ScreenOS Firewalls (NOT SRX)
Visitor
jmcdaniel
Posts: 3
Registered: 11-03-2010

NAT not allowed

I am new to the forum, but I did search for a few days and haven't seen anything like this.

My situation is as follows:

SSG-550M with ScreenOS 6.2.0r7.0

Public IP range (ex. 200.100.50.0/24) - Gateway is 200.100.50.1 - NAT is strictly prohibited.  All devices must have registered, routable (Public) IP addresses.

I tried to set the Untrust interface as 200.100.50.2 and the Trust interface as 200.100.50.3 but received the overlapping subnet error.  I tried the "Set interface [interface] no-subnet-conflict-check" command on both eth0/0 and eth0/2 but apparently it is not a known keyword in this version.

I have also tried to set the eth0/0 as 192.168.1.1 and installed another SSG-550M with its eth0/2 address as 192.168.1.5 and the eth0/0 address as 200.100.50.3.  Set the default routes to 192.168.1.1 on the 2nd firewall and 200.100.50.1 on the 1st firewall.

For testing purposes I set both devices to allow ANY address, ANY port and ANY service in and out.   No devices behind the firewall can get to the internet.  I am not sure, but I would venture to guess that no devices upstream can get to me either.

I would greatly appreciate any assistance in getting this to work.

Thank you.

Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: NAT not allowed

If you are not allowed to do NAT, I would put the firewall into layer-2 (transparent) mode.  There is quite a good deal of information in the user guide about transparent mode, but the basic steps are to put all of the physical interfaces into L2 security zones, and then reboot the device.  Once that is done, the box will be running in transparent mode.

Ron
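The steps Ron describes, written out as an added ScreenOS example (this is not Ron's configuration and not taken from the Juniper manual). The interface names, the management address, the V1 zone choice and the policies are assumptions; the management IP is only for reaching the box, since in transparent mode the physical ports carry no addresses:

```screenos
# Added example, not from the thread. Puts an SSG into transparent (Layer-2) mode.
# Assumed: ethernet0/0 faces the ISP router, ethernet0/2 faces the LAN, and
# 200.100.50.2 is a spare address from the routed /24 used only for management.
# Remove any Layer-3 addressing and detach the ports from their current zones
unset interface ethernet0/0 ip
unset interface ethernet0/2 ip
set interface ethernet0/0 zone null
set interface ethernet0/2 zone null
# Bind the physical ports to the Layer-2 (V1) security zones
set interface ethernet0/0 zone v1-untrust
set interface ethernet0/2 zone v1-trust
# The management address lives on vlan1, not on a physical port
set interface vlan1 ip 200.100.50.2/24
set interface vlan1 manage ssh
set interface vlan1 manage ping
# Policies are still enforced between V1 zones: permit outbound, log what is
# dropped inbound, and narrow the any/any/any rules once traffic is confirmed
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any any any deny log
save
# Reboot afterwards (ScreenOS: reset), as the post above notes
```

Because nothing is translated, every LAN host keeps its registered public address and the ISP router sees the firewall only as a bridge in the path; the deny-with-log rule gives you a record of unsolicited inbound connections while you tighten the outbound policy.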

Visitor
jmcdaniel
Posts: 3
Registered: 11-03-2010

Re: NAT not allowed

I must have the wrong User Guide.  I can't find anything about transparent mode in my manual.

Super Contributor
terosa
Posts: 177
Registered: 10-26-2010

Re: NAT not allowed

[ Edited ]

Google is your friend, but here's one manual: http://www.debianadmin.com/howto-set-netscreen-ssg-model-firewall-into-transparent-mode.html

Another option is to ask your operator to route that public network via another small network, which you would use as the link network; then you can set public addresses on your LAN port. Voila!

Regards,
Tero S
Trusted Contributor
rfrederick
Posts: 213
Registered: 07-14-2008

Re: NAT not allowed

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v2.pdf

It is in the section under "Interface Modes"

Ron

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: NAT not allowed

Hi!

Network overlapping is possible and this works fine. But it should be configured on the VR and not on the interfaces:

set vrouter <name> ignore-subnet-conflict

Sure, both interfaces with overlapping addressing should be mapped to the same VR.

You can also try to configure the Untrust interface with a private IP and create a proxy ARP entry on this interface: set interface interface proxy-arp-entry 200.100.50.2 200.100.50.254 . The FW will be responding to the ARP requests from the router for these IPs.

Additionally you need a static ARP entry for the ISP router's IP: set arp ip_addr mac_addr interface. Otherwise the FW will not be able to find its default gateway.

I did not test this solution but it should work.

But the best solution would be to change addressing both on the FW and ISP router, provided that your ISP is flexible enough.

What I would not recommend is switching to the transparent mode. This is a different world full of limitations and bad surprises. I only use the L2 if the FW must be put into the middle of an existing and complex productive infrastructure.

Kind regards,

Edouard

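Both variants Edouard outlines, written out as an added ScreenOS example (this is not his configuration and, like his post, it has not been tested on a device). The interface names, the virtual router name, the policies and the MAC address are assumptions; the example also adds the route-mode setting that a no-NAT deployment needs:

```screenos
# Added example, not from the thread. Stays in Layer-3 (route) mode with public
# addresses on both sides of the firewall. Assumed: ethernet0/0 faces the ISP
# router 200.100.50.1, ethernet0/2 faces the LAN, both interfaces sit in trust-vr.
# Option 1: allow the overlapping subnets on the virtual router, not on the interfaces
set vrouter trust-vr ignore-subnet-conflict
set interface ethernet0/0 zone untrust
set interface ethernet0/2 zone trust
set interface ethernet0/0 ip 200.100.50.2/24
set interface ethernet0/2 ip 200.100.50.3/24
# ScreenOS puts Trust-zone interfaces in NAT mode by default; force route mode
# so nothing is translated (the ISP forbids NAT)
set interface ethernet0/2 route
set route 0.0.0.0/0 interface ethernet0/0 gateway 200.100.50.1
# Option 2, replacing the ethernet0/0 ip line and the route above: private IP
# on untrust, proxy-ARP for the LAN's public range, and a static ARP entry for
# the ISP gateway so the off-subnet default route still resolves.
# 00:11:22:33:44:55 is a placeholder for the router's real MAC address.
# set interface ethernet0/0 ip 192.168.1.1/24
# set interface ethernet0/0 proxy-arp-entry 200.100.50.4 200.100.50.254
# set arp 200.100.50.1 00:11:22:33:44:55 ethernet0/0
# set route 0.0.0.0/0 interface ethernet0/0 gateway 200.100.50.1
# Policies: permit outbound, log denied inbound; tighten any/any/any once it works
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any deny log
save
```

The `set interface ethernet0/2 route` line is the part most easily missed: with the default NAT mode on the Trust interface, traffic leaving the firewall would be source-translated to the Untrust address, which is exactly what the ISP's policy in the original post prohibits. Verify with `get interface` that the Trust interface reports route mode, and with `get route` that the default route resolves through ethernet0/0 before opening the policies further.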
Visitor
jmcdaniel
Posts: 3
Registered: 11-03-2010

Re: NAT not allowed

Thank you all for your assistance.  My Basic guide never mentioned transparent mode.

@Edouard - I have no control on the premise router and like you said, that is exactly why I needed to put the FW in L2 in line between it and my network.

Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: NAT not allowed

Hi,

This control is not required if the first solution (set vrouter <name> ignore-subnet-conflict) is used. But if you have already switched to the L2 mode it's OK.

Kind regards

Edouard

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.