Screen OS

  • 1.  Creating another dmz (ssg20) - Updated with another problem

    Posted 04-27-2011 06:45

    Hi,

    Until today I had my network separated into 2 zones: trust was the LAN and dmz was the WLAN.

    Today I tried to create a new zone for servers, so that I can control which computers in the LAN have access to the servers. The problem is that in the new "servers" zone I get internet access but no access from/to the LAN.


    This is what I did:

    1. Took ethernet0/3 out of bgroup0, set ethernet0/3 with a different IP range (10.0.5.1/24, while trust uses 10.0.0.1/24), and put it in a new zone named "servers".

    2. Created a policy from servers to untrust with NAT for internet access (and I do have internet access on them; works great).

    3. Created 2 policies, from trust to servers and from servers to trust, with the group of IP(s) in the LAN that I want to give access to the servers (servers_users_group). Didn't touch other things in the policy such as "service" (just kept the default "any").

    4. I don't know if it's necessary, but anyway, on the desktops of the server users and on the servers I changed the netmask to 255.255.0.0; that way they are on 10.0.0.x but in the same netmask as the 10.0.5.x servers (the other LAN computers are still on 255.255.255.0).


    But I still do not have access (not even ping) between these users and the servers.


    What did I do wrong?


    As always, many thanks in advance (:


    Edit: I now have another problem, please read my second post in this thread. Thanks.




  • 2.  RE: Creating another dmz (ssg20) - Updated with another problem
    Best Answer

    Posted 04-27-2011 09:50

    Hi,


    Your problem is the netmasks that you've changed. The netmasks should be 255.255.255.0.

    If one of your desktop computers tries to connect to a server in the server zone, it assumes the server is on the same LAN (because its netmask is set to 255.255.0.0). So it tries to search for the server on the local LAN instead of sending the packet to the gateway (the interface address of your SSG20).


    Steve


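    The three firewall steps from the first post, with the host netmask corrected as Steve describes, written out as ScreenOS CLI. This is an added example and not configuration from the thread: the zone names, the interface ethernet0/3, bgroup0 and the 10.0.0.0/24 and 10.0.5.0/24 ranges are from the posts; the host addresses, object names and policy IDs are assumptions. The `#` lines are annotations for the reader, not ScreenOS syntax, so strip them before pasting.

```screenos
# Step 1: pull ethernet0/3 out of bgroup0 (trust, 10.0.0.1/24) and give it
# its own zone and subnet. The interface must leave the bgroup before it can
# be assigned to a zone; set the zone before the IP address.
set zone name "servers"
unset interface bgroup0 port ethernet0/3
set interface ethernet0/3 zone "servers"
set interface ethernet0/3 ip 10.0.5.1/24
set interface ethernet0/3 route
set interface ethernet0/3 manage ping

# Address objects (assumed hosts) used by the policies below.
set address "trust" "pc-alice" 10.0.0.10 255.255.255.255
set address "trust" "pc-bob" 10.0.0.11 255.255.255.255
set group address "trust" "servers_users_group"
set group address "trust" "servers_users_group" add "pc-alice"
set group address "trust" "servers_users_group" add "pc-bob"
set address "servers" "db-server" 10.0.5.10 255.255.255.255

# Step 2: servers -> untrust with source NAT to the egress interface
# (policy-based NAT, as in the first post).
set policy id 10 from "servers" to "untrust" "Any" "Any" "ANY" nat src permit log

# Step 3: only the listed LAN hosts may reach the server, and the server
# may only reach those hosts. "ANY" keeps the poster's default service;
# narrow it to the database port once connectivity works.
set policy id 11 from "trust" to "servers" "servers_users_group" "db-server" "ANY" permit log
set policy id 12 from "servers" to "trust" "db-server" "servers_users_group" "ANY" permit log

# Step 4, corrected per the accepted answer: hosts keep a /24 mask and use
# the firewall interface in their own zone as default gateway, so traffic
# for the other subnet is routed through the SSG20 instead of ARPed for
# on the local segment.
#   LAN desktops : 10.0.0.x / 255.255.255.0, gateway 10.0.0.1
#   servers      : 10.0.5.x / 255.255.255.0, gateway 10.0.5.1
```

    To check the result on the firewall, `get interface ethernet0/3` should show the interface in zone servers with 10.0.5.1/24, and `get policy from trust to servers` should list policy 11. From a desktop in servers_users_group, a traceroute to 10.0.5.10 should show 10.0.0.1 as the first hop; if the desktop still has the /16 mask it will instead ARP for 10.0.5.10 on its own segment and never reach the firewall, which is exactly the symptom in the first post.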

  • 3.  RE: Creating another dmz (ssg20) - Updated with another problem

    Posted 04-27-2011 09:59

    Thank you!



  • 4.  RE: Creating another dmz (ssg20) - Updated with another problem

    Posted 05-02-2011 13:04

    OK, unfortunately I have another problem: one of our server-side software packages does not support connections from outside the internal network (it asks for "IP Reverse" something and just makes problems when I run it in the second zone with a different IP mask).


    The server runs on Windows 7; it's just hosting a database. But again, both the client-side application and the diagnostic tools fail when I try to put the server in the new zone I created. The same machine with the same configuration, just with a "trust" zone IP and connected to the trust zone switch, works fine.


    Is there any option to configure the second zone (the "servers" zone) to use a different port on the firewall, a different zone, but the same IP range and netmask as the trust zone? That way they would all communicate as if they were in the same internal network.


    Thanks!