Screen OS

  • 1.  Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-12-2010 21:06

    Hi,

    I am new to the Netscreen and am finding it very confusing to configure what should be pretty basic functions.  All I want to do is enable Remote Desktop (3389) from any external source to a Small Business Server on the trusted interface.

    Initially I attempted to set up a PPTP VPN pass-through to the SBS 2k3 box, only to discover that this proved to be virtually impossible with the lack of clear information available on the net, and gave up in frustration.  I then attempted to get an L2TP VPN connection to work from a Windows XP PC to the NS5GT; this also didn't work ... even when I attempted to use the NS Remote Client.  So I have given up on VPNs.

    Most of the syntax I have come across in my research is not recognized in the CLI for ScreenOS 5.4, and there appear to be several different ways to accomplish the same thing.

    Can someone please point me to a KB that has some clear step-by-step instructions on setting this up?

    I have looked at many and they all end up taking you to another one to perform something else, then I discover that the CLI syntax I am meant to enter does not work (i.e. set interface ethernet0/0 is not recognized).

    http://kb.juniper.net/index?page=content&id=KB11909 --> http://kb.juniper.net/KB11910 --> http://kb.juniper.net/KB12631 (these do not work, CLI syntax not recognized)

    So can someone please provide clear instructions on how to get traffic through the Netscreen 5GT to the server for a simple Windows Remote Desktop Connection on fixed port 3389.

    I work on Watchguard firewalls all the time and these just seem a lot more straightforward to set up and configure than the Netscreen.  I don't think this should be the case and perhaps I am just not familiar with the layout and the workings of the device.

    Thanks for reading.

    LJ



  • 2.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-12-2010 22:41

    Hi LJ

    Sorry to hear that you find ScreenOS confusing :)

    It always takes some time to get used to a new product. It also took me some time to get used to MIP and VIP instead of NAT and PAT - today I wouldn't live without them.

    Can you post the output from get int?



  • 3.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-13-2010 00:16

    Hi Hans,

    Thanks for reading my post and replying.

    I think you may have something in the VIP, MIP as opposed to NAT, PAT which seems to be more widely used.  The confusing thing is that the NS seems to have both ... that is probably where I am getting unstuck.

    Anyway, the output is as follows:

    NAME      IP ADDRESS          ZONE      MAC              VLAN   STATE   VSD
    Trust     192.168.35.xxx/24   Trust     xxxx.xxxx.2142   -      U       -
    Untrust   60.xxx.xx.xx/20     Untrust   xxxx.xxxx.2141   -      U       -
    serial    0.0.0.0/0           null      xxxx.xxxx.2146   -      D       -
    Adsl1     0.0.0.0/0           null      xxxx.xxxx.2149   -      D       -
    Vlan1     0.0.0.0/0           VLAN      xxxx.xxxx.214f   1      D       -
    null      0.0.0.0/0           null      N/A              -      U       0

    The untrust is going into a modem and is assigned by DHCP; the trust is going into the switch and is the IP of the NS5GT.  I have pretty much wiped everything except the any - any policy that allows all outgoing traffic from trust - untrust.

    I still have my custom services for RDP but will await your advice before I trash them also.

    Cheers,

    Lance



  • 4.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-13-2010 10:07

    Hi LJ

    One thing you must be aware of is that the naming of interfaces can vary between models.

    So when you see a sample config stating set interface ethernet0/0, you have to use the interface naming on your device.

    You can always use the "?" if in doubt, so when you have to configure interface-specific settings you can start typing

    set interface ?

    Then you get a list of the available interfaces you can use.



  • 5.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-15-2010 17:25

    Ok thanks, that was kind of obvious, not sure why I didn't see that myself ... 😞

    So then what would be the best way to configure the NS5GT to direct traffic from untrust to trust? Using VIP then creating a policy? Using a policy with NAT? Still getting my head around VIP.

    Cheers,

    Lance



  • 6.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-16-2010 06:29

    We use a VIP or a MIP depending on the situation.

    If you only have 1 IP, then a VIP on the untrusted interface with the same IP as the interface.

    In the policy, you do:

    Source ANY

    Dest VIP(x.x.x.)

    Service(RDP) --- I think you need to create a custom service, can't remember

    Permit

    and that's about all there is to it.

    Here is an example from my SSG 5; replace ethernet0/4 with untrust:

    set interface ethernet0/4 vip interface-ip 80 "HTTP" x.x.x.x
    set interface ethernet0/4 vip interface-ip 514 "SYSLOG" x.x.x.x
    set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/4)" "HTTP" permit log

    If you want to use a MIP, let me know.



  • 7.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-22-2010 19:37

    Thanks Travis, it worked.

    Here is what I did:

    Used Custom Service to set up RDC

    FROM WEBUI

    Objects --> Services --> Custom --> NEW

    Service Name: RDC

    Service Timeout: use protocol default

    1 | TCP | Source Port Low 1024 / High 65535 | Destination Port Low 3389 / High 3389 | ICMP left blank

    2 | TCP | Source Port Low 1024 / High 65535 | Destination Port Low 80 / High 80 | ICMP left blank

    OK

    FROM CLI

    Telnet to Firewall

    ns5gt-adsl--> set interface untrust vip 66.666.xx.xx 3389 "RDC" 192.168.xx.xx

    ns5gt-adsl--> set policy id x from "untrust" to "trust" "any" "VIP(untrust)" "RDC" permit log

    66.666.xx.xx is the same IP as your untrusted interface (assigned by your ISP). I have a dynamic IP so I am going to have to modify my policy and VIP when the IP changes.

    192.168.xx.xx is the IP of the PC or server you are wanting to Remote Desktop to.

    id x - x is the policy number; ensure that it is unique and does not share a number with an existing policy.

    I think the thing that was tripping me up was that the interface list on my firewall was different to what was being described in many of the knowledgebase articles; thanks to Hans for clearing that up for me.  Also it seemed to me that I was telling the firewall the same thing at least twice, but I have now come to realise that the NS devices have the VIP layer then the Policy layer, and the service you are forwarding needs to be referred to in both layers.  It all makes sense now, but coming from a NAT device it took some head scratching to realise this.

    Thanks for the help.

    Lance



  • 8.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0
    Best Answer

    Posted 04-22-2010 21:15

    Happy to hear it is working for you.

    As to changing the policy and VIP with the dynamic IP: if you use the IP as the interface IP, it won't need to be changed.  It will automatically pick up the new IPs.  I have done this in the past and used a DynDNS service.

    Sorry, one last edit......

    Instead of set int untrust vip x.x.x.x

    use set int untrust vip interface-ip

    Oh, and please give kudos 🙂
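An added configuration linter (my own example, not from this thread or from Juniper) that mechanically checks the three things posts 7 and 8 settle on: the service named on the VIP must also appear in a permit policy whose destination is VIP(interface), policy ids must be unique, and a VIP bound to a literal address on a DHCP interface should use interface-ip instead; it also flags ports a custom service carries that no VIP maps (the port 80 entry in "RDC"). The two "set service" lines in the sample are my assumption of how the WebUI-created custom service appears in get config; the VIP and policy lines are the ones from post 7.

```python
import re
from collections import Counter

# Constructed ScreenOS config excerpt modelled on this thread. The "set service"
# lines are an ASSUMED rendering of the WebUI custom service "RDC"; the VIP and
# policy lines follow post 7, with a deliberate duplicate policy id for the check.
SAMPLE_CONFIG = """
set service "RDC" protocol tcp src-port 1024-65535 dst-port 3389-3389
set service "RDC" + tcp src-port 1024-65535 dst-port 80-80
set interface untrust vip 66.666.xx.xx 3389 "RDC" 192.168.xx.xx
set policy id 5 from "untrust" to "trust" "any" "VIP(untrust)" "RDC" permit log
set policy id 5 from "trust" to "untrust" "any" "any" "any" permit
"""

SERVICE_RE = re.compile(r'^set service "(\S+)" (?:protocol|\+) tcp src-port \S+ dst-port (\d+)-(\d+)')
VIP_RE = re.compile(r'^set interface (\S+) vip (\S+) (\d+) "(\S+)" (\S+)')
POLICY_RE = re.compile(r'^set policy id (\d+) from "(\S+)" to "(\S+)" "(\S+)" "(\S+)" "(\S+)" (\w+)')


def lint(config):
    """Return a list of human-readable findings for a ScreenOS config excerpt."""
    services, vips, policies = {}, [], []
    for line in config.strip().splitlines():
        if m := SERVICE_RE.match(line):
            # Accumulate every destination port a custom service covers.
            services.setdefault(m[1], set()).update(range(int(m[2]), int(m[3]) + 1))
        elif m := VIP_RE.match(line):
            vips.append(dict(iface=m[1], vip_ip=m[2], port=int(m[3]), svc=m[4], host=m[5]))
        elif m := POLICY_RE.match(line):
            policies.append(dict(id=m[1], dst=m[5], svc=m[6], action=m[7]))
    findings = []
    # Post 7: each policy id must be unique.
    for pid, n in Counter(p["id"] for p in policies).items():
        if n > 1:
            findings.append(f"policy id {pid} is used {n} times")
    for v in vips:
        # Post 7: the service must be referenced in the VIP layer AND the policy layer.
        if not any(p["dst"] == f"VIP({v['iface']})" and p["svc"] == v["svc"]
                   and p["action"] == "permit" for p in policies):
            findings.append(f"VIP {v['iface']}:{v['port']} ({v['svc']}) has no matching permit policy")
        # Post 8: interface-ip follows a DHCP address change, a literal address does not.
        if v["vip_ip"] != "interface-ip":
            findings.append(f"VIP on {v['iface']} uses literal address {v['vip_ip']}; consider interface-ip")
        # Ports in the custom service that the VIP never maps are dead weight in the service definition.
        extra = sorted(services.get(v["svc"], set()) - {v["port"]})
        if extra:
            findings.append(f"service {v['svc']} includes ports {extra} not mapped by VIP {v['iface']}:{v['port']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of get config from the device (the sample here is embedded only so it runs offline).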



  • 9.  RE: Remote Desktop to SBS 2003 R2 through NS5GT ScreenOS 5.4.0r15.0

    Posted 04-26-2010 16:27

    Thanks Travis,

    good tip.

    Cheers,

    Lance