ScreenOS Firewalls (NOT SRX)
Visitor
Xavi Informatic
Posts: 6
Registered: 01-26-2012
Accepted Solution

SSG 5 - Allow public IP external access to a LAN server

Hello,

I have an SSG 5 firewall for my company internet connection. I have another office (from now on called "secondary") with a static public IP.

My firewall is configured without any policy restriction and with some VIP services on the ethernet 0/0 untrust zone. In my main connection LAN I have an internal web server.

I need to have access to my web server from computers connected behind the "secondary" office. Could someone please tell me step by step what I have to configure in the firewall?

Any help would be appreciated. Thanks in advance!

Distinguished Expert
spuluka
Posts: 2,232
Registered: 03-30-2009

Re: SSG 5 - Allow public IP external access to a LAN server

I can't follow the connection streams from the text description. If you can post a diagram or indicate the zones and connection paths we would be better able to help.

For example, what is the secondary office with a static public IP?

A VPN connection to the SSG

A router private connection, and in what zone

A public address you want to connect to over the internet

Also you say "My firewall is configured without any policy restriction". But bear in mind that if there are no policies then the traffic is dropped, not permitted. By default only traffic within the same zone is allowed. Any connection across zones is blocked unless you specifically allow it.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
Xavi Informatic
Posts: 6
Registered: 01-26-2012

Re: SSG 5 - Allow public IP external access to a LAN server

Hi! Thanks for answering :smileyhappy:

That public IP is something like 80.34.x.y and actually has no configuration in my firewall. It's just a remote address of another internet connection from where I want to have access to my internal internet server behind the firewall.

Sorry for that unclear explanation with the policies. What I mean is that I have two policies (I don't know if they were configured by default or not): one from untrust to trust and the other the inverse, both with all services permitted for any source and destination.

If you need more details, just tell me!

Distinguished Expert
spuluka
Posts: 2,232
Registered: 03-30-2009

Re: SSG 5 - Allow public IP external access to a LAN server

You can create a VIP that forwards one of your public addresses to the web server. The basic procedure is in KB4740.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

In your case, you will modify step 13: instead of allowing "any" address on the internet to hit the web server, you create an address object in the untrust zone for your public IP on the remote site. Then use this object instead of "any" for the policy in step 13.

This will restrict access to the server to only your remote site.

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
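Steve's VIP-plus-address-object approach, written out as ScreenOS CLI commands. This is an added example; it is not from the original post or from KB4740, and the `#` lines are explanatory comments rather than ScreenOS syntax. The untrust interface name ethernet0/0, the web server's private address 192.168.1.10, the address-object name "secondary-office" and the remote office address 192.0.2.10 (a stand-in for the 80.34.x.y on the page) are all assumed values. The automatically created address-book entry "VIP(ethernet0/0)" for an interface-IP VIP is also my understanding of ScreenOS naming, not something stated in the thread.

```screenos
# Added example, not from the thread or KB4740. Assumed values:
#   ethernet0/0   = untrust interface whose own public IP carries the VIP
#   192.168.1.10  = the internal web server in the trust zone
#   192.0.2.10    = stand-in for the secondary office's static public IP (80.34.x.y on the page)

# 1. Address object in the untrust zone for the remote office; the /32 mask limits it to one host
set address untrust "secondary-office" 192.0.2.10 255.255.255.255

# 2. VIP on the untrust interface: <public IP of ethernet0/0>:80 -> 192.168.1.10:80
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.1.10

# 3a. Weak policy (what step 13 of KB4740 gives with "Any" as the source):
#     every host on the internet can reach the VIP
#     set policy from untrust to trust "Any" "VIP(ethernet0/0)" "HTTP" permit log

# 3b. Restricted policy: only the remote office's address object may reach the VIP
set policy from untrust to trust "secondary-office" "VIP(ethernet0/0)" "HTTP" permit log

save

# Verification: confirm the VIP mapping and the order of untrust-to-trust policies
get interface ethernet0/0 vip
get policy from untrust to trust
```

ScreenOS evaluates policies top-down and stops at the first match, so the restricted policy must sit above any broader untrust-to-trust policy that could also match the VIP (the poster mentions an untrust-to-trust "any/any" policy earlier in the thread). If `get policy from untrust to trust` shows the broad policy first, move the restricted one ahead of it with `set policy move <restricted-id> before <broad-id>`, or remove the broad policy altogether. The `log` keyword on the permit policy gives a per-session record of which remote address actually used the VIP.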
Visitor
Xavi Informatic
Posts: 6
Registered: 01-26-2012

Re: SSG 5 - Allow public IP external access to a LAN server

I can't follow these steps since in the VIP menu of this interface I already have some VIP services configured, set with my public IP address. I can't have it cloned there.

Distinguished Expert
spuluka
Posts: 2,232
Registered: 03-30-2009

Re: SSG 5 - Allow public IP external access to a LAN server

To allow access by the public address you would need an address with the right port available.

If your remote site has a VPN-capable firewall then you can set up a VPN tunnel between the two sites and access the server by the private IP address just like the local computers do. The instructions for this are in KB8533; just pick the scenario that matches your operating system and IP assignments.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB8533

Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
Visitor
Xavi Informatic
Posts: 6
Registered: 01-26-2012

Re: SSG 5 - Allow public IP external access to a LAN server

Yes, I know it's a similar idea as a VPN and that's the point: I've already configured a port 80 forwarding for another IP of my LAN, but I need not only one but more servers to have the same port opened for some remote IP addresses. Some services I need to be working don't allow changing it.

I initially thought that I could get remote access to a LAN server by some other way than configuring VIP services inside my ethernet 0/0 interface.

Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

Re: SSG 5 - Allow public IP external access to a LAN server

Do you have any spare public IP addresses? If so, what about using a MIP? I have used a MIP in the past with remote desktop s/w.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10923

If it is remote access you need, you can also install some well-known remote control s/w, and as long as policy allows access you can get in without a public IP.
Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Visitor
Xavi Informatic
Posts: 6
Registered: 01-26-2012

Re: SSG 5 - Allow public IP external access to a LAN server

No. I have only one IP address with my main internet connection.

Trusted Contributor
Stac Polaidh
Posts: 90
Registered: 01-24-2012

Re: SSG 5 - Allow public IP external access to a LAN server

Is it remote access you need so you can remote control the LAN server?
Pier
Network and telephony support engineer
JNCIA-FWV, CCNP Voice, CCNA
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.