Hi All,
One of our site firewalls was replaced, from a NetScreen to an SRX210. The tunnel is up and users on both LAN sides can ping each other. Recently, the SRX210 users requested to reach the DMZ server on the other side. I have added a policy on both firewalls (SRX: trust to untrust; SSG: Untrust to DMZ); however, the traffic still goes through from the untrust to the trust network.
In the SSG monitor status, the bottom tunnel is still inactive.
LXX_VPN | 000002e3 | 389/388 | 6x.xx.xx.15x | AutoIKE | Active | Up |
LXX_VPN | 000002e4 | 1257/-1 | 6x.xx.xx.15x | AutoIKE | Inactive | Inactive |
SSG Firewall Policy
Traffic log for policy:

Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason |
---|---|---|---|---|---|---|---|---|---|
2016-08-25 15:03:04 | 192.168.193.1:133 | 172.16.0.20:58137 | 0.0.0.0:0 | 0.0.0.0:0 | ICMP | 0 sec. | 0 | 64 | Traffic Denied |
2016-08-25 15:03:03 | 192.168.193.1:132 | 172.16.0.20:58137 | 0.0.0.0:0 | 0.0.0.0:0 | ICMP | 0 sec. | 0 | 64 | Traffic Denied |
2016-08-25 15:03:02 | 192.168.193.1:131 | 172.16.0.20:58137 | 0.0.0.0:0 | 0.0.0.0:0 | ICMP | 0 sec. | 0 | 64 | Traffic Denied |
2016-08-25 15:03:01 | 192.168.193.1:130 | 172.16.0.20:58137 | 0.0.0.0:0 | 0.0.0.0:0 | ICMP | 0 sec. | 0 | 64 | Traffic Denied |
Any idea how to fix it?
Many Thanks,
Kay