Solved

Juniper SSG5 firewall configuration issues....

Posted on 2009-05-08
Last Modified: 2012-05-06
I am supporting a small organization that just recently moved. We got our internet delivered today by XO and I'm trying to configure the firewall to connect. I'm not really sure what I'm doing, since this is my first time working on a Juniper device. I basically just left the old settings and plugged in the IP address that XO gave us under the interface list of ethernet0/0.
Gateway IP = 65.x.x.129
IP pool = 130-158
subnet = 255.255.255.224
I tried connecting my laptop directly to the XO router interface and gave it a static IP of 65.x.x.135, and that works fine. But when I disconnect it and plug in the firewall, none of the PCs are able to get to the internet.
Your help is greatly appreciated.

This is the config that I have right now.
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Paychex2500" protocol tcp src-port 1-65535 dst-port 2500-2500
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "***********"
set admin password "*******************************"
set admin mail alert
set admin mail server-name "10.10.10.10"
set admin mail mail-addr1 "info@gimiklive.com"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 65.x.x.129/27
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.0.1/24
set interface ethernet0/1 nat
set interface bgroup0 ip 10.10.10.1/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage snmp
set interface bgroup0 manage mtrace
set interface "ethernet0/0" mip 140.239.92.40 host 10.10.10.10 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "10.10.10.0/24" 10.10.10.0 255.255.255.0
set address "Trust" "10.10.10.201/255.255.255.0" 10.10.10.201 255.255.255.0
set address "Untrust" "10.10.10.201/255.255.255.0" 10.10.10.201 255.255.255.0
set address "Untrust" "10.10.101.0/24" 10.10.101.0 255.255.255.0
set address "Untrust" "10.10.102.0/24" 10.10.102.0 255.255.255.0
set user "michael" uid 1
set user "michael" ike-id fqdn "mp-vpn" share-limit 1
set user "michael" type  auth ike
set user "michael" password "3eDjho09NAewensVWyCZIohJuGnkqJFUdQ=="
set user "michael" "enable"
set ike gateway "taylor's gateway" address 0.0.0.0 id "taylor.vasthorizons.us" Aggr outgoing-interface "ethernet0/0" preshare "B0toAZnBNoa/o0sguDCN/a/oDVn+4Q+0dQ==" proposal "pre-g2-3des-sha"
unset ike gateway "taylor's gateway" nat-traversal
set ike gateway "Ginger's Gateway" address 0.0.0.0 id "ginger.vasthorizons.us" Aggr outgoing-interface "ethernet0/0" preshare "ems9hTEeNqnYDwshwZCnjceriRn9vNsAFg==" proposal "pre-g2-3des-sha"
unset ike gateway "Ginger's Gateway" nat-traversal
set ike gateway "mp-vpn" dialup "michael" Aggr outgoing-interface "ethernet0/0" preshare "RDBx+Xi3N0uxOjsUntCO0afXbxnaTcGvYA==" proposal "pre-g2-3des-sha" "pre-g2-aes128-sha"
set ike gateway "mp-vpn" nat-traversal udp-checksum
set ike gateway "mp-vpn" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "taylor's vpn" gateway "taylor's gateway" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "Ginger's VPN" gateway "Ginger's Gateway" replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set url protocol websense
exit
set vpn "taylor's vpn" proxy-id local-ip 10.10.10.0/24 remote-ip 10.10.102.0/24 "ANY"
set vpn "Ginger's VPN" proxy-id local-ip 10.10.10.0/24 remote-ip 10.10.101.0/24 "ANY"
set policy id 5 from "Untrust" to "Trust"  "10.10.101.0/24" "10.10.10.0/24" "ANY" tunnel vpn "Ginger's VPN" id 2 pair-policy 4 log
set policy id 5
set log session-init
exit
set policy id 4 from "Trust" to "Untrust"  "10.10.10.0/24" "10.10.101.0/24" "ANY" tunnel vpn "Ginger's VPN" id 2 pair-policy 5 log
set policy id 4
set log session-init
exit
set policy id 3 from "Untrust" to "Trust"  "10.10.102.0/24" "10.10.10.0/24" "ANY" tunnel vpn "taylor's vpn" id 1 pair-policy 2 log
set policy id 3
set log session-init
exit
set policy id 2 from "Trust" to "Untrust"  "10.10.10.0/24" "10.10.102.0/24" "ANY" tunnel vpn "taylor's vpn" id 1 pair-policy 3 log
set policy id 2
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 6 from "Untrust" to "Trust"  "Any" "MIP(140.239.92.40)" "GRE" permit log
set policy id 6
set service "HTTP"
set service "HTTPS"
set service "PPTP"
set service "SMTP"
exit
unset log module system level alert destination email
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp community "vastsnmpro" Read-Only Trap-off  version v1
set snmp host "vastsnmpro" 209.31.29.32 255.255.255.224 src-interface ethernet0/0
set snmp location "Vast Horizons - HQ"
set snmp name "ssg5-v92.domain.us"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Question by:oykits
7 Comments
 

Expert Comment

by:Sanga Collins
ID: 24342377
Since you are using static IPs, it looks like you are missing the default route:

set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface <WAN interface> gateway <gateway IP from ISP>
 

Expert Comment

by:Qlemo
ID: 24342950
That line is wrong:
set interface ethernet0/0 ip 65.x.x.129/27

The .129 address is the gateway itself (the router); you will have to use another address from your pool, such as .130, for eth0/0, otherwise the firewall and the router conflict over the same IP address.
And the default route has to be defined, as already said, with:

set route 0.0.0.0/0 int eth0/0 gateway 65.x.x.129
 

Author Comment

by:oykits
ID: 24351573
I will give this a shot tomorrow and will follow up as soon as I have implemented it. Thanks for your quick response!

 

Author Comment

by:oykits
ID: 24366608
OK, I feel like an idiot... but where do I enter this in the GUI? I can't find any place to enter the gateway. I attached a screenshot of it. Thanks!
20090512094922.jpg
 

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 24366736
If you go to Network > Routing > Destination Routing Entries,

create a new route in your trust-vr (button on the top right) with the following:

IP Address/Netmask 0.0.0.0 / 0
Next Hop: Gateway
Interface : untrust (or whatever your WAN interface is)
Gateway IP Address 65.107.32.129

This will create the default route that lets you reach the internet.

 

Author Closing Comment

by:oykits
ID: 31579684
Thanks a lot! I'm good to go!
 

Expert Comment

by:Qlemo
ID: 24369734
Did you correct the IP address of eth0/0, too?
