Screen OS

  • 1.  SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-28-2010 07:57

    Hey guys, I have a client that currently has a BSD-based firewall (whitebox) protecting their network. It has started to act up, so they wanted to replace it with a major-brand appliance, and I went with the Juniper SSG-5-SH.

    All of the workstations/servers use real-world public IPs. For argument's sake we'll say 1.1.1.10-1.1.1.90. They are on a T1 line. The current firewall just runs transparently and blocks most everything from getting in except for the standard ports (SSL, HTTP, SMTP, blah blah). We can't change it back to NAT for now, so it has to stay this way.

    I've done plenty of NAT networks and that's no problem. But setting this Juniper up transparently and correctly mapping the eth0/0 and 0/2 interfaces to the correct VLANs and trust-vr / untrust-vr is just taking me a bit longer than normal to wrap my head around.

    So far the only thing I've done with the Juniper is get it set into pure L2 mode (transparent), and I have an IP assigned to VLAN1 so that I can manage it via the WebUI (I am also using the console in case I screw up the WebUI).

    My end goal is to have the Juniper do exactly what the BSD firewall did and just allow certain traffic in, while allowing everything out. Internet comes in at eth0/0 and internal on eth0/2. Can you guys point me in the right direction for how to continue setting this up?


    I'm also looking to have this function as a VPN endpoint, offloading that work from the domain controller. Any direction there would also be appreciated.
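    A worked ScreenOS CLI configuration for the setup described in the post above (transparent mode, public addresses on both sides, everything permitted outbound, only a short list of services permitted inbound), added here as an illustration. It is not from the original thread, from Juniper's guide, or from the poster's own box. The management address 1.1.1.5, the upstream router 1.1.1.1, the server addresses 1.1.1.10 and 1.1.1.20, the admin workstation 1.1.1.50 and the object names in quotes are constructed values; lines beginning with `#` are annotations, not CLI commands.

```screenos
# --- Transparent (L2) mode: the physical ports join the v1-* zones,
#     not routed zones, so no IP addresses go on ethernet0/0 or 0/2 ---
set interface ethernet0/0 zone v1-untrust
set interface ethernet0/2 zone v1-trust

# --- Management address lives on vlan1 (assumed 1.1.1.5, gateway 1.1.1.1) ---
set interface vlan1 ip 1.1.1.5/24
set route 0.0.0.0/0 interface vlan1 gateway 1.1.1.1

# --- Management hardening: since vlan1 carries a public address, allow only
#     encrypted management, and only from one assumed admin host ---
set interface vlan1 manage ssl
set interface vlan1 manage ssh
set interface vlan1 manage ping
unset interface vlan1 manage web
unset interface vlan1 manage telnet
set admin manager-ip 1.1.1.50 255.255.255.255

# --- Address-book entries for the hosts that must be reachable from outside ---
set address v1-trust "web-srv" 1.1.1.10 255.255.255.255
set address v1-trust "mail-srv" 1.1.1.20 255.255.255.255

# --- Service group covering the inbound web ports the old firewall allowed ---
set group service "inbound-web" add HTTP
set group service "inbound-web" add HTTPS

# --- Policies. ScreenOS drops traffic that matches no policy, so only the
#     services listed here can reach the trusted side. ---
set policy from v1-trust to v1-untrust any any ANY permit
set policy from v1-untrust to v1-trust any "web-srv" "inbound-web" permit log
set policy from v1-untrust to v1-trust any "mail-srv" SMTP permit log
# Explicit last-match deny with logging so rejected inbound attempts show up
# in the traffic log instead of being dropped silently
set policy from v1-untrust to v1-trust any any ANY deny log

save
```

    Policies are evaluated top-down within a zone pair, so the logged deny must stay last; `get policy` shows the resulting order and IDs, and `get interface` confirms that ethernet0/0 and ethernet0/2 landed in the v1-* zones rather than a routed zone. The `manager-ip` line is the important one on a publicly addressed management interface: without it, any host that can reach 1.1.1.5 is offered the login prompt.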



  • 2.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help
    Best Answer

    Posted 03-28-2010 12:47

    There are examples with sample configurations for both of your scenarios.


    Concepts & Examples


    For the straight transparent mode deploy, you will need Volume 2, Fundamentals, of the Concepts & Examples Guide. The scenario is outlined starting on page 92.


    The VPN scenarios are covered in Volume 5, VPN, of Concepts & Examples. The transparent mode VPN example is found starting on page 163.



  • 3.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-28-2010 18:31

    Thanks! I'll look into those resources.



  • 4.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-29-2010 18:06

    The first part about transparent mode looks good and I'll put it into use tomorrow, thanks!


    Reading through the transparent mode VPN left me with a few questions. I want to set this up as an endpoint where users can dial into it, not an endpoint from another VPN router. Basically I want to replace the PPTP server functionality of Windows Server 2003 with this. Does that work in transparent mode?



  • 5.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-30-2010 05:10

    Sorry, I don't use the dial-in VPN feature at all, so I'm not familiar with the requirements on the setup.



  • 6.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-30-2010 05:30

    Maybe dial-in is the wrong terminology. I want to duplicate the functions of a Server 2003 PPTP setup on this firewall while in transparent mode.



  • 7.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-30-2010 07:36

    There are various terms used. But what you are looking for is client-to-firewall VPN, and I was referring to site-to-site VPN.


    You may want to pose that as a separate question on how to set up the client or dial-in VPN in a transparent environment. There are a lot of people here using the NetScreen-Remote connections. I'm just not one of them.


    We are replacing MS PPTP with SSL-VPN.



  • 8.  RE: SSG-5-SH replacing BSD firewall, transparent mode setup help

    Posted 03-30-2010 10:43

    Thanks!