Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  SSG 140 VIP's, having some trouble

    Posted 11-06-2008 10:42

    Here is my setup:

    SSG140

    Hardware Version 1010(0)-( 0)

    Software Version 6.1.0r2.0

     

    eth0 private LAN - 192.1.1.0/24 (mail server 192.1.1.250)

    eth2 public network - 1.1.1.33/27 - renamed to 1.1.1.x for privacy (wan ip of ssg 1.1.1.38)

     

    My mission is to forward mail traffic from 1.1.1.45 to 192.1.1.250 - port 25 smtp

    I followed these instructions for a VIP

    http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&article_id=KB4740

     

    On the VIP page the status says OK under the smtp service
    I can telnet into the ssg and ping 192.1.1.250

    When I try to telnet to 1.1.1.45 port 25 I get a timeout (from another system connected to the public WAN side)

    When I check my policy log (created as per the instruction KB above) I get this:

    bytes sent 198, bytes received 0, close reason: age out, source/destination and translated address/port all show correct

    Destination route table shows lan and wan assigned to the correct interfaces

    policy is

    Untrust/Any Global/VIP(1.1.1.45) SMTP Permit

    I turned on all logging including debug, nothing shows in the logs related to this 

     

    I am not sure what to check next, any ideas?

    Message Edited by techguru on 11-06-2008 10:51 AM
    Message Edited by techguru on 11-06-2008 11:01 AM
    Message Edited by techguru on 11-06-2008 11:07 AM


  • 2.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 11:42

    Could you please confirm whether the policy destination is the trust zone? Doesn't show in your policy rule:

     

    Untrust/Any Global/VIP(1.1.1.45) SMTP Permit



  • 3.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 11:48
    the policy is set from untrust to trust


  • 4.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 11:50
    Could you post the log entry? And possibly a cleaned config?


  • 5.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 11:54

    Traffic log for policy :

    ID | Source | Destination | Service | Action
    32 | Untrust/Any | Global/VIP(1.1.1.45) | SMTP | Permit

    Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason
    2008-11-06 11:30:59 | 1.1.1.62:8982 | 1.1.1.45:25 | 1.1.1.62:8982 | 192.1.1.250:25 | SMTP (TCP) | 22 sec. | 198 | 0 | Close - AGE OUT
    2008-11-06 11:29:37 | 1.1.1.62:8981 | 1.1.1.45:25 | 1.1.1.62:8981 | 192.1.1.250:25 | SMTP (TCP) | 21 sec. | 198 | 0 | Close - AGE OUT

    config is coming soon, thanks

     

     

    the formatting didn't work out right, I'll post again when I get the config if you can't read it.

    Message Edited by techguru on 11-06-2008 11:54 AM


  • 6.  RE: SSG 140 VIP's, having some trouble
    Best Answer

    Posted 11-06-2008 11:57
    Maybe an obvious one, but does the mailserver have its default gateway set to the netscreen? Logging seems to be OK indeed.


  • 7.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 13:04
    ahhhh thanks, i forgot to switch the gateway over.


  • 8.  RE: SSG 140 VIP's, having some trouble

    Posted 11-06-2008 13:10
    at your service 😉
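
The symptom in this thread (policy permits, VIP translation is correct, bytes received 0, close reason AGE OUT) can be picked out of a traffic log mechanically. The script below is an added example, not part of the original thread: it assumes one log entry per line in the field order quoted in post 5, the third sample line is constructed for contrast, and the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: the first two lines are the entries quoted in the thread;
# the third is a constructed healthy session for contrast.
SAMPLE_LOG = """\
2008-11-06 11:30:59 1.1.1.62:8982 1.1.1.45:25 1.1.1.62:8982 192.1.1.250:25 SMTP (TCP) 22 sec. 198 0 Close - AGE OUT
2008-11-06 11:29:37 1.1.1.62:8981 1.1.1.45:25 1.1.1.62:8981 192.1.1.250:25 SMTP (TCP) 21 sec. 198 0 Close - AGE OUT
2008-11-06 13:20:05 1.1.1.62:9001 1.1.1.45:25 1.1.1.62:9001 192.1.1.250:25 SMTP (TCP) 3 sec. 412 1290 Close - TCP FIN
"""

# Field order assumed from the log header posted in the thread.
ENTRY = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<xsrc>\S+) (?P<xdst>\S+) "
    r"(?P<svc>.+?) (?P<dur>\d+) sec\. "
    r"(?P<sent>\d+) (?P<rcvd>\d+) Close - (?P<reason>.+)$"
)

def parse(log_text):
    """Return one dict per parsable entry, with counters converted to int."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip header rows and blank lines
        e = m.groupdict()
        for key in ("dur", "sent", "rcvd"):
            e[key] = int(e[key])
        entries.append(e)
    return entries

def one_way_sessions(entries):
    """Sessions that were translated and forwarded but never got a reply."""
    return [e for e in entries
            if e["dst"] != e["xdst"]            # VIP translation was applied
            and e["sent"] > 0 and e["rcvd"] == 0
            and e["reason"].upper() == "AGE OUT"]

def suspects(entries, min_hits=2):
    """Translated host:port targets that repeatedly never answer via the firewall."""
    hits = Counter(e["xdst"] for e in one_way_sessions(entries))
    return {host: n for host, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for host, n in suspects(parse(SAMPLE_LOG)).items():
        print(f"{host}: {n} one-way sessions; check the server's default "
              "gateway / return route and that the service is listening")
```

A hit means the firewall did its part and the reply never came back through it, which is why the next thing to check is the internal server's default gateway, as in the accepted answer.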