Channel: SRX Services Gateway topics

SRX300 Configuration issue at site with single static ip


All, I have a couple of different issues going on which I believe are all related to a basic config setting; however, I just can't find my error. I've chosen ge-0/0/0.0 as my incoming internet interface. My ISP static address is xx.xxx.xx.254 with a gateway address ending in .253; the subnet mask is 255.255.255.252.

 

I have the same unit with the same basic config at another site with 5 static IPs, which works as expected (except for the tunnel).

 

So, what is working: I'm passing traffic to the internet and can browse the internet.

 

What is not working: remote management via any means, and a site-to-site tunnel (no traffic is received and it times out).

 

I believe once I get remote management working everything else will fall into place

 

Config below. I've attempted to trim out users, logging info, extra interfaces not in use, etc., so this may not be a "working code segment".

 

Ideas? I believe I had a similar issue at this site with an SSG5 (ScreenOS), where, if my memory is correct, I had to add a gateway address to the internet-facing interface. The SSG5 device is currently in use; I swap it out in the overnight hours until I can get this working.


## Last changed: 2019-01-15 07:23:12 GMT-6
## NOTE(review): 15.1X49-D70.3 is an old build on the 15.1X49 train. Check Juniper's
## security advisories and the recommended release for the SRX300 before leaving
## management services reachable from the ISP-facing interface.
version 15.1X49-D70.3;
## system: host identity, root credential, DNS resolvers, and the management
## services the device itself runs (ssh, telnet, XML management, DHCP server, J-Web).
## NOTE(review): the poster hand-trimmed this paste, so the braces in this stanza
## do not balance.
system {
host-name xyz;
time-zone GMT-6;
root-authentication {
## Redacted by the poster. Password hashes should stay out of public posts
## because they can be attacked offline.
encrypted-password "xxx";
}
name-server {
8.8.8.8;
8.8.4.4;
}
name-resolution {
no-resolve-on-input;
}

services {
## NOTE(review): no root-login or rate-limit options are shown under ssh (they may
## have been trimmed). The Internet zone below permits ssh on ge-0/0/0.0, so
## confirm that root login is denied and that login attempts are rate-limited.
ssh;
## NOTE(review): telnet carries credentials in cleartext. It is not listed in the
## Internet zone's host-inbound services, but the Internal zone allows "all".
## Remove it unless something still depends on it.
telnet;
## NOTE(review): xnm-clear-text is the unencrypted Junos XML management service.
## Same exposure as telnet on the Internal zone; remove it or use the SSL variant.
xnm-clear-text;
## DHCP server for the LAN, bound to irb.0 only.
dhcp-local-server {
group jweb-default-group {
interface irb.0;
}
}
web-management {
## NOTE(review): plain-HTTP J-Web. The Internet zone permits http on ge-0/0/0.0,
## so administrator logins could cross the ISP link unencrypted. Prefer https only.
## No interface restriction is visible under http/https in this paste -- confirm
## which interfaces J-Web actually listens on.
http;
https {
## Self-signed certificate generated by the device; browsers will not trust it
## by default.
system-generated-certificate;
}
session {
idle-timeout 60;
}
}
}

}

## NOTE(review): unmatched closing brace, left over from the poster's trimming.
}
## security: IKE/IPsec site-to-site VPN to headquarters, source NAT, inter-zone
## policies, and the two security zones (Internal, Internet) with the services the
## device accepts on each.
security {
log {
mode event;
}
ike {
policy ike_pol_vpn_to_headquarters {
## NOTE(review): aggressive mode with a pre-shared key exposes the peer identity
## and a PSK-derived hash to anyone who can observe the exchange, which permits
## offline guessing of the key. The post describes static addresses on both ends,
## so main mode looks usable -- confirm with the headquarters peer, which must be
## configured to match.
mode aggressive;
## NOTE(review): "basic" is the weakest predefined proposal set (DES-based per the
## Junos documentation -- verify for this release). Prefer an explicit proposal
## using AES, SHA-2 and DH group 14 or higher, mirrored on the peer.
proposal-set basic;
## Redacted by the poster. Use a long random key; with aggressive mode the key
## strength is the only barrier against offline guessing.
pre-shared-key ascii-text "xyz";
}
gateway gw_vpn_to_headquarters {
ike-policy ike_pol_vpn_to_headquarters;
address xx.xxx.xx.107;
dead-peer-detection;
## IKE is sourced from and received on the ISP-facing interface. See the
## host-inbound-traffic note on ge-0/0/0.0 in the Internet zone below: ike is not
## in that interface's service list.
external-interface ge-0/0/0.0;
}
}
ipsec {
policy ipsec_pol_vpn_to_headquarters {
perfect-forward-secrecy {
## NOTE(review): group5 is 1536-bit MODP, below current guidance; group14 or
## higher is the usual minimum if both peers support it.
keys group5;
}
## NOTE(review): same predefined "basic" set as the IKE policy; same concern.
proposal-set basic;
}
vpn vpn_to_headquarters {
## Route-based VPN: the tunnel is bound to st0.0, and the static route for
## 192.168.3.0/24 in routing-options points at that interface.
bind-interface st0.0;
vpn-monitor;
ike {
gateway gw_vpn_to_headquarters;
ipsec-policy ipsec_pol_vpn_to_headquarters;
}
establish-tunnels immediately;
}
}

nat {
source {
rule-set nsw_srcnat {
from zone Internal;
to zone Internet;
## Translates every Internal -> Internet flow to the egress interface address.
## NOTE(review): st0.0 is also in zone Internet, so this rule appears to match
## tunnel-bound traffic to 192.168.3.0/24 as well. A no-NAT rule for the VPN
## destination placed ahead of this one is the usual arrangement -- confirm.
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone Internal to-zone Internet {
policy All_Internal_Internet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
## NOTE(review): policies are evaluated in order, and the any/any/any permit above
## already matches this traffic, so this policy is shadowed and never hit.
policy policy_out_vpn_to_headquarters {
match {
source-address addr_192_168_0_0_24;
destination-address addr_192_168_3_0_24;
application any;
}
then {
permit;
}
}
}
from-zone Internal to-zone Internal {
policy All_Internal_Internal {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone Internal {
## NOTE(review): zone Internet contains both ge-0/0/0.0 and st0.0, so the source
## address is the only thing separating tunnel traffic from traffic arriving on
## the ISP link. Placing st0.0 in its own VPN zone makes this policy depend on
## the ingress interface rather than on a source address alone.
policy policy_in_vpn_to_headquarters {
match {
source-address addr_192_168_3_0_24;
destination-address addr_192_168_0_0_24;
application any;
}
then {
permit;
}
}
}
## NOTE(review): permit-all allows any inter-zone traffic that no policy above
## matches, including Internet -> Internal. deny-all is the safe default; add
## explicit permits for what is actually needed.
default-policy {
permit-all;
}
}
zones {
security-zone Internal {
address-book {
address addr_192_168_0_0_24 192.168.0.0/24;
}
## Every system service and protocol on the device is reachable from the LAN.
## NOTE(review): together with telnet, xnm-clear-text and http under system
## services, this exposes cleartext management to every LAN host. Listing only
## the services in use is tighter.
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.0;
}
}
security-zone Internet {
address-book {
address addr_192_168_3_0_24 192.168.3.0/24;
}
## Zone-level list. It applies only to interfaces in this zone that have no
## host-inbound-traffic block of their own (here: st0.0).
host-inbound-traffic {
system-services {
ike;
ssh;
https;
http;
traceroute;
}
}
interfaces {
ge-0/0/0.0 {
## NOTE(review): an interface-level host-inbound-traffic block overrides the
## zone-level list for that interface. ike is missing here, so IKE packets
## addressed to the device on the ISP-facing interface are likely dropped,
## which would fit the tunnel never coming up -- confirm.
## NOTE(review): tftp and dhcp have no evident purpose on a statically addressed
## ISP link and tftp is unauthenticated; http is cleartext. ssh/https from any
## source is broad: restrict management to known source addresses (for example
## with a firewall filter on lo0) and drop http.
host-inbound-traffic {
system-services {
tftp;
dhcp;
http;
https;
ssh;
}
}
}
## NOTE(review): ge-0/0/7 has no definition in the interfaces stanza of this paste
## (possibly trimmed). If the port is unused, remove it from this zone.
ge-0/0/7.0 {
host-inbound-traffic {
system-services {
tftp;
dhcp;
}
}
}
st0.0;
}
}
}
}
## interfaces: ISP-facing routed port (ge-0/0/0), LAN switch ports in vlan0
## (ge-0/0/1 to ge-0/0/3), the LAN gateway (irb), and the VPN tunnel interface (st0).
## NOTE(review): the poster trimmed this stanza and left unmatched closing braces
## in the middle of it.
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
## ISP static address. The /30 matches the 255.255.255.252 mask given in the post
## and leaves .253 (ISP gateway) and .254 (this device) as the only two hosts.
address xx.xxx.xx.254/30;
}
}
}
ge-0/0/1 {
unit 0 {
## NOTE(review): unlike ge-0/0/2 and ge-0/0/3, no interface-mode is set here
## (possibly trimmed) -- confirm the intended mode.
family ethernet-switching {
vlan {
members vlan0;
}
}
}
}
ge-0/0/2 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan0;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan0;
}
}
}
}


## NOTE(review): the next three closing braces have no matching opening lines in
## this paste; they remain from interfaces the poster removed.
}
}
}

## LAN gateway address; vlans/vlan0 names irb.0 as its l3-interface.
irb {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
## Tunnel interface for the route-based VPN; family inet with no address configured.
st0 {
unit 0 {
family inet;
}
}
}
## routing-options: two static routes -- the headquarters LAN via the tunnel
## interface, and the default route via the ISP gateway.
routing-options {
static {
## Sends traffic for 192.168.3.0/24 into st0.0, the interface the VPN is bound to.
route 192.168.3.0/24 next-hop st0.0;
## NOTE(review): the redaction mask here (xx.xx.xx) differs from the one on
## ge-0/0/0 (xx.xxx.xx). The next hop must be the .253 address inside the same
## /30 as the interface address -- confirm in the real config.
route 0.0.0.0/0 next-hop xx.xx.xx.253; ##isp gateway address##
}
}
## protocols: Layer 2 learning in switching mode, and RSTP enabled on all interfaces.
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
## access: DHCP address pool for the 192.168.0.0/24 LAN. It hands out .2 to .254,
## with 192.168.0.1 (the irb.0 address) as the router and 8.8.8.8 as the DNS server.
access {
address-assignment {
pool jweb-default-pool {
family inet {
network 192.168.0.0/24;
range jweb-default-range {
low 192.168.0.2;
high 192.168.0.254;
}
dhcp-attributes {
name-server {
8.8.8.8;
}
router {
192.168.0.1;
}
}
}
}
}
}
## vlans: one VLAN named vlan0, carrying VLAN ID 2, routed through irb.0.
vlans {
vlan0 {
vlan-id 2;
l3-interface irb.0;
}
}

 

 

