Juniper NetScreen 5GT configuration question

first you want to configure the untrust interface with the first usable static IP and subnet mask. The second step would be to go to destination based routing and add the default route from 0.0.0.0/0 to the default gateway provided to you by your ISP. The create a policy from trust to untrust, source any, dest any service any.
This will take care of making sure you can route traffice from your LAN to the internet.

To allow mail traffic to come from the internet into your lan to your server. On the untrust interface you want to configure a MIP (mapped ip). Choose one of your un-used public ip addresses and use that to map to the mail server. after you have created the MIP you then need to create a policy from untrust to trust with source any, destination: the MIP you created and service allowed (SMTP/pop/IMAP ...etc)

This is the general over view of what you need to do. if you have specific questions about any step please post. and i can go into more detail.

http://rsivanandan.com/Data/10Juniper.pdf

Cheers,
rsivanandan

I miss the part where you use range off ip addresses 87.213.232.79 to 87.213.232.84 with /29 subnet.

It seems that the gateway of my provider only accepts traffice from one of these ip's and not ony just from 87.213.225.42/30.
So i think i have to forward all my LAN traffic to 87.213.232.79, from there via 87.213.225.42/30 to 87.213.225.41/30 and the to the internet.
I already can ping 87.213.225.42 and .41 from my router, but that is all.

Any more ideas?

Thanks,

Edward

It ain't be supposed to be like that. Talk to your provider, may be they haven't done their end completely?

Cheers,
rsivanandan

After some discussion with my provider, i now got it to work on the following way:
I know have a truseted / non-trusted network and i can access the internet now. My VPN connections to the 87.213.225.42. At this moment incomming mail goes also via this IP adres, so i need to a kind of port forwarding so that all traffic on 87.213.225.42 on port 25 will be forwarded to my exchange server on 10.0.92.2.

How can i do this?

Thanks,

Edward

set vip multi-port

set interface untrust vip 87.213.225.42 25 10.0.92.2 25

Then put in the policy as below;


Set policy id 5 from untrust to trust any vip(87.213.225.42) 25 permit log

Cheers,
rsivanandan

@rsivanandan

Still does not working.  :-((

I did the modification you described.

I included the configuration as it is now, including your remarks.

Any suggestions?

Thanks a lot.

Edward

set clock timezone 1
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "************"
set admin user "administrator" password "**************" privilege "all"
set admin scs password disable username administrator
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.0.92.11/24
set interface trust nat
set interface untrust ip 87.213.225.42/30
set interface untrust route
set interface untrust gateway 87.213.225.41
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust vip untrust 25 "MAIL" 10.0.92.2
set flow tcp-mss
set hostname ns5gt
set dns host dns1 62.58.62.132
set dns host dns2 62.58.94.130
set address "Trust" "Exchange server" 10.0.92.2 255.255.255.255
set address "Trust" "Netwerk" 10.0.92.0 255.255.255.0
set address "Untrust" "edgekaart" 10.0.92.9 255.255.255.255
set address "Untrust" "ExterneMail" 87.213.225.41 255.255.255.252 "Created for Exchange"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 5 name "ExchangeMail" from "Untrust" to "Trust"  "ExterneMail" "VIP::1" "MAIL" permit log 
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 name "VPN rule" from "Untrust" to "Trust"  "Dial-Up VPN" "Netwerk" "ANY" nat src tunnel vpn "VPN_Verhoeven" id 1 log count 
set policy id 4 from "Untrust" to "Trust"  "edgekaart" "Netwerk" "ANY" permit 
set policy id 4 disable
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Select allOpen in new window

I also receive the following error on my alarms:
level: crit
Description: VIP server 10.0.92.2 cannot be contacted

That also doesn't look good, or am i wrong ?

Thanks,

Edward

"ExterneMail" what are the ip addresses that are memebers of this group?

THANKS A MILLION !!!!!!!!!!!!

This worked perfect for me.

Edward

:-) Edward is a happy man now... :-)

Glad to help you man.

Cheers,
rsivanandan