ScreenOS Firewalls (NOT SRX)
Contributor
martech
Posts: 20
Registered: 10-18-2011

DMZ not routing?

Hello everyone,

I have a Juniper SSG20 and want to use it as a basic firewall. There are two zones, called kantoor (office) and TD (technical room). The kantoor part works great, but the TD part does not: nobody in the TD can get Internet access. Ping on 192.168.110.180 was good, but our modem, which is on 192.168.110.100, didn't work. The routing tables look fine.

The TD group was untrusted before, but because of the errors I changed it to DMZ in the hope that it would work, which it didn't. I added my config file and a simple network overview.

Can someone help me out?

---

Jonathan

Contributor
khurram.khalid
Posts: 17
Registered: 05-25-2011

Re: DMZ not routing?

Hi,


If you look at the configuration you sent, you will find that bgroup0 is in the DMZ zone and bgroup2 is in the Untrust zone, but you do not have any policy, which is necessary in order to allow the traffic between these zones.


Regards

kkhalid

Contributor
martech
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you for your reply, Khurram.


I totally forgot about changing the Policy, but now that I have done that there is no change.

Am I forgetting something? I added the new config.

Regular Visitor
khurrum_
Posts: 9
Registered: 10-28-2010

Re: DMZ not routing?

Apparently there is nothing else that could block traffic towards the Internet except NAT mode on the local bgroup interfaces in your configuration:
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup0 nat
set interface bgroup1 ip 192.168.111.100/24
set interface bgroup1 nat
I am expecting that you are taking care of this thing.

Regards,
khurram
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: DMZ not routing?

Hi,


Interface-based NAT does not NAT the traffic going from the DMZ zone to the Untrust zone if both zones are mapped to the trust-vr. Interface-based NAT is absolutely inflexible. I never use it.

Change the interface mode to "route" and configure src-NAT in the policies. It takes a couple of minutes but saves a lot of time in the future.

As soon as you have assigned an IP to a new interface, check twice that it is running in route mode. This is good practice.

Kind regards,
Edouard
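As an added example, not posted by anyone in this thread, here is the CLI form of the advice above (route mode plus policy-based source NAT), which also supplies the DMZ-to-Untrust policy Khurram pointed out was missing. It assumes bgroup0 is the DMZ interface (192.168.112.180/24, as quoted earlier in the thread), bgroup2 is the Untrust interface, the kantoor zone is "trust", and 192.168.110.181 is a constructed DIP address; the policy ids are arbitrary. Lines beginning with "#" are annotations for the reader, not ScreenOS syntax, so drop them before pasting.

```screenos
# Added example: route mode + policy source NAT for the DMZ (TD) zone.
# Assumptions: bgroup0 = DMZ interface, bgroup2 = Untrust interface,
# kantoor = trust zone, 192.168.110.181 = constructed DIP address.

# 1. Take the DMZ interface out of NAT mode. Interface NAT would not
#    translate DMZ -> Untrust inside trust-vr anyway, so nothing is lost.
set interface bgroup0 route

# 2. Confirm the mode before continuing; the output includes the mode.
get interface bgroup0

# 3. Permit DMZ -> Untrust and source-NAT it in the policy. "nat src"
#    without a dip-id translates to the egress interface (bgroup2) address.
set policy id 10 from dmz to untrust any any any nat src permit

# 4. Alternative to step 3: translate to a DIP pool on the Untrust
#    interface instead of its own address (use one of the two, not both,
#    because both match any/any/any and the lower id wins).
set interface bgroup2 dip 4 192.168.110.181 192.168.110.181
set policy id 11 from dmz to untrust any any any nat src dip-id 4 permit

# 5. If bgroup1 (kantoor) is moved to route mode as well, its zone loses
#    the implicit interface NAT and needs the same kind of policy.
set interface bgroup1 route
set policy id 12 from trust to untrust any any any nat src permit

# 6. Checks: list the policies, then look for a translated session from a
#    TD host (192.168.112.50 is a constructed client address).
get policy
get session src-ip 192.168.112.50
```

The session output is the real test: a DMZ host's session towards the Internet should show the translated source (the bgroup2 or DIP address) once the policy is in place, and the session should match policy 10 (or 11), not a "deny" entry.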
Contributor
martech
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you Edouard for the reply!


After messing around I found out that the problem is probably NAT, just as you said. Changing it to NAT didn't work. I'm now going to look at this "src-NAT" that you suggested, Edouard. I'll search for it and if I get it to work I'll report back!

Regular Visitor
khurrum_
Posts: 9
Registered: 10-28-2010

Re: DMZ not routing?

Hi Edouard,


I agree, the best thing to do is src-NAT and put the interfaces in route mode. Could you please elaborate on any situation where we could benefit from putting interfaces in NAT mode?


This is just to elaborate on or highlight the essence of NAT mode versus src-NAT/DIP (provided that the interface has a routable IP, in the case of an Internet access scenario, as in this case specifically).


Regards,

Khurram

Distinguished Expert
Screenie
Posts: 1,073
Registered: 01-10-2008

Re: DMZ not routing?

You're all right about the NATting. DMZ to Untrust in trust-vr will not NAT. The interface-based NAT rules are:


In single (trust) VR from trust zone to untrust zone.

In multiple VR: Any VR to untrust VR.


Of course, for clarity, it's a good idea to put the ingress interface in route mode when you change to policy NAT. But the order in which NAT takes place is:


MIP
VIP
policy
interface


So regardless of the interface mode, src-NAT will happen as you configure it in the policy: it has higher priority than interface NAT.


My advice, as others above: put all interfaces in route mode and configure source NAT in the policies!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: DMZ not routing?

Hi Screenie,


I fully agree with you. Though the policy based src-NAT overrides the interface based NAT, there is no single reason to use the last one. Interface based NAT is a legacy feature from very early days of ScreenOS and not an alternative to the MIPs/VIPs and policy based NAT, that might have an advantage.

Kind regards,
Edouard
Contributor
martech
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you all for your replies.


This is really confusing for me, because I thought this was the only way I could forward ports. As a student I don't have much knowledge about this and get it from tutorials on the net and people like you who are willing to help me. To NAT, I first make a VIP on the interface where the connection begins. In the VIP I define the ports and the IP where the ports should go. After the VIP I go to the policies and make a policy with NAT Destination Translation > Translate IP: (the IP where the port needs to go). I made some screenshots of this, which are in this post.


I really have no idea what this src-NAT is and how you can configure it. I have half of the network working and don't really want to cause more downtime than necessary. Is there some documentation where I can find this, or a bit of an explanation?


The only thing I want is two different zones, called kantoor and TD, that I can manage with the policies but that get their Internet from the untrusted interface.


Thank you for your help! Really.
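The port-forwarding procedure described in the post above (a VIP on the interface where the connection arrives, then a policy to the VIP) in CLI form, as an added example that is not the poster's own configuration and not from any other participant. It assumes bgroup2 is the Untrust interface and that a web server in the TD (DMZ) zone sits at 192.168.112.50; both are constructed values. VIPs are independent of source NAT, so this sits alongside a policy-based src-NAT setup and is unaffected by the interface mode. Lines beginning with "#" are annotations, not ScreenOS syntax.

```screenos
# Added example: inbound port forward with a VIP, the CLI form of the
# WebUI steps described above. Assumptions: bgroup2 = Untrust interface,
# 192.168.112.50 = constructed DMZ web server.

# 1. A VIP on the Untrust interface's own address maps one port/service
#    to the internal host. Predefined services (HTTP here) can be used
#    directly.
set interface bgroup2 vip interface-ip 80 HTTP 192.168.112.50

# 2. For a non-standard port, define a custom service first and map it
#    the same way ("TD-RDP" is a constructed name).
set service "TD-RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface bgroup2 vip interface-ip 3389 "TD-RDP" 192.168.112.50

# 3. The policy only has to permit traffic to the VIP address object that
#    ScreenOS creates for the interface; the VIP performs the destination
#    translation itself, ahead of policy NAT in the order given by Screenie.
set policy id 20 from untrust to dmz any "VIP(bgroup2)" HTTP permit
set policy id 21 from untrust to dmz any "VIP(bgroup2)" "TD-RDP" permit

# 4. Checks: the VIP table, the two policies, then a live session to the
#    internal host after a connection attempt from outside.
get vip
get policy id 20
get policy id 21
get session dst-ip 192.168.112.50
```

The VIP table from "get vip" lists each port-to-host mapping and whether the mapped host is reachable; if a mapping is missing there, the policy cannot match and the connection will be dropped before it reaches the server.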

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.