ScreenOS Firewalls (NOT SRX)
chosroes (Contributor):

ISG1000 - How do I allow untrust to trust?

Hi All

My organisation has just bought an ISG 1000 and I have no experience with these.

I have configured it as per the examples on the disk.

Everything is fine from trust to untrust - policies working etc.

Can't get untrust to trust working - I just want to get it working on a test network.

I notice on the disk that apparently you don't need to use VIP if you have ScreenOS 6.0 or later.

But I tried it anyway and can't get access from untrust to trust.

Is there something basic I am missing?

I have the policies set for both sides.

I haven't had a course, so if there is something obvious I am not doing can someone point me in the right direction - and if I don't need VIP, what do I do to get it working?

Many thanks

Chosroes

WL (Trusted Expert):

Re: ISG1000 - How do I allow untrust to trust?

Hi

(1) Do you mean that you want to manage the ISG from the untrust interface?

Make sure that the untrust interface has SSH or whichever management options turned on.

e.g.: set int e0/0 manage ssh

Or do you want to:

Internet ---> VIP IPs ---FW (FW will translate these IPs to internal network IPs based on the VIP mapping)---> Internal IPs

You can try referring to this:

http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=4937&jump=true

Screenie (Distinguished Expert):

Re: ISG1000 - How do I allow untrust to trust?

I think the question was how to allow transit traffic from untrust to trust. If routed, just set up routing and allow it in the policy. If inbound NATting is needed:

Create a VIP on the untrust interface. It's kind of like port forwarding. Then create a policy from untrust to trust with VIP(public IP) as destination.

For bidirectional NATting (inbound and outbound) create a MIP on the untrust interface and specify the host IP in it.

Policy for outbound: just allow the traffic (Note: the MIP public address will be used to NAT the src to!!)

Policy inbound: (untrust to trust, MIP(public IP) as destination.)

Hope this helps, together with the outside management WL described very well. One thing to add on this: when you manage from the outside it's wise to use permitted IPs, a list of hosts/networks allowed to manage. Don't forget to include your inside address in this list :-).

best regards,

Screenie.
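The three cases Screenie lists (routed, VIP, MIP) plus WL's management note, written out as one ScreenOS CLI configuration. This is an added example, not a config posted in the thread and not Juniper's own example from the disk. Interface names, zones, all IP addresses and the service choices are assumptions picked for illustration (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses); the lines starting with # are annotations and are not accepted by the ScreenOS CLI, so strip them before pasting.

```screenos
# Assumed layout (example only):
#   ethernet1/1 = Trust zone, 10.1.1.1/24 (inside)
#   ethernet1/2 = Untrust zone, 203.0.113.2/24 (outside)
#   203.0.113.254 = upstream gateway
#   10.1.1.10 = inside web server (VIP target)
#   10.1.1.5  = inside host that needs 1:1 NAT (MIP target)
#   198.51.100.7 = admin workstation on the Internet

# --- Interfaces and routing: no policy passes transit traffic until the
#     untrust side has a route out and the trust side has an address.
set interface ethernet1/1 zone trust
set interface ethernet1/1 ip 10.1.1.1/24
set interface ethernet1/1 nat
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 203.0.113.2/24
set interface ethernet1/2 route
set route 0.0.0.0/0 interface ethernet1/2 gateway 203.0.113.254

# --- Case 1: purely routed, no NAT (what "you don't need VIP" means).
#     Only works if the untrust side can actually route to 10.1.1.0/24,
#     e.g. a lab router with a static route back to 203.0.113.2.
set policy from untrust to trust any any PING permit

# --- Case 2: VIP = inbound port forwarding. Public 203.0.113.10:80 -> 10.1.1.10:80.
#     The policy destination is the VIP, not the inside address.
set interface ethernet1/2 vip 203.0.113.10 80 HTTP 10.1.1.10
set policy from untrust to trust any vip(203.0.113.10) HTTP permit

# --- Case 3: MIP = 1:1 bidirectional NAT between 203.0.113.5 and 10.1.1.5.
set interface ethernet1/2 mip 203.0.113.5 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr
# Inbound: the MIP public address is the destination in the policy.
set policy from untrust to trust any mip(203.0.113.5) any permit
# Outbound: a plain permit; 10.1.1.5 leaves with source 203.0.113.5 because of the MIP.
set policy from trust to untrust any any any permit

# --- Management from the outside, locked to permitted IPs.
set interface ethernet1/2 manage ssh
set admin manager-ip 198.51.100.7 255.255.255.255
# As soon as one manager-ip exists, everyone else is refused, so add the
# inside network too or you lock out the workstation you are configuring from.
set admin manager-ip 10.1.1.0 255.255.255.0
save

# --- Checks
get vip
get mip
get policy
get route
get session src-ip 198.51.100.7
```

Pick one of the three cases per inside host rather than stacking them: a host behind a MIP does not also need a VIP, and in the routed case the "policies set for both sides" will still drop everything if the upstream device has no return route to the inside subnet, which is the usual reason untrust to trust looks broken on a lab box.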
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.