ScreenOS Firewalls (NOT SRX)
New User
IRISGROUP
Posts: 1
Registered: 08-31-2010

SSG350M Config

I am currently in the process of building a Juniper SSG-350M (ScreenOS 6.3.0r4.0) to replace a GTA GB2000. 

Currently all the config is in, but we've had problems in the couple of brief testing windows we've managed so far:

Inbound VIPs/rules aren't working at all
Outbound rules (the ones we've tested) are working for the most part for the HTTP/S rules, but the RDP rules, for example, don't seem to work
Around half of the VPNs don't connect

The VPNs will take some playing with to connect; I don't expect anyone will be able to help much with these without knowing the firewall/config on the other end, but can anyone spot any problem with the inbound/outbound rules in the config file?


Distinguished Expert
spuluka
Posts: 2,750
Registered: 03-30-2009

Re: SSG350M Config

From a quick look at your configuration, I think your primary issue is that your custom services don't have the random port range as the source. The service connections will be sourced from whatever random port the original request is translated to at the source, with a fixed destination port for the protocol. So you need to change the fixed source port range to the 0-65535 range for a match.

set service "RDP" protocol udp src-port 0-65535 dst-port 3389-3389
Steve Puluka BSEET
Juniper Ambassador
Senior Network Engineer - UPMC Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC
JNCIS-FWV JNCIS-SSL
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
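To make the matching rule in the reply concrete, here is an added example (not Juniper code or the poster's configuration) that parses ScreenOS-style "set service" lines with a small hypothetical parser and checks whether a client session would match a custom service defined with a fixed source port versus the 0-65535 range. It assumes standard RDP over TCP 3389 and a constructed client source port of 51234.

```python
import re
from dataclasses import dataclass

# Hypothetical minimal parser for the fields discussed in the thread:
# protocol, src-port range and dst-port range of a ScreenOS custom service.
SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)$'
)

@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    src: tuple  # inclusive (low, high) source port range
    dst: tuple  # inclusive (low, high) destination port range

def parse_service(line: str) -> Service:
    m = SERVICE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported service line: {line!r}")
    g = m.groupdict()
    src = (int(g["s1"]), int(g["s2"]))
    dst = (int(g["d1"]), int(g["d2"]))
    for lo, hi in (src, dst):
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi} in {g['name']}")
    return Service(g["name"], g["proto"], src, dst)

def matches(svc: Service, proto: str, sport: int, dport: int) -> bool:
    """Does a flow (protocol, source port, destination port) hit this service?"""
    return (svc.proto == proto
            and svc.src[0] <= sport <= svc.src[1]
            and svc.dst[0] <= dport <= svc.dst[1])

# Constructed sample: the same RDP service defined with a fixed source port
# (the mistake described in the thread) and with the full ephemeral range.
FIXED_SRC = parse_service('set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389')
ANY_SRC = parse_service('set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389')

# A real client picks an ephemeral source port; 51234 is a constructed value.
CLIENT_FLOW = ("tcp", 51234, 3389)

def check_policy_match() -> dict:
    """Which definition lets the constructed RDP session match the policy."""
    return {
        "fixed-src-port": matches(FIXED_SRC, *CLIENT_FLOW),  # False
        "any-src-port": matches(ANY_SRC, *CLIENT_FLOW),      # True
    }

if __name__ == "__main__":
    print(check_policy_match())
```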
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.