Screen OS

  • 1.  SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 12-29-2015 21:14

    Hello all!

    I'm a beginner engineer.

    I'm struggling with configuring the SSG-320M, especially the mapping settings (VIP, MIP, DIP)!

     

    [The purpose]

    I want to configure mapping between the SSG-320M and the DB servers.

    So I'm here to ask you for advice.

     

    [attached image: Network_Design.JPEG]

     

    [Situation]

    The point here is communication between the SSG-320M and the DB servers.

    The DB servers have separate private and public IPs.

    After searching on the internet, I found out that the Juniper firewall can do mapping using VIP (Public N : Private 1).

    (I think the public IP doesn't need a VIP configured because it is connected directly.)

     

    [Issues]

    I configured the firewall (320M) in VLAN mode, then connected it to a PC using UTP and entered the WebUI.

    By the way, VLAN does not support VIP; it only supports DIP (Public N : Private N).

    I have 30 available IP addresses.

    So I think it would be possible if I could configure an IP on each port separately.

    But, you know, we cannot configure the same domain on separate ports even if the IPs are different.

    You can understand what I mean from the picture below!

     

    [attached image: Network_Design.JPEG]

     

    I'm panicking... what can I do next...

    Even though I googled a lot, I didn't find good answers.

    I tried to explain this so that you can give a better answer,

    but I don't know whether the picture helps you understand what I mean!

    Please give me some advice.

    Thank you.

    Best Regards,



  • 2.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-01-2016 09:33

    Welcome to ScreenOS, and sorry you are having so much confusion.

     

    I am also confused by exactly what your setup is.

     

    1 - Are you using ScreenOS in transparent mode or in Layer 3 mode?

    The zone names you are using (V1-) mean the device is configured in transparent mode. This means that there is only one IP address on the SSG and ALL connected devices are in the same broadcast domain. The SSG is a layer 2 device.

    But your lower diagram seems to indicate the SSG may be layer 3, with multiple IP addresses assigned, in a multi-zone layer 3 deployment.

    How we approach your NAT issues will vary depending on whether you are transparent or layer 3.

     

    2 - Definitions of NAT options

    NAT is highly flexible and configurable in ScreenOS, which also means it is complicated. Here is what these objects are and how they are used in NAT. Which option makes the most sense can vary depending on your traffic patterns, available IP address space, whether it is destination or source NAT, and the number of servers involved.

    VIP - Virtual IP address - this is generally used for destination NAT where a single IP address or an interface IP address has different ports forwarded to separate destinations. Other platforms refer to this as port forwarding.

    MIP - Mapped IP address - this cannot be used with an interface address. This connects a single external IP address to a single internal address for all ports AND is bidirectional, for both outbound source NAT and inbound destination NAT. As this is a one-to-one mapping, you cannot share the external address by splitting different ports out to other destinations. Other platforms tend to refer to this as static NAT.

    DIP pool - Dynamic IP pool - this is an object attached to an egress interface that makes IP addresses available for source NAT of traffic crossing that interface. Once created and associated with the interface, these can be used in security policies to perform source NAT.

    Policy destination NAT - on a security policy for inbound traffic you can add an advanced option for destination NAT for any traffic that matches the policy. This is done on the Advanced tab of the policy itself.
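The four NAT objects described in the reply above, written out as ScreenOS CLI. This is an added example for readers of the thread, not configuration posted by either participant and not taken from Juniper documentation. It assumes a Layer 3 (route mode) SSG, since these objects do not exist in transparent mode, and uses constructed addressing: ethernet0/0 in the untrust zone with 203.0.113.2/24 (ISP gateway 203.0.113.1), ethernet0/1 in the trust zone with 10.1.1.1/24, DB servers at 10.1.1.x. Lines beginning with `#` are editorial annotations; ScreenOS itself has no comment syntax, so strip them before pasting.

```screenos
# Constructed layout (assumption, not from the thread):
#   ethernet0/0  zone untrust  203.0.113.2/24   public side, ISP gateway 203.0.113.1
#   ethernet0/1  zone trust    10.1.1.1/24      private side, DB servers 10.1.1.x

# 1) VIP: one public address, different ports forwarded to different internal hosts
#    (port forwarding). The VIP address object is referenced as "VIP(<address>)".
set interface ethernet0/0 vip 203.0.113.10 80 "HTTP" 10.1.1.10
set interface ethernet0/0 vip 203.0.113.10 443 "HTTPS" 10.1.1.11
set policy from untrust to trust any "VIP(203.0.113.10)" "HTTP" permit log
set policy from untrust to trust any "VIP(203.0.113.10)" "HTTPS" permit log

# 2) MIP: one-to-one static NAT, all ports, bidirectional. 203.0.113.11 <-> 10.1.1.11
#    Inbound is matched via "MIP(<address>)"; outbound from 10.1.1.11 is
#    automatically source-translated to 203.0.113.11 by an ordinary outbound policy.
set interface ethernet0/0 mip 203.0.113.11 host 10.1.1.11 netmask 255.255.255.255 vr trust-vr
set address trust "db-srv" 10.1.1.11 255.255.255.255
set policy from untrust to trust any "MIP(203.0.113.11)" "HTTPS" permit log
set policy from trust to untrust "db-srv" any any permit

# 3) DIP pool: source NAT for outbound traffic, addresses drawn from a pool (id 5)
#    that lives on the egress interface and is selected in the policy.
set interface ethernet0/0 dip 5 203.0.113.20 203.0.113.30
set policy from trust to untrust any any any nat src dip-id 5 permit

# 4) Policy-based destination NAT: the translation is part of the policy itself.
#    The original destination must be an address object in the destination zone,
#    and ScreenOS routes on the original destination to pick that zone, so a
#    route for it must point at the trust-side interface.
set address trust "db-pub" 203.0.113.40 255.255.255.255
set service "db-tcp-1433" protocol tcp src-port 0-65535 dst-port 1433-1433
set route 203.0.113.40/32 interface ethernet0/1
set policy from untrust to trust any "db-pub" "db-tcp-1433" nat dst ip 10.1.1.40 permit log
save

# Verification: confirm the objects and watch the translated sessions
get vip
get mip
get dip
get policy
get session
```

Order matters when reading the output of `get policy`: ScreenOS evaluates policies top-down per zone pair, so a broad `any any any permit` placed above the VIP or MIP policies would match first and the `log` you expect on the specific rules would never fire.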



  • 3.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-02-2016 01:49

    First of all, Happy New Year, spuluka!!

     

    To state the conclusion first: after a meeting, I figured out that I should change the network design and the SSG should be in L2 mode, because we have only one network area!

    Please see the changed picture.

     

     

    [attached image: network.PNG]

     

    To recap briefly, the private IP is for connecting the web servers and DB servers,

    and the public IP is for connecting to the Internet above the SSG-320M.

    The gateway is located above the SSG-320M (actually I don't know the exact location, because what is above the SSG belongs to the IDC = another company = the ISP).

    What I really want to know now is how I can connect all the devices shown in the picture.

    The idea I keep thinking of is like this.

     

    1. Configure the VLAN1 IP

    2. Divide the zones: V1-DMZ, V1-Untrust, V1-Trust -> you can see the zones in the picture.

    Up to this point, the devices should be connected to each other -> right?

    3. Enable policies

    [attached image: 다운로드.png]

    That's it.

    This is my idea.

    What do you think?



  • 4.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-02-2016 06:43

    The setup will work as long as you understand that only the public subnet traffic is going through the SSG. The private networks will be separated via the link you indicate and will not touch the SSG.

    Also bear in mind that there is no routing control on the SSG in this mode. You rely on your layer 3 devices to make sure the ONLY path into the public subnet is via the interfaces you set up on the SSG. In this case that will be the v1-untrust interface.

     

    If you setup VLAN interfaces in this subnet on switches this will bypass the firewall rules for any devices that have access to that VLAN interface.



  • 5.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-03-2016 16:48

    You mentioned that VLAN will bypass the F/W's rules.

    Then, no matter how I configure it, the policies are not applied to the traffic?

    In other words, even though I set up the policies, the traffic merely passes through the firewall because I set up the firewall as VLAN (L2 mode)?

    That is,

    The thing I configured (L2 + policies enabled) == The thing I configured (L2 + no policies configured)

    Is it the same thing??

     

    Regards,



  • 6.  RE: SSG-320M, how can I configure Mapping?.. (VIP)
    Best Answer

    Posted 01-03-2016 17:23

    Sorry for the confusion. I am talking about the switch you label L4 on the left side of the diagram. Since this is a source to bring layer 3 traffic in to the private interfaces, I assume this is a layer 3 switch.

    If you set up layer 3 VLAN interfaces on this switch that include the public server subnet, you have a path to bypass the firewall for traffic to these server interfaces.

    You just need to confirm that when you insert the layer 2 firewall into the infrastructure, you are doing so in a way that traffic to these servers must pass through the firewall and does not have an alternate path to bypass your rules.



  • 7.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-03-2016 18:41

    Thank you, expert!

    Actually, I'm supposed to configure the L4 switch to have 2 IPs (private, public).

    Public should pass through the firewall as you mentioned, and private doesn't need to pass through the firewall.

    That is, private should pass to the L2 switch <-- it is just for remote connections.

    Given that, can you explain a bit more to me?

    If you are willing to look at the configuration file, please see the attached text file (config).

    Like the text says, private IP passes through to the L2 switch and public IP passes through to the firewall?

    That is, public should not bypass the L2 switch's route?

    Can I set it up like the text says?

     

    Thank you for your quick reply!^^

     

     

     

     

    cf) I just found that some engineer said the following <--- Is it right?

    1. TP (Transparent) Mode

    The outside and the inside are the same thing (public IP).

    Downtime is really short.

    You can just plug the cable into the F/W, which is also connected to the gateway.

    However, the firewall cannot do the packet filtering that a firewall performs.

    I'm wondering if the bold sentence is correct.




  • 8.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-04-2016 17:58

    I'm not sure what they mean by "the firewall cannot do packet filtering". There is only one IP address, and all the interfaces facing the firewall need to be in the same broadcast domain. The firewall acts like a switch, uses ARP to determine where to forward traffic, and has just a default route out to the untrust zone in your case.

    But as you see in the rules you created, you can assign interfaces to the v1 zones and then create rules that control traffic between those interfaces.



  • 9.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-06-2016 01:00

    Hello spuluka!

     

    Thanks to you, I configured it well.

    Everything is going well!

    But I have a question about configuring the gateway!

    I configured "set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway [GW_IP]"

    The purpose of configuring it like that is to send traffic to the gateway!

    Do you think I configured it correctly?

    [attached image: Question.JPEG]

     

     

    Best regards,



  • 10.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-06-2016 03:02

    This is the correct command to set the gateway. But remember that in this mode the SSG is just a switch. So the only traffic that will use this gateway for a route lookup is traffic generated by the SSG itself. This is only used so that the SSG can be managed remotely and can make NTP, DNS and other network lookups as a switch.

    The SSG IP address is used only for management of the device itself and the device's services.

    The SSG IP address is NOT a default gateway for any device in the subnet. Treat this address as you would the management address of your layer 2 switch on the right side of the diagram.

    The SSG forwards local layer 2 traffic only, via ARP requests.
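The transparent-mode design the thread converges on (v1- zones, one vlan1 address, a default route used only by the SSG itself, policies between the v1 zones, and no alternate layer 3 path around the box), written out as ScreenOS CLI. This is an added example for readers; it is not configuration posted in the thread and not taken from Juniper documentation. Everything about the addressing is constructed: public subnet 203.0.113.0/24 with the ISP gateway at 203.0.113.1 above the SSG, SSG management address 203.0.113.5, DB server public address 203.0.113.10, an admin range 203.0.113.192/26 behind the v1-trust interface, and interfaces ethernet0/0 (ISP side), ethernet0/1 (server switch) and ethernet0/2 (admin side). Lines beginning with `#` are editorial annotations; ScreenOS has no comment syntax, so strip them before pasting.

```screenos
# Constructed addressing (assumption, not from the thread): see lead-in above.

# Bind the physical interfaces to layer 2 (v1-) zones. They carry no IP address.
set interface ethernet0/0 zone v1-untrust
set interface ethernet0/1 zone v1-dmz
set interface ethernet0/2 zone v1-trust

# The only IP on the box is vlan1, used for management and the SSG's own lookups.
# Restrict management to SSH and the SSL WebUI, and to one admin range.
set interface vlan1 ip 203.0.113.5/24
unset interface vlan1 manage telnet
unset interface vlan1 manage web
set interface vlan1 manage ssh
set interface vlan1 manage ssl
set admin manager-ip 203.0.113.192 255.255.255.192

# Default route: consulted only for traffic the SSG generates (management, NTP, DNS).
# Transit traffic is switched by MAC address and never uses this entry.
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 203.0.113.1

# Address book entries live in the zone the host sits behind; one custom service.
set address v1-dmz "db1-pub" 203.0.113.10 255.255.255.255
set address v1-trust "admin-net" 203.0.113.192 255.255.255.192
set service "db-tcp-1433" protocol tcp src-port 0-65535 dst-port 1433-1433

# Policies between the v1 zones. Traffic with no matching policy is dropped.
set policy from v1-untrust to v1-dmz any "db1-pub" "HTTPS" permit log
set policy from v1-trust to v1-dmz "admin-net" "db1-pub" "db-tcp-1433" permit log
set policy from v1-trust to v1-dmz "admin-net" "db1-pub" "SSH" permit log
set policy from v1-dmz to v1-untrust "db1-pub" any "DNS" permit
set policy from v1-dmz to v1-untrust "db1-pub" any "NTP" permit

# Also apply policies to traffic between two interfaces of the same v1 zone.
set zone v1-dmz block
save

# Verification
# - vlan1 is the only interface with an address; the others report their v1- zone
get interface
# - only the 0.0.0.0/0 entry via 203.0.113.1 should be present
get route
get policy
# - MAC learning table: which interface the gateway and each server MAC were seen on
get mac-learn
# - live flows: server traffic must appear here, or it is bypassing the SSG
get session
```

Two checks close the bypass question raised earlier in the thread. First, on the L4 switch, confirm there is no layer 3 VLAN interface (SVI) in 203.0.113.0/24; if one exists, hosts on the private side can reach the servers' public addresses without ever crossing ethernet0/1. Second, from a private-side host, run a traceroute to 203.0.113.10: it should leave via the private side's own default gateway and arrive through the ISP gateway above the SSG, and the connection should then be visible in `get session`. A single-hop path or an empty session table means there is a route around the firewall.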



  • 11.  RE: SSG-320M, how can I configure Mapping?.. (VIP)

    Posted 01-06-2016 21:45

    Thank you so much, expert!

    By the way, please check your email on Gmail!!

    I hope to hear from you soon!