Screen OS


SSG20 - Configuring the Default Gateway

  • 1.  SSG20 - Configuring the Default Gateway

    Posted 01-01-2011 12:06

    Hello all,

     

    I have been running an SSG20 for a few years without any need for reconfiguration, so I am now rusty with Juniper hardware.

     

    We installed a new T1 circuit and I wish to use this as my primary WAN connection and default gateway. Our current WAN connection is on ethernet0/0 and the new connection is on ethernet0/3.

     

    I have ethernet0/3 configured in the untrust zone and listed as a source interface. How do I direct all traffic to use ethernet0/3 instead of ethernet0/0?

     

    I am using the WebUI and would appreciate any guidance on how to accomplish this.

     

     



  • 2.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-01-2011 14:45

    unset route 0.0.0.0/0

    set route 0.0.0.0/0 interface ethernet0/3 gateway <IP of router on new link>

     

    test it and if ok

     

    save



  • 3.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 09:43

    Once this is set up using the CLI, will I be able to continue using the WebUI? It is currently accessed on port 1025 at my IP address. Will this configuration carry over to the new IP address?

     

    The next step is to move all the policies for ethernet0/0 to ethernet0/3. I would have an easier time with the WebUI to accomplish this.



  • 4.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 13:37

    Of course you can use the GUI. Menu Routing => Destination Routing. Delete the old 0.0.0.0, add the new one. And yes, if you change an IP you should connect to the new IP. Policy won't change as long as the new interface is in the same zone as the old one. Policies are from zone to zone, not int to int!!



  • 5.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 14:12

     


    @Screenie wrote:

    Policy won't change as long as the new interface is in the same zone as the old one. Policies are from zone to zone, not int to int!!


    He might have address objects defined in the zones that will need to be updated.

     

     

    creativealliancegroup, the CLI might actually be easier, depending on how much needs to be migrated.  You could post your existing config and your desired changes, and we could take a quick look and suggest some CLI tricks that might save you a lot of time.

     

    I usually find the CLI to be much faster for bulk changes or migrations, because with a few "stupid unix tricks" or some text-editor-fu, you can make changes across the whole config quickly and easily.

     
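The "text-editor-fu" approach above, as an added example that is not part of this thread: a Python script that reads a ScreenOS config and emits the CLI commands needed to move VIP services, the policies that reference them, and the default route from one Untrust interface to another. The sample config, interface names, addresses and the `migrate_interface` helper are constructed for the demo; this is not the poster's attached config. The script only generates commands, it applies nothing.

```python
import re

# Constructed ScreenOS config excerpt for the demo (not the poster's attached config).
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface ethernet0/0 ip 198.51.100.2/30
set interface ethernet0/3 ip 203.0.113.2/30
set interface ethernet0/0 vip interface-ip 80 "HTTP" 10.0.0.10
set interface ethernet0/0 vip interface-ip 21 "FTP" 10.0.0.11
set policy id 4 from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "HTTP" permit log
set policy id 4
set service "FTP"
exit
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1 preference 20
"""

VIP_RE = re.compile(r'^set interface (\S+) vip interface-ip (\d+) "([^"]+)" (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "VIP\(([^)]+)\)" (.*)$')
POLICY_EDIT_RE = re.compile(r'^set policy id (\d+)$')
SERVICE_RE = re.compile(r'^set service "([^"]+)"$')


def parse_config(config):
    """Pull VIP definitions, VIP-based policies and each policy's extra
    services (from its 'set policy id N ... exit' edit block) out of the text."""
    vips, policies, extra = [], [], {}
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := VIP_RE.match(line):
            vips.append(m.groups())
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())
        elif m := POLICY_EDIT_RE.match(line):
            # Multi-service policies carry their additional services in an edit block.
            i += 1
            while i < len(lines) and lines[i] != "exit":
                if sm := SERVICE_RE.match(lines[i]):
                    extra.setdefault(m.group(1), []).append(sm.group(1))
                i += 1
        i += 1
    return vips, policies, extra


def migrate_interface(config, old, new, new_gateway, retire_old=True):
    """Return the CLI commands that move VIPs, VIP policies and the default
    route from interface `old` to `new`. Nothing is applied; the caller reviews
    the list and pastes it into the CLI."""
    vips, policies, extra = parse_config(config)
    cmds = []
    # 1. Recreate every VIP of the old interface on the new one.
    for iface, port, svc, host in vips:
        if iface == old:
            cmds.append(f'set interface {new} vip interface-ip {port} "{svc}" {host}')
    # 2. Rebuild policies whose destination is VIP(old); the policy ID is kept.
    for pid, fz, tz, src, vip_iface, rest in policies:
        if vip_iface != old:
            continue
        cmds.append(f"unset policy id {pid}")
        cmds.append(f'set policy id {pid} from "{fz}" to "{tz}" "{src}" "VIP({new})" {rest}')
        if extra.get(pid):
            cmds.append(f"set policy id {pid}")
            cmds.extend(f'set service "{s}"' for s in extra[pid])
            cmds.append("exit")
    # 3. Replace the default route inside the trust-vr context.
    cmds += ['set vrouter "trust-vr"', "unset route 0.0.0.0/0",
             f"set route 0.0.0.0/0 interface {new} gateway {new_gateway}", "exit"]
    # 4. Optionally retire the old interface so nothing keeps using it.
    if retire_old:
        cmds += [f"unset interface {old} ip", f"unset interface {old} zone"]
    return cmds


if __name__ == "__main__":
    for cmd in migrate_interface(SAMPLE_CONFIG, "ethernet0/0", "ethernet0/3", "203.0.113.1"):
        print(cmd)
```

Policy IDs are preserved on purpose so that log references and any documentation keyed on the ID stay valid; the `unset`/`set` pair is the ScreenOS way to change a policy's destination, since the destination cannot be edited in place.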



  • 6.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 19:18

    I have ethernet0/0 and ethernet0/3 both in the Untrust Zone. What confused me is that my policies are set up with Any as the source and VIP ethernet0/0 as the destination. I can't recall why I did that.

     

    My documentation seems to be related to the WebUI, so this is what I've been most familiar with using. I don't have many policies so I didn't think I would need the speed of CLI commands to get them set up again.

     

    Would anyone mind if I paste the entire Config File here for more detail?



  • 7.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 19:30

    You can attach your config as a text file attachment to your post.  You will probably want to sanitize it and remove anything you or your company might consider sensitive, such as admin account names, passwords, etc.  Some people choose to hide their public and private IP address space, but that can make reading the policies and address objects difficult.

     



  • 8.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-02-2011 21:06

    Here is the sanitized configuration. Ethernet0/3 is meant to replace ethernet0/0 as the default gateway. I am not certain how to complete the configuration.

    Attachment: config.txt (8 KB)


  • 9.  RE: SSG20 - Configuring the Default Gateway
    Best Answer

    Posted 01-03-2011 15:15

    Ok, if you want ethernet 0/3 to completely replace ethernet 0/0 (as in, eth 0/0 is going away...), this list of commands should do the trick.  You'll need to put in the appropriate IP addresses.

     

    First, you'll need to set up your VIP services on your new interface:

     

    set interface ethernet0/3 vip interface-ip 80 "HTTP" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 8151 "Camera - Front Desk" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 1419 "Timbuktoo" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 5003 "FileMaker" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 21 "FTP" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 548 "Apple Filing Protocol" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 8150 "Camera - Elevator" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 8152 "Camera - Back Office" xxx.yyy.zzz.aaa
    set interface ethernet0/3 vip interface-ip 8008 "iCal" xxx.yyy.zzz.aaa

    I'm not sure why you're doing the source routing, it looks like you're throwing away packets coming into your network (routing through interface null).  You can probably do whatever you're trying to do there with a security policy, and I'd get rid of the source routing:

     

    set vrouter "trust-vr"
    unset route source in-interface ethernet0/0 0.0.0.0/0
    unset route source in-interface ethernet0/3 0.0.0.0/0
    exit

    And you'll also want to remove the default route going out eth0/0, and probably clean up how the correct default route is defined:

     

    set vrouter "trust-vr"
    unset route 0.0.0.0/0
    set route 0.0.0.0/0 gateway xxx.yyy.zzz.aaa
    exit

    xxx.yyy.zzz.aaa should be the next-hop of your new default route (which goes out via ethernet0/3).

     

    There's no real need to specify interface or preference unless you have a specific need, and from looking at your config it doesn't appear that you'd need it.

     

    You have ethernet0/3 set to "nat" mode, but I don't see any NAT policies configured, you probably want to set it to "route" mode unless you will be doing source NAT through this interface (in which case you'll need to configure all the policies to do that):

     

    set interface ethernet0/3 route

    Then you'll want to fix policy ID 4 to use your new VIP.  Since we're already in the CLI, we can do it here:

     

    unset policy id 4
    
    set policy id 4 from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/3)" "Apple Filing Protocol" permit log 
    set policy id 4 anti-spam ns-profile
    set policy id 4
    set service "Camera - Back Office"
    set service "Camera - Elevator"
    set service "Camera - Front Desk"
    set service "FileMaker"
    set service "FTP"
    set service "HTTP"
    set service "HTTP-EXT"
    set service "IMAP"
    set service "SMTP"
    set service "Timbuktoo"
    set service "VNC"
    set log session-init
    exit

     Finally, you can take ethernet0/0 out completely:

     

    unset interface ethernet0/0 ip
    
    unset interface ethernet0/0 zone

    Just a note that you may want to consider...  you may not want to have services like telnet and unencrypted http open on your untrust interface.  I see you currently have the following:

     

    set interface ethernet0/3 manage ping
    set interface ethernet0/3 manage ssh
    set interface ethernet0/3 manage telnet
    set interface ethernet0/3 manage snmp
    set interface ethernet0/3 manage ssl
    set interface ethernet0/3 manage web

    I would recommend you take telnet and web out, at a minimum, and manage the device via ssl / https, and SSH if you must manage it from your Untrust zone.  The better option, of course, is to not manage the device from the Untrust interface.

     

    These changes *should* get you to where you've described you want to be.  You can copy/paste them into a text editor and put in the IP addresses, etc., and then just copy/paste them into the CLI to make the changes.  Maybe some of the other members can read through my changes and make sure I haven't been hitting the cold medicine too hard, but I don't think I've missed anything and I don't think anything will break.  However, backup your config before you make any changes!!!!   That way, if it blows up, you can revert your config back to the saved copy.
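The management-service check in the post above, as an added example that is not from this thread: a script that maps each interface to its zone from the config's `set interface ... zone` lines, flags `manage` services enabled on interfaces in an untrusted zone, and emits the matching `unset` commands. The sample config and the `audit_management`/`remediation` helpers are constructed for the demo, not taken from the poster's attachment.

```python
import re

# Constructed ScreenOS excerpt for the demo (not the poster's attached config).
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/3 manage ping
set interface ethernet0/3 manage ssh
set interface ethernet0/3 manage telnet
set interface ethernet0/3 manage snmp
set interface ethernet0/3 manage ssl
set interface ethernet0/3 manage web
set interface bgroup0 manage web
set interface bgroup0 manage telnet
"""

ZONE_RE = re.compile(r'^set interface "?([^"\s]+)"? zone "([^"]+)"$')
MANAGE_RE = re.compile(r'^set interface "?([^"\s]+)"? manage (\S+)$')

# Severity by service when the interface sits in an untrusted zone:
# cleartext credentials (telnet, web) are the worst; SNMP is community-string
# authenticated unless v3 is in use; the rest only matter under strict review.
SEVERITY = {"telnet": "high", "web": "high", "snmp": "medium"}


def interface_zones(config):
    """Map interface name -> zone from the config's zone assignments."""
    zones = {}
    for raw in config.splitlines():
        if m := ZONE_RE.match(raw.strip()):
            zones[m.group(1)] = m.group(2)
    return zones


def audit_management(config, untrusted_zones=("Untrust",), strict=False):
    """Return (interface, service, severity) for every management service
    enabled on an interface in an untrusted zone. With strict=True every
    such service is reported (severity 'low' for ssh/ssl/ping), reflecting
    the stance that the device should not be managed from Untrust at all."""
    zones = interface_zones(config)
    findings = []
    for raw in config.splitlines():
        m = MANAGE_RE.match(raw.strip())
        if not m:
            continue
        iface, svc = m.groups()
        if zones.get(iface) not in untrusted_zones:
            continue
        sev = SEVERITY.get(svc)
        if sev is None and not strict:
            continue
        findings.append((iface, svc, sev or "low"))
    return findings


def remediation(findings):
    """CLI commands that switch off the flagged services. Low findings are
    left to a human decision, since ssh/ssl may be the only remote path in."""
    return [f"unset interface {iface} manage {svc}"
            for iface, svc, sev in findings if sev != "low"]


if __name__ == "__main__":
    found = audit_management(SAMPLE_CONFIG)
    for iface, svc, sev in found:
        print(f"{sev:6} {iface} manage {svc}")
    print("\n".join(remediation(found)))
```

Run against the sample, the default audit reports telnet, snmp and web on ethernet0/3 and ignores the same services on bgroup0 because that interface is in Trust; `strict=True` adds ping, ssh and ssl as low findings without changing the remediation list.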



  • 10.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-04-2011 06:29

    Thank you for taking the time to provide such detailed assistance.

     

    I am not even certain why I have the source routing set up. Again, it's been a while since I've done any reconfiguration with the firewall, and I was new to Juniper hardware when I started. Sorry for the confusing configuration!

     

    The services and NAT mode were set up on ethernet0/3 since I never completed the configuration until I got some help here. They will be removed and the interface does not need to be in NAT mode.

     

    I should get more familiar with the CLI since it is far more efficient than the WebUI. I have been using the "SSG 20 Hardware Installation and Configuration Guide". Is there anything more in-depth that I should be reading up on?

     

    My backup config is ready in case of disaster. I will report back later when I put these changes into play.



  • 11.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-04-2011 11:28

    I would suggest you take a look through the "Concepts & Examples" and the "CLI Reference Guide."

     

    Assuming you're using ScreenOS 6.2, you can find them here.

     



  • 12.  RE: SSG20 - Configuring the Default Gateway

    Posted 01-04-2011 12:35

    From your assistance I learned a few more CLI commands, which are likely going to be the only ones I will need in the future. Thanks for the documentation; I will certainly be using it as I plan to set up a backup interface next.