Configuration help with Juniper SSG 20!

Krocodile used Ask the Experts™
I am looking for some troubleshooting and configuration help on a Juniper Netscreen SSG 20.  Here is my setup.  I have a 2wire DSL modem provided by Qwest assigned a block of 8 (5 useable) static IPs.  The 2wire is configured in un-numbered mode so that the public IPs can be assigned to other devices on the network that are plugged into the 2wire's switch.  The 2wire automatically was given the gateway address of my static block.  Plugged into the 2wire's switch is the Juniper Netscreen SSG 20, and in the configuration it is assigned one of the static IPs from my block on the Ethernet 0/0, and Ethernet 0/0 is plugged into one of the switch ports on the 2wire.  Ethernet 0/0 is assigned to UNTRUST, and I have assigned Ethernet 0/1 0/2 0/3 to be part of a TRUST group called BGROUP0, and BGROUP0 is assigned a private IP address on my network.  Also Ethernet 0/1, which is part of the BGROUP0, has a cable plugged from that port into a port on my network switch.

Now to my issue.  With the configuration the way it is, I am able to browse the internet fine through the Juniper.  However I created a policy (under the configuration Policies in the Juniper), that is supposed to take traffic from one of my other static IP addresses on the 2wire that is assigned to my block of 5 useable, and pass it through to one of the servers on my private network switch.  The policy reads as such:
Untrust - 70.56.x.201/29  to  Trust - 10.34.x.240/24  allow RDP,SMTP,POP3.

However, when I try to access the server using RDP from the outside, or SMTP for that matter, there is nothing.  It would appear that the Juniper is not letting traffic pass from the Ethernet0/0 port into the Ethernet 0/1 port (or BGROUP0) into the private network.  Even if I modify the policy to use any of the 5 useable static IP addresses I have been assigned, it still does not work so it's not specific to one IP.  

Something I forgot to mention that is also part of my config.  The PCs and servers, instead of using the Juniper as their default gateway, are using a Cisco 1700.  In the configuration of the Cisco 1700, there is a route command that is passing traffic from the Cisco to the Juniper.  The Cisco is mainly used for a T1 P2P between a remote office and ours.

One thing I should mention that I did as a troubleshooting step that's really got me baffled.  Just out of curiosity, I went to on one of my servers, and that server showed it was using 70.56.x.203 as its IP address it is communicating out of.  However, when I did the same from another server on the same network, it said I was using 70.56.x.201.  I thought that a policy in the Juniper might have been causing this so I removed any policies I created, and this particular server still showed that IP address.  Also like the Juniper has a one to one NAT statement, but I was unable to find this.

At this time, bottom line, no port forwarding is occurring, and we host our own email.  So at this time we have a completely down email server and I need to find a solution immediately.  Thank you very much for your assistance or any you can give, and please let me know if you need more information!
Top Expert 2007
Please make sure that you add a VIP [virtual IP] to the e0/0 interface in the untrust zone. Then you would be able to use VIP and create policy for incoming traffic.
Also, make sure that the Cisco router forwards all traffic to the SSG properly; otherwise the packets would go inside but would not come back, and this can even be part of your problem. Make sure that the router does no NAT/PAT on the packet when it forwards it to the SSG, but pure routing only.

You can create MIP and/or DIP for 1:1 IP mapping or for NAT to be implemented. By default the device would NAT all outgoing traffic using the external IP of the SSG. For reverse DNS lookup for mail servers, it would be good to create 1:1 mapping.
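
As an added example (not part of the original answer), this is roughly what the VIP and MIP suggestions look like in the ScreenOS CLI. All addresses are constructed placeholders (203.0.113.0/29 for the public block, 10.0.0.240 for the mail server, 198.51.100.10 for an admin workstation), the policy IDs and the names "RDP" and "admin-host" are made up for illustration, and "MAIL" is assumed to be the predefined service name for SMTP on this firmware.

```screenos
# Lines starting with "#" are annotations, not CLI input.

# Option A: MIP, a 1:1 mapping of a spare public address to the server.
set interface ethernet0/0 mip 203.0.113.3 host 10.0.0.240 netmask 255.255.255.255

# The policy destination is the MIP object, not the private address,
# and the source is whoever is connecting from the Internet.
set policy id 10 from untrust to trust any "MIP(203.0.113.3)" "MAIL" permit log
set policy id 10
set service "POP3"
exit

# RDP is not mail: define it as a custom service and permit it only
# from a known admin address instead of from "any".
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set address untrust "admin-host" 198.51.100.10/32
set policy id 11 from untrust to trust "admin-host" "MIP(203.0.113.3)" "RDP" permit log

# Option B: VIP, per-port forwarding of one public address.
# A VIP and a MIP cannot share the same public address.
set interface ethernet0/0 vip 203.0.113.4 25 "MAIL" 10.0.0.240
set policy id 12 from untrust to trust any "VIP(203.0.113.4)" "MAIL" permit log

# Verification: confirm the policy, then watch for a session during a test.
get policy id 10
get session dst-ip 10.0.0.240
```

If a session appears but the connection never completes, the reply is probably leaving by another path, which is the return-routing point about the Cisco router in the answer above.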


Wow thanks for the information!   This was very helpful, and I was able to get it up and running by troubleshooting with your information in mind.  Awesome, A++ help, you have a great one!
Top Expert 2007

Thank you! I am happy I was able to help. :)
