Screen OS


SSG 5 - Allow public IP external access to a LAN server

  • 1.  SSG 5 - Allow public IP external access to a LAN server

    Posted 01-26-2012 08:13

    Hello,

     

    I have an SSG 5 firewall for my company internet connection. I have another (from now on called secondary) office with a static public IP.

    My firewall is configured without any policy restriction and with some VIP services on the ethernet 0/0 untrust zone. In my main connection LAN I have an internal web server.

     

    I need to have access to my web server from computers connected behind the "secondary" office. Could someone please tell me step by step what I have to configure in the firewall?

     

    Any help would be appreciated. Thanks in advance!

     

     



  • 2.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-29-2012 11:10

    I can't follow the connection streams from the text description.  If you can post a diagram or indicate the zones and connection paths we would be better able to help.

     

    For example, what is the secondary office with a static public IP?

    A VPN connection to the SSG

    A router private connection and in what zone

    A public address you want to connect to over the internet

     

    Also, you say "My firewall is configured without any policy restriction". But bear in mind that if there are no policies then the traffic is dropped, not permitted. By default only traffic within the same zone is allowed. Any connection across zones is blocked unless you specifically allow it.



  • 3.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-30-2012 00:17

    Hi! Thanks for answering :)

     

    That public IP is like 80.34.x.y and actually has no configuration in my firewall. It's just a remote address of another internet connection from where I want to have access to my internal internet server behind the firewall.

     

    Sorry for that unclear explanation with the policies. What I mean is that I have two policies (I don't know if they were configured by default or not): one from untrust to trust and the other the inverse, both with all services permitted for any source and destination.

     

    If you need more details, just tell me!



  • 4.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-30-2012 18:38

    You can create a vip that forwards one of your public addresses to the web server.  The basic procedure is in kb4740.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

     

    In your case, you will modify step 13: instead of allowing "any" address on the internet to hit the web server, you create an address object in the untrust zone for your public IP on the remote site. Then use this object instead of "any" for the policy in step 13.

     

    This will secure the access to the server to only your remote site.
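
An added example, not part of the original posts: a small audit that applies the advice above to an exported policy list, flagging permits from the untrust zone whose source, destination or service is still "Any". The sample configuration is constructed, 203.0.113.7 is a placeholder for the remote site's address, and the object name and function names are hypothetical.

```python
import shlex

# Constructed sample in ScreenOS "set policy" syntax (not taken from the thread).
# 203.0.113.7 is a documentation address standing in for the remote site's public IP.
SAMPLE_CONFIG = '''
set address "Untrust" "Remote-Office" 203.0.113.7 255.255.255.255
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "HTTP" permit log
set policy id 4 from "Untrust" to "Trust"  "Remote-Office" "VIP(ethernet0/0)" "HTTP" permit log
'''

FIELDS = ("from", "to", "src", "dst", "svc", "action")

def parse_policies(config):
    """Parse 'set policy id N from Z1 to Z2 SRC DST SVC ACTION' lines."""
    policies = []
    for line in config.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:        # unbalanced quotes: not a line we can judge
            continue
        if (len(tok) < 12 or tok[:3] != ["set", "policy", "id"]
                or not tok[3].isdigit() or tok[4] != "from" or tok[6] != "to"):
            continue
        values = (tok[5], tok[7], tok[8], tok[9], tok[10], tok[11])
        policies.append({"id": int(tok[3]), **dict(zip(FIELDS, values))})
    return policies

def audit_inbound(config, outside="Untrust"):
    """Map policy id -> list of overly broad fields, for permits from `outside`."""
    findings = {}
    for p in parse_policies(config):
        if p["from"] != outside or p["action"] != "permit":
            continue
        issues = [f"{label} is {p[key]}"
                  for key, label in (("src", "source"), ("dst", "destination"), ("svc", "service"))
                  if p[key].lower() == "any"]
        if issues:
            findings[p["id"]] = issues
    return findings

if __name__ == "__main__":
    for pid, issues in audit_inbound(SAMPLE_CONFIG).items():
        print(f"policy {pid}: {', '.join(issues)}")
```

Policy 4 in the sample is the shape the reply describes: the remote site's address object as source, the VIP as destination, and a single service.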



  • 5.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 01:30

    I can't follow these steps since in the VIP menu of this interface I already have some VIP services configured, set with my public IP address. I can't have it cloned there.



  • 6.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 03:26

    To allow access by the public address you would need an address with the right port available.

     

    If your remote site has a VPN-capable firewall then you can set up a VPN tunnel between the two sites and access the server by the private IP address just like the local computers do. The instructions for this are in kb8533; just pick the scenario that matches your operating system and IP assignments.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB8533



  • 7.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 04:32

    Yes, I know it's a similar idea as a VPN and that's the point: I've already configured port 80 forwarding for another IP of my LAN, but I need not only one but more servers to have the same port opened for some remote IP addresses. Some services I need to be working don't allow changing it.

     

    I initially thought that I could get remote access to a LAN server by some other way than configuring VIP services inside my ethernet 0/0 interface.



  • 8.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 05:47

    Do you have any spare public IP addresses? If so what about using a MIP. I have used a MIP in the past with remote desktop s/w.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10923

    If it is remote access you need you can also install some famous remote control s/w and as long as policy allows access you can get in without a public ip.


  • 9.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 06:56

    No. I have only 1 IP address with my main internet connection



  • 10.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 01-31-2012 07:13
    Is it remote access you need so you can remote control the LAN server?


  • 11.  RE: SSG 5 - Allow public IP external access to a LAN server
    Best Answer

    Posted 01-31-2012 15:53

    If you have only one IP address then the HTTP port can only forward to one server. There is no way around this basic limitation.

     

    Your options for getting to this internal web server from the remote site are as follows:

     

    Change the access port from 80 to some other number like 880 and forward this port using VIP. Your users would then need to add that port to the URL to access the server: http://domain.com:880.

     

    Create a site-to-site vpn as noted above and access this on the internal ip address.

     

    Create a dynamic vpn and install software on the client.  Connect using the software from the remote site and access the server by the internal address.  See this example using the open source Shrew Soft package.

     

    http://www.shrew.net/support/wiki/HowtoJuniperSsg



  • 12.  RE: SSG 5 - Allow public IP external access to a LAN server

    Posted 02-01-2012 01:10

    All right! Now I've figured it all out.

    Thank you very much for your support!