ScreenOS Firewalls (NOT SRX)

How I can make BGP configuration on SSG-140

‎12-28-2016 03:03 AM

Hi, I have a new primary ISP which offered us a /24 IP range via BGP. Could you please send me information to activate BGP for both ISP ports on my SSG140 Firewall.

 

Primary ISP- ethernet0/2

backup ISP- ethernet0/3 

 

Thank you in advance!


Re: How I can make BGP configuration on SSG-140

‎12-28-2016 03:15 AM

Hello,

 

You can make use of the below article.

 

https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch17s02.html

 

To prefer one ISP path over the other, you can use local preference as mentioned below:

 

https://www.safaribooksonline.com/library/view/screenos-cookbook/9780596510039/ch17s12.html

 

Regards,

 

Rushi


Re: How I can make BGP configuration on SSG-140

‎01-05-2017 01:18 AM

Where do I need to add the below information which the ISP has sent me:

 

1) Vlan 1111 - International Traffic
Communication network: 145.148.140.120/29
International Router1, ASN57344, 145.148.140.121/29 <> 145.148.140.126, DoT, ASN4578
International Router2, ASN57344, 145.148.140.122/29 <> 145.148.140.126, DoT, ASN4578



2) Vlan 1122 - UK Peering
Communication network: 145.148.140.128/29
UK Peering Router1, ASN57344, 185.148.140.129/29 <> 185.148.140.134/29, DoT, ASN4577
UK Peering Router2, ASN57344, 185.148.140.130/29 <> 185.148.140.134/29, DoT, ASN4577
Prefix 6300

3) BGP Network: 72.142.56.0/24

 

 


Re: How I can make BGP configuration on SSG-140

‎01-07-2017 08:31 AM

Example for the one peer.  Assign the 145.148.140.121 address to ethernet 0/2

 

Add the BGP to the VR and set the neighbors

set vr untrust-vr protocol bgp 57344
set vr untrust-vr protocol bgp enable 
set vrouter "untrust-vr" protocol bgp neighbor 145.148.140.126 remote-as 4578 local-ip 145.148.140.121/32 outgoing-interface ethernet0/2
set vr untrust-vr protocol bgp neighbor 145.148.140.126 enable
set interface e0/2 protocol bgp

Export policy added for route advertisement as desired.  This assumes you create a static route for this subnet and forward this on your device.  If this is a direct route

 

set vrouter "untrust-vr"
set access-list 1
set access-list 1 permit ip 72.142.56.0/24 1
set route-map name "route-map" permit 1
set match ip 1
exit
static route:
set route 72.142.56.0/24 interface ethernet0/x gateway x.x.x.x
set vrouter trust-vr protocol bgp redistribute route-map route-map protocol static
direct route:
set vrouter trust-vr protocol bgp redistribute route-map route-map protocol direct

Documentation

Chapter 35 on BGP

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_all.pdf

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
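
An added example, not part of the post above or of Juniper's documentation: a Python pre-check that the link network, local-ip, neighbor and AS numbers planned for a session agree with each other before they are typed into the firewall, run against the values quoted earlier in this thread. The function names are hypothetical, and the rendered commands only copy the form of the commands in the post above.

```python
import ipaddress

def check_peering(link_net, local_ip, neighbor_ip, local_as, remote_as, advertised):
    """Return the problems found in one planned eBGP session (empty list = consistent)."""
    net = ipaddress.ip_network(link_net)
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(neighbor_ip)
    adv = ipaddress.ip_network(advertised)
    problems = []
    for name, addr in (("local-ip", local), ("neighbor", peer)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside link network {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is not a usable host address in {net}")
    if local == peer:
        problems.append("local-ip and neighbor are the same address")
    if local_as == remote_as:
        problems.append("local and remote AS are equal, so this is not an eBGP session")
    if adv.overlaps(net):
        problems.append(f"advertised prefix {adv} overlaps link network {net}")
    return problems

def screenos_neighbor(vr, local_as, local_ip, neighbor_ip, remote_as, iface):
    """Render the neighbor commands in the same form as the post above."""
    return [
        f"set vrouter {vr} protocol bgp {local_as}",
        f"set vrouter {vr} protocol bgp enable",
        f"set vrouter {vr} protocol bgp neighbor {neighbor_ip} remote-as {remote_as} "
        f"local-ip {local_ip}/32 outgoing-interface {iface}",
        f"set vrouter {vr} protocol bgp neighbor {neighbor_ip} enable",
        f"set interface {iface} protocol bgp",
    ]

# Values as quoted in the thread; the choice of local/neighbor follows the post above.
VLAN_1111 = ("145.148.140.120/29", "145.148.140.121", "145.148.140.126", 57344, 4578)
VLAN_1122 = ("145.148.140.128/29", "185.148.140.129", "185.148.140.134", 57344, 4577)
ADVERTISED = "72.142.56.0/24"

if __name__ == "__main__":
    for label, session in (("Vlan 1111", VLAN_1111), ("Vlan 1122", VLAN_1122)):
        issues = check_peering(*session, ADVERTISED)
        print(label, "OK" if not issues else issues)
        if not issues:
            net, local, peer, las, ras = session
            print("\n".join(screenos_neighbor("untrust-vr", las, local, peer, ras, "ethernet0/2")))
```

Any problem reported for a session is a question to send back to the ISP before configuring the neighbor.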

Re: How I can make BGP configuration on SSG-140

‎07-04-2017 01:47 AM

Hi,

 

Will it be a problem if we have configured Vrouter in vtrust not in untrust?

 

With this configuration we have access to most webpages but no access to Internet services such as Skype, for example. Do we need to configure some kind of routing between the internal and external (BGP) networks?


Re: How I can make BGP configuration on SSG-140

‎07-04-2017 04:36 AM

Virtual routers maintain separate forwarding tables and are separate routers.

 

So if you have the peer in vtrust and your main clients in vuntrust you will need to create a connection where the traffic can reach each other.

 

This can be simply setting up a route with a next hop of the next vrouter, or you can treat the vrouters as separate and connect two ports on the firewall together, with one port in vtrust and the other port in vuntrust, and set up a routed link between the vrouters.

 

But if there is no reason compelling you to have the peer in a separate router, you should just set up the peer in the same vrouter as your other networks.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How I can make BGP configuration on SSG-140

‎07-04-2017 05:38 AM

Hi,

 

We have managed to establish a BGP connection but we are unable to access any Internet services like Skype, Viber and websites.

We are able to ping the WAN port from an external network.

Do you have any idea what can cause this issue?


Re: How I can make BGP configuration on SSG-140

‎07-04-2017 03:33 PM

If the peer is in the Trust VR and your main site is in the untrust VR then I would expect that result.

 

Simplest solution is to establish the interface and peer into the same VR as your main site.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How I can make BGP configuration on SSG-140

‎07-07-2017 09:59 AM

Hi,

 

We were able to fix this issue but there is another problem which we do not know what is causing it.

 

When we establish a site-to-site VPN with other sites via the new BGP provider, we are unable to access services hosted on the other site, for example to ping the other site's firewall device, but via the old provider we are able to access them.


Re: How I can make BGP configuration on SSG-140

‎07-08-2017 04:57 AM

These are the steps to troubleshoot a VPN that comes up but does not pass traffic.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How I can make BGP configuration on SSG-140

‎07-17-2017 11:16 PM

Hi,

 

All configurations seem to be OK but again we do not have access to remote side IPs. There is one specification in our system.

 

The E0/6 port is connected to the ISP and it has an IP from another network. Via this IP the SSG device receives the real BGP network, and we had to assign an IP from the real BGP network to the loopback port. Is it possible that our issue is related to the use of the loopback port?


Re: How I can make BGP configuration on SSG-140

‎07-19-2017 03:49 PM

From your thread I assume you have a site-to-site VPN that is not passing traffic.

 

To assist, I would need you to follow the steps in this KB article, and then post the results of the step where the tests fail.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How I can make BGP configuration on SSG-140

‎07-23-2017 11:54 PM

Hi,

 

I will try to collect the required information in the next two weeks.

 

The VPNs are up and they are route-based; the destination routes on both sides are the same, and the strangest thing is that from the other side to us there is traffic but from us to the other side there is no traffic 😞


Re: How I can make BGP configuration on SSG-140

‎07-26-2017 02:55 AM

It would be best to run the testing then from the side that does not send traffic.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Solution
Accepted by topic author Beko
‎08-08-2017 06:46 AM

Re: How I can make BGP configuration on SSG-140

‎08-08-2017 06:46 AM

Hi Spuluka,

 

We have managed to fix the problem with VPNs.

 

Thank you!
