Junos
Contributor
dohman2011
Posts: 30
Registered: 12-13-2011

DMZ Setup help - Juniper SSG140

Hi,

I have been given a task to set up a webserver in a DMZ and allocate an A-record of a domain to point to a public IP address which points to our internet router.

So far I have:

- Created a new VLAN in VMware and assigned one physical NIC to it.
- Created a Virtual Server and put it into the VLAN, configured website etc.
- The Virtual Server NIC TCP/IP settings - IP Address: 192.x.x.1 /24, Default Gateway: 192.x.x.1, DNS Servers: ISP's DNS Servers
- Connected the physical NIC of the VMware server to our Juniper SSG140 firewall Port 0/8
- Created an Interface on the firewall for Port 0/8 to be in the DMZ zone, set it to the IP address of the Virtual Server (192.x.x.1), set the type to NAT
- Created a MIP on the internet port (map the Public IP address to 192.x.x.1 (Virtual Server))
- Created an Untrust > DMZ Policy to allow any traffic (this will later be tightened), Source Translation: None (use Egress Interface IP).

My problems:

- The Virtual Webserver cannot connect to the internet
- Website hosted by Virtual Server cannot be accessed.

Does anyone have any ideas?

Trusted Contributor
acooley
Posts: 117
Registered: 08-07-2010

Re: DMZ Setup help - Juniper SSG140

Hey Dochman

Can you ping the L3 interface on the SSG?

-a

-Adam
Contributor
dohman2011
Posts: 30
Registered: 12-13-2011

Re: DMZ Setup help - Juniper SSG140

Hi A,

What is the L3 interface?

Also where can you ping in the SSG? I cannot find the tool on there.

Thanks

Contributor
hkloh
Posts: 13
Registered: 04-02-2008

Re: DMZ Setup help - Juniper SSG140

The L3 interface means the DMZ interface you configured.

Juniper SSG Firewall does not have any ping/trace tools in the GUI; you need to log in to the CLI to ping/trace route.

You mentioned that you have configured source NAT for the policy (DMZ to Untrust), then you should be able to access the internet.

Can the server ping your DMZ gateway? Do a trace route and check where it stops.

Contributor
dohman2011
Posts: 30
Registered: 12-13-2011

Re: DMZ Setup help - Juniper SSG140

Yes, source NAT is set on the policy; I also set the destination one.

I cannot get the CLI interface up as I have no cable to connect the console port to the serial port on a laptop.

I'm not sure what you meant by 'Can the server ping your DMZ gateway? Do a trace route and check where it stops.'.

The server only receives 200-odd packets and stops. The default gateway in the TCP/IP config on the server is the same as its IP address (192.x.x.1), which is what the port on the firewall is configured with.

This is a copy of the config from the firewall (I have taken out chunks of the config which are not relevant):

unset key protection enable
set clock ntp
set clock timezone 0
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "name" timeout 1400 
set service "HTTP" timeout never 
set service "name" protocol tcp src-port 0-65535 dst-port 4401-4401 
set service "name" + tcp src-port 0-65535 dst-port 4403-4403 
set service "name" + udp src-port 0-65535 dst-port 4401-4401 
set service "name" + udp src-port 0-65535 dst-port 4403-4403 
set service "name" protocol tcp src-port 0-65535 dst-port 13-13 
set service "name" + tcp src-port 0-65535 dst-port 587-587 
set service "name" protocol tcp src-port 0-65535 dst-port 3389-3389 
set service "name" protocol tcp src-port 0-65535 dst-port 135-139 
set service "name" + udp src-port 0-65535 dst-port 135-139 
set service "name" + tcp src-port 0-65535 dst-port 445-445 
set service "name" + udp src-port 0-65535 dst-port 445-445 
set service "name" protocol tcp src-port 0-65535 dst-port 1494-1494 
set alg sccp app-screen unknown-message nat permit
unset alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "username"
set admin password "#####################"
set admin manager-ip 192.x.x.0 255.255.255.0
set admin manager-ip xx.xx.xxx.x 255.255.255.240
set admin manager-ip 192.x.x.0 255.255.255.0
set admin manager-ip 192.x.x.1
set admin http redirect
set admin mail alert
set admin mail server-name "name"
set admin mail mail-addr1 "name"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id # "name"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
unset zone "name" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Null"
set interface "ethernet0/1" zone "Null"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "name"
set interface "ethernet0/8" zone "DMZ"
set interface "ethernet0/9" zone "Trust"
unset interface vlan1 ip
set interface ethernet0/2 ip xx.xx.xx.xx/x
set interface ethernet0/2 route
set interface ethernet0/3 ip xx.xxx.x.x/x
set interface ethernet0/3 route
set interface ethernet0/8 ip 192.x.x.1/32
set interface ethernet0/8 nat
set interface ethernet0/9 ip xx.xx.xx.x/xx
set interface ethernet0/9 nat
set interface ethernet0/2 gateway xx.xx.xx.xx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/2 ip manageable
set interface ethernet0/3 ip manageable
unset interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage ssl
set interface ethernet0/3 manage ping
set interface ethernet0/8 manage web
set interface vlan1 manage mtrace
set interface "ethernet0/2" mip xx.xxx.xxx.xxx host xx.xx.xx.xx netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip xx.xx.xx.xx host xx.xx.xx.x netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip xx.xx.xx.xx host 192.xx.xx.1 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain name
set hostname name
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 xx.xx.x.xx
set dns host dns2 xx.xx.x.xx
set dns host dns3 x.x.x.xx
set address "Trust" "name" xx.xx.xx.x 255.255.255.0
set address "Untrust" "xx.xxx.xx.x/xx" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "xx.xx.xx.xx/xx" xx.xx.xxx.xx 255.255.255.248
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.240
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xxx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "Untrust" "name" xx.xx.xx.xx 255.255.255.0
set address "DMZ" "192.x.x.1/24" 192.x.x.1 255.255.255.0
set crypto-policy
exit
unset av scan-mgr max-content-size drop
unset av scan-mgr max-msgs drop
unset av scan-mgr decompress-layer drop
unset av scan-mgr out-of-resource drop
unset av scan-mgr timeout drop
set url protocol websense
set fail-mode permit
exit
set policy id 13 from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src dst ip x.x.x.x permit 
set policy id 13
exit
set policy id 14 from "Untrust" to "DMZ"  "Any" "Any" "ANY" nat src permit 
set policy id 14
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "uk.pool.ntp.org"
set vrouter "untrust-vr"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Contributor
dohman2011
Posts: 30
Registered: 12-13-2011

Re: DMZ Setup help - Juniper SSG140

I have downloaded PuTTY and 'telnetted' on, I can ping the IP Address with 100% success rate (5/5) however the TCP/IP status on the server does not show any packets being received whilst the Ping is taking place.

Contributor
TravisJohnson
Posts: 116
Registered: 12-14-2009

Re: DMZ Setup help - Juniper SSG140

Hi dohman,

First note, SSG140 isn't JUNOS so it would probably be better to get this moved to the ScreenOS forum, but I work with these on a regular basis.

From the server, can you ping 192.x.x.1?

Your VMware config, do you have a VLAN ID assigned? If you have a physical interface on this, do you have a separate vSwitch? To VLAN tag on the SSG140, you need to use a sub-interface, rather than the physical interface.

As for traffic into the DMZ, the policy needs to be modified:

set policy id 14 from "Untrust" to "DMZ"  "Any" "mip(MIP IP FROM Ethernet0/2)" "ANY" permit

***NAT SRC will NAT inbound traffic to the 192.x.x.1 IP, so don't use that***

Also, your MIP configuration is wrong.

set interface "ethernet0/2" mip xx.xx.xx.xx host [SERVER IP NOT ROUTER IP] netmask 255.255.255.255 vr "trust-vr"

In your config, the ethernet0/8 IP is 192.x.x.1, but it sounds like you also set the server IP as 192.x.x.1. This does not work; change your server IP.

These changes should get you fixed up.

________________________________________________

If my post helped you, please feel free to give me kudos.
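The steps listed in the original post and the corrections given in this reply (a server address distinct from the ethernet0/8 interface address, a MIP whose host is the server rather than the firewall, and an inbound Untrust-to-DMZ policy whose destination is the mip(...) object with no "nat src") can be checked mechanically before the config is pushed. The block below is an added example, not code from this thread or from Juniper: a small Python lint over ScreenOS-style "set" lines, run against two constructed configs in which RFC 5737 documentation addresses (192.0.2.x, 198.51.100.x) stand in for the masked ones. The server's own address is not in the firewall config, so the caller supplies it. The lint also includes one check the replies did not raise, flagged as such in the comments: a "dst ip" translation on the outbound DMZ-to-Untrust policy, which rewrites the destination of every outbound flow.

```python
import re

# Constructed sample configs (not the thread's real config): RFC 5737 documentation
# addresses stand in for the masked ones. BEFORE_CFG mirrors the mistakes as
# posted; AFTER_CFG applies the corrections from the replies.
BEFORE_CFG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "DMZ"
set interface ethernet0/2 ip 198.51.100.2/28
set interface ethernet0/8 ip 192.0.2.1/24
set interface ethernet0/8 nat
set interface "ethernet0/2" mip 198.51.100.5 host 192.0.2.1 netmask 255.255.255.255 vr "trust-vr"
set policy id 13 from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src dst ip 198.51.100.5 permit
set policy id 14 from "Untrust" to "DMZ"  "Any" "Any" "ANY" nat src permit
"""

AFTER_CFG = """\
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/8" zone "DMZ"
set interface ethernet0/2 ip 198.51.100.2/28
set interface ethernet0/8 ip 192.0.2.1/24
set interface ethernet0/8 nat
set interface "ethernet0/2" mip 198.51.100.5 host 192.0.2.10 netmask 255.255.255.255 vr "trust-vr"
set policy id 13 from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 14 from "Untrust" to "DMZ"  "Any" "mip(198.51.100.5)" "ANY" permit
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Interface names appear quoted on some lines and bare on others, so the quotes are optional.
IFACE_IP_RE = re.compile(rf'^set interface "?([^\s"]+)"? ip ({IP})/\d+$')
MIP_RE = re.compile(rf'^set interface "([^"]+)" mip ({IP}) host ({IP}) ')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)"\s+(.*)$'
)


def parse_screenos(text):
    """Collect interface addresses, MIPs and policies from 'set ...' lines."""
    cfg = {"iface_ip": {}, "mips": [], "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_IP_RE.match(line):
            cfg["iface_ip"][m.group(1)] = m.group(2)
        elif m := MIP_RE.match(line):
            cfg["mips"].append({"iface": m.group(1), "public": m.group(2), "host": m.group(3)})
        elif m := POLICY_RE.match(line):
            cfg["policies"].append({
                "id": int(m.group(1)), "from": m.group(2), "to": m.group(3),
                "src": m.group(4), "dst": m.group(5), "svc": m.group(6), "opts": m.group(7),
            })
    return cfg


def lint_dmz(text, server_ip):
    """Return findings for the DMZ-publishing mistakes discussed in the thread.

    server_ip is the address configured on the web server itself; it is not in
    the firewall config, so the caller supplies it.
    """
    cfg = parse_screenos(text)
    iface_of = {ip: name for name, ip in cfg["iface_ip"].items()}
    findings = []

    # 1. The server must not reuse the firewall's DMZ interface address.
    if server_ip in iface_of:
        findings.append(f"server IP {server_ip} is also the address of firewall interface {iface_of[server_ip]}")

    # 2. The MIP must map the public address to the server, not to a firewall interface.
    for mip in cfg["mips"]:
        if mip["host"] in iface_of:
            findings.append(f"MIP {mip['public']} maps to firewall interface {iface_of[mip['host']]} ({mip['host']}), not to the server")
    if not any(m["host"] == server_ip and m["host"] not in iface_of for m in cfg["mips"]):
        findings.append(f"no MIP maps a public address to server {server_ip}")

    # 3. Inbound policy: destination is the mip(...) object and there is no 'nat src'.
    #    Extra check not raised in the thread: a 'dst ip' translation on the outbound
    #    DMZ->Untrust policy rewrites the destination of every outbound flow.
    for pol in cfg["policies"]:
        has_src_nat = re.search(r"\bnat src\b", pol["opts"]) is not None
        has_dst_nat = re.search(r"\bdst ip\b", pol["opts"]) is not None
        inbound = pol["from"] == "Untrust" and pol["to"] == "DMZ"
        outbound = pol["from"] == "DMZ" and pol["to"] == "Untrust"
        if inbound and has_src_nat:
            findings.append(f"policy {pol['id']} (Untrust->DMZ) uses 'nat src'; inbound traffic would be rewritten to the egress interface address")
        if inbound and not pol["dst"].lower().startswith("mip("):
            findings.append(f"policy {pol['id']} (Untrust->DMZ) destination is '{pol['dst']}', expected the mip(...) object")
        if outbound and has_dst_nat:
            findings.append(f"policy {pol['id']} (DMZ->Untrust) applies 'dst ip' translation to all outbound traffic")
    return findings


if __name__ == "__main__":
    for label, cfg, srv in (("as posted", BEFORE_CFG, "192.0.2.1"), ("corrected", AFTER_CFG, "192.0.2.10")):
        print(f"--- {label} (server {srv}) ---")
        for finding in lint_dmz(cfg, srv) or ["no findings"]:
            print(" -", finding)
```

Run against the "as posted" sample with the server set to the same address as ethernet0/8, the lint reports the address collision, the MIP pointing at the firewall rather than the server, the missing server MIP, and the two inbound-policy problems, plus the outbound "dst ip" translation; the corrected sample with the server moved to 192.0.2.10 produces no findings.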
Contributor
TravisJohnson
Posts: 116
Registered: 12-14-2009

Re: DMZ Setup help - Juniper SSG140

dohman2011 wrote:

I have downloaded PuTTY and 'telnetted' on, I can ping the IP Address with 100% success rate (5/5) however the TCP/IP status on the server does not show any packets being received whilst the Ping is taking place.

That's because you're actually pinging the ethernet0/8 interface and not the server. TCP/IP 101: Basic IP addressing

Contributor
dohman2011
Posts: 30
Registered: 12-13-2011

Re: DMZ Setup help - Juniper SSG140

Hello TravisJohnson,

Thank you for your reply.

I have gone through and made modifications to the setup:

- Added sub-interface port
- Modified policy
- Modified IP address on server

I am unable to get the server to communicate with the internet (Outbound), everything inbound works fine.

Any suggestions with this?

Thanks

Contributor
TravisJohnson
Posts: 116
Registered: 12-14-2009

Re: DMZ Setup help - Juniper SSG140

Can you repost your config? I can load it in my lab and see what I may have missed.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.