Netscreen enable subnet internet access

zimboman asked:

Hi,
I have a 5GT and have recently added a subnet onto the network. My local LAN is on the 192.168.44.0/24 network, and I would like to give the new 172.16.44.0/24 network internet access through my firewall. I have set up static routes, which work ok - I can ping hosts on the new subnet - but no internet access is working. I have an internet access policy, trust-untrust, from any network to any destination. The problem seems to be related to policies - is anyone able to shed some light on this? Should I be using source route entries?

Thanks,
ZM
ASKER CERTIFIED SOLUTION by rsivanandan (members-only content, not shown here)

zimboman (ASKER):

Ok, sorry, I may not have explained properly. The new subnet is not a part of the 5GT config. It is a separate link, provided by a hosting company, who have installed their router/firewall directly onto the LAN. The servers on the hosted side need to browse the internet through the 5GT. Please can someone help with the necessary config. I will paste the current config below:

set clock timezone 11
set vrouter trust-me sharable
unset vrouter "trust-me" auto-route-export
set service "Deskbank" protocol tcp src-port 0-65535 dst-port 6025-6025
set service "Freeparking" protocol tcp src-port 81-81 dst-port 81-81
set service "FTP - 20" protocol tcp src-port 0-65535 dst-port 20-20
set service "OpenVPN" protocol udp src-port 0-65535 dst-port 1194-1194
set service "PASV FTP" protocol tcp src-port 0-65535 dst-port 40000-45000
set service "RWW-4125" protocol tcp src-port 0-65535 dst-port 4125-4125
set service "smtp" protocol tcp src-port 0-65535 dst-port 25-25
set service "TSE" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "Printing" protocol tcp src-port 0-65535 dst-port 515-515
set service "Printing" + tcp src-port 0-65535 dst-port 9100-9100
set service "ADomain" protocol udp src-port 0-65535 dst-port 48129-48137 timeout 30
set service "ADomain" + tcp src-port 0-65535 dst-port 8194-8294
set service "ADomain IN" protocol udp src-port 48129-48137 dst-port 48129-48137 timeout 30
set service "ADomain IN" + tcp src-port 0-65535 dst-port 8194-8294
set service "New FTP" protocol tcp src-port 0-65535 dst-port 2121-2121
set service "New FTP" + tcp src-port 0-65535 dst-port 50000-50050
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "xxxx"
set admin port 8081
set admin ssh port 2002
set admin scs password disable username netscreen
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-me"
set zone "Untrust" vrouter "trust-me"
set zone "VLAN" vrouter "trust-me"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.3" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.44.254/24
set interface trust route
set interface untrust ip xxx.xxx.86.45/24
set interface untrust route
set interface tunnel.1 ip unnumbered interface trust
set interface tunnel.2 ip unnumbered interface untrust
set interface tunnel.3 ip 192.168.15.50/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust vip untrust 25 "smtp" 192.168.44.20
set interface untrust vip untrust 22 "SSH" 192.168.44.20
set interface untrust vip untrust 21 "FTP" 192.168.44.20
set interface untrust vip untrust 4125 "RWW-4125" 192.168.44.20
set interface untrust vip untrust 443 "HTTPS" 192.168.44.20
set interface untrust vip untrust 2121 "New FTP" 192.168.44.20
set interface untrust dhcp-client enable
set interface tunnel.3 dip 4 192.168.15.51 192.168.15.100
set interface untrust ext ip 192.168.44.0 255.255.255.0 dip 5 192.168.44.61 192.168.44.61 fix-port
set interface "trust" mip 192.168.44.69 host 192.168.11.12 netmask 255.255.255.255 vrouter "trust-me"
set interface "trust" mip 192.168.44.70 host 192.168.11.254 netmask 255.255.255.255 vrouter "trust-me"
set interface "tunnel.3" mip 192.168.15.5 host 192.168.44.250 netmask 255.255.255.255 vrouter "trust-me"
set flow tcp-mss
set domain lan
set hostname HOSTNAME01
set dns host dns1 10.0.0.138
set dns host dns2 xxx.xx.xxx.40
set address "Trust" "192.168.44.20/32" 192.168.44.20 255.255.255.255
set address "Trust" "MMc 192.168.15.0" 192.168.15.0 255.255.255.0
set address "Trust" "MMC Lan-192.168.44.0/24" 192.168.44.0 255.255.255.0
set address "Trust" "VirtualVax-192.168.44.69/32" 192.168.44.69 255.255.255.255
set address "Untrust" "xx.xx.xx.82/32" xx.xx.xx.82 255.255.255.255
set address "Untrust" "BT_PIE Network" xxx.xx.xxx.0 255.255.255.0
set address "Untrust" "Kauri Lan-192.168.11.0/24" 192.168.11.0 255.255.255.0
set address "Untrust" "Kauri Systems Firewall" xx.xxx.xx.66 255.255.255.255
set address "Untrust" "Kauri Vax Firewall" xx.xxx.xx.36 255.255.255.255
set address "Untrust" "KauriServer-192.168.11.12/32" 192.168.11.12 255.255.255.255
set address "Untrust" "peter-10.10.200.103/32" 10.10.200.103 255.255.255.255
set address "Untrust" "robert-10.10.200.101/32" 10.10.200.101 255.255.255.255
set address "Untrust" "shayne-10.10.200.104/32" 10.10.200.104 255.255.255.255
set address "Untrust" "tom-10.10.200.102/32" 10.10.200.102 255.255.255.255
set user "Ceiba" uid 5
set user "Ceiba" ike-id u-fqdn "user1@domain.co.nz" share-limit 1
set user "Ceiba" type  auth ike xauth
set user "Ceiba" password "password"
set user "Ceiba" "enable"
set user "peter" uid 17
set user "peter" ike-id u-fqdn "user2@domain.co.nz" share-limit 1
set user "peter" type  auth ike xauth
set user "peter" password "password"
set user "peter" "enable"
set user "robert" uid 15
set user "robert" ike-id u-fqdn "user3@domain.co.nz" share-limit 1
set user "robert" type  auth ike xauth
set user "robert" password "password"
set user "robert" "enable"
set user "shayne" uid 18
set user "shayne" ike-id u-fqdn "user4@domain.co.nz" share-limit 1
set user "shayne" type  auth ike xauth
set user "shayne" password "password"
set user "shayne" "enable"
set user "tom" uid 16
set user "tom" ike-id u-fqdn "user5@domain.co.nz" share-limit 1
set user "tom" type  auth ike xauth
set user "tom" password "password"
set user "tom" "enable"
set user-group "NSRemoteUsers" id 9
set user-group "NSRemoteUsers" user "user1"
set user-group "NSRemoteUsers" user "user2"
set user-group "NSRemoteUsers" user "user3"
set user-group "NSRemoteUsers" user "user4"
set user-group "NSRemoteUsers" user "user5"
set ike p1-proposal "BT_P1" preshare group5 esp aes256 sha-1 second 86400
set ike p2-proposal "BT_P2" group5 esp aes256 sha-1 second 86400
set ike gateway "Kauri-Gateway" address xx.xxx.xx.66 Main outgoing-interface "untrust" preshare "/RNLClOKNUgcl4s0i1CqcRZvOenZpcxg5A==" proposal "pre-g2-3des-md5" "dsa-g2-3des-md5" "rsa-g2-3des-md5"
set ike gateway "Gateway-NSRemote" address 0.0.0.0 id "nsremote@domain.co.nz" Main local-id "mmcnz.co.nz" outgoing-interface "untrust" preshare "Nywq5g8yNgr01qsxxxxxxV3v+Rng4D60nw==" sec-level standard
set ike gateway "Gateway-NSRemote" cert peer-ca all
unset ike gateway "Gateway-NSRemote" nat-traversal
set ike gateway "BT_PIE GW" address 203.10.111.10 Main outgoing-interface "untrust" preshare "HM6hBEyhNha4ezsaVdCWJDzOlgnc4KNym87xxxxxxwxbly+Ccpb6UKc=" proposal "BT_P1"
set ike respond-bad-spi 1
set vpn "Tunnel-user2" gateway "Gateway-NSRemote" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel-user2" id 20 bind interface tunnel.2
set interface tunnel.2 nhtb 10.10.200.103 vpn "Tunnel-user2"
set vpn "Tunnel-user3" gateway "Gateway-NSRemote" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel-user3" id 21 bind interface tunnel.2
set interface tunnel.2 nhtb 10.10.200.101 vpn "Tunnel-user3"
set vpn "Tunnel-user4" gateway "Gateway-NSRemote" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel-user4" id 22 bind interface tunnel.2
set interface tunnel.2 nhtb 10.10.200.102 vpn "Tunnel-user4"
set vpn "Tunnel-user5" gateway "Gateway-NSRemote" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel-user5" id 23 bind interface tunnel.2
set vpn "Kauri-Tunnel" gateway "Kauri-Gateway" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "Kauri-Tunnel" id 1 bind interface tunnel.1
set vpn "BT_VPN" gateway "BT_PIE GW" no-replay tunnel idletime 0 proposal "BT_P2"
set vpn "BT_VPN" id 25 bind interface tunnel.3
set vpn "Tunnel-Ceiba" gateway "Gateway-NSRemote" no-replay tunnel idletime 0 sec-level standard
set vpn "Tunnel-Ceiba" id 26 bind interface tunnel.2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set group address "Untrust" "MMC-NSremoteUsers-10.10.200.0"
set group address "Untrust" "MMC-NSremoteUsers-10.10.200.0" add "user2-10.10.200.103/32"
set group address "Untrust" "MMC-NSremoteUsers-10.10.200.0" add "user3-10.10.200.101/32"
set group address "Untrust" "MMC-NSremoteUsers-10.10.200.0" add "user4-10.10.200.104/32"
set group address "Untrust" "MMC-NSremoteUsers-10.10.200.0" add "user5-10.10.200.102/32"
set group service "Web Surfing"
set group service "Web Surfing" add "DNS"
set group service "Web Surfing" add "FTP"
set group service "Web Surfing" add "FTP-Get"
set group service "Web Surfing" add "FTP-Put"
set group service "Web Surfing" add "HTTP"
set group service "Web Surfing" add "HTTPS"
set group service "Web Surfing" add "MAIL"
set group service "Web Surfing" add "PING"
set group service "Web Surfing" add "POP3"
set group service "Web Surfing" add "TSE"
set policy id 13 from "Untrust" to "Trust"  "MMC-NSremoteUsers-10.10.200.0" "VirtualVax-192.168.44.69/32" "ANY" nat src permit
set policy id 15 from "Untrust" to "Trust"  "Any" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 31 name "Deskbank" from "Trust" to "Untrust"  "Any" "Any" "Deskbank" nat src permit
set policy id 32 name "OpenVPN" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "OpenVPN" nat src permit
set policy id 29 from "Trust" to "Untrust"  "Any" "Any" "PPTP" nat src permit
set policy id 20 name "ADomain" from "Trust" to "Untrust"  "Any" "Any" "ADomain" nat src permit
set policy id 19 name "FTP" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "FTP" nat src permit
set policy id 19 application "FTP"
set policy id 1 name "MMC Internet Access" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "Web Surfing" nat src permit
set policy id 14 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "ANY" permit
set policy id 9 from "Untrust" to "Trust"  "MMC-NSremoteUsers-10.10.200.0" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 8 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "MMC-NSremoteUsers-10.10.200.0" "ANY" permit
set policy id 2 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Kauri Lan-192.168.11.0/24" "ANY" permit
set policy id 7 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Kauri Vax Firewall" "TELNET" nat src permit log
set policy id 17 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "BT_PIE Network" "ANY" nat src dip-id 4 permit log
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
set policy id 6 from "Untrust" to "Trust"  "Kauri Lan-192.168.11.0/24" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 4 from "Untrust" to "Trust"  "Kauri Lan-192.168.11.0/24" "MMC Lan-192.168.44.0/24" "Printing" permit log
set policy id 16 from "Untrust" to "Trust"  "BT_PIE Network" "MIP(192.168.15.5)" "ANY" nat src permit
set policy id 18 name "SMTP" from "Untrust" to "Trust"  "Any" "VIP::1" "smtp" permit
set policy id 21 name "SFTP" from "Untrust" to "Trust"  "Any" "VIP::1" "SSH" permit
set policy id 21 disable
set policy id 25 name "FTP" from "Untrust" to "Trust"  "Any" "VIP::1" "FTP" permit
set policy id 25 disable
set policy id 23 name "RWW-4125" from "Untrust" to "Trust"  "Any" "VIP::1" "RWW-4125" permit
set policy id 24 name "HTTPS" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTPS" permit
set policy id 30 name "FTP + 50 PASV" from "Untrust" to "Trust"  "Any" "VIP::1" "New FTP" permit
set policy id 5 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 11 from "Trust" to "Trust"  "MMC Lan-192.168.44.0/24" "MIP(192.168.44.69)" "ANY" permit
set vpn "Tunnel-peter" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.103/32 "ANY"
set vpn "Tunnel-robert" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.101/32 "ANY"
set vpn "Tunnel-tom" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.102/32 "ANY"
set vpn "Tunnel-shayne" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.104/32 "ANY"
set vpn "Kauri-Tunnel" proxy-id local-ip 192.168.44.0/24 remote-ip 192.168.11.0/24 "ANY"
set vpn "BT_VPN" proxy-id local-ip 192.168.15.0/24 remote-ip 172.24.205.0/24 "ANY"
set vpn "Tunnel-Ceiba" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.106/32 "ANY"
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-me"
exit
set vrouter "trust-me"
unset add-default-route
set route  192.168.11.0/24 interface tunnel.1
set route  10.10.200.0/24 interface tunnel.2
set route  xxx.xx.xxx.0/24 interface tunnel.3 gateway 192.168.15.50
set route  xxx.xx.xx.0/24 interface trust gateway 192.168.44.253
set route  xxx.xx.xx.0/24 interface trust gateway 192.168.44.253
exit
Add these 2 lines and it should work;

set address "Trust" "<NAME OF NEW NETWORK>" 172.16.44.0 255.255.255.0

set policy id <ID> from "Trust" to "Untrust"  "<NAME OF NEW NETWORK>" "Any" "ANY" permit

This should take care of PATing the other network as well.

Cheers,
Rajesh
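Rajesh's two lines rely on ScreenOS evaluating the policies for a zone pair top to bottom and taking the first match, so the new address object only helps if a permit policy referencing it sits above policy 3 (the Trust-to-Untrust deny-all). The Python below is an added illustration, not code from this thread or from Juniper: it parses policy lines in the format of the config dump above, runs a first-match lookup for a flow from the new subnet, and reports whether source NAT would occur, either because the policy carries "nat src" or because the Trust interface is in NAT mode (the setting the thread turns to later). The address-object name "NewNet-172.16.44.0/24", the policy id 45, and the flow addresses are assumed values chosen for the example; the "Web Surfing" group membership is copied from the config.

```python
import ipaddress
import re

# Address book as used on the 5GT in the thread. "NewNet-172.16.44.0/24" is an
# assumed name for the entry Rajesh suggested (his placeholder was
# "<NAME OF NEW NETWORK>"); "Any" is the built-in catch-all object.
ADDRESS_BOOK = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "MMC Lan-192.168.44.0/24": ipaddress.ip_network("192.168.44.0/24"),
    "NewNet-172.16.44.0/24": ipaddress.ip_network("172.16.44.0/24"),
}

# Service group membership copied from the thread's config.
SERVICE_GROUPS = {
    "Web Surfing": {"DNS", "FTP", "FTP-Get", "FTP-Put", "HTTP", "HTTPS",
                    "MAIL", "PING", "POP3", "TSE"},
}

# Trust->Untrust policies from the first config dump, in the order the box
# lists them, which is also its lookup order.
POLICIES_BEFORE = """\
set policy id 1 name "MMC Internet Access" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "Web Surfing" nat src permit
set policy id 14 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "ANY" permit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
"""

# Same list with the proposed policy (assumed id 45) inserted ahead of the deny-all.
POLICIES_AFTER = """\
set policy id 45 from "Trust" to "Untrust"  "NewNet-172.16.44.0/24" "Any" "ANY" permit log
""" + POLICIES_BEFORE

POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "[^"]*")? from "(?P<from>[^"]+)" '
    r'to "(?P<to>[^"]+)"\s+"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)"'
    r'(?P<opts>.*?)\b(?P<action>permit|deny)\b'
)


def parse_policies(config_text):
    """Return the policies found in config_text, preserving their listed order."""
    policies = []
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"] = int(p["id"])
            p["nat_src"] = "nat src" in p["opts"]
            policies.append(p)
    return policies


def _addr_match(name, ip):
    net = ADDRESS_BOOK.get(name)
    return net is not None and ipaddress.ip_address(ip) in net


def _svc_match(policy_svc, service):
    return (policy_svc == "ANY" or policy_svc == service
            or service in SERVICE_GROUPS.get(policy_svc, ()))


def lookup(policies, from_zone, to_zone, src_ip, dst_ip, service):
    """First policy in listed order for the zone pair that matches the flow, or None."""
    for p in policies:
        if ((p["from"], p["to"]) == (from_zone, to_zone)
                and _addr_match(p["src"], src_ip)
                and _addr_match(p["dst"], dst_ip)
                and _svc_match(p["svc"], service)):
            return p
    return None


def decide(config_text, src_ip, dst_ip, service, trust_mode="route"):
    """Return (policy id, action, source NAT applied?) for a Trust->Untrust flow.

    Source NAT happens when the matching permit policy says "nat src", or when
    the Trust interface is in NAT mode (interface-based NAT).
    """
    p = lookup(parse_policies(config_text), "Trust", "Untrust", src_ip, dst_ip, service)
    if p is None:
        return (None, "deny", False)   # no matching inter-zone policy: dropped
    natted = p["action"] == "permit" and (p["nat_src"] or trust_mode == "nat")
    return (p["id"], p["action"], natted)


if __name__ == "__main__":
    for label, cfg in (("before", POLICIES_BEFORE), ("after", POLICIES_AFTER)):
        print(label, "trust route mode:", decide(cfg, "172.16.44.10", "207.46.248.119", "HTTP"))
        print(label, "trust nat mode:  ", decide(cfg, "172.16.44.10", "207.46.248.119", "HTTP", "nat"))
```

Run as a script it shows the new subnet hitting the deny-all in the "before" list and policy 45 in the "after" list; only the Trust-interface NAT mode (or an explicit "nat src") makes the translated-source column in the policy log differ from the original source.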
Thanks I will try that, although I think I have tried it already, through the GUI. Are there any NAT considerations to take care of?
Thanks Rajesh
ZM
Right now the above commands should use the PAT (ip assigned on the untrust interface) and go out to internet and while coming back you already have a route on the box. So it should work as expected. If not, we will see if a dip is required or not.

Cheers,
Rajesh
I get this entry in the logs:

2007-03-04 10:03:02      172.16.45.21:1734      207.46.248.119:80      xxx.xxx.86.45:1233      207.46.248.119:80      HTTP      22 sec.      198      198

Which looks ok, I am getting bytes sent and received - but still no browsing....

I also need to forward FTP to one of the servers on the new subnet - which would be actually more important than allowing the servers on the remote subnet internet access. I have tried a VIP  - pointing directly at the server's subnet address: in this case, 172.16.45.21, but that does not appear to be working. I also set up a MIP, with a local address mapped to the server's subnet address, and tried to direct the VIP, to the MIP, but that didn't work either. Please can you help?

Thanks,
ZM

ZM,
 
Let's get the first problem working. It is a good sign you have translations.

1. Can you ping and the results are coming in?

2. The new policy statement has an id that is lesser than the 'all deny' stuff? Can you post the config again with the new commands included?

Cheers,
Rajesh
Ok, sure.
I have activated logging for the policy, that is from the new network name, trust to untrust, any any permit. The id number is more than the deny - but it is right at the top of the policy list. The log is recognising traffic - but it seems not to be receiving bytes from the destination address, as below:

2007-03-04 18:23:18      172.16.45.21:1552      207.46.248.119:80      172.16.45.21:1552      207.46.248.119:80      HTTP      20 sec.      198      0

There is no NAT being applied to this rule, as the translated source address is the same as the source, as above. Is this correct? I assume not; would this be why there are no bytes received?

Anyway, here is the current config:

set group service "Web Surfing" add "FTP"
set group service "Web Surfing" add "FTP-Get"
set group service "Web Surfing" add "FTP-Put"
set group service "Web Surfing" add "HTTP"
set group service "Web Surfing" add "HTTPS"
set group service "Web Surfing" add "MAIL"
set group service "Web Surfing" add "PING"
set group service "Web Surfing" add "POP3"
set group service "Web Surfing" add "TSE"
set policy id 46 from "Untrust" to "Trust"  "Any" "SomeNew DMZ" "ANY" permit log
set policy id 13 from "Untrust" to "Trust"  "MMC-NSremoteUsers-10.10.200.0" "VirtualVax-192.168.44.69/32" "ANY" nat src permit
set policy id 15 from "Untrust" to "Trust"  "Any" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 45 from "Trust" to "Untrust"  "SomeNew DMZ" "Any" "ANY" permit log
set policy id 31 name "Deskbank" from "Trust" to "Untrust"  "Any" "Any" "Deskbank" nat src permit
set policy id 32 name "OpenVPN" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "OpenVPN" nat src permit
set policy id 29 from "Trust" to "Untrust"  "Any" "Any" "PPTP" nat src permit
set policy id 20 name "SomeDomain" from "Trust" to "Untrust"  "Any" "Any" "SomeDomain" nat src permit
set policy id 19 name "FTP" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "FTP" nat src permit
set policy id 19 application "FTP"
set policy id 1 name "MMC Internet Access" from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "Web Surfing" nat src permit
set policy id 14 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "Any" "ANY" permit
set policy id 9 from "Untrust" to "Trust"  "MMC-NSremoteUsers-10.10.200.0" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 8 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "MMC-NSremoteUsers-10.10.200.0" "ANY" permit
set policy id 2 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "K Lan-192.168.11.0/24" "ANY" permit
set policy id 7 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "K Vax Firewall" "TELNET" nat src permit log
set policy id 17 from "Trust" to "Untrust"  "MMC Lan-192.168.44.0/24" "BT_PIE Network" "ANY" nat src dip-id 4 permit log
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
set policy id 6 from "Untrust" to "Trust"  "K Lan-192.168.11.0/24" "MMC Lan-192.168.44.0/24" "ANY" permit
set policy id 4 from "Untrust" to "Trust"  "Kauri Lan-192.168.11.0/24" "MMC Lan-192.168.44.0/24" "Printing" permit log
set policy id 16 from "Untrust" to "Trust"  "BT_PIE Network" "MIP(192.168.15.5)" "ANY" nat src permit
set policy id 18 name "SMTP" from "Untrust" to "Trust"  "Any" "VIP::1" "smtp" permit
set policy id 21 name "SFTP" from "Untrust" to "Trust"  "Any" "VIP::1" "SSH" permit
set policy id 21 disable
set policy id 25 name "FTP" from "Untrust" to "Trust"  "Any" "VIP::1" "FTP" permit log
set policy id 23 name "RWW-4125" from "Untrust" to "Trust"  "Any" "VIP::1" "RWW-4125" permit
set policy id 24 name "HTTPS" from "Untrust" to "Trust"  "Any" "VIP::1" "HTTPS" permit
set policy id 30 name "FTP + 50 PASV" from "Untrust" to "Trust"  "Any" "VIP::1" "New FTP" permit
set policy id 5 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 11 from "Trust" to "Trust"  "MMC Lan-192.168.44.0/24" "MIP(192.168.44.69)" "ANY" permit
set policy id 34 from "Trust" to "Trust"  "SomeNew DMZ" "Any" "ANY" permit
set policy id 34
set src-address "Servers"
exit
set vpn "Tunnel-user1" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.103/32 "ANY"
set vpn "Tunnel-user2" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.101/32 "ANY"
set vpn "Tunnel-user3" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.102/32 "ANY"
set vpn "Tunnel-user4" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.104/32 "ANY"
set vpn "K-Tunnel" proxy-id local-ip 192.168.44.0/24 remote-ip 192.168.11.0/24 "ANY"
set vpn "BT_VPN" proxy-id local-ip 192.168.15.0/24 remote-ip xxx.xx.xxx.0/24 "ANY"
set vpn "Tunnel-C" proxy-id local-ip 192.168.44.0/24 remote-ip 10.10.200.106/32 "ANY"
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route  192.168.11.0/24 interface tunnel.1
set route  10.10.200.0/24 interface tunnel.2
set route  xxx.xx.xxx.0/24 interface tunnel.3 gateway 192.168.15.50
set route  xxx.xx.44.0/24 interface trust gateway 192.168.44.253
set route  xxx.xx.45.0/24 interface trust gateway 192.168.44.253
exit
I can ping, from one of the servers, on the new subnet, to the local LAN gateway. I cannot ping past the gateway, onto the internet. I have a feeling that packets are just not being routed back, past the lan firewall, to the wan router, which sits inside the lan..., even though I have setup static routes - does that make sense?
Thx
Ok, I have activated egress, outgoing nat on the policy, and I am now receiving bytes, on the policy log:

2007-03-04 20:30:13      172.16.45.21:2483      66.102.7.99:80      xxx.xxx.86.45:1781      66.102.7.99:80      HTTP      20 sec.      198      192

So it seems as if packets are coming back in to the lan firewall properly - but not back to the subnet servers?
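The three policy-log lines posted in this thread differ in exactly the two columns that matter for the diagnosis: whether the translated source equals the original source (no source NAT applied) and whether any bytes came back. The Python below is an added example, not code from the thread: it parses lines in that nine-column layout and flags those two conditions. The log lines are the ones quoted above, embedded as sample input; the column meanings (source, destination, translated source, translated destination, service, duration, bytes sent, bytes received) follow the order in which they appear.

```python
import re
from dataclasses import dataclass

# The three policy-log lines quoted in this thread (sample input for the example).
LOG_LINES = """\
2007-03-04 10:03:02      172.16.45.21:1734      207.46.248.119:80      xxx.xxx.86.45:1233      207.46.248.119:80      HTTP      22 sec.      198      198
2007-03-04 18:23:18      172.16.45.21:1552      207.46.248.119:80      172.16.45.21:1552      207.46.248.119:80      HTTP      20 sec.      198      0
2007-03-04 20:30:13      172.16.45.21:2483      66.102.7.99:80      xxx.xxx.86.45:1781      66.102.7.99:80      HTTP      20 sec.      198      192
"""


@dataclass
class PolicyLogEntry:
    timestamp: str
    src: str            # original source ip:port
    dst: str            # original destination ip:port
    xlated_src: str     # source after translation (what the remote peer sees)
    xlated_dst: str     # destination after translation
    service: str
    duration_sec: int
    bytes_sent: int
    bytes_received: int

    @property
    def source_natted(self):
        # Policy "nat src" or interface NAT rewrites the source; if neither ran,
        # the private address left the firewall unchanged.
        return self.src != self.xlated_src

    @property
    def got_reply(self):
        return self.bytes_received > 0


def parse_policy_log_line(line):
    """Parse one policy-log line; columns are separated by runs of two or more spaces."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != 9:
        raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
    ts, src, dst, xsrc, xdst, svc, duration, sent, rcvd = fields
    return PolicyLogEntry(ts, src, dst, xsrc, xdst, svc,
                          int(duration.split()[0]), int(sent), int(rcvd))


def diagnose(entry):
    """Return the findings worth flagging for one entry, most likely cause first."""
    findings = []
    if not entry.source_natted:
        findings.append("no source NAT: private address %s was sent out unchanged"
                        % entry.src.split(":")[0])
    if not entry.got_reply:
        findings.append("no return bytes: the reply never reached the firewall or was dropped")
    if entry.source_natted and entry.got_reply:
        findings.append("translation and reply look fine at the firewall; if the client "
                        "still fails, check the return path from the firewall to the client subnet")
    return findings


def analyze(log_text):
    """Parse every non-empty line and pair its source with its findings."""
    entries = [parse_policy_log_line(l) for l in log_text.splitlines() if l.strip()]
    return [(e.src, diagnose(e)) for e in entries]


if __name__ == "__main__":
    for src, findings in analyze(LOG_LINES):
        print(src)
        for f in findings:
            print("   -", f)
```

The second line is the one the thread worried about: both "no source NAT" and "no return bytes" fire on it, while the first and third lines show translation to the untrust address and bytes coming back.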
>>set route  172.16.44.0/24 interface trust gateway 192.168.44.253

Is this the correct interface address where the lan router is ?

From the firewall, can you ping 172.16.45.21 ? See if that works.

Cheers,
Rajesh
Start a ping from 172 network and do a 'get session', post it here.

Cheers,
Rajesh
From the lan firewall, I can ping the 172 network fine. Yes, the 192.168.44.253 is the IP of the lan router, which connects the new subnet.

The get session is below:

alloc 22/max 2000, alloc failed 0, di alloc failed 0
id 362/s**,vsys 0,flag 00000040/0080/20,policy 320002,time 180, dip 0
 1(0601):125.237.230.80/1411->xxx.xx.86.45/23,6,0090d08eb0d6,3,vlan 0,tun 0,vsd 0,route 7
 3(0010):125.237.230.80/1411<-xxx.xxx.86.45/23,6,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 1259/s**,vsys 0,flag 00000000/0000/00,policy 20,time 179, dip 2
 2(9801):192.168.44.65/8198->206.156.53.143/8195,6,000bdb69f54d,2,vlan 0,tun 0,vsd 0,route 0
 1(1800):xxx.xxx.86.45/2867<-206.156.53.143/8195,6,0090d08eb0d6,3,vlan 0,tun 0,vsd 0,route 7
id 1378/s**,vsys 0,flag 00000050/0080/20,policy 320000,time 1, dip 0
 3(0011):192.168.44.254/17700->172.16.45.21/1024,1,000000000000,4,vlan 0,tun 0,vsd 0,route 0
 2(0000):192.168.44.254/17700<-172.16.45.21/1024,1,00090f090100,2,vlan 0,tun 0,vsd 0,route 9
id 1415/s**,vsys 0,flag 00000040/0000/00,policy 15,time 170, dip 0
 20(0801):192.168.11.23/23->192.168.44.58/1941,6,000000000000,3,vlan 0,tun 40000001,vsd 0,route 4
0,route 1
id 1471/s**,vsys 0,flag 40000000/0000/00,policy 45,time 1, dip 2
 2(9801):172.16.45.21/1996->65.55.192.126/80,6,00090f090100,2,vlan 0,tun 0,vsd 0,route 0
 1(1800):xxx.xxx.86.45/2112<-65.55.192.126/80,6,0090d08eb0d6,3,vlan 0,tun 0,vsd 0,route 7
id 1651/s**,vsys 0,flag 00000000/0000/00,policy 20,time 180, dip 2
 2(9801):192.168.44.65/8292->208.22.56.113/8292,6,000bdb69f54d,2,vlan 0,tun 0,vsd 0,route 0
 1(1800):xxx.xxx.86.45/2986<-208.22.56.113/8292,6,0090d08eb0d6,3,vlan 0,tun 0,vsd 0,route 7
id 1985/s**,vsys 0,flag 00000050/0080/20,policy 320000,time 1, dip 0
 3(0011):192.168.44.254/17800->192.168.44.20/1024,1,000000000000,4,vlan 0,tun 0,vsd 0,route 0
 2(0000):192.168.44.254/17800<-192.168.44.20/1024,1,0007e9335732,2,vlan 0,tun 0,vsd 0,route 1
id 1998/s**,vsys 0,flag 04400000/0000/00,policy 15,time 179, dip 0
 20(0801):10.10.200.106/1399->192.168.44.21/3389,6,000000000000,3,vlan 0,tun 4000001a,vsd 0,route 5
 2(0000):10.10.200.106/1399<-172.16.45.21/3389,6,00090f090100,2,vlan 0,tun 0,vsd 0,route 9
Total 8 sessions shown
Looks to be correct. You're sure that the traffic is not being denied by the policy you have right ? Would it be possible for you to turn off the policy which denies everything and see ?

>>set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log

If not, you can see if it is logging about the new traffic.

Cheers,
Rajesh
I think I have found the problem. It seems that now all the traffic is working correctly, in and out of the firewall. BUT, the Trust interface is in route mode, not NAT, so any returning packets from the internet are being forwarded with the source address (being the public IP) unchanged, which the internal router is rejecting. What implications will there be if I change the trust interface to be NAT? I have ipsec tunnel remote access clients, which look like they are the only beneficiaries of a NAT-less trust-untrust policy rule.

Thanks for your help.
Jeez, man that is the first point and that is what I first asked as well :-)

Only if the Trust is in NAT mode and the Untrust in route mode will the interface PAT work on a netscreen box.

I do not see any problems by you changing the int to nat mode now.

Cheers,
Rajesh
Uhumm, right, sorry... I assumed you thought that the subnet, was a separate interface on the actual device... But it was my Trust interface.
So one more question... I have got incoming FTP working now - but I had to create a rule untrust-trust with source nat enabled in the rule for it to work. So now my FTP server thinks that all my incoming connections are from the trust interface ip. Not ideal, but I am still not able to browse the internet from the servers - does putting the interface in NAT mode change anything? It looks like all the policies are the same, and behave the same... It appears that for any traffic initiated from within the new subnet, going out and then coming back, the source ip is unchanged, even after changing to nat mode. So the subnet router is still refusing to route public IPs...
>>I assumed you thought that the subnet, was a separate interface on the actual device... But it was my Trust interface.

Yeah, true but again everything behind the Trust interface is again trust as far as a Juniper firewall is considered.

Putting the interface in nat mode enables the inbuilt functionality of natting all outgoing connections with the untrust assigned ip address. I don't see why you're still not able to browse. You should be; you don't need source natting (I mean, if you are doing VIP that is okay - I guess that is what you meant???)

Cheers,
Rajesh
Ok, the Trust is now in NAT mode, but the Untrust is still route mode - is this ok? Putting the Trust in NAT mode didn't appear to change anything. I was still not able to FTP inbound, until I created a specific NAT policy... Doing something wrong still..?
Yeah, the Untrust has to be in route mode.

I guess that is good to go.

Cheers,
Rajesh