Screen OS

  • 1.  SSG-20 and ADSL configuration help

    Posted 04-02-2010 07:44

    I have a SSG-20 with two ADSL interfaces.  Ideally I would like to configure bgroup0 to only use adsl1/0 and bgroup1 to only use adsl2/0.  I don't need any failover, I just would like to keep the two networks separated.

    Is this possible? If it is could anyone assist me with how to configure it.

    Thanks


    #ADSL
    #SSG-20


  • 2.  RE: SSG-20 and ADSL configuration help

    Posted 04-07-2010 12:40

    Hi

    Just to verify that I understand you right.

    What you want to achieve is in fact having "2 separate firewalls" in one SSG-20.

    If this is the case it should be possible in the following way.

    ADSL1 and bgroup1:

    Configure ADSL1 in the untrust zone which can be attached to trust-vr virtual router.

    Configure bgroup1 interface in the trust zone using the same virtual router.

    ADSL2 and bgroup2:

    Create an untrust2 zone and attach that to the untrust-vr virtual router.

    Configure the ADSL2 interface in the untrust2 zone.

    Create a trust2 zone attached to the same virtual router.

    Configure bgroup2 interface in the trust2 zone.

    Now you have 2 pairs of zones with their own routing instances, which are unaware of each other, and you can begin configuring policies from trust-to-untrust and trust2-to-untrust2 zones.

    I have never tried this with ADSL interfaces, but I have tried it with ethernet interfaces, and that works.



  • 3.  RE: SSG-20 and ADSL configuration help

    Posted 04-08-2010 03:21

    Hi

    Thanks for the reply.  Your solution is where I am roughly at since my weekend of playing, although I did create a new vr rather than using the untrust-vr.  Is there any reason why you have used the untrust-vr?

    Answering your question, you are correct, I am trying to create 2 separate firewalls on the same SSG-20.  This particular case is a home office network and a home network.  I am trying to use one SSG-20 device to control all access but keep the home office with ADSL isolated from the home network with ADSL.

    When both ADSLs are connected the routing tables populate correctly and both networks are allocated DNS servers from their appropriate ISP.  The only problem that I have now is the new vr doesn't allow internet access and isn't able to resolve DNS.  I am not sure if this is a routing issue or an access rule.

    Any additional pointers would be greatly appreciated.



  • 4.  RE: SSG-20 and ADSL configuration help

    Posted 04-08-2010 03:43

    Hi

    It would be nice to see the output from get route.



  • 5.  RE: SSG-20 and ADSL configuration help

    Posted 04-09-2010 05:40

    Hi

    Here is the output from get route.  Just to clarify things, I also have a public-vr configured which I intend to use to share devices like printers in the future between the other two vr's.

    IPv4 Dest-Routes for <untrust-vr> (0 entries)
    --------------------------------------------------------------------------------------
    H: Host C: Connected S: Static A: Auto-Exported
    I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
    N: NHRP
    iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
    E2: OSPF/OSPFv3 external type 2 trailing B: backup route

    IPv4 Dest-Routes for <trust-vr> (7 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        14          0.0.0.0/0        adsl1/0    81.139.128.1   C    0      1     Root
    *        12  81.139.136.107/32        adsl1/0         0.0.0.0   C    0      0     Root
    *        13  81.139.136.107/32        adsl1/0         0.0.0.0   H    0      0     Root
    *         2     192.168.0.1/32        bgroup0         0.0.0.0   H    0      0     Root
    *        17     192.168.2.1/32        bgroup2         0.0.0.0   S   20      1     Root
    *        16     192.168.2.0/24        bgroup2         0.0.0.0   S   20      1     Root
    *         1     192.168.0.0/24        bgroup0         0.0.0.0   C    0      0     Root

     

    IPv4 Dest-Routes for <public-vr> (6 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *         8     192.168.1.1/32        bgroup1         0.0.0.0   S   20      1     Root
    *         6     192.168.0.1/32        bgroup0         0.0.0.0   S   20      1     Root
    *         2     192.168.2.1/32        bgroup2         0.0.0.0   H    0      0     Root
    *         1     192.168.2.0/24        bgroup2         0.0.0.0   C    0      0     Root
    *         7     192.168.1.0/24        bgroup1         0.0.0.0   S   20      1     Root
    *         5     192.168.0.0/24        bgroup0         0.0.0.0   S   20      1     Root

     

    IPv4 Dest-Routes for <home-vr> (7 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        10          0.0.0.0/0        adsl2/0  217.47.111.250   C    0      1     Root
    *         2     192.168.1.1/32        bgroup1         0.0.0.0   H    0      0     Root
    *         7     192.168.2.1/32        bgroup2         0.0.0.0   S   20      1     Root
    *         8  86.140.156.194/32        adsl2/0         0.0.0.0   C    0      0     Root
    *         9  86.140.156.194/32        adsl2/0         0.0.0.0   H    0      0     Root
    *         6     192.168.2.0/24        bgroup2         0.0.0.0   S   20      1     Root
    *         1     192.168.1.0/24        bgroup1         0.0.0.0   C    0      0     Root



  • 6.  RE: SSG-20 and ADSL configuration help

    Posted 04-10-2010 06:53

    Hi

    As to routing to the internet I don't see any problems - maybe a get int and get zone could cast some light on this.

    The problem I see is the routing to and from the public net.

    Here I would expect the below output:

    IPv4 Dest-Routes for <trust-vr> (7 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        14          0.0.0.0/0        adsl1/0    81.139.128.1   C    0      1     Root
    *        12  81.139.136.107/32        adsl1/0         0.0.0.0   C    0      0     Root
    *        13  81.139.136.107/32        adsl1/0         0.0.0.0   H    0      0     Root
    *         2     192.168.0.1/32        bgroup0         0.0.0.0   H    0      0     Root
    *        16     192.168.2.0/24            n/a       public-vr   S   20      1     Root
    *         1     192.168.0.0/24        bgroup0         0.0.0.0   C    0      0     Root

    IPv4 Dest-Routes for <public-vr> (6 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *         2     192.168.2.1/32        bgroup2         0.0.0.0   H    0      0     Root
    *         1     192.168.2.0/24        bgroup2         0.0.0.0   C    0      0     Root
    *         7     192.168.1.0/24            n/a         home-vr   S   20      1     Root
    *         5     192.168.0.0/24            n/a        trust-vr   S   20      1     Root

    IPv4 Dest-Routes for <home-vr> (7 entries)
    --------------------------------------------------------------------------------------
             ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
    --------------------------------------------------------------------------------------
    *        10          0.0.0.0/0        adsl2/0  217.47.111.250   C    0      1     Root
    *         2     192.168.1.1/32        bgroup1         0.0.0.0   H    0      0     Root
    *         8  86.140.156.194/32        adsl2/0         0.0.0.0   C    0      0     Root
    *         9  86.140.156.194/32        adsl2/0         0.0.0.0   H    0      0     Root
    *         6     192.168.2.0/24            n/a       public-vr   S   20      1     Root
    *         1     192.168.1.0/24        bgroup1         0.0.0.0   C    0      0     Root

     

    One way to troubleshoot the inability to communicate towards the internet from the Home part of the firewall would be doing debugging.

    It can be done in the following way:

    First you set up a flow filter to record only the traffic you need to debug.

    set ff src-ip xx.xx.xx.xx dst-ip yy.yy.yy.yy

    set ff src-ip yy.yy.yy.yy dst-ip xx.xx.xx.xx

    debug flow basic - activates debugging

    clear db - clears the debug memory in case it should contain information from a previous debug

    Now the firewall records what traffic matches the flow filter.

    get db stream - gets the content from the debug buffer.

    If you want to save the debug information it can be sent to a tftp server.

    get db stream > tftp zz.zz.zz.zz debugfile.txt

    The debug can be stopped with undebug all

    The output will give you information as to what the firewall does with the traffic.
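    A quick way to spot the routing-table symptom this reply points out, added here as an example and not code from the thread or from Juniper: it parses `get route` output (a constructed sample in the same layout as the paste above, addresses are placeholders) and reports VRs that hold no default route and routes that use an interface which is connected in a different VR, which the expected output above corrects with n/a next-hop VR entries. The function names are my own choice.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the thread's `get route` paste (addresses are placeholders).
SAMPLE_GET_ROUTE = """\
IPv4 Dest-Routes for <trust-vr> (3 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        14          0.0.0.0/0        adsl1/0    81.139.128.1   C    0      1     Root
*        16     192.168.2.0/24        bgroup2         0.0.0.0   S   20      1     Root
*         1     192.168.0.0/24        bgroup0         0.0.0.0   C    0      0     Root
IPv4 Dest-Routes for <public-vr> (2 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         1     192.168.2.0/24        bgroup2         0.0.0.0   C    0      0     Root
*         7     192.168.1.0/24            n/a         home-vr   S   20      1     Root
"""

VR_HEADER = re.compile(r"IPv4 Dest-Routes for <([^>]+)>")
# ID, prefix, interface, gateway, protocol flag, preference, metric, vsys
ROUTE_LINE = re.compile(r"^\*?\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Za-z0-9]+)\s+\d+\s+\d+\s+\S+")

def parse_get_route(text):
    """Return {vr: [(prefix, interface, gateway, protocol), ...]} from `get route` output."""
    tables, vr = defaultdict(list), None
    for line in text.splitlines():
        header = VR_HEADER.search(line)
        if header:
            vr = header.group(1)
        elif vr and (route := ROUTE_LINE.match(line.strip())):
            tables[vr].append(route.groups())
    return dict(tables)

def check_vr_design(tables):
    """Flag VRs with no default route, and routes that borrow an interface connected in another VR.
    An interface belongs to one VR; another VR's network is reached via a next-hop VR
    (interface shown as n/a and the VR name in the Gateway column), not via its interface."""
    owner = {iface: vr for vr, routes in tables.items()
             for _, iface, _, proto in routes if proto == "C" and iface != "n/a"}
    findings = []
    for vr, routes in tables.items():
        if not any(prefix == "0.0.0.0/0" for prefix, *_ in routes):
            findings.append(f"{vr}: no default route")
        for prefix, iface, _, _ in routes:
            if iface in owner and owner[iface] != vr:
                findings.append(f"{vr}: {prefix} via {iface}, which is connected in {owner[iface]}")
    return findings
```

    Paste the real output into SAMPLE_GET_ROUTE; a public-vr with no default route is expected in this design, so that finding is informational.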



  • 7.  RE: SSG-20 and ADSL configuration help
    Best Answer

    Posted 05-03-2010 10:24

    The configuration was nearly there.  We were just missing a PBR configuration to push all bgroup1 traffic through adsl/2