03-16-2010 07:43 AM
Hate to create a new post on something that already exists in the forum, but I have a question on it and I didn't want to steal someone else's post. I am attempting to set up a guest network in my DMZ zone. I am unable to reach the internet. Below are the steps I have taken.
1. Set up eth0/1 with address 10.2.2.1/24 with NAT.
2. Created a DIP under eth0/1 for addresses 10.2.2.2-10.2.2.250 with port translation unchecked and using "In the same subnet as the interface IP or its secondary IPs".
3. Created a DMZ -> Untrust policy any any any with NAT source -> DIP from step 2.
4. Created an Untrust -> DMZ policy any any any deny.
I can ping all the way up to my external WAN IP address; anything after that is dead X(
I created the DIP based on the old post listed below. Seems as if the user was having the exact same problem as me and this fixed it for him. Perhaps I missed something or misunderstood.
03-16-2010 11:44 AM
First - You are not supposed to create a DIP on eth0/1, which is the interface of your DMZ. If you want to create a DIP it should be on your external interface, and with a public IP address.
Secondly - If you have configured your DMZ interface in NAT mode and your external interface in route mode, you don't need to configure a DIP unless you want the traffic from your DMZ zone to use a different IP than the IP address of your external interface.
Traffic from an interface in NAT mode passing out an interface in route mode will be NAT'ed to the IP address of that interface unless anything else is configured.
03-16-2010 01:50 PM
Thanks for the response Moerkholt, very informative!
I did not have a DIP set up until I read the post in the link. I did remove the DIP and I still have the same issue. My primary interface (not in the DMZ) is set to ROUTE. So I still have an issue.
IP ADDRESS: 10.2.2.100 (From DHCP server from SSG-20)
Network Mask: 255.255.255.0
Gateway: 10.2.2.1 (eth0/1)
Any other ideas as to what would restrict me? Outbound connections are unrestricted. Inbound connections are pretty much all locked down.
03-16-2010 02:11 PM
Have you tried to configure a policy like this in your firewall:
set policy from dmz to untrust any any any nat src permit
That nat src will force the traffic to get NATed to the IP of the egress interface.
If this doesn't work, then try to do a debug flow basic and initiate traffic from the DMZ; then you can paste it into this thread and I will be happy to review the output.
it can be done like this:
set ff src-ip xx.xx.xx.xx
debug flow basic - activates debugging
clear db - clears the debug memory in case it should contain information from a previous debug
Try accessing a site.
get db stream - Gets the content from the debug buffer.
The output will give you information as to what the firewall does with the traffic.
03-16-2010 02:28 PM
I have sent you a private message with my email.
If you want to, you can send me a mail with your config and I will see if I can find the problem.
03-17-2010 08:32 AM
Please excuse my paranoia; we had a breach earlier this year and it was a rather uncomfortable experience.
I am confused, as the earlier post said not to set up a DIP if I had a NAT DMZ and a ROUTE primary. If you want me to configure a DIP, should I be doing this on the primary (eth0/3)?
I had set up a DIP on eth0/1 before with the policy dmz -> untrust any any any nat-src(dip4) permit.
I assumed I was supposed to use the DIP for the nat-src (under advanced), not egress, correct?
I did run the debug; it kept saying something about sending packet to self 10.2.2.1/23 -> my WAN address. I can give you the exact output, but maybe first we should make sure I am set up correctly.
Thanks again for all your replies!
03-17-2010 09:10 AM
All steps taken are listed below, hopefully this should give you exactly what you need.
1. Set up Eth0/1 on 10.2.2.1/24 configured as NAT.
2. Enabled DHCP on Eth0/1 for
A. 10.2.2.100 - 10.2.2.200
D. ISP's DNS
3. Configured Wireless AP which passes all info from SSGs DHCP to clients
4. Setup Policies:
A. Dmz - >Untrust any any any permit
B. Untrust -> DMZ any any any deny
Bgroup 0 is my primary (and only other) network. It runs on 10.72.82.1 (NAT configured).
All traffic runs through my Serial0/2 interface (ROUTE configured).
03-17-2010 11:52 AM
There's nothing wrong with being a bit paranoid in this business.
Steps 1 through 4 seem all right.
The nat src part of the policy does not require a DIP. What it does is force the source IP to be NAT'ed with the IP address of the egress (outgoing) interface. Why I wrote this was because I remembered that there might be an issue that the NAT mode only has effect on interfaces in the trust zone.
So what you should try is: set policy from dmz to untrust any any any nat src permit
As to 4 B: You really don't need this policy, as the Juniper firewall works in a way that says: what isn't explicitly permitted is denied.
The only reason to use a: set policy from untrust to dmz any any any deny, is if you place a log at the end of the statement, so that you can see what traffic gets blocked by the firewall.
If the above does not work you should try to do debugging as I stated earlier.
You are welcome to mail me the debug or post it in this thread, if you are not sure about interpreting the result.
A get route would also be helpful.
03-17-2010 01:46 PM
So half way there....
I am getting a failure at the application level it seems..
If I go to the command line on my laptop, I can nslookup any address, so it seems my DNS is working correctly. When I go into my browser, I cannot resolve any names. If I type in the IP address, it works.
I haven't seen it fail for one but not the other..
03-17-2010 02:24 PM
This sounds really spooky.
I cannot understand that your PC can do a DNS lookup, but can't resolve the IP address of the fully qualified domain name when you type it into your browser??
What happens if you try to type the following from the command line on your laptop:
telnet www.google.com 80
Your command line should go blank to show you are connected. (You can break that with CTRL + ] and then type quit)
03-18-2010 08:41 AM
(This isn't copy-paste, it's just typed out, so...)
220.127.116.11 XX.XX.XX.XX XX.XX.XX.XX
telnet 18.104.22.168 80
I've seen others who have had this issue, so it's not a real oddity, but I haven't found a solution. Would anything block DNS from resolving to the application layer? Oh, and I don't have any proxies set up in my browsers. Also tried multiple browsers.
03-18-2010 11:14 AM
1. Which ScreenOS version do you run?
2. As I understood, you have configured wireless in the DMZ zone; is that an external AP or is it integrated with the SSG-20?
3. What is the model of your laptop and which wireless adapter has it got?
4. Do you experience the same problems on both wireless and wired connections?
5. Have you tried doing the debugging part I mentioned in an earlier post?
6. If your firewall is configured with DNS, hostname and domain name you should try the following:
ping www.google.com from ethernet0/1
03-18-2010 11:44 AM
1. 6.1.0r4.0 (Firewall+VPN)
2. It is an external AP which I pulled from our existing wireless network. (Netgear)
3. I have a Dell Precision M2400 (Intel WiFi Link 5300 AGN). (I have attempted to get to Google from multiple laptops with the same outcome.)
4. The DMZ eth0/1 port goes directly into the AP. I do not have access to a wired port. I could remove the wireless, though.
5. The last time I did the debugging part, it seemed like the same spam message over and over again. I will run it and post what I get.
6. My firewall is configured with DNS; not sure I follow you with the domain or host name. My SSG20 does not have a domain name.
03-18-2010 12:02 PM
Removing the AP from the picture didn't do anything. Still the same problem. Below is the debug; this continues pretty much forever:
Processing packet through normal path.
packet passed sanity check
self:10.2.2.1/23 -> 10.2.2.105/1153,6<root>
existing session found. sess token 5
flow got session.
flow session id 7473
skip ttl adjust for packet from self.
post addr xlation 10.2.2.1->10.2.2.105.
flow_send_vector_, vid=0, is layer_2_if=0
packet send out to 0019b956515c through ethernet0/1
****8548727.0: <DMZ/ethernet0/1> packet received *******
ipid = 16337<3fd1>, @033c1fd0
packet passed sanity check
existing session found. sess token 13
flow got session
flow session id 7473
post addr xlation 10.2.2.105->10.2.2.1.
packet is for self, copy packet to self
copy packet to us
****** 8548727.0 >self/self> packet received *************
ipid = asoihgapsidew6y9-12ht-
This continues for pages and pages and pages... I think it eventually gets to my WAN address. My computer died before I could get to it, though.
Hopefully this gives you an idea.
You said in your second post to configure a DIP. Would you still like me to do this?
03-19-2010 02:43 AM
The debug you have pasted into the post doesn't show anything, as it is not traffic going through the firewall.
As to NAT, you don't have to configure a DIP; as long as you use the nat src in your policy it will translate the source IP to that of the external interface.
Right now I have the problem that I cannot see the configuration and see what goes wrong.
What I would recommend is that you open a case at JTAC. What they will probably do is ask for the output from get tech, or get you to connect to a secure meeting where they can see the output from your terminal emulation, so that they can see what is wrong.
I am convinced that as soon as you have a JTAC engineer looking at your configuration he will quickly see where the problem is.
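The trace posted above contains only packets to and from the SSG's own DMZ address (the client talking to 10.2.2.1 and the firewall answering), which is why, as the reply says, it tells you nothing about the DMZ -> Untrust flow. The script below is an added example for this thread, not Juniper tooling and not anything the posters ran: it splits `debug flow basic` output into one record per "packet received" block and classifies each as to-self, from-self, forwarded (with the post-NAT source and the egress interface) or dropped, so the few records that matter can be pulled out of pages of output. The sample trace inside it is constructed, modelled on the format posted above rather than captured from a device; 203.0.113.10, 198.51.100.7 and 192.0.2.44 are documentation placeholders standing in for the masked WAN and external addresses, and serial0/2 is assumed to be the route-mode untrust interface the poster describes.

```python
"""Classify ScreenOS `debug flow basic` records by what the firewall did with each packet.
Added example for this thread; not Juniper tooling and not the poster's own output."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the trace posted in the thread (not a real capture).
# 203.0.113.10 = the SSG's WAN address, 198.51.100.7 = a web server, 192.0.2.44 = an
# external host (all documentation placeholders); serial0/2 = assumed untrust interface.
SAMPLE_TRACE = """\
****** 8548727.0: <DMZ/ethernet0/1> packet received [60]******
  ethernet0/1:10.2.2.105/1153->10.2.2.1/53,17<Root>
  existing session found. sess_token 13
  post addr xlation: 10.2.2.105->10.2.2.1.
  packet is for self, copy packet to self
****** 8548727.0: <Self/self> packet received [60]******
  self:10.2.2.1/53->10.2.2.105/1153,17<Root>
  skip ttl adjust for packet from self.
  post addr xlation: 10.2.2.1->10.2.2.105.
  packet send out to 0019b956515c through ethernet0/1
****** 8548728.0: <DMZ/ethernet0/1> packet received [60]******
  ethernet0/1:10.2.2.105/1154->198.51.100.7/80,6<Root>
  no session found
  Permitted by policy 5
  post addr xlation: 203.0.113.10->198.51.100.7.
  packet send out to 00a0c9123456 through serial0/2
****** 8548729.0: <Untrust/serial0/2> packet received [60]******
  serial0/2:192.0.2.44/40022->203.0.113.10/22,6<Root>
  no session found
  packet dropped, denied by policy
"""

HEADER = re.compile(r"^\*+\s*[\d.]+:\s*<(?P<zone>[^/>]+)/(?P<iface>[^>]+)>\s*packet received")
# ingress-iface:src/sport->dst/dport,proto  (the 5-tuple line after each header)
TUPLE = re.compile(r"^(?P<iface>[\w/]+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
# "post addr xlation: a->b" is src->dst AFTER translation: a != original src means source NAT happened
XLATE = re.compile(r"post addr xlation:?\s*(?P<src>[\d.]+)->(?P<dst>[\d.]+)")
SENDOUT = re.compile(r"packet send out to \S+ through (?P<iface>[\w/]+)")


@dataclass
class Record:
    ingress_zone: str
    ingress_iface: str
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    nat_src: Optional[str] = None      # source address after NAT, when the trace shows one
    egress_iface: Optional[str] = None
    verdict: str = "unknown"           # to-self | from-self | forwarded | dropped | unknown
    msgs: list = field(default_factory=list)


def classify(rec: Record) -> str:
    """Decide what the firewall did with the packet from the messages in its record."""
    text = " ".join(rec.msgs)
    if rec.ingress_zone.lower() == "self" or rec.ingress_iface.lower() == "self":
        return "from-self"          # generated by the SSG itself (DHCP/DNS replies, its own pings)
    if "packet is for self" in text:
        return "to-self"            # addressed to an SSG interface; never crosses a policy
    if "packet dropped" in text or "denied by policy" in text:
        return "dropped"
    if rec.egress_iface:
        return "forwarded"          # through-traffic: the records that matter for a NAT problem
    return "unknown"


def parse_records(trace: str) -> list[Record]:
    """Split a debug flow basic dump into one Record per 'packet received' block."""
    records: list[Record] = []
    cur: Optional[Record] = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Record(m["zone"], m["iface"])
            records.append(cur)
            continue
        if cur is None:
            continue                # noise before the first header
        cur.msgs.append(line)
        m = TUPLE.match(line)
        if m:
            cur.src, cur.dst = m["src"], m["dst"]
            cur.sport, cur.dport, cur.proto = int(m["sport"]), int(m["dport"]), int(m["proto"])
            continue
        m = XLATE.search(line)
        if m:
            if cur.src and m["src"] != cur.src:
                cur.nat_src = m["src"]
            continue
        m = SENDOUT.search(line)
        if m:
            cur.egress_iface = m["iface"]
    for rec in records:
        rec.verdict = classify(rec)
    return records


def summarize(records: list[Record], src_ip: Optional[str] = None) -> dict[str, int]:
    """Count verdicts; src_ip narrows to one client, as `set ff src-ip` does on the box."""
    counts: dict[str, int] = {}
    for rec in records:
        if src_ip and rec.src != src_ip:
            continue
        counts[rec.verdict] = counts.get(rec.verdict, 0) + 1
    return counts


def through_traffic(records: list[Record]) -> list[str]:
    """One line per forwarded packet: original src, NAT src, destination, egress interface."""
    return [f"{r.src}:{r.sport} (nat {r.nat_src or 'none'}) -> {r.dst}:{r.dport}/{r.proto} via {r.egress_iface}"
            for r in records if r.verdict == "forwarded"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TRACE)
    print(summarize(recs, src_ip="10.2.2.105"))
    print("\n".join(through_traffic(recs)))
```

Read the output the way the thread's reviewer does: a working DMZ -> Untrust flow shows up as a "forwarded" record whose post-NAT source is the address of the egress interface, while a dump that contains only "to-self" and "from-self" records (DHCP and DNS between the client and the SSG itself) has not captured the flow being debugged at all, so the `set ff` filter should be tightened to the client address and a destination outside the box before running `get db stream` again.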
03-19-2010 07:41 AM
So I did the dishonorable thing and did a workaround. There is something with Juniper routers and DMZs that I do not know about which is giving me the above error. Anyways...
I bound eth0/4 to bgroup1 and set up a new subnet within it on the trust network. I then created a new policy to restrict the subnet of bgroup1 from bgroup0. Got it up and running in 1.5 minutes using the exact same settings as those used in the DMZ minus the nat-src setting.
I would still be interested in knowing what extra step is needed for the DMZ to work correctly.