Screen OS

  • 1.  Internet does not work from DMZ client

    Posted 10-29-2009 11:05

    Hi, I have an SSG5 firewall. My ethernet0/0 is the ISP static IP 173.209.128.222 and ethernet0/1 is the DMZ, 10.16.28.5,

    and my bgroup0 internal IP is 172.16.28.5.

    My internet is working from Trust to Untrust, but it does not work from DMZ to Untrust.

    [See attachment for config]

    Please help with this.

     

    Attachment(s):
    jnet_config.txt (4 KB)


  • 2.  RE: Internet does not work from DMZ client
    Best Answer

    Posted 10-29-2009 14:31

    Hi,

    Change policy id 2 to:

    set policy id 2 name "DMZ Out" from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src permit

    If it still does not work, collect the following data:

    Ping from the DMZ PC to 4.2.2.2

    1) set ff src-ip <PC-ip address> dst-ip 4.2.2.2
    2) set ff src-ip 4.2.2.2 dst-ip <PC-ip address>
    3) debug flow basic
    4) cl db

    Ping from the DMZ PC to 4.2.2.2

    5) get db s

    Thanks

    Atif



  • 3.  RE: Internet does not work from DMZ client

    Posted 11-04-2009 01:57

    Hi Ladraj,

    I always enable logging per policy and check the log for the right NAT in/out.

    That way you can see immediately how traffic is forwarded and NAT-ed.

    Maybe the client does not have the correct gateway (the SSG interface), or the DNS server is not available.

    So policy-based logging in ScreenOS can often help you with troubleshooting.

    Oliver
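    The two replies above point at the same two things to check in a ScreenOS config dump: an outbound policy from a route-mode zone that has no "nat src" (Atif's fix for policy id 2), and policies with no "log" option (Oliver's troubleshooting advice). The script below is an added example, not code from the thread or from Juniper; it parses "get config" style "set interface" and "set policy" lines and flags both problems. The sample config embedded in it is constructed to resemble the poster's description (ethernet0/0 in Untrust, ethernet0/1 in DMZ, bgroup0 in Trust); the prefix lengths, interface modes and policy contents are assumptions, not the attached jnet_config.txt. It also assumes the ScreenOS default that a Trust-zone interface is in NAT mode and every other interface is in route mode when no explicit mode line is present.

```python
"""Audit a ScreenOS 'get config' dump for outbound policies that would send
private source addresses to the Internet untranslated, or that carry no log option.
Added example; not from the forum thread or from Juniper."""
import ipaddress
import re

# Constructed sample in 'get config' syntax, modelled on the poster's description.
# Prefix lengths, interface modes and policy ids are assumptions, not the real attachment.
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 173.209.128.222/29
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.16.28.5/24
set interface ethernet0/1 route
set interface bgroup0 ip 172.16.28.5/24
set interface bgroup0 nat
set policy id 1 name "Trust Out" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 name "DMZ Out" from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 3 name "DMZ In" from "Untrust" to "DMZ"  "Any" "MIP(173.209.128.221)" "HTTP" permit log
"""

IF_ZONE_RE = re.compile(r'^set interface "?([^" ]+)"? zone "([^"]+)"$')
IF_IP_RE = re.compile(r'^set interface "?([^" ]+)"? ip (\S+)$')
IF_MODE_RE = re.compile(r'^set interface "?([^" ]+)"? (nat|route)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "([^"]*)")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (.+)$')


def parse_config(text):
    """Return (interfaces, policies) collected from 'set interface' and 'set policy' lines."""
    ifaces = {}
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := IF_ZONE_RE.match(line):
            ifaces.setdefault(m[1], {})['zone'] = m[2]
        elif m := IF_IP_RE.match(line):
            ifaces.setdefault(m[1], {})['ip'] = m[2]
        elif m := IF_MODE_RE.match(line):
            ifaces.setdefault(m[1], {})['mode'] = m[2]
        elif m := POLICY_RE.match(line):
            policies.append({
                'id': int(m[1]), 'name': m[2] or '', 'src': m[3], 'dst': m[4],
                'saddr': m[5], 'daddr': m[6], 'svc': m[7],
                'opts': m[8].split(),  # e.g. ['nat', 'src', 'permit', 'log']
            })
    # Assumed ScreenOS default: Trust-zone interfaces are in NAT mode, all others in route mode.
    for i in ifaces.values():
        i.setdefault('mode', 'nat' if i.get('zone') == 'Trust' else 'route')
    return ifaces, policies


def audit(text, untrust_zone='Untrust'):
    """Return (policy id, problem) tuples for permit policies whose destination is the Untrust zone."""
    ifaces, policies = parse_config(text)
    findings = []
    for p in policies:
        if p['dst'] != untrust_zone or 'permit' not in p['opts']:
            continue
        src_ifaces = [i for i in ifaces.values() if i.get('zone') == p['src']]
        # An ingress interface in NAT mode already translates traffic bound for Untrust;
        # a route-mode interface forwards the private source address unless the policy NATs it.
        private = any(ipaddress.ip_interface(i['ip']).ip.is_private
                      for i in src_ifaces if 'ip' in i)
        iface_nat = bool(src_ifaces) and all(i['mode'] == 'nat' for i in src_ifaces)
        policy_nat = any(a == 'nat' and b == 'src'
                         for a, b in zip(p['opts'], p['opts'][1:]))
        if private and not iface_nat and not policy_nat:
            findings.append((p['id'], 'private source reaches Untrust untranslated (add "nat src")'))
        if 'log' not in p['opts']:
            findings.append((p['id'], 'no per-policy logging (append "log")'))
    return findings


if __name__ == '__main__':
    for pid, msg in audit(SAMPLE_CONFIG):
        print(f'policy {pid}: {msg}')
```

    Run against the sample, it reports policy id 2 twice (no "nat src", no "log") and nothing for policy id 1, because bgroup0 is in NAT mode and the policy already logs; adding "nat src" and "log" to policy id 2, as the two replies suggest, clears both findings. Feed it the output of "get config" from the SSG to check a real box.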