ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 20
Registered: 10-18-2011

DMZ not routing?

Hello everyone,

I have a Juniper SSG20 and want to use it as a basic firewall. There are two zones called kantoor (office) and TD (technical room). The kantoor part works great, but the TD part does not. No one at the TD can get internet. Ping to 192.168.110.180 was fine, but our modem, which is on 192.168.110.100, did not respond. The routing tables look fine.

The TD group was Untrust before, but because of the errors I changed it to DMZ in the hope that it would work, which it did not. I added my config file and a simple network overview.

Can someone help me out?

---

Jonathan

Contributor
Posts: 17
Registered: 05-25-2011

Re: DMZ not routing?

Hi,

If you look at the configuration you sent, you will find that bgroup0 is in the DMZ zone and bgroup2 is in the Untrust zone, while you do not have any policy, which is necessary in order to allow traffic between these zones.

Regards

kkhalid

Contributor
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you for your reply, Khurram.

I totally forgot about changing the policy, but now that I have done that there is no change.

Am I forgetting something? I added the new config.

Regular Visitor
Posts: 9
Registered: 10-28-2010

Re: DMZ not routing?

Apparently there is nothing else in your configuration that could block traffic towards the internet except NAT mode on the local bgroup interfaces:
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup0 nat
set interface bgroup1 ip 192.168.111.100/24
set interface bgroup1 nat
I expect that you are taking care of this.

Regards,
khurram
Distinguished Expert
Posts: 858
Registered: 11-02-2009

Re: DMZ not routing?

Hi,

Interface-based NAT does not NAT the traffic going from the DMZ zone to the Untrust zone if both zones are mapped to the trust-vr. Interface-based NAT is absolutely inflexible. I never use it.

Change the interface mode to "route" and configure src-NAT in the policies. It takes a couple of minutes but saves a lot of time in the future.

As soon as you have assigned an IP to a new interface, check twice that it is running in route mode. This is good practice.

Kind regards,
Edouard
Contributor
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you, Edouard, for the reply!

After messing around I found out that the problem is probably NAT, just as you said. Changing it to NAT didn't work. I'm now going to look at this "src-NAT" you suggested, Edouard. I'll search for it, and if I get it to work I'll report back!

Regular Visitor
Posts: 9
Registered: 10-28-2010

Re: DMZ not routing?

Hi Edouard,

I agree, the best thing to do is src-NAT and put the interfaces in route mode. Could you please elaborate on any situation where we could benefit from putting interfaces in NAT mode?

This is just to elaborate or highlight the essence of NAT mode versus src-NAT/DIP (provided that the interface has a routable IP, as in the internet access scenario in this case specifically).

Regards,

Khurram

Distinguished Expert
Posts: 1,117
Registered: 01-10-2008

Re: DMZ not routing?

You're all right about the NATting. DMZ to Untrust in trust-vr will not NAT. The interface-based NAT rules are:

In a single (trust) VR: from the Trust zone to the Untrust zone.

In multiple VRs: any VR to the untrust VR.

Of course, for clarity it's a good idea to put the ingress interface in route mode when you change to policy NAT. But the order in which NAT takes place is:

MIP

VIP

policy

interface

So regardless of the interface mode, src-NAT will happen as you configure it in the policy: it has higher priority than interface NAT.

My advice, as others above: put all interfaces in route mode and configure source NAT in the policies!

Best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
Distinguished Expert
Posts: 858
Registered: 11-02-2009

Re: DMZ not routing?

Hi Screenie,

I fully agree with you. Though policy-based src-NAT overrides interface-based NAT, there is not a single reason to use the latter. Interface-based NAT is a legacy feature from the very early days of ScreenOS and not an alternative to MIPs/VIPs and policy-based NAT that might have an advantage.

Kind regards,
Edouard
Contributor
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

Thank you all for your replies.

This is really confusing for me, because I thought this was the only way I could forward ports. As a student I don't have much knowledge about this and get it from tutorials on the net and from people like you who are willing to help me. To NAT, I first make a VIP on the interface where the connection begins. In the VIP I define the ports and the IP address where the ports should go. After the VIP I go to the policies and make a policy with NAT Destination Translation > Translate IP: (address where the port needs to go). I made some screenshots of this, which are in this post.

I really have no idea what this src-NAT is and how to configure it. I have half of the network working and don't really want to cause more downtime than necessary. Is there some documentation where I can find this, or a bit of an explanation?

The only thing I want is two different zones called kantoor and TD that I can manage with the policies, but that get their internet from the Untrust interface.

Thank you for your help! Really.

Contributor
Posts: 20
Registered: 10-18-2011

Re: DMZ not routing?

I found the src-NAT within the policy. This uses a DIP instead of a VIP. Is this what I need?

Distinguished Expert
Posts: 858
Registered: 11-02-2009

Re: DMZ not routing?

Hi,

If you have defined a VIP, you do not need to activate dst-NAT in the policy where this VIP is used. The VIP is already an object that contains the dst-NAT in its definition. The MIP is also a dst-NAT object that maps an IP to another IP for all protocols. But a MIP is a src-NAT object at the same time. If the host configured in a MIP establishes a connection and this connection goes out through the interface which accommodates the MIP, the original host IP is replaced with its MIP.

The src-NAT uses either the egress interface IP or a DIP (the DIPs) configured on this interface. The only exception is the MIP described above. It has its own "public" address for the src-NAT. All your policies for access to the Internet should be configured with a src-NAT. In most cases the egress interface IP is used for this. If a source object in a Trust-to-Untrust policy has a MIP on the Untrust interface, the src-NAT configured in the policy is ignored for this object. The MIP is used instead, as it has precedence.

The hosts used in a VIP definition are src-NATted like any other host, namely by the src-NAT configured in the outbound policy.

Kind regards,
Edouard
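To make the NAT behaviour discussed in this thread concrete (Edouard's advice to put interfaces in route mode and use policy src-NAT, Screenie's interface-NAT rules and the MIP > VIP > policy > interface order, and the MIP/DIP explanation in the last reply), here is an added example written for this page; it is not code from the thread, from Jonathan's config or from Juniper. It is a small Python checker that parses ScreenOS-style `set` lines and reports, per policy, how a sample host's source address will be translated. The config text is constructed for the example: the interface IP and NAT-mode lines mirror those quoted above, while the zone bindings (bgroup0 in DMZ, bgroup1 in Trust, bgroup2 in Untrust), the policy ids and the MIP address 203.0.113.10 are assumptions. It assumes a single trust-vr deployment and does not model VIPs or multiple VRs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configs (ScreenOS-style `set` lines). The interface IP and
# NAT-mode lines mirror those quoted in the thread; zone bindings, policy ids
# and the MIP address are assumptions made for this example.
ORIGINAL_CONFIG = """
set interface bgroup0 zone DMZ
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup0 nat
set interface bgroup1 zone Trust
set interface bgroup1 ip 192.168.111.100/24
set interface bgroup1 nat
set interface bgroup2 zone Untrust
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "DMZ" to "Untrust" "Any" "Any" "ANY" permit
"""

FIXED_CONFIG = """
set interface bgroup0 zone DMZ
set interface bgroup0 ip 192.168.112.180/24
set interface bgroup0 route
set interface bgroup1 zone Trust
set interface bgroup1 ip 192.168.111.100/24
set interface bgroup1 route
set interface bgroup2 zone Untrust
set interface bgroup2 mip 203.0.113.10 host 192.168.112.10 netmask 255.255.255.255 vr trust-vr
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit
set policy id 2 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit
"""

POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" "[^"]+" "[^"]+" "[^"]+"(.*)$')
MIP_RE = re.compile(r'^set interface (\S+) mip (\S+) host (\S+)')


@dataclass
class Config:
    zone: dict = field(default_factory=dict)    # interface -> zone name
    mode: dict = field(default_factory=dict)    # interface -> "nat" | "route"
    mip: dict = field(default_factory=dict)     # (interface, host) -> MIP address
    policy: dict = field(default_factory=dict)  # id -> (from_zone, to_zone, policy_nat_src)


def parse(text: str) -> Config:
    """Pick out zone bindings, interface mode, MIPs and policies; ignore the rest."""
    cfg = Config()
    for line in (raw.strip() for raw in text.splitlines()):
        parts = line.split()
        if m := MIP_RE.match(line):
            cfg.mip[(m.group(1), m.group(3))] = m.group(2)
        elif len(parts) == 5 and parts[:2] == ["set", "interface"] and parts[3] == "zone":
            cfg.zone[parts[2]] = parts[4].strip('"')
        elif len(parts) == 4 and parts[:2] == ["set", "interface"] and parts[3] in ("nat", "route"):
            cfg.mode[parts[2]] = parts[3]
        elif m := POLICY_RE.match(line):
            cfg.policy[int(m.group(1))] = (m.group(2), m.group(3), "nat src" in m.group(4))
    return cfg


def source_nat(cfg: Config, policy_id: int, host: str, egress_if: str) -> str:
    """How `host`, matched by policy `policy_id` and leaving through `egress_if`,
    gets its source address translated. Precedence as stated in the thread:
    MIP on the egress interface, then policy src-NAT, then interface-based NAT.
    A single-VR (trust-vr) deployment is assumed."""
    from_zone, to_zone, policy_nat = cfg.policy[policy_id]
    if (egress_if, host) in cfg.mip:
        return "mip " + cfg.mip[(egress_if, host)]
    if policy_nat:
        return "policy-src-nat"
    # Interface-based NAT only fires for Trust -> Untrust in a single VR, and
    # only if an interface bound to the from-zone is in NAT mode.
    ingress_nat = any(cfg.mode.get(i) == "nat" for i, z in cfg.zone.items() if z == from_zone)
    if from_zone == "Trust" and to_zone == "Untrust" and ingress_nat:
        return "interface-nat"
    return "no-nat"


def report(cfg: Config, host_by_zone: dict, egress_if: str) -> dict:
    """Map each policy id to its NAT outcome for a sample host in its from-zone."""
    return {pid: source_nat(cfg, pid, host_by_zone[p[0]], egress_if)
            for pid, p in cfg.policy.items()}


if __name__ == "__main__":
    hosts = {"Trust": "192.168.111.50", "DMZ": "192.168.112.50"}
    for name, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, report(parse(text), hosts, "bgroup2"))
```

On the constructed original config the checker reports `interface-nat` for the Trust-to-Untrust policy but `no-nat` for the DMZ-to-Untrust one, which matches the thread's diagnosis: interface-based NAT never engages for DMZ traffic, so the DMZ hosts' packets leave untranslated. On the fixed config both policies return `policy-src-nat`, and the host behind the MIP is reported with its MIP address regardless of the policy's NAT setting, because the MIP has precedence.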