Screen OS

  • 1.  BGP route filter in SSG20

    Posted 09-27-2009 21:27
    Hi guys, I got a little problem configuring my firewall SSG20.
    The issue is that I used to use a J2300 as our router and we use BGP as the protocol.
    In the J2300 I have a policy statement like this:

    policy-options {
        policy-statement to_bgp {
            term 1 {
                from {
                    route-filter 0.0.0.0/0 exact;
                    route-filter 30.11.1.0/24 exact;
                    route-filter 30.12.1.0/24 exact;
                    route-filter 30.13.1.0/24 exact;
                }
                then {
                    next-hop self;
                    accept;
                }
            }
            term 2 {
                then reject;
            }
        }
    }

    Now I want to implement the same configuration in the SSG20. I heard about route maps and access lists, but I have difficulty limiting the prefixes, which should be only 0.0.0.0/0, 30.11.1.0/24, 30.12.1.0/24 and 30.13.1.0/24, with no other prefix received from the neighbor; but since I accept 0.0.0.0/0 my SSG20 receives all the prefixes.

    My question: how to limit the set of prefixes and reject all others in the SSG20?

    Thanks for your help guys...

    Best Regards,

    Roy


  • 2.  RE: BGP route filter in SSG20

    Posted 09-28-2009 03:29

    Hi,

    You can set these prefixes in the access list, one at a time (a total of 4) with the permit action, and that should do the same as the JUNOS policy you show. In the route map you refer to this access list. It's not as clear as JUNOS but certainly possible.


  • 3.  RE: BGP route filter in SSG20

    Posted 09-28-2009 03:42
    Yes, but when I do a route map with this access list, and I put the default route 0.0.0.0/0 with the permit action, my SSG-20 receives all the prefixes besides those 4 prefixes... This is what my problem is right now: how to accept only those 4 prefixes from the ISP.... Thx anyway


  • 4.  RE: BGP route filter in SSG20

    Posted 09-28-2009 10:23

    ScreenOS doesn't have that option. Please contact your account team to open an Enhancement Request.



  • 5.  RE: BGP route filter in SSG20

    Posted 09-28-2009 13:50
    I only have one SSG at the moment, can't try. But: in the BGP instance settings you can select "reject default route", which implies it is accepted by default. So what happens if you only set the four specific routes in the route map and don't select the reject option?


  • 6.  RE: BGP route filter in SSG20

    Posted 09-28-2009 18:38

    Dear Screenie,

    On the contrary, I need to accept the default route ( 0.0.0.0/0 ) and the other 3 prefixes, but reject the others. But since I allow the default route in the route map, all other prefixes are received automatically; this is my issue right now... Is there any way to accept the default route and the 3 other prefixes and reject the others? Thx



  • 7.  RE: BGP route filter in SSG20
    Best Answer

    Posted 09-28-2009 20:10

    I haven't tested this myself. But I remember seeing this in the O'Reilly ScreenOS cookbook. And sure enough it's on page 603.

    This should accept the prefixes you have defined including the default and deny all others.

    e0/0 is untrust

    Create your access list

    set vrouter trust-vr
    set access-list 3 permit ip 30.11.1.0/24 1
    set access-list 3 permit ip 30.12.1.0/24 2
    set access-list 3 permit ip 30.13.1.0/24 3
    set access-list 3 permit default-route 4

    Then set your route map

    set route-map name inbound-from-isp permit 10
    set match ip 3
    exit

    BGP neighbor settings

    set protocol bgp neighbor x.x.x.x remote-as x
    set protocol bgp neighbor x.x.x.x route-map inbound-from-isp in
    set protocol bgp neighbor x.x.x.x enable
    exit

    You should be able to check this with the following commands

    get vrouter trust-vr protocol bgp rib-in
    get vrouter trust-vr route protocol bgp


    Message Edited by shadow on 09-28-2009 10:11 PM


  • 8.  RE: BGP route filter in SSG20

    Posted 09-28-2009 23:42

    Hi Shadow...

    I have tried these steps before and it is still not working. When I try only

    set access-list 3 permit ip 30.11.1.0/24 1
    set access-list 3 permit ip 30.12.1.0/24 2
    set access-list 3 permit ip 30.13.1.0/24 3

    the prefixes 30.11.1.0/24, 30.12.1.0/24, 30.13.1.0/24 were received. But when I made the access list

    set access-list 3 permit default-route 4 ( 0.0.0.0/0 )

    all prefixes were received from my ISP to my SSG-20 firewall. The point is how to accept only the default route ( 0.0.0.0/0 ) and reject all other prefixes..




  • 9.  RE: BGP route filter in SSG20

    Posted 09-29-2009 01:57

    Hi Mangapuly,

    I am having a similar problem but I am trying to filter outgoing. My understanding of:

    set access-list 3 permit ip 30.11.1.0/24 1
    set access-list 3 permit ip 30.12.1.0/24 2
    set access-list 3 permit ip 30.13.1.0/24 3

    is that if your ISP was also advertising more specific subnets, i.e. 30.11.1.16/28, these would still be allowed through the filter. It almost seems to me that you would need to do:

    set access-list 3 permit ip 30.11.1.0/32 1
    set access-list 3 permit ip 30.12.1.0/32 2
    set access-list 3 permit ip 30.13.1.0/32 3
    set access-list 3 permit ip 0.0.0.0/32 4

    This doesn't seem right to me but out of desperation I am going to try the equivalent for my setup when I'm back in the office in a couple of days' time!

    Cheers
    Gaz

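The filter semantics this thread (Roy's opening post and Gaz's reply above) is arguing about, as an added example that is not part of the original posts: a JUNOS `route-filter ... exact` entry accepts only an identical prefix, whereas a containment-style match that includes 0.0.0.0/0 admits every received prefix, including the more-specific 30.11.1.16/28 Gaz worries about. The received prefixes are a constructed sample; nothing here claims how the ScreenOS CLI itself evaluates an access list.

```python
from ipaddress import ip_network

# Allowed prefixes from the thread's JUNOS policy-statement (route-filter ... exact).
ALLOWED = [ip_network(p) for p in
           ("0.0.0.0/0", "30.11.1.0/24", "30.12.1.0/24", "30.13.1.0/24")]

# Constructed sample of what an upstream might announce (only the four wanted
# prefixes and Gaz's 30.11.1.16/28 example come from the thread itself).
RECEIVED = ["0.0.0.0/0", "30.11.1.0/24", "30.11.1.16/28", "30.12.1.0/24",
            "30.13.1.0/24", "30.14.1.0/24", "8.8.8.0/24"]


def accepted_exact(prefix, allowed=ALLOWED):
    """JUNOS 'route-filter X exact' semantics: the received prefix must be
    identical to an allowed entry (same network and same mask length)."""
    net = ip_network(prefix)
    return any(net == a for a in allowed)


def accepted_containment(prefix, allowed=ALLOWED):
    """Containment ('orlonger') semantics: accept if the received prefix lies
    inside an allowed entry. Because 0.0.0.0/0 contains every IPv4 prefix,
    listing the default route this way permits everything."""
    net = ip_network(prefix)
    return any(net.subnet_of(a) for a in allowed)


def filter_rib_in(received, matcher):
    """Return the sorted list of received prefixes the matcher accepts."""
    return sorted(p for p in received if matcher(p))


def leaked_by_containment(received, allowed=ALLOWED):
    """Prefixes containment matching admits but exact matching rejects:
    the gap between the intended filter and what actually gets installed."""
    exact = set(filter_rib_in(received, lambda p: accepted_exact(p, allowed)))
    loose = set(filter_rib_in(received, lambda p: accepted_containment(p, allowed)))
    return sorted(loose - exact)


if __name__ == "__main__":
    print("exact      :", filter_rib_in(RECEIVED, accepted_exact))
    print("containment:", filter_rib_in(RECEIVED, accepted_containment))
    print("leaked     :", leaked_by_containment(RECEIVED))
```

Comparing the `exact` and `containment` outputs against `get vrouter trust-vr protocol bgp rib-in` is the quickest way to tell which semantics a device is applying to a permitted default route.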


  • 10.  RE: BGP route filter in SSG20

    Posted 09-29-2009 03:39

    Hi Gazzbut,

    As far as I know there is no set access-list 3 permit 0.0.0.0/32 4

    The right default route is 0.0.0.0/0; I have never heard of 0.0.0.0/32. I don't know about your ScreenOS version,
    but mine is ScreenOS 6.2.

    Let me know if you succeed... thx




  • 11.  RE: BGP route filter in SSG20

    Posted 09-28-2009 18:41
    So it means that access lists and route maps in ScreenOS can't support that? Tell me, what do you mean by Enhancement Request? Is it an optional choice that we can obtain from them.... thx