Screen OS


SSG 5 with no Internet

  • 1.  SSG 5 with no Internet

    Posted 07-10-2009 12:18
    I am at a stopping point!! The SSG 5 is in a trusted internal infrastructure. LAN on 0/0, WAN on 0/1, both set to any any permit. OSPF enabled. Set my DNS, LAN and WAN addresses. I can see the LAN.... but I cannot get out to the Internet. Any ideas?


  • 2.  RE: SSG 5 with no Internet

    Posted 07-10-2009 12:24
    You could post your config - Is your 0/0 in trust and 0/1 in untrust? Is 0/0 set to NAT?


  • 3.  RE: SSG 5 with no Internet

    Posted 07-10-2009 12:27

    They are both on route

     



  • 4.  RE: SSG 5 with no Internet

    Posted 07-10-2009 12:37

    then you need to make sure that you enable nat on the policy from trust to internet side.

     

    edit the policy -> go to advanced -> there should be a box you need to select or nat to egress interface ip near the top of the page



  • 5.  RE: SSG 5 with no Internet

    Posted 07-10-2009 12:58
    Yes this is enabled.  I am having to go between the SSG and another computer to check. 


  • 6.  RE: SSG 5 with no Internet

    Posted 07-10-2009 13:03

    I think it will probably be easier for you to just post the entire conf for us to take a look. It could be you have no route, could be the dns policy has no nat etc.

     

    *** Go to the webUI, configuration -> update -> configuration file -> click the Save to File. Then post the file that you copied, because that's the configuration.

     

    Please check:

     

    (1) Did you check that your PC has dns by trying to do nslookup on PC?

    (2)Can you try to ping 4.2.2.2 from PC and see if that works and let us know?

     

    (3) Forgot to say as well. Is the PC able to ping the gateway (which I assume is the firewall).

    (4) You can also turn on access to the firewall via telnet or ssh or http so you don't need to walk around to access it 🙂

    Message Edited by WL on 07-10-2009 01:09 PM
    Message Edited by WL on 07-10-2009 01:10 PM


  • 7.  RE: SSG 5 with no Internet

    Posted 07-10-2009 13:37
    since ping to 4.2.2.2 timed out, either you don't have a policy allowing ping to exit the firewall OR the nat on the policy is not correctly done, so the traffic is not being natted out to the internet.


  • 8.  RE: SSG 5 with no Internet

    Posted 07-10-2009 14:00
    Here it is... rookie1 boot camp.
     

    set clock timezone -6
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set protocol ospf
    set enable
    set advertise-def-route metric 1 metric-type 1
    set area 0.0.0.xx
    exit
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "xxxxxxx"
    set admin password "nBI6IKroPAbDcz0EyslIYRMtJ/L2pn"
    set admin auth web timeout 0
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    unset zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "serial0/0" zone "Untrust"
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "Untrust"
    set interface "bgroup0" zone "Null"
    unset interface vlan1 ip
    set interface ethernet0/0 ip xxx.xx.xx.x/xx
    set interface ethernet0/0 route
    set interface ethernet0/1 ip xxx.xx.x.xxx/xx
    set interface ethernet0/1 nat
    set interface ethernet0/0 mtu 1500
    set interface ethernet0/1 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/1 manage ping
    set interface ethernet0/1 manage ssh
    set interface ethernet0/1 manage telnet
    set interface ethernet0/1 manage snmp
    set interface ethernet0/1 manage ssl
    set interface ethernet0/1 manage web
    set interface ethernet0/0 dhcp server service
    set interface ethernet0/0 dhcp server enable
    set interface ethernet0/0 dhcp server option lease 1440000
    set interface ethernet0/0 dhcp server option gateway xxx.xx.xx.x
    set interface ethernet0/0 dhcp server option netmask xxx.xxx.xxx.x
    set interface ethernet0/0 dhcp server option dns1 xxx.xx.x.xx
    set interface ethernet0/0 dhcp server ip xxx.xx.xx.xxx to xxx.xx.xx.xxx
    unset interface ethernet0/0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem settings "mod1" init "AT&F"
    set interface "serial0/0" modem isp "isp_juniper" priority 1
    set interface "serial0/0" modem isp "isp_juniper" primary-number "1234567"
    set interface "serial0/0" modem isp "isp_juniper" account login "juniper" password "IrpwGZOcNayS0isVQIC0s7PNpvnfkC8Iag=="
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 20
    set interface "serial0/0" modem dial-in enable
    set flow tcp-mss
    unset flow no-tcp-seq-checkA
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 xxx.xx.x.xx src-interface ethernet0/0
    set dns host dns2 xxx.xx.x.xx src-interface ethernet0/0
    set dns host dns3 0.0.0.0
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
    set policy id 1
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface serial0/0
    exit
    set interface ethernet0/0 protocol ospf area 0.0.0.xx
    set interface ethernet0/0 protocol ospf passive
    set interface ethernet0/0 protocol ospf enable
    set interface ethernet0/0 protocol ospf retransmit-interval 5
    set interface ethernet0/0 protocol ospf cost 10
    set interface ethernet0/1 protocol ospf area 0.0.0.xx
    set interface ethernet0/1 protocol ospf enable
    set interface ethernet0/1 protocol ospf retransmit-interval 5
    set interface ethernet0/1 protocol ospf cost 10
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 9.  RE: SSG 5 with no Internet

    Posted 07-10-2009 14:13

    I guess you are using the eth0/1 as untrust and you are running ospf. Can you ping the next hop from the firewall?

     

    Try to ping next hop and see if the ospf adjacency is up. Also if the ospf routes are being populated.

     

    get vr trust proto ospf neigh

    get route



  • 10.  RE: SSG 5 with no Internet

    Posted 07-10-2009 14:20
    I/F Eth0/1 is your egress point - curious as to why your default route goes to the serial I/F.


  • 11.  RE: SSG 5 with no Internet

    Posted 07-13-2009 07:28
    Unable to ping the WAN. I can ping the gateway and other LAN addresses.


  • 12.  RE: SSG 5 with no Internet
    Best Answer

    Posted 07-13-2009 13:25

    Just to clarify, you want access for the internet  to go out of eth0/1 for now right? eth0/1 is the ethernet interface NOT WAN by the way though...

     

    Can you put in the next hop for the eth0/1 interface first. Once you get that working then can figure out what is wrong with the WAN.

     

    delete route 0.0.0.0/0

    set route 0.0.0.0/0 int eth0/1 gate <gateway IP>

     

     

    Message Edited by WL on 07-13-2009 01:53 PM


  • 13.  RE: SSG 5 with no Internet

    Posted 07-13-2009 14:37

    Way to go Muttbarker and WL: well, there were a few issues. The reason I could not connect to the Internet: the default address needed to point to 0/1 and add the gateway. Also route and nat settings on 0/0 and 0/1.

     

    -FIXED-

     

    From WL: see previous reply.

     

    From muttbarker:

    Ok - one thing jumps right out at me. I am assuming that eth0/1 is your Inet G/W. That needs to be set to route. Set your eth0/0 I/F which is your internal private network to NAT. You have that backwards

     

    Also there is no default route that will get anywhere. Your default route is pointing to the serial I/F. It should be set to point to a next-hop of Gateway - I/F eth0/1 and the IP of your next device. Following is a simple config from one of my internal test F/W -

     

    Thank you both - until we meet again.
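The three problems the thread settles on (a default route pointing at the serial interface with no next-hop gateway, NAT and route modes swapped between the Trust and Untrust interfaces, and the nat-src policy then having nothing usable to send traffic through) are the kind of mistake a quick lint over a saved "get config" dump catches before anyone walks to the console. The script below is an added example, not code from this thread or from Juniper: it parses the `set interface ... zone|nat|route|manage` and `set route 0.0.0.0/0` lines in the form message 8 posted them, reports each finding, and as a defender's extra check also flags cleartext management (telnet, web, snmp) enabled on the Untrust-zone interface, which the posted config has. The two embedded configs are constructed from the posted one with the masked addresses replaced by RFC 5737 documentation addresses; the expected egress interface name (`ethernet0/1` here) is passed in as an assumption about the site.

```python
"""Lint a ScreenOS config dump for the routing/NAT mistakes discussed in this thread.

Added example, not code from the thread or from Juniper. Assumes the default
route should leave via one Ethernet interface in the Untrust zone (passed in as
`egress`) and that interface lines use the 'set interface ... zone|nat|route|manage'
form seen in the posted config.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the config in message 8 (addresses are RFC 5737
# documentation addresses, not the poster's real ones).
BROKEN_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface "serial0/0" zone "Untrust"
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/0 ip 192.0.2.1/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 198.51.100.10/24
set interface ethernet0/1 nat
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage web
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface serial0/0
exit
"""

# Constructed: the same site after applying the thread's fix (default route via
# ethernet0/1 with a next hop, modes swapped back, cleartext management dropped).
FIXED_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface ethernet0/0 ip 192.0.2.1/24
set interface ethernet0/0 nat
set interface ethernet0/1 ip 198.51.100.10/24
set interface ethernet0/1 route
set interface ethernet0/1 manage ssh
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" nat src permit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1
exit
"""

ZONE_RE = re.compile(r'^set interface "?([\w/.-]+)"? zone "([^"]+)"')
MODE_RE = re.compile(r'^set interface ([\w/.-]+) (nat|route)$')
MANAGE_RE = re.compile(r'^set interface ([\w/.-]+) manage (\w+)$')
# 'gate' is accepted as the abbreviation the thread used; the full keyword is 'gateway'.
DEFAULT_ROUTE_RE = re.compile(
    r'^set route 0\.0\.0\.0/0 interface ([\w/.-]+)(?: gate\w* ([\d.]+))?')
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}


def parse(config: str) -> dict:
    """Collect interface zones, NAT/route modes, management services and the default route."""
    zones: Dict[str, str] = {}
    modes: Dict[str, str] = {}
    manage: Dict[str, Set[str]] = {}
    default_route: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1)] = m.group(2)
        elif m := MODE_RE.match(line):
            modes[m.group(1)] = m.group(2)
        elif m := MANAGE_RE.match(line):
            manage.setdefault(m.group(1), set()).add(m.group(2))
        elif m := DEFAULT_ROUTE_RE.match(line):
            default_route = {"interface": m.group(1), "gateway": m.group(2)}
    return {"zones": zones, "modes": modes, "manage": manage, "default_route": default_route}


def lint(config: str, egress: str) -> List[str]:
    """Return one finding per problem; an empty list means the config passes."""
    cfg = parse(config)
    findings: List[str] = []
    dr = cfg["default_route"]
    if dr is None:
        findings.append("no default route: Internet-bound traffic has nowhere to go")
    else:
        if dr["interface"] != egress:
            findings.append(f"default route points at {dr['interface']}, not the egress interface {egress}")
        if dr["gateway"] is None:
            findings.append("default route has no next-hop gateway")
    for ifname, zone in cfg["zones"].items():
        mode = cfg["modes"].get(ifname)
        if zone == "Untrust" and mode == "nat":
            findings.append(f"{ifname} is in Untrust but in NAT mode; the Internet-facing interface should be in route mode")
        if zone == "Trust" and mode == "route":
            findings.append(f"{ifname} is in Trust but in route mode; the thread's advice is NAT mode for the private side")
        exposed = cfg["manage"].get(ifname, set()) & CLEARTEXT_MGMT
        if zone == "Untrust" and exposed:
            findings.append(f"cleartext management ({', '.join(sorted(exposed))}) enabled on Untrust interface {ifname}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint(cfg, egress='ethernet0/1') or ['no findings']}")
```

Running it prints five findings for the posted layout and none for the corrected one. The egress interface is deliberately an input rather than inferred, because the posted config has two interfaces in the Untrust zone (the serial modem and ethernet0/1) and only the site operator knows which one the Internet actually sits behind; that ambiguity is exactly what sent the default route to serial0/0 in the first place.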



  • 14.  RE: SSG 5 with no Internet

    Posted 07-13-2009 15:39
    Glad to help - welcome to the world of Juniper firewalls and this great forum!