ScreenOS Firewalls (NOT SRX)
Visitor
DustinBoyle
Posts: 7
Registered: ‎12-29-2008
0

Multiple VIPs on a NS5GT?

Good morning folks, hope everyone had a great holiday weekend. =)

This would be my first post in these forums.

I'm trying to set up an SSH service for a second server in our office using the VIP service. I already have a VIP set up for our main server and I can't see how to add another in the Untrust interface.

I tried using a MIP to the second server using the SSH protocol and it works; however, the MIP is letting all traffic pass and not just SSH, as I can easily telnet into the server, making it a far less secure solution. Is there a way to use multiple public IP addresses with the VIP service, or at least a better way to secure the MIP from letting everything through?

Many thanks in advance for any help.

-Dustin

Distinguished Expert
firewall72
Posts: 806
Registered: ‎05-04-2008
0

Re: Multiple VIPs on a NS5GT?

Hi,

If you want to use a VIP, you need to make sure the services defined are unique. The same IP can be used with unique internal services permitted. I would either modify the existing VIP and add SSH to the internal server, or use a MIP with a policy that permits only SSH.

-John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Visitor
DustinBoyle
Posts: 7
Registered: ‎12-29-2008
0

Re: Multiple VIPs on a NS5GT?

[ Edited ]
I did try to set up a unique service and map it through the VIP but I couldn't get the SSH to go through then. (Our company uses a UNIX server that gets reconciled by a company in Hawai'i and they require SSH for secure transactions.) When I set up the custom service on the VIP they couldn't dial in. They could dial in when it's set up as a MIP. I did set up a MIP policy for only SSH but everything comes through: I can ping and hit every port. Which seems highly odd to me.
Message Edited by DustinBoyle on 12-29-2008 08:20 AM
Distinguished Expert
firewall72
Posts: 806
Registered: ‎05-04-2008
0

Re: Multiple VIPs on a NS5GT?

Hi,

Yes, that is odd. Do you have SSH enabled on the Untrust interface? If so, this may be preventing the VIP from working. With regards to the MIP, are you using the MIP as the destination object in the trust VR?

-John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

Visitor
DustinBoyle
Posts: 7
Registered: ‎12-29-2008
0

Re: Multiple VIPs on a NS5GT?

Sorry, had to run and fix an issue quick; I'm back now.

SSH isn't checked in the untrust basic settings but it is checked in the trust settings. Should this be different?

As far as the MIP is concerned, I have no MIP entries in the trust interface, only in the untrust, and it points directly to the database server.

Visitor
DustinBoyle
Posts: 7
Registered: ‎12-29-2008
0

Re: Multiple VIPs on a NS5GT?

Just thought I'd add this,

If I try to create a custom service for SSH and apply it to the current VIP I receive this error message:

Service (port=22) not supported for this vip xx.xx.xxx.xxx.   (the x's being my real IP address)

The same happens if I try to use the existing SSH predefined service.

Distinguished Expert
firewall72
Posts: 806
Registered: ‎05-04-2008
0

Re: Multiple VIPs on a NS5GT?

Hi,

I found a KB that addresses this (see link below). I hope this helps.

http://kb.juniper.net/index?page=content&id=KB5535&actp=search&searchid=1230587274159

-John

John Judge
JNCIS-SEC, JNCIS-ENT, JNCIA-JUNOS, JNSS-Firewall

Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: Multiple VIPs on a NS5GT?

Hi,

Could you post your config so that we can have a look at it? Remember to mask sensitive data.

Also, you say that the MIP works but the VIP doesn't. Can you turn on logging on the MIP policy, then make the connection to the server and make sure that it is only SSH that is connecting through and you don't need any other ports?

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Visitor
DustinBoyle
Posts: 7
Registered: ‎12-29-2008
0

Re: Multiple VIPs on a NS5GT?

[ Edited ]

Hi Andy,

As requested, here is my config:

set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "DVR - UDPxxxx" protocol udp src-port x dst-port x
set service "Remote Desktop" protocol tcp src-port x dst-port x
set service "telexper" protocol tcp src-port x dst-port x
set service "telexper TCPxxxx" protocol tcp src-port x dst-port x
set service "dvr2" protocol tcp src-port x dst-port x
set service "dvr2" + udp src-port x dst-port x
set service "dvr2" + tcp src-port x dst-port x
set service "RealVNC" protocol tcp src-port x dst-port x
set service "RealVNC" + udp src-port x dst-port x
set service "SBS Remote Web Workplace" protocol tcp src-port x dst-port x
set service "SBS Sharepoint" protocol tcp src-port x dst-port x
set service "UPS" protocol tcp src-port x dst-port x timeout never
set service "DSI" protocol tcp src-port x dst-port x
set service "DSI" + udp src-port x dst-port x
set service "DSI" timeout 60
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Peserver" id 1
set auth-server "Peserver" server-name "x.x.local"
set auth-server "Peserver" backup1 "x.xs.local"
set auth-server "Peserver" account-type xauth
set auth-server "Peserver" radius secret "x"
set auth default auth server "Local"
set auth radius accounting port x
set admin name "x"
set admin password "x"
set admin manager-ip xx.xxx.xx.xxx xxx.xxx.xxx.xxx
set admin manager-ip xxx.xxx.x.x xxx.xxx.xxx.x
set admin scs password disable username peadmin
set admin http redirect
set admin auth timeout 60
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip xxx.xxx.x.x/xx
set interface trust nat
set interface untrust ip xx.xx.xxx.xxx/xx
set interface untrust nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage ssl
set interface untrust manage web
set interface untrust vip untrust 3389 "Remote Desktop" 192.168.1.10 manual
set interface untrust vip untrust 443 "HTTPS" 192.168.1.10 manual
set interface untrust vip untrust 1220 "telexper TCP1220" 192.168.1.116 manual
set interface untrust vip untrust 6716 "telexper" 192.168.1.150
set interface untrust vip untrust 1350 "DVR - UDP1350" 192.168.1.116 manual
set interface untrust vip untrust 25 "MAIL" 192.168.1.10 manual
set interface untrust vip untrust 4125 "SBS Remote Web Workplace" 192.168.1.10 manual
set interface untrust vip untrust 444 "SBS Sharepoint" 192.168.1.10 manual
set interface "untrust" mip xx.xx.xxx.xxx host xxx.xxx.x.xx netmask 255.255.255.255 vr "trust-vr"
set flow tcp-mss 1380
set flow path-mtu
unset flow tcp-syn-check
set domain x.local
set hostname penetscreen

set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn country-name "US"
set pki x509 dn state-name "WI"
set pki x509 dn org-name "x"
set pki x509 dn name "x"
set pki x509 dn email "x@x.com"
set pki x509 cert-fqdn x.x.com
set dns host dns1 192.168.1.10 src-interface trust
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set dns host schedule 06:28
set address "Trust" "192.168.1.110/255.255.255.255" 192.168.1.110 255.255.255.255
set address "Trust" "192.168.1.116/255.255.255.255" 192.168.1.116 255.255.255.255
set address "Trust" "192.168.1.99/255.255.255.0" 192.168.1.99 255.255.255.0
set address "Trust" "192.168.1.99/255.255.255.255" 192.168.1.99 255.255.255.255
set address "Trust" "DustinB" 192.168.1.66 255.255.255.255 "Dustin's PC"
set address "Trust" "PESBS2K3" 192.168.1.10 255.255.255.255 "SBS Server"
set address "Trust" "x" 192.168.1.0 255.255.255.0
set address "Untrust" "Public IP 3" xx.xx.xxx.xxx xxx.xxx.xxx.xxx
set ippool "PE Xauth Pool" 60.60.60.1 60.60.60.254
set user "x" uid 13
set user "x" ike-id u-fqdn "x.x@xx.com" share-limit 1
set user "x" type  ike xauth
set user "x" password "x="
unset user "x" type auth
set user "x" "enable"
set user "x" uid 14
set user "x" ike-id u-fqdn "x.x@xx.com" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" password "x"
unset user "x" type auth
set user "x" "enable"
set user "x" uid 11
set user "x" ike-id u-fqdn "x@x.com" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 5
set user "x" ike-id u-fqdn "x@x.com" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 9
set user "x" ike-id u-fqdn "x.x@x.com" share-limit 1
set user "xn" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 6
set user "x" ike-id u-fqdn "x" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 10
set user "x" ike-id u-fqdn "x.x.com" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 8
set user "x" ike-id u-fqdn "x.x@x.com" share-limit 1
set user "x" type  ike xauth
set user "x" remote ippool "PE Xauth Pool"
set user "x" "enable"
set user "x" uid 7
set user "x" ike-id u-fqdn "x.x@x" share-limit 1
set user "x" type  ike xauth
set user "x" "enable"
set user-group "VPN Users Group" id 6
set user-group "VPN Users Group" location external
set user-group "VPN Users Group" type xauth
set user-group "Xauth Group" id 5
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set user-group "Xauth Group" user "x"
set ike gateway "Xauth VPN Gateway" dialup "Xauth Group" Aggr outgoing-interface "untrust" preshare "x" proposal "pre-g2-3des-sha"
unset ike gateway "Xauth VPN Gateway" nat-traversal udp-checksum
set ike gateway "Xauth VPN Gateway" nat-traversal keepalive-frequency 5
set ike gateway "Xauth VPN Gateway" xauth server "x" user-group "VPN Users Group"
unset ike gateway "Xauth VPN Gateway" xauth do-edipi-auth
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "PE Xauth Pool"
set xauth default dns1 192.168.1.10
set xauth default auth server Peserver
set vpn "Xauth VPN" gateway "Xauth VPN Gateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set l2tp default dns1 192.168.1.5
set l2tp default ppp-auth chap
set attack db mode Update
set attack db schedule daily 00:00
set url protocol websense
exit
set policy default-permit-all
set policy id 12 name "DSI SSH" from "Untrust" to "Trust"  "Any" "MIP(xx.xx.xx.xxx)" "SSH" permit log
set policy id 12
set log session-init
exit
set policy id 4 name "Pridham L2TP Users" from "Trust" to "Untrust"  "Pridham Internal" "Dial-Up VPN" "ANY" tunnel vpn "Xauth VPN" id 10 pair-policy 3 log count
set policy id 4
exit
set policy id 10 name "POP3 Outbound - PESBS2K3" from "Trust" to "Untrust"  "PESBS2K3" "Any" "POP3" permit log
set policy id 10
exit
set policy id 9 name "POP3 Outbound" from "Trust" to "Untrust"  "Pridham Internal" "Any" "POP3" deny log
set policy id 9
exit
set policy id 8 name "SMTP" from "Trust" to "Untrust"  "Pridham Internal" "Any" "SMTP" permit log count
set policy id 8 application "SMTP"
set policy id 8
exit
set policy id 3 name "Pridham L2TP Users" from "Untrust" to "Trust"  "Dial-Up VPN" "Pridham Internal" "ANY" tunnel vpn "Xauth VPN" id 10 pair-policy 4 log count
set policy id 3
exit
set policy id 5 name "DVR (TCPxxx,UDPxxx)" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "telexper" permit log count
set policy id 5
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 6 name "Real VNC" from "Untrust" to "Trust"  "Any" "xxx.xxx.x.xxx/255.255.255.255" "RealVNC" permit
set policy id 6
exit
set policy id 7 name "SBS Remote Web Ports" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SBS Remote Web Workplace" permit log count
set policy id 7
set service "SBS Sharepoint"
set log session-init
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log count
set policy id 2
exit
set policy id 11 name "DSI" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "DSI" permit log
set policy id 11
exit
set monitor cpu 100
set nsmgmt report proto-dist enable
set nsmgmt report statistics ethernet enable
set nsmgmt report statistics attack enable
set nsmgmt report statistics flow enable
set nsmgmt report statistics policy enable
set nsmgmt report alarm other enable
set nsmgmt report log info enable
set nsmgmt report log self enable
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ssl port 6666
set ntp server "ntp.psu.net"
set ntp server src-interface "untrust"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 30
set ntp max-adjustment 666
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway xx.xx.xxx.xxx preference 20 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Let me know if I have masked too much.

Message Edited by DustinBoyle on 12-30-2008 11:33 AM
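An added example, not code from the thread or from Juniper: a small Python audit of the policy section of the config above. It assumes the listing order is the evaluation order (as in ScreenOS "get config" output) and adds one constructed policy (id 99) to the sample; it reports the fallback action for traffic matching no policy, policies shadowed by an earlier catch-all for the same zone pair, and any policy that permits every service into a MIP or VIP.

```python
import re
from collections import namedtuple

# Constructed sample: the policy lines of the posted config in listing order, plus one
# constructed policy (id 99) that permits every service into the MIP.
SAMPLE_CONFIG = """
set policy default-permit-all
set policy id 12 name "DSI SSH" from "Untrust" to "Trust"  "Any" "MIP(xx.xx.xx.xxx)" "SSH" permit log
set policy id 99 name "constructed" from "Untrust" to "Trust"  "Any" "MIP(xx.xx.xx.xxx)" "ANY" permit log
set policy id 5 name "DVR (TCPxxx,UDPxxx)" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "telexper" permit log count
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log count
set policy id 11 name "DSI" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "DSI" permit log
"""

POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "([^"]*)")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|tunnel)')

Policy = namedtuple("Policy", "pid name src_zone dst_zone src dst svc action")

def parse_policies(text):
    """Return (default_permit_all, [Policy, ...]) in listing order."""
    default_permit, policies = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == "set policy default-permit-all":
            default_permit = True
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, name, *rest = m.groups()
            policies.append(Policy(int(pid), name or "", *rest))
    return default_permit, policies

def audit(text):
    """Report the fallback action, shadowed policies and catch-all permits into a MIP/VIP."""
    default_permit, policies = parse_policies(text)
    findings = []
    if default_permit:
        findings.append("default-permit-all: traffic matching no policy is permitted")
    catch_all = {}  # (from_zone, to_zone) -> id of the first Any/Any/ANY policy
    for p in policies:
        pair = (p.src_zone, p.dst_zone)
        if pair in catch_all:  # evaluation is top-down per zone pair, so this never matches
            findings.append(f"policy {p.pid} shadowed by catch-all policy {catch_all[pair]}")
        elif p.src == "Any" and p.dst == "Any" and p.svc == "ANY":
            catch_all[pair] = p.pid
        if p.action == "permit" and p.svc == "ANY" and p.dst.startswith(("MIP(", "VIP(")):
            findings.append(f"policy {p.pid} permits every service to {p.dst}")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the three findings; feed it the policy section of any masked ScreenOS config to check ordering before relying on a single-service MIP policy.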
Trusted Expert
AndyC
Posts: 441
Registered: ‎07-08-2008
0

Re: Multiple VIPs on a NS5GT?

Hi,

Config looks all OK. So does it work with the MIP, and is it restricted with the SSH policy in place? Or is traffic still getting through to the server?

If you want to get the VIP working then I suggest that you set it up and then do a debug flow basic to capture the traffic when it hits the firewall and see what it is doing with it. This will show us why the firewall is dropping the traffic.

Regards

Andy

JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-ER
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.