ScreenOS Firewalls (NOT SRX)

B77 (Contributor)

Redirect certain websites through untrust interface

Hi,

My current setup is an SSG20 with an ADSL interface and a VPN tunnel to head office (where our DNS servers are located). DNS on the SSG is set with the DHCP section pointing to our internal DNS servers, therefore taking all traffic through the tunnel.

The DNS section itself is not configured on the SSG.

I'd like to redirect traffic to certain websites via the untrust interface so they are not hitting the VPN tunnel. What would be the best way of attacking this?

Thanks in advance.

echidov (Distinguished Expert)

Re: Redirect certain websites through untrust interface

Hi,

DNS resolution has nothing to do with routing. If you route all Internet traffic into the tunnel using a default route, the only way to reach certain web servers directly through the Untrust interface is static routes for their IPs. Host and network routes take precedence over the default route.

Kind regards,
Edouard
samc (Trusted Expert)

Re: Redirect certain websites through untrust interface

Is all web traffic passing over the VPN tunnel?

As Edouard mentioned, you can create specific /32 host routes for the web sites and set the next hop out the untrust interface.

Alternatively, policy-based routing may also work in this situation.

Regards,
Sam

B77 (Contributor)

Re: Redirect certain websites through untrust interface

Hi guys,

Thanks for your replies. Sorry, after looking into it a bit further, I gave you some incorrect info. Only internal traffic to the head office goes over the VPN; however, the site they want is also available internally, so they are connecting using the internal IP.

It's basically too slow over the VPN, so I'd like to fire it out via the external. I won't be able to route the internal IP out as it won't resolve. Their DNS will resolve the site as the internal IP. Is there a way to catch traffic going to that IP/hostname and redirect it out of the external?

Cheers

echidov (Distinguished Expert)

Re: Redirect certain websites through untrust interface

Hi,

The simplest solution is to enable DNS Proxy on the Trust interface and create a couple of static cache entries for these web servers which are mapped to the public IPs (Network -> DNS -> Cache). The firewall itself should be able to resolve DNS requests using the internal DNS server (Network -> DNS -> Host). The option Network -> DNS -> Host -> Show DNS Lookup Table can be used to check/troubleshoot the DNS name resolution.

A more complex solution would be Proxy DNS Address Splitting (Vol. Fundamentals, C&E). This solution is more flexible. But if you need to resolve certain DNS requests to the public IPs and others to the internal IPs, while both groups of IPs are mapped to the same domain, this solution might become too complex.

Kind regards,
Edouard
samc (Trusted Expert)

Re: Redirect certain websites through untrust interface

So you want to intercept traffic to a server with, say, IP 10.1.1.2, change the dst-ip to a public IP, and route it out to the Internet? If you know the specific IP addresses, then either policy-based routing (PBR) or destination NAT + source NAT should work.

Sam
echidov (Distinguished Expert)

Re: Redirect certain websites through untrust interface

Hi,

Sam wants certain URLs to be resolved to the public IPs rather than to the private ones.

Kind regards,
Edouard
B77 (Contributor)

Re: Redirect certain websites through untrust interface

Hi Sam,

Yes, that's exactly what I want to do, with the least amount of changes. I'm not currently using PBR, so is it pretty straightforward to configure?

echidov (Distinguished Expert)

Re: Redirect certain websites through untrust interface

Hi,

PBR is not simple and, what is more, it does not solve your problem without NAT. But if you have configured NAT, PBR is not required...

Yes, you can translate the private IPs of your internal services to their public IPs on the Trust interface, using e.g. MIPs.

Kind regards,
Edouard
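A ScreenOS CLI sketch of the MIP approach Edouard describes, added here as an illustration and not taken from this thread or from the poster's configuration. The interface name bgroup0, the private address 10.1.1.2 (Sam's example) and the public address 203.0.113.10 are placeholders, the zone names and policy direction are assumptions to be checked against the Concepts & Examples guide for your release, and the lines beginning with # are explanation, not commands to paste.

```screenos
# Assumed: hosts in Trust resolve the site to 10.1.1.2 via head-office DNS.
# The MIP on the Trust-side interface rewrites that destination to the public
# address, and "vr untrust-vr" tells ScreenOS to look the host IP up in the
# untrust virtual router, so the session leaves via the ADSL Untrust interface
# instead of the VPN tunnel (assumes untrust-vr holds the ADSL default route).
set interface bgroup0 mip 10.1.1.2 host 203.0.113.10 netmask 255.255.255.255 vr untrust-vr

# Policy for the translated traffic: the destination is the MIP object, not the
# public IP. Limit it to the services actually needed rather than any-any.
set policy from trust to untrust any mip(10.1.1.2) http permit
set policy from trust to untrust any mip(10.1.1.2) https permit
save

# Verification: confirm the MIP is bound to the interface, then browse to the
# site from a Trust host and check that the session shows the translated
# destination and the Untrust egress interface.
get interface bgroup0 mip
get session dst-ip 203.0.113.10
```

If the session table shows the original 10.1.1.2 destination or the tunnel interface as egress, the translation is not being applied and the MIP placement, VR or policy direction is the first thing to re-check.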
B77 (Contributor)

Hi Edouard,

Thanks for that. So, I've set up a MIP entry on the Bgroup trust interface and set the mapped IP to the internal address and the host IP to the external IP that I want to reroute to. The netmask I've selected is 255.255.255.255, as it's just the one IP, and the host VR name is untrust.

I checked the access policy list too, and allowed any-any from trust-untrust. I still have no luck; it just doesn't connect now. I'm clearly missing something?

Cheers
