ScreenOS Firewalls (NOT SRX)
Visitor
explorer1979
Posts: 3
Registered: ‎08-07-2010
0
Accepted Solution

SSG5 DMZ inside server to Untrust not work

Hi all,

I am a newbie on ScreenOS, but I am not a networking newbie, since I have good knowledge of it and have been successful with the SonicWALL Firewall Series.

Okay.

Now I have an SSG 5 at my home with the latest ScreenOS 6.3.0r11. I set it up as follows:
A WAN on eth0/0 with DHCP to the Internet
A DMZ on eth0/1 with static IP 192.168.18.2/24 and the DHCP service enabled so the DMZ zone server can take its IP automatically from it.
A LAN on bgroup0 with eth0/2 to 0/6 with static IP 192.168.1.1/24 and the DHCP service enabled for all the workstations.

Okay, LAN to Untrust is all working well on bgroup0 with all of my workstations.
And I have manually set the VIP for Untrust to DMZ; it looks like it works for the Web Server on 80 and the FTP Server on 21 by VIP port forward!!
And the servers in the DMZ zone are Linux.

OK, here is the problem: I had set the POLICY to make DMZ to Untrust ANY ANY ALLOW, but when the Linux Server in the DMZ zone tries to ping www.yahoo.com it WILL NEVER get a response until it times out. Then I unplugged the Linux Server and plugged my Win7 workstation from bgroup0 into the DMZ zone; after waiting about 20s, it was automatically assigned an IP from the DMZ zone DHCP server, then I looked at the lower right corner and the LAN icon on Windows 7 has an "X", meaning that the network is connected but there is no internet.

I have checked both the Linux and Windows DHCP settings: the gateway points to the SSG 5 DMZ IP 192.168.18.2, and DNS1 and DNS2 are auto-assigned, the same as the ISP gives to me.

I am wondering... why does the SSG 5 logic look different from other firewalls, especially when the POLICY is set to DMZ to Untrust ANY ANY ALLOW and it still behaves like that?

And on the Linux box,

/etc/resolv.conf is shown below; it has the DNS server list, and I also tried to ping www.yahoo.com by its IP with no response at all.

; generated by /sbin/dhclient-script
search SSG5-Serial-WLAN eaea.org
nameserver 218.102.52.81
nameserver 218.102.23.77

Thank you.

And here is the config file from my SSG 5 box.



============== Start ============
unset key protection enable
set clock dst-off
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Kerberos" protocol tcp src-port 0-65535 dst-port 88-88
set service "Kerberos" + udp src-port 0-65535 dst-port 88-88
set service "XBOX Live" protocol tcp src-port 0-65535 dst-port 3074-3074
set service "XBOX Live" + udp src-port 0-65535 dst-port 3074-3074
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin port 8088
set admin http redirect
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen tcp-sweep
set zone "Untrust" screen udp-sweep
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 42.2.193.201/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.18.2/24
set interface ethernet0/1 nat
set interface wireless0/0 ip 192.168.31.1/24
set interface wireless0/0 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface wireless0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssl
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip interface-ip 88 "Kerberos" 192.168.1.28 manual
set interface ethernet0/0 vip interface-ip 3074 "XBOX Live" 192.168.1.28 manual
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.18.81
set interface ethernet0/0 vip interface-ip 21 "FTP" 192.168.18.81
set interface ethernet0/0 dhcp client enable
set interface ethernet0/1 dhcp server service
set interface wireless0/0 dhcp server service
set interface bgroup0 dhcp server service
set interface ethernet0/1 dhcp server enable
set interface wireless0/0 dhcp server auto
set interface bgroup0 dhcp server auto
set interface ethernet0/1 dhcp server option lease 1440000
set interface ethernet0/1 dhcp server option dns1 218.102.52.81
set interface ethernet0/1 dhcp server option dns2 218.102.23.77
set interface wireless0/0 dhcp server option dns1 218.102.52.81
set interface wireless0/0 dhcp server option dns2 218.102.23.77
set interface bgroup0 dhcp server option dns1 218.102.52.81
set interface bgroup0 dhcp server option dns2 218.102.23.77
set interface ethernet0/1 dhcp server ip 192.168.18.201 to 192.168.18.220
set interface ethernet0/1 dhcp server ip 192.168.18.88 mac 0021859721d4
set interface wireless0/0 dhcp server ip 192.168.31.33 to 192.168.31.126
set interface bgroup0 dhcp server ip 192.168.1.61 mac 001a4d5f8a71
set interface bgroup0 dhcp server ip 192.168.1.200 to 192.168.1.230
set interface bgroup0 dhcp server ip 192.168.1.28 mac 001dd8448a1b
unset interface ethernet0/1 dhcp server config next-server-ip
unset interface wireless0/0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set interface wireless0 wlan 0
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0 src-interface ethernet0/0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set dns ddns
set dns ddns id 1 server "free.ddo.jp" server-type ddo clear-text
set dns ddns id 1 username explorerhome.ddo.jp password =
set dns ddns id 1 src-interface ethernet0/0   
set dns ddns enable
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "BT" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "BT" permit
set policy id 2
exit
set policy id 3 name "E-XBOX360" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "Kerberos" permit log
set policy id 3
set service "XBOX Live"
exit
set policy id 4 name "E-XBOXOut" from "Trust" to "Untrust"  "Any" "Any" "DNS" permit log
set policy id 4
set service "HTTP"
set service "Kerberos"
set service "XBOX Live"
exit
set policy id 5 name "DMZ to Internet" from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 5
exit
set policy id 6 name "LAN to DMZ" from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
set policy id 6
exit
set policy id 7 name "WAN to DMZ WWW" from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "HTTP" permit log
set policy id 7
set log session-init
exit
set policy id 8 name "E-FTP-D81" from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "FTP" permit log
set policy id 8
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set wlan country-code HK
set wlan 0 channel auto
set wlan 1 channel auto
set wlan change-channel-timer 0
set ssid name Explorer
set ssid Explorer authentication wpa-psk passphrase = encryption aes
set ssid Explorer interface wireless0
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162082008003554"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
================= End ==============

Best Regards,
Jimmy Chan
http://explorerhome.dyndns.org/blog
Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: SSG5 DMZ inside server to Untrust not work

Hi,

 

You should enable the src-NAT to the egress interface IP in the DMZ-to-Untrust policy.

ScreenOS has a kind of "default" src-NAT mode, namely interface based NAT. If the ingress interface (Trust) is in the nat mode (it is in your configuration) all connections will be automatically src-natted to the egress interface IP (Untrust). But DMZ-to-Untrust traffic will not be src-natted even when the DMZ-interface is in the nat mode. As explained in KB4761:

 

"Interface based NAT only works From and To the following zones in the Trust-VR:

  • Trust zone to Untrust zone
  • Trust zone to DMZ Zone

Traffic From and To other zones will be routed.

The behavior for interface NAT with the Untrust-VR is different.  If the destination zone is in the Untrust-VR, then NAT will take place from ANY zone."

 

I personally never use interface based NAT and prefer to activate the src-NAT explicitly in the policy. Interface based NAT is misleading and sometimes useless. Who needs e.g. a src-NAT from Trust zone to DMZ?

Kind regards,
Edouard
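The interface-NAT rule quoted from KB4761 above is easy to get wrong when reading a long `get config` dump, so here is a small lint that applies it to the pasted config format. This is an added example, not code from the thread or from Juniper. It assumes: the `set zone`, `set interface ... zone`, `set interface ... nat|route` and `set policy id ... permit` line shapes exactly as they appear in the dump above; the rule as quoted (in trust-vr only Trust->Untrust and Trust->DMZ get interface NAT; a destination zone bound to untrust-vr gets NAT from any zone); and that policy-based source NAT shows up on the policy line as `nat src` before `permit`, which to my knowledge is ScreenOS's syntax for "source NAT to the egress interface IP" (verify on your release). The sample config is constructed in the shape of the thread's dump, with two extra constructed lines (a zone `Ext2` in untrust-vr and policy ids 9 and 10) to exercise the other branches of the rule.

```python
"""Flag ScreenOS policies whose traffic will be routed, not source-NATed.

Added example (not from the thread or Juniper). Models the KB4761 rule:
  - in trust-vr, interface-based NAT applies only Trust->Untrust and Trust->DMZ;
  - if the destination zone is bound to untrust-vr, NAT applies from any zone.
A permit policy whose ingress interface is in nat mode, that has no explicit
`nat src` (assumed syntax), and that falls outside the rule is reported.
"""
import re

# Constructed sample in the shape of the thread's `get config` dump.
SAMPLE_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "Ext2" vrouter "untrust-vr"
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/7" zone "Ext2"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 route
set interface ethernet0/1 nat
set interface ethernet0/7 route
set interface bgroup0 nat
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 5 name "DMZ to Internet" from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 6 name "LAN to DMZ" from "Trust" to "DMZ"  "Any" "Any" "ANY" permit
set policy id 7 name "WAN to DMZ WWW" from "Untrust" to "DMZ"  "Any" "VIP(ethernet0/0)" "HTTP" permit log
set policy id 9 name "DMZ out fixed" from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src permit
set policy id 10 name "DMZ to Ext2" from "DMZ" to "Ext2"  "Any" "Any" "ANY" permit
"""

ZONE_RE = re.compile(r'^set zone "([^"]+)" vrouter "([^"]+)"')
IF_ZONE_RE = re.compile(r'^set interface "([^"]+)" zone "([^"]+)"')
IF_MODE_RE = re.compile(r'^set interface (\S+) (nat|route)$')
# Full policy line: id, optional name, zones, src/dst/service, options, action.
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "([^"]*)")? from "([^"]+)" to "([^"]+)"'
    r'\s+"[^"]+" "[^"]+" "[^"]+"\s*(.*?)\s*(permit|deny|reject)\b(.*)$'
)


def parse_config(text):
    """Collect zone->vrouter, interface->zone, interface->mode and policies."""
    cfg = {"zone_vr": {}, "iface_zone": {}, "iface_mode": {}, "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            cfg["zone_vr"][m.group(1)] = m.group(2)
            continue
        m = IF_ZONE_RE.match(line)
        if m:
            cfg["iface_zone"][m.group(1)] = m.group(2)
            continue
        m = IF_MODE_RE.match(line)
        if m:
            cfg["iface_mode"][m.group(1)] = m.group(2)
            continue
        m = POLICY_RE.match(line)
        if m:  # the short `set policy id N` re-entry lines do not match and are skipped
            pid, name, src, dst, opts, action, _trailer = m.groups()
            cfg["policies"].append({
                "id": int(pid), "name": name or "", "from": src, "to": dst,
                "action": action, "explicit_src_nat": "nat src" in opts,
                "line": line, "action_pos": m.start(6),
            })
    return cfg


def interface_nat_applies(from_zone, to_zone, zone_vr):
    """KB4761 rule: where does interface-based NAT actually take effect?"""
    if zone_vr.get(to_zone) == "untrust-vr":
        return True
    return from_zone == "Trust" and to_zone in ("Untrust", "DMZ")


def zone_in_nat_mode(zone, cfg):
    """True if any interface bound to `zone` is in nat mode."""
    return any(cfg["iface_mode"].get(iface) == "nat"
               for iface, z in cfg["iface_zone"].items() if z == zone)


def find_unnatted(cfg):
    """Permit policies that will be routed although the admin expects NAT."""
    findings = []
    for p in cfg["policies"]:
        if p["action"] != "permit" or p["explicit_src_nat"]:
            continue
        if not zone_in_nat_mode(p["from"], cfg):
            continue  # route-mode ingress: no NAT was expected here
        if interface_nat_applies(p["from"], p["to"], cfg["zone_vr"]):
            continue
        pos = p["action_pos"]
        findings.append({
            "id": p["id"], "from": p["from"], "to": p["to"],
            # assumed ScreenOS syntax for policy-based source NAT
            "suggested": p["line"][:pos] + "nat src " + p["line"][pos:],
        })
    return findings


if __name__ == "__main__":
    for f in find_unnatted(parse_config(SAMPLE_CONFIG)):
        print(f"policy {f['id']} {f['from']}->{f['to']} is routed, not NATed; try:")
        print("  " + f["suggested"])
```

Run against the sample, only policy 5 (DMZ to Untrust, ingress in nat mode, no `nat src`) is reported; policy 1 and 6 are covered by interface NAT, policy 7's ingress is the route-mode Untrust interface, policy 9 already carries `nat src`, and policy 10's destination zone lives in untrust-vr. Paste a real dump in place of `SAMPLE_CONFIG` to check a box before trusting interface-based NAT.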
Contributor
abdullah@asacogroup.com
Posts: 21
Registered: ‎01-09-2012
0

Re: SSG5 DMZ inside server to Untrust not work

hi,

Just enable the source translation in the policy from DMZ to Untrust and try to ping 4.2.2.2 from the DMZ zone.

regards

Visitor
explorer1979
Posts: 3
Registered: ‎08-07-2010
0

Re: SSG5 DMZ inside server to Untrust not work

abdullah,

 

First of all, thank you, but I am really new to ScreenOS. How do I do this via the GUI or CLI?

 

And I have enabled the log.

 

LAN to Untrust
http://explorerhome.dyndns.org/photoevent/TrustToUntrust.jpg

 

DMZ to Untrust
http://explorerhome.dyndns.org/photoevent/DMZToUntrust.jpg

 

The DMZ does not work; it looks like its NAT hasn't changed to the Untrust one...

Best Regards,
Jimmy Chan
http://explorerhome.dyndns.org/blog
Distinguished Expert
Screenie
Posts: 1,078
Registered: ‎01-10-2008
0

Re: SSG5 DMZ inside server to Untrust not work

In the GUI go to Policy and click on DMZ to Untrust. Click on Advanced and tick the checkbox at Source NAT. Click back and Apply or OK.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.