Solved

Draytek 2820 & Juniper SSG6

Posted on 2009-04-05
Last Modified: 2012-05-06
Hi Experts,

We are trying to use the Draytek Vigor to pass an external range of 8 ISP-assigned IPs through so the SSG5 can deal with the security side of things and NAT, rather than the Vigor.

So far, no matter what we try, only the WAN interface IP gets forwarded for some reason. Draytek support told me it can be done, but they are only there to deal with faulty equipment (nice eh).

This may be either the router or the firewall being misconfigured, but as I am not even 5% sure which, I figured you guys would know how to set this one up.

If you are wondering why the SSG is being used as a firewall rather than just using the Vigor... it is a compliance thing with the company involved and I can't change it.

If you could give the correct settings for the router and how to setup the SSG5 I would be most grateful.

Andi
Question by:AndiBates
Expert Comment by:dpk_wal
Please have a look at the link below which helps with configuring multiple IP addresses behind vigor:
http://www.draytek.co.uk/support/kb_vigor_2ndsubnet.html#disablenat

For SSG5, I think the setup is as below:

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

If this is the case, then console in to the device (or, if you are already on the network, use the WebUI) and configure the following at the CLI:
set int eth0/0 zone untrust
set int eth0/0 ip <public-ip>/<netmask>
set route 0.0.0.0/0 int eth0/0 gateway <gateway-ip-as-given-by-isp>

This would get things going.

Thank you.
Author Comment by:AndiBates
Thanks for the reply,

Could you go into more depth on the second part though?

Internet----Vigor-----[{eth0/0- untrust}---SSG5-----{bgroup2---trust}]

This is indeed how we intend to go, but with the SSG doing the NAT and port opening for 4 WAN IPs.

I am getting totally confused with VIP MIP DIP etc and could really do with some help here


thanks
Expert Comment by:dpk_wal
Configure bgroup2 in nat mode:
set interface bgroup0 nat

DIP - dynamic IP; VIP - virtual IP; MIP - managed IP
The above three mechanisms are used for NAT translation on ScreenOS. DIP is used for dynamic translations [you can translate over VPN or for normal internet access]; VIP/MIP are used for incoming NAT translations.

If you are not hosting any server, also if you do not need any specific outbound NAT translations to be done for internet access, then you need not worry about these things at this time.
Setting interface in nat mode would take care of default PAT.

Thank you.
Author Comment by:AndiBates
Sorry but I should really have given more info here. My Bad.

We will be putting 4 servers behind the SSG

Exchange with RPC/HTTP
FTP server
and 2 Web Servers

The external WAN IPs need to be mapped across to static LAN IPs and only have the required parts open, and this is where the SSG gets quite confusing.

If you could give me one example then I can hopefully extrapolate into the others.

Again thanks
Expert Comment by:dpk_wal
If you have 4 public IP addresses other than one needed for untrust interface, then you can create MIP. MIP gives you the flexibility to 1-1 map internal machines to external IP.
If you have fewer IP addresses, or if you wish to use one single IP for accessing multiple services, then create a VIP.
Finally create a policy to allow the traffic inbound.

The CLIs would be:
set int e0/0 vip <public-ip-address> <port> <service> <internal-machine-ip>
set int e0/0 mip <public-ip-address> <internal-machine-ip>
set policy id x from untrust to trust any mip("ip-address") <service> permit
set policy id x from untrust to trust any vip("ip-address") <service> permit

Please let me know if you need more details.

Thank you.
Author Comment by:AndiBates
Ok, we gave this a go last night and this was the outcome

Vigor configured as shown and worked without issue. We set a PC up on the LAN with a WAN IP and this tested the router was passing the IP's through without issue.

As for the SSG... well not quite so successful.

We configured the router so the eth0/1 untrust was in the same subnet as the Vigor's routed IPs and enabled NAT.

Created a MIP from a spare WAN IP to a known HTTP server within the LAN.
Created a Policy to allow HTTP from the spare WAN IP to the LAN IP
changed the LAN gateway to point at the LAN interface for the SSG

And nope, it didn't work.

Do we need to setup the VIP as well?
Expert Comment by:dpk_wal
No, we would configure either VIP or MIP, not both; can you post a few sanitized logs from the device, which would help explain what happened.
For policy after disposition (accept/reject/deny) please put keyword "log" to enable logging.
You can view logs by:
get log
get log traffic

If nothing helps we would configure debug/snoop and figure out where the problem is.

Thank you.
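As an added example (not posted in the thread) of the logging and debug sequence dpk_wal describes, the ScreenOS CLI run below assumes the MIP from the poster's config (85.xxx.xxx.75 to 192.168.1.151), a policy id of 10, and a test client at 203.0.113.10 (a placeholder from the TEST-NET-3 documentation range). Lines starting with # are annotations, not ScreenOS syntax.

```text
# Constructed troubleshooting run (assumed addresses and policy id, see lead-in).

# 1. Confirm the inbound policy carries "log", then look at the order the box evaluates
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(85.xxx.xxx.75)" "HTTP" permit log
get policy from untrust to trust

# 2. From 203.0.113.10, browse to http://85.xxx.xxx.75/ and check for a log entry and a session
get log traffic policy 10
get session src-ip 203.0.113.10

# 3. Nothing logged and no session means the packet never matched the policy.
#    Trace the flow for that one conversation only (ffilter keeps the buffer readable):
clear dbuf
set ffilter src-ip 203.0.113.10 dst-ip 85.xxx.xxx.75
debug flow basic
# ... repeat the test from 203.0.113.10, then stop and read the trace:
undebug all
get dbuf stream
unset ffilter
```

The flow trace shows, per packet, the interface it arrived on, the route lookup, the policy lookup and any MIP translation, so whichever of those steps is missing or points the wrong way is the one to fix. Leave debugging on only for the duration of the test: the dbuf fills quickly on a busy Untrust interface.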
Author Comment by:AndiBates
Well, we enabled logging on the policy in question, but so far it hasn't logged a single line!

on that basis I figured the config file may help

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nJ+GH8rMGcCMcvcFgslN9iAtuACdXn"
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 85.xxx.xxx.74/29
set interface ethernet0/0 nat
set interface bgroup0 ip 192.168.1.4/24
set interface bgroup0 nat
set interface ethernet0/0 gateway 85.xxx.xxx.73
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface "ethernet0/0" mip 85.xxx.xxx.75 host 192.168.1.151 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "192.168.1.150/32" 192.168.1.150 255.255.255.255
set address "Trust" "192.168.1.151/24" 192.168.1.151 255.255.255.0
set address "Untrust" "85.xxx.xxx.75/29" 85.xxx.xxx.75 255.255.255.248
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit


hope that is of use
Author Comment by:AndiBates
sorry forgot to add that we can connect to the .74 physical interface of the SSG from outside so the vigor is routing OK
Author Comment by:AndiBates
I think i may have just spotted the problem.
 
I will come back tomorrow with an update
Accepted Solution by:dpk_wal (earned 500 total points)
Please update with the results; in the config all policy definitions are missing, but so far the configuration looks good.

Please note that a less restrictive policy, or any policy which allows access, should be placed higher in the order in the configuration file than a more restrictive policy or one which denies/rejects access. The policies are applied from top to bottom.

Thank you.
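The fragment below is an added example, not something posted in the thread, that pulls the MIP-versus-VIP advice earlier in the thread and the policy-ordering point above into one ScreenOS CLI configuration for the four servers the poster listed. The public addresses are placeholders patterned on the poster's sanitized ones (85.x.x.72/29, Vigor at .73, SSG ethernet0/0 at .74, leaving .75 to .78 for the servers); which internal host gets which public IP, and which service each needs (Exchange RPC over HTTP runs on HTTPS), are assumptions. Lines starting with # are annotations, not ScreenOS syntax, so strip them before pasting. In ScreenOS a MIP is a mapped IP: a fixed one-to-one translation that also applies to the server's own outbound traffic. It assumes the Vigor has been set up per the Draytek KB link to route the /29 to the SSG with the Vigor's own NAT disabled for that range.

```text
# Interfaces: only the inside interface needs NAT mode; the Untrust-zone interface stays in route mode
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 85.x.x.74/29
set interface ethernet0/0 route
set interface bgroup0 zone Trust
set interface bgroup0 ip 192.168.1.4/24
set interface bgroup0 nat
set route 0.0.0.0/0 interface ethernet0/0 gateway 85.x.x.73

# Do not expose plain-HTTP management on the public interface (the posted config enables it)
unset interface ethernet0/0 manage web

# One MIP per public address, 1:1 to the internal host (assumed host-to-IP assignments)
set interface ethernet0/0 mip 85.x.x.75 host 192.168.1.151 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 85.x.x.76 host 192.168.1.152 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 85.x.x.77 host 192.168.1.153 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 85.x.x.78 host 192.168.1.154 netmask 255.255.255.255 vr trust-vr

# Inbound: one policy per server, only the service it needs, each logged.
# Specific permits first; the explicit deny goes last so it cannot shadow them.
set policy id 10 from "Untrust" to "Trust" "Any" "MIP(85.x.x.75)" "HTTP" permit log
set policy id 11 from "Untrust" to "Trust" "Any" "MIP(85.x.x.76)" "HTTP" permit log
set policy id 12 from "Untrust" to "Trust" "Any" "MIP(85.x.x.77)" "FTP" permit log
set policy id 13 from "Untrust" to "Trust" "Any" "MIP(85.x.x.78)" "HTTPS" permit log
# Logged catch-all deny so dropped probes are visible in 'get log traffic'
set policy id 19 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log

# Outbound from the LAN: bgroup0 in NAT mode PATs behind .74; MIP hosts leave as their MIP
set policy id 20 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
```

Check the evaluation order with `get policy from untrust to trust`; if the deny ended up above a permit, fix it with `set policy move 19 after 13` rather than re-creating policies. The predefined FTP service engages the FTP ALG, which is what lets the data channel through the MIP without opening a port range. Using VIP instead of MIP only makes sense if the four services had to share a single public address.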
Author Comment by:AndiBates
sorry for the delay but here is how we fixed it

Basically we reset the firewall using the good old paper clip and started from scratch again. This time though, with the router working 100%, the setup went flawlessly.

Amazing, isn't it, what a paper clip can do!

dpk_wal, I appreciate your feedback as it proved to me that I wasn't going mad and was really on the right track.

thanks again
Expert Comment by:dpk_wal
Thank you for the appreciation and points! :)