Solved

SSG5 with VPN and Remote Desktop

Posted on 2009-06-29
7
1,184 Views
Last Modified: 2012-05-07
Hi,
I have a Juniper SSG5. I just setup a successful VPN from my laptop. Now, I need to setup remote desktop to my Windows 2008 Servers. I had that working before the SSG5 install. So, I assume that I need to allow the VPN connection to connect to the servers. I have the VPN policy going from Untrust to Trust. So, I thought that should give me unlimited access. But, I guess not. Do I have to create another policy or object since the firewall has no idea what my internal server IPs are?

Thanks :)
0
Comment
Question by:wn411
  • 4
  • 2
7 Comments
 
LVL 18

Expert Comment

by:deimark
Comment Utility
Are you trying to connect to the internal, ie private address of the server?

Can you flesh this out a bit with example address please?
0
 

Author Comment

by:wn411
Comment Utility
Yes, I am going from an external address to internal address. My plan is connect via VPN (that is working) then fire up remote desktop on my laptop, enter the private IP (or computer name) and connect :) From studying my book and docs, looks like I will need to create an object and a policy?
0
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
Comment Utility
Are you connecting using a remote access P{ON, ie do you use Netscreen Remote on your laptop to connect to the SSG?  Or are you goin through a site to site VPN using a firewall where your laptoop is?

If its remote access, then yes, you will need a policy to allow the access.

If its a site to site VPN, then normally, you would need a policy to allow the traffic, but you can get round that in other ways

I would create 2 objects, 1 for your laptop and 1 for your server.
Create a rule where your laptop can access the server on RDP.
and test

Make sure you enable logging on the rules tho, it will give us somewhere to look if this does not work initially

HTH
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:wn411
Comment Utility
Yes, I am using Netscreen Remote and connecting to the firewall via VPN. There is no firewall at my location accept for my home router and ZoneAlarm.

OK, thanks. I will try that today :)
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
If your VPN policy is allowing any source to any destination with any service, you do not have any restriction. Your VPN client IP however might not be known by the office network, as you need to define an own VPN network. If SSG isn't office default gateway, it will not work, unless you set a route on the target PCs for VPN network passing SSG.
0
 

Author Comment

by:wn411
Comment Utility
Still working on it...
0
 

Author Comment

by:wn411
Comment Utility
OK, here is what I have below. I tried so many things, I lost track. So I removed them all. What I have working is the VPN connection.

What I am trying to do is:
1)Connect via VPN
2)RDP to an internal IP being used by the server.

The VPN is to 10.0.0.1
Server #1 is plugged into Interface 0/1, Server #2 is plugged into 0/2
The internal server IPs start @ 10.0.0.2. So, I am trying to get RDP working with Server #1 10.0.0.2.
I assume that once I VPN, I should have access to all IPs in the 10.0.0.1/24 space?

Step 2 is killing me, lol. Sanitized config below:

set clock timezone -5
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "ADMINNAMEHERE"
set admin password "PASSWORDHERE"
set admin access attempts 5
set admin http redirect
set admin auth web timeout 30
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip XXX.XXX.XX.194/24
set interface ethernet0/0 route
set interface bgroup0 ip 10.0.0.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway XXX.XXX.XX.193
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
unset interface ethernet0/0 g-arp
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage snmp
unset interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage web
set interface bgroup0 manage mtrace
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname XXXX_ssg5_XXXX
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 XXX.XXX.XX.18
set dns host dns2 XXX.XXX.XX.11
set dns host dns3 0.0.0.0
set dns host schedule 06:28 interval 12
set address "Trust" "Internal Net" 10.0.0.1 255.255.255.0
set user "ABC1" uid 2
set user "ABC1" ike-id u-fqdn "ABC1@domain.com" share-limit 1
set user "ABC1" type ike
set user "ABC1" "enable"
set ike gateway "ABCGateway1" dialup "ABC1" Aggr outgoing-interface "ethernet0/0" preshare "KEY" sec-level standard
unset ike gateway "ABCGateway1" nat-traversal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "ABCVPN1" gateway "ABCGateway1" no-replay tunnel idletime 0 sec-level standard
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Dial-Up VPN" "Internal Net" "ANY" tunnel vpn "ABCVPN1" id 0x7
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ssl encrypt 3des sha-1
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now