Screen OS

  • 1.  SSG 140 Setup issue

    Posted 08-19-2008 11:14
    Hi,

    I have a customer with a new SSG 140 and I hope that you
    can recommend how to set up the system:

    The customer is connected to the internet via ADSL (PPPoE on int 2).
    The LAN is connected to int 0 and the DMZ is connected to int 1.

    The PPPoE int. (int. 2) obtains its IP from the ISP (DHCP): 212.143.225.61
    The LAN int. (int. 0) 192.168.30.254, with the network 192.168.30.0/24
    The DMZ int. (int. 1) 10.10.10.254, with the network 10.10.10.0/24

    The customer has two servers that need to be accessed from outside:

    Exchange server: 192.168.30.1 on the LAN.

    SA 2500: 10.10.10.253 on the DMZ and 192.168.30.253 on the LAN.


    Currently the Exchange uses the public IP: 212.235.0.148 (SMTP)
    and the SA 2500 uses the public IP: 212.235.0.149 (IKE + HTTPS)

    Please advise.

    Thanx

      Yuval


  • 2.  RE: SSG 140 Setup issue

    Posted 08-20-2008 03:18

    Hi,

     

    You can create a MIP with the desired local IPs at int 2 for IPs 212.235.0.148 (SMTP) & SA 2500 212.235.0.149 (IKE + HTTPS), and create a policy from Untrust to Trust for the SMTP MIP and Untrust to DMZ for the SA2500 MIP.

     

    Hope it helps.

     

    SiD



  • 3.  RE: SSG 140 Setup issue

    Posted 08-20-2008 13:42

    Thank you SiD!

    One of the issues with MIP is that one of the Juniper docs "says" that you need
    the same IP range as the external interface for MIP.
    However, this isn't the current scenario (I hope that I will install the SSG next week
    and find the correct solution).

    Another tip was to use Dst. NAT - but this looks very complex for a regular task like this
    (check out the Check Point solution for it... two mouse clicks and that's all).

    Thanx



  • 4.  RE: SSG 140 Setup issue
    Best Answer

    Posted 08-20-2008 14:26

    Hi,

     

    You could use NAT-Dst. Follow these steps. I will show 2 ways: one way is shorter but I don't know if it will work correctly for you, the second way should work.

     

    First Way:

    1. Create an address book entry for the public addresses that you want to forward to internal servers in the Untrust zone address book.
    2. Create a policy from Untrust to Untrust Source (any) Destination (212.235.0.148/32) Service (SMTP) Nat-Dst 192.168.30.1
    3. Create a policy from Untrust to Untrust Source (any) Destination (212.235.0.149/32) Service (IKE+HTTPS) Nat-Dst 10.10.10.253

    I'm assuming that the ISP will forward those two public addresses to the IP address of the untrust interface on the firewall, 212.143.225.61.

     

    If that doesn't work (which I think it should) you will need to do some extra config.

     

    1. Create an address book entry for the public addresses that you want to forward to internal servers: 212.235.0.148/32 in the Trust zone address book, 212.235.0.149/32 in the DMZ zone address book.
    2. Create two route entries: set route 212.235.0.148/32 int (LAN interface), set route 212.235.0.149/32 int (DMZ interface)
    3. Create a policy from Untrust to Trust Source (any) Destination (212.235.0.148/32) Service (SMTP) Nat-Dst 192.168.30.1
    4. Create a policy from Untrust to DMZ Source (any) Destination (212.235.0.149/32) Service (IKE+HTTPS) Nat-Dst 10.10.10.253

    Hope this helps.

     

    Regards

     

    Andy
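
    The second set of steps in the answer above, written out as ScreenOS CLI, as an added example that is not part of Andy's post or of Juniper's documentation. The interface names ethernet0/0 (LAN, Trust), ethernet0/1 (DMZ) and the address and service-group names are assumptions, and the `#` lines are annotations to strip before pasting, since the ScreenOS CLI does not take comments.

    ```screenos
    # Added example (not from the thread). Assumed layout:
    #   ethernet0/0 = LAN (Trust), ethernet0/1 = DMZ, ethernet0/2 = PPPoE uplink (Untrust)

    # Step 1: address book entries for the public IPs, placed in the zone of the
    #         server each one will be translated to (Trust for Exchange, DMZ for the SA 2500).
    set address Trust "exchange-pub" 212.235.0.148/32
    set address DMZ   "sa2500-pub"   212.235.0.149/32

    # Step 2: routes so the firewall treats the public IPs as reachable through the
    #         internal interfaces instead of sending them back out the uplink.
    set route 212.235.0.148/32 interface ethernet0/0
    set route 212.235.0.149/32 interface ethernet0/1

    # Service group so the SA 2500 policy permits only IKE and HTTPS, nothing else.
    set group service "IKE+HTTPS"
    set group service "IKE+HTTPS" add IKE
    set group service "IKE+HTTPS" add HTTPS

    # Steps 3 and 4: one destination-NAT policy per server, limited to the needed
    #         service and logged so hits show up in the traffic log.
    set policy from Untrust to Trust any "exchange-pub" SMTP nat dst ip 192.168.30.1 permit log
    set policy from Untrust to DMZ any "sa2500-pub" "IKE+HTTPS" nat dst ip 10.10.10.253 permit log

    save

    # Checks: confirm the policies were installed and watch translated sessions.
    get policy from Untrust to Trust
    get policy from Untrust to DMZ
    get session dst-ip 192.168.30.1
    get session dst-ip 10.10.10.253
    ```

    The only difference from the first way is the zone the address entries live in and the two routes; the policies themselves are the same apart from the destination zone.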

     



  • 5.  RE: SSG 140 Setup issue

    Posted 01-17-2011 04:22

    Hi there all,

    Sorry to bring back such an old topic, but I didn't feel I could create another one, since the problem I'm facing is always the same.

    I have no experience in Juniper products and I must confess I'm lost even though I have a bunch of materials here to read.

    But I got no success at all until now.

    I'm trying to set up a LAN port which is going to be connected to a switch core inside our datacenter and another port whose objective is to give internet access through a static IP address given by our ISP; this interface will initially use only web filtering for all users coming through the LAN.

     

    So here's what I have planned.

    Unbound all default interfaces and set them as follows:

     

    e0/1 is going to be my LAN interface that's going to be connected to the switch core

    e0/2 is going to receive a WAN link with static IP and it's going to be used to provide internet access to my LAN.

     

    e0/1 is set in the Trust zone and e0/2 is set in the Untrust zone, both of them are in the trust-vr.

     

    How can I assign all the traffic coming from e0/1 to e0/2 and apply web filtering on it?

     

    Any help will be appreciated, since the subject is URGENT.

     

    Regards,

    Cristiano Sina