Tricky1974

asked on

How can I configure my Juniper 5GT to bridge two separate networks with different restrictions?

Hi Experts
I have configured my Juniper NetScreen 5GT ADSL firewall/router to a very basic level using the getting started guide. It has just replaced an old, very basic USR router.

I now have internet connectivity from the PCs connected to it, and my PCs can see my print server.

I have a second, internal-only network comprising six 10-year-old machines running NT 3.5 on a 486 platform, set up with fixed IP addresses and connected to an unmanaged switch, which also has a basic PC running XP on it that acts as a file store. Programs are loaded off this PC by the machines by accessing the "J" drive.

Currently, new programs are created on other PCs and put on this PC by copying them off a USB stick into a shared folder.

(all pretty simple stuff)

We want to connect this network to the Juniper so our office PCs can put files onto this PC, without allowing any possibility of viruses or other nasties getting on there as well.

Under no circumstances must this PC or the machines ever get any internet visibility or access (either way).
We can't upgrade or install anything on the machines, as they will fall over!

Would I be best trying just to configure the Juniper for this, or should I install a second NIC in the file store PC to act as a bridge and connect that to the Juniper?

Should I ditch this file store PC and replace it with an NSLU2 or similar NAS?

I have downloaded all available technical documentation from the Juniper website, and none of the 5GT manuals are giving me any clues; after digging further, the ScreenOS manual is like 1000 pages!

I'm also not even certain how good the basic "getting started guide" config is; it seems they expect you to pay your supplier to set it all up rather than DIY.

Any help would be appreciated. I know a reasonable bit about hardware, but when it comes to software config I'm most definitely a beginner!
wally2k7

Hmm, my familiarity with Juniper kit is very limited, I am afraid. There are very few Juniper specialists around generally; you are kind of presented with a choice, specialise in Juniper or Cisco, so people are either great in one and aware of the other, or just about get by on them both.

Myself I just about get by on them both.

If I am correct, you want to have (or already do have) two LANs: one which you want to allow internet access for, and one which you don't.

At the same time, you want both LANs to be able to access each other, but not for the net.

Again, I don't really know the spec of the firewall/router you are using, so I'll get the basics first, but:

I assume you have a WAN interface (obviously) and two LAN interfaces?

If this is the case, then the problem is easy to overcome: simply configure the two LAN ports on different subnets, i.e. different IP ranges etc., and then the rest of the work is firewall/router based. You must add routes so that the two LANs are able to see each other. Add firewall rules allowing the one LAN to the net, and denying the other LAN.

Have I read and understood your question correctly?

Hope this helps, Rich
Tricky1974

ASKER

Hi Rich,
Thanks for your time.

Yes, it sounds like you have grasped my setup OK.
Basically:

Ethernet port 1: allow internet (WAN) in both directions
Ethernet port 2: block internet (WAN) totally in either direction (even pings)
Ethernet port 1 can talk (file share) to port 2

As my Juniper NetScreen is a 5GT ADSL model, its internet/WAN port plugs straight into the phone socket rather than going through another router or modem.

Any help is much appreciated.
Thanks
Right, this should be easy enough . . . he says!!

Basically, we need to set up the firewall and router rules to accommodate this.

Ideally you want each of the two LAN interfaces to support a different IP range; it makes it a bit easier. For instance, LAN 1: 192.168.100.xxx, LAN 2: 192.168.102.xxx.

Set up routes for each segment from the other, thus maintaining comms, and then set up the firewall to allow appropriate comms between the two segments, if the firewall governs traffic between the two interfaces.

LAN 1 needs a route to the net.
LAN 2 does not need a route to the net.

LAN 1 needs appropriate firewall rules to allow and deny the traffic you want.
LAN 2 does not.

Hey presto, all should be good.

I have not worked on this particular device, so I will have to spend some time tomorrow looking at it if you need some help with the config.

Hope this helps somewhat anyway!!

Rich
Hi Rich,

That all sounds well and good, but what commands do I need to use?

Thanks
Try following some of the online tutorials on the Juniper website; they are all configured from the web GUI, which should make it fairly easy, much easier than the command line interface. However:

Configuring a Manage IP Address
http://kb.juniper.net/CUSTOMERSERVICE/KB4059

Configuring Route Mode
http://kb.juniper.net/CUSTOMERSERVICE/KB4056

A whole host of other information is available here:
http://kb.juniper.net/ui.jsp?facetReset=true&ui_mode=question&charset=UTF-8&language=en-US&facet=By+Product.noun%5C.artifact%3Ahardware1.noun%5C.computer%3Afirewall.noun%5C.computer%5C.juniper%3ANetScreen+Firewall%2FIPSec+VPN&question_box=5gt

Is this helping, or am I just linking to resources you are already aware of, and you need further assistance talking you through the device setup, i.e. which IP address goes where, etc.?
Hi Rich

I'm aware of those resources and have not found out much.

The sort of thing I need to be typing in, based on looking at a previous solution, is:

ethernet 1 deny all untrust
ethernet 2 allow all untrust
ethernet 1 allow all ethernet 2

but the difference between "sort of" and a bomb-proof solution is quite large!

Any ideas?
Fair comment!!

Have you tried using the web-based configurator for this? It's how I tend to set my firewalls up after the initial config; it can be somewhat clearer to understand, especially when it comes to allowing and denying various sources. For instance, you can allow services x, y and z to the file share server from any of the other devices, which you set up individually by IP address and add to a group, and allow services x, y and z to and from the devices, dropping any other service automatically. As such, if you choose to allow telnet and not POP, for instance, you will be able to telnet to the machine but not use it as a mail server, etc.

I am not sure how this firewall itself works, having never used it; it seems a bit more basic than a full-scale firewall and as such may just allow connections rather than specific services, hence the above commands you have typed: allow or deny all, as opposed to allow telnet, deny POP, etc.

I think you should try having a look around the web-based utility to see if that makes things clearer from your perspective. I will try to find out as much as I can, but Juniper do tend to play their cards fairly close to their chest as far as getting specific info without having the box sat in front of you.

It is often useful to swap between the command line view and the web view; some things are easier on one than the other, and you will often find the two complement each other rather than replace each other.
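Rich's plan above (two LAN interfaces on different subnets, the firewall governing what crosses between them) and his earlier suggestion of allowing only named services to the file share from an address group can be written as a ScreenOS CLI configuration. The following is an added example for this thread, not from either participant and not copied from Juniper's documentation, and it assumes: ScreenOS 5.x syntax on a NetScreen-5GT ADSL; the 5GT's Home-Work port mode, which (as assumed here) splits the four LAN ports into a Work zone on ethernet1 and a Home zone on ethernet2 while the ADSL interface stays in Untrust; Rich's 192.168.100.x (office) and 192.168.102.x (workshop) ranges; made-up host addresses 192.168.102.10 for the XP file store and 192.168.100.11/.12 for the office PCs allowed to copy files; and names I chose (office-pc1, office-pc2, file-droppers, filestore). Lines beginning with # are commentary, not commands. Check the real port-to-interface mapping with "get interface" after the mode change, because it differs between port modes.

```text
# NetScreen-5GT ADSL, ScreenOS CLI. Added example; syntax assumed to be ScreenOS 5.x.
# Step 0: switch to Home-Work port mode so the LAN ports form two zones.
#   Assumption: changing port mode wipes the running configuration and needs a reboot,
#   so capture the current config with "get config" first and re-enter the ADSL/ISP
#   settings afterwards. Confirm the mapping with "get interface" once it is back up.
exec port-mode home-work
reset

# Step 1: one subnet per zone. ethernet1 (Work zone) is the office LAN and keeps its
#   default NAT mode so the office PCs share the single ADSL public address.
#   ethernet2 (Home zone) is the workshop LAN in route mode; nothing from it is NATed out.
set interface ethernet1 ip 192.168.100.1/24
set interface ethernet2 ip 192.168.102.1/24
set interface ethernet2 route
# The workshop side must not be able to manage the firewall (no web/telnet/ssh/ping to .102.1).
unset interface ethernet2 manage

# Step 2: address book. The office PCs allowed to drop files are listed individually and
#   grouped; any other office host is left out of the group and so cannot reach the share.
set address Work "office-pc1" 192.168.100.11 255.255.255.255
set address Work "office-pc2" 192.168.100.12 255.255.255.255
set group address Work "file-droppers" add "office-pc1"
set group address Work "file-droppers" add "office-pc2"
set address Home "filestore" 192.168.102.10 255.255.255.255

# Step 3: policies. Traffic between zones that matches no policy is dropped, but the
#   port mode ships with default permit policies (assumed: at least Home to Untrust);
#   list them with "get policy" and remove anything not below with "unset policy id <n>".
set policy from Work to Untrust "Any" "Any" "ANY" permit
set policy from Work to Home "file-droppers" "filestore" "SMB" permit log
set policy from Home to Work "Any" "Any" "ANY" deny log
set policy from Home to Untrust "Any" "Any" "ANY" deny log
set policy from Untrust to Home "Any" "Any" "ANY" deny log
save
```

Office PCs map the share by address (\\192.168.102.10\sharename), because NetBIOS name broadcasts do not cross the firewall and no name-service ports are opened; "SMB" is the predefined ScreenOS service for TCP 139/445, so nothing else from the office reaches the workshop PC. To verify the isolation from the workshop side, try to ping 192.168.100.1 and an internet address from the XP box: both should fail, and "get log traffic" on the 5GT should show the deny policies being hit. Note what this does and does not give you: the workshop network gets no path to the internet in either direction and only two office hosts can write to one PC over one protocol, but the firewall does not inspect the files copied over SMB, so keeping the office PCs themselves clean is still what stops a virus arriving on the J drive.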
There is loads of stuff on Juniper's website, but when Volume 2 of the ScreenOS guide is almost 600 pages long, it isn't geared up to give you lots of examples which are remotely as simple as my situation.

I think I'm going to have to fork out for the support contract at £80 per year and get their techs to tell me how to set it up.
Based on previous solutions on this site, I thought there were several people who knew their way round this kit?
Maybe they are still hung over from Christmas and New Year's Eve!
Might be worth hanging around a while, maybe reposting the question again then.

An £80 support contract for a £200-ish box is a bit extreme. Have you tried searching Experts Exchange for a solution similar to the question you have asked?

My apologies that you feel somewhat let down by this. It is indeed a simple enough question, hence why I have attempted to answer; unfortunately I am unable to guide you too greatly, not being familiar with the individual box you are using. I would have hoped that, with some guidance from the Juniper website and the ability to pop back with specific "what goes here" type questions, we might have been able to solve the problem together.

Once again, apologies that you have not found the answer you are looking for. I would suggest maybe reposting the question to generate fresh interest; obviously this is now a fairly old question to generate fresh responses. Maybe you will be able to find someone with a better working knowledge of this than myself.

Kind Regards, Rich
Thanks for your efforts, Rich. I'll leave it a few more days and re-post.
ASKER CERTIFIED SOLUTION
wally2k7