tc3

Fresh SSG-140 Setup

Hello All -

 

I went through the ICW to get my new SSG-140 up and running. However, I am stumped as to why I cannot get out to the internet. The syslog shows that the untrust port is reachable from the internet (tons of IP Spoofing alarms are being logged).

 

Wouldn't the default gateway (DFGWY) be the IP of the Trust port ethernet0/0?

 

I even created a policy of any/any from Trust to Untrust

I also have a policy that denies any/any from Untrust to Trust. However, even with that policy disabled, I still cannot get out to the internet.

 

It's been about 6 years since I have worked with a Netscreen Firewall.

 

- Rick

Hongfei

Re: Fresh SSG-140 Setup

If you mean that the host connected to the firewall cannot get out to the Internet: yes, the host should be configured with its next hop (default route) set to the IP address of the firewall interface it connects to.

Posting your tracert output would help clarify it.


Re: Fresh SSG-140 Setup

Check the IP address of your host so that it is in the same network as trust ethernet0/0. Then make sure the host has the trust ethernet0/0 address as its default gateway. Is the SSG-140 also the DHCP server for your host?

 

Another question is whether the trust zone has been changed from NAT to route mode (I assume you use an RFC 1918 network behind your firewall)?

 

 

//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
tc3

Re: Fresh SSG-140 Setup

Host PC: 192.168.1.10/24, default gateway 192.168.1.253.

No - The SSG-140 is not the DHCP server for our domain.

 

- RG

 

Here is my config file.

 

unset key protection enable
set clock timezone -8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen tcp-sweep
set zone "Untrust" screen udp-sweep
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.1.253/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 10.0.0.0/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip 67.237.xxx.xx/30
set interface ethernet0/2 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
set zone V1-Untrust manage ssl
set zone V1-Untrust manage web
set interface "ethernet0/2" mip 67.235.xx.xxx host 192.168.1.xx netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain domain.com
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 208.xx.xxx.xx src-interface ethernet0/2
set dns host dns2 207.xx.xxx.xx src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 name "Inet" from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit no-session-backup
set policy id 1
exit
set policy id 2 name "Deny All" from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


Re: Fresh SSG-140 Setup

Maybe I am missing it, but I found no default route in the trust-vr of your SSG-140. Your config has `unset add-default-route` under `set vrouter "trust-vr"` and no `set route 0.0.0.0/0 ...` entry, so the firewall itself has no path toward the Internet. That likely also explains the IP Spoofing alarms: `set zone "Untrust" screen ip-spoofing drop-no-rpf-route` is enabled, and without a default route no Internet source address has a reverse route, so that screen treats the traffic as spoofed.
//Patrik
JNCIS-M, JNCIS-ES
System Engineer
Juniper Networks
tc3

Re: Fresh SSG-140 Setup

Thanks - adding the default route got it working. The cobwebs are slowly being lifted.

 

- RG
