Screen OS


  • 1.  Access VIP service from a trusted Zone

    Posted 09-30-2014 03:33

    Hello!

     

    I have a setup with a Juniper SSG 20. I have a secondary IP on my WAN interface which handles all VIP traffic for Exchange. I have multiple networks in Trust, and I would like them to communicate directly with the VIP address (for Exchange). However, if I communicate from zone SEMI_TRUST to zone ISP (lan_network -> VIP-IP), I get time-outs in both NAT and Routed mode for the policy. Any hints on what I should do?

     

    (See the config details in my post below.)

     

    Thanks!



  • 2.  RE: Access VIP service from a trusted Zone

    Posted 09-30-2014 04:03

    For the devices that are in the same subnet as the Exchange server, you will need to add source NAT to their access policy.

     

    The reason is that the Exchange server receives the traffic from the firewall but replies to the host directly, since they are on the same subnet. This creates an asymmetric route, and the firewall session never gets set up properly.

     

    If you source-NAT the traffic to the firewall interface, the flows should become symmetric and work.



  • 3.  RE: Access VIP service from a trusted Zone

    Posted 10-01-2014 02:21

    Hi Steve

     

    Thanks for your answer! I have posted a piece of the config below (with, I think, all relevant info) because I can't get it to work.

     

    Note: as you can see, the Exchange server is in LAN A in vrouter trust, in its own zone. LAN B in vrouter trust (in its own zone) needs to communicate over the VIP in vrouter untrust (in its own zone). Any more clues? Sorry for any obsolete config.

     

    Thanks in advance!

     

    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set zone "Trust" vrouter "trust-vr"
    set zone id 102 "OTH_WIFI"
    set zone id 105 "ISP"
    set zone "ISP" vrouter "untrust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    unset zone "VLAN" tcp-rst
    unset zone "OTH_WIFI" tcp-rst  
    set zone "MGT_WIFI" block
    unset zone "MGT_WIFI" tcp-rst
    set zone "ISP" block
    unset zone "ISP" tcp-rst
    set interface "ethernet0/0" zone "Null"
    set interface "ethernet0/1" zone "Trust"
    set interface "ethernet0/2" zone "HOTSPOT_ZONE"
    set interface "ethernet0/3" zone "MGT_WIFI"
    set interface "ethernet0/3.1" tag 21 zone "OTH_WIFI"
    set interface "ethernet0/3.2" tag 22 zone "CORP_WIFI"
    set interface "ethernet0/4" zone "ISP"
    set interface "bgroup0" zone "Null"
    unset interface vlan1 ip
    set interface ethernet0/1 ip 192.168.20.254/24
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 192.168.23.254/24
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 192.168.24.254/24
    set interface ethernet0/3 route
    set interface ethernet0/3.1 ip 192.168.21.254/24
    set interface ethernet0/3.1 route
    set interface ethernet0/3.2 ip 192.168.22.254/24
    set interface ethernet0/3.2 route
    set interface ethernet0/4 ip 1.2.3.98/28
    set interface ethernet0/4 route
    set interface ethernet0/3.1 mtu 1500
    set interface ethernet0/3.2 mtu 1500

    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip

    set interface ethernet0/4 vip 1.2.3.99 443 "HTTPS" 192.168.20.4

    set address "Trust" "192.168.20.32/32" 192.168.20.32 255.255.255.255
    set address "Trust" "CORP_LAN_20" 192.168.20.0 255.255.255.0

    set address "OTH_WIFI" "OTH_LAN_21" 192.168.21.0 255.255.255.0

    set address "ISP" "ethernet0/4-1.2.3.98" 1.2.3.98 255.255.255.255
    set address "ISP" "ethernet0/4-1.2.3.99" 1.2.3.99 255.255.255.255

    set policy id 17 from "Trust" to "ISP"  "CORP_LAN_20" "Any" "DNS" nat src permit log
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "NTP"
    set service "PING"
    exit
    set policy id 33 from "ISP" to "Trust"  "Any" "VIP(1.2.3.99)" "HTTP" permit log
    set policy id 33
    set service "HTTPS"
    exit
    set policy id 42 from "OTH_WIFI" to "ISP"  "Any" "ethernet0/4-1.2.3.99" "HTTPS" nat src permit log
    set policy id 42
    exit
    set policy id 35 from "OTH_WIFI" to "ISP"  "OTH_LAN_21" "Any" "DNS" nat src permit log
    set policy id 35
    set service "FTP"
    set service "HTTP"
    set service "HTTPS"
    set service "IMAP"
    set service "NTP"
    set service "PING"
    exit

    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface ethernet0/4 gateway 1.2.3.97 permanent
    set route 192.168.20.0/24 vrouter "trust-vr" preference 20 metric 1
    set route 192.168.21.0/24 vrouter "trust-vr" preference 20 metric 1
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     



  • 4.  RE: Access VIP service from a trusted Zone
    Best Answer

    Posted 10-01-2014 15:47

    I can't be sure from the config posted, but it looks like you only have the VIP set up for traffic inbound from the internet to the server. You need some method to apply the destination NAT from your internal zones out to the server.

     

    I would suggest using policy-based destination NAT for this. The policy would be from the source zone to the ISP zone where your public address is assigned. Then select the Advanced tab and enter the destination server address 192.168.20.4 as the translated address.