ScreenOS Firewalls (NOT SRX)
Contributor
Posts: 44
Registered: 03-16-2010

Setting up a DMZ on an SSG-20

Hate to create a new post on something that already exists in the forum, but I have a question on it and I didn't want to steal someone else's post. I am attempting to set up a guest network in my DMZ zone. I am unable to reach the internet. Below are the steps I have taken.

 

1. Set up eth0/1 with address 10.2.2.1/24 with NAT

2. Created a DIP under eth0/1 for addresses 10.2.2.2-10.2.2.250 with port translation unchecked and using "In the same subnet as the interface IP or its secondary IPs"

3. Created a DMZ -> Untrust policy any any any with NAT source -> DIP from step 2

4. Created an Untrust -> DMZ policy any any any deny.

 

I can ping all the way up to my external WAN IP address; anything after that is dead X(

 

I created the DIP based on the old post listed below. It seems as if the user was having the exact same problem as me and this fixed it for him. Perhaps I missed something or misunderstood.

 

http://forums.juniper.net/t5/Firewalls/Setting-up-DMZ-with-a-private-address-on-SSG-20/m-p/13559

 

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

First - You are not supposed to create a DIP on eth0/1, which is the interface of your DMZ. If you want to create a DIP it should be on your external interface, and with a public IP address.

 

Secondly - If you have configured your DMZ interface in NAT mode and your external interface in route mode, you don't need to configure a DIP unless you want the traffic from your DMZ zone to use a different IP than the IP address of your external interface.

 

Traffic from an interface in NAT mode passing out an interface in route mode will be NATed to the IP address of that interface unless anything else is configured.

 

Regards

Hans
JNCIS-FWV

If this worked for you then please flag my post as an "Accepted Solution" so others can benefit from it. A kudo would be nice if you think I earned it
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Thanks for the response Moerkholt, very informative!

 

I did not have a DIP set up until I read the post in the link. I did remove the DIP and I still have the same issue. My primary interface (not in the DMZ) is set to ROUTE. So I still have an issue.

 

IP ADDRESS: 10.2.2.100  (From DHCP server from SSG-20)

Network Mask: 255.255.255.0

Gateway: 10.2.2.1 (eth0/1)

 

Any other ideas as to what would restrict me? Outbound connections are unrestricted. Inbound connections are pretty much all locked down.

Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Should my DMZ's gateway be my primary address?

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

Have you tried configuring a policy like this in your firewall:

 

set policy from dmz to untrust any any any nat src permit

 

That nat src will force the traffic to get NATed to the IP of the egress interface.

 

If this doesn't work, then try to do a debug flow basic and initiate traffic from the DMZ; then you can paste it into this thread and I will be happy to review the output.

 

It can be done like this:

 

set ff src-ip xx.xx.xx.xx

 

debug flow basic - activates debugging

 

clear db - clears the debug memory in case it should contain information from a previous debug

 

Try accessing a site.

 

get db stream - Gets the content from the debug buffer.

 

The output will give you information as to what the firewall does with the traffic.

 

Regards
Hans
Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

I have sent you a private message with my email.

 

If you want to, you can send me a mail with your config and I will see if I can find the problem.

 

Regards

Hans
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Please excuse my paranoia; we had a breach earlier this year and it was a rather uncomfortable experience.

 

I am confused, as the earlier post said not to set up a DIP if I had a NAT DMZ and a ROUTE primary. If you want me to configure a DIP, should I be doing this on the primary (eth0/3)?

 

I had set up a DIP on eth0/1 before with the policy dmz -> untrust any any any nat-src(dip4) permit

 

I assumed I was supposed to use the DIP for the nat-src (under advanced), not egress, correct?

 

I did run the debug; it kept saying something about sending packet to self 10.2.2.1/23 -> my WAN address. I can give you the exact output, but maybe first we should make sure I am set up correctly.

 

 

Thanks again for all your replies!

Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

All steps taken are listed below; hopefully this should give you exactly what you need.

 

1. Set up Eth0/1 on 10.2.2.1/24 configured as NAT.

2. Enabled DHCP on Eth0/1 for

     A. 10.2.2.100 - 10.2.2.200

     B. 255.255.255.0

     C. 10.2.2.1

     D. ISPs DNS

3. Configured Wireless AP which passes all info from SSGs DHCP to clients

4. Setup Policies:

     A. DMZ -> Untrust any any any permit

     B. Untrust -> DMZ any any any deny

 

---------------------------------------------------------------------------------------------------------------------------

 

Bgroup0 is my primary (and only other) network. It runs on 10.72.82.1 (NAT configured).

 

All traffic runs through my Serial0/2 interface (ROUTE configured).

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

There's nothing wrong with being a bit paranoid in this business.

 

Steps 1 through 4 seem all right.

 

The nat src part of the policy does not require a DIP. What it does is force the source IP to be NATed with the IP address of the egress (outgoing) interface. Why I wrote this was because I remembered that there might be an issue where NAT mode only has effect on interfaces in the trust zone.

 

So what you should try is: set policy from dmz to untrust any any any nat src permit

 

As to 4 B: You really don't need this policy, as the Juniper firewall works in a way that says: what isn't explicitly permitted is denied.

 

The only reason to use a "set policy from untrust to dmz any any any deny" is if you place a log at the end of the statement, so that you can see what traffic gets blocked by the firewall.

 

If the above does not work, you should try to do the debugging as I stated earlier.

 

You are welcome to mail me the debug or post it in this thread if you are not sure about interpreting the result.

 

A get route would also be helpful.

 

Regards

Hans
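The setup the thread converges on, written out as one ScreenOS CLI configuration. This is an added example, not the original poster's config or anything Hans posted: the DMZ interface in NAT mode with the DHCP scope from the steps above, the WAN interface in route mode, and a dmz-to-untrust policy with nat src so DMZ hosts are translated to the egress interface address without any DIP. The DNS server 198.51.100.53, the policy IDs, the default route form and serial0/2 as the addressed Untrust interface are assumptions; the thread does not show how the WAN side is addressed.

```text
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 10.2.2.1/24
set interface ethernet0/1 nat
set interface ethernet0/1 dhcp server service
set interface ethernet0/1 dhcp server enable
set interface ethernet0/1 dhcp server option gateway 10.2.2.1
set interface ethernet0/1 dhcp server option netmask 255.255.255.0
set interface ethernet0/1 dhcp server option dns1 198.51.100.53
set interface ethernet0/1 dhcp server ip 10.2.2.100 to 10.2.2.200
set interface serial0/2 zone "Untrust"
set interface serial0/2 route
set route 0.0.0.0/0 interface serial0/2
set policy id 10 from "DMZ" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 11 from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log
set policy id 12 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
```

Policy 10 is the one Hans recommends; nat src is what makes the translation explicit rather than relying on the interface NAT mode. Policies 11 and 12 add nothing to the default-deny behaviour and exist only for the log keyword, so blocked inbound and DMZ-to-Trust attempts show up in the traffic log of a guest network. After applying it, get policy and get route should show the DMZ policies and a default route out of the Untrust interface before any client testing.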
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

So half way there....

 

I am getting a failure at the application level, it seems.

 

If I go to the command line on my laptop, I can nslookup any address, so it seems my DNS is working correctly. When I go into my browser, I cannot resolve any names. If I type in the IP address, it works.

 

I haven't seen it fail for one but not the other.

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

?????????

 

This sounds really spooky.

 

I cannot understand that your PC can do a DNS lookup but can't resolve the IP address of the fully qualified domain name when you type it into your browser??

 

What happens if you try to type the following from the command line on your laptop:

 

telnet www.google.com 80

 

Your command line should go blank to show you are connected. (You can break that with CTRL + ¨ and then type quit.)

 

 

Regards

Hans
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Epic....

 

(This isn't copy-paste, it's just typed out, so...)

 

telnet www.google.com 80
Connecting to www.google.com..... Failed to connect to www.google.com on port 80

 

nslookup www.google.com

74.125.63.106 XX.XX.XX.XX XX.XX.XX.XX

 

telnet 74.125.63.106 80

*works*

 

 

 

 

 

 

I've seen others who have had this issue, so it's not a real oddity, but I haven't found a solution. Would anything block DNS from resolving to the application layer? Oh, and I don't have any proxies set up in my browsers. Also tried multiple browsers.

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Allright!

 

1. Which ScreenOS version do you run?

 

2. As I understood, you have configured wireless in the DMZ zone. Is that an external AP or is it integrated with the SSG-20?

 

3. What is the model of your laptop and which wireless adapter has it got?

 

4. Do you experience the same problems on both wireless and wired connections?

 

5. Have you tried doing the debugging part I mentioned in an earlier post?

 

6. If your firewall is configured with DNS, hostname and domain name, you should try the following:

 

ping www.google.com from ethernet0/1

 

 

Regards

Hans
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

1. 6.1.0r4.0 (Firewall+VPN)

2. It is an external AP which I pulled from our existing wireless network. (Netgear)

3. I have a Dell Precision M2400 (Intel WiFi Link 5300 AGN). (I have attempted to get to Google from multiple laptops with the same outcome.)

4. The DMZ eth0/1 port goes directly into the AP. I do not have access to a wired port. I could remove the wireless, though.

5. The last time I did the debugging part, it seemed like the same spam message over and over again. I will run it and post what I get.

6. My firewall is configured with DNS; not sure I follow you with the domain or host name. My SSG20 does not have a domain name.

 

 

 

Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Removing the AP from the picture didn't do anything. Still the same problem. Below is the debug; this continues pretty much forever:

 

Processing packet through normal path.

Packet passed sanity check

self:10.2.2.1/23 -> 10.2.2.105/1153,6<root>

existing session found. sess token 5

flow got session.

flow session id 7473

skip ttl adjust for packet from self.

post addr xlation 10.2.2.1->10.2.2.105.

flow_send_vector_, vid=0, is layer_2_if=0

packet send out to 0019b956515c through ethernet0/1

****8548727.0: <DMZ/ethernet0/1> packet received [41]*******

ipid = 16337<3fd1>, @033c1fd0

packet passed sanity check

ethernet0/1:10.2.2.105/1153->10.2.2.1/23,6<root>

existing session found. sess token 13

flow got session flow session id 7473

post addr xlation 10.2.2.105->10.2.2.1.

packet is for self, copy packet to self

copy packet to us

****** 8548727.0 >self/self> packet received [40] *************

ipid = asoihgapsidew6y9-12ht-

 

--more---

 

 

This continues for pages and pages and pages... I think it eventually gets to my WAN address. My computer died before I could get to it, though.

 

hopefully this gives you an idea.

 

You said in your second post to configure a DIP. Would you still like me to do this?

Super Contributor
Posts: 171
Registered: 11-05-2007

Re: Setting up a DMZ on an SSG-20

Hi

 

The debug you have pasted into the post doesn't show anything, as it is not traffic going through the firewall.

 

As to NAT, you don't have to configure a DIP; as long as you use the nat src in your policy it will translate the source IP to that of the external interface.

 

Right now I have the problem that I cannot see the configuration and see what goes wrong.

 

What I would recommend is that you open a case at JTAC. What they will probably do is ask for the output from get tech, or get you to connect to a secure meeting where they can see the output from your terminal emulation, so that they can see what is wrong.

 

I am convinced that as soon as you have a JTAC engineer looking at your configuration he will quickly see where the problem is.

 

Regards

Hans
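The debug procedure Hans described earlier (set ff, debug flow basic, clear db, get db stream), scoped so that the capture answers the question this post raises: is DMZ traffic actually going through the firewall and being source-translated? This is an added example, not part of the original thread. The pasted output above is the laptop's own telnet session to the firewall management address (10.2.2.105/1153 -> 10.2.2.1/23, "packet is for self"), which a plain src-ip filter will happily fill the buffer with; filtering on the Internet destination as well excludes it. The client address 10.2.2.105 and the destination 74.125.63.106:80 are taken from the thread; the dst-ip/dst-port filter form, the order of cleanup commands and the get session filter are assumptions about the CLI rather than anything the posters ran.

```text
set ff src-ip 10.2.2.105 dst-ip 74.125.63.106 dst-port 80
get ff
debug flow basic
clear db
get db stream
undebug all
unset ff
get session src-ip 10.2.2.105
```

Run telnet 74.125.63.106 80 from the laptop between clear db and get db stream, then read the stream for the first packet of the session: it should show a policy search from the DMZ zone to Untrust, a permit by the dmz-to-untrust policy, a post addr xlation line translating 10.2.2.105 to the Untrust interface address, and a "packet send out" line naming the Untrust interface. A "packet dropped" line, or a translation to anything other than the egress address, identifies the step that is wrong. The get session line at the end is the cheap follow-up check: an established session for the laptop should list the translated address and the Untrust egress interface. Turn debugging off and clear the filter when done; debug flow basic is per-packet work on a small box and an open filter keeps matching.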
Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

Unfortunately, my tech support has run out. I will post the solution once I figure something out.

Contributor
Posts: 44
Registered: 03-16-2010

Re: Setting up a DMZ on an SSG-20

So I did the dishonorable thing and did a workaround. There is something with Juniper routers and DMZs that I do not know about which is giving me the above error. Anyway...

 

 

I bound eth0/4 to bgroup1 and set up a new subnet within it on the trust network. I then created a new policy to restrict the subnet of bgroup1 from bgroup0. Got it up and running in 1.5 minutes using the exact same settings as those used in the DMZ, minus the nat-src setting.

 

I would still be interested in knowing what extra step is needed for the DMZ to work correctly.