ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
chosroes
Contributor
chosroes
Posts: 15
Registered: ‎02-17-2009
0

ISG1000 - How do i allow untrust to trust ?

Options

‎03-16-2009 10:17 AM

Hi All

 

My organisation had just bought an ISG 1000 and i have no experience on these.

I have configured it up as per the examples on the disk

Everything fine from trust to untrust - policies working etc.

Cant get the untrust to trust working - i just want to get it working on a test network.

I notice on the disk that apparently you dont need to use VIP .if you have screenos 6.0

or later.

But i tried it anyway and cant get access from untrust

to trust.

Is there something basic i am missing.

I have the policies set for both sides.

I havent had a course so if there is something obvious i am not doing can someone

point me in the right direction - and if i dont need vip what do i do to get it working

 

Many thanks

 

Chosroes

Message 1 of 3 (2,945 Views)
 
Reply
Trusted Expert Trusted Expert
Trusted Expert
WL
Posts: 777
Registered: ‎07-26-2008
0

Re: ISG1000 - How do i allow untrust to trust ?

Options

‎03-16-2009 11:04 AM

Hi

 

(1) Do you mean that you want to manage the ISG from the untrust interface?

Make sure that the untrust interface has the SSH or whichever manage options turned on.

EG: set int e0/0 manage ssh

 

Or do you want to:

 

Internet ---> VIP IPs ---FW (FW will translate these IPs to internal network IPs based on the VIP mapping)---> Internal IPs

 

You can try ref to this:

 http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=4937&jump=true

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Message 2 of 3 (2,941 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 944
Registered: ‎01-10-2008
0

Re: ISG1000 - How do i allow untrust to trust ?

Options

‎03-17-2009 02:44 AM

I think the question was how to allow transit traffic from untrust to trust. If routed just set up routing and allow in the policy. If inbound natting is needed:

 

Create a VIP on untrust interface. It's kind like portforwarding. Then create a policu from untrust to trust with VIP(publicIP) as destination

 

For bidirectionall natting (inbound and outbound) creat a MIP on untrust interface and specify host IP in it.

 

Policy for outbound: just allow the traffic (Note the MIP public address will be used to NAT src to !!)

Policy inbound: (untrust to trust, MIP(opublicip) as destination.

 

Hope this helps, together with the outside management WL describe very well. One thing to add on this: When you manage from the outside it's wise to use permitted IP's, a list of host/networks allowed to manage. Don't forget to include your inside addres to this list (:-.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 3 of 3 (2,918 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.