Draytek 2820 & Juniper SSG6

Posted on 2009-04-05
Last Modified: 2012-05-06
Hi Experts,

We are trying to use the Draytek Vigor to pass an external range of 8 ISP-assigned IPs through so the SSG5 can deal with the security side of things and NAT rather than the Vigor.

So far, no matter what we try, only the WAN interface IP gets forwarded for some reason. Draytek support told me it can be done, but they are only there to deal with faulty equipment (nice, eh?).

This may be either the router or the firewall being misconfigured, but as I am not even 5% sure which, I figured you guys would know how to set this one up.

If you are wondering why the SSG is being used as a firewall rather than just using the Vigor... it is a compliance thing with the company involved and I can't change it.

If you could give the correct settings for the router and how to setup the SSG5 I would be most grateful.

Question by:AndiBates
LVL 32

Expert Comment

ID: 24121145
Please have a look at the link below which helps with configuring multiple IP addresses behind vigor:

For SSG5, I think the setup is as below:

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

If this is the case, then console in to the device, or if you are already on the network use the WebUI, and configure the following at the CLI:
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip <public-ip>/<netmask>
set route 0.0.0.0/0 interface ethernet0/0 gateway <gateway-ip-as-given-by-isp>

This would get things going.

Thank you.

Author Comment

ID: 24138035
Thanks for the reply,

could you go into more depth on the second part though?

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

this is indeed how we intend to go, but with the SSG doing the NAT and port opening for 4 WAN IPs

I am getting totally confused with VIP, MIP, DIP, etc. and could really do with some help here

LVL 32

Expert Comment

ID: 24144504
Configure bgroup2 in nat mode:
set interface bgroup0 nat

DIP - dynamic IP; VIP - virtual IP; MIP - managed IP
The above three mechanisms are used for NAT translation on SOS. DIP is used for dynamic translations [you can translate over VPN or for normal internet access]; VIP/MIP are used for incoming NAT translations.

If you are not hosting any server, also if you do not need any specific outbound NAT translations to be done for internet access, then you need not worry about these things at this time.
Setting interface in nat mode would take care of default PAT.

Thank you.

Author Comment

ID: 24146049
Sorry but I should really have given more info here. My Bad.

We will be putting 4 servers behind the SSG

Exchange with RPC/HTTP
FTP server
and 2 Web Servers

The external WAN IPs need to be mapped across to static LAN IPs and only have the required parts open, and this is where the SSG gets quite confusing.

If you could give me one example then I can hopefully extrapolate into the others.

Again thanks
LVL 32

Expert Comment

ID: 24147440
If you have 4 public IP addresses other than one needed for untrust interface, then you can create MIP. MIP gives you the flexibility to 1-1 map internal machines to external IP.
If the IP addresses are less or if you wish to use one single IP for accessing multiple services, then create VIP.
Finally create a policy to allow the traffic inbound.

The CLIs would be:
set interface ethernet0/0 vip <public-ip-address> <port> <service> <internal-machine-ip>
set interface ethernet0/0 mip <public-ip-address> host <internal-machine-ip> netmask 255.255.255.255
set policy id <x> from "Untrust" to "Trust" "Any" "MIP(<public-ip-address>)" "<service>" permit
set policy id <x> from "Untrust" to "Trust" "Any" "VIP(<public-ip-address>)" "<service>" permit

Please let me know if you need more details.

Thank you.
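As an added, complete example of the MIP approach described in the comment above (this is not from the thread or from Juniper's documentation), here is a ScreenOS configuration for the four-server layout the asker has in mind. Everything in it is assumed: the addresses come from the 203.0.113.0/24 documentation range, with the SSG5's untrust interface at .74 on a /29, the Vigor at .73 as the upstream gateway, .75 to .78 as the four public addresses mapped one-to-one onto internal hosts, and a 192.168.1.0/24 LAN. "MIP" is ScreenOS's mapped IP. Service names are ScreenOS's predefined ones; the lines beginning with # are annotations and should be dropped before pasting into the CLI.

```screenos
# Added example (not from the thread); all addresses and hosts are assumed.
# Untrust side: the SSG5 sits on the /29 that the Vigor routes through.
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.74/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.73

# Trust side: bgroup0 in NAT mode gives the LAN outbound PAT behind 203.0.113.74.
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat

# One MIP per spare public address: a static 1:1 mapping onto an internal host.
set interface ethernet0/0 mip 203.0.113.75 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.0.113.76 host 192.168.1.11 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.0.113.77 host 192.168.1.12 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.0.113.78 host 192.168.1.13 netmask 255.255.255.255 vr trust-vr

# A service group so each web server policy stays one line.
set group service "web-svc"
set group service "web-svc" add "HTTP"
set group service "web-svc" add "HTTPS"

# Inbound policies: only the required service per MIP, every one logged.
# 192.168.1.10 = Exchange (RPC over HTTP only needs HTTPS on the front end)
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(203.0.113.75)" "HTTPS" permit log
# 192.168.1.11 = FTP server (the FTP service carries the ALG for data connections)
set policy id 11 from "Untrust" to "Trust" "Any" "MIP(203.0.113.76)" "FTP" permit log
# 192.168.1.12 and .13 = the two web servers
set policy id 12 from "Untrust" to "Trust" "Any" "MIP(203.0.113.77)" "web-svc" permit log
set policy id 13 from "Untrust" to "Trust" "Any" "MIP(203.0.113.78)" "web-svc" permit log

# Outbound from the LAN, logged so get log traffic shows both directions.
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log

save
```

Nothing else needs to be opened: anything from Untrust that does not match policies 10 to 13 is dropped by the default inter-zone deny, and the LAN hosts keep their private addresses. If only a single spare public address were available, the same hosts would be reached through a VIP instead, for example set interface ethernet0/0 vip 203.0.113.78 80 "HTTP" 192.168.1.12 together with a policy whose destination is "VIP(203.0.113.78)", in place of the MIP on that address and never alongside it.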

Author Comment

ID: 24156099
Ok, we gave this a go last night and this was the outcome

Vigor configured as shown and worked without issue. We set a PC up on the LAN with a WAN IP and this tested that the router was passing the IPs through without issue.

As for the SSG... well not quite so successful.

We configured the router so the eth0/1 untrust was in the same subnet as the Vigor's routed IPs and enabled NAT.

Created a MIP from a spare WAN IP to a known HTTP server within the LAN.
Created a Policy to allow HTTP from the spare WAN IP to the LAN IP
changed the LAN gateway to point at the LAN interface for the SSG

and nope, it didn't work.

Do we need to setup the VIP as well?
LVL 32

Expert Comment

ID: 24156477
No, we would configure either VIP or MIP, not both; can you post a few sanitized logs from the device which would help explain what happened.
For policy after disposition (accept/reject/deny) please put keyword "log" to enable logging.
You can view logs by:
get log
get log traffic

If nothing helps we would configure debug/snoop and figure out where the problem is.

Thank you.

Author Comment

ID: 24180161
well, we enabled logging on the policy in question but so far it hasn't logged a single line!

on that basis I figured the config file may help

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nJ+GH8rMGcCMcvcFgslN9iAtuACdXn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip
set interface ethernet0/0 nat
set interface bgroup0 ip
set interface bgroup0 nat
set interface ethernet0/0 gateway
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface "ethernet0/0" mip host netmask vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" ""
set address "Trust" ""
set address "Untrust" ""
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
set vrouter "trust-vr"
set url protocol websense

hope that is of use

Author Comment

ID: 24181296
sorry, forgot to add that we can connect to the .74 physical interface of the SSG from outside, so the Vigor is routing OK

Author Comment

ID: 24181425
I think i may have just spotted the problem.
I will come back tomorrow with an update
LVL 32

Accepted Solution

dpk_wal earned 500 total points
ID: 24182041
Please update on the results; in the config all policy definitions are missing, but so far the configuration looks good.

Please note that a less restrictive policy, or any policy which allows access, should be placed higher in the order in the configuration file than a more restrictive policy or one which denies/rejects access. The policies are applied from top to bottom.

Thank you.
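An added example (not from the thread) of the ordering point made above. A policy with log that never writes a line, as the asker reported, means no session ever matched it: ScreenOS walks the policy list for a zone pair from the top and the first match wins, regardless of policy id numbers, so a broader policy placed above the permit absorbs the traffic. The addresses and ids are assumed, reusing the documentation-range layout (SSG5 untrust at 203.0.113.74/29, Exchange MIP on .75); the # lines are annotations, not CLI.

```screenos
# Added example (not from the thread); addresses and policy ids are assumed.
# A blanket deny with logging is a handy way to see what is being dropped,
# but entered first it lands at the top of the Untrust->Trust list and every
# inbound session matches it before the permit is consulted.
set policy id 30 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(203.0.113.75)" "HTTPS" permit log

# Wrong order: get policy lists 30 above 10, so policy 10 never logs a hit.
get policy

# Fix: move the specific permit above the catch-all deny. The order shown by
# get policy is the evaluation order; the id numbers carry no precedence.
set policy move 10 before 30
get policy

# Confirm that inbound HTTPS sessions now land on policy 10 rather than 30.
get log traffic
get session
save
```

The same check applies without an explicit deny: if the permit is genuinely the only Untrust to Trust policy and still logs nothing, the packets are not reaching a policy lookup at all, which points at the MIP (wrong interface, wrong virtual router) or the upstream routing rather than at the policy.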

Author Comment

ID: 24313896
sorry for the delay, but here is how we fixed it

basically we reset the firewall using the good old paper clip and started from scratch again. this time though, with the router working 100%, the setup went flawlessly.

amazing, isn't it, what a paper clip can do!

dpk_wal, I appreciate your feedback as it proved to me that I wasn't going mad and was really on the right track.

thanks again
LVL 32

Expert Comment

ID: 24314370
Thank you for the appreciation and points! :)

