Channel: All ScreenOS Firewalls (NOT SRX) posts
Browsing all 2577 articles

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Hi, wrote: Hello spuluka, Routes and policies were set for the 3 sites. But the pings are still timing out. The interesting thing is that all 3 sites' firewall logs show the pings are allowed with correct...

Re: Selective NATing

Hi, What is the zone in which you have got 'ethernet0/2'? I guess Untrust?

Re: Authentication window does not work in a world of "Let's Encrypt"

Hi, The firewall cannot intercept an HTTPS connection and redirect it to the authentication page. You may want to adopt web-auth, where users first need to visit an internal IP, authenticate themselves and...

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Hello panita, Destination-based routes were set in the 2 spoke firewalls. Both routes are destined to the other spoke's subnet and use the tunnel interface. Without those routes, I think those ping...

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Hello, The firewalls on both Branch sides have the routes, I agree. Based on your post earlier, I understand that the Branch firewall was forwarding the pings but the workstation was not responding to the...

Re: Site-to-site VPN between 3 locations (hairpin NAT)

When you are looping traffic through a central site between two other sites connected by VPN, there are two options. The NAT option you mention is when you do not change the VPNs but use NAT IP...

Re: Selective NATing

Actually I created my own zone HTT, that I put in the untrust-vr, and that is what is on interface 0/2:

set zone id 100 "HTT"
set zone "HTT" vrouter "untrust-vr"
set interface "ethernet0/2" zone "HTT"

Re: Selective NATing

Got it. So, is your current policy a simple permit policy, or have you called NAT in it? (Trust to HTT, permit) Easiest solution I can think of:
- move the trust interface to Route mode
- Configure 2...

Re: Selective NATing

Yes, I have a simple permit rule for the trusted zone(s) (office, labs, home) to the untrusted zone (htt). And each trusted interface is set to NAT. I was thinking that 2 rules, one with NAT, would...

Re: Selective NATing

I had a typo in the destination address subnet for the no-NAT policy. Fixed that, and all is well. Private IPs to DMZ servers, and private IPs NATed to public. Thanks.

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Hello spuluka, I tried a simpler test without the workstations involved. I pinged each other's gateway IP at both spokes. The status of "Close Reason" in the ScreenOS policy log makes me doubt the...

Re: Site-to-site VPN between 3 locations (hairpin NAT)

I'm not sure I follow the topology now. Are you saying there are two paths between spoke A and the data center hub site? If so, asymmetrical routing could cause failures. Since this does work in one...

SSL ciphersuite

On my SSG5, I am running 6.3.0r26, which I believe is the most current. The most current SSL cipher shown in the GUI is 3DES-SHA1. The config has: set ssl encrypt 3des sha-1. My browser does not...

Re: SSL ciphersuite

Unfortunately, that is the highest cipher supported. I end up using Firefox, which still allows accepting the risk for lower ciphers, to connect via the web UI to these devices.

Re: SSL ciphersuite

I am using Firefox v64 on Fedora 28. How did you get it to accept 3DES-SHA1? I have a few things to tune up, then I will probably be good for the next 4 years with a fairly stable setup. 

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Topology like below:

spokeA (SSG 192.168.1.0) <--- tunnel.1A (VPN) ---> Hub (DataCenter SSG) <--- tunnel.1B ---> spokeB (PA 172.16.2.0)
<--- tunnel.2A (P2P) --->

Previously, I set route...

Re: Site-to-site VPN between 3 locations (hairpin NAT)

If traffic is initiated from the SpokeB (PA) side then it works; if it's initiated from SpokeA to SpokeB then it fails. Can you please ensure that the bidirectional policy is configured properly with the...

Re: Selective NATing

Glad to hear that. Please mark this thread as resolved so that it would help other users with a similar requirement.

Re: Site-to-site VPN between 3 locations (hairpin NAT)

Found the solution for the last issue. In Palo Alto, besides routing and security policies, there is a "Policy Based Forwarding" setting. This determines whether the traffic from different zones uses the...

Re: SSL ciphersuite

Can't remember the exact setting change, but there are a series of SSL settings in the hidden about:config menu that can be manually overridden.
