08-08-2012 05:01 AM
I would appreciate any pointer on this as a non-security person working on juniper for the first time, it sometimes get confusing.
I have 2 NS5GT's connected to two different ISP's configured to failover when the primary link goes down. The failover works fine but the problem is that internal users can't access the internet when cluster fails over to the backup device.
The excerpt of the configuration on the backup firewall is posted below.
The same policies are present on both firewalls. The first two DNS servers are for the first ISP while the third is for the second ISP.
set DNS host dns1 220.127.116.11
set dns host dns2 18.104.22.168
set DNS host dns3 22.214.171.124
set address "Trust" "172.16.15.0/24" 172.16.15.0 255.255.255.0
set address "Untrust" "126.96.36.199/32" 188.8.131.52 255.255.255.255
set address "Untrust" "184.108.40.206/32" 220.127.116.11 255.255.255.255
set policy id 4 from "Trust" to "Untrust" "172.16.15.0/24" "Any" "Netbios" deny log
set policy id 4
set policy id 1 from "Trust" to "Untrust" "172.16.15.0/24" "Any" "ANY" permit log
set policy id 1
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 2
set policy id 5 from "Untrust" to "Trust" "18.104.22.168/32" "MIP(22.214.171.124)" "ANY" permit log
set policy id 5
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 3
set policy id 6 from "Untrust" to "Trust" "Any" "MIP(126.96.36.199)" "ANY" permit log
set policy id 6
set route 0.0.0.0/0 interface ethernet0/0 gateway 188.8.131.52
set route 0.0.0.0/0 interface ethernet0/2 gateway 184.108.40.206 metric 5
I have been told it could be a problem with the DNS that I need to set up DNS proxy, if this is so, how is this done?
I have also been made to understand that the policy 6 is not necessary for the second firewall as IP address provided by ISP is not enough to use MIP (only 2 available addresses but 3 are required for MIP i.e.. ADSL router, eth0/2 untrust and MIP ) Will simple NAT provide a workaround this? If so, how.
08-08-2012 06:40 AM
Have you been able to check if the firewall is able to reach internet after failover.
log into CLI and try to ping an IP address on internet (220.127.116.11)
The try to source the ping from trust interface :
ping ip from trust-interface
If this works check if LAN user can ping firewall trust ip, then try pinging internet gateway and then ping an address on internet.
Once you complete the tests, it can give more clues.
08-08-2012 06:49 AM
You have an IP conflict. The second MIP has the same IP as the gateway (18.104.22.168).
If you have no free IPs you can configure a MIP-Same-as-Untrust. Read more on this in Concepts and examples, vol. Address Translation. I would recommend to use the VIP-Same-as-Untrust but this will be a problem if service Any is used in the policy.
The policies opening all (!) ports inbound are very confusing me. On the other hand, both policies with MIPs make no sense. The policy 5 opens an unrestricted access from ADSL router IP 22.214.171.124 only. I have no idea what is the reason to have such a policy. The policy 6 cannot be hit due to the IP conflict.
08-08-2012 09:08 AM
Many Thanks Edouard,
The documentation you refered me to was very helpful indeed.
I wont be availble till next week but will try this out and come back to you as regards the results.
I am most grateful
08-08-2012 09:10 AM
Many thanks for your helpful pointers.
I will check all this, will be away for some time but will let update you as soon as I do.