Screen OS


  • 1.  Newbie cannot get traffic between DMZ and Untrust

    Posted 03-17-2009 09:35

    I'm trying to build a DMZ on an SSG140 (ScreenOS).  Trust to Untrust works.  DMZ to Trust works.  And I have an IPsec VPN working too.  I just cannot establish any communication between my DMZ and the Internet.  Any ideas are most welcome!

     

    Trust is 10.38.71.0/24.  DMZ is 10.38.75.0/24. 

     

    Config is below.   

     

    Thanks,

    Dennis

     

    P.S. I have no idea why there's a line reading "set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0".  That network does not exist in this environment.

     

     

    set clock timezone -6

    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00

    set vrouter trust-vr sharable

    set vrouter "untrust-vr"

    exit

    set vrouter "trust-vr"

    unset auto-route-export

    exit

    set service "WINFRAME CGP" protocol tcp src-port 0-65535 dst-port 2598-2598 

    set service "CITRIX XML" protocol tcp src-port 0-65535 dst-port 100-100 

    set auth-server "Local" id 0

    set auth-server "Local" server-name "Local"

    set auth default auth server "Local"

    set auth radius accounting port 1646

    set admin name "netscreen"

    set admin password "*************************"

    set admin http redirect

    set admin auth timeout 10

    set admin auth server "Local"

    set admin format dos

    set zone "Trust" vrouter "trust-vr"

    set zone "Untrust" vrouter "trust-vr"

    set zone "DMZ" vrouter "trust-vr"

    set zone "VLAN" vrouter "trust-vr"

    set zone "Untrust-Tun" vrouter "trust-vr"

    set zone "Trust" tcp-rst 

    set zone "Untrust" block 

    unset zone "Untrust" tcp-rst 

    set zone "MGT" block 

    set zone "DMZ" tcp-rst 

    set zone "VLAN" block 

    unset zone "VLAN" tcp-rst 

    set zone "Untrust" screen tear-drop

    set zone "Untrust" screen syn-flood

    set zone "Untrust" screen ping-death

    set zone "Untrust" screen ip-filter-src

    set zone "Untrust" screen land

    set zone "V1-Untrust" screen tear-drop

    set zone "V1-Untrust" screen syn-flood

    set zone "V1-Untrust" screen ping-death

    set zone "V1-Untrust" screen ip-filter-src

    set zone "V1-Untrust" screen land

    set interface "ethernet0/0" zone "Trust"

    set interface "ethernet0/1" zone "DMZ"

    set interface "ethernet0/2" zone "Untrust"

    set interface "tunnel.1" zone "Trust"

    set interface ethernet0/0 ip 10.38.71.1/24

    set interface ethernet0/0 nat

    unset interface vlan1 ip

    set interface ethernet0/1 ip 10.38.75.1/24

    set interface ethernet0/1 nat

    set interface ethernet0/2 ip x.x.x.x/29

    set interface ethernet0/2 route

    set interface tunnel.1 ip unnumbered interface ethernet0/2

    set interface ethernet0/2 gateway x.x.x.x

    unset interface vlan1 bypass-others-ipsec

    unset interface vlan1 bypass-non-ip

    set interface ethernet0/0 ip manageable

    unset interface ethernet0/1 ip manageable

    set interface ethernet0/2 ip manageable

    set interface ethernet0/2 manage ping

    set interface ethernet0/2 manage telnet

    set interface ethernet0/2 manage ssl

    set interface ethernet0/2 manage web

    set interface vlan1 manage mtrace

    set interface ethernet0/2 vip x.x.x.y 443 "HTTPS" 10.38.75.10

    set interface ethernet0/2 vip x.x.x.y + 80 "HTTP" 10.38.75.10

    unset flow no-tcp-seq-check

    set flow tcp-syn-check

    unset flow tcp-syn-bit-check

    set flow reverse-route clear-text prefer

    set flow reverse-route tunnel always

    set console page 10

    set pki authority default scep mode "auto"

    set pki x509 default cert-path partial

    set address "Trust" "10.38.71.0/24" 10.38.71.0 255.255.255.0

    set address "Trust" "172.20.0.0/16" 172.20.0.0 255.255.0.0

    set address "Untrust" "192.168.10.0/24" 192.168.10.0 255.255.255.0

    set address "DMZ" "10.38.75.0/24" 10.38.75.0 255.255.255.0

    set ike gateway "MHOI GW" address 0.0.0.0 id "mhoi" Aggr outgoing-interface "ethernet0/2" preshare "BOy1PZVINqRtrasIImCLUMGJKPnZLZ0slw==" proposal "pre-g2-3des-sha"

    unset ike gateway "MHOI GW" nat-traversal

    set ike respond-bad-spi 1

    unset ike ikeid-enumeration

    unset ike dos-protection

    unset ipsec access-session enable

    set ipsec access-session maximum 5000

    set ipsec access-session upper-threshold 0

    set ipsec access-session lower-threshold 0

    set ipsec access-session dead-p2-sa-timeout 0

    unset ipsec access-session log-error

    unset ipsec access-session info-exch-connected

    unset ipsec access-session use-error-log

    set vpn "MHOI VPN" gateway "MHOI GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha" 

    set vpn "MHOI VPN" monitor

    set vpn "MHOI VPN" id 1 bind interface tunnel.1

    set vrouter "untrust-vr"

    exit

    set vrouter "trust-vr"

    exit

    set url protocol websense

    exit

    set vpn "MHOI VPN" proxy-id local-ip 10.38.71.0/24 remote-ip 172.20.0.0/16 "ANY" 

    set policy id 6 name "Intrazone - secured" from "Trust" to "Trust"  "172.20.0.0/16" "10.38.71.0/24" "FTP" permit log 

    set policy id 6

    set service "HTTP"

    set service "HTTPS"

    set service "PING"

    set service "WINFRAME"

    set service "WINFRAME CGP"

    exit

    set policy id 4 name "Intrazone - secured" from "Trust" to "Trust"  "172.20.0.0/16" "10.38.71.0/24" "ANY" deny log 

    set policy id 4

    exit

    set policy id 2 name "internet access" from "Trust" to "Untrust"  "10.38.71.0/24" "Any" "ANY" permit 

    set policy id 2

    exit

    set policy id 8 from "DMZ" to "Trust"  "10.38.75.0/24" "10.38.71.0/24" "CITRIX XML" permit 

    set policy id 8

    set service "PING"

    set service "WINFRAME"

    set service "WINFRAME CGP"

    exit

    set policy id 7 from "DMZ" to "Trust"  "10.38.75.0/24" "10.38.71.0/24" "ANY" deny 

    set policy id 7

    exit

    set policy id 10 from "Trust" to "DMZ"  "10.38.71.0/24" "10.38.75.0/24" "ANY" permit 

    set policy id 10

    exit

    set policy id 9 from "Untrust" to "DMZ"  "Any" "VIP(206.220.194.35)" "HTTP" permit 

    set policy id 9

    set service "HTTPS"

    exit

    set policy id 11 from "DMZ" to "Untrust"  "10.38.75.0/24" "Any" "ANY" permit 

    set policy id 11

    exit

    set nsmgmt bulkcli reboot-timeout 60

    set ssh version v2

    set config lock timeout 5

    unset license-key auto-update

    set snmp port listen 161

    set snmp port trap 162

    set vrouter "untrust-vr"

    exit

    set vrouter "trust-vr"

    unset add-default-route

    set route 172.20.0.0/16 interface tunnel.1 preference 20

    exit

    set vrouter "untrust-vr"

    exit

    set vrouter "trust-vr"

    exit

     



  • 2.  RE: Newbie cannot get traffic between DMZ and Untrust

    Posted 03-17-2009 09:53
    Forgot to mention that the ScreenOS version is 6.0.0r4.0.


  • 3.  RE: Newbie cannot get traffic between DMZ and Untrust

    Posted 03-17-2009 11:58

    Hi

    (1) Do you mean that your VPN doesn't work?

    - Is the VPN up? Check by running "get sa".

    - Also note that your tunnel interface is in the Trust zone; do you have problems reaching it from the DMZ?

    - Check the output of "get event" to see whether any log entries show why the VPN is not up.

     

    (2) Do you mean that traffic from your DMZ cannot reach the Internet?

    - Check that you have a route for the DMZ traffic; based on the config, there doesn't seem to be a default route out to the Internet.

    - Check the DMZ interface to make sure it is in NAT mode, since the DMZ's private addresses need source translation before they can reach the Internet.

     

     

     



  • 4.  RE: Newbie cannot get traffic between DMZ and Untrust

    Posted 03-17-2009 12:08

    Thanks WL.

     

    Yes, the VPN is OK.  It must be a missing route that's keeping my DMZ from talking to the Internet.



  • 5.  RE: Newbie cannot get traffic between DMZ and Untrust

    Posted 03-18-2009 06:07

    Hmmm.  I'm not getting this.  For example, there's no route explicitly defined between Trust and DMZ, or between Trust and the Internet, yet traffic passes as per my policies.  What's different about the DMZ-to-Internet traffic?

     

    Thanks,

    Dennis



  • 6.  RE: Newbie cannot get traffic between DMZ and Untrust
    Best Answer

    Posted 03-18-2009 10:45

    Got it.  After changing the interface from route mode to NAT mode, I also had to modify a policy to use source NAT.

     

    Cheers,

    Dennis