Screen OS

  • 1.  ns5gt behind residential router

    Posted 01-06-2009 08:16

    One of my remote users has a NetScreen 5GT at her home office. Since this device has been installed, the rest of her family has had to live under the shadow of our strict security policies. This in turn has created problems for me, since I get a lot of requests to extend DHCP ranges, open ports for the Slingbox, and figure out how to allow the new Xbox and Nintendo Wii they got for Christmas to play online matches through the strict NAT that the 5GT uses.

     

    I have decided to now take a different approach, and that involves letting the user have a standard Linksys or Netgear router connected to her cable modem, then having the ns5gt sit behind that router.

     

    I would like to know what ports and protocols I need to forward to allow the creation of Juniper-to-Juniper VPN tunnels, as well as to allow NSM to manage that NetScreen when it is sitting behind a residential router. I know that I was able to accomplish this with an ns5gt sitting behind an ns204, but of course I had additional static IPs that could be utilized and the robustness of the Juniper OS to allow me to do what I needed.

     

    Any help would be great. They are willing to invest in any router that would help get this set up for them.

     

    Thanks

     


    #NS5GT
    #router


  • 2.  RE: ns5gt behind residential router
    Best Answer

    Posted 01-06-2009 09:21

    I have set up a few of our older 5GTs for some execs in the same fashion.  Here are a couple of things that can make your life a bit easier.  This has worked for most brands of home router (Linksys, D-Link, etc.).

     

    Most home routers are open from the inside.  They allow all outbound access.  So ports shouldn't be an issue for the outbound connections.

     

    NSM

     

    When you add the device in the NSM you want to add the device as unreachable.  When you go through the wizard you can either generate a configlet, or you can just generate the CLI and paste it on the 5GT.  The 5GT will then connect to the NSM, and this persistent connection will allow you to manage it without having direct access.  One neat feature of the NSM is the ability to use the connection to send CLI commands for troubleshooting. You can right-click on the device in the NSM, and use the troubleshoot functionality to run some CLI commands.  It's not pretty, but it is functional.

     

    Residential Routers Gaming DMZ

     

    You can use a combination of the residential router's gaming DMZ function and Dynamic DNS on the residential router to allow remote access to the 5GT for management via SSH. Create a reservation on the residential router for your 5GT, and then publish it via the gaming DMZ function that most residential routers have.

     

    VPN

     

    With the 5GT using DHCP on the untrust interface, when you go into the VPN manager it should create a dynamic VPN. Make sure you check the NAT traversal button in the VPN manager in the NSM. Both Dynamic VPN and NAT traversal must be configured for this to work behind the NAT device.

     

    That has worked for me.  Anytime you are behind a NAT device it complicates the config a bit.  Hope this helps you.

    Message Edited by shadow on 01-06-2009 11:23 AM
    Message Edited by shadow on 01-06-2009 11:25 AM


  • 3.  RE: ns5gt behind residential router

    Posted 01-06-2009 11:34
    The device is already in NSM, and did have a dynamic IP assigned via DHCP from Comcast. I was thinking of putting it as RMA, and then activating the device as unreachable. Is this a strategy you recommend, or should I just import the device from scratch and forget about the existing device in NSM?


  • 4.  RE: ns5gt behind residential router

    Posted 01-06-2009 12:20

    Considering that you are going to jump through the same amount of hoops RMAing it, and then running through the re-add with unreachable you might as well just remove it and re-add with unreachable from scratch.  You just have to be mindful of duplicate policy, and object cleanup. 

    Message Edited by shadow on 01-06-2009 02:22 PM


  • 5.  RE: ns5gt behind residential router

    Posted 01-06-2009 16:02

    Gave it a shot but was unable to get any communication through to the ns5gt. Had the untrust IP reserved, then put that in the DMZ, but I cannot SSH, HTTP or telnet to the ns5gt. Generating the CLI so the device could be imported did not work either. Tried adding the Linksys LAN as one of the permitted IP addresses in case that was the problem, but no luck there.

     

    If there is anything else I can try, please let me know what I can do to help this process along.

     

    Thanks!



  • 6.  RE: ns5gt behind residential router

    Posted 01-06-2009 19:41

    On the 5GT:

     

    Verify your IP address that you have received via DHCP.  Try pinging your default gateway, then an internet IP such as 4.2.2.2.

    Verify that ssh is enabled and is accepting connections.   "get ssh"

    Verify that your Untrust interface is allowing for SSH to be managed.  "get int untrust" or "get int eth3"

     

     

    Then verify your NSM config on the 5GT.  Perform a "get nsm".  Verify that it's using the MIP address instead of the internal NSM IP.   You should see connecting/disconnected as it attempts to connect.  Sometimes I have seen where the device doesn't connect right away with an unreachable.  Save and reboot.  See if the device comes up and connects to the NSM.

    Message Edited by shadow on 01-06-2009 09:49 PM
    Message Edited by shadow on 01-06-2009 09:50 PM
    Message Edited by shadow on 01-06-2009 10:21 PM


  • 7.  RE: ns5gt behind residential router

    Posted 01-07-2009 20:58

    OK, I was able to get the Juniper managed behind the router by replacing the Juniper (no idea what the deal was with that). My next problem is the VPN tunnel. At the hub, where I have a static IP address, I get the error message:  Rejected IKE packet because initial phase 1 packet arrived from an unrecognized peer gateway.

     

    The public IP is the peer gateway that the hub device is seeing, but the untrust IP address on the Juniper is a private IP (192.168.x.x). I do have NAT traversal enabled, and dynamic VPN as well.

     

    Is there anything else I should be looking for?



  • 8.  RE: ns5gt behind residential router

    Posted 01-07-2009 21:38

    SOLVED!!!

     

    On the Juniper behind the NAT device:

     

    Enable NAT-T, UDP checksum, and aggressive mode for the gateway

    Enable rekey for the IKE

     

    And it worked.

     

    Thanks for the help
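The NAT-T, UDP checksum, aggressive mode and rekey settings from the solution above, and the "unrecognized peer gateway" symptom from the previous post, written out as a ScreenOS CLI configuration for both ends. This is an added example, not configuration from anyone in the thread; the command syntax is from memory of ScreenOS documentation, and the hub address (203.0.113.10), IKE ID ("spoke1@example.com"), preshared key placeholder and object names are constructed. Because aggressive mode sends the PSK-derived hash before encryption is established, the preshared key should be long and random.

```screenos
# Lines beginning with '#' are annotations for the reader, not ScreenOS commands; do not paste them.
# Constructed values: 203.0.113.10 = hub public IP, "spoke1@example.com" = spoke IKE ID,
# PSK-PLACEHOLDER = preshared key. Replace all three with your own.

# ---- Spoke: ns5gt behind the residential NAT router (untrust holds a private DHCP address) ----
# Aggressive mode with a fixed local-id lets the hub identify this peer by its ID rather than
# by the post-NAT source address it sees, which is what the "unrecognized peer gateway" reject
# is complaining about when the hub expects a specific peer address.
set ike gateway "to-hub" address 203.0.113.10 aggressive local-id "spoke1@example.com" outgoing-interface "untrust" preshare "PSK-PLACEHOLDER" sec-level standard
# NAT-T encapsulates ESP in UDP/4500 so the home router can translate it; the UDP checksum
# option and periodic keepalives keep the router's NAT mapping alive between packets.
set ike gateway "to-hub" nat-traversal
set ike gateway "to-hub" nat-traversal udp-checksum
set ike gateway "to-hub" nat-traversal keepalive-frequency 5
set vpn "spoke-to-hub" gateway "to-hub" no-replay tunnel idletime 0 sec-level standard
# Rekey from the spoke side: the spoke must initiate, since the hub cannot reach a private address.
set vpn "spoke-to-hub" monitor rekey

# ---- Hub: static public address; the spoke is a dynamic peer matched by IKE ID, not by IP ----
set ike gateway "from-spoke1" dynamic "spoke1@example.com" aggressive outgoing-interface "untrust" preshare "PSK-PLACEHOLDER" sec-level standard
set ike gateway "from-spoke1" nat-traversal
set vpn "hub-to-spoke1" gateway "from-spoke1" no-replay tunnel idletime 0 sec-level standard

# ---- Verification on either side ----
get ike gateway
get sa
```

If the hub still logs the reject after this, check that the hub gateway was created as a dynamic peer rather than with the spoke's old public address; a static peer address will never match a host whose address is assigned by the NAT router.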