ScreenOS Firewalls (NOT SRX)
Contributor
cyberwatcher
Posts: 45
Registered: 08-23-2008

Confused regarding policies

I recently was finally able to get my DMZ working with Outlook on my workstation in the trusted network.

Trusted network 10.1.1.0

DMZ  172.16.10.0

Why is it that I need not only a policy from the Untrust to the DMZ using HTTPS and SMTP, but also a policy from the DMZ to the Untrust using SMTP?

I also seem to need a policy from the Trust to the DMZ (workstation using Outlook) to (mail server) using the TCP-ANY service.

If I take out the policy from the workstation to the mail server (TCP-ANY) I get an error in Outlook saying it cannot authenticate or find the POP3 mail server.

I am wondering if I really need the policy that I have. I do recall that policies are stateful, so why is it that it seems I need them in both directions?


set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "BitTorrent" protocol tcp src-port 6881-6889 dst-port 6881-6889
set service "BitTorrent" + udp src-port 6881-6889 dst-port 6881-6889
set service "Torrent" protocol tcp src-port 1-65535 dst-port 56881-56881
set service "Torrent" + udp src-port 1-65535 dst-port 56881-56881
set service "Torrent" + udp src-port 1-65535 dst-port 56969-56969
set service "Torrent" + tcp src-port 1-65535 dst-port 6881-6889
set service "Torrent" + udp src-port 1-65535 dst-port 6881-6889
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "cyberwatchers"
set admin password "nMlLPoreNfTFcxEBPsLE+4Lt1gA/ln"
set admin port 8080
set admin ssh port 2173
set admin mail alert
set admin mail server-name "mail"
set admin mail mail-addr1 "info@mail.com"
set admin mail mail-addr2 "geraldfwhite@mail.net"
set admin mail traffic-log
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Quarantine"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Quarantine" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/6" zone "Quarantine"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
unset interface vlan1 ip
set interface ethernet0/0 ip 75.146.xx.xxx/30
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/6 ip 10.1.2.1/24
set interface ethernet0/6 nat
set interface wireless0/0 ip 192.168.2.1/24
set interface wireless0/0 nat
set interface bgroup0 ip 10.1.1.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/6 ip manageable
set interface wireless0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface ethernet0/1 manage ssh
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip untrust 25 "SMTP" 172.16.10.3 manual
set interface ethernet0/0 vip untrust 80 "HTTP" 172.16.10.2
set interface ethernet0/0 vip untrust 443 "HTTPS" 172.16.10.3 manual
set interface ethernet0/0 vip untrust 56881 "Torrent" 172.16.10.7
set interface ethernet0/1 dhcp server service
set interface ethernet0/6 dhcp server service
set interface wireless0/0 dhcp server service
set interface bgroup0 dhcp server service
set interface ethernet0/1 dhcp server auto
set interface ethernet0/6 dhcp server enable
set interface wireless0/0 dhcp server auto
set interface bgroup0 dhcp server auto
set interface ethernet0/1 dhcp server option dns1 10.1.1.4
set interface ethernet0/1 dhcp server option dns2 68.87.75.194
set interface ethernet0/6 dhcp server option lease 1440000
set interface ethernet0/6 dhcp server option gateway 10.1.2.1
set interface ethernet0/6 dhcp server option netmask 255.255.255.0
set interface ethernet0/6 dhcp server option dns1 68.87.75.194
set interface wireless0/0 dhcp server option lease 1440000
set interface wireless0/0 dhcp server option dns1 10.1.1.4
set interface bgroup0 dhcp server option gateway 10.1.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 10.1.1.4
set interface ethernet0/1 dhcp server ip 172.16.10.2 mac 000c768517fe
set interface ethernet0/1 dhcp server ip 172.16.10.3 mac 0040ca57c261
set interface ethernet0/1 dhcp server ip 172.16.10.7 mac 001b211b4c54
set interface ethernet0/1 dhcp server ip 172.16.10.11 to 172.16.10.15
set interface ethernet0/6 dhcp server ip 10.1.2.2 to 10.1.2.3
set interface wireless0/0 dhcp server ip 192.168.2.11 to 192.168.2.15
set interface bgroup0 dhcp server ip 10.1.1.20 to 10.1.1.25
unset interface ethernet0/1 dhcp server config next-server-ip
unset interface ethernet0/6 dhcp server config next-server-ip
unset interface wireless0/0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface wireless0 wlan 0
set flow tcp-mss
unset flow tcp-syn-check
set domain cyberwatchers.local
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 68.87.75.194 src-interface ethernet0/0
set dns host dns2 68.87.64.146 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set address "Trust" "cyberserve" 10.1.1.7 255.255.255.0
set address "Trust" "p4" 10.1.1.5 255.255.255.0
set address "Trust" "vpnaddress" 10.1.1.1 255.255.255.0
set address "DMZ" "Fedora" 172.16.10.2 255.255.255.0
set address "DMZ" "Mail Server" 172.16.10.3 255.255.255.0
set group service "Remote Access Group"
set group service "Remote Access Group" add "SSH"
set group service "Remote Access Group" add "UDP-ANY"
set user "Gary" uid 3
set user "Gary" ike-id u-fqdn "gary@mail.com" share-limit 1
set user "Gary" type  auth ike
set user "Gary" password "HLv+Be0wNzhvo3sRvJCLeOVXY8nwHUECLg=="
set user "Gary" "enable"
set user "gerald" uid 2
set user "gerald" ike-id u-fqdn "gerald@mail.com" share-limit 1
set user "gerald" type  auth ike
set user "gerald" password "c7GwVEGQNVczTYsSHcCHrA1xNOnLTkN9lw=="
set user "gerald" "enable"
set ike gateway "Garys_Gateway" dialup "Gary" Aggr outgoing-interface "ethernet0/0" preshare "uEKrg80XNRemPTsjt6CGJ90HCXntBRdAudZ7qYtHGT3nr6TRbxF7Jwk=" proposal "pre-g2-3des-sha"
unset ike gateway "Garys_Gateway" nat-traversal
set ike gateway "Geralds_Gateway" dialup "gerald" Aggr outgoing-interface "ethernet0/0" preshare "guqkypjNNigkaIs+jvCmLo5038nPRgpvWuqRjSbq42tKomnb7Z0ezAA=" proposal "pre-g2-3des-sha"
unset ike gateway "Geralds_Gateway" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Garys_Tunnel" gateway "Garys_Gateway" no-replay tunnel idletime 0 sec-level compatible
set vpn "Geralds_Tunnel" gateway "Geralds_Gateway" no-replay tunnel idletime 0 sec-level compatible
set url protocol websense
exit
set policy id 25 name "Gerald" from "Untrust" to "Trust"  "Dial-Up VPN" "vpnaddress" "ANY" tunnel vpn "Geralds_Tunnel" id 5
set policy id 25
exit
set policy id 24 name "Gary" from "Untrust" to "Trust"  "Dial-Up VPN" "vpnaddress" "ANY" tunnel vpn "Garys_Tunnel" id 4
set policy id 24
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 12 from "DMZ" to "Trust"  "Any" "Any" "SSH" permit
set policy id 12
set service "UDP-ANY"
exit
set policy id 13 from "Trust" to "DMZ"  "Any" "Any" "SSH" permit
set policy id 13
set service "UDP-ANY"
exit
set policy id 19 name "Sick Computers" from "Quarantine" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 19 disable
set policy id 19
exit
set policy id 18 from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "HTTP" permit
set policy id 18
set service "HTTPS"
set service "SMTP"
exit
set policy id 22 from "DMZ" to "Untrust"  "Mail Server" "Any" "SMTP" nat src permit
set policy id 22
exit
set policy id 26 from "Trust" to "DMZ"  "p4" "Mail Server" "TCP-ANY" permit
set policy id 26
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set wlan 0 channel auto
set wlan 1 channel auto
set ssid name cybersluts
set ssid cybersluts authentication wpa-psk passphrase ZJOjsbHANPlvK+sm03CYJZnV/gnUyYYIjMlccQ5TkGhl7lxaIwsUS2A= encryption auto
set ssid cybersluts interface wireless0
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 75.146.xx.xxx preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

 

www.cyberwatchers.com
Trusted Expert
AndyC
Posts: 441
Registered: 07-08-2008

Re: Confused regarding policies

Hi,

Policies are needed to allow connections in the direction in which they are initiated. The reason you need a policy from DMZ to Untrust for SMTP is that the mail server needs it to be able to send emails out to other mail servers on the internet.

 

The reason you need a policy from Trust to DMZ to the mail server is that your Outlook client needs to connect to the mail server to get e-mails.

If you turn on logging on the policy you will be able to see what ports are being used, so you could tie it down more than just using TCP-ANY.

 

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
cyberwatcher

Re: Confused regarding policies

Andy,

Thanks. I will look into the logging then. I tried every service other than TCP-ANY and it did not work without it. I guess it will need to be narrowed down to the actual port or ports that Outlook is using between my workstation and the mail server. Thanks for the info; I will get back to this post with my findings.

www.cyberwatchers.com
cyberwatcher

Re: Confused regarding policies

Andy,

First I would like to say thank you for your help; this site is awesome. Your solution worked. I was able to figure out that it was port 995 using secure POP3, which I kind of knew. I just did not know about the logging feature in the policy. I also forgot that I could create a custom service object, which I have done, enabling the port and doing away with TCP-ANY.

I also did away with UDP-ANY, which I was using along with SSH in order to communicate between the Trust and DMZ zones. I needed DNS.

Regards

www.cyberwatchers.com
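The tightening that Andy's answer describes and that the last post reports doing, written out as ScreenOS CLI. This is an added example, not config from the original posts: the address objects "p4" (10.1.1.5) and "Mail Server" (172.16.10.3) and policy ids 12, 13, 18, 22 and 26 are taken from the posted config, while the custom service name "POP3-SSL" and the service group name "Trust-DMZ-Admin" are assumed names chosen here. Lines starting with `#` are explanatory comments only; ScreenOS has no comment syntax, so drop them before pasting.

```text
# Why policies are needed in both directions even though ScreenOS is stateful:
# state is kept per session, and a session is created only by a policy that
# matches the INITIATING packet. Policy 18 (Untrust->DMZ via the VIP) admits
# inbound SMTP/HTTPS and the replies ride that session. When the mail server
# itself delivers mail to the internet it INITIATES a new session from DMZ,
# which is why policy 22 (DMZ->Untrust, SMTP) is required. Likewise Outlook on
# p4 initiates the POP3 session, so Trust->DMZ needs a policy while no
# DMZ->Trust policy is needed for the replies.

# Step 1: discover the real port. Re-issue policy 26 with "log" and "count"
#         so every matching session is recorded, then trigger a mail check
#         from p4 and read the traffic log and the live session table.
set policy id 26 from "Trust" to "DMZ" "p4" "Mail Server" "TCP-ANY" permit log count
get log traffic policy 26
get session src-ip 10.1.1.5 dst-ip 172.16.10.3

# Step 2: a custom service object for POP3 over SSL (tcp/995), the port the
#         log turned up in the thread. "POP3-SSL" is an assumed object name.
set service "POP3-SSL" protocol tcp src-port 0-65535 dst-port 995-995

# Step 3: swap TCP-ANY for that single service; keep "log" so future denies
#         are visible if the client starts using something else.
set policy id 26 from "Trust" to "DMZ" "p4" "Mail Server" "POP3-SSL" permit log

# Step 4: replace UDP-ANY with the predefined DNS service in the Trust<->DMZ
#         admin policies (12 and 13). The policies are deleted and recreated
#         so no stale UDP-ANY entry added in policy context survives.
set group service "Trust-DMZ-Admin"
set group service "Trust-DMZ-Admin" add "SSH"
set group service "Trust-DMZ-Admin" add "DNS"
unset policy id 12
unset policy id 13
set policy id 12 from "DMZ" to "Trust" "Any" "Any" "Trust-DMZ-Admin" permit
set policy id 13 from "Trust" to "DMZ" "Any" "Any" "Trust-DMZ-Admin" permit

# Step 5: confirm what is installed and persist it.
get policy id 26
get policy id 13
save
```

Two practical notes. The posted config has `set admin mail traffic-log`, so adding `log` to a policy will also e-mail every session entry to the addresses configured there; most people would `unset admin mail traffic-log` while debugging and read the log on the box instead. And, unrelated to the policy question but visible in the same config, `set interface ethernet0/0 manage web` together with `set admin port 8080` exposes the management WebUI on the Untrust interface; an operator would normally unset that and manage the device from Trust only.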
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.