[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1952
  • Last Modified:

Configuring Juniper NS-5GT

Hello experts,
I'am new on juniper netscreen. I have NS-5GT  and I want to put three different s networks on it.
I don't want those networks to communicate. What configuration should i do and how if it's possible ?

Best regards!
0
brainskill
Asked:
brainskill
  • 11
  • 7
  • 2
1 Solution
 
rsivanandanCommented:
Yes it can be done and what purpose are you looking for ? Putting 3 networks and you don't want them to talk to each other is as equal as not connecting them at all :-)

So is it like 2 networks internal and you don't want to talk between each but go out through the third for internet or some sort ?

Please provide more information. As a basic, you can do that and you would be able to put it into 3 different network security zones (trust, untrust and dmz)

Cheers,
Rajesh
0
 
amoldkelkarCommented:
So basically in addition to what Rajesh mentioned about 3 different zones you can have different firewall policies by which you can differentiate amongst the zones and the users you want the access to be given.
Moreover you can specifically assign the users in the respective zones while creating the entries as well.
For example:
set add trust address_1 10.205.0.1/32 host_1
set add untrust address_2 10.205.1.1/32 host_2
set add dmz address_3 10.205.2.1/32 host_3

So lets say you want to give access for host_1 to host_2 and host_2 with host_3
then the policy rules would like these,
set policy id 1 from trust to untrust host_1 host_2 any permit
set policy id 2 from untrust to dmz host_2 host_3 any permit

If the networks are remotely located then you can still keep the traffic and access separate using different kind of VPNs supported by the netscreen firewall.

-AK
0
 
brainskillAuthor Commented:
OK, i see but,
My architecture will be like 3 networks internal but each go out through the fourth (untrust) for internet .
It seems that I can do only 3 zones including untrust.
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
amoldkelkarCommented:
Oh you can even have customized zones created for yourself and then playaround with policy rules for them
0
 
amoldkelkarCommented:
For example like,
set zone name brainskill-1

So u want acces for guys bound to brainskill-1 zone to untrust then use following rule,
set policy from brainskill-1 to untrust any any any permit
0
 
amoldkelkarCommented:
Also to know how many total number of zones your ns5gt would be supporting use following cli,
get license-key

so the number of zones listed in are all the security zones that is wrt ns5gt it would be provided its in trust-untrust mode,
nat/route mode:
trust
untrust
dmz
xparent mode:
v1-trust
v1-untrust
v1-dmz

So you might want to get an additional license for few more zones from the JTAC
0
 
brainskillAuthor Commented:
I don't see well. is that means I will have four zones (3 + customized) ?
How i will assigned a port to this cusomized zone ?
0
 
brainskillAuthor Commented:
Sorry, I see late the last answer.
the solution is that i have to get an additionnal licence.
0
 
rsivanandanCommented:
When you do 'get license' on the 5gt, what number does it display next to "Zones:"

Cheers,
Rajesh
0
 
amoldkelkarCommented:
I didnt get your question.
But from what i understand, there is no port dedicated to any customized zone. Not that  know. Its basically once you have separate customized zone you can have policy for those.
Before that, how many zones capability you have got on your firewall device?
Using get license-key you can find that out.

If its 6 then you probably need license for having custom zones.

But even if you have 3 predefined security zones you can still stop the access in between the users assigned to for example trust zone.
Usnig intrazone blocking traffic feature you can do so and then play around the user traffic through policy rules.
Do let me know your port question?
0
 
amoldkelkarCommented:
Any update/questions?

-AK
0
 
brainskillAuthor Commented:
About port let say, i have 5 ports and i need 4 zones.
here is the display of "get licence":
Sessions:           2064 sessions
Capacity:           10 users
NSRP:               Disable
VPN tunnels:        10 tunnels
Vsys:               None
Vrouters:           3 virtual routers
Zones:              7 zones
VLANs:              10 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
AV:                 Disable(0)
Anti-Spam:          Disable(0)
Url Filtering:      Disable
0
 
amoldkelkarCommented:
I am assuming that the device is in Trust-Untrust mode.
You can see it using 'get system'

So looking at your license it looks like you have 7 zones capability so that means 6 what i mentioned above plus you can have one as a custom security zone.

Now you can have, trust,untrust,dmz and customized zone as well.

Follow the cli mentioned above for creating a custom zone and a policy for that zone.

Let me know.
-AK
0
 
brainskillAuthor Commented:
let's suppose this port attribution:
- trust ---- port 1
- untrust --- port 5
- dmz --- port 3
- customized zone ---- port ???
or where users from customized zone will be connected on the firewall ? shall we attribute a specific port to this customized zone ?
0
 
amoldkelkarCommented:
What OS you are using?
0
 
amoldkelkarCommented:
Hi,
I got some good info for you.

Firstly what mode you have your box in,
is it in Base mode or Advanced mode.
If its in advanced mode then you will be able to see the extra port-mode option which is "Dual-DMZ mode"  where in you can have 4 zones.
trust
untrust
DMZ
DMZ2

so this could be the ideal solution which you are looking for.

For to find the support of different modes use the following cli,
ns5gt-> exec port-mode ?
combined             change to combined mode
dmz-dual-untrust     change to dmz-dual-untrust mode
dual-dmz             change to dual-dmz mode
dual-untrust         change to dual-untrust mode
extended             change to extended mode
home-work            change to home-work mode
trust-untrust        change to trust-untrust mode

get license-key
above cli will tell you whether you have the 'extended-key' installed

Bingo
This should work out

Thanks

Let me know
-AK
0
 
brainskillAuthor Commented:
here is "get system" dis^lay:
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r4.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Mon Jul 31 09:19:33 PDT 2006
File Name: ns5gt.5.3.0r4.0
0
 
amoldkelkarCommented:
Please try my previous post to your's recent post.

Let me know
0
 
brainskillAuthor Commented:
I'am not in advanced mode. I think it could be what i'am looking for.
Extended-key is not installed
ns5gt-> exec port-mode  ?
combined             change to combined mode
dual-untrust         change to dual-untrust mode
home-work            change to home-work mode
trust-untrust        change to trust-untrust mode

0
 
amoldkelkarCommented:
Yup.
You dont seem to have the extended key.

You can get the extended key from the customer support for having the Dual-DMZ and thats it.
You will be good to go.

-AK
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 11
  • 7
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now