Juniper NetScreen 5GT configuration question

Asked by Edward van Nijmweegen:
Hello,

I'm having the following issue.
I received the following info from my provider:
a WAN IP address: 87.213.225.42/30
a default gateway: 87.213.225.41/30
subnet: 255.255.255.252

Then a range of IP numbers I can use for my firewall:
87.213.232.79-87.213.232.84, /29 subnet

Now I have to configure my NetScreen with the above information so that my internal LAN on the 10.0.92.0 network can connect to the internet via an existing proxy server on 10.0.92.11. Also, mail should come in via this NetScreen and be sent on to 10.0.92.2.

Is there someone who can please urgently help me out with this?

I've attached the config file from my NetScreen, with all relevant info.

Thanks a lot.

Edward


set clock timezone 1
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "******"
set admin user "administrator" password "*****" privilege "all"
set admin scs password disable username administrator
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.0.92.11/24
set interface trust nat
set interface untrust ip 87.213.225.42/30
set interface untrust route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set flow tcp-mss
set hostname ns5gt
set dns host dns1 62.58.62.132
set dns host dns2 62.58.94.130
set address "Trust" "Exchange server" 10.0.92.2 255.255.255.255
set address "Trust" "Netwerk" 10.0.92.0 255.255.255.0
set address "Untrust" "edgekaart" 10.0.92.9 255.255.255.255
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 name "VPN rule" from "Untrust" to "Trust"  "Dial-Up VPN" "Netwerk" "ANY" nat src tunnel vpn "VPN_Verhoeven" id 1 log count 
set policy id 3 name "E-mail" from "Untrust" to "Trust"  "Any" "MIP(87.213.225.41)" "MAIL" permit 
set policy id 4 from "Untrust" to "Trust"  "edgekaart" "Netwerk" "ANY" permit 
set policy id 4 disable
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp community "public" Read-Write Trap-on  traffic version any
set snmp host "public" 10.0.92.11 255.255.255.255 trap v2
set snmp name "ns5gt"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit

Commented:
First you want to configure the untrust interface with the first usable static IP and subnet mask. The second step would be to go to destination-based routing and add the default route from 0.0.0.0/0 to the default gateway provided to you by your ISP. Then create a policy from trust to untrust, source any, destination any, service any.
This will take care of making sure you can route traffic from your LAN to the internet.

To allow mail traffic to come from the internet into your LAN to your server, on the untrust interface you want to configure a MIP (mapped IP). Choose one of your unused public IP addresses and use that to map to the mail server. After you have created the MIP you then need to create a policy from untrust to trust with source any, destination the MIP you created, and the service allowed (SMTP/POP/IMAP etc.).

This is the general overview of what you need to do. If you have specific questions about any step, please post and I can go into more detail.
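The procedure in the answer above, written out as annotated ScreenOS CLI. This is an added example, not commands from the original thread or from Juniper documentation. It reuses the addresses posted in the question; the MIP address 87.213.232.80 (picked from the range the provider listed) and the assumption that the provider routes that block towards 87.213.225.42 are mine. One check worth making against the posted config: its policy 3 references MIP(87.213.225.41), which is the provider's default gateway rather than an address this firewall owns, and no matching `set interface untrust mip` line appears in the config at all.

```text
# Annotated ScreenOS CLI. Lines starting with "#" are notes, not commands.

# 1. Untrust interface: the WAN address from the provider, in route mode.
set interface untrust ip 87.213.225.42/30
set interface untrust route

# 2. Default route in trust-vr towards the provider gateway. The posted
#    config has "unset add-default-route" in trust-vr, so the route must
#    be entered explicitly.
set route 0.0.0.0/0 interface untrust gateway 87.213.225.41

# 3. Trust interface in NAT mode (LAN sources are translated to the untrust
#    address on the way out) plus the outbound policy.
set interface trust ip 10.0.92.11/24
set interface trust nat
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

# 4. MIP: one unused public address mapped 1:1 to the Exchange server.
#    ASSUMPTION: 87.213.232.80 is free and the provider routes the /29
#    block to 87.213.225.42. The MIP must be an address the provider
#    delivers here, not the provider's own gateway (87.213.225.41).
set interface untrust mip 87.213.232.80 host 10.0.92.2 netmask 255.255.255.255 vr trust-vr

# 5. Inbound policy: only the mail service to the MIP, logged. Keep the
#    service as narrow as the server actually needs rather than "ANY".
set policy id 3 name "E-mail" from "Untrust" to "Trust" "Any" "MIP(87.213.232.80)" "MAIL" permit log

save

# Verification after saving.
get route
get interface untrust
get mip
get policy
```

The `save` is required on ScreenOS or the change is lost at the next reboot; `get route` should show the 0.0.0.0/0 entry via 87.213.225.41, and `get mip` the 87.213.232.80 to 10.0.92.2 mapping. If the provider has not actually routed the /29 block to 87.213.225.42, the MIP will never see traffic, which is the situation described in the follow-up below.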
Edward van Nijmweegen (ICT employee, Author) commented:
I miss the part where you use the range of IP addresses 87.213.232.79 to 87.213.232.84 with the /29 subnet.

It seems that the gateway of my provider only accepts traffic from one of these IPs and not only just from 87.213.225.42/30.
So I think I have to forward all my LAN traffic to 87.213.232.79, from there via 87.213.225.42/30 to 87.213.225.41/30 and then to the internet.
I already can ping 87.213.225.42 and .41 from my router, but that is all.

Any more ideas?

Thanks,

Edward
It isn't supposed to be like that. Talk to your provider; maybe they haven't done their end completely?

Cheers,
rsivanandan
Edward van Nijmweegen (ICT employee, Author) commented:
After some discussion with my provider, I now got it to work in the following way:
I now have a trusted / non-trusted network and I can access the internet. My VPN connections go to 87.213.225.42. At this moment incoming mail also goes via this IP address, so I need a kind of port forwarding so that all traffic on 87.213.225.42 on port 25 will be forwarded to my Exchange server on 10.0.92.2.

How can i do this?

Thanks,

Edward
set vip multi-port

set interface untrust vip interface-ip 25 "MAIL" 10.0.92.2

Then put in the policy as below:

set policy id 5 from "Untrust" to "Trust" "Any" "VIP(87.213.225.42)" "MAIL" permit log

Cheers,
rsivanandan
Edward van Nijmweegen (ICT employee, Author) commented:
@rsivanandan

Still not working. :-((

I did the modification you described.

I've included the configuration as it is now, including your remarks.

Any suggestions?

Thanks a lot.

Edward
set clock timezone 1
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "************"
set admin user "administrator" password "**************" privilege "all"
set admin scs password disable username administrator
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
set zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 10.0.92.11/24
set interface trust nat
set interface untrust ip 87.213.225.42/30
set interface untrust route
set interface untrust gateway 87.213.225.41
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust vip untrust 25 "MAIL" 10.0.92.2
set flow tcp-mss
set hostname ns5gt
set dns host dns1 62.58.62.132
set dns host dns2 62.58.94.130
set address "Trust" "Exchange server" 10.0.92.2 255.255.255.255
set address "Trust" "Netwerk" 10.0.92.0 255.255.255.0
set address "Untrust" "edgekaart" 10.0.92.9 255.255.255.255
set address "Untrust" "ExterneMail" 87.213.225.41 255.255.255.252 "Created for Exchange"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 5 name "ExchangeMail" from "Untrust" to "Trust"  "ExterneMail" "VIP::1" "MAIL" permit log 
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 name "VPN rule" from "Untrust" to "Trust"  "Dial-Up VPN" "Netwerk" "ANY" nat src tunnel vpn "VPN_Verhoeven" id 1 log count 
set policy id 4 from "Untrust" to "Trust"  "edgekaart" "Netwerk" "ANY" permit 
set policy id 4 disable
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit


Edward van Nijmweegen (ICT employee, Author) commented:
I also receive the following error in my alarms:
level: crit
Description: VIP server 10.0.92.2 cannot be contacted

That also doesn't look good, or am I wrong?

Thanks,

Edward

Commented:
"ExterneMail": what are the IP addresses that are members of this group?
> set policy id 5 name "ExchangeMail" from "Untrust" to "Trust"  "ExterneMail" "VIP::1" "MAIL" permit log

The policy is wrong.

"ExterneMail" points only to 10.0.92.2, and we want traffic from the internet to hit the VIP, right?

So modify it as below:

set policy id 5 name "ExchangeMail" from "Untrust" to "Trust" "Any" "VIP::1" "MAIL" permit log

Cheers,
rsivanandan
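The VIP (port-forwarding) approach from rsivanandan's two replies above, collected into one annotated ScreenOS CLI fragment with the faulty policy from the posted config beside the corrected one. This is an added example, not the thread's own commands. It keeps the names from the posted config ("MAIL", "VIP::1", "ExterneMail"); the `manual` keyword on the vip line is an option I add for the health-check alarm the author reported, and the `unset policy id 5` assumes the old policy with that id is still present.

```text
# Annotated ScreenOS CLI. Lines starting with "#" are notes, not commands.

# Allow more than one port to be mapped on the same VIP address.
set vip multi-port

# Forward TCP/25 arriving on the untrust interface's own address
# (87.213.225.42) to the Exchange server. "interface-ip" binds the VIP to
# the interface address; "MAIL" is the predefined SMTP service used in the
# posted config. The port and the service must agree.
set interface untrust vip interface-ip 25 "MAIL" 10.0.92.2

# The alarm "VIP server 10.0.92.2 cannot be contacted" comes from the
# firewall's automatic probe of the mapped host. If the server is in fact
# reachable on 10.0.92.2:25 from the trust interface and the probe still
# fails, the trailing "manual" keyword disables that server detection:
# set interface untrust vip interface-ip 25 "MAIL" 10.0.92.2 manual

# WRONG (from the posted config): the source is the address object
# "ExterneMail" = 87.213.225.41/30, i.e. the provider's gateway subnet.
# No sender on the Internet can ever match that source, so the policy is
# never hit:
# set policy id 5 name "ExchangeMail" from "Untrust" to "Trust" "ExterneMail" "VIP::1" "MAIL" permit log

# CORRECTED: any Internet source, destination the VIP on the interface
# address, only the mail service, logged.
unset policy id 5
set policy id 5 name "ExchangeMail" from "Untrust" to "Trust" "Any" "VIP::1" "MAIL" permit log

save

# Verification.
get vip
get policy id 5
get log traffic policy 5
```

After `save`, `get vip` should list the 25/MAIL mapping to 10.0.92.2, and `get log traffic policy 5` will show hits once an outside host connects to 87.213.225.42:25. Two other lines in the posted config are worth revisiting while in there: the untrust interface is marked `ip manageable`, and SNMP uses the Read-Write community "public"; limiting management to the trust side and replacing that community is a cheap hardening step for an Internet-facing address.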
Edward van Nijmweegen (ICT employee, Author) commented:
THANKS A MILLION !!!!!!!!!!!!

This worked perfectly for me.

Edward
:-) Edward is a happy man now... :-)

Glad to help you man.

Cheers,
rsivanandan
