Screen OS

  • 1.  Trouble accessing internet from new zone

    Posted 01-08-2013 05:39

    I'm trying to set up on my NetScreen-208 a second zone for public wireless. I set up the zone, applied it to an interface with its own IP scope, set up DHCP, and set up a policy to allow Public to Untrusted, any, any, any. I plug my laptop right into the Public interface and get an IP address but have no internet access; I can ping the firewall but nothing past that. My config is attached with appropriate things x'ed out. Yes, the private subnet is screwy; I inherited that. I'll take any other recommendations if anything else stands out; I'm more accustomed to working with Cisco and SonicWall than Juniper. Thanks for the help!



  • 2.  RE: Trouble accessing internet from new zone

    Posted 01-08-2013 05:46

    I noticed you have no netmask on ethernet4 DHCP (like you do on eth1):


    set interface ethernet1 dhcp server service
    set interface ethernet4 dhcp server service
    set interface ethernet1 dhcp server enable
    set interface ethernet4 dhcp server enable
    set interface ethernet1 dhcp server option lease 10080 
    set interface ethernet1 dhcp server option gateway 172.21.10.1 
    set interface ethernet1 dhcp server option netmask 255.255.255.0 
    set interface ethernet1 dhcp server option dns1 97.81.22.195 
    set interface ethernet1 dhcp server option dns2 71.92.29.130 
    set interface ethernet4 dhcp server option lease 1440 
    set interface ethernet4 dhcp server option gateway 172.21.20.1 
    set interface ethernet4 dhcp server option dns1 8.8.8.8 
    set interface ethernet1 dhcp server ip 172.21.10.100 to 172.21.10.200 
    set interface ethernet4 dhcp server ip 172.21.20.100 to 172.21.20.129 


  • 3.  RE: Trouble accessing internet from new zone
    Best Answer

    Posted 01-08-2013 05:47

    You will need to enable Source-NAT on the policy. You can enable logging on the policy to check as well.

    Current:

      set policy id 12 from "Public" to "Untrust"  "Any" "Any" "ANY" permit [log]

    Change to:

      set policy id 12 from "Public" to "Untrust"  "Any" "Any" "ANY" nat src permit [log]

    By default, only traffic from the "trust" zone is source-NAT'ed if the interface is set to "nat" (set interface ethernet1 nat). For custom zones, the nat/route setting has no effect; you need to explicitly specify NAT.

    Hope this helps.

    Regards,

    Sam
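As an added example (not from the thread, and not Juniper's own tooling), a small Python audit script that applies the two checks raised in the replies above to a ScreenOS config dump: permit policies into Untrust from any zone other than Trust that lack `nat src`, and interfaces running a DHCP server with no netmask option. The sample config, zone names and policy ids are constructed for illustration.

```python
import re

# Constructed sample ScreenOS config, modelled on the lines quoted in this thread.
SAMPLE_CONFIG = """
set interface ethernet1 nat
set interface ethernet1 dhcp server option gateway 172.21.10.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet4 dhcp server option gateway 172.21.20.1
set interface ethernet4 dhcp server option dns1 8.8.8.8
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 12 from "Public" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 13 from "Guest" to "Untrust" "Any" "Any" "ANY" nat src permit
"""

# set policy id <id> from "<src>" to "<dst>" "<srcaddr>" "<dstaddr>" "<svc>" <action...>
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"'
    r'\s+"[^"]+"\s+"[^"]+"\s+"[^"]+"\s+(.*)$'
)
DHCP_OPT_RE = re.compile(r'^set interface (\S+) dhcp server option (\S+)')


def find_policies_missing_src_nat(config, untrust_zone="Untrust",
                                  implicit_nat_zones=("Trust",)):
    """Return ids of permit policies into the untrust zone whose source zone
    is not implicitly NATed and whose action lacks 'nat src'.
    Assumption (from the thread): only the Trust zone is source-NATed by the
    interface nat mode; custom zones need 'nat src' on the policy."""
    missing = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        pid, src_zone, dst_zone, action = m.groups()
        if dst_zone != untrust_zone or src_zone in implicit_nat_zones:
            continue
        if "permit" in action and "nat src" not in action:
            missing.append(int(pid))
    return missing


def find_dhcp_missing_netmask(config):
    """Return interfaces that set DHCP server options but no netmask option."""
    options = {}
    for line in config.splitlines():
        m = DHCP_OPT_RE.match(line.strip())
        if m:
            options.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(i for i, opts in options.items() if "netmask" not in opts)
```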



  • 4.  RE: Trouble accessing internet from new zone

    Posted 01-15-2013 14:16

    Enabling NAT fixed it, thanks.