I have 4 locations that are connected via an L3VPN topology. Two locations had UTM 9.3 devices; we upgraded these to XG330s.
Currently the UTM 9.3s are working without issue and have static routes and firewall rules allowing traffic from the other sites.
In the Primary Data Center the XG connects to 3rd-party VPNs and is where the primary domain controller, as well as the primary document stores and several application hosts, reside.
The L3VPN is managed by Junipers, and at the Primary site the Juniper's LAN IP is on the same subnet as the XG's LAN port. For argument's sake, let's assume the network subnets are as below:
Primary Data Center
192.168.1.0/24
L3VPN gateway 192.168.1.2 (this device uses BGP and has routing for all subnets between sites.)
XG 330 LAN IP 192.168.1.1 (primary gateway on the network)
Internet and 3rd-party VPNs work fine, as do all internal apps in the Primary Data Center.
Secondary Data Center with an SG330
192.168.4.1
2nd Site
Gateway 192.168.2.1
3rd Site
Gateway 192.168.3.1
I have added static routes on the XG in the Primary site to send traffic for the other sites to the L3VPN gateway 192.168.1.2. With this in place I can ping and reach all nodes on the remote subnets. However, with routing alone the other sites reach the XG330 but fail to reach any nodes at the Primary site.
I have added the following firewall rule to the XG:
Source Zones: L3VPN
Source Networks: 192.168.3.0/24, 192.168.2.0/24, 192.168.4.0/24
Destination Zones: LAN
Destination Networks: 192.168.1.0/24
Services: Any
NAT & Routing: "Rewrite source address" is checked
MASQ: 192.168.1.1
No web scanning, IPS, web or app control is checked. With this rule I get some services but not others. Again, I can reach services and nodes at the remote sites, but they cannot reach services and nodes at the Primary site.
What am I missing? I have reviewed the logs and see a lot of invalid traffic, but I can't get it to allow traffic back to the Primary site.
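The layout in the post, modelled as an added example (this is not Sophos or Juniper code and not the poster's configuration). It traces, hop by hop, the path a packet takes in each direction between a Primary Data Center host and a site-2 host, and checks whether the XG lies on both paths. The addresses the post states (XG 192.168.1.1 as the hosts' default gateway, L3VPN gateway 192.168.1.2 on the same subnet, site-2 gateway 192.168.2.1, the static routes on the XG) are used as given; the DC host 192.168.1.10, the site-2 host 192.168.2.10, the site-2 CE address 192.168.2.2, and the alternative layout with the Juniper on a transit link 10.0.0.0/30 behind a dedicated XG interface are assumptions made for the model. Under the post's layout the model shows the Juniper delivering remote-site packets straight onto 192.168.1.0/24 while the hosts' replies go back through the XG, so a stateful firewall at the XG sees only one direction of each host-to-host flow; flows the XG itself originates are symmetric. A packet capture on the XG's LAN interface (do the remote sites' SYNs ever arrive on it?) is the quickest way to confirm or rule this out on the real network.

```python
"""Route-path tracer for the layout described in the post.

Added illustration only; not Sophos or Juniper code.  Given each device's
routing table it returns the hops a packet takes in each direction and
whether a stateful firewall (the XG) sits on both of them.  Addresses the
post states (XG 192.168.1.1, L3VPN gateway 192.168.1.2, site-2 gateway
192.168.2.1) are used as-is; the DC host 192.168.1.10, the site-2 host
192.168.2.10, the site-2 CE address 192.168.2.2 and the transit link
10.0.0.0/30 of the alternative layout are assumptions.
"""
from ipaddress import ip_address, ip_network


def routes(*entries):
    """Build a routing table from (prefix, next_hop) pairs; None = connected."""
    return [(ip_network(p), ip_address(nh) if nh else None) for p, nh in entries]


def build_topology(juniper_on_lan=True):
    """Return {device: (own_addresses, routing_table)}.

    juniper_on_lan=True reproduces the post: the L3VPN gateway shares
    192.168.1.0/24 with the XG's LAN port and hosts default to the XG.
    juniper_on_lan=False moves it to an assumed transit link 10.0.0.0/30 on a
    dedicated XG interface (10.0.0.1), so the XG is the only way in or out.
    """
    ce = "192.168.1.2" if juniper_on_lan else "10.0.0.2"
    if juniper_on_lan:
        xg_addrs, xg_extra = {"192.168.1.1"}, []
        l3vpn_primary = [("192.168.1.0/24", None)]           # delivers directly
    else:
        xg_addrs, xg_extra = {"192.168.1.1", "10.0.0.1"}, [("10.0.0.0/30", None)]
        l3vpn_primary = [("10.0.0.0/30", None), ("192.168.1.0/24", "10.0.0.1")]
    remote = [(f"192.168.{n}.0/24", ce) for n in (2, 3, 4)]  # the post's static routes
    return {
        "dc-host": ({"192.168.1.10"},
                    routes(("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1"))),
        "xg": (xg_addrs, routes(("192.168.1.0/24", None), *xg_extra, *remote)),
        # The BGP-connected L3VPN collapsed into one node with a CE at each site.
        "l3vpn": ({ce, "192.168.2.2"},
                  routes(*l3vpn_primary, ("192.168.2.0/24", None))),
        "site2-gw": ({"192.168.2.1"},
                     routes(("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.2"))),
        "site2-host": ({"192.168.2.10"},
                       routes(("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1"))),
    }


def owner(topo, ip):
    """Name of the device that holds address ip."""
    for name, (addrs, _) in topo.items():
        if str(ip) in addrs:
            return name
    raise KeyError(f"no device owns {ip}")


def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(topo, src, dst):
    """Hop-by-hop device names from src to dst."""
    dst = ip_address(dst)
    node = owner(topo, ip_address(src))
    path = [node]
    for _ in range(16):                       # loop guard
        route = lookup(topo[node][1], dst)
        if route is None:
            raise ValueError(f"{node} has no route to {dst}")
        _, nh = route
        node = owner(topo, dst) if nh is None else owner(topo, nh)
        path.append(node)
        if nh is None:                        # delivered on a connected subnet
            return path
    raise RuntimeError("routing loop")


def firewall_sees(topo, fw, a, b):
    """(sees a->b, sees b->a): does device fw lie on each direction's path?
    A stateful firewall that sees only the reply half of a flow has no state
    for it and logs those packets as invalid."""
    return fw in trace(topo, a, b), fw in trace(topo, b, a)


if __name__ == "__main__":
    for on_lan in (True, False):
        topo = build_topology(on_lan)
        print("Juniper on LAN" if on_lan else "Juniper on transit link")
        print("  site2 -> DC :", " > ".join(trace(topo, "192.168.2.10", "192.168.1.10")))
        print("  DC -> site2 :", " > ".join(trace(topo, "192.168.1.10", "192.168.2.10")))
        print("  XG sees (fwd, rev):", firewall_sees(topo, "xg", "192.168.2.10", "192.168.1.10"))
```

The model deliberately collapses all Junipers into one node and ignores the firewall rule itself: rule matching and source NAT only matter once a packet actually reaches the XG, and the trace shows which packets do.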