Screen OS

  • 1.  Fresh SSG-140 Setup

    Posted 08-25-2009 23:41

    Hello All -

     

    I went through the ICW to get my new SSG-140 up and running. However, I am stumped on why I cannot get out to the internet. The syslog shows that the untrust port is connected to the internet (it is logging tons of IP spoofing events).

     

    Wouldn't the default gateway (DFGWY) be the IP of the Trust port 0/0?

     

    I even created a policy of any/any from Trust to Untrust

    I do have a policy to block any/any from Untrust to Trust. However, even with it disabled, I still cannot get out to the internet.

     

    It's been about 6 years since I have worked with a Netscreen Firewall.

     

    - Rick




  • 2.  RE: Fresh SSG-140 Setup

    Posted 08-26-2009 04:43

    If you mean that the host connected to the firewall cannot get out to the Internet: yes, the host should be configured with its next hop (default route) set to the IP address of the firewall interface it connects to.

    Please post your tracert output to clarify this.



  • 3.  RE: Fresh SSG-140 Setup

    Posted 08-26-2009 05:08

    Check that the IP address of your host is in the same network as the trust 0/0 interface. Then make sure the host has trust 0/0 as its default gateway. Is the SSG-140 also the DHCP server for your host?

     

    Another question: has the trust zone interface been changed from NAT to route mode (I assume you use an RFC 1918 network behind your firewall)?

     

     



  • 4.  RE: Fresh SSG-140 Setup

    Posted 08-27-2009 21:49

    Host PC: 192.168.1.10/24 for the subnet, 192.168.1.253 for the default gateway (DFGY).

    No - The SSG-140 is not the DHCP server for our domain.

     

    - RG

     

    Here is my config file.

     

    unset key protection enable
    set clock timezone -8
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin http redirect
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen alarm-without-drop
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen icmp-fragment
    set zone "Untrust" screen icmp-large
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen limit-session source-ip-based
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen block-frag
    set zone "Untrust" screen limit-session destination-ip-based
    set zone "Untrust" screen icmp-id
    set zone "Untrust" screen tcp-sweep
    set zone "Untrust" screen udp-sweep
    set zone "Untrust" screen ip-spoofing drop-no-rpf-route
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface ethernet0/0 ip 192.168.1.253/24
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/1 ip 10.0.0.0/24
    set interface ethernet0/1 nat
    set interface ethernet0/2 ip 67.237.xxx.xx/30
    set interface ethernet0/2 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/2 manage ssl
    set interface ethernet0/2 manage web
    set interface vlan1 manage mtrace
    set zone V1-Untrust manage ssl
    set zone V1-Untrust manage web
    set interface "ethernet0/2" mip 67.235.xx.xxx host 192.168.1.xx netmask 255.255.255.255 vr "trust-vr"
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain domain.com
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 208.xx.xxx.xx src-interface ethernet0/2
    set dns host dns2 207.xx.xxx.xx src-interface ethernet0/2
    set dns host dns3 0.0.0.0
    set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 name "Inet" from "Trust" to "Untrust"  "192.168.1.0/24" "Any" "ANY" permit no-session-backup
    set policy id 1
    exit
    set policy id 2 name "Deny All" from "Untrust" to "Trust"  "Any" "Any" "ANY" deny
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • 5.  RE: Fresh SSG-140 Setup
    Best Answer

    Posted 08-27-2009 23:29
    Maybe I am missing it, but I found no default route in the trust-vr for your SSG 140. The config has `unset add-default-route` under trust-vr and no default route entry, so the firewall has no next hop for Internet-bound traffic from the Trust zone.


  • 6.  RE: Fresh SSG-140 Setup

    Posted 08-31-2009 14:12

    Thanks - got it working. The cobwebs are slowly being lifted.

     

    - RG