Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SSG5 with VPN and Remote Desktop

Posted on 2009-06-29
7
Medium Priority
?
1,219 Views
Last Modified: 2012-05-07
Hi,
I have a Juniper SSG5. I just setup a successful VPN from my laptop. Now, I need to setup remote desktop to my Windows 2008 Servers. I had that working before the SSG5 install. So, I assume that I need to allow the VPN connection to connect to the servers. I have the VPN policy going from Untrust to Trust. So, I thought that should give me unlimited access. But, I guess not. Do I have to create another policy or object since the firewall has no idea what my internal server IPs are?

Thanks :)
0
Comment
Question by:wn411
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 24740626
Are you trying to connect to the internal, ie private address of the server?

Can you flesh this out a bit with example address please?
0
 

Author Comment

by:wn411
ID: 24741818
Yes, I am going from an external address to internal address. My plan is connect via VPN (that is working) then fire up remote desktop on my laptop, enter the private IP (or computer name) and connect :) From studying my book and docs, looks like I will need to create an object and a policy?
0
 
LVL 18

Accepted Solution

by:
deimark earned 2000 total points
ID: 24742938
Are you connecting using a remote access P{ON, ie do you use Netscreen Remote on your laptop to connect to the SSG?  Or are you goin through a site to site VPN using a firewall where your laptoop is?

If its remote access, then yes, you will need a policy to allow the access.

If its a site to site VPN, then normally, you would need a policy to allow the traffic, but you can get round that in other ways

I would create 2 objects, 1 for your laptop and 1 for your server.
Create a rule where your laptop can access the server on RDP.
and test

Make sure you enable logging on the rules tho, it will give us somewhere to look if this does not work initially

HTH
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 

Author Comment

by:wn411
ID: 24743861
Yes, I am using Netscreen Remote and connecting to the firewall via VPN. There is no firewall at my location accept for my home router and ZoneAlarm.

OK, thanks. I will try that today :)
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 24776468
If your VPN policy is allowing any source to any destination with any service, you do not have any restriction. Your VPN client IP however might not be known by the office network, as you need to define an own VPN network. If SSG isn't office default gateway, it will not work, unless you set a route on the target PCs for VPN network passing SSG.
0
 

Author Comment

by:wn411
ID: 24789568
Still working on it...
0
 

Author Comment

by:wn411
ID: 24791569
OK, here is what I have below. I tried so many things, I lost track. So I removed them all. What I have working is the VPN connection.

What I am trying to do is:
1)Connect via VPN
2)RDP to an internal IP being used by the server.

The VPN is to 10.0.0.1
Server #1 is plugged into Interface 0/1, Server #2 is plugged into 0/2
The internal server IPs start @ 10.0.0.2. So, I am trying to get RDP working with Server #1 10.0.0.2.
I assume that once I VPN, I should have access to all IPs in the 10.0.0.1/24 space?

Step 2 is killing me, lol. Sanitized config below:

set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ADMINNAMEHERE"
set admin password "PASSWORDHERE"
set admin access attempts 5
set admin http redirect
set admin auth web timeout 30
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip XXX.XXX.XX.194/24
set interface ethernet0/0 route
set interface bgroup0 ip 10.0.0.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway XXX.XXX.XX.193
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
unset interface ethernet0/0 g-arp
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage web
set interface bgroup0 manage mtrace
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname XXXX_ssg5_XXXX
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 XXX.XXX.XX.18
set dns host dns2 XXX.XXX.XX.11
set dns host dns3 0.0.0.0
set dns host schedule 06:28 interval 12
set address "Trust" "Internal Net" 10.0.0.1 255.255.255.0
set user "ABC1" uid 2
set user "ABC1" ike-id u-fqdn "ABC1@domain.com" share-limit 1
set user "ABC1" type ike
set user "ABC1" "enable"
set ike gateway "ABCGateway1" dialup "ABC1" Aggr outgoing-interface "ethernet0/0" preshare "KEY" sec-level standard
unset ike gateway "ABCGateway1" nat-traversal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "ABCVPN1" gateway "ABCGateway1" no-replay tunnel idletime 0 sec-level standard
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "ABCVPN1" id 0x7
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ssl encrypt 3des sha-1
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month13 days, 12 hours left to enroll

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question