06-28-2012 06:41 AM
I'd be really grateful for some help, we have a Juniper SSG5 firewall installed on our LAN and we're planning on putting a proxy server between it and our LAN switch. The Juniper will stay as our edge firewall but will be on a different network than our LAN -
Current setup - flat LAN on a 192.168.X.X /16, inside interface of the Juniper is 192.168.1.2 and the outside is directly attached to an ADSL router
New setup - LAN attached to a proxy server which will have an inside interface of 192.168.1.2 and an outside of 10.0.0.1, the Juniper will be directly connected on its inside interface of 10.0.0.2. The Juniper will have an outside interface connected to the ADSL router, same as before.
We have VIP (I think that's the terminology) set up on the outside interface so for example, our SMTP is translated from XXX.XXX.XXX.XXX:25 to 192.168.1.X:25 along with a few other ports.
I'm very new to Juniper firewalls, my previous experience has been on a Cisco ASA but I was by no means an expert on that. When we inserted the proxy server, we changed the internal interface to 10.0.0.2 and I added a route for 192.168.0.0 /16 to be passed to the inside interface but I could see no traffic hitting the outside interface of the Proxy server (the interface directly connected to the Juniper).
I understand this is probably quite a complex issue so if I've left out any pertinent information then I'll post back with whatever is required.
Thank you for any help and assistance with this.
06-28-2012 03:08 PM
Since your interface is no longer in the 192.168.0.0/16 network you will have to associate this with a zone for firewall rules.
I assume when you changed the internal LAN interface on the SSG the zone and all the rules remain the same.
If that is the case then:
Create an address object for the 192.168.0.0/16 in the same zone as your LAN interface.
Then confirm that your LAN zone rules are set to "any" or if they are more specific create matching rules using this new address object.
Any inbound traffic would also need to have the vip, mip or policy rules adjusted for the new setup.
If none of this applies then you can use debug flow basic to capture a traffic flow attempt. This will tell you exactly what path is being used by the SSG and what processing is applied.
DEBUG FLOW BASIC :
Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter.
Set up the capture
3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
4. set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A) - by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.
Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. initiate the traffic you are interested in capturing.
Pull the data
8. undebug all - turns the utility back off.
9. get db stream - this is the actual packet capture output that we want.
Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.
06-29-2012 12:54 AM - edited 06-29-2012 12:57 AM
Thank you very much for the detailed response, it all makes sense so I'll have a go on Monday morning and let you know how I get on.
Edit - I'm assuming I'll still need to put the route in so all 192.168.0.0 /16 traffic is passed to the inside interface?
06-29-2012 03:44 AM
Correct, you do still need the route to direct the traffic.
07-03-2012 02:01 AM - edited 07-03-2012 02:04 AM
We did a test this morning and it's still not passing traffic to our Proxy server. I added the route and address object in the trust zone; after checking in the routing table the new route was showing as active whereas last time it didn't so I think we're one step closer. I checked the VIP on the outside interface and the status for all was "Down", is there anything you can think of that might be causing this? I think that may be the only stumbling block so anything you can suggest will be gratefully received.
Thanks for your input so far,
Edit - I've just noticed this statement in your original reply - "Any inbound traffic would also need to have the vip, mip or policy rules adjusted for the new setup." Given the information so far, what would I need to adjust here? Sorry if this is all getting a bit too granular.
07-03-2012 03:56 AM
The vip will show down if the auto detect is selected and the host cannot respond to ping.
Confirm that inbound ping to the host is working. Your proxy may have inbound firewall filters active.
Confirm that the destination address of the vip is within the scope of your policy address object
Confirm the route is active to the vip destination
If ping from the firewall to the vip destination does not work, then use the debug flow capture above to trace the transaction and see the path used by the traffic.
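The reply's configuration advice (zone address object, route, policy, VIP) and the debug flow basic steps, applied to the topology described in this thread, as an added ScreenOS CLI example that is not from any of the posts. Assumed: inside interface bgroup0, outside interface ethernet0/0, mail host 192.168.1.10, a LAN test host 192.168.1.50 and an external test address 203.0.113.10 (all constructed); lines beginning with # are annotations, not ScreenOS commands.

```screenos
# New topology: SSG5 inside 10.0.0.2/24 -> proxy outside 10.0.0.1 -> LAN 192.168.0.0/16

# 1. Inside interface moves to the proxy network (stays in the trust zone)
set interface bgroup0 zone trust
set interface bgroup0 ip 10.0.0.2/24

# 2. The route is still required: send the whole LAN back via the proxy
set route 192.168.0.0/16 interface bgroup0 gateway 10.0.0.1

# 3. Address object for the LAN in the same zone as the inside interface
set address trust "LAN-192.168.0.0-16" 192.168.0.0 255.255.0.0

# 4. Outbound policy: only needed if the existing trust->untrust rule is not "any"
set policy from trust to untrust "LAN-192.168.0.0-16" any any permit

# 5. Inbound VIP on the outside interface, SMTP to the mail host behind the proxy.
#    "manual" turns off server auto-detect, so the VIP is not marked Down
#    merely because the host does not answer the firewall's ping through the proxy.
set interface ethernet0/0 vip interface-ip 25 "SMTP" 192.168.1.10 manual
set policy from untrust to trust any "VIP(ethernet0/0)" "SMTP" permit

# 6. Checks from the reply before debugging
get route ip 192.168.1.10   # route to the VIP destination must be active via 10.0.0.1
ping 192.168.1.10           # must succeed if auto-detect is kept on the VIP

# 7. debug flow basic for one test flow, LAN host <-> external host, both directions
undebug all
get ffilter                 # expect no filters listed
set ffilter src-ip 192.168.1.50 dst-ip 203.0.113.10
set ffilter src-ip 203.0.113.10 dst-ip 192.168.1.50
clear db
debug flow basic
# ... generate the test traffic from 192.168.1.50 now, then:
undebug all
get db stream               # shows the zone, route and policy chosen for each packet
unset ffilter 0             # twice: filter 1 becomes filter 0 after the first unset
unset ffilter 0
clear db
```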