
| Subject: | Re: One-Way VPN on Two Netscreens |
|---|---|
| Date: | Sat, 6 May 2006 13:49:58 -0400 |
Got it fixed! Thanks to all on list who helped out. For those interested, it was a policy order issue. I did not have the tunnels at the top of the policy.
Thanks again to all!
Mark Owen
Hello all,
I am having a slight problem with a couple of our firewall/VPN setups and decided to turn here for perhaps a little insight.
We have two Netscreens, a ns5XP and a ns25. To explain the configuration more easily, here are a couple of snips from the config file:
```
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface trust ip 172.24.248.1/28
set interface trust nat
set interface untrust ip 216.212.XXX.XXX/29
set interface untrust route
...
set address "Trust" "B Subnet" 172.24.248.0 255.255.255.0
set address "Untrust" "A Subnet" 172.25.248.0 255.255.255.0
...
set ike gateway "A_GW" address 69.17.XXX.XXX Main outgoing-interface "untrust" preshare "XXXXXXXXXXXXX" proposal "XXXXXXXX"
...
set vpn "A_VPN" gateway "A_GW" no-replay tunnel idletime 0 proposal "XXXXXXXXX"
...
set policy id 7 name "A_VPN_Policy" from "Trust" to "Untrust" "B Subnet" "A Subnet" "ANY" tunnel vpn "A_VPN" id 10 pair-policy 2
set policy id 2 name "A_VPN_Policy" from "Untrust" to "Trust" "A Subnet" "B Subnet" "ANY" tunnel vpn "A_VPN" id 10 pair-policy 7
```
The other ns has the corresponding settings. I have verified that the syntax and addresses are correct on both boxes.
Now this setup has worked without flaw for over a year and the only recent change was from a cidr /28 to a /24 on "B Subnet". Both firewalls have been updated to reflect this change and the VPN works one way. Office B can communicate with Internet but not Office A. Office A can communicate back and forth to Office B.
Example from Office A to Office B: ping 172.24.248.2

```
Pinging 172.24.248.2 with 32 bytes of data:

Reply from 172.24.248.2: bytes=32 time=65ms TTL=125
Reply from 172.24.248.2: bytes=32 time=63ms TTL=125
Reply from 172.24.248.2: bytes=32 time=62ms TTL=125
Reply from 172.24.248.2: bytes=32 time=64ms TTL=125

Ping statistics for 172.24.248.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 65ms, Average = 63ms
```
Example from Office B to Office A: ping 172.25.248.2

```
Pinging 172.25.248.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.25.248.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
Both addresses are valid and can be pinged from Office A.
Does anyone have any ideas that could help me out a little? More info is available on request.
Thanks, Mark Owen
-- Mark Owen
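The fix in the reply was policy order: ScreenOS evaluates policies top-down and takes the first match, so a tunnel policy sitting below a broader Trust-to-Untrust permit never sees the Office B traffic. The following is an added example, not code from the thread or from Juniper; it models that first-match lookup with the zones and address objects from the posted config. The broad Internet-access policy (id 1) is an assumption constructed for the example, since the post does not show it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    """One ScreenOS-style policy: zone pair, address-book entries, action."""
    pid: int
    name: str
    src_zone: str
    dst_zone: str
    src_net: str   # CIDR of the source address-book entry
    dst_net: str   # CIDR of the destination address-book entry
    action: str    # "permit" (plain forwarding, NAT out untrust) or "tunnel" (into the VPN)

def first_match(policies: List[Policy], src_zone: str, dst_zone: str,
                src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Top-down, first-match lookup; None models the implicit deny at the bottom."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if ((p.src_zone, p.dst_zone) == (src_zone, dst_zone)
                and s in ipaddress.ip_network(p.src_net)
                and d in ipaddress.ip_network(p.dst_net)):
            return p
    return None

# Address objects and tunnel policies as posted for the Office B NetScreen
# ("B Subnet" 172.24.248.0/24 in Trust, "A Subnet" 172.25.248.0/24 in Untrust).
VPN_OUT = Policy(7, "A_VPN_Policy", "Trust", "Untrust", "172.24.248.0/24", "172.25.248.0/24", "tunnel")
VPN_IN = Policy(2, "A_VPN_Policy", "Untrust", "Trust", "172.25.248.0/24", "172.24.248.0/24", "tunnel")
# ASSUMPTION: a catch-all Internet policy like this is what let Office B reach the Internet.
INTERNET = Policy(1, "Internet", "Trust", "Untrust", "0.0.0.0/0", "0.0.0.0/0", "permit")

TUNNEL_BELOW_INTERNET = [INTERNET, VPN_OUT, VPN_IN]   # order that broke B -> A
TUNNEL_ON_TOP = [VPN_OUT, VPN_IN, INTERNET]           # the fix described in the reply

def outbound_action(policies: List[Policy], dst_ip: str, src_ip: str = "172.24.248.2") -> str:
    """Action taken for the first packet from an Office B host to dst_ip."""
    p = first_match(policies, "Trust", "Untrust", src_ip, dst_ip)
    return p.action if p else "deny"

if __name__ == "__main__":
    # 198.51.100.10 is a constructed TEST-NET address standing in for "the Internet".
    for label, plist in (("tunnel below", TUNNEL_BELOW_INTERNET), ("tunnel on top", TUNNEL_ON_TOP)):
        print(f"{label}: to Office A -> {outbound_action(plist, '172.25.248.2')}, "
              f"to Internet -> {outbound_action(plist, '198.51.100.10')}")
```

With the tunnel policy below the catch-all, a packet for 172.25.248.2 is matched by the permit policy and leaves the untrust interface in the clear instead of entering A_VPN, which is exactly the one-way symptom in the post.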