valerio_vanni (Ally Member)

Comments

  • Yes, I made a summary of working setup. After creation of tunnel A2B2, I could remove policy route on A firewall, LAN C was already included in vpn policy. But I still wonder if there are simpler ways. I don't understand why AB tunnel refuses traffic not belonging to its local-remote policies. This restriction would be…
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 15:38
  • Duplicate message, please delete.
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 15:15
  • I try to summarize the working setup, should it be needed by someone during a search. Site A (USG Flex 50) - Policy based S2S vpn - Site B (USG Flex 200) - Policy based S2S vpn - site C (other device). Site A and site B need to go to C, SNATted to a specific IP, "FakeB". On A site: no special config. Between A and B, two phase 2…
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 15:13
  • VPN policy A-B has only A and B LAN1 subnets as local-remote policy. Just to see if it helped, I had set a policy route on B, but it didn't work. With source VTI0 - dest A-B tunnel, the last step went to WAN1; with source B-C tunnel - dest A-B tunnel it went to doll (but nothing to site A). At that point, my suspect was that A-B…
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 21 Dec
  • Right. In the initial setup, traffic flowed from A to B but then could not go to C with SNAT. Zyman2008's suggestion made things better. Now it goes to C with SNAT, it comes back to B, but then it runs away on B's WAN1 interface instead of going towards tunnel A-B.
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 21 Dec
  • I decided to try your way. 1. Create a route-based VPN Connection rule for B - C, then you get a VTI interface to C. But you need to use the CLI to modify the local/remote policy from any to the address object B, C: crypto map VPNConnectionName local-policy any → local-policy address-objectB remote-policy any → remote-policy…
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 21 Dec
  • As I said, site C is out of my control and that VPN is "untouchable" on that side. Or would what you suggest in point 1 make the C side "happy" only by setting local and remote policies with the CLI? The IP of the VTI would play no role, right? Does VTI like this change from the CLI? Is it supported, or is there some risk that some firmware upgrade…
    Section: Source NAT through vpn tunnels. Comment by valerio_vanni, 20 Dec
  • Some hours ago it didn't work. I had configured it without Destination NAT, a doubt came to my mind and so I asked. Then I tried to add Destination NAT and it was still not working. I had a phone call with the manager of the other side of the tunnel, and we found there was some issue on that side. As soon as it was fixed, it began…
    Section: Destination NAT on VPN. Comment by valerio_vanni, 18 Dec
  • So if LAN1 is a /24 network, and Fake is a /32, the result is similar to "typical" LAN internet access (that goes to WAN SNATted to the WAN address), right? And additional specific rules with a specific port and specific LAN1 addresses: 2 Fake subnet (/32) - specific LAN1 ip100 - protocol1 - service1 etc.; 3 Fake subnet (/32) - specific…
    Section: Destination NAT on VPN. Comment by valerio_vanni, 18 Dec
  • Shouldn't these routes be implicit in a policy-based tunnel?
    Section: IPSec VPN behind routeur and DMZ. Comment by valerio_vanni, 13 Dec
  • From the image you posted (so, from the point of view of that tunnel side): LAN1 can go into the tunnel; DMZ cannot go into the tunnel; the tunnel can go both into LAN1 and DMZ. You have all "allow rules", but the latest. If something does not fit into the rules, it is blocked by the default rule and the event is logged. So, you could look at the logs.…
    Section: IPSec VPN behind routeur and DMZ. Comment by valerio_vanni, 11 Dec
  • Can you ping the LAN address of the remote router? Do you have some other device to ping? A PC can have a local firewall.
    Section: IPSec VPN behind routeur and DMZ. Comment by valerio_vanni, 11 Dec
  • You can write a private message to him.
    Section: USG FLEX 50W (USG20W-VPN) no graphs. Comment by valerio_vanni, 10 Dec
  • Now it works, I missed that setting. Thank you. Instead, I had activated 2FA in the vpn tunnel properties (which, I see now, doesn't matter).
  • I agree that it is not as effective as with the automatic popup. I would make some bookmark or desktop link to the authorization page. Codes have a 30 second lifetime, but inside the app you can see the time-left indicator. You could instruct users that, if they are not sure they will type the code in time, they should better wait for the next…
    Section: ZyWALL SecuExtender Two-Factor Authentication. Comment by valerio_vanni, 4 Dec