the logs show you?)

Reply to
Somebody.

I am at home; my network/subnet is 192.168.1.0/24.

The remote subnet is the same. I made a change: the remote network is now 10.10.10.0/24.

I enabled NAT traversal, but still nothing.

Strange thing: after I connect to the network I should get the remote network config, but I am not obtaining the remote network :(

Another thing: this is a test firewall. I have an ISP fibre channel box going to my Cisco 3640, with inside and outside public IPs; I have 16 public IPs (for example 80.80.169.15/255.255.255.240). There is one PIX with 80.80.169.18, and there is a site-to-site VPN in the same network. I placed the NetScreen 5XP with 80.80.169.30 and I am trying to create a VPN (the same subnet mask). I do not think it is the issue, but maybe?

This is my new config:

set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.10.10.254/24
set interface trust nat
set interface untrust ip 80.80.192.30/28
set interface untrust route
set interface untrust gateway 80.80.192.17
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage telnet
set interface untrust manage web
set flow tcp-mss
set hostname ns5xp
set dns host dns1 195.110.64.205
set dns host dns2 195.110.64.206
set address "Trust" "LocalLan" 10.10.10.0 255.255.255.0
set user "Joanna" uid 9
set user "Joanna" ike-id u-fqdn " snipped-for-privacy@domain.org" share-limit 1
set user "Joanna" type ike
set user "Joanna" "enable"
set user "Robert" uid 8
set user "Robert" ike-id u-fqdn " snipped-for-privacy@domain.org" share-limit 1
set user "Robert" type ike
set user "Robert" "enable"
set user-group "OfficeVPN" id 3
set user-group "OfficeVPN" user "Joanna"
set user-group "OfficeVPN" user "Robert"
set ike gateway "OfficeVPNG" dialup "OfficeVPN" Main outgoing-interface "untrust" preshare "gSrX/i8dNC6dFHskqwC1aX2/Mwn11WaLuQ==" proposal "pre-g1-des-sha"
set ike gateway "OfficeVPNG" nat-traversal udp-checksum
set ike gateway "OfficeVPNG" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set vpn "OfficeIKE" gateway "OfficeVPNG" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set pki authority default scep mode "auto"
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "LocalLan" "ANY" nat src tunnel vpn "OfficeIKE" id 10 log count
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count
set global vpn
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Reply to
Robert

This is specifically why I'm trying to get this info out of you: if your LAN IP where the client is running is in the same subnet as the remote IP of the NetScreen's trust interface, it won't work. They need to be different.

Ok, so your remote subnet in the client is specified as 10.10.10.0/24, that's correct now since that matches the trust network on the NetScreen shown below. Good.

Nat Traversal needs to be enabled on the netscreen phase 1 (which you did according to the config below) as well as on the client itself.

I was suggesting you enable NAT on the incoming policy. It's in the advanced properties.

No, you won't under the config you have. That's ok, your PC is *not* getting a virtual IP, it's going to participate in the remote LAN using the trusted IP of the NetScreen. It's a kind of automagical thing.

This is much more likely where your problem lies. Two things: 1) Are you sure that protocol 50 traffic gets to the netscreen? Clearly UDP 500 does.

2) Is there any chance that in your config the PIX is trying to pick up the return traffic? What are its remote and local subnets set to? What is the default gateway of the PCs in that network?

Have you looked in the policy logs to see what traffic is going through them, or done a flow debug yet?

-Russ.

Reply to
Somebody.
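The checks Russ walks through (client LAN overlapping the remote trust network, NAT-T on the phase-1 gateway, NAT on the inbound policy) and the proxy-ID versus policy split from his first reply can be run mechanically against a ScreenOS config before touching a flow debug. The script below is an added example, not code from this thread or from NetScreen/Juniper: it parses the handful of `set` lines that matter, then compares them with what the client is configured for. The two config excerpts are constructed from Robert's posted configs (IPs as posted, pre-shared keys replaced by a placeholder), and the client-side subnets passed in are assumptions that mirror what he reported. It also flags single-DES and DH group 1 proposals, which neither post mentions but which a practitioner would want called out.

```python
"""Static checker for ScreenOS dial-up VPN misconfigurations (added example)."""
import ipaddress
import shlex

# Constructed from Robert's first config: the lines the checker cares about.
FIRST_CONFIG = """\
set interface trust ip 192.168.1.1/24
set interface trust ip manageable
set address "Trust" "Internal Net" 192.168.1.0 255.255.255.0
set ike gateway "vpngateway2" dialup "VPNGROUP" Aggr outgoing-interface "untrust" preshare "PLACEHOLDER" proposal "pre-g1-des-sha"
unset ike gateway "vpngateway2" nat-traversal
set vpn "dialupvpn2" gateway "vpngateway2" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vpn "dialupvpn2" monitor
set policy id 2 name "VPNRemote" from "Untrust" to "Trust" "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "dialupvpn2" id 5 log
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count
"""

# Constructed from Robert's second config.
SECOND_CONFIG = """\
set interface trust ip 10.10.10.254/24
set address "Trust" "LocalLan" 10.10.10.0 255.255.255.0
set ike gateway "OfficeVPNG" dialup "OfficeVPN" Main outgoing-interface "untrust" preshare "PLACEHOLDER" proposal "pre-g1-des-sha"
set ike gateway "OfficeVPNG" nat-traversal udp-checksum
set vpn "OfficeIKE" gateway "OfficeVPNG" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set policy id 2 from "Untrust" to "Trust" "Dial-Up VPN" "LocalLan" "ANY" nat src tunnel vpn "OfficeIKE" id 10 log count
"""


def parse_screenos(text):
    """Pull trust subnet, address objects, IKE gateways, VPNs and policies out of 'set' lines."""
    cfg = {"trust_subnet": None, "addresses": {}, "gateways": {}, "vpns": {}, "policies": []}
    for raw in text.splitlines():
        t = shlex.split(raw)  # honours the quoted names ScreenOS uses
        if len(t) < 3 or t[0] not in ("set", "unset"):
            continue
        verb, kind = t[0], t[1]
        if kind == "interface" and t[2] == "trust" and t[3:4] == ["ip"] and len(t) == 5 and "/" in t[4]:
            cfg["trust_subnet"] = ipaddress.ip_interface(t[4]).network
        elif kind == "address" and len(t) == 6:  # set address <zone> <name> <ip> <mask>
            cfg["addresses"][t[3]] = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
        elif kind == "ike" and t[2] == "gateway":
            gw = cfg["gateways"].setdefault(t[3], {"mode": None, "proposal": None, "nat_t": None})
            if "nat-traversal" in t:          # 'set ... nat-traversal' enables, 'unset' disables
                gw["nat_t"] = verb == "set"
            if "dialup" in t:                 # set ike gateway <n> dialup <group> Aggr|Main ...
                gw["mode"] = t[t.index("dialup") + 2]
            if "proposal" in t:
                gw["proposal"] = t[t.index("proposal") + 1]
        elif kind == "vpn" and "gateway" in t:
            cfg["vpns"][t[2]] = {"gateway": t[t.index("gateway") + 1],
                                 "proposal": t[t.index("proposal") + 1] if "proposal" in t else None}
        elif kind == "policy" and "from" in t and "to" in t:
            i, j = t.index("from"), t.index("to")
            rest = t[j + 5:]                  # everything after <src> <dst> <service>
            cfg["policies"].append({
                "src_zone": t[i + 1], "dst_zone": t[j + 1],
                "src_addr": t[j + 2], "dst_addr": t[j + 3], "service": t[j + 4],
                "nat_src": rest[:2] == ["nat", "src"],
                "action": "tunnel" if "tunnel" in rest else ("permit" if "permit" in rest else "deny"),
                "vpn": rest[rest.index("vpn") + 1] if "vpn" in rest else None,
            })
    return cfg


def check_dialup_vpn(cfg, client_lan, client_remote):
    """Return (code, message) findings for a NetScreen-Remote style client; empty list = nothing obvious."""
    findings = []
    lan = ipaddress.ip_network(client_lan, strict=False)
    remote = ipaddress.ip_network(client_remote, strict=False)
    trust = cfg["trust_subnet"]
    if trust is None:
        return [("NO_TRUST_IP", "no 'set interface trust ip a.b.c.d/n' line found")]
    if lan.overlaps(trust):  # the client's own LAN must not be the network it tunnels into
        findings.append(("OVERLAP", f"client LAN {lan} overlaps remote trust network {trust}; they need to be different"))
    if remote != trust:      # phase-2 proxy-ID / routing: client must target the trust network
        findings.append(("REMOTE_MISMATCH", f"client remote network {remote} does not match trust network {trust}"))
    tunnels = [p for p in cfg["policies"]
               if (p["src_zone"], p["dst_zone"], p["src_addr"], p["action"]) == ("Untrust", "Trust", "Dial-Up VPN", "tunnel")]
    if not tunnels:
        findings.append(("NO_TUNNEL_POLICY", "no Untrust->Trust policy tunnelling 'Dial-Up VPN' traffic"))
    for p in tunnels:
        dst = cfg["addresses"].get(p["dst_addr"])
        if dst != remote:
            findings.append(("PROXY_ID", f"policy destination '{p['dst_addr']}' = {dst} but client remote network is {remote}"))
        if not p["nat_src"]:
            findings.append(("NO_NAT_SRC", "inbound tunnel policy has no 'nat src' (recommended above)"))
        vpn = cfg["vpns"].get(p["vpn"])
        gw = cfg["gateways"].get(vpn["gateway"]) if vpn else None
        if gw is None:
            findings.append(("DANGLING", f"policy references vpn '{p['vpn']}' with no matching vpn/gateway"))
            continue
        if gw["nat_t"] is False:
            findings.append(("NAT_T_OFF", f"NAT traversal is unset on gateway '{vpn['gateway']}'; a client behind NAT needs it "
                                          "(raw ESP, IP protocol 50, is usually dropped or mangled by NAT/PAT)"))
        for prop in (gw["proposal"], vpn["proposal"]):
            if set((prop or "").lower().split("-")) & {"des", "g1"}:
                findings.append(("WEAK_CRYPTO", f"proposal '{prop}' uses single DES and/or DH group 1"))
    return findings


if __name__ == "__main__":
    cases = (("first config, client on 192.168.1.0/24 at home", FIRST_CONFIG, "192.168.1.0/24", "192.168.1.0/24"),
             ("second config, client on 192.168.1.0/24 at home", SECOND_CONFIG, "192.168.1.0/24", "10.10.10.0/24"))
    for label, text, lan, remote in cases:
        print(label)
        for code, msg in check_dialup_vpn(parse_screenos(text), lan, remote) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Against the first config with the client at home on 192.168.1.0/24 it reports the subnet overlap, NAT-T unset and the missing `nat src`; against the second config with the same client it reports only the weak DES/group 1 proposals. The "flow debug" Russ asks for is the dynamic counterpart: on ScreenOS that is `debug flow basic` with a `set ffilter` narrowed to the client's address, read back with `get dbuf stream`, and this static pass is what to run before it.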

I did it again. It works :D The same settings, but again.

Thank you. PS: at home I have 192.168.1.xxx but at work only 10.10.yyy.zzz, and the strange thing was that at work it did not work; now it works.

Thank you again

Robert

Reply to
Robert

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.