Solved

Juniper SSG 20 Configuration Question

Posted on 2009-05-07
1,744 Views
Last Modified: 2012-05-06
I was wondering if it were possible to configure the SSG 20 we currently have to only filter Web Traffic from our satellite offices and to ignore traffic coming from our corporate office?

We have a MPLS cloud so all six satellite offices come through Corp for INET access
Corp 172.x.1.0
(satellite 1) 172.x.2.0
(satellite 2) 172.x.3.0
etc..

Is it as simple as creating an Address Group, (Satellite Group), with the 172.x.2.0 - 7.0 addresses, then creating a policy Trust to Untrust with source addy (Satellite Group) destination addy (Any) and applying the filter to only this policy, or am I way off?

Best Regards,
John
Question by:Pe12f3cT_d12uG
6 Comments
 
LVL 2

Expert Comment

by:arcaex
ID: 24329452
Is that SSG running Websense?
 
LVL 2

Expert Comment

by:arcaex
ID: 24329488
Sorry about that..I typed too soon. Disregard previous.

Try this:

In order to limit URL filtering/blocking from a particular direction of traffic flow, (from a source interface to a destination interface), the following CLI command can be entered to allow the Netscreen to restrict the Websense server from performing URL filtering/blocking in this direction.

set url no-block <src-int> <des-int> [Enter]
Example: Assume you want URL blocking to be performed on the trust zone, but not have URL blocking performed on the DMZ zone:

set url no-block Untrust DMZ [Enter]

Link here:
http://kb.juniper.net/index?page=content&id=KB5786&actp=search&searchid=1241723524632
 

Author Comment

by:Pe12f3cT_d12uG
ID: 24329710
Yep, running the integrated web filtering on the SSG 20.  That is close to what I need Arcaex, however I would like to keep everyone in the trust zone but only apply the filtering to the 2.0, 3.0, 4.0 etc. subnets.

This is our current network

172.x.2.0-----|ADTRAN|
172.x.3.0-----|ADTRAN|====>ADTRAN|---172.x.1.0--->SSG20--->ADTRAN Router (t1) to Internet
172.x.4.0-----|ADTRAN|
Is it possible to apply the filter to only the traffic from 2.0-7.0 while keeping everyone in the trust zone using a policy setting, or is this impossible?  Thanks again for the quick response.

John

 
LVL 2

Accepted Solution

by:arcaex (earned 500 total points)
ID: 24329976
Do you have Junipers at the satellite offices or are you simply using an MPLS router with VPN?

My initial thought would be simply to create a policy from the trusted subnet to the untrusted interface and only allow what services you need. You can remove standard services or customized ones. 80 would certainly be one you will have.

Actually, look at your outgoing policy for that subnet. I assume it's ANY-ANY. Can you just remove your ANY-ANY and pick specific services?

I'll keep looking at mine.

 

Author Comment

by:Pe12f3cT_d12uG
ID: 24330229
Nope, I removed the SSG5s we were using at each of the satellite offices by request of Deltacom, so I only have the 20 in place.  Indeed the current Policy is Any-Any. I was wondering if I could just change the policy to look like this.

First, under "Objects" -> "Addresses"->  "Groups" -> New.  Create an address group named Satellite Group.  Add the 172.x.2.0 through 172.x.7.0 subnets to this group.  Remove the Any - Any policy and add two new policies that look like this.

Satellite Address Group - 80  (integrated filter applied to this policy)

Corp(172.x.1.0) - 80  (integrated filter not applied to this policy).

Still kind of fuzzy on this and not sure if I am making sense, also not sure if the Juniper 20 "knows" the other subnets are there since the VPN policies between the SSG5s and SSG 20 were all removed.

Thanks again Arcaex
 
LVL 2

Expert Comment

by:arcaex
ID: 24330309
I'm not sure having the old VPN matters. If you were in the same building and you wanted different subnets, you wouldn't even need VPN obviously. What the box does know is that each interface is designated to a specific setting; e.g. 0/0 could be trust, 0/1 could be eth1, 0/2 could be eth two and one of your subnets and then 0/3 could be your final subnet.

You must have outgoing policies for each subnet. If so you can apply whatever filter you want on that source through the edit button. Then choose whatever policy you stated above. So yes you should be able to do exactly what you stated. You can just either do it in a 'global' fashion or on a single level like I stated.
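The address-group-plus-two-policies layout John sketches above, written out as ScreenOS CLI. This is an added example, not from the thread or Juniper's KB article: the second octet X, the Trust-side interface name and the ADTRAN next-hop address are placeholders, lines starting with # are annotations rather than ScreenOS syntax, and it assumes the integrated web filtering is already enabled on the box (as John says it is).

```screenos
# Added example. Replace X with your real second octet, and the interface
# and next-hop values with the ones on your SSG 20.

# Address objects for the corp subnet and each satellite subnet (all in Trust)
set address Trust "Corp"  172.X.1.0 255.255.255.0
set address Trust "Sat-2" 172.X.2.0 255.255.255.0
set address Trust "Sat-3" 172.X.3.0 255.255.255.0
set address Trust "Sat-4" 172.X.4.0 255.255.255.0
set address Trust "Sat-5" 172.X.5.0 255.255.255.0
set address Trust "Sat-6" 172.X.6.0 255.255.255.0
set address Trust "Sat-7" 172.X.7.0 255.255.255.0

# One group so a single policy covers every satellite office
set group address Trust "Satellite Group"
set group address Trust "Satellite Group" add "Sat-2"
set group address Trust "Satellite Group" add "Sat-3"
set group address Trust "Satellite Group" add "Sat-4"
set group address Trust "Satellite Group" add "Sat-5"
set group address Trust "Satellite Group" add "Sat-6"
set group address Trust "Satellite Group" add "Sat-7"

# How the SSG "knows" the satellite subnets: it needs a route back to each
# one via the corp-side ADTRAN. Assumed next hop 172.X.1.254 on the
# Trust-side interface ethernet0/2 (placeholders). Without these, replies
# to 172.X.2.0-7.0 have no path even though the policy matches the request.
set route 172.X.2.0/24 interface ethernet0/2 gateway 172.X.1.254
set route 172.X.3.0/24 interface ethernet0/2 gateway 172.X.1.254
set route 172.X.4.0/24 interface ethernet0/2 gateway 172.X.1.254
set route 172.X.5.0/24 interface ethernet0/2 gateway 172.X.1.254
set route 172.X.6.0/24 interface ethernet0/2 gateway 172.X.1.254
set route 172.X.7.0/24 interface ethernet0/2 gateway 172.X.1.254

# Policies match top-down on first hit, so drop the Any-Any catch-all first
# (unset policy id <old-id>), otherwise it keeps winning and nothing is filtered.
# Satellite web traffic: permit HTTP with the integrated URL filter on
set policy id 10 from Trust to Untrust "Satellite Group" Any HTTP permit url-filter
# Corp web traffic: permit HTTP, no filter
set policy id 11 from Trust to Untrust "Corp" Any HTTP permit
# Anything else leaving Trust now falls through to the default deny.

# Verify what landed
get group address Trust "Satellite Group"
get policy id 10
```

Because each policy carries its own url-filter flag, the filter is scoped by source address alone and both subnets stay in the Trust zone, which is exactly the per-policy approach arcaex describes.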