ScreenOS Firewalls (NOT SRX)
Visitor
BenjaminProg
Posts: 4
Registered: 10-23-2008

In line setup

 

First of all, I should start by saying that I have little to no experience with Juniper firewalls, or any other firewall for that matter.

I was given the task of setting up a Juniper NS-5GT at a co-worker's home; he will be working from home and will require VoIP.

Currently the setup is supposed to go Verizon DSL --> NS-5GT --> workstation, but I have never been able to establish an internet connection, and that's all I need. If someone can help me set up and establish an internet connection, I would be forever grateful.

Thanks 

 

Trusted Expert
Kashif-rana
Posts: 417
Registered: 01-29-2008

Re: In line setup

Hi,

 

Kindly explain your topology or scenario in more detail.

 

Thanks

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
Contributor
cmcdaniel
Posts: 47
Registered: 10-24-2008

Re: In line setup

Ben -

 

First of all we need to know what type of DSL connection you have (bridged, PPPoE, PPPoA)?  This will dictate the type of configuration needed.  If I'm not mistaken, the NS-5GT or SSG-5 units come out of the box with E0/0 as the untrusted (outside) interface and E0/2-0/6 in the trusted (inside) bridge group 0.  This means that any port from 2-6 can be used for workstations.  So in theory, you should connect the DSL modem to E0/0 and the workstation to E0/2.  The default IP address for the NS/SSG should be 192.168.1.1 (perhaps 0.1), and it should answer via HTTP.  If this unit has never been configured, a "wizard" screen will be presented to you.  Follow the prompts and you should be on the Web.  Now as for the VoIP and VPN configuration, we need to know more information.

Chris McDaniel
JNCIA FW/VPN
Visitor
BenjaminProg
Posts: 4
Registered: 10-23-2008

Re: In line setup

Well, this is the setup. All I need is for the trusted side to let me on the web; that way I can just configure the phone on my end. I have walked through the wizard and reset it a couple of times, but I am still unable to gain access to the web. If you can give me step-by-step instructions, it would be greatly appreciated, keeping in mind that the IP on the DSL will be dynamic, since it is a home environment; no ISP provides a static IP unless it is a business account.

 

 

Thank you so much in advance for the help.

 

Contributor
cmcdaniel
Posts: 47
Registered: 10-24-2008

Re: In line setup

Thanks for the diagram, it's helpful. The setup physically looks OK.

 

For ease, can you paste a copy of your config? Log into the unit via telnet or console access and issue the command "get config".

Chris McDaniel
JNCIA FW/VPN
Visitor
BenjaminProg
Posts: 4
Registered: 10-23-2008

Re: In line setup

ns5gt-> get config
Total Config size 2905:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst

This is what I have so far. I did all these settings over the phone with a Juniper support person, and I explained to him that the IP would be changing, thus I would need the connection to remain active even after the IP changes from the ISP, but his answer was that I would lose the connection when the IP is changed. Not good. Is it possible to allow any IP to be received on the untrusted side so the connection to the web is never lost?

Contributor
cmcdaniel
Posts: 47
Registered: 10-24-2008

Re: In line setup

Most of the config is missing; I can't see the interface settings and such. The JTAC person was correct: when the IP address from the ISP is changed, the persistent connection to the web is broken. It's just the nature of the beast. In an enterprise setting this can be stopped, but in your case it is unavoidable.

 

Side bar: are you connecting to an enterprise VoIP system (Cisco or Nortel at a HQ site) or to an internet based system?

 

I need the entire config to see what potentially is going on. Also, if the config was set up with JTAC it is probably correct; however, I would question the connection to the ISP (Verizon). Please post the entire config.

 

Thanks

Chris McDaniel
JNCIA FW/VPN
Visitor
BenjaminProg
Posts: 4
Registered: 10-23-2008

Re: In line setup

 

That was the entire config, unless there is another command that I should be running to pull that information.

As for the VoIP, it will be a Lucent corporate account. I guess I will have no choice but to request that my bosses set up a business account for this employee.

 

Contributor
cmcdaniel
Posts: 47
Registered: 10-24-2008

Re: In line setup

That seems strange, but oh well. Let's start with this:

 

Since this sounds like residential DSL service, do you know if it is PPPoE or PPPoA? 

 

Log into the 5GT via the web.

Select Network > Interfaces > List and examine the list: E0/0 should be in the Untrust zone and have an IP address assigned; what is it? Examine E0/1 or Bgroup0; either of these should be in the Trust zone and also have an IP address assigned to it; what is it?

Edit E0/0 and verify the routing button is selected

Edit Bgroup 0 and verify the NAT button is selected

Select Network > Routing > Destination: do you have a destination 0.0.0.0?

Select = Policy > Policies :  Do you see a policy from Trust to Untrust Any Any Any Permit (It might be ID1 source:any destination:any service:any action:green circle enable:checkmark)?

 

I'm just trying to get a feel for how far this unit is configured.

Chris McDaniel
JNCIA FW/VPN
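A minimal ScreenOS configuration that implements the checks in this reply (untrust interface in route mode, trust side in NAT mode, a 0.0.0.0 default route, and a Trust-to-Untrust Any/Any/Any permit policy) and covers the bridged-versus-PPPoE question from the first reply, as an added example that is not part of this thread or of Juniper's own documentation. It assumes an NS-5GT in the default Trust-Untrust port mode, where the interfaces are named trust and untrust (on an SSG-5 they would be ethernet0/0 and bgroup0); the admin account name, password, PPPoE credentials, DNS server and address ranges are placeholders. The syntax is ScreenOS 5.x/6.x CLI written from memory, and the lines beginning with "#" are annotations rather than commands, so strip them and compare each command against `get config` on the actual unit before relying on it.

```screenos
# Added example: minimal NS-5GT home-office config, not from the thread.
# Interface names assume NS-5GT port mode (trust/untrust); SSG-5 uses ethernet0/0 and bgroup0.

# 1. Replace the factory "netscreen" admin (still present in the posted dump) and
#    restrict management to the LAN. The password is a placeholder.
set admin name "fwadmin"
set admin password "ChangeMe-Long-Passphrase"
set admin manager-ip 192.168.1.0 255.255.255.0

# 2. Inside (Trust): fixed LAN address, NAT mode, DHCP for the workstation and phone.
set interface trust zone Trust
set interface trust ip 192.168.1.1/24
set interface trust nat
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option dns1 192.168.1.1

# 3a. Outside (Untrust) when the DSL modem is bridged and the ISP hands out a
#     dynamic address: route mode plus the DHCP client; the default route follows the lease.
set interface untrust zone Untrust
set interface untrust route
set interface untrust ip dhcp client enable
set interface untrust dhcp client settings update-dhcpserver

# 3b. Outside (Untrust) when the DSL service is PPPoE instead. Use 3a OR 3b, not both;
#     the username and password are placeholders.
# set pppoe name "verizon"
# set pppoe name "verizon" username "user@verizon.net" password "PPPoE-password"
# set pppoe name "verizon" interface untrust
# set pppoe name "verizon" idle 0
# set pppoe name "verizon" auto-connect 30
# set pppoe name "verizon" update-dhcpserver

# 4. Do not expose management on the WAN side; ping is enough for troubleshooting.
set interface untrust manage ping
unset interface untrust manage web
unset interface untrust manage ssl
unset interface untrust manage telnet
unset interface untrust manage ssh
unset interface untrust manage snmp

# 5. Outbound policy: everything from Trust to Untrust, source-NATed behind the untrust address.
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
save

# Verification after saving:
#   get interface    -> untrust shows the leased or PPPoE address, trust shows 192.168.1.1
#   get route        -> a 0.0.0.0/0 entry through untrust
#   get policy       -> policy 1 Trust->Untrust Any Any ANY Permit
#   get dhcp client  -> lease state on untrust (bridged case)
#   get pppoe        -> session state (PPPoE case)
```

With the DHCP client or PPPoE on untrust, a change of ISP address drops the sessions that were established through the old address, but the firewall re-acquires an address and default route on its own, so outbound web access comes back without reconfiguration; what a dynamic address cannot give you is a stable endpoint for anything that must reach the phone from outside, which is where a static address or a VPN to the corporate site comes in. Note also that the `get config` dump posted above contains the factory admin name and its password hash: redact that line before posting a config publicly, and change the credential on the unit.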
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.