Screen OS


  • 1.  Confused regarding policies

    Posted 09-06-2008 14:26

    I recently got my mail server in the DMZ working with Outlook on my workstation in the trusted network.

    Trusted network 10.1.1.0

    DMZ  172.16.10.0

    Why do I need not only a policy from Untrust to the DMZ for HTTPS and SMTP, but also a policy from the DMZ to Untrust for SMTP?

     

    I also seem to need a policy from Trust (the workstation running Outlook) to the DMZ (the mail server) using the TCP-ANY service…

    If I remove the policy from the workstation to the mail server (TCP-ANY), Outlook reports that it cannot authenticate to or find the POP3 mail server…

    I am wondering whether I really need the policies I have. I recall that policies are stateful, so why does it seem that I need them in both directions?

     

    set clock timezone -5
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "BitTorrent" protocol tcp src-port 6881-6889 dst-port 6881-6889
    set service "BitTorrent" + udp src-port 6881-6889 dst-port 6881-6889
    set service "Torrent" protocol tcp src-port 1-65535 dst-port 56881-56881
    set service "Torrent" + udp src-port 1-65535 dst-port 56881-56881
    set service "Torrent" + udp src-port 1-65535 dst-port 56969-56969
    set service "Torrent" + tcp src-port 1-65535 dst-port 6881-6889
    set service "Torrent" + udp src-port 1-65535 dst-port 6881-6889
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "cyberwatchers"
    set admin password "nMlLPoreNfTFcxEBPsLE+4Lt1gA/ln"
    set admin port 8080
    set admin ssh port 2173
    set admin mail alert
    set admin mail server-name "mail"
    set admin mail mail-addr1 "info@mail.com"
    set admin mail mail-addr2 "geraldfwhite@mail.net"
    set admin mail traffic-log
    set admin auth timeout 10
    set admin auth server "Local"
    set admin privilege read-write
    set admin format dos
    set vip multi-port
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "Quarantine"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    unset zone "Quarantine" tcp-rst
    unset zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    unset zone "Untrust" screen ping-death
    unset zone "Untrust" screen ip-filter-src
    unset zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/6" zone "Quarantine"
    set interface "wireless0/0" zone "Trust"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    unset interface vlan1 ip
    set interface ethernet0/0 ip 75.146.xx.xxx/30
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 172.16.10.1/24
    set interface ethernet0/1 nat
    set interface ethernet0/6 ip 10.1.2.1/24
    set interface ethernet0/6 nat
    set interface wireless0/0 ip 192.168.2.1/24
    set interface wireless0/0 nat
    set interface bgroup0 ip 10.1.1.1/24
    set interface bgroup0 nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/6 ip manageable
    set interface wireless0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage web
    set interface ethernet0/1 manage ssh
    set interface bgroup0 manage mtrace
    set interface ethernet0/0 vip untrust 25 "SMTP" 172.16.10.3 manual
    set interface ethernet0/0 vip untrust 80 "HTTP" 172.16.10.2
    set interface ethernet0/0 vip untrust 443 "HTTPS" 172.16.10.3 manual
    set interface ethernet0/0 vip untrust 56881 "Torrent" 172.16.10.7
    set interface ethernet0/1 dhcp server service
    set interface ethernet0/6 dhcp server service
    set interface wireless0/0 dhcp server service
    set interface bgroup0 dhcp server service
    set interface ethernet0/1 dhcp server auto
    set interface ethernet0/6 dhcp server enable
    set interface wireless0/0 dhcp server auto
    set interface bgroup0 dhcp server auto
    set interface ethernet0/1 dhcp server option dns1 10.1.1.4
    set interface ethernet0/1 dhcp server option dns2 68.87.75.194
    set interface ethernet0/6 dhcp server option lease 1440000
    set interface ethernet0/6 dhcp server option gateway 10.1.2.1
    set interface ethernet0/6 dhcp server option netmask 255.255.255.0
    set interface ethernet0/6 dhcp server option dns1 68.87.75.194
    set interface wireless0/0 dhcp server option lease 1440000
    set interface wireless0/0 dhcp server option dns1 10.1.1.4
    set interface bgroup0 dhcp server option gateway 10.1.1.1
    set interface bgroup0 dhcp server option netmask 255.255.255.0
    set interface bgroup0 dhcp server option dns1 10.1.1.4
    set interface ethernet0/1 dhcp server ip 172.16.10.2 mac 000c768517fe
    set interface ethernet0/1 dhcp server ip 172.16.10.3 mac 0040ca57c261
    set interface ethernet0/1 dhcp server ip 172.16.10.7 mac 001b211b4c54
    set interface ethernet0/1 dhcp server ip 172.16.10.11 to 172.16.10.15
    set interface ethernet0/6 dhcp server ip 10.1.2.2 to 10.1.2.3
    set interface wireless0/0 dhcp server ip 192.168.2.11 to 192.168.2.15
    set interface bgroup0 dhcp server ip 10.1.1.20 to 10.1.1.25
    unset interface ethernet0/1 dhcp server config next-server-ip
    unset interface ethernet0/6 dhcp server config next-server-ip
    unset interface wireless0/0 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config updatable
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set interface wireless0 wlan 0
    set flow tcp-mss
    unset flow tcp-syn-check
    set domain cyberwatchers.local
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 68.87.75.194 src-interface ethernet0/0
    set dns host dns2 68.87.64.146 src-interface ethernet0/0
    set dns host dns3 0.0.0.0
    set address "Trust" "cyberserve" 10.1.1.7 255.255.255.0
    set address "Trust" "p4" 10.1.1.5 255.255.255.0
    set address "Trust" "vpnaddress" 10.1.1.1 255.255.255.0
    set address "DMZ" "Fedora" 172.16.10.2 255.255.255.0
    set address "DMZ" "Mail Server" 172.16.10.3 255.255.255.0
    set group service "Remote Access Group"
    set group service "Remote Access Group" add "SSH"
    set group service "Remote Access Group" add "UDP-ANY"
    set user "Gary" uid 3
    set user "Gary" ike-id u-fqdn "gary@mail.com" share-limit 1
    set user "Gary" type  auth ike
    set user "Gary" password "HLv+Be0wNzhvo3sRvJCLeOVXY8nwHUECLg=="
    set user "Gary" "enable"
    set user "gerald" uid 2
    set user "gerald" ike-id u-fqdn "gerald@mail.com" share-limit 1
    set user "gerald" type  auth ike
    set user "gerald" password "c7GwVEGQNVczTYsSHcCHrA1xNOnLTkN9lw=="
    set user "gerald" "enable"
    set ike gateway "Garys_Gateway" dialup "Gary" Aggr outgoing-interface "ethernet0/0" preshare "uEKrg80XNRemPTsjt6CGJ90HCXntBRdAudZ7qYtHGT3nr6TRbxF7Jwk=" proposal "pre-g2-3des-sha"
    unset ike gateway "Garys_Gateway" nat-traversal
    set ike gateway "Geralds_Gateway" dialup "gerald" Aggr outgoing-interface "ethernet0/0" preshare "guqkypjNNigkaIs+jvCmLo5038nPRgpvWuqRjSbq42tKomnb7Z0ezAA=" proposal "pre-g2-3des-sha"
    unset ike gateway "Geralds_Gateway" nat-traversal
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn "Garys_Tunnel" gateway "Garys_Gateway" no-replay tunnel idletime 0 sec-level compatible
    set vpn "Geralds_Tunnel" gateway "Geralds_Gateway" no-replay tunnel idletime 0 sec-level compatible
    set url protocol websense
    exit
    set policy id 25 name "Gerald" from "Untrust" to "Trust"  "Dial-Up VPN" "vpnaddress" "ANY" tunnel vpn "Geralds_Tunnel" id 5
    set policy id 25
    exit
    set policy id 24 name "Gary" from "Untrust" to "Trust"  "Dial-Up VPN" "vpnaddress" "ANY" tunnel vpn "Garys_Tunnel" id 4
    set policy id 24
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 12 from "DMZ" to "Trust"  "Any" "Any" "SSH" permit
    set policy id 12
    set service "UDP-ANY"
    exit
    set policy id 13 from "Trust" to "DMZ"  "Any" "Any" "SSH" permit
    set policy id 13
    set service "UDP-ANY"
    exit
    set policy id 19 name "Sick Computers" from "Quarantine" to "Untrust"  "Any" "Any" "ANY" nat src permit
    set policy id 19 disable
    set policy id 19
    exit
    set policy id 18 from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "HTTP" permit
    set policy id 18
    set service "HTTPS"
    set service "SMTP"
    exit
    set policy id 22 from "DMZ" to "Untrust"  "Mail Server" "Any" "SMTP" nat src permit
    set policy id 22
    exit
    set policy id 26 from "Trust" to "DMZ"  "p4" "Mail Server" "TCP-ANY" permit
    set policy id 26
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set wlan 0 channel auto
    set wlan 1 channel auto
    set ssid name cybersluts
    set ssid cybersluts authentication wpa-psk passphrase ZJOjsbHANPlvK+sm03CYJZnV/gnUyYYIjMlccQ5TkGhl7lxaIwsUS2A= encryption auto
    set ssid cybersluts interface wireless0
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/0 gateway 75.146.xx.xxx preference 20 permanent
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     



  • 2.  RE: Confused regarding policies

    Posted 09-06-2008 14:42

    Hi,

     

    Policies are needed to permit connections in the direction in which they are initiated. "Stateful" means the firewall automatically allows the reply packets of a session it has already permitted; it does not mean that a policy permitting Untrust-to-DMZ SMTP also lets the DMZ open new sessions outbound. You need the DMZ-to-Untrust SMTP policy because your mail server initiates connections to other mail servers on the Internet when it sends mail.

     

    You need the Trust-to-DMZ policy to the mail server because your Outlook client initiates the connection to the mail server to retrieve e-mail.

     

    If you turn on logging on the policy, you will see which ports are actually being used, and you can then tighten it to a specific service rather than TCP-ANY. The same applies to your DMZ-to-Trust policy (id 12, SSH plus UDP-ANY): anything permitted from the DMZ into Trust is the path an attacker who compromises a DMZ host would take into your trusted network, so it should be limited to the specific services the DMZ hosts actually need.

     

    Regards

     

    Andy



  • 3.  RE: Confused regarding policies

    Posted 09-07-2008 02:16

    Andy,

     

    Thanks. I will look into the logging. I tried every service other than TCP-ANY and it did not work without it, so I will need to narrow it down to the actual port or ports that Outlook uses between my workstation and the mail server. Thanks for the info; I will update this post with my findings.



  • 4.  RE: Confused regarding policies

    Posted 09-07-2008 03:58

    Andy,

     

    First, thank you for your help; this site is awesome. Your solution worked. With logging on the policy I was able to confirm that the traffic was TCP port 995 (POP3 over SSL/TLS), which I half-knew already; I just did not know about the logging feature in the policy. I had also forgotten that I could create a custom service object, which I have now done for that single port, doing away with TCP-ANY.

    I also did away with the UDP-ANY service I had been using alongside SSH between the Trust and DMZ zones; what was actually needed was DNS, since the DMZ hosts are handed 10.1.1.4 in the Trust zone as their DNS server.

     

    Regards