Screen OS


  • 1.  Basic routing - problem help needed.

    Posted 02-16-2014 07:26

    Hi All.

     

     

     

    I am very new to ScreenOS and am liking it very much. I am just doing some lab work at home.

    I have an SS5 and am just trying to set up a basic policy and then build on it, but I am unable to ping between the host computers.

     

    Help would be very much appreciated.

     

     

     

    Here is the basic config:

     

     

     

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "untrust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "finance"
    set zone id 101 "eng"
    set zone id 102 "mail"
    set zone "mail" vrouter "untrust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "finance" tcp-rst
    set zone "eng" tcp-rst
    set zone "mail" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface ethernet0/2 phy full 100mb
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "Null"
    set interface "ethernet0/2" zone "Trust"
    set interface "ethernet0/2.1" tag 1 zone "finance"
    set interface "ethernet0/3" zone "Untrust"
    set interface "bgroup0" zone "Trust"
    unset interface vlan1 ip
    set interface ethernet0/0 ip 192.168.1.1/24
    set interface ethernet0/0 nat
    set interface ethernet0/2 ip 10.1.1.1/24
    set interface ethernet0/2 route
    set interface ethernet0/2.1 ip 10.1.2.1/24
    set interface ethernet0/2.1 route
    set interface ethernet0/3 ip 10.1.3.1/24
    set interface ethernet0/3 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/2.1 ip manageable
    set interface ethernet0/3 ip manageable
    set interface ethernet0/2.1 manage ping
    set interface ethernet0/3 manage ping
    set interface ethernet0/3 manage ssl
    set interface ethernet0/3 manage web
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "10.1.1.2/32" 10.1.1.2 255.255.255.255
    set address "Untrust" "10.1.3.2/32" 10.1.3.2 255.255.255.255
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "10.1.1.2/32" "10.1.3.2/32" "ANY" permit log
    set policy id 1
    set log session-init
    exit
    set policy id 2 from "Untrust" to "Trust"  "10.1.3.2/32" "10.1.1.2/32" "ANY" permit log
    set policy id 2
    set log session-init
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface ethernet0/3
    set route 10.1.1.2/32 vrouter "trust-vr" preference 20 metric 1
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 10.1.3.2/24 interface ethernet0/3
    set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     

     

     

     

    I am trying to ping from host 10.1.1.2 to 10.1.3.2.

     

    Both hosts can ping their default gateway.

     

     

    Thank you.

     

     



  • 2.  RE: Basic routing - problem help needed.

    Posted 02-16-2014 08:54

    I don't see any obvious errors in the zone configuration or policy.

     

    Does the ping attempt show up in your traffic logs?

    Do the hosts have OS-based firewalls turned on that might block the ping?

     

    I did notice that you have an unnecessary route.

    set route 10.1.3.2/24 interface ethernet0/3

     

    Connected subnets will generate the necessary routing entry without this configuration. You can see that when you look at the route table using:

    get route

    web: network--routing--destination

     

    I am also wondering if the default route you have configured is what you want. Typically a default route will point at a next-hop address rather than at another vrouter.

     

    But neither of these should cause any issue with the policy in question on connected interfaces.



  • 3.  RE: Basic routing - problem help needed.

    Posted 02-16-2014 11:19

    Hi Spuluka

     

     

     

     

     

     

     



  • 4.  RE: Basic routing - problem help needed.

    Posted 02-16-2014 11:21

    I see no traffic in the firewall log from the host



  • 5.  RE: Basic routing - problem help needed.

    Posted 02-16-2014 11:44

    I think you're getting tangled up with unnecessary vrouters.

     

    In most deployments, you don't need to mess with more than 1 vrouter and adding in more tends to complicate and confuse things.

     

    For starters, I suggest you take all the vrouter configuration out and go back to basics. Since your configuration is small and you're just starting, the easiest thing to do would be to run "unset all" (confirm with "y"), then "reset"; when it asks "Configuration modified, save? [y]/n" be sure to answer "n", and when it then asks you to confirm the reset, answer "y".

     

    Keep your interfaces in the trust-vr, and don't let the zone name "Untrust" confuse you: it does not use the untrust-vr. Zone "Untrust" lives in the trust-vr by default, along with all your other zones and interfaces. Since you're just starting out, I'd strongly suggest you leave it there.

     

    Start with basic zones and your routes will mostly take care of themselves, because they will be direct/connected routes via your interfaces.



  • 6.  RE: Basic routing - problem help needed.

    Posted 02-16-2014 12:45

    Hi Keithr

     

     

    Thank you for your reply and your time.

     

    The reason I am using two vrouters is because I will be deploying a NetScreen box with untrust and trust zones.

    So, to make it more secure, I would use two VRs and then a number of sub-interfaces.

     

     

     

    Your advice will be appreciated.

     

     

    thanks

    Zarcoff



  • 7.  RE: Basic routing - problem help needed.
    Best Answer

    Posted 02-17-2014 13:51

    1 - Ping issue

     

    Both of the zones in the issue here, Trust and Untrust, are in the same VR as connected routes.

     

    Your policies look correct, but they do not see any traffic.

     

    I would first confirm that the two workstations are set up with the correct default gateway and that each can ping its default gateway.

     

    If none of this reveals the problem, then set up a debug flow for the ping between the two hosts.

     

    Spoiler

    DEBUG FLOW BASIC :

    ==================

     

    Prepare the tool

    1. undebug all - this ensures that the debug utility is not already running.

    2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters yet. If you do see filters listed, you can delete them with unset ffilter.

     

    Setup the capture

    3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B) 

      set ffilter src-ip x.x.x.x(computer B) dst-ip x.x.x.x(computer A) - by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of the communication.

     

    Capture the traffic

    5. clear db - this will clear the debugging cache. 

    6. debug flow basic - this turns the debugging utility on. 

    7. initiate the traffic you are interested in capturing. 

     

    Pull the data

    8. undebug all - turns the utility back off.  

    9. get db stream - this is the actual packet capture output that we want. 

     

    Remove the setup

    10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.

    11. clear db - this will clear the cache.

      

    2- Multiple VR

     

    Multiple VRs are NOT a security measure. They exist to create separate routing domains. You don't get any added security by having the ISP in its own VR. We use VRs to separate multi-tenant routing so that routes are not exchanged between domains that don't need to reach each other.

     

    If there is only one company at the site, you probably don't need separate VRs. You just put your various subnets into the appropriate zone collections for your policies.

     

    The VRs here just make things more complicated: they separate the routing domains, but you don't want them separate. All the resources DO need to route to each other; they just need security policies to restrict access. So you end up creating extra configuration to share, between every VR, the routes that you separated by creating the VRs in the first place. This basically creates double work.



  • 8.  RE: Basic routing - problem help needed.

    Posted 03-11-2014 14:04

    Both hosts had an issue, which has now been resolved.

     

    Thank you for your help.



  • 9.  RE: Basic routing - problem help needed.

    Posted 03-11-2014 17:49

    Glad you have it working.