ScreenOS Firewalls (NOT SRX)
dianseh

how to using trust ip address at my router to outside

Hello,

I'm new here. Glad to have found this forum.

Actually, I need some help configuring my Juniper SSG-550M.

This is my situation:

My SSG-550M has 2 active interfaces:

- ethernet0/0, in the untrust zone, has a private IP from the ISP (172.16.30.2/30)
- ethernet0/1, in the trust zone, has a public IP from the ISP (203.x.x.33/28).

The default gateway to the outside (Internet) is 172.16.30.1 (towards the ISP side).

My problem is that I can't perform outgoing actions such as traceroute, AV update, NTP sync, or DNS requests from my box (the SSG 550M router), since they use the private IP gateway.

My question: how do I make it work? I am wondering about using my public IP address that is assigned to the trust interface (ethernet0/1).

Any advice would be great.

Thank you.



Regards,

Dianse H
echidov

Hi,

You can do this! Use ping/trace with the keyword "from": ping xxx.xxx.xxx.xxx from eth0/1. The syntax for telnet is slightly different: telnet xxx.xxx.xxx.xxx port number src-interface eth0/1.

When configuring NTP, DNS, or SNMP, you can always select eth0/1 as the source interface.

You cannot configure a source interface for the AV updates, but you can try to install an internal proxy for downloading the AV patterns indirectly: SSG --> Proxy --> Juniper AV server.

Kind regards,

Edouard

dianseh

Thank you for the fast reply.

What about retrieving the license key? Does that need a proxy too?



Regards,

Dianse H
echidov

Hi,

You can retrieve it from the Juniper Licensing Site (using a Web browser) and install it on the SSG using the command exec license-key key_str. Your device should be registered by Juniper for this.

Kind regards,

Edouard

dianseh

Thank you for the solutions, greatly appreciated :)

By the way, could NAT be applied in a situation like this?




Regards,

Dianse H
echidov

Hi,

You are welcome!

Sorry, I did not understand your question. If you send a packet from the trust interface to the Internet, it has already got a public IP as its source IP. If you send a packet from the untrust interface to the Internet, its src IP is a private one and the packet is away! It will be sent but never responded to.

Kind regards,

Edouard

dianseh

Sorry,

Since I don't have any internal proxy in my local network, I am searching for solutions to update the AV.

I think when the packet goes out from the untrust interface, the packet will be sent but never responded to, so I have to NAT it using a public IP. The question is: is it possible (in this case)?



Regards,

Dianse H
echidov

Hi Dianse,

Hmm... This is not a trivial problem and a solution might be very, very tricky. The SSG would not NAT packets generated by itself. This can only be done on the ISP router, perhaps with one of your public IPs.

I would recommend installing a simple proxy. There are free proxy applications on the Internet.

Kind regards,

Edouard

dianseh

Dear,

I see, I see.

"The SSG would not NAT packets generated by itself." <--- This is what I want to know, actually.

Thank you very much, Edouard.



Regards,

Dianse H
echidov

Hi Dianse,

Please read the post http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Untrust-Interface-172-16-1-1-30-Site-to-Site...

SSHSSH knows a trick that might solve your problem:

"....create a MIP on the untrust interface like the below:

host address: interface ip

Mapped address: a public ip

This will translate the packets sent from the firewall itself..."

Kind regards,

Edouard

 
