And yes, I know, the default gateway by original definition is supposed to live adjacent on the same subnet as the station.
Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Friday, September 17, 2010 7:49 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

OK, at site B you set up a static route 10.60.1.1 255.255.255.255 -> 192.168.99.1, so that all site B computers know how to get to the main firewall via the local firewall (the local firewall will know to traverse the VPN and not the public internet). Also at site B you set up a default gateway route 0.0.0.0 0.0.0.0 -> 10.60.1.1 so that all default traffic goes to the main site.

Alternatively, you could put a static route in the remote Juniper to locate the public IP of the main firewall via the remote internet/public port address (to facilitate the tunnel) and a default gateway in the remote Juniper to the main firewall at 10.60.1.1. This way, ONLY the traffic to create the tunnel will travel the internet connection on the remote Juniper, and ALL OTHER traffic is forced over the tunnel. This would complicate any remote configuration/access to the Juniper at 192.168.99.1 except from within the main site.

Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, September 17, 2010 7:35 AM
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

Erik, can you expand a little please?

Site A (main site) 10.60.0.0/16, main firewall IP of 10.60.1.1
Site B (remote site) 192.168.99.0/24 – Juniper's LAN IP is 192.168.99.1

At Site B right now everyone's default gateway would be 192.168.99.1, but the VPN tunnels all traffic for 10.60.0.0/16 over the tunnel1.interface to the firewall at site B.

Whilst I get what VPNs are/what they do, I've not had much hands-on, and each vendor seems to do the same thing a slightly different way.
Thanks,
Paul

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: 17 September 2010 12:31
To: NT System Admin Issues
Subject: RE: Juniper VPN Tunnel Query

Static route on the local systems for the remote ‘main’ firewall/internet via the local IP of your local Juniper, and a default gateway on local systems pointing to that remote main firewall?

Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, September 17, 2010 7:16 AM
To: NT System Admin Issues
Subject: Juniper VPN Tunnel Query

I’m testing a VPN tunnel between what will be two sites. I have the tunnel working just fine between Site A and Site B using a route-based VPN; however, what I want to do is configure it so that in Site B any traffic for 0.0.0.0 goes over the tunnel, so it goes out to the Internet via our main firewall/internet connection.

I’m struggling a little on how to configure the Juniper (an SSG running ScreenOS 6.3.x) to do this, as its default gateway for 0.0.0.0 is of course the router to the ISP.

Thanks.

_____
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96
The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
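The routing states discussed in this thread (Paul's working split tunnel, the naive change of pointing the SSG's default route at the tunnel, and Erik's second suggestion of a host route for the main firewall's public IP via the ISP plus a default route into the tunnel), modelled as an added Python example. This is not code from the thread, from Juniper, or from ScreenOS; it only models longest-prefix-match forwarding on the SSG and the second lookup the encapsulated tunnel packet needs, which is where the naive change fails. The public addresses 203.0.113.10 and 198.51.100.1, the interface names ethernet0/0 and bgroup0, and the management source 192.0.2.50 used in the usage note are assumptions (the thread gives no public addresses or interface names); actual ScreenOS `set route` syntax is not shown on the page and is not reproduced here.

```python
import ipaddress

# Addresses named in the thread: site A 10.60.0.0/16 behind the main firewall
# 10.60.1.1, site B 192.168.99.0/24 behind the SSG at 192.168.99.1.
# The thread gives no public addresses or interface names, so these are
# assumed for the model (RFC 5737 documentation ranges):
MAIN_FW_PUBLIC = "203.0.113.10"  # assumed public IP of the site A firewall (tunnel peer)
SITE_B_ISP_GW = "198.51.100.1"   # assumed ISP next hop on the SSG's untrust side
TUNNEL_IF = "tunnel.1"           # the route-based VPN interface
UNTRUST_IF = "ethernet0/0"       # assumed Internet-facing interface of the SSG
TRUST_IF = "bgroup0"             # assumed LAN interface of the SSG

# Routing tables as (prefix, next_hop, interface); next_hop None = on-link.

# Working state from Paul's first mail: only 10.60.0.0/16 uses the tunnel,
# the SSG's default route still points at the ISP.
SPLIT_TUNNEL = [
    ("192.168.99.0/24", None, TRUST_IF),
    ("10.60.0.0/16", None, TUNNEL_IF),
    ("0.0.0.0/0", SITE_B_ISP_GW, UNTRUST_IF),
]

# Naive change: point 0.0.0.0/0 at the tunnel and nothing else.
FULL_TUNNEL_BROKEN = [
    ("192.168.99.0/24", None, TRUST_IF),
    ("10.60.0.0/16", None, TUNNEL_IF),
    ("0.0.0.0/0", None, TUNNEL_IF),
]

# Erik's second suggestion: a host route for the peer's public IP via the ISP
# so the tunnel itself can be built, and the default route into the tunnel.
FULL_TUNNEL_FIXED = [
    ("192.168.99.0/24", None, TRUST_IF),
    ("10.60.0.0/16", None, TUNNEL_IF),
    (MAIN_FW_PUBLIC + "/32", SITE_B_ISP_GW, UNTRUST_IF),
    ("0.0.0.0/0", None, TUNNEL_IF),
]


def lookup(table, dst):
    """Longest-prefix match. Returns the winning (prefix, next_hop, iface)
    entry, or None when nothing matches (no default route)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def resolve(table, dst):
    """Resolve dst to a physical egress on the SSG.

    A packet routed into tunnel.1 is encapsulated and addressed to the peer's
    public IP, and that outer packet is routed again. If the peer address
    itself resolves into the tunnel, the tunnel can never carry its own
    IKE/ESP traffic: that is the recursive case.

    Returns (status, path) where status is 'ok', 'recursive' or 'unroutable'
    and path lists each (destination, matched_prefix, interface) decision.
    """
    path, cur = [], dst
    while True:
        entry = lookup(table, cur)
        if entry is None:
            return ("unroutable", path)
        prefix, _next_hop, iface = entry
        path.append((cur, prefix, iface))
        if iface != TUNNEL_IF:
            return ("ok", path)
        if cur == MAIN_FW_PUBLIC:
            return ("recursive", path)
        cur = MAIN_FW_PUBLIC  # outer packet is addressed to the tunnel peer


def tunnel_can_establish(table):
    """True if IKE/ESP to the peer leaves on a physical interface."""
    status, _ = resolve(table, MAIN_FW_PUBLIC)
    return status == "ok"


def goes_over_vpn(table, dst):
    """True if dst is carried inside the tunnel and the tunnel is usable."""
    status, path = resolve(table, dst)
    return status == "ok" and path[0][2] == TUNNEL_IF


if __name__ == "__main__":
    for name, table in [("split tunnel", SPLIT_TUNNEL),
                        ("full tunnel, no peer route", FULL_TUNNEL_BROKEN),
                        ("full tunnel, peer /32 via ISP", FULL_TUNNEL_FIXED)]:
        print(f"{name}: tunnel up={tunnel_can_establish(table)}, "
              f"8.8.8.8 via VPN={goes_over_vpn(table, '8.8.8.8')}, "
              f"10.60.1.1 via VPN={goes_over_vpn(table, '10.60.1.1')}")
```

Run stand-alone, the script shows that the naive change breaks not only Internet traffic but also the existing 10.60.0.0/16 traffic, because the tunnel can no longer be built at all; the /32 for the peer via the ISP is the single route that makes the full-tunnel default viable. The model also reproduces Erik's caveat about remote management: with `FULL_TUNNEL_FIXED`, `goes_over_vpn(FULL_TUNNEL_FIXED, "192.0.2.50")` is true for any Internet source other than the peer, so replies to an administrator connecting to the SSG from the Internet are routed into the tunnel and leave via the main firewall rather than the path the request arrived on. Erik's first suggestion (host-side static routes with an off-subnet default gateway) is not modelled, since whether it works depends on how the host operating system handles a gateway that is not on a connected subnet, which the thread does not settle.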