
I have two SSG5s to build up a route-based VPN with static global IPs. I want site A to browse the special (external) sites via the site B network.

Google                    Site A --> Site B ---> Youtube Website
whatismyip.com            Site A --> Site B ---> Youtube Website
Yahoo                     Site A---> Yahoo Website

I set the Destination Routing on Site A's SSG5:

64.233.187.199/32       tunnel.1    SP  20  1   Root    www.google.com.hk_001   Remove
141.101.120.15/32       tunnel.1    SP  20  1   Root    www.whatismyip.com_001  Remove

After I set the above settings, I still cannot access the websites. If I tracert to them, it will hold at the second step.

  1. Site A GW IP
  2. Site B Global IP


I set up some Any-Any policies to log the events and found the Trust-to-Untrust entry below on the Site B GW.

2015-07-08 13:03:01 Site A PC   Google  Site A PC   Google  ICMP    60 sec. 78  0   Close - AGE OUT

Do I need to set more routing to do this? (Site A? Site B?)

fukawi2

1 Answer


The problem here is most likely asymmetric routing.

Let's give site A IP address 192.0.2.25, site B address 198.51.100.10. The packet from site A to Youtube goes like this with the tunnel configuration:

  1. 192.0.2.25
  2. 198.51.100.10
  3. Router 1
  4. Router 2
  5. Youtube website

The packet back from Youtube website goes like this:

  1. Youtube website
  2. Router 3
  3. Router 4
  4. 192.0.2.25

So, the route from Youtube website to Site A is different from the route from Site A to Youtube website. This can cause problems.

This asymmetric routing can be solved by performing NAT on Site B, so that Youtube sees packets as coming from Site B and will route them back to Site B, which will then send the packets to Site A.

Tero Kilkanen
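
The two paths described in the answer above, as an added example that is not part of the original answer: a toy model of two stateful gateways showing why the reply is dropped without source NAT on Site B and delivered with it. The `DEST` address is constructed, the interface labels `tunnel.1` and `untrust` are taken from the question, and the session-matching rule is a simplifying assumption about how the gateways behave.

```python
SITE_A = "192.0.2.25"     # site A address used in the answer
SITE_B = "198.51.100.10"  # site B address used in the answer
DEST = "203.0.113.80"     # constructed stand-in for the external website


class Gateway:
    """Stateful gateway (assumed model): a reply passes only if it matches a
    session and arrives on the interface that session expects."""

    def __init__(self):
        self.sessions = {}  # (src, dst) as sent -> interface the reply must use
        self.nat = {}       # (translated src, dst) -> original src

    def forward(self, src, dst, reply_iface, snat_ip=None):
        """Record the outbound flow; return the source address sent onward."""
        out_src = snat_ip or src
        if snat_ip:
            self.nat[(snat_ip, dst)] = src
        self.sessions[(out_src, dst)] = reply_iface
        return out_src

    def accept_reply(self, src, dst, iface):
        """Return the address to deliver the reply to, or None if dropped."""
        if self.sessions.get((dst, src)) != iface:
            return None
        return self.nat.get((dst, src), dst)


def simulate(site_b_snat):
    gw_a, gw_b = Gateway(), Gateway()
    # Outbound: site A's host route sends DEST into tunnel.1.
    gw_a.forward(SITE_A, DEST, reply_iface="tunnel.1")
    seen = gw_b.forward(SITE_A, DEST, reply_iface="untrust",
                        snat_ip=SITE_B if site_b_snat else None)
    # Return: the website answers the source address it saw.
    if seen == SITE_B:
        inner = gw_b.accept_reply(DEST, SITE_B, "untrust")
        delivered = gw_a.accept_reply(DEST, inner, "tunnel.1") == SITE_A
        site_b_session = "reply seen"
    else:
        # Reply is routed straight to site A and arrives outside the tunnel.
        delivered = gw_a.accept_reply(DEST, SITE_A, "untrust") == SITE_A
        site_b_session = "aged out"
    return {"delivered": delivered, "site_b_session": site_b_session}


if __name__ == "__main__":
    for snat in (False, True):
        print("source NAT on site B:", snat, simulate(snat))
```

In the no-NAT case the model leaves Site B's session without a reply, which is the situation the `Close - AGE OUT` log entry in the question would be consistent with.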