I'm trying to build a DMZ on an SSG140 (ScreenOS). Trust to Untrust works. DMZ to Trust works. And I have an IPsec VPN working too. I just cannot establish any communication between my DMZ and the internet. Any ideas are most welcome!
Trust is 10.38.71.0/24. DMZ is 10.38.75.0/24.
Config is below.
Thanks,
Dennis
P.S. I have no idea why there's a line reading "set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0". That network does not exist in this environment.
set clock timezone -6
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "WINFRAME CGP" protocol tcp src-port 0-65535 dst-port 2598-2598
set service "CITRIX XML" protocol tcp src-port 0-65535 dst-port 100-100
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "*************************"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface ethernet0/0 ip 10.38.71.1/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/1 ip 10.38.75.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip x.x.x.x/29
set interface ethernet0/2 route
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface ethernet0/2 gateway x.x.x.x
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface vlan1 manage mtrace
set interface ethernet0/2 vip x.x.x.y 443 "HTTPS" 10.38.75.10
set interface ethernet0/2 vip x.x.x.y + 80 "HTTP" 10.38.75.10
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set console page 10
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "10.38.71.0/24" 10.38.71.0 255.255.255.0
set address "Trust" "172.20.0.0/16" 172.20.0.0 255.255.0.0
set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0
set address "DMZ" "10.38.75.0/24" 10.38.75.0 255.255.255.0
set ike gateway "MHOI GW" address 0.0.0.0 id "mhoi" Aggr outgoing-interface "ethernet0/2" preshare "BOy1PZVINqRtrasIImCLUMGJKPnZLZ0slw==" proposal "pre-g2-3des-sha"
unset ike gateway "MHOI GW" nat-traversal
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "MHOI VPN" gateway "MHOI GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "MHOI VPN" monitor
set vpn "MHOI VPN" id 1 bind interface tunnel.1
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set vpn "MHOI VPN" proxy-id local-ip 10.38.71.0/24 remote-ip 172.20.0.0/16 "ANY"
set policy id 6 name "Intrazone - secured" from "Trust" to "Trust" "172.20.0.0/16" "10.38.71.0/24" "FTP" permit log
set policy id 6
set service "HTTP"
set service "HTTPS"
set service "PING"
set service "WINFRAME"
set service "WINFRAME CGP"
exit
set policy id 4 name "Intrazone - secured" from "Trust" to "Trust" "172.20.0.0/16" "10.38.71.0/24" "ANY" deny log
set policy id 4
exit
set policy id 2 name "internet access" from "Trust" to "Untrust" "10.38.71.0/24" "Any" "ANY" permit
set policy id 2
exit
set policy id 8 from "DMZ" to "Trust" "10.38.75.0/24" "10.38.71.0/24" "CITRIX XML" permit
set policy id 8
set service "PING"
set service "WINFRAME"
set service "WINFRAME CGP"
exit
set policy id 7 from "DMZ" to "Trust" "10.38.75.0/24" "10.38.71.0/24" "ANY" deny
set policy id 7
exit
set policy id 10 from "Trust" to "DMZ" "10.38.71.0/24" "10.38.75.0/24" "ANY" permit
set policy id 10
exit
set policy id 9 from "Untrust" to "DMZ" "Any" "VIP(206.220.194.35)" "HTTP" permit
set policy id 9
set service "HTTPS"
exit
set policy id 11 from "DMZ" to "Untrust" "10.38.75.0/24" "Any" "ANY" permit
set policy id 11
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.20.0.0/16 interface tunnel.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit