08-31-2010 07:14 AM
I am currently in the process of building a Juniper SSG-350M (ScreenOS 6.3.0r4.0) to replace a GTA GB2000.
Currently all the config is in, but we've had problems in the couple of brief testing windows we've managed so far -
Inbound VIP's/rules aren't working at all
Outbound rules (the ones we've tested) are working for the most part for the HTTP/S rules, but the RDP rules for example don't seem to work
Around half of the VPN's don't connect
The VPN's will take some playing with to connect, I don't expect anyone will be able to help much with these without knowing the firewall/config on the other end, but can anyone spot any problem with inbound/outbound rules from the config file?
09-06-2010 05:21 AM
From the quick look at your configuration, I think your primary issue is that your custom services don't have the random port range as the source. The service connections will be sourced from whatever random port the original request is translated to at the source with a fixed destination port of the protocol. So you need to change the fixed port range to the 0-65355 range for a match.
set service "RDP" protocol udp src-port 0-65535 dst-port 3389-3389
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7