07-06-2016 09:55 PM
VPN Site to Site
I have communication between site A and site B, and between site A and site C, but I have no communication between B and C through A.
Site A (headquarters )
Site B (Windows Azure)
Site C (Bank)
The required communication is the site B to contact C through A.
Can you help me, please?
07-07-2016 09:50 AM
I have a VPN between site "B" and site "A" and it is working properly.
I have a VPN between site "C" and site "A" and it is working properly.
The problem was that when you sent a ping from site "B" to site "C" through site A, it did not respond.
Your comments helped me solve the problem.
I share the details of the solution.
Thank you
Site B
Firewall: Juniper SSG5
LAN: 192.168.51.0/24
Site C
Firewall: PA200
LAN: 192.168.20.0/24
Site A
Firewall: PA 3020
LAN: 172.16.16.0/20
Routing B
set route 172.16.16.0/20 interface tunnel.1
set route 192.168.20.0/24 interface tunnel.1
Policies B
set policy id 3 from "Trust" to "Untrust" "192.168.51.0/24" "172.16.16.0/20" "ANY" permit
set policy id 3
set dst-address "192.168.20.0/24"
exit
set policy id 4 from "Untrust" to "Trust" "172.16.16.0/20" "192.168.51.0/24" "ANY" permit
set policy id 4
set src-address "192.168.20.0/24"
exit
Routing C
destination nexthop metric flags age interface next-AS
172.16.16.0/20 0.0.0.0 10 A S tunnel.1
192.168.51.0/24 0.0.0.0 10 A S tunnel.1
Policies C
Site A and B TO site C {
    from Untrust;
    source [ 172.16.16.0/20 192.168.51.0/24 ];
    source-region none;
    to Trust;
    destination 192.168.20.0/24;
    destination-region none;
    user any;
    category any;
    application/service any/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
Routing A
destination nexthop metric flags age interface next-AS
192.168.51.0/24 0.0.0.0 10 A S tunnel.6
192.168.20.0/24 0.0.0.0 10 A S tunnel.7
Policies A
Site B-Site C {
    from untrust;
    source 192.168.51.0/24;
    source-region none;
    to untrust;
    destination 192.168.20.0/24;
    destination-region none;
    user any;
    category any;
    application/service any/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
Site B-Site A {
    from untrust;
    source 192.168.51.0/24;
    source-region none;
    to trust;
    destination 172.16.16.0/20;
    destination-region none;
    user any;
    category any;
    application/service any/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
Site C-Site A {
    from untrust;
    source 192.168.20.0/24;
    source-region none;
    to trust;
    destination 172.16.16.0/20;
    destination-region none;
    user any;
    category any;
    application/service any/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
}
07-07-2016 02:44 AM
Hi Javier,
Could you elaborate on what exactly you need assistance with?
Did you try setting up a specific configuration that didn't work, or are you wondering if it is conceptually possible?
You can use site A as a hub by making sure each remote site has routes for the other remote site's subnet pointing at the tunnel interface, and possibly matching proxy IDs so each site knows it needs to put traffic destined for the other site into the HQ tunnel, then simply set security policies on the HQ site to allow the traffic.
07-07-2016 06:49 AM
I'm sorry, I accepted the solution by mistake.
Give me 30 minutes to send more details.
Thank you
07-10-2016 03:49 AM
Is your issue solved? If not:
From what you list here, it looks like the VPN from B will not allow traffic with an IP address of C to enter the tunnel, and the same seems to be the case in reverse. Your tunnels only seem to capture traffic for the A subnet to these sites.
There would be two basic options:
1. Add the missing subnet to both tunnels (proxy-ID pairs) so that traffic will be accepted by the tunnels and forwarded through both. This requires changes to all three VPN setups.
2. NAT the traffic between B and C. On the side where the session is initiated, NAT the destination to an available address at site A. On site A, NAT this address back to the original for the site and forward it on to the existing tunnel.
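The hub-and-spoke conditions from the 07-07 reply and the proxy-ID diagnosis in this post, as an added example (Python, not code from the thread, Palo Alto or Juniper): a reachability check over a constructed model of the three sites' routes, proxy-ID pairs and hub policies, using the thread's subnets and tunnel names; the dict layout and the host addresses in the tests are assumptions.

```python
"""Added example (not from the thread or either vendor): checks the thread's
B -> A -> C flow. It passes only if the sending spoke routes it into its tunnel,
the proxy-IDs on each tunnel cover it, the hub permits it between ingress and
egress zones, and the far spoke can route the reply. Subnets are the thread's."""
from ipaddress import ip_address, ip_network

def lookup(routes, ip):  # longest-prefix match over {prefix: interface}; None if unrouted
    hits = [p for p in routes if ip_address(ip) in ip_network(p)]
    return routes[max(hits, key=lambda p: ip_network(p).prefixlen)] if hits else None
def proxy_ok(pairs, local, remote):  # True if a (local, remote) proxy-ID pair covers the flow
    return any(ip_address(local) in ip_network(l) and ip_address(remote) in ip_network(r)
               for l, r in pairs)

def trace(src, dst, spoke, hub, far):
    """Failure reasons for src (behind spoke) -> dst (behind far); [] means reachable."""
    out = lookup(spoke["routes"], dst)
    if out is None:
        return ["spoke: no route to " + dst]
    fails = []
    if not proxy_ok(spoke["proxy"][out], src, dst):
        fails.append("spoke: proxy-ID on %s does not cover %s->%s" % (out, src, dst))
    h_in, h_out = lookup(hub["routes"], src), lookup(hub["routes"], dst)  # ingress/egress tunnels
    if h_in is None or h_out is None:
        return fails + ["hub: no route for %s->%s" % (src, dst)]
    fz, tz = hub["zone"][h_in], hub["zone"][h_out]
    if not any(f == fz and t == tz and ip_address(src) in ip_network(s)
               and ip_address(dst) in ip_network(d) for f, t, s, d in hub["policies"]):
        fails.append("hub: no %s->%s policy for %s->%s" % (fz, tz, src, dst))
    if not (proxy_ok(hub["proxy"][h_in], dst, src) and proxy_ok(hub["proxy"][h_out], src, dst)):
        fails.append("hub: proxy-IDs on %s/%s do not cover %s<->%s" % (h_in, h_out, src, dst))
    back = lookup(far["routes"], src)
    if back is None or not proxy_ok(far["proxy"][back], dst, src):
        fails.append("far spoke: cannot return traffic to " + src)
    return fails

A_NET, B_NET, C_NET = "172.16.16.0/20", "192.168.51.0/24", "192.168.20.0/24"
def topology(spoke_to_spoke):  # constructed model; True applies option 1 of the 07-10 reply
    B = {"routes": {A_NET: "tunnel.1", C_NET: "tunnel.1"}, "proxy": {"tunnel.1": [(B_NET, A_NET)]}}
    C = {"routes": {A_NET: "tunnel.1", B_NET: "tunnel.1"}, "proxy": {"tunnel.1": [(C_NET, A_NET)]}}
    A = {"routes": {B_NET: "tunnel.6", C_NET: "tunnel.7"},
         "zone": {"tunnel.6": "untrust", "tunnel.7": "untrust"},
         "proxy": {"tunnel.6": [(A_NET, B_NET)], "tunnel.7": [(A_NET, C_NET)]},
         "policies": [("untrust", "trust", B_NET, A_NET), ("untrust", "trust", C_NET, A_NET)]}
    if spoke_to_spoke:  # the missing proxy-ID pairs on all three devices plus the hub rule
        B["proxy"]["tunnel.1"].append((B_NET, C_NET))
        C["proxy"]["tunnel.1"].append((C_NET, B_NET))
        A["proxy"]["tunnel.6"].append((C_NET, B_NET))
        A["proxy"]["tunnel.7"].append((B_NET, C_NET))
        A["policies"].append(("untrust", "untrust", B_NET, C_NET))
    return B, A, C
```

With the hub rule modelled as posted (source B, destination C), a session initiated from C toward B is still refused by the hub, which matches the requirement stated in the question that only B needs to reach C.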