ScreenOS Firewalls (NOT SRX)
Visitor
Posts: 8
Registered: ‎12-03-2010

Juniper SSG5 - ICW Help

Hi Juniper Forum

 

I'm wondering if I could get some help with my Juniper SSG-5 firewall, just to get it simply online with basic firewall on.

To be honest I'm completely new to firewalls, so I hope it's OK to post in here.

 

First up I'll tell you my equipment:

I have a Billion ADSL modem (I can run this in router or bridged mode, not sure which mode to choose).

IP: 192.168.1.254

Subnet: 255.255.255.0

(DHCP is currently on)

Internet provider: giving me dynamic address.

 

Next I have a Juniper SSG-5 firewall which is running on its default settings so far.

IP: 192.168.1.1

Subnet: 255.255.255.0

(DHCP is currently on)

 

I have 3 PCs I want to put behind the firewall.

Currently they are on IP range: 192.168.0.1 (which I can change if you guys suggest)

Subnet: 255.255.255.0

 

So I have read the Juniper setup guide and manual but I'm really getting lost even running the ICW wizard.

 

In the Wizard I am up to the section where I need to configure the interfaces:

I have three zones to fill out: eth0/0(untrust zone), eth0/1(dmz zone), bgroup0(trust zone).

 

This is my understanding so far of the three zones

eth0/0(untrust zone): I figure this is the port I plug the modem into

 

eth0/1(dmz zone): I am not 100% up to date on DMZ, but as far as I understand it's used to separate a network from all other networks? So you'd put a public web server on it?

 

bgroup0(trust zone): I figure this is for the PCs on the network.

 

Where I'm lost is what do I set for these three zones.
Do I use Dynamic IP by DHCP or Static IP?

If I use Static IP what IP and Subnet should I use?

 

Anyway I hope my explanation is not too hard to understand. I hope someone might be able to give me some quick pointers in the right direction.


Regards

JimmyJames

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help


Welcome to the SSG.  Answers to your questions:

***I have a Billion ADSL modem (I can run this in router or bridged mode, not sure which mode to choose)
Definitely use bridged mode with no IP at all on the modem.  If at all possible use a bridge-mode only device.  Bridge mode puts nothing between your primary firewall external interface and the internet.  Any other action on these modems essentially puts your firewall behind another firewall, which just complicates matters.


***I have 3x PC's I want to put behind the firewall
***Currently they are on IP range: 192.168.0.1 (which I can change if you guys suggest)
Personally I avoid using 192.168.0.0/24 and 192.168.1.1/24 just because they are the default addressing on so many devices.  But this is mainly because I have to set up connections to remote networks and thus frequently connect to these segments remotely and don't want to deal with NAT issues.


***Zone list
Your definitions are all correct.


***Do I use Dynamic IP by DHCP or Static IP?
***If I use Static IP what IP and Subnet should I use?


eth0/0 untrust will be dynamic and configured for your DSL parameters.
eth0/1 DMZ should be assigned your DMZ IP range, static.
bgroup0 trust should be assigned your PC IP range, static.
bgroup0 should also have a DHCP server configured to give your computers IP addresses automatically.  Typically servers in the DMZ will get static addresses.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL JNCDA
JNCIS-SP
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hi spuluka

Thank you for your great explanation. I think I am getting somewhere!

Here's where I've been able to get up to.

I have reset the firewall to defaults again and run the "Initial Configuration Wizard".
Here are the settings I used:

**ADSL Modem Configuration
- IP set to: 192.168.0.1
- Subnet set to: 255.255.255.0
- DHCP on
- Modem mode: RFC2684 Bridging mode (hopefully that bridge mode is OK to use in this setup)

eth0/0(untrust zone)
- Plugged in ADSL modem into this port.
- Set ip to: DHCP with PPPOE Profile
**Juniper PPPOE Profile Config
- Set with my internet provider settings
- When I click connect it says connected. I figure that's enough to tell me the PPPOE settings are correct?

eth0/1(dmz zone)
- Set to ip: 10.1.3.1
- Subnet set to: 255.255.255.0
- DHCP off
- Currently don't have anything plugged into this port
 
bgroup0(trust zone)
- IP set to: 10.1.2.1
- Subnet set to: 255.255.255.0
- Set DHCP range to 10.1.2.100/150
- Have 1x laptop plugged into eth0/2 port on the firewall which should be part of bgroup0


From your guide I figure that should get me online.
However, I can't ping any internet websites (e.g. google) and my network icon says "no internet access".

Do you think there any other settings I need to modify before the internet will work?

Regards
JimmyJames

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

Most likely your modem is not fully bridged.  In the vast majority of these combination DSL/firewalls, when you do successfully bridge the modem you will have NO IP information or services in the device at all.  And you will configure your DSL authentication (PPPoE or whatever your carrier uses) on the firewall untrust interface.  Some devices do allow the authentication in the modem while in bridge mode.

 

When your SSG connects it should be getting an internet routable ip address when it is done on the untrust interface.

 

In short you turn the fancy firewall off and disable everything on the modem so it is nothing but a bridge.

 

The procedure differs by make/model.  I have Netopia devices that had 15 steps to get into full bridge, and others that were only 3-5 steps.

 

I would google your exact model along with the words "bridge mode instructions".  If this doesn't turn up the procedure then your best bet is to call your service provider.  They do get this question all the time and will walk you through how to get it configured for the model they gave you.

Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey spuluka

 

I'll download the manual for the modem and see if it has a guide to change it to full bridge mode. If that doesn't work I'll try another brand modem.


Just to be sure, there aren't any routes or NAT routes I need to set between the untrust and the trust group to allow internet? Or will that be done automatically by the Juniper firewall?

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

Yes, by default there is a configuration that has internet access from trust to untrust on the SSG.  The untrust interface is in NAT mode and there is a rule from trust to untrust to allow all.  This interface-based NAT is the method that most small firewalls use for internet access.

 

But the preferred method for full control of all NAT rules would be to convert that default setup over to use policy-based NAT rules.  In this method you change the untrust setting to be route mode instead of NAT.  You then modify the trust to untrust rule to have source NAT in the policy.  This is on the advanced page, just selecting source NAT and the interface.  When you do this the policy icon in the web interface will change from green to blue.

 

As a practical matter either will work fine.

 

With DHCP on the untrust interface, routing is handled by an automatic installation of a default route during the DHCP process.  So you don't need any changes there either.

Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey spuluka, I've had success!

 

I had to reset the modem to defaults and re-apply the bridge mode. Now it's letting me online in simple NAT mode.

 

The next step is I would like to set up policy-based NAT rules.

Is this something that is easy to do? Where should I start with this kind of configuration?

 

Kind Regards

JimmyJames

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

You convert from interface NAT to policy NAT by making two changes.

 

1-untrust interface changes from NAT to route mode.

 

Network-Interfaces-List

Hit edit by ethernet0/0

Move the radio button from NAT to route.

 

2-Add source NAT to your internet access policy.

 

Policy-Policies

Edit on the trust to untrust policy

Hit advanced

Add the "source translation" button with the default egress interface option.

Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey Spuluka

 

Thanks for helping me start configuring the policy NAT features.

 

I have checked the section for network-list-eth0/0-edit and there doesn't seem to be the option to "move the radio button from NAT to route".

 

I have a similar issue with Policy-Policies. After I hit edit, I don't have an advanced option to choose.

 

Would this be because I am configuring the Juniper through the web interface in my browser? Or maybe I'm missing something hehe!

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

Those are the descriptions for version 6 software; are you running version 5 maybe?

Here are the command line versions to make the same changes.

1-change untrust eth0/0 to route mode

set interface eth0/0 route
save

2-add policy source NAT to the trust to untrust policy

get policy

Look for the ID number on the trust to untrust any/any/any policy.

Then use that policy number to set the source NAT:

set policy id 1 from Trust to Untrust Any Any ANY nat src permit
save

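The two CLI steps above depend on reading the right policy ID out of `get policy`. As an added example (not part of the thread and not Juniper's own tooling), this script parses a constructed `get policy` listing, locates the Trust-to-Untrust Any/Any/ANY permit policy, and emits the conversion commands in the form used above; the sample listing only approximates the real ScreenOS column layout, so adjust the regex if your device prints it differently.

```python
import re

# Constructed sample of `get policy` output. The column layout is an
# approximation of a ScreenOS listing, not a capture from a real SSG.
SAMPLE_GET_POLICY = """\
Total regular policies 2, Default deny.
    ID From     To       Src-address  Dst-address  Service  Action State   ASTLCB
     2 Untrust  Trust    Any          Any          ANY      Deny   enabled ---X-X
     1 Trust    Untrust  Any          Any          ANY      Permit enabled ---X-X
"""

# One policy row: numeric ID followed by the zone, address, service,
# action and state columns. The header row starts with "ID", so it is skipped.
POLICY_ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<svc>\S+)\s+(?P<action>\S+)\s+(?P<state>\S+)"
)


def parse_policies(text):
    """Return one dict per policy row found in a `get policy` listing."""
    return [m.groupdict() for m in map(POLICY_ROW.match, text.splitlines()) if m]


def find_internet_policy(text, src_zone="Trust", dst_zone="Untrust"):
    """ID of the any/any/any permit policy from src_zone to dst_zone, or None."""
    for p in parse_policies(text):
        if ((p["src_zone"], p["dst_zone"]) == (src_zone, dst_zone)
                and p["src"].lower() == "any"
                and p["dst"].lower() == "any"
                and p["svc"].lower() == "any"
                and p["action"].lower() == "permit"):
            return int(p["id"])
    return None


def policy_nat_commands(text):
    """Commands to move from interface NAT to policy NAT, as in the thread."""
    pid = find_internet_policy(text)
    if pid is None:
        raise LookupError("no Trust->Untrust Any/Any/ANY permit policy found")
    return [
        "set interface eth0/0 route",
        f"set policy id {pid} from Trust to Untrust Any Any ANY nat src permit",
        "save",
    ]


if __name__ == "__main__":
    print("\n".join(policy_nat_commands(SAMPLE_GET_POLICY)))
```

Paste the real `get policy` output into SAMPLE_GET_POLICY (or read it from a file) and check the emitted commands before applying them; a deny policy or a policy that is not any/any/any is deliberately never selected.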
Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey Spuluka

 

I'm not so good with command line, so I might see if I can download and install version 6 software and then get back to you if I get stuck.

Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey Spuluka

 

I've updated to version 6.3 software, which I believe is the latest, but I still don't get those options to change the NAT route and policy. Quite strange!

 

So this means I might have to do it by command line!
To run those commands, do I need to connect the Juniper by console to the serial port of my PC?

 

 

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

The CLI is available from the console or by logging in with SSH or telnet to the trust interface set up for management, using the same user/password as the web site.

 

I've attached screen shots of the areas in the web interface.  The NAT/route selection is a section nearer the top of the interface page, while the policy advanced button is on the very bottom of the policy edit page.

Visitor
Posts: 8
Registered: ‎12-03-2010

Re: Juniper SSG5 - ICW Help

Hey spuluka

 

I'll try the CLI config tonight.

I had a look at those images and I definitely don't have those as an option.


Here are screenshots of my web config interface for those sections. The first image includes the firmware revision 6.3.

- webconfig - main page
- interface list
- edit properties for eth0/0

 

Let me know if you can't view those images.

 

Regards

JimmyJames

Distinguished Expert
Posts: 3,800
Registered: ‎03-30-2009

Re: Juniper SSG5 - ICW Help

Well, I can see the images just fine and am confused.  It is clearly missing the one section.  I only have 6.3 deployed in a test location, as 6.2 is still the JTAC recommendation.  But I have this section on that device.

 

Hopefully the CLI works for you.

Distinguished Expert
Posts: 858
Registered: ‎11-02-2009

Re: Juniper SSG5 - ICW Help

Hi Jimmy

 

You should configure an interface IP first and apply this change. After that you will be able to change the interface mode (route/NAT).  The ScreenOS UI is very intelligent and flexible. All user inputs are analyzed, the changes that make no sense are blocked, and many input fields do not appear if certain settings are not configured yet.

Kind regards,
Edouard