Routing change from tunnel to a direct link issue
Hi All, Existing setting: HQ and the remote office are using a site-to-site VPN to communicate. 96.0/20 traffic is routed via eth1/3.1 via the tunnel to the remote site office. 192.168.96.0/20 <NS...
Re: Routing change from tunnel to a direct link issue
Here are some of the HQ and remote site interface lists and routing tables
Site-to-site VPN between 3 locations (hairpin NAT)
Want to connect the VPN between 3 sites like below: BranchA (SSG140) <-> HA (SSG140) <-> BranchB (Palo Alto PA-820). The VPN between the branch and HA was established. Problem is how to make Branch...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Hi, It's mandatory to have hair-pin NAT for VPN. I think you are trying to configure the HUB and spoke VPN. Please check the below examples:...
Re: Routing change from tunnel to a direct link issue
Hi, The config looks OK, ACL 9 should be hit before 6 and 7. Can you collect a flow debug on the HQ box while attempting the internal ping? clear db; unset ff (repeat till you see the message - Invalid ID); set...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Hello vikassingh, since my existing VPNs are not using NAT, does that mean I have to re-create a new set of tunnels for the "hub and spoke"? That's a big change and risky. As I https/ssh to the firewall...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Hi, NAT mainly changes source/destination IPs and mostly we use it while accessing the Internet or for hosting some server on the Internet. If there is no such requirement then I doubt that you will need any...
Re: ISG2000 High Availability issue
Hello vikassingh, Check the output from another node:
CORE-FIREWALL-2(I)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 9693312
active units discovered:
index: 0, unit...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Is your existing VPN from the SSG remote site to the HA site a route-based VPN? If so, you can simply add the route to the PAN site on the SSG remote site. Expand the security policy to permit the traffic...
Re: ISG2000 High Availability issue
1) Will the changes made on Master (during the time back in INOPERABLE state) be auto copied to Backup? Or does some manual command need to be run?
Vikas: Yes, nothing extra needed to sync the config....
Re: ISG2000 High Availability issue
Thanks @vikassingh for helping out. Is there any NetScreen command equivalent to ">request routing-engine login", or any other way to log in to the Backup node?
Re: ISG2000 High Availability issue
Unfortunately, there is no way to log in from one node to the other over the HA links. You need to have ip and manage-ip configured on the interfaces to access the Master and Backup node respectively. Thanks, Vikas
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Hello spuluka, routes and policies were set for the 3 sites, but the pings still time out. The interesting thing is that all 3 sites' firewall logs show the pings are allowed with the correct...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Once the VPN scope between PAN and the hub site is expanded to allow the IP address range from site A, there is no need for NAT. In addition to the policy check, you can use snoop to verify the return...
Re: Site-to-site VPN between 3 locations (hairpin NAT)
Hi, I understand that you see the PING traffic from SiteA to SiteB (PA), via HA (SSG). How are you checking the log/traffic in PA? If I remember correctly, in PA's traffic logs you can see whether you...
Authentication window does not work in a world of "Let's Encrypt"
This is on an SSG5: For years, I have been limiting Internet access from a couple subnets via the authentication option. The users would have to enter a valid local userid & password to get out....
Selective NATing
I recently changed my ISP such that now my SSG5 needs to do the NATing function for the private IP addresses. I have a /28 block of public addresses behind my ISP access gateway (that only NATs the...
Re: Unable to define new admin user on command line ?
Hi everyone, I am facing a similar issue: by issuing get admin user, I can see 2 users with RW privilege; however, I am unable to create an account using either rw admin.
F35001(M)-> get admin user
Name...
Re: Unable to define new admin user on command line ?
There is a single "admin" user with "root" access. The name by default is netscreen but can be changed. This is the only user that can run this command. Other admin users can have full read/write but...