Solved

Multiple Internet Gateways Interfaces Routing+VPN on Juniper SSG5

Posted on 2009-05-17
4,010 Views
Last Modified: 2012-05-07
Hello!

I have been having a real hard time trying to setup a Juniper SSG5 Firewall device. I need to set it up for the company I work - a multimedia agency.
I need to say I am new to Juniper routers - and routing in general, so maybe the terminology I will use won't be very accurate.

Well, I had already set up an SSG5 some time ago to use two (dynamic IP) cable internet connections [[ethernet0/0 & ethernet0/6]] on a fail-safe basis to route to our main network - 192.168.2.0 [[bgroup0 = ethernet0/2]].

We have recently acquired a Mac Pro with OS X Leopard Server [[192.168.2.2]] to run some services such as Open (Active) Directory, DNS and a file versioning server, and it works very well on our internal network.
- Our first requirement is to open up VPN access so that we can securely access our file sharing services outside our network.

Secondly, aside from the two cable internet connections we already have, we have signed up for two more - so that we can securely publish live footage to the internet in real time. One of them is a fiber optic link (1Mbps U/D) [[ethernet 0/5]], and the other one a radio link (512 Kbps U/D) [[ethernet 0/4]]. Both of them have static IPs.

- We want to make another fail-safe configuration for a second network [[ethernet0/3]] that will be connected only to our studio equipment, which will publish the content directly to the internet.

- And lastly (finally!), we want to take advantage of the static IP of our fiber optic link (we actually have 4 static IP addresses on this link) to make it our VPN address, and maybe use it as the address of our server, to use it as a mail server as well. The first thing that comes to my mind is a DMZ, but I don't even know how a DMZ setup really works [[ethernet0/1]].

I am sending our current config. As you can see the bgroup has the ethernet0/3 also, as I haven't been able to correctly setup the ethernet0/3 yet.
current config:
 
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "aragorn"
set admin password "xxx"
set admin auth timeout 10
set admin auth server "Local"
set admin privilege read-write
set admin format dos
 
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/5" zone "Untrust"
set interface "ethernet0/6" zone "Untrust"
set interface "wireless0/0" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port wireless0/1
unset interface vlan1 ip
set interface ethernet0/0 ip 201.e0.e0.181/22
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.7.1/24
set interface ethernet0/1 nat
set interface ethernet0/4 ip 201.e4.e4.10/29
set interface ethernet0/4 route
set interface ethernet0/5 ip 201.e5.e5.66/29
set interface ethernet0/5 route
set interface ethernet0/6 ip 201.e6.e6.88/20
set interface ethernet0/6 route
set interface bgroup0 ip 192.168.2.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/5 manage-ip 201.e5.e5.67
set interface ethernet0/4 manage-ip 201.e4.e4.11
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/5 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 backup interface ethernet0/6 type tunnel-if
set interface ethernet0/0 dhcp client enable
set interface ethernet0/6 dhcp client enable
unset interface ethernet0/6 dhcp client settings update-dhcpserver
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 192.168.2.1 
set interface bgroup0 dhcp server option netmask 255.255.255.0 
set interface bgroup0 dhcp server option domainname ajato.com.br 
set interface bgroup0 dhcp server option dns1 192.168.2.2 
set interface bgroup0 dhcp server option dns2 200.162.194.244 
set interface bgroup0 dhcp server option wins1 192.168.2.2 
set interface bgroup0 dhcp server ip 192.168.2.150 to 192.168.2.220 
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain gondor.c***ti.com
set hostname ssg5
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 192.168.2.2 src-interface bgroup0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set monitor cpu 100
set global-pro policy-manager primary outgoing-interface ethernet0/0
set global-pro policy-manager secondary outgoing-interface ethernet0/0
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set wlan 0 channel auto
set wlan 1 channel auto
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set source-routing enable
unset add-default-route
set route source 192.168.7.1/24 interface ethernet0/1 gateway 227.66 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Question by:waneck
4 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 24410838
Phoooh, that's a lot of stuff. Let's consider one after another.

VPN
Your options are many. It depends on the remote side - mobile clients, corporate clients, Windows or Mac. If the Juniper should serve as VPN gateway (recommended!), you will either need a (IPSec) VPN client to be installed on each computer which should have access, or use a VPN router and site-2-site tunneling. With Mac, the client options are rare.
We need more info here.

Fail-safe configuration with eth0/3
I do not know what you mean exactly. Do you want to hardwire eth0/3 with eth0/4 & eth0/5 in a fail-safe configuration, i.e. if eth0/5 is not available, use eth0/4, but only for the studio equipment?

Static IPs/Public Services
I would recommend putting public services into the DMZ zone. That requires that the corresponding server is in its own network segment, isolated from all other traffic, and plugged into a separate eth of the SSG. You will have to define policies from Untrust to DMZ, DMZ to Trust, and Trust to DMZ according to the services you use, to have traffic flowing.

Why DMZ? Software flaws can be used to obtain access to the network for malicious code. If DMZ can't access important services on Trust, the harm is strongly restricted. Without DMZ, it could be more critical, e.g. infecting other PCs via network shares.

You should use one IP for mail and other public available services (or even another one for the latter).

VPN should have its own IP - that way, you can easily drill down into what service is used. And it's less likely hacking attempts are applied. Not of high importance, IPSec on SSG is secure.

0
 

Author Comment

by:waneck
ID: 24415541
Qlemo:
I kindly thank you for your comment! It has helped me structure the problem in a better way!

Fail-safe configuration on eth0/3:
Yes!! You understood it correctly! My main doubt is in regard to how can I configure this setup on the SSG5? I know how to make eth0/3 act as another DHCP server, give it another subnet address, define eth0/5 as a backup interface of eth0/4 but I can't seem to figure out how to configure where will they route to. By default, they seem to route to bgroup0. Should I define another vrouter for them? I have tried, but wasn't successful at all. (Many solutions come to my mind. Is it by source routing? Hasn't worked either. But still, I might not have been able to correctly configure this)

This problem extends to the static services, because it still is a source routing/vrouter/whatever configuration, and what really changes is that I don't know how to have multiple IPs (e.g. 201.e5.e5.66 for the studio, 201.e5.e5.67 for VPN AND 201.e5.e5.68 for the mail server) coming out of a single ethernet interface. Is that possible on ScreenOS?

I'm sorry to have written so many questions in only one. It's my first Experts Exchange question. I guess we could leave the VPN & DMZ-specific questions for another question, then! : )

Thank you very much!
Waneck
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 24416947
Agreed on the VPN part, we can consider that later in another question.

Let's have a look on routing. I do not know how the SSG5 is structured internally with that bgroup0 thing, but I know about interface based routing.
In WebUI, Routing, choose Source Interface Routing,
choose eth0/3,
create a new default route (0.0.0.0/0) for eth0/3 using interface eth0/5 as gateway,
and again with eth0/4 and lower preference or higher metric, whatever you like best.

Of course you need to set up IP addresses for all interfaces, and assign them to Trust (eth0/3) and Untrust (eth0/4, eth0/5) respectively.

You could use your own zones (if you are able to add two with the SSG5), but then you have to create policies for them. If you want to secure it with your own policies, this is one track to follow (another one is normal Trust-Untrust policies based on the IP addresses).

As you have asked for it: vrouters are needed to separate routing domains, which is useful if you have dynamic routing protocols like OSPF or RIP (aaaarggh), and want to separate the routes gotten for one interface from those from others.


Next point, multiple static IPs. Yes, it's possible and called MIP. You define them on the interface, and create a 1:1 mapping to an internal address. You will need to create a policy Untrust to Trust, with MIP as source address and the internal network as destination, and service restrictions as you like.



0
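The accepted answer describes two things in words: source interface routing so that whatever arrives on eth0/3 leaves via eth0/5 with eth0/4 as fallback, and a MIP that exposes one of the static addresses as a 1:1 mapping to an internal host, fenced by policies. What follows is an added ScreenOS CLI example written for this page; it is not from the thread, from the questioner's config or from Juniper, and it uses the questioner's obfuscated address notation. Assumptions: 192.168.3.0/24 for the studio segment on ethernet0/3, 192.168.7.10 as a mail host in the DMZ segment already on ethernet0/1, ISP next-hops 201.e5.e5.65 and 201.e4.e4.9 as placeholders, policy ids 10 to 14, and route selection by metric (lower wins) instead of preference so the ordering is unambiguous. Lines beginning with `#` are annotations, not CLI, and must be dropped before pasting. In ScreenOS the MIP appears as the destination address of the inbound policy, and interface tracking is what makes the fallback route take over when the primary link loses its next-hop rather than only when the cable is unplugged. The DMZ policies also illustrate the first comment's point about keeping the DMZ host from reaching Trust.

```screenos
# --- 1. Studio segment: take ethernet0/3 out of bgroup0 and give it its own subnet (assumed 192.168.3.0/24)
unset interface bgroup0 port ethernet0/3
set interface ethernet0/3 zone Trust
set interface ethernet0/3 ip 192.168.3.1/24
set interface ethernet0/3 nat
set interface ethernet0/3 dhcp server service
set interface ethernet0/3 dhcp server option gateway 192.168.3.1
set interface ethernet0/3 dhcp server option netmask 255.255.255.0
set interface ethernet0/3 dhcp server ip 192.168.3.100 to 192.168.3.150
set interface ethernet0/3 dhcp server enable

# --- 2. The radio link was never bound to a zone in the posted config; both static uplinks belong in Untrust
set interface ethernet0/4 zone Untrust

# --- 3. Track each uplink's next-hop so a dead link withdraws its route (next-hop values are placeholders)
set interface ethernet0/5 monitor track-ip ip 201.e5.e5.65
set interface ethernet0/5 monitor track-ip
set interface ethernet0/4 monitor track-ip ip 201.e4.e4.9
set interface ethernet0/4 monitor track-ip

# --- 4. Source interface based routing in trust-vr: default route keyed on the *ingress* interface
set vrouter trust-vr
set sibr-routing enable
# fibre first (metric 1), radio only when the fibre route is gone (metric 2)
set route source in-interface ethernet0/3 0.0.0.0/0 interface ethernet0/5 gateway 201.e5.e5.65 metric 1
set route source in-interface ethernet0/3 0.0.0.0/0 interface ethernet0/4 gateway 201.e4.e4.9 metric 2
exit

# --- 5. MIP: public 201.e5.e5.68 on the fibre interface maps 1:1 to the assumed mail host in the DMZ
set address "DMZ" "mailhost" 192.168.7.10 255.255.255.255
set address "Trust" "osx-server" 192.168.2.2 255.255.255.255
set interface ethernet0/5 mip 201.e5.e5.68 host 192.168.7.10 netmask 255.255.255.255 vr trust-vr

# --- 6. Policies: the MIP is the destination of the inbound rule; only the offered services are allowed
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(201.e5.e5.68)" "SMTP" permit log
set policy id 11 from "Untrust" to "DMZ" "Any" "MIP(201.e5.e5.68)" "HTTPS" permit log
# outbound mail delivery from the DMZ host
set policy id 12 from "DMZ" to "Untrust" "mailhost" "Any" "SMTP" permit log
# the DMZ host may reach exactly one internal service (DNS on the OS X server) and nothing else on Trust
set policy id 13 from "DMZ" to "Trust" "mailhost" "osx-server" "DNS" permit
set policy id 14 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
```

Studio traffic is still covered by the existing policy id 1 (Trust to Untrust, Any); since ethernet0/3 stays in Trust, the only thing that changes for it is the route lookup, which with SIBR enabled is consulted before the destination-based table. Policy 14 is what makes the DMZ worth having: a compromised mail host can log traffic attempts toward Trust but cannot reach the file shares on 192.168.2.0/24.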