Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  how to using trust ip address at my router to outside

    Posted 10-18-2010 23:31

    Hello,

     

    I'm new here. Glad to have found this forum.

    Actually I need some help to configure my Juniper SSG-550M.

    This is my situation :

     

    My SSG-550M has 2 active interfaces:

    - ethernet0/0, untrust zone, has a private IP from the ISP (172.16.30.2/30)

    - ethernet0/1, trust zone, has a public IP from the ISP (203.x.x.33/28).

    The default gateway to the outside (Internet) is 172.16.30.1 (on the ISP side).

    My problem is, I can't perform outgoing actions such as traceroute, AV update, NTP sync, or DNS requests from my box (router SSG 550M), since they use the private IP gateway.

     

    My question: how to make it work? I am wondering about using my public IP address that is assigned to the trust interface (ethernet0/1).

    Any advice will be great.

     

    Thank you.

     


    #private
    #NAT
    #ssg550M


  • 2.  RE: how to using trust ip address at my router to outside

    Posted 10-19-2010 01:01

    Hi,

     

    You can do this! Use ping/trace with the keyword "from": ping xxx.xxx.xxx.xxx from eth0/1. The syntax for telnet is slightly different: telnet xxx.xxx.xxx.xxx port number src-interface eth0/1.

    While configuring NTP, DNS, and SNMP you can always select eth0/1 as the source interface.

    You cannot configure a source interface for the AV updates but you can try to install an internal proxy for downloading the AV patterns indirectly: SSG --> Proxy --> Juniper AV server.

     

    Kind regards,

    Edouard

     

     

     



  • 3.  RE: how to using trust ip address at my router to outside

    Posted 10-19-2010 01:33

    Thank you for the fast reply.

     

    What about retrieving the license key? Does that need a proxy too?



  • 4.  RE: how to using trust ip address at my router to outside

    Posted 10-19-2010 07:29

    Hi,

     

    You can retrieve it from the Juniper Licensing Site (using a Web browser) and install it on the SSG using the command exec license-key key_str. Your device should be registered by Juniper for this.

    Kind regards,

    Edouard



  • 5.  RE: how to using trust ip address at my router to outside

    Posted 10-20-2010 02:36

    Thank you for the solutions, greatly appreciated 🙂

     

    By the way, could NAT be applied in a situation like this?



    #dianseh


  • 6.  RE: how to using trust ip address at my router to outside

    Posted 10-20-2010 04:53

    Hi,

     

    You are welcome!

    Sorry, I did not understand your question. If you send a packet from the trust interface to the Internet, it has already got a public IP as its source IP. If you send a packet from the untrust interface to the Internet, its src IP is a private one and the packet is away! It will be sent but never responded.

     

    Kind regards,

    Edouard



  • 7.  RE: how to using trust ip address at my router to outside

    Posted 10-20-2010 20:58

    Sorry,

     

    Since I don't have any internal proxy in my local network, it makes me search for solutions to update AV.

    I think when the packet goes out from the untrust interface, the packet will be sent but never responded, so I have to NAT it using a public IP. The question is: is it possible (in this case)?



  • 8.  RE: how to using trust ip address at my router to outside

    Posted 10-21-2010 01:34

    Hi Dianse,

     

    Hmm... This is not a trivial problem and a solution might be very, very tricky. The SSG would not NAT packets generated by itself. This can only be done on the ISP router, perhaps with one of your public IPs.

    I would recommend installing a simple proxy. There are free proxy applications on the Internet.

     

    Kind regards,

    Edouard



  • 9.  RE: how to using trust ip address at my router to outside

    Posted 10-21-2010 03:24

    Dear,

     

    Ic ic ic.

     

    "The SSG would not NAT packets generated by itself."  <--- this is what I want to know actually.

     

    Thank you very much Edouard.



  • 10.  RE: how to using trust ip address at my router to outside
    Best Answer

    Posted 10-25-2010 03:57

    Hi Dianse,

     

    Please read the post http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Untrust-Interface-172-16-1-1-30-Site-to-Site-VPN/td-p/59052

     

    SSHSSH knows a trick that might solve your problem:

     

    "....create a MIP on the untrust interface  like the below:

    host address:interface ip

    Mapped address: a public ip

    This will translate the packets sent from the firewall itself..."

     

    Kind regards,

    Edouard

     



  • 11.  RE: how to using trust ip address at my router to outside

    Posted 11-08-2010 23:13

    wow, thanks for your advanced.

    I've successfully retrieved the license key from the box.

    Ping / traceroute to the outside (without using the keyword "from source" command in the CLI) are also working well.