I'm currently setting up a MAG2600. This is the first time for me so everything is new. The web portal works fine; I have one user realm and two user roles that are assigned depending on AD membership.
Now I'm setting up the Pulse client for our company's laptops and I need to assign a DHCP scope. The SA is connected with its internal interface to our DMZ switch and has the DMZ interface of our firewall as standard gateway. The subnet is 10.0.0.0/24.
Now I don't really want to assign the clients IPs from that DMZ subnet but rather use a new one, an internal one like 172.17.191.0/24. When I configure such a scope and even put in a static route pointing to our DMZ firewall (Juniper Netscreen) interface, it isn't working. I can connect the laptop and get an IP from that scope but cannot access any internal resources. A trace ends at the VPN tunnel IP.
Our firewall acts as the central routing device as well, so it has all the routes to all subnets etc. I put a new route in place for the way back, sending packets with 172.17.191.X back to the DMZ interface. Still not working.
Is there a way to set this up without using the SA's other interface plugged in to the LAN? That would circumvent our firewall and is not really an option.
Add the static route on the firewall so that:
Destination: 172.17.191.0/24
Next hop or gateway: SA/MAG's internal interface IP, or the cluster internal VIP in case of an A/P cluster
Thanks for the suggestion, but it doesn't work unfortunately. The config I'm using looks like this:
Intended pool: 172.17.191.10 - 172.17.191.250
Internal Interface SA: 10.0.0.220
Routes on the SA:
0.0.0.0 0.0.0.0 -> 10.0.0.254 (firewall dmz int)
10.0.0.0 255.255.255.0 -> 0.0.0.0
Both have been put in automatically.
On the Juniper firewall:
172.17.191.0/24 -> 10.0.0.220 (dmz int)
There are also routes on the firewall in place to all other subnets as we use it as central routing device.
What's an IP of an "internal resource" you are trying to reach from the client connected with Pulse?
Have you looked at your firewall ACLs to make sure you are allowing traffic appropriately in/out of the DMZ zone to the zone that has those "internal resources"?
The configuration looks correct. What does a tracert output look like when connected via VPN to an internal resource?
The tracert ends at the VPN tunnel server IP. After that nothing. When my client is on the DMZ subnet I can ping the firewall, clients inside our LAN can also ping the firewall. So this should be possible in general.
Yes, this is possible.
Looks like the return route to the NC client IP is the issue.
Could you take a TCP dump on the SA/MAG internal interface when pinging an internal resource?
Mention the resource IP and NC client IP.
Ok. Issue solved. Since my intended IP range is different from the network segment the MAG is in, I needed to put a source NAT in place on the firewall. So clients are "hiding" behind the DMZ interface on the firewall and the firewall maps packets back to their original IP.
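To illustrate why the source NAT resolves the return-path problem, here is a small simulation I added (it is not part of the thread and not the poster's configuration). It uses the addresses from the thread (pool 172.17.191.0/24, MAG internal interface 10.0.0.220, firewall DMZ interface 10.0.0.254); the internal resource 172.17.1.10 and the session-table behaviour are assumptions. Without NAT, the reply to the client depends on the firewall having a working route for the pool; with NAT, the firewall's own session state records the return hop, so the reply is addressed to the firewall and translated back.

```python
import ipaddress as ip

# Addresses from the thread; the internal server address is an assumption.
POOL = ip.ip_network("172.17.191.0/24")        # Pulse client pool
SA_INT = ip.ip_address("10.0.0.220")           # MAG internal interface (DMZ)
FW_DMZ = ip.ip_address("10.0.0.254")           # firewall DMZ interface
CLIENT = ip.ip_address("172.17.191.10")        # a client from the pool
SERVER = ip.ip_address("172.17.1.10")          # assumed internal resource

def lookup(routes, dst):
    """Longest-prefix match over [(network, next_hop)]; None means no route."""
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def forward_and_reply(fw_routes, source_nat):
    """Simulate one client->server request and trace the server's reply.

    Returns the reply's hop list; delivery succeeded if it ends at 'client'."""
    sessions = {}                      # firewall NAT/session state (assumed model)
    if source_nat:
        # Firewall hides the client behind FW_DMZ and records where it came from.
        sessions[(SERVER, FW_DMZ)] = (CLIENT, SA_INT)
        reply_dst = FW_DMZ             # the server sees the firewall as the source
    else:
        reply_dst = CLIENT             # the server sees the pool address directly
    hops = ["server", "firewall"]      # server's only route is its default gateway
    if (SERVER, reply_dst) in sessions:
        # Translate back and follow the return hop stored in the session.
        orig_client, next_hop = sessions[(SERVER, reply_dst)]
        return hops + [f"nat {reply_dst}->{orig_client}", str(next_hop), "client"]
    next_hop = lookup(fw_routes, reply_dst)
    if next_hop is None:
        return hops + ["dropped: no route to pool"]
    return hops + [str(next_hop), "client"]

# Firewall routing tables: DMZ only, and DMZ plus the pool route from the thread.
DMZ_ONLY = [(ip.ip_network("10.0.0.0/24"), "dmz-interface")]
WITH_POOL_ROUTE = DMZ_ONLY + [(POOL, SA_INT)]

if __name__ == "__main__":
    for routes, nat in ((DMZ_ONLY, False), (WITH_POOL_ROUTE, False), (DMZ_ONLY, True)):
        print("nat" if nat else "no nat", "->", " > ".join(forward_and_reply(routes, nat)))
```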