ScreenOS


This is a legacy community with limited Juniper monitoring.

Static IP behind SSG320M not working

  • 1.  Static IP behind SSG320M not working

    Posted 05-14-2009 09:41

    Hi All,

     

    Need some help here.

    We've just purchased SSG320M to replace our old NS5GT.

    Everything is identical, except that all clients with a static IP behind the SSG320M are unable to access the internet.

    I've opened any-any policies on both trust-untrust and untrust-trust.

    I can telnet into the SSG320M but am unable to log in with SSH, even though it's checked under the untrust interface.

    I can ping the static IP workstation but am unable to log in with Remote Desktop from the outside network.

    Clients with IPs issued by the SSG320M DHCP server work fine without any issue.

    Any thoughts?

     


     



  • 2.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 09:48

    (1) If clients in trust are not able to access the internet, it could be a few things:

     

    i) DNS not set up correctly.

    - can you try to do "nslookup" and see if you are able to resolve DNS?

     

    ii) NAT not configured properly.

    - for a quick test, just go to the "Trust" to "Untrust" policy, go to Advanced, select the first check box, Source Translation, and select the Egress interface

     

    (2) If you are outside the network, then you need to check the VIP or MIP configured. If you can show the policy we can take a look 

     

    (3) For ssh, can you telnet into the firewall and check if SSH has been enabled?

    get ssh



  • 3.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 11:46

    I've changed the real IP to 10.1.1.x.

    Ran trace-route from the SSG320M with no issue.

    Ran nslookup from the workstation with no luck.


    Enabled SSH through telnet and it's working now.

     

    One thing that doesn't look right in the policy traffic log here is that "Translated Source Address/Port" always uses the last three digits of the local IP address instead of the gateway IP.

     

    Date/Time        Source Address/Port   Destination Address/Port   Translated Source Address/Port   Translated Destination Address/Port   Service   Duration   Bytes Sent   Bytes Received   Close Reason
    5/14/2009 11:26  192.168.1.102:50428   64.60.0.17:53              10.1.1.102:50428                 64.60.0.17:53                         DNS       62 sec.    160          0                Close - AGE OUT
    5/14/2009 11:26  192.168.1.201:50428   64.60.0.18:53              10.1.1.201:50428                 64.60.0.18:53                         DNS       60 sec.    80           0                Close - AGE OUT

     

     

    Here's the config file.

    unset key protection enable
    set clock ntp
    set clock timezone -8
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "Null"
    set interface "ethernet0/2" zone "Untrust"
    set interface ethernet0/0 ip 192.168.1.1/24
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/2 ip 10.1.1.137/27
    set interface ethernet0/2 route
    set interface ethernet0/2 gateway 10.1.1.129
    set interface "ethernet0/2" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/0 manage mtrace
    set interface ethernet0/2 manage ping
    set interface ethernet0/2 manage ssh
    set interface ethernet0/2 manage telnet
    set interface ethernet0/2 manage snmp
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface vlan1 manage mtrace
    set interface ethernet0/0 dhcp server service
    set interface ethernet0/0 dhcp server enable
    set interface ethernet0/0 dhcp server option gateway 192.168.1.1
    set interface ethernet0/0 dhcp server option netmask 255.255.255.0
    set interface ethernet0/0 dhcp server option dns1 64.60.0.17
    set interface ethernet0/0 dhcp server option dns2 64.60.0.18
    set interface ethernet0/0 dhcp server ip 192.168.1.101 to 192.168.1.199
    unset interface ethernet0/0 dhcp server config next-server-ip
    set interface "ethernet0/2" mip 10.1.1.155 host 192.168.1.201 netmask 255.255.255.255 vr "trust-vr"
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain kcal.net
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 64.60.0.17
    set dns host dns2 208.57.0.11
    set dns host dns3 4.2.2.1
    set dns host schedule 06:28
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 6 from "Untrust" to "Trust"  "Any" "MIP(10.1.1.155)" "ANY" permit log
    set policy id 6
    set log session-init
    exit
    set policy id 5 from "Trust" to "Untrust"  "MIP(10.1.1.155)" "Any" "ANY" permit log
    set policy id 5
    set log session-init
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
    set policy id 1
    exit
    set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
    set policy id 4
    set log session-init
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "132.163.4.102"
    set ntp server backup1 "time-nw.nist.gov"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    Message Edited by e292644 on 05-14-2009 12:02 PM


  • 4.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 12:18

    Yes, you are right, the firewall should have NATed that to the untrust interface address.

    Can you try to move policy ID 1 before ID 5 ?

     

    I think policy 5 is not correctly configured as well. But try that first and see if it works.

     

     



  • 5.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 12:39

    Thanks for the tips.

    I have moved policy ID 1 before ID 5 and DHCP clients can get online.

    The static IP client is still not able to get online unless I delete policy 5 and remove the MIP.

    It doesn't make any sense that having the MIP in place would cause it to fail.



  • 6.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 12:50

    The goal of the MIP is to achieve bidirectional one-to-one NAT.

     

    But looking at the session information that you showed, it seemed as if the MIP was kicking in for all traffic, which was not correct; my guess was that the MIP policy was affecting that even though it should not have.

     

    So once policy ID 1 is hit first by most of the hosts, DHCP clients work fine.

     

    So I guess by static IP you mean the client which was 192.168.1.201, right? If you want to do one-to-one mapping for this client, then MIP is the way to go.

     

    If you want to just allow access from the Internet to the PC for RDP, then you can use a VIP.

     

    In any case, you should only need one policy for the MIP as it's bidirectional, so I think policy 5 was not correctly set up anyway.

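    The VIP alternative mentioned in the reply above, as an added example that is not part of the thread or of the posted config: it publishes only RDP (TCP/3389) to 192.168.1.201 through a second address on ethernet0/2, instead of a one-to-one MIP. Assumptions: 10.1.1.156 is an unused address in the 10.1.1.128/27 untrust subnet, policy id 7 is free, and "MS-RDP" is the predefined ScreenOS service for TCP/3389 on this release. Lines beginning with # are annotations, not CLI input.

```text
# Added example (not from the thread): RDP-only exposure of 192.168.1.201 with a VIP.
# Assumed free address 10.1.1.156 on the Untrust subnet; assumed unused policy id 7.
# Map 10.1.1.156:3389 -> 192.168.1.201:3389 only; nothing else on that address is exposed.
set interface ethernet0/2 vip 10.1.1.156 3389 "MS-RDP" 192.168.1.201

# Inbound policy: only the RDP service, only to the VIP.
set policy id 7 from "Untrust" to "Trust" "Any" "VIP(10.1.1.156)" "MS-RDP" permit log

# Outbound from 192.168.1.201 needs no extra policy: with no MIP in place it
# matches the general Trust->Untrust policy (id 1 in the posted config) and is
# interface-NATed to 10.1.1.137 like every other Trust host, because ethernet0/0
# is in NAT mode and ethernet0/2 in route mode in that config.

# Checks
get vip
get policy id 7
save
```

    Unlike the MIP, a VIP is inbound-only: it does not change what the workstation's own traffic looks like on the untrust side, which is why it suits a host that only needs to be reachable on one port. If the host must keep a fixed public source address for outbound connections too, the MIP with a single Untrust-to-Trust policy is the right tool.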


  • 7.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 13:53

    If I set Any to MIP and MIP to Any with "ANY" permit, it should allow everything in and out without restriction.

     

    set policy id 6 from "Untrust" to "Trust"  "Any" "MIP(10.1.1.155)" "ANY" permit log
    set policy id 5 from "Trust" to "Untrust"  "MIP(10.1.1.155)" "Any" "ANY" permit log

     

    Can't think of anything that would block it from accessing the internet.

     

    What else do I need to add for it to work?

    Can you show me some examples?

    All settings were copied from the NS5GT and it's still connected to the network right now.

     

    Thanks,



  • 8.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 14:09

    Here's a pretty good guide for the NAT:

    http://kb.juniper.net/index?page=content&id=KB11909&smlogin=true

     

    It should still have worked with the MIP, though; the MIP should have only picked up that one IP address. As usual, I'm going to ask you to run some debugs so we can check what's actually going on:

     

    set ff src-ip X.X.X.X

    set ff dst-ip X.X.X.X (X is the IP of the PC with the static IP)

    cl db

    debug flow basic

    -> try to access internet 

    undebug all

    get db srtr (post this output)

     

    That will be easier to see.



  • 9.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 14:50

    Debug attached.

    Thanks again!

    Attachment: debug201.txt (7 KB)


  • 10.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 14:54

    I think the DNS server configured for the static IP client is not right. See the debug below:

    ****** 05208.0: <Trust/ethernet0/0> packet received [60]******
    ipid = 2709(0a95), @05bf6064
    packet passed sanity check.
    flow_decap_vector IPv4 process
    ethernet0/0:192.168.1.201/59112->192.168.1.1/53,17<Root>
    no session found
    flow_first_sanity_check: in <ethernet0/0>, out <N/A>
    self check, not for us
    chose interface ethernet0/0 as incoming nat if.
    packet dropped: for self but not interested

    So you can see 192.168.1.201 is sending a DNS request to the firewall interface IP. Can you check the DNS setting?

    I think the proper DNS servers configured should be as you set up for the DHCP server:

     

    set interface ethernet0/0 dhcp server option dns1 64.60.0.17
    set interface ethernet0/0 dhcp server option dns2 64.60.0.18

     

    Can you check with "ipconfig /all" on the PC?



  • 11.  RE: Static IP behind SSG320M not working

    Posted 05-14-2009 15:30

    @WL

     

    This PC is set up with a static IP address, with DNS pointing to 192.168.1.1 and the 2nd to 64.60.0.17.

    We have no issue with the PC set up with a DHCP IP.

     

    Once the static IP is set and the MIP added, this PC is no longer able to get online.

    If I remove the MIP then it works without issue.

     

    I'm at a remote site and our tech left for the day.

    BTW, I'm not able to ping 192.168.1.201 if I telnet into the SSG320M. But I was able to ping it if the workstation was set up as DHCP.

     

    Thank you.



  • 12.  RE: Static IP behind SSG320M not working
    Best Answer

    Posted 05-14-2009 18:23

    So my point was that for this client 192.168.1.201, the DNS server should not be configured to be 192.168.1.1.

    192.168.1.1 is the firewall and not the DNS server. The effect of this configuration may cause some DNS requests to fail, like in the debug I showed you.

     

    This is only for this static IP PC. The DHCP ones will be correct because the DHCP configuration is correct on the firewall.

     

    Did you remove policy id 5 and leave policy id 6?

     

    Can you try to run the debug while doing a ping to the PC from the firewall? Also please check if you can ping this static IP PC from some other DHCP PC.



  • 13.  RE: Static IP behind SSG320M not working

    Posted 05-15-2009 08:47

    @WL, Thanks again!

     

    The first try was successful by following these steps:

     

    1. Policy 5 removed.

    2. Set the static IP workstation's 1st DNS to point to 64.60.0.17 (after this step we're able to access the internet).

    3. Set the static IP workstation's 2nd DNS to point to 192.168.1.1 (after this step I can ping from the firewall to the PC).

    4. Set the static IP workstation's 3rd DNS to point to the local DNS server (just in case we need to access local network host names).

     

    We will try full-scale testing later today after rolling back the configuration file.
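
    The end state the thread arrived at, written out as ScreenOS CLI against the config posted in reply 3. This is an added example, not the poster's final configuration: it assumes the MIP address, interface names and policy ids from that config, and that the workstation's DNS servers are fixed on the PC itself as in the steps above (the firewall config cannot set them for a static host). Lines beginning with # are annotations, not CLI input.

```text
# Added example (not from the thread): MIP with a single inbound policy.
# Addresses, interfaces and policy ids are taken from the posted config.

# One-to-one, bidirectional mapping 10.1.1.155 <-> 192.168.1.201
set interface "ethernet0/2" mip 10.1.1.155 host 192.168.1.201 netmask 255.255.255.255 vr "trust-vr"

# The MIP needs only the inbound policy. The outbound "MIP(10.1.1.155)" -> Any
# policy (id 5) is what the thread removed; drop it.
unset policy id 5
set policy id 6 from "Untrust" to "Trust" "Any" "MIP(10.1.1.155)" "ANY" permit log

# Outbound traffic from 192.168.1.201 matches the general Trust->Untrust policy.
# The MIP rewrites that host's source to 10.1.1.155; every other Trust host is
# interface-NATed to 10.1.1.137 (ethernet0/0 in NAT mode, ethernet0/2 in route mode).
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log

# Checks: mapping present, policy order, the host's live sessions, reachability
get mip
get policy
get session src-ip 192.168.1.201
ping 192.168.1.201
save
```

    Once RDP from outside works, narrow the service on policy 6 from "ANY" to "MS-RDP" (or whatever the host actually serves); an Any-to-MIP ANY permit exposes every port on 192.168.1.201. The posted config also still carries policy 4, an Untrust-to-Trust Any-to-Any ANY permit, which was useful while troubleshooting but should be removed once the MIP policy is confirmed to match.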