
  • Status: Solved

Draytek 2820 & Juniper SSG6

Hi Experts,

We are trying to use the Draytek Vigor to pass an external range of 8 ISP-assigned IPs through so the SSG5 can deal with the security side of things and NAT rather than the Vigor.

So far, no matter what we try, only the WAN interface IP gets forwarded for some reason. Draytek support told me it can be done but they are only there to deal with faulty equipment (nice, eh).

This may be either the router or the firewall being misconfigured, but as I am not even 5% sure which, I figured you guys would know how to set this one up.

If you are wondering why the SSG is being used as a firewall rather than just using the Vigor... it is a compliance thing with the company involved and I can't change it.

If you could give the correct settings for the router and how to set up the SSG5 I would be most grateful.

1 Solution
Please have a look at the link below which helps with configuring multiple IP addresses behind vigor:

For SSG5, I think the setup is as below:

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

If this is the case, then console into the device (or, if you are already on the network, use the web UI) and configure the following at the CLI:
set int eth0/0 zone untrust
set int eth0/0 ip <public-ip>/<netmask>
set route int eth0/0 gateway <gateway-ip-as-given-by-isp>

This would get things going.

Thank you.
AndiBates (Author) commented:
Thanks for the reply,

Could you go into more depth on the second part though?

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

This is indeed how we intend to go, but with the SSG doing the NAT and port opening for 4 WAN IPs.

I am getting totally confused with VIP, MIP, DIP, etc. and could really do with some help here.

Configure bgroup2 in nat mode:
set interface bgroup0 nat

DIP - dynamic IP; VIP - virtual IP; MIP - managed IP
Above three mechanisms are used for NAT translation on SOS. DIP is used for dynamic translations [you can translate over VPN or for normal internet access], VIP/MIP are used for incoming NAT translations.

If you are not hosting any server, also if you do not need any specific outbound NAT translations to be done for internet access, then you need not worry about these things at this time.
Setting interface in nat mode would take care of default PAT.

Thank you.
AndiBates (Author) commented:
Sorry but I should really have given more info here. My Bad.

We will be putting 4 servers behind the SSG

Exchange with RPC/HTTP
FTP server
and 2 Web Servers

The external WAN IPs need to be mapped across to static LAN IPs and only have the required parts open, and this is where the SSG gets quite confusing.

If you could give me one example then I can hopefully extrapolate into the others.

Again thanks
If you have 4 public IP addresses other than the one needed for the untrust interface, then you can create MIPs. A MIP gives you the flexibility to map internal machines 1-to-1 to external IPs.
If the IP addresses are less or if you wish to use one single IP for accessing multiple services, then create VIP.
Finally create a policy to allow the traffic inbound.

The CLIs would be:
set int e0/0 vip <public-ip-address> <port> <service> <internal-machine-ip>
set int e0/0 mip <public-ip-address> <internal-machine-ip>
set policy id x from untrust to trust any mip("ip-address") <service> permit
set policy id x from untrust to trust any vip("ip-address") <service> permit

Please let me know if you need more details.

Thank you.
AndiBates (Author) commented:
OK, we gave this a go last night and this was the outcome:

Vigor configured as shown and worked without issue. We set a PC up on the LAN with a WAN IP and this tested that the router was passing the IPs through without issue.

As for the SSG... well not quite so successful.

We configured the router so the eth0/1 untrust was in the same subnet as the Vigor's routed IPs and enabled NAT.

Created a MIP from a spare WAN IP to a known HTTP server within the LAN.
Created a Policy to allow HTTP from the spare WAN IP to the LAN IP
changed the LAN gateway to point at the LAN interface for the SSG

And nope, it didn't work.

Do we need to setup the VIP as well?
No, we would configure either VIP or MIP, not both; can you post a few sanitized logs from the device, which would help explain what happened.
For policy after disposition (accept/reject/deny) please put keyword "log" to enable logging.
You can view logs by:
get log
get log traffic

If nothing helps we would configure debug/snoop and figure out where the problem is.

Thank you.
AndiBates (Author) commented:
Well, we enabled logging on the policy in question but so far it hasn't logged a single line!

On that basis I figured the config file may help:

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset auto-route-export
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nJ+GH8rMGcCMcvcFgslN9iAtuACdXn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip
set interface ethernet0/0 nat
set interface bgroup0 ip
set interface bgroup0 nat
set interface ethernet0/0 gateway
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface "ethernet0/0" mip host netmask vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" ""
set address "Trust" ""
set address "Untrust" ""
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
set vrouter "trust-vr"
set url protocol websense

hope that is of use
AndiBates (Author) commented:
Sorry, forgot to add that we can connect to the .74 physical interface of the SSG from outside, so the Vigor is routing OK.
AndiBates (Author) commented:
I think i may have just spotted the problem.
I will come back tomorrow with an update
Please update on the results; in the config all policy definitions are missing, but so far the configuration looks good.

Please note that a less restrictive policy, or any policy which allows access, should be placed higher in the order in the configuration file than a more restrictive policy or one which denies/rejects access. The policies are applied from top to bottom.

Thank you.
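An added audit script (written for this page, not from the thread or from Juniper) that parses ScreenOS `set` lines in the MIP/VIP/policy syntax dpk_wal gives above and checks the points raised in the thread: every mapped address has an inbound policy, every policy references a defined MIP/VIP, every policy carries the `log` keyword so it shows in `get log traffic`, and no policy is shadowed by an earlier one, since policies are matched top to bottom. The sample config and addresses are constructed.

```python
import re

# Constructed sample ScreenOS config in the syntax shown in the thread
# (not the thread's real config; RFC 5737 documentation addresses).
SAMPLE_CONFIG = """
set interface ethernet0/0 nat
set interface bgroup0 nat
set interface "ethernet0/0" mip 203.0.113.74 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" vip 203.0.113.75 80 "HTTP" 192.168.1.20
set interface "ethernet0/0" mip 203.0.113.76 host 192.168.1.30 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(203.0.113.74)" "HTTP" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(203.0.113.74)" "HTTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "VIP(203.0.113.75)" "HTTP" permit
set policy id 4 from "Untrust" to "Trust" "Any" "MIP(203.0.113.99)" "FTP" permit log
"""

MIP_RE = re.compile(r'^set interface "?(\S+?)"? mip (\S+) host (\S+)')
VIP_RE = re.compile(r'^set interface "?(\S+?)"? vip (\S+) (\d+) "?([^" ]+)"? (\S+)')
POL_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
                    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)(\s+log)?')

def audit(config):
    """Return findings about MIP/VIP objects and the policies that reference them."""
    mapped, policies = {}, []          # "MIP(ip)"/"VIP(ip)" -> internal host; policy tuples
    for line in config.strip().splitlines():
        if m := MIP_RE.match(line):
            mapped["MIP(%s)" % m.group(2)] = m.group(3)
        elif m := VIP_RE.match(line):
            mapped["VIP(%s)" % m.group(2)] = m.group(5)
        elif m := POL_RE.match(line):
            pid, szone, dzone, src, dst, svc, action, log = m.groups()
            policies.append((pid, szone, dzone, src, dst, svc, action, bool(log)))
    findings = []
    referenced = {p[4] for p in policies}
    for name in mapped:                # a MIP/VIP with no policy is dropped by the default deny
        if name not in referenced:
            findings.append(f"{name} has no inbound policy; traffic will hit the default deny")
    for i, (pid, szone, dzone, src, dst, svc, _, logged) in enumerate(policies):
        if dst.startswith(("MIP(", "VIP(")) and dst not in mapped:
            findings.append(f"policy {pid} references undefined {dst}")
        if not logged:                 # without 'log' nothing shows up in 'get log traffic'
            findings.append(f"policy {pid} has no 'log' keyword")
        for epid, eszone, edzone, esrc, edst, esvc, _, _ in policies[:i]:
            # first match wins: an earlier policy with equal zones and equal-or-"Any"
            # source, destination and service means this one can never be reached
            if (eszone, edzone) == (szone, dzone) and all(
                    a in ("Any", b) for a, b in ((esrc, src), (edst, dst), (esvc, svc))):
                findings.append(f"policy {pid} is shadowed by earlier policy {epid}")
                break
    return findings
```

Run `audit()` over a `get config` dump saved to a file to get the same checks against a real box.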
AndiBates (Author) commented:
Sorry for the delay, but here is how we fixed it.

Basically we reset the firewall using the good old paper clip and started from scratch again. This time, though, with the router working 100%, the setup went flawlessly.

Amazing, isn't it, what a paper clip can do!

dpk_wal, I appreciate your feedback as it proved to me that I wasn't going mad and was really on the right track.

Thanks again.
Thank you for the appreciation and points! :)