Screen OS


This is a legacy community with limited Juniper monitoring.

How I can make BGP configuration on SSG-140

  • 1.  How I can make BGP configuration on SSG-140

    Posted 12-28-2016 03:03

    Hi, I have a new primary ISP which offered us a /24 IP range via BGP. Could you please send me information to activate BGP for both ISP ports on my SSG140 firewall?

     

    Primary ISP- ethernet0/2

    backup ISP- ethernet0/3 

     

    Thank you in advance!



  • 2.  RE: How I can make BGP configuration on SSG-140

     
    Posted 12-28-2016 03:15

    Hello,

     

    You can make use of the below article.

     

    https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch17s02.html

     

    To prefer one ISP path over other, you can use local preference as mentioned below:

     

    https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch17s12.html

     

    Regards,

     

    Rushi



  • 3.  RE: How I can make BGP configuration on SSG-140

    Posted 01-05-2017 01:19

    Where do I need to add the below information which the ISP has sent me:

     

    1) Vlan 1111 - International Traffic
    Communication network: 145.148.140.120/29
    International Router1, ASN57344, 145.148.140.121/29 <> 145.148.140.126, DoT, ASN4578
    International Router2, ASN57344, 145.148.140.122/29 <> 145.148.140.126, DoT, ASN4578



    2) Vlan 1122 - UK Peering
    Communication network: 145.148.140.128/29
    UK Peering Router1, ASN57344, 185.148.140.129/29 <> 185.148.140.134/29, DoT, ASN4577
    UK Peering Router2, ASN57344, 185.148.140.130/29 <> 185.148.140.134/29, DoT, ASN4577
    Prefix 6300

    3) BGP Network: 72.142.56.0/24

     

     



  • 4.  RE: How I can make BGP configuration on SSG-140

    Posted 01-07-2017 08:31

    Example for the one peer.  Assign the 145.148.140.121 address to ethernet 0/2

     

    Add the BGP to the VR and set the neighbors

    set vr untrust-vr protocol bgp 57344
    set vr untrust-vr protocol bgp enable 
    set vrouter "untrust-vr" protocol bgp neighbor 145.148.140.126 remote-as 4578 local-ip 145.148.140.121/32 outgoing-interface ethernet0/2
    set vr untrust-vr protocol bgp neighbor 145.148.140.126 enable
    set interface e0/2 protocol bgp

    Export policy added for route advertisement as desired.  This assumes you create a static route for this subnet and forward this on your device.  If this is a direct route

     

    set vrouter "untrust-vr"
    set access-list 1
    set access-list 1 permit ip 72.142.56.0/24 1
    set route-map name "route-map" permit 1
    set match ip 1
    exit
    static route:
    set route 72.142.56.0/24 interface ethernet0/x gateway x.x.x.x
    set vrouter trust-vr protocol bgp redistribute route-map route-map protocol static
    direct route:
    set vrouter trust-vr protocol bgp redistribute route-map route-map protocol direct

    Documentation

    Chapter 35 on BGP

    http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_all.pdf
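
A pre-configuration check on the hand-off data from post 3, added here as an example (it is not part of the original thread or anyone's post): it confirms that both ends of each BGP session lie inside the stated communication network before any neighbor statements are entered. The function name and the line format it parses are assumptions built from the data as posted.

```python
import ipaddress
import re

# Hand-off lines copied as posted in post 3 of this thread.
HANDOFF = """\
Communication network: 145.148.140.120/29
International Router1, ASN57344, 145.148.140.121/29 <> 145.148.140.126, DoT, ASN4578
International Router2, ASN57344, 145.148.140.122/29 <> 145.148.140.126, DoT, ASN4578
Communication network: 145.148.140.128/29
UK Peering Router1, ASN57344, 185.148.140.129/29 <> 185.148.140.134/29, DoT, ASN4577
UK Peering Router2, ASN57344, 185.148.140.130/29 <> 185.148.140.134/29, DoT, ASN4577
"""

NET_RE = re.compile(r"Communication network:\s*(\S+)")
PEER_RE = re.compile(
    r"^(.*?), ASN(\d+), ([\d.]+)(?:/\d+)? <> ([\d.]+)(?:/\d+)?, .*?ASN(\d+)$"
)


def check_handoff(text):
    """Return (sessions, problems) for a hand-off sheet in the format above."""
    sessions, problems, link = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = NET_RE.match(line)
        if m:
            # strict=True rejects a "network" that has host bits set.
            link = ipaddress.ip_network(m.group(1), strict=True)
            continue
        m = PEER_RE.match(line)
        if not m:
            continue
        name, as_a, ip_a, ip_b, as_b = m.groups()
        ends = [ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)]
        # A directly connected eBGP session needs both ends on the link subnet.
        outside = [str(ip) for ip in ends if link is None or ip not in link]
        if outside:
            problems.append(f"{name}: {', '.join(outside)} not in {link}")
        elif ends[0] == ends[1] or as_a == as_b:
            problems.append(f"{name}: both ends share an address or AS number")
        else:
            sessions.append((name, int(as_a), ip_a, int(as_b), ip_b))
    return sessions, problems


if __name__ == "__main__":
    ok, bad = check_handoff(HANDOFF)
    for entry in ok:
        print("consistent:", entry)
    for entry in bad:
        print("check with ISP:", entry)
```

On the data as posted, the two Vlan 1122 sessions are flagged because their 185.148.140.x addresses fall outside 145.148.140.128/29, which is worth confirming with the ISP before those peers are configured.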

     

     



  • 5.  RE: How I can make BGP configuration on SSG-140

    Posted 07-04-2017 01:47

    Hi,

     

    Will it be a problem if we have configured Vrouter in vtrust not in untrust?

     

    With this configuration we have access to most webpages but no access to Internet services such as Skype, for example. Do we need to configure some kind of routing between the internal and external (BGP) network?



  • 6.  RE: How I can make BGP configuration on SSG-140

    Posted 07-04-2017 04:36

    Virtual routers maintain separate forwarding tables and are separate routers.

     

    So if you have the peer in vtrust and your main clients in vuntrust you will need to create a connection where the traffic can reach each other.

     

    This can be simply setting up a route with a next hop of the next vrouter, or you can treat the vrouters as separate and connect two ports on the firewall together, with one port in vtrust and the other port in vuntrust, and set up a routed link between the vrouters.

     

    But if there is no reason compelling you to have the peer in a separate router, you should just set up the peer in the same vrouter as your other networks.



  • 7.  RE: How I can make BGP configuration on SSG-140

    Posted 07-04-2017 05:39

    Hi,

     

    We have managed to establish a BGP connection but we are unable to access any Internet services like Skype, Viber and websites.

    We are able to ping the WAN port from an external network.

    Do you have any idea what can cause this issue?



  • 8.  RE: How I can make BGP configuration on SSG-140

    Posted 07-04-2017 15:34

    If the peer is in the Trust VR and your main site is in the untrust VR then I would expect that result.

     

    Simplest solution is to establish the interface and peer into the same VR as your main site.



  • 9.  RE: How I can make BGP configuration on SSG-140

    Posted 07-07-2017 10:00

    Hi,

     

    We were able to fix this issue but there is another problem which we do not know what is causing it.

     

    When we establish a site-to-site VPN with other sites via the new BGP provider, we are unable to access services hosted on the other site, for example to ping the other site's firewall device, but via the old provider we are able to access them.



  • 10.  RE: How I can make BGP configuration on SSG-140

    Posted 07-08-2017 04:58

    These are the steps to troubleshoot a VPN that comes up but does not pass traffic.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093



  • 11.  RE: How I can make BGP configuration on SSG-140

    Posted 07-17-2017 23:17

    Hi,

     

    All configurations seem to be OK but again we do not have access to remote side IPs. There is one specification in our system.

     

    The E0/6 port is connected to the ISP and it has an IP from another network. Via this IP the SSG device receives the real BGP network, and we had to assign an IP from the real BGP network on a loopback port. Is it possible that our issue is related to the use of the loopback port?



  • 12.  RE: How I can make BGP configuration on SSG-140

    Posted 07-19-2017 15:49

    From your thread I assume you have a site-to-site VPN that is not passing traffic.

     

    To assist, I would need you to follow the steps in this KB article, and then post the results of the step where the tests fail.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093



  • 13.  RE: How I can make BGP configuration on SSG-140

    Posted 07-23-2017 23:55

    Hi,

     

    I will try to collect the required information in the next two weeks.

     

    The VPNs are UP and they are route-based; destination routings on both sides are the same, and the most strange thing is that from the other side to us there is traffic, but from us to the other side there is no traffic 😞



  • 14.  RE: How I can make BGP configuration on SSG-140

    Posted 07-26-2017 02:56

    It would be best to run the testing then from the side that does not send traffic.



  • 15.  RE: How I can make BGP configuration on SSG-140
    Best Answer

    Posted 08-08-2017 06:46

    Hi Spuluka,

     

    We have managed to fix the problem with VPNs.

     

    Thank you!