12-13-2011 02:56 AM
I have a Juniper SSG20 and want to use it as a basic firewall. There are two zones called kantoor (office) and TD (technical room). The kantoor part works great, but the TD part does not. Nobody at the TD can get internet. Ping on 192.168.110.180 was good, but our modem, which is on 192.168.110.100, didn't work. The routing tables look fine.
The TD group was untrusted before, but because of the errors I changed it to DMZ in the hope that it would work, which it didn't. I added my config file and added a simple network overview.
Can someone help me out?
12-13-2011 03:04 AM
If you look at the configuration you sent, you will find that bgroup0 is in the DMZ zone and bgroup2 is in the untrust zone, while you do not have any policy, which is necessary in order to allow the traffic between these zones.
12-13-2011 04:27 AM
Thank you for your reply Khurram.
I totally forgot about changing the Policy, but now that I have done that there is no change.
Am I forgetting something? I added the new config.
12-13-2011 05:39 AM
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup0 nat
set interface bgroup1 ip 192.168.111.100/24
set interface bgroup1 nat
I am expecting that you are taking care of this thing.
12-13-2011 07:14 AM
Interface based NAT is not NATting the traffic going from the DMZ zone to the Untrust zone if both zones are mapped to the trust-vr. Interface based NAT is absolutely inflexible. I never use it.
Change interface mode to the "route" and configure src-NAT in the policies. It takes a couple of minutes but saves a lot of time in the future.
As soon as you have assigned an IP to a new interface check twice if it is running in the route mode. This is a good practice.
12-13-2011 07:54 AM
Thank you Edouard for the reply!
After messing around I found out that the problem is probably NAT, just as you said. Changing it to nat didn't work. I'm now going to look at this "src-NAT" you suggested, Edouard. I'll search for it and if I get it to work I'll report back!
12-13-2011 09:58 AM
I agree, the best thing to do is src-nat and put the interfaces in route mode. Could you please elaborate on any situation where we could benefit from putting interfaces in nat mode?
This is just to elaborate on or highlight the essence of NAT mode versus src-nat/DIP (provided that the interface has a routable IP, in the case of the internet access scenario specifically).
12-13-2011 02:05 PM
You're all right about the natting. DMZ to untrust in trust-vr will not NAT. The interface-based NAT rules are:
In single (trust) VR from trust zone to untrust zone.
In multiple VR: Any VR to untrust VR.
Of course for clarity it's a good idea to put the ingress interface in route mode when you change to policy NAT. But the order NAT takes place in is:
So regardless of the interface mode, src-nat will happen as you configure it in the policy: it has higher priority than interface NAT.
My advice, as others above: put all interfaces in route mode and configure source NAT in the policies!
12-14-2011 12:06 AM
I fully agree with you. Though the policy based src-NAT overrides the interface based NAT, there is no single reason to use the latter. Interface based NAT is a legacy feature from the very early days of ScreenOS and not an alternative to the MIPs/VIPs and policy based NAT, which might have an advantage.
12-14-2011 01:49 AM
Thank you all for your replies.
This is really confusing for me, because I thought this was the only way I could forward ports. As a student I don't have much knowledge about this and get it from tutorials on the net and from people like you who are willing to help me. To NAT, I first make a VIP on the interface where the connection begins. In the VIP I define the ports and the IP location where the ports should go. After the VIP I go to the policies and make a policy with NAT Destination Translation > Translate IP: (location where the port needs to go). I made some screenshots about this, which are in this post.
I really have no idea what this src-NAT is and how you can configure it. I have half of the network working and don't really want to bring more downtime than necessary. Is there some documentation where I can find this, or a bit of an explanation?
The only thing I want is two different zones called kantoor and TD that I can manage with the policies, but that do get their internet from the untrusted interface.
Thank you for your help! Really.
12-15-2011 02:33 AM
If you have defined a VIP you do not need to activate the dst-NAT in the policy where this VIP is used. The VIP is already an object that contains the dst-NAT in its definition. The MIP is also a dst-NAT object that maps an IP to another IP for all protocols. But the MIP is a src-NAT object at the same time. If the host configured in a MIP establishes a connection and this connection goes out through the interface which accommodates the MIP, the original host IP is replaced with its MIP.
The src-NAT uses either the egress interface IP or a DIP (DIPs) configured on this interface. The only exception is the MIP described above. It has its own "public" address for the src-NAT. All your policies for access to the Internet should be configured with a src-NAT. In most cases the egress interface IP is used for this. If a source object in a Trust-to-Untrust policy has a MIP on the untrust interface, the src-NAT configured in the policy is ignored for this object. The MIP is used instead, as it has precedence.
The hosts used in a VIP definition are src-natted as any other host, namely by the src-NAT configured in the outbound policy.
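A worked ScreenOS configuration for the setup discussed in this thread, added here as an illustration (it is not any poster's config): both inside interfaces in route mode, policy-based src-NAT to the egress interface IP for both zones, plus a VIP and a MIP on the untrust interface as described in the last two posts. The interface-to-zone mapping (ethernet0/0 as Untrust, bgroup0 as DMZ/TD, bgroup1 as Trust/kantoor), the inside host addresses and the spare address used for the MIP are assumptions; lines starting with # are commentary, not ScreenOS syntax.

```text
# Assumed layout: ethernet0/0 = Untrust (192.168.110.180/24, modem at 192.168.110.100)
#                 bgroup0     = DMZ   "TD"      (192.168.112.180/24)
#                 bgroup1     = Trust "kantoor" (192.168.111.100/24)
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 192.168.110.180/24
set interface bgroup0 zone DMZ
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup1 zone Trust
set interface bgroup1 ip 192.168.111.100/24

# Route mode on both inside interfaces: no interface-based NAT anywhere,
# so DMZ->Untrust and Trust->Untrust are both handled by policy NAT.
set interface bgroup0 route
set interface bgroup1 route

set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.110.100

# Outbound policies: "nat src" without a DIP translates the source to the
# egress interface IP (192.168.110.180). Without policy src-NAT, DMZ traffic
# left the box with its private source address and the modem could not reply.
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit

# Inter-zone policy so kantoor can reach TD; no NAT needed inside trust-vr.
set policy id 12 from "Trust" to "DMZ" "Any" "Any" "ANY" permit

# Port forward with a VIP (assumed web server 192.168.112.10 in TD):
# the VIP object already carries the dst-NAT, so the policy only permits.
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.112.10
set policy id 20 from "Untrust" to "DMZ" "Any" "VIP(ethernet0/0)" "HTTP" permit

# One-to-one mapping with a MIP (assumed host 192.168.112.20, assumed spare
# untrust-side address 192.168.110.181). A MIP is dst-NAT and src-NAT at once:
# connections from .20 leave as .181, taking precedence over policy 10's nat src.
set interface ethernet0/0 mip 192.168.110.181 host 192.168.112.20 netmask 255.255.255.255 vr trust-vr
set policy id 21 from "Untrust" to "DMZ" "Any" "MIP(192.168.110.181)" "ANY" permit
```

After applying this, `get session` on the SSG should show DMZ-originated sessions translated to 192.168.110.180 (or to 192.168.110.181 for the MIP host), which is the quickest way to confirm the policy src-NAT is actually in effect.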