[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2045
  • Last Modified:

Why when using our Juniper SSG320 as default router are connections to other subnets are dropped or reset?

We recently moved from a Watchguard Firebox firewall to a Juniper SSG 320.  We have 7 total locations/branches and they all can access the Internet via the Juniper.  The Juniper has static routing entries for each of the branches.  I can ping any system at any branch from the main office and I can ping anything at any branch from any other branch... so it appears routing is set up.  Here is the problem:

When users attempt to utilize our Intranet or other services hosted at our main branch (where the Juniper is located and is the default route) they are unable to access anything.  I can ping, but I cannot ssh or telnet or anything else.  If I enter static routes to each of the branches in the servers everything works as it should.

Is there a setting in the Juniper I am missing?  Could there be an ARP issue?  

As a side note, I still have the Watchguard online (with a different internal IP address than it used to have) and I can still get to the Internet (via a different ISP which we are cancelling).
0
jasoncraddock
Asked:
jasoncraddock
  • 9
  • 7
1 Solution
 
dpk_walCommented:
By default watchguard allows traffic between the subnets which are on the same physical interface [secondary networks]; however by default in Juniper firewalls intrazone traffic is blocked.

If you wish to open traffic between two subnets which are on the same zone (say trust); then you need to have a policy which would explicitly allow the traffic as below:
set policy id x from trust to trust source-subnet remote-subnet application permit
set policy id x from trust to trust remote-subnet source-subnet application permit

In above CLI, source-subnet and remote-subnet are addresses which are already added; for application if you wish all traffic then you specify "any".

Thank you.
0
 
jasoncraddockAuthor Commented:
Thank you dpk_wal.  I have entered the policies as described in your solution.  I am still experiencing the issue, though.  I can still connect to another subnet, but the connection (VNC, for example) only last for 10 or so seconds.  HTTP connections never get fully established.

I have posted a snippet of the config from the firewall fo you to look over.

Thanks again for your assistance.
set policy id 20 name "Main to Lindon" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.89.0/24" "ANY" permit 
set policy id 20
exit
set policy id 21 name "Lindon to Main" from "Trust" to "Trust"  "172.22.89.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 21
exit
set policy id 22 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.90.0/24" "ANY" permit 
set policy id 22
exit
set policy id 23 name "SOB 2 Main" from "Trust" to "Trust"  "172.22.90.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 23
exit
set policy id 24 name "Main to PG" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.85.0/24" "ANY" permit 
set policy id 24
exit
set policy id 25 name "PG to Main" from "Trust" to "Trust"  "172.22.85.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 25
exit
set policy id 26 name "Payson to Main" from "Trust" to "Trust"  "172.22.88.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 26
exit
set policy id 27 from "Trust" to "Trust"  "172.22.83.0/24" "172.22.88.0/24" "ANY" permit 
set policy id 27
exit
set policy id 28 name "Springville to Main" from "Trust" to "Trust"  "172.22.86.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 28
exit
set policy id 29 name "Main to Springville" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.86.0/24" "ANY" permit 
set policy id 29
exit
set policy id 30 name "AF to Main" from "Trust" to "Trust"  "172.22.84.0/24" "172.22.83.0/24" "ANY" permit 
set policy id 30
exit
set policy id 31 name "Main to AF" from "Trust" to "Trust"  "172.22.83.0/24" "172.22.84.0/24" "ANY" permit 
set policy id 31
exit

Open in new window

0
 
dpk_walCommented:
Have you added the subnets like 172.22.83.0/24 as network addresses on the needed zone. Also, wanted to make sure all these subnets are actually part of the trust zone or are they on different zones; in Juniper all policies are based on zones; the sample CLI I posted was keeping in mind that the subnets are on the trust zone themselves.

Thank you.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
jasoncraddockAuthor Commented:
I just verified the config and the addresses are included in the trust zone only.  Physically, they are all internal, trusted networks, too.
0
 
dpk_walCommented:
can you enable logging for the policies by appending "log" keyword at the end, for eg:
set policy id x from trust to untrust any any any permit log

and then check the logs as:
get log traffic

Finally, if nothing comes up we can use debug:
debug flow basic --- to start debug
clear db --- to clear db
get db stream --- to show the packets

We would now know what is blocking the traffic.

Thank you.
0
 
jasoncraddockAuthor Commented:
OK.  Logging enabled.  
I've attached the logging information.  It looks like the connection lasted 19 seconds and was closed out due to "AGE OUT"
2008-10-15 11:16:33	172.22.83.74:49927 	172.22.89.30:5900	172.22.83.74:49927	172.22.89.30:5900	TCP PORT 5900	19 sec.	9736	0	Close - AGE OUT

Open in new window

0
 
dpk_walCommented:
Is the traffic coming back; can you ensure that the machines have SSG as the default gateway; and not any other device.

Please update.

Thank you.
0
 
jasoncraddockAuthor Commented:
When I look at the logging for the policy which permits the traffic to flow back there is nothing listed.  Here is how they connect to everything:

Branch A has the Juniper and other routers for the branches.  All branches connect to branch A for service.  Branch B has a small Cisco router which is that branch's default route.  The router is connected via a T1 to another Cisco router at Branch A.  The Cisco router at Branch A has a default route of the Juniper firewall.  The only thing I can see is that traffic flowing from Branch B to Branch A will not hit the Juniper because the Cisco router located at Branch A is on the same subnet and does not need to route packets within its subnet.

All branches are set up in a similar fashion.
0
 
dpk_walCommented:
I am assuming your network diagram is as I have attached below.

Then you should have created routes on SSG320 to reach different subnets using the IP of router A [which is on the same subnet as the interface IP of SSG320]; further you also need route on each router to first forward all the traffic to router A and on router A to then forward the traffic to SSG320.

If all the above routes are in place then the things should work.

Please check and update.

Thank you.
Q-23814589.JPG
0
 
jasoncraddockAuthor Commented:
I am out of the office for knee surgery.  I will reply with a diagram later tonight.  Sorry for the delay.  Thanks again for your input
0
 
jasoncraddockAuthor Commented:
I've attached a small diagram of our layout.
The Juniper has all the static routes to each branch included in its config.

What I *think* is happening is this:

System at branch A initiates a session with a system at another branch.  The session starts and the other branch system communicates via its router on branch A side, completely bypassing the Juniper.  The Juniper never "sees" the response from the other branch and terminates the initial session.

Any ideas on how to work around this?  I know I can set a default route to be one of the Cisco routers and have it handle the work, I am just trying to avoid that for now.

Thanks again
routers.png
0
 
dpk_walCommented:
You can configure route map on cisco router; this would allow you configure routes based on specific subnet; so all traffic for branch A network from any of the routers would use SSG as the gateway and rest would use the default route as configured.

I am not a router expert so would not be able to help you best with the route maps; they are something like this [the syntax might not be 100% correct and there are many more options than the ones I listed]:
route-map <name> permit/deny <priority>
 match ip address <access-list-name>
 match interface <interface-name>

Thank you.
0
 
jasoncraddockAuthor Commented:
Thank you.  Will try later today when I get back in.
0
 
jasoncraddockAuthor Commented:
sorry... recovery from knee surgery is taking longer than I thought.  I do not have access to the firewall from home.  I will try to get in early next week and give this a try.

I believe the route-map on the Cisco devices is the way to go, I just need to figure out exactly how to implement it.
0
 
dpk_walCommented:
No problem please update per your convenience; have a speedy recovery! :)
0
 
jasoncraddockAuthor Commented:
Thanks for your help.  Sorry for the delay in rewarding points!
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 9
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now