ScreenOS Firewalls (NOT SRX)
Titan (Visitor, 5 posts, registered 12-22-2008)

SSG320M Multiple VLAN

Hello All,

I am in need of some help with a Juniper SSG320M.

I need to have the following Setup working.

Untrust[VLAN 100,101,102 etc] -- FIREWALL -- Trust[VLAN 500,501,502 etc]

Example: CUSTOMER A owns Public Range VLAN 100 and is assigned a Private Range on VLAN 500

This is the same config that is going to be applied to all Customers.

I am able to set up the Untrust and Trust side to accept Pings for VLANs on Public IPs and for VLANs on Private IPs.

The Problems I have:

1.) I cannot get internet access from Private VLANs. They need to be NAT'd to the Public Range they own.
2.) All Private VLANs can ping each other. I do not want that.


As I am not a Juniper Specialist your Help is much Appreciated.

If you need any more info let me know.

Thank You...
shashlik (Super Contributor, 70 posts, registered 02-20-2008)

Re: SSG320M Multiple VLAN

To answer your question...

1) It's possible that traffic is being NATed to the wrong VLAN, but you'll need to debug to see exactly why.

2) Traffic between trust zone interfaces is allowed by default. To change this behavior, "set zone trust block".

Do you have only two zones defined -- trust and untrust?

Depending on how many customers you have, it may be possible to create a custom untrust/trust zone for each of your customers.

i.e., for customer1:

set zone name Customer1-Untrust
set zone name Customer1-Trust
set int eth1.1 tag 100 zone Customer1-Untrust
set int eth2.1 tag 500 zone Customer1-Trust
set policy from Customer1-Trust to Customer1-Untrust any any any nat src permit

This way, you'll have more granular control.

Titan (Visitor, 5 posts, registered 12-22-2008)

Re: SSG320M Multiple VLAN

Thanks for the reply...

1.) I am guessing that is the issue here... I will need to investigate how to debug... Any pointers?

2.) Thanks, that worked.

I liked your idea of creating a zone for each customer; my config is below:

set zone id 100 "CompanyB-Untrust"
set zone id 101 "CompanyB-Trust"
set zone "CompanyB-Untrust" tcp-rst
set zone "CompanyB-Trust" tcp-rst
set interface "ethernet0/0.1" tag 900 zone "CompanyB-Trust"
set interface "ethernet0/2.2" tag 209 zone "CompanyB-Untrust"
set interface ethernet0/0.1 ip <internal Company B>/24
set interface ethernet0/0.1 nat
set interface ethernet0/2.2 ip <external Company B>/29
set interface ethernet0/2.2 route
set interface ethernet0/2.2 ip manageable
set interface ethernet0/2.2 manage ping
set interface ethernet0/2.2 manage web
set policy id 17 from "CompanyB-Trust" to "CompanyB-Untrust" "Any" "Any" "ANY" nat src permit log
set route 0.0.0.0/0 interface ethernet0/2.2 gateway <Company B Gateway>

 

I have a port forward set up for RDP and that works fine and I can connect to a PC on the inside.

Now I cannot ping the external interface from outside. I can however log on to the WebUI from outside.

There is nothing in the logs for the policy log I enabled on policy 17.

I still do not have internet access on inside PCs.

Any ideas?

Message Edited by Titan on 12-22-2008 12:30 PM
shashlik (Super Contributor, 70 posts, registered 02-20-2008)

Re: SSG320M Multiple VLAN

"set int eth0/2.2 manage ping" to allow the external interface to be pingable.

 

To troubleshoot the internal not getting to the internet:

set dbuf size 4096
debug flow basic
set ff src-ip <Internal-IP> dst-ip <External-IP> ip-proto 1
set ff src-ip <External-IP> dst-ip <External company B IP> ip-proto 1
snoop
snoop filter ip src-ip <Internal-IP> dst-ip <External-IP> ip-proto 1
snoop filter ip src-ip <External company B IP> dst-ip <External-IP> ip-proto 1
snoop filter ip src-ip <External-IP> dst-ip <External company B IP> ip-proto 1
snoop filter ip src-ip <External-IP> dst-ip <Internal-IP> ip-proto 1
clear db

*** ping from Internal-IP to External-IP ***

snoop off
undebug all
get db stream

The above debug should give us a fairly good idea of the problem.

regards,

Titan (Visitor, 5 posts, registered 12-22-2008)

Re: SSG320M Multiple VLAN

Thanks for the quick reply...

I have pasted the output below... I have removed the external IP and replaced it with *.*.*.161... It looks like it is not choosing the correct default gateway for that specific range for Company B... It should be ***.*.***.20 as *.*.*.161 is the gateway for Company A...

11146.0: ethernet0/0(i) len=78:00b0d038c1dc->001db5034480/8100/0800, tag 900
              10.10.1.100 -> 208.67.222.222/1
              vhl=45, tos=00, id=16069, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

****** 11146.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ipid = 16069(3ec5), @04de5ae8
  packet passed sanity check.
  ethernet0/0.1:10.10.1.100/29696->208.67.222.222/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0.1>, out <N/A>
  chose interface ethernet0/0.1 as incoming nat if.
  flow_first_routing: in <ethernet0/0.1>, out <N/A>
  search route to (ethernet0/0.1, 10.10.1.100->208.67.222.222) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 208.67.222.222->*.*.*.161, to ethernet0/2.1
  routed (x_dst_ip 208.67.222.222) from ethernet0/0.1 (ethernet0/0.1 in 0) to ethernet0/2.1
  policy search from zone 101-> zone 1
 policy_flow_search  policy search nat_crt from zone 101-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.67.222.222, port 55131, proto 1)
  No SW RPC rule match, search HW rule
  Searching global policy.
  packet dropped, denied by policy
11152.0: ethernet0/0(i) len=78:00b0d038c1dc->001db5034480/8100/0800, tag 900
              10.10.1.100 -> 208.67.222.222/1
              vhl=45, tos=00, id=16082, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

****** 11152.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ipid = 16082(3ed2), @04e1f2e8
  packet passed sanity check.
  ethernet0/0.1:10.10.1.100/29952->208.67.222.222/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0.1>, out <N/A>
  chose interface ethernet0/0.1 as incoming nat if.
  flow_first_routing: in <ethernet0/0.1>, out <N/A>
  search route to (ethernet0/0.1, 10.10.1.100->208.67.222.222) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 208.67.222.222->*.*.*.161, to ethernet0/2.1
  routed (x_dst_ip 208.67.222.222) from ethernet0/0.1 (ethernet0/0.1 in 0) to ethernet0/2.1
  policy search from zone 101-> zone 1
 policy_flow_search  policy search nat_crt from zone 101-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.67.222.222, port 54875, proto 1)
  No SW RPC rule match, search HW rule
  Searching global policy.
  packet dropped, denied by policy
11157.0: ethernet0/0(i) len=78:00b0d038c1dc->001db5034480/8100/0800, tag 900
              10.10.1.100 -> 208.67.222.222/1
              vhl=45, tos=00, id=16088, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

****** 11157.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ipid = 16088(3ed8), @04e4bae8
  packet passed sanity check.
  ethernet0/0.1:10.10.1.100/30208->208.67.222.222/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0.1>, out <N/A>
  chose interface ethernet0/0.1 as incoming nat if.
  flow_first_routing: in <ethernet0/0.1>, out <N/A>
  search route to (ethernet0/0.1, 10.10.1.100->208.67.222.222) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 208.67.222.222->*.*.*.161, to ethernet0/2.1
  routed (x_dst_ip 208.67.222.222) from ethernet0/0.1 (ethernet0/0.1 in 0) to ethernet0/2.1
  policy search from zone 101-> zone 1
 policy_flow_search  policy search nat_crt from zone 101-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.67.222.222, port 54619, proto 1)
  No SW RPC rule match, search HW rule
  Searching global policy.
  packet dropped, denied by policy
11162.0: ethernet0/0(i) len=78:00b0d038c1dc->001db5034480/8100/0800, tag 900
              10.10.1.100 -> 208.67.222.222/1
              vhl=45, tos=00, id=16092, frag=0000, ttl=128 tlen=60
              icmp:type=8, code=0

****** 11162.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ipid = 16092(3edc), @04e76ae8
  packet passed sanity check.
  ethernet0/0.1:10.10.1.100/30464->208.67.222.222/512,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0.1>, out <N/A>
  chose interface ethernet0/0.1 as incoming nat if.
  flow_first_routing: in <ethernet0/0.1>, out <N/A>
  search route to (ethernet0/0.1, 10.10.1.100->208.67.222.222) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 208.67.222.222->*.*.*.161, to ethernet0/2.1
  routed (x_dst_ip 208.67.222.222) from ethernet0/0.1 (ethernet0/0.1 in 0) to ethernet0/2.1
  policy search from zone 101-> zone 1
 policy_flow_search  policy search nat_crt from zone 101-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 208.67.222.222, port 54363, proto 1)
  No SW RPC rule match, search HW rule
  Searching global policy.
  packet dropped, denied by policy

shashlik (Super Contributor, 70 posts, registered 02-20-2008)

Re: SSG320M Multiple VLAN

OK. I think I know what's happening.

The key is "policy search from zone 101-> zone 1". We're trying to search from the TTS/FCT-Trust zone to the Untrust zone ("get zone"), but there is no such policy, so the packet is dropped.

So you'll need a policy from "TTS/FCT-Trust to Untrust any any any nat src permit" and traffic will go through. BUT the internal IP will be translated to the interface in the untrust zone....

Let me think about how to get this working for you. It's easier with Virtual systems, but the SSG doesn't support this...

Rgrds,
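As an added example (not part of shashlik's reply or any Juniper tool), a small parser for "debug flow basic" records like the ones pasted above: it pulls out the route decision and the zone pair per packet and flags both problems discussed in this thread, the wrong gateway/egress sub-interface and the missing policy for the resulting zone pair. The trace is a constructed excerpt with the masked gateway replaced by TEST-NET 192.0.2.161, and the expected gateway and interface passed to diagnose() are assumed values.

```python
import re

# Constructed excerpt shaped like the "debug flow basic" records pasted above
# (masked gateway replaced by TEST-NET 192.0.2.161); not a real capture.
SAMPLE_TRACE = """\
****** 11146.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ethernet0/0.1:10.10.1.100/29696->208.67.222.222/512,1(8/0)<Root>
  [ Dest] 7.route 208.67.222.222->192.0.2.161, to ethernet0/2.1
  policy search from zone 101-> zone 1
  packet dropped, denied by policy
****** 11152.0: <TTS/FCT-Trust/ethernet0/0.1> packet received [60]******
  ethernet0/0.1:10.10.1.100/29952->208.67.222.222/512,1(8/0)<Root>
  [ Dest] 7.route 208.67.222.222->192.0.2.161, to ethernet0/2.1
  policy search from zone 101-> zone 1
  packet dropped, denied by policy
"""

HDR = re.compile(r"^\*+ ([\d.]+): <(.+)/(ethernet[^>]*)> packet received")
FLOW = re.compile(r"^\s*\S+:([\d.]+)/\d+->([\d.]+)/\d+,(\d+)")
ROUTE = re.compile(r"^\s*\[ Dest\] \d+\.route \S+->([\d.]+), to (\S+)")
ZONES = re.compile(r"^\s*policy search from zone (\d+)-> zone (\d+)")
DROP = re.compile(r"^\s*packet dropped, (.+)$")

def parse_flow_trace(text):
    packets, cur = [], {}            # cur is a throwaway dict until the first header
    for line in text.splitlines():
        if m := HDR.match(line):     # start of a new packet record: time, zone, interface
            cur = {"ts": m[1], "in_zone": m[2], "in_if": m[3], "verdict": "none"}
            packets.append(cur)
        elif m := FLOW.match(line):  # source, destination and IP protocol
            cur.update(src=m[1], dst=m[2], proto=int(m[3]))
        elif m := ROUTE.match(line): # route lookup result: next hop and egress interface
            cur.update(gateway=m[1], out_if=m[2])
        elif m := ZONES.match(line): # zone pair the policy lookup was made with
            cur.update(from_zone=int(m[1]), to_zone=int(m[2]))
        elif m := DROP.match(line):
            cur["verdict"] = m[1]
    return packets

def diagnose(packets, expected_gateway, expected_out_if):
    """Flag both problems seen in the thread: wrong gateway/egress, and no policy."""
    findings = []
    for p in packets:
        if (p.get("gateway"), p.get("out_if")) != (expected_gateway, expected_out_if):
            findings.append(f"{p['ts']}: routed via {p.get('gateway')} on {p.get('out_if')},"
                            f" expected {expected_gateway} on {expected_out_if}")
        if p["verdict"].startswith("denied by policy"):
            findings.append(f"{p['ts']}: no policy from zone {p.get('from_zone')}"
                            f" ({p['in_zone']}) to zone {p.get('to_zone')}")
    return findings
```

Run it over the real "get db stream" output with Company B's gateway and sub-interface as the expected values; a packet that routes out through another customer's sub-interface shows up as a finding even before the policy denial does.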
shashlik (Super Contributor, 70 posts, registered 02-20-2008)

Re: SSG320M Multiple VLAN

Hi Titan,

Don't know if anyone else has other ideas but I could come up with only 2 scenarios:

Scenario#1:
========
- Use a custom "trust" zone for each customer. Use a unique VLAN on the "trust" interface.
- Don't use VLANs on "untrust". All customers use the default "Untrust" zone.
- Create a DIP pool of customer A's public IP.
- Set up a policy from "CustomerA-Internal" to "Untrust" any any any nat dip id 5 permit

* This way all of customer A's traffic will be NATed to CustomerA's external IP address.
* Might be tricky if there must be traffic from the Internet to Customer A's internal IP.

Scenario#2:
========
- Use custom "trust" and "untrust" zones for each customer. Use a unique VLAN for both the "trust" and "untrust" interfaces.
- Use policy-based routing to force traffic from the CustomerA-Internal IP out a specific "untrust" sub-interface.
- Add a policy to apply NAT for this traffic.

* Not sure how this will scale.

Rgrds,
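An added example (not shashlik's or Juniper's code) that generates the Scenario#1 configuration for a list of customers and first checks that no two customers share a VLAN tag, zone name, public NAT address or private range, since any such collision would silently merge two tenants' traffic. The customer table, the port names ethernet0/0 and ethernet0/2 and the assumption that each customer's public NAT address lies inside the shared Untrust interface's subnet are mine; the policy uses the ScreenOS spelling "nat src dip-id".

```python
import ipaddress

# Constructed customer table (example values only): the trust-side VLAN tag,
# the private subnet behind the firewall, and the address from the customer's
# own public range that its outbound traffic should be sourced from.
CUSTOMERS = [
    {"name": "CustomerA", "tag": 500, "inside": "10.0.1.0/24", "public": "203.0.113.10"},
    {"name": "CustomerB", "tag": 501, "inside": "10.0.2.0/24", "public": "203.0.113.18"},
]
TRUST_PORT, UNTRUST_IF = "ethernet0/0", "ethernet0/2"   # assumed port layout

def plan_problems(customers):
    """Return a list of collisions; any of them would merge two tenants' traffic."""
    problems, seen = [], {}
    for c in customers:
        for key in ("name", "tag", "public"):
            if (key, c[key]) in seen:
                problems.append(f"{key} {c[key]} shared by {seen[key, c[key]]} and {c['name']}")
            seen[key, c[key]] = c["name"]
    nets = [(c["name"], ipaddress.ip_network(c["inside"])) for c in customers]
    for i, (na, a) in enumerate(nets):
        for nb, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"private ranges of {na} ({a}) and {nb} ({b}) overlap")
    return problems

def customer_config(idx, c):
    """ScreenOS lines for one customer under Scenario#1: its own trust zone and
    sub-interface, a DIP pool on the shared Untrust interface, one NAT policy.
    Sub-interface unit and dip-id are derived from the customer's position."""
    zone, unit, dip = f"{c['name']}-Trust", idx + 1, idx + 10
    net = ipaddress.ip_network(c["inside"])
    return [
        f'set zone name "{zone}"',
        f'set interface {TRUST_PORT}.{unit} tag {c["tag"]} zone "{zone}"',
        f'set interface {TRUST_PORT}.{unit} ip {net[1]}/{net.prefixlen}',   # first host = firewall
        f'set interface {TRUST_PORT}.{unit} nat',
        # one-address DIP pool; assumes the public IP sits in the Untrust interface subnet
        f'set interface {UNTRUST_IF} dip {dip} {c["public"]} {c["public"]}',
        f'set policy from "{zone}" to "Untrust" "Any" "Any" "ANY" nat src dip-id {dip} permit log',
    ]   # no policy between customer zones, so inter-customer traffic stays denied by default

def build_config(customers):
    """Validate the plan, then emit the ScreenOS config for every customer."""
    problems = plan_problems(customers)
    if problems:
        raise ValueError("; ".join(problems))
    return [line for i, c in enumerate(customers) for line in customer_config(i, c)]
```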

 

Titan (Visitor, 5 posts, registered 12-22-2008)

Re: SSG320M Multiple VLAN

Once again thank you for the reply.

Scenario 2 sounds like the best solution to get me where I need to be. I have about 50 customers that will be going through the firewall once we have it up and running. As the 320M allows 100ish VLANs, it hits the spot.

Can you give me a complete example of how this will look in the Config?

Does anyone else have an Idea?

Your assistance is much appreciated...

Titan (Visitor, 5 posts, registered 12-22-2008)

Re: SSG320M Multiple VLAN

Does anyone else have an Idea of how this can work?

I have tried various options still with no Luck.

Any Help Appreciated!
