Screen OS

  • 1.  Technical information required: multiple interfaces on SSG550M

    Posted 09-29-2016 11:23

    Hello Community,

    This is my first message here and I hope somebody can share thoughts. We are trying to run an Algosec scan of our SSG firewall from a remote site on a different network.
    The issue is that we have an SRX between the 2 endpoints that cannot cope (we believe) with an ssh connection to the NATed address of the SSG.

    [Image: TP.PNG]

    The red route would be the theoretical current means of getting to the 139.166.x.x firewall from the NERC link, but NAT on the SRX prevents the Algosec from SSHing direct to anything behind the SRX.
    What we were thinking was to cable on a different interface on the SSG to the WAN switch, or to a switch on the LAN, giving this a different subnet address to 139.166.x.x (red dashed line), circumventing the SRX completely and then limiting the interface on the SSG to only allow access from the Algosec IP address.


    Thx,

    Myky

  • 2.  RE: Technical information required: multiple interfaces on SSG550M
    Best Answer

    Posted 09-29-2016 12:18

    Looks like you are trying to do asymmetric routing.  This causes issues with stateful devices (firewalls).  I would recommend configuring the path to go either directly back to the SSG from the LAN, or, configure the path so the initial traffic flows through the SRX.

    For example,

    Algosec -- cloud -- SSG-550 -- SRX-100 -- SSG-550M

    Return path,

    SSG-550M -- SRX-100 -- SSG-550 -- cloud -- Algosec
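To show why the asymmetric path fails, here is an added Python example (not from this thread, Algosec or Juniper) that models a stateful firewall with a session table. The device names and the direct bypass link are assumptions based on the description above; the SRX on the return path has never seen the initial SYN, so it has no session and drops the reply.

```python
from typing import NamedTuple, Set, Tuple, List

# Constructed packet model: a 4-tuple plus a flag for the first packet of a flow.
class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool

class StatefulFirewall:
    """Minimal stateful device: forwards a packet only if it starts a session
    or belongs to a session already created by a previously seen SYN."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Set[Tuple[str, str, int, int]] = set()

    def forward(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.syn:
            self.sessions.add(key)   # initial packet creates the session
            return True
        # Reply traffic is allowed only if a matching session exists.
        return key in self.sessions or reverse in self.sessions

def run_flow(forward_path: List[StatefulFirewall],
             return_path: List[StatefulFirewall]) -> bool:
    """Send the SYN along forward_path and the SYN-ACK back along return_path;
    returns True only if every device on both paths forwards its packet."""
    syn = Packet("algosec", "ssg550m", 40000, 22, True)
    if not all(fw.forward(syn) for fw in forward_path):
        return False
    synack = Packet("ssg550m", "algosec", 22, 40000, False)
    return all(fw.forward(synack) for fw in return_path)

def scenario_symmetric() -> bool:
    # Both directions traverse SSG-550 and SRX-100, as the answer recommends.
    ssg550, srx100 = StatefulFirewall("SSG-550"), StatefulFirewall("SRX-100")
    return run_flow([ssg550, srx100], [srx100, ssg550])

def scenario_asymmetric() -> bool:
    # Initial packet uses the assumed direct link that bypasses the SRX,
    # but the SSG-550M's reply is routed back out through the SRX-100.
    ssg550, srx100 = StatefulFirewall("SSG-550"), StatefulFirewall("SRX-100")
    return run_flow([ssg550], [srx100, ssg550])
```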