July 6, 2008 02:57pm pdt

1. batry_boy 256,950
2. lrmoore 96,375
3. dpk_wal 78,877
4. Cyclops3590 41,826
5. rsivanandan 36,775
6. RobWill 34,275
7. Voltz-dk 33,850
8. harbor235 32,598
9. MrHusy 32,000
10. naughton 31,880
11. JFrederi... 28,000
12. from_exp 27,885
13. stuknhawaii 21,000
14. arnold 20,476
15. mkielar 20,100

1. lrmoore 1,052,247
2. batry_boy 448,179
3. RobWill 357,774
4. rsivanandan 237,794
5. dpk_wal 141,877
6. grblades 118,615
7. JFrederi... 115,919
8. harbor235 105,714
9. pseudocyber 90,643
10. Cyclops3590 86,854
11. nodisco 85,522
12. calvinetter 76,413
13. PeteLong 73,331
14. Freya28 67,550
15. giltjr 67,195

02.26.2008 at 12:12AM PST, ID: 23192804

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.4

POP3 Problem with SSG-520 Juniper Firewall

Zone: Networking Hardware Firewalls

Tags: Juniper, Firewall

Hi All
I have juniper SSG-520 and i made static mapping for my exchange mail server which contain web , pop3 , smtp , imap services ,, i add MIP on untrusted interface and policy to allow defined services ( HTTP ,POP3 , SMTP, IMAP ) from ANY to this MIP ,, web and smtp working ok from outside but IMAP and POP3 dont work and this result appear in LOG :
Close - age out .

Can you help me ..

Start your free trial to view this solution

Question Stats

Zone: Computer Hardware

Question Asked By: ahfaris

Solution Provided By: Geyybecca

Participating Experts: 2

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

02.26.2008 at 12:34AM PST, ID: 20982504

Geyybecca:

can you post your firewall config here? change the real IP addresses, i'll take a look

02.26.2008 at 12:53AM PST, ID: 20982577

ahfaris:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 27911
set admin name "iugfw"
set admin password "nFu6P2rFHQYMc7FA0ssB53At4iAfRn"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Null"
unset interface vlan1 ip
set interface ethernet0/0 ip 10.10.0.7/24
set interface ethernet0/0 nat
set interface ethernet0/1 ip 172.16.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/2 ip x.x.x.68/27
set interface ethernet0/2 route
set interface ethernet0/2 gateway x.x.x.65
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface ethernet0/0 manage mtrace
set interface ethernet0/1 manage telnet
set interface vlan1 manage mtrace
set interface "ethernet0/2" mip x.x.x.80 host 10.10.0.13 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "Mail" 10.10.0.13 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set anti-spam profile ns-profile
set sbl default-server enable
exit
set policy id 4 name "Mail" from "Untrust" to "Trust" "Any" "MIP(x.x.x.80)" "HTTP" permit log
set policy id 4
set service "IMAP"
set service "POP3"
set service "SMTP"
exit
set policy id 16 name "NAT_Servers" from "Trust" to "Untrust" "Mail" "Any" "ANY" nat src permit
exit
set monitor cpu 100
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

02.26.2008 at 04:05AM PST, ID: 20983468

Qlemo:

Don't know whether that is the problem, but policy 16 uses NAT src on eth0/2 ip, which is .68. Shouldn't this be a NAT src on MIP?

02.26.2008 at 04:38AM PST, ID: 20983655

Geyybecca:

Ok Policy id 4 deals with incoming HTTP IMAP POP3 and SMTP policy id 16 I need a little more info on when you say po3 and IMAP are not working is that from outside or inside?

02.26.2008 at 04:45AM PST, ID: 20983696

ahfaris:

policy id 4 handle the nat connection from inside to outside for this server ,, the problem is from outside to inside .

02.26.2008 at 04:46AM PST, ID: 20983704

ahfaris:

some one in juiper forum add this thread :
------------------------
Yeah I think I can help. Close age out learns you to things:

1 a session is created, so policy is ok
2 Reason for closing is no return packets arive at the SSG. That's what age out means here.

So your pop traffic is probably not send directly to the SSG. Check your routing on the pop server (or service ?).

This is most likely not a problem on your SSG but on your routing config of the mail server.
--------------------------------
i dont know how to track this and what is the routing he said ?

02.26.2008 at 04:49AM PST, ID: 20983740

Geyybecca:

think they are barking up the wrong tree, if HTTP and SMTP work on that server then the routing cannot be an issue, if there was a routing issue then nothing would work

Accepted Solution

02.26.2008 at 11:28PM PST, ID: 20992035

ahfaris:

Simply i found the POP3 service on the server have some problems ,, i restart the server and every thing ok now .

20080236-EE-VQP-29 / EE_QW_2_20070628