Screen OS

  • 1.  Attaching Airport Express to SSG20

    Posted 03-06-2012 19:12

    Hi,

     

    I've successfully added the AirPort Express to the Bgroup, where it passes through DHCP etc.  Thing is, I really want the wireless clients to be separate from the Bgroup, as I don't want them on the same range, nor using the VPN connection.

     

    So I've tried using the DMZ connection of the SSG.  I assigned another IP and have configured the AirPort Express to act as the DHCP server using the 'distribute a range of IP addresses' option.   I've also added a DMZ to Untrust policy to allow all, but I'm obviously still missing something crucial, as I can't get internet access through it.

     

    If anyone's got any pointers it would be greatly appreciated.

     

    Cheers



  • 2.  RE: Attaching Airport Express to SSG20
    Best Answer

    Posted 03-07-2012 03:58

    It sounds like the only piece you are missing is the DMZ to Untrust web access policy with interface-based NAT.

     

    I have an example posted in the Configuration Library section that shows how to configure a port as a place to attach a separate guest wifi WAP.  This runs through the whole process.

     

    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Configure-Guest-External-WAP-Segment/m-p/64151#M158



  • 3.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 12:54

    Steve, awesome work.  Turns out it was the policy NAT config as you predicted.

     

    Many thanks..



  • 4.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 15:10

    Actually Steve, one other question.

     

    Within the Zones config, to keep the networks totally separate, should I check the 'Block Intra Zone Traffic' check box?

     

    Cheers



  • 5.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 16:48

    No, intra-zone traffic is, for example, DMZ-to-DMZ; you do not need this enabled to keep zones separate.



  • 6.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 16:59

    Great, thanks..



  • 7.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 18:15

    intra-zone = within the same zone.  By default this is permitted without any policy being configured.

     

    inter-zone = between two different zones.  By default this is blocked without any policy being configured.

     

    I do use intra-zone blocking on public access segments, just as a security measure for the guest computers.  They will not be able to attempt access between other computers connected on the guest network with this enabled.  So if a bad actor gets on your guest network, they are blocked from attempting access to other guest computers.

     

    Intra-zone blocking also gets commonly used in DMZ zones, where you want to control server-to-server communications to only specific devices and protocols.  This also helps with security: in the event a single server is compromised, there is a limit to what the hacker has access to on the server segment.



  • 8.  RE: Attaching Airport Express to SSG20

    Posted 03-07-2012 19:34

    @spuluka wrote:

    I do use intra-zone blocking on public access segments, just as a security measure for the guest computers.  They will not be able to attempt access between other computers connected on the guest network with this enabled.  So if a bad actor gets on your guest network, they are blocked from attempting access to other guest computers.


    This is not really correct; any members of the DMZ network within the same subnet can directly communicate with each other and do not pass via the firewall (this is standard TCP/IP).

     

    If you had an SSG with wireless then yes I believe you can do a similar thing, but this is called client isolation and is set in the wireless settings and isn't a zone configuration option.
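The thread never shows the actual commands, so here is an added ScreenOS configuration fragment for the guest WAP segment described in posts 1-3, with the intra-zone block from posts 4-8 included so its limits can be seen in one place.  This is not the original poster's configuration nor the example from the Configuration Library link above.  Assumptions: an SSG20 where ethernet0/1 is the DMZ port (the factory default binding), the guest subnet 192.168.50.0/24, an Untrust interface that already has a routable address, and an AirPort Express in "distribute a range of IP addresses" mode (DHCP only, no NAT of its own) handing out 192.168.50.1 as the router.  The policy IDs are arbitrary.  Lines beginning with "#" are annotations, not ScreenOS syntax; remove them before pasting.

```screenos
# --- 1. DMZ interface: the guests' default gateway -------------------------
# Route mode: no translation happens at the interface; it is done per policy
# in step 2. The AirPort Express (DHCP only) must hand out 192.168.50.1 as the
# router and a DNS server that is reachable through the Untrust policy.
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 192.168.50.1/24
set interface ethernet0/1 route

# --- 2. Guest -> Internet (the piece the original poster was missing) -------
# Inter-zone traffic is denied until a policy exists. A plain "permit" is not
# enough here: the guests' private source addresses would leave untranslated
# and the replies would never return. "nat src" without a DIP pool translates
# the source to the egress (Untrust) interface address.
set policy id 20 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log

# --- 3. Keep guests away from the Bgroup/Trust side -------------------------
# Nothing is required: DMZ -> Trust is inter-zone and denied by default, and
# the Trust side's VPN tunnels are not reachable from the DMZ zone. An explicit
# deny only adds a log entry for attempts.
set policy id 21 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log

# --- 4. Intra-zone block (posts 4-8) ----------------------------------------
# Affects only traffic that transits the firewall between interfaces bound to
# the DMZ zone (e.g. a second DMZ port or subnet). Two laptops on the same
# AirPort Express subnet exchange frames via the access point and never reach
# the SSG, so this does not isolate guests from each other; that requires
# client isolation on the access point, as post 8 says.
set zone "DMZ" block

save

# --- Checks -----------------------------------------------------------------
# get interface ethernet0/1            - zone DMZ, route mode, 192.168.50.1/24
# get policy from dmz to untrust       - policy 20 listed with source NAT
# get session src-ip 192.168.50.20     - (example client address) sessions from
#                                        a guest should show a translated source
# get zone dmz                         - intra-zone block shown as enabled
```

Post 2 recommends interface-based NAT instead of the per-policy "nat src": that is `set interface ethernet0/1 nat`, which puts the interface in NAT mode so that everything it sends toward the Untrust zone is translated to the Untrust interface address, and the policy then needs only "permit".  Either approach fixes the symptom in post 1; policy NAT, which is what post 3 reports worked, keeps the translation visible next to the rule that allows the traffic.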



  • 9.  RE: Attaching Airport Express to SSG20

    Posted 03-09-2012 19:52

    many thanks