Screen OS


Wireless SSG5: Relay works DNS does not

  • 1.  Wireless SSG5: Relay works DNS does not

    Posted 12-07-2008 07:56

    I finally was able to get the relay working on the SSG for my wireless portion, which is in the same zone as my trust. I could never get it to work until I chose Route vs. NAT in the wireless0/0 interface list. I get the IP from my domain controller; however, it is like I do not have a route. My WiFi gateway is 192.168.2.1 and the gateway my DC is on is 10.1.1.1, so from within DHCP scope options I add both routes. I do a tracert on a resource on the 10.1.1.1 from my wireless laptop and I am able to resolve. If I do the same for www.yahoo.com it does not get past the laptop's gateway of 192.168.2.1.

     

    I also notice that I am able to ping to the DC (192.168.2.2 to 10.1.1.5); however, I am not able to do the same from the DC to the laptop. I checked and I have an (A) record as well as a PTR record.

     

    I switch it back and the DNS portion from my DC works fine.

     

    I am not sure where to go with this; however, I am betting on a default route? Should I enable Route vs. NAT on the WiFi interface since it at least allowed my DC to give it an IP? My issue is obviously DNS. Any help would be great, thanks.

     

    I think my config is set back to the SSG handing out IPs vs. my DC. Regardless, the DHCP relay will work if I put it back to the settings I was using earlier; it is just that I am not able to resolve externally.

     

    Message Edited by cyberwatcher on 12-08-2008 02:15 AM
    Message Edited by cyberwatcher on 12-08-2008 02:16 AM
    Message Edited by cyberwatcher on 12-09-2008 02:54 AM


  • 2.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 01:36

    Hi Friend,

     

    Can you please clear your topology with a diagram? It will definitely help us.

     

    Thanks



  • 3.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 02:20

    I cleaned it up a bit; not sure which part of the topology you want to clear, sorry. Are you asking me to clear the router config and replace it with screenshots???

     

    I may be having a blonde moment.... sorry.

    Message Edited by cyberwatcher on 12-08-2008 02:23 AM


  • 4.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 02:42

    Hi,

     

    I mean a rough network diagram.



  • 5.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 07:18

    Hi,

     

    I am not quite sure I understand but can I ask a couple of questions first:

     

    • Are you using both internal and external DNS servers?
    • Are your users connecting from the 10.1.1.0 network using 192.168.2.1 as the gateway?

     

    It looks to me as if it might be as simple as setting a secondary DNS on the users' PCs or as complex as setting up an internal DNS server and doing zone transfers etc. Currently your only DNS rules appear to be from DMZ to TRUST and from TRUST to UNTRUST, which seems a bit weird.

     

    What is in the DMZ that needs internal DNS and not external? I am wondering if you have missed telling us something.

     

    Regards

     

    Gavrilo

     

     

     



  • 6.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 13:24
    I am only using one Domain Controller using AD-integrated DNS zones. I have a zone for all the segments needed. I will forward screenshots. As far as the users connecting using a gateway, each segment connects via the virtual gateway given from the SSG router: 192.168.2.10 connects via 192.168.10.1 and 10.1.1.7 connects via 10.1.1.1.

    I have a few DNS rules. 1: The rule for the DMZ (DMZ to Trust) is needed to resolve (A) resource records from within the 10.1.1.0 and 192.168.2.0 zones. 2: The rule for the Domain Controller (DNS server) from the Trust to the Untrust is to allow DNS resolution on the Internet, since it acts as a forwarder. I don't think I need to transfer zone records, as I only have one integrated DNS server which is authoritative for all zones. I have my DMZ mail server and HTTP server set up in the DMZ; however, I do allow SSH, DNS and syslog messages through.

    As I said, I have the DHCP working great when I switch the wireless0/0 interface mode from NAT to Route and configure the DHCP to act as a relay. I just do not get the DNS resolution. Could this be that I do not have a route to the 10.1.1.0 from the 192.168.2.0 (wireless)? I think the default route that I currently have should be fine. The only thing I can think of would be a route or a policy; however, the WiFi and the 10.1.1.0 are both in the Trust group. I don't think I need a route, since they can talk to each other just fine whenever I let the router act as the DHCP.


  • 7.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 13:25
    I am also forwarding a copy of my DNS and DHCP from within the SSG.
    Message Edited by cyberwatcher on 12-08-2008 01:26 PM


  • 8.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-08-2008 19:55

    You need to add NAT as an option for policies 29 and 37 for the outbound internet traffic (DNS queries?).

     

     

    They should look like this:

    set policy id 29 from "Trust" to "Untrust"  "Workstations" "Any" "InternetGroup" nat src permit

    set policy id 37 from "Trust" to "Untrust"  "DC" "Any" "DNS" nat src permit

     

     

    Message Edited by dcruz on 12-08-2008 08:02 PM


  • 9.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-09-2008 02:36

    Okay, I will try that, thanks. I am not sure that will work because the clients are on the Trust zone, not the Untrust. Is this because anything that is not on the same segment and travels across gateways (even though in the same zone and using the same router) is untrusted?

     

    I do change the config a bit once I let the DNS server hand out IP addresses to the wireless0/0 group. I have even added both gateways for the wireless0/0 and the bgroup0 interfaces via the DHCP scope handed down from the DNS server as well.

     

    If I am able to get a DHCP address from my server, I would think NAT is not the issue. I will try it over the weekend and post my results. Thanks for the help.

     



  • 10.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-09-2008 08:02
    Any internet outbound policies would need to specify to use the Untrust interface's public IP as its NAT source in order to make it out. Without NAT in the policy the firewall just passes the private address of the workstation upstream.


  • 11.  RE: Wireless SSG5: Relay works DNS does not
    Best Answer

    Posted 12-14-2008 08:21

    So here is what I did... I enabled Route vs. NAT from within the interface.

     

    I then enabled Source Translation via my policy (Advanced section) using Egress Interface IP.

     

    This seems to have done the trick however what exactly did I do??? Also, is this okay?

     

    I am forwarding the screen shots if needed.

     

    Thanks.



  • 12.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-14-2008 11:52

    This is the correct way to do it. 

     

    What you've done is set any traffic that uses that policy to move from the Trust to the Untrust zone to use your WAN IP. The outbound internet traffic from your internal hosts appears to come from whatever the WAN address is. This is necessary for the next hop (your ISP) to route the traffic. Without this, the private addresses of the internal workstations are passed and nothing will route.
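The combination the thread ends with (interface in Route mode so DHCP relay works, policy-based source NAT so internet-bound DNS still works), written out as ScreenOS CLI. This is an added example, not any poster's actual config: the interface name, the 192.168.2.1 gateway, the DC at 10.1.1.5, the policy ids and the object names come from the thread; the /24 masks, the address-book entries and the `dhcp relay` command syntax are assumptions taken from ScreenOS documentation, and the `#` lines are annotations, not CLI.

```text
# Wireless segment in the Trust zone, in Route mode.  In Route mode the interface
# itself performs no source NAT, which is what lets the relayed DHCP packets reach
# the domain controller unchanged (the behaviour the original poster observed).
set interface wireless0/0 zone "Trust"
set interface wireless0/0 ip 192.168.2.1/24
set interface wireless0/0 route

# Relay DHCP requests from the wireless clients to the DC (10.1.1.5 per the thread).
set interface wireless0/0 dhcp relay server-name 10.1.1.5
set interface wireless0/0 dhcp relay service

# Address objects referenced by the policies (names from post 8; ranges assumed).
set address "Trust" "Workstations" 192.168.2.0 255.255.255.0
set address "Trust" "DC" 10.1.1.5 255.255.255.255

# With the interface in Route mode, each outbound policy must do the source NAT
# itself: "nat src" translates the private source to the egress (Untrust) interface
# IP.  Without it the 192.168.2.x / 10.1.1.x source is sent to the ISP as-is and the
# reply has nowhere to route, which is why DHCP (internal) worked but DNS (external)
# did not.  "InternetGroup" and "DNS" are the service names used in post 8.
set policy id 37 from "Trust" to "Untrust" "DC" "Any" "DNS" nat src permit
set policy id 29 from "Trust" to "Untrust" "Workstations" "Any" "InternetGroup" nat src permit
```

Traffic between the wireless segment and 10.1.1.0 stays intra-zone (Trust to Trust), so it needs neither of these policies nor any NAT; only the Trust-to-Untrust policies carry `nat src`.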



  • 13.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-14-2008 11:56


  • 14.  RE: Wireless SSG5: Relay works DNS does not

    Posted 12-14-2008 12:19
    Thanks for the URL I will take a look at it.