How to set up a NetScreen 5GT

I am running a web server using Apache for Windows.
The server has a software firewall.
I want to use the 5gt to block some annoying ip ranges.
The server is connected to a Comcast broadband modem.
I am able to connect to the 5gt using Hyperterminal.
I am on a static IP
My net settings are:
IP address 173.x.x.x, subnet mask 255.255.x.x, default gateway 173.x.x.x, primary DNS 68.x.x.x
Comcast shows my local settings as:
Gateway IP Address      10.x.x.x
Subnet Mask      255.255.x.x
DHCP Server      Enabled
IP Range (start)      10.x.x.x
IP Range (end)      10.x.x.x
I have read the 3 info manuals by Juniper and surfed the web.
Afraid to admit that I am still lost.
I want to go from Comcast modem to netscreen 5gt to web server.
Can I get some direction?
Thanks
Bob
Bobboz asked:
Sanga Collins (Systems Admin) commented:
OK, are you able to get to the web interface of the Juniper 5GT? This is usually the gateway IP of your local area network. This should simplify setting things up compared to using a console cable and the command line.

Let's start with that and take it from there :)
Bobboz (author) commented:
I reset the address on the 5gt to 10.1.10.60 earlier.
I do have a wireless network using 192.168.1.1 as a gateway.
The computer I am using to set this thing up is plugged into the wireless router.
When I connect to a modem port and a trusted port on the 5gt I can ping the address.
When I try to call it up in the browser it does not connect.
When I check the software firewall I do not see it being blocked.

Sanga Collins (Systems Admin) commented:
OK, since you have the console connection available, please post the results of the following commands:

get int trust
get admin manager-ip

You are looking for the line 'web enabled', and you will also need to have your LAN network in the manage IP list. (My LAN is 10.160.60.1 and it is on the list of allowed manage IPs: Mng Host IP: 10.160.0.0/255.255.0.0.)

ns5gt-wlan-> get int trust
Interface trust:
  description trust
  number 2, if_info 176, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 10.160.60.1/28   mac 0012.1eb3.4912
  *manage ip 10.160.60.1, mac 0012.1eb3.4912
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  DNS Proxy disabled, webauth enabled, webauth-ip 10.160.60.5
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace enabled
  PIM: not configured  IGMP not configured
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
              total allocated gbw 0kbps
  DHCP-Relay disabled
  DHCP-server enabled, status on.
Number of SW session: 2051, hw sess err cnt 0

ns5gt-wlan-> get admin manager-ip
Mng Host IP: 209.42.61.129/255.255.255.240
Mng Host IP: 192.168.16.0/255.255.255.0
Mng Host IP: 192.168.60.0/255.255.255.224
Mng Host IP: 192.168.50.1/255.255.255.0
Mng Host IP: 10.160.0.0/255.255.0.0
Mng Host IP: 70.88.37.89/255.255.255.248
Bobboz (author) commented:
Thanks for helping this lost soul.

ns5gt-> get int trust
Interface trust:
  number 2, if_info 176, if_index 0, mode nat
  link down, phy-link down
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  ip 10.1.10.60/24   mac 0010.db3e.7f22
  manage ip 0.0.0.0, mac 0010.db3e.7f22
  route-deny disable
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled
  bandwidth: physical 0kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps
  DHCP-Relay disabled
  DHCP-server enabled, status off.

ns5gt-> get admin manager-ip
No Mng Host IP is specified
Sanga Collins (Systems Admin) commented:
OK, according to the results you posted, there is nothing plugged into any of the LAN ports on the Juniper (link down, phy-link down on yours, while mine says link up, phy-link up/full-duplex), so you will not be able to manage this device by going to http://10.1.10.60/ until you plug your laptop/computer directly into any of the first 4 ports.

The ideal setup is Comcast plugged into the untrust port on the ns5gt. You may need to unplug the Comcast modem power for 5 minutes (it literally takes this long) to clear the stored MAC address of the last device connected to the modem. Then you plug a switch into port 1 of the ns5gt, and plug all your other devices into the switch.

If you do not have a switch, do not worry; ports 1 - 4 on the Juniper operate like a switch, so if you have a small setup you can usually get away with just plugging computers directly into these ports.

Once you have this set up and can surf the net, we can then talk about configuring security policies for your web server.

Getting close ... so don't give up. Once you get the basics you will realise that the 5GT is a very powerful yet simple firewall to use. :)
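The checks Sanga walks through above (link state, 'web enabled', the manage IP and the manager-ip list) can be scripted. This is an added example, not code from the thread or from Juniper: it parses the `get int trust` and `get admin manager-ip` outputs quoted earlier (embedded below as constructed samples copied from the posts) and reports why the WebUI may be unreachable, plus two hardening observations. It assumes the ScreenOS default that an empty manager-ip list means management is accepted from any host on an interface with management enabled.

```python
import ipaddress
import re

# Constructed samples copied from the two outputs posted in this thread,
# trimmed to the lines the checks below read.
BOB_INT_TRUST = """Interface trust:
  number 2, if_info 176, if_index 0, mode nat
  link down, phy-link down
  ip 10.1.10.60/24   mac 0010.db3e.7f22
  manage ip 0.0.0.0, mac 0010.db3e.7f22
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""
BOB_MANAGER_IP = "No Mng Host IP is specified\n"

SANGA_INT_TRUST = """Interface trust:
  link up, phy-link up/full-duplex
  *ip 10.160.60.1/28   mac 0012.1eb3.4912
  *manage ip 10.160.60.1, mac 0012.1eb3.4912
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""
SANGA_MANAGER_IP = """Mng Host IP: 192.168.16.0/255.255.255.0
Mng Host IP: 10.160.0.0/255.255.0.0
"""


def parse_int_trust(text):
    """Pull link state, interface IP, manage IP and the enabled/disabled flags out of 'get int trust'."""
    link = re.search(r"^\s*link (\w+), phy-link (\S+)", text, re.M)
    ip = re.search(r"^\s*\*?ip (\d+\.\d+\.\d+\.\d+)/(\d+)", text, re.M)
    mgmt = re.search(r"^\s*\*?manage ip (\S+),", text, re.M)
    # Every "<name> enabled|disabled" pair becomes a boolean keyed by lowercase name.
    flags = {n.lower(): s == "enabled"
             for n, s in re.findall(r"([A-Za-z-]+) (enabled|disabled)", text)}
    return {
        "link": link.group(1) if link else None,
        "ip": ip.group(1) if ip else None,
        "prefix": int(ip.group(2)) if ip else None,
        "manage_ip": mgmt.group(1) if mgmt else None,
        "flags": flags,
    }


def parse_manager_ips(text):
    """Turn 'Mng Host IP: a.b.c.d/mask' lines into networks; an empty list means no restriction."""
    return [ipaddress.ip_network(m, strict=False)
            for m in re.findall(r"Mng Host IP: (\S+)", text)]


def webui_findings(int_text, mgr_text, workstation):
    """Explain why http://<trust ip>/ may fail from 'workstation', plus hardening notes."""
    info = parse_int_trust(int_text)
    nets = parse_manager_ips(mgr_text)
    ws = ipaddress.ip_address(workstation)
    out = []
    if info["link"] != "up":
        out.append("link down: nothing is connected to a trust port, WebUI unreachable")
    if not info["flags"].get("web"):
        out.append("web management is disabled on trust")
    if nets and not any(ws in n for n in nets):
        out.append(f"{workstation} is not in the manager-ip list, admin access blocked")
    if not nets:
        out.append("no manager-ip restriction: any host on a managed interface may reach admin")
    if info["flags"].get("telnet"):
        out.append("telnet management is enabled (cleartext); prefer SSH and SSL only")
    return out
```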
Bobboz (author) commented:
Thanks for working so hard.
This is what I did.

ns5gt-> get int trust
Interface trust:
  number 2, if_info 176, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp client disabled
  PPPoE disabled
  ip 10.1.10.60/24   mac 0010.db3e.7f22
  manage ip 0.0.0.0, mac 0010.db3e.7f22
  route-deny disable
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps
  DHCP-Relay disabled
  DHCP-server enabled, status on.

I unplugged the Comcast modem.
I connected from the Comcast modem to the untrusted port.
I connected a workstation into a trusted port.
I used different configs for protocol:

IP address 10.1.10.51
subnet mask 255.x.x.x
default gateway 173.x.x.x
dns1 and dns2

IP address 10.1.10.51
subnet mask 255.x.x.x
default gateway 10.1.10.1
dns1 and dns2

I can ping 10.1.10.60
I was not able to browse.
There were no software firewall errors.

Thanks for hanging in there.
Bob
Sanga Collins (Systems Admin) commented:
OK, since 10.1.10.60 is the IP address of your trust interface, this is the gateway you need to configure on your workstation. Think of it as the rout

ip 10.1.10.51
subnet 255.255.255.0
default gateway: ip 10.1.10.60/24   mac 0010.db3e.7f22  #from above.

If you are going to use the whole 24-bit subnet, it's a good idea to make the gateway (the IP of the trust interface on the NetScreen) the first available IP, 10.1.10.1/24, or the last, 10.1.10.254/24.

You should at this point be able to put the gateway IP into your browser and bring up the management login.
Bobboz (author) commented:
OK-
I reset the 5gt.
I connected from the Comcast modem to untrusted port.
I connected workstation to trusted port.
I set workstation to obtain address auto.
I can now access the Rapid Deployment Wizard.

I am awaiting your instructions.
Thanks for being patient.
Bob
Sanga Collins (Systems Admin) commented:
Just saw your message. Give me a moment and I'll post the steps to set up the 5GT. One question though:

You said Comcast provided you with a static IP. Is this IP available to be configured on your router? Or is it configured on their modem, and their modem then hands out private IPs via its DHCP server to your internal network?

Bobboz (author) commented:
The settings for my web server connection are:
IP 173.12.201.137
subnet 255.255.255.252
gateway 173.12.201.138
dns 68.87.85.98
       68.87.69.146

The Comcast modem settings are:
Internet Settings
Gateway MAC Address       00:22:2D:51:B1:0C
WAN MAC Address       00:22:2D:51:B1:10
WAN DHCP IP Address       71.228.111.184
WAN DHCP Subnet Mask       0.0.0.0
WAN DHCP Default Gateway       0.0.0.0
WAN Internet IP Address       173.12.201.138
DNS (primary)       68.87.85.98
DNS (secondary)       68.87.69.146
DHCP Time Remaining       00h:00m:00s
Date       APR-28-2010
Static IP Block       173.12.201.138/30
Local Settings
Gateway IP Address       10.1.10.1
Subnet Mask       255.255.255.0
DHCP Server       Enabled
IP Range (start)       10.1.10.50
IP Range (end)       10.1.10.199

LAN IP Setup

The LAN section is the IP information distributed by the gateway to your local network (computers connected to your gateway).
LAN IP Settings
LAN Options
IP Address  10.1.10.1      
Subnet Mask 255.255.255.255.0      
Domain Suffix       wp.comcast.net
LAN DHCP
      x  Enable LAN DHCP
Lease Time 1 week      
DHCP Start IP 10.1.10.50      
DHCP End IP 10.1.10.99      
Manual DNS
      x  Assign DNS Manually
Primary DNS 68.87.85.98      
Secondary DNS 68.87.69.146

Firewall Options
      x  Disable Firewall for True Static IP Subnet Only
      x  Disable Gateway Smart Packet Detection
          Disable Ping on WAN Interface      
Sanga Collins (Systems Admin) commented:
OK, what you are going to have to do is take the static IP that you have on the web server and give that to the Juniper NetScreen. I hope you can afford to take it down for a short time while you reconfigure your network. (A subnet mask of 255.255.255.252 lets me know you only have 1 static IP.)

So following the rapid deployment wizard ...

1. Use the initial configuration wizard
2. Set your admin login and password
3. Leave port mode as 'trust/untrust'
4. Untrust zone should be set to static ip as follows

untrust zone interface ip: 173.12.201.137
netmask: 255.255.255.252
gateway: 173.12.201.138

5. trust zone interface ip: you should use a different ip than the LAN that comes from the comcast modem

ip: 10.2.10.1
netmask: 255.255.255.0 ---> gives you 10.2.10.2 up to 10.2.10.254 as usable ip's

6. Choose yes for DHCP server

IP address range start: 10.2.10.64 ----> this is what i use on my networks, you can make the range anything you want
IP address range end: 10.2.10.99
DNS server 1: 68.87.85.98
DNS server 2: 68.87.69.146


The Juniper will then list the config options (copy these to a text file for reference); then click Next and the device will reset and apply the new settings.

Once this is complete, you should be able to plug a computer into the juniper and surf the internet.
Sanga Collins (Systems Admin) commented:
The next step will be to change the IP address of the web server to a static IP on the NetScreen LAN. I like to use x.x.x.10 for Windows servers, so the IP address info for the web server will now be:

ip: 10.2.10.10
mask: 255.255.255.0
gateway: 10.2.10.1

From what you described before, it sounds like you have the SMC Comcast modem with 4 LAN ports. These will still be available to plug in computers and surf without going through the NetScreen firewall. Comes in handy when you want to get online but not be behind the firewall.

Once you have the server IP set up and can confirm that the web server can reach the internet, I will then describe how to configure a VIP (virtual IP) so that you can direct traffic to the web server through the NetScreen :)
Bobboz (author) commented:
You are really putting a lot of time into this.  Thanks

I connected from smc modem to untrust.
I connected web server to trust.
The web server can access the web but it cannot access my hosted web pages.
The web server cannot access 192.168.1.1
The wireless gateway is 192.168.1.1.  Should the 5gt address be changed?
I cannot access my hosted web pages from the wireless lan.
Bob
Sanga Collins (Systems Admin) commented:
OK, the wireless network I hadn't addressed in earlier posts, so we can tackle that portion now. How did you have it set up before? Is it a separate wireless router that you had connected to the modem? Seeing as you mentioned it had a LAN IP of 192.168.1.1, I would assume it is a separate device, but I don't want to get ahead of myself until you can confirm that.

Also, now that the Juniper is set up, let me know if you are able to get the management page by browsing to 10.2.10.1 from any computer plugged into the Juniper. We will need to use the WebUI to configure the external access to the web server, since using the command line can get complicated.
Bobboz (author) commented:
On a workstation:
I connected from comcast modem to untrusted on 5gt.
I connected workstation to trusted on 5gt.
Workstation is set to obtain IP automatically.
Using Google Chrome as a browser I can connect to 10.2.10.1.
The log on screen comes up.

I am using a netgear wireless router.
The router is connected to the Comcast SMC router.
1 work station and a printer are plugged into the router
2 laptops utilize the wireless connection.

Also, please make sure I know what to plug into the untrusted and the trusted.

I have reset my webserver to the old connections.  But, will reconnect with the settings you gave me.
I am not worried about the missed hits, just the mail.
Bob
Sanga Collins (Systems Admin) commented:
OK, if you want the Netgear to bypass the firewall it is fine to leave it connected to the Comcast modem directly. What you will need to do is finish setting up the NetScreen to use a VIP and forward HTTP/HTTPS traffic from untrust:173.12.201.137 to trust:10.2.10.10.

-- this will allow you to connect to the web server by the Comcast IP.

From the web server you will not be able to connect to 192.168.1.1 without doing some routing gymnastics. It is possible, but if you do not need to go from the web server to the Wi-Fi LAN then do not worry about that for now.

Please note that there might be other steps required to make sure your web server works after changing the IP from the Comcast IP to 10.2.10.10. I'm pretty sure it is not too complicated, but it also isn't my specialty.

I think i have a clear picture of how to set this up.

Comcast ---> give static ip to netscreen (untrust port)
Comcast ----> give DHCP to netgear

This will allow netgear and netscreen to connect to internet

netscreen ---> static ip to webserver (trust  port)
netgear ----> give dhcp to workstation, printers, and laptops

This will allow the web server to get to the internet and vice versa, and also allow all your other equipment to get to the internet and to get to the web server via the static IP from Comcast.
Bobboz (author) commented:
I am not worried about the netgear wireless.
The workstation plugged into 5gt seems to be working.
Internet works well.
Sanga Collins (Systems Admin) commented:
OK, we can leave the wireless until later. For now, log into the web interface of the NetScreen and do the following.

In the left-side menu tree, go to:

Configuration > Admin > Management
- Change the HTTP port to 8080 or 8888, then click Apply.
The reason for doing this is that you have a web server, probably using port 80, and the NetScreen management page is also on port 80; this will cause a conflict.
- After clicking Apply you may have to log back in to the WebUI using http://10.2.10.1:8080

Now you can start setting up the VIP by going to, in the menu tree:

Network > interfaces > click on 'Edit' for the untrust interface.

At the interface properties page, at the top click on VIP.

Check the box for 'same as the untrusted interface IP address', then click on Add.
You now have the Virtual IP set up; the next step is to point it to your web server.

In the top right, click on 'New VIP Service'. Leave the virtual IP as is, set the virtual port to 80, and set 'Map to Service' to 'HTTP (80)'.

Set the 'Map to IP' to the IP of the web server, 10.2.10.10; you can leave auto detection checked.

Click OK to go back to the VIP properties page. You should now see your VIP really start to take shape!

The next step is to set up a policy rule to allow the traffic to get to your web server. On the left-side menu tree click on Policies.

In the From drop-down list select untrust
In the To drop-down list select trust
On the far right click on New. This will start the creation of a policy from the untrust to the trust network.

Make the source address "ANY" (you want anyone on the web to be able to get to your web server)
Make the Destination address book entry "VIP(untrust)"; it's in the drop-down list.
Choose the service as HTTP and application as none.
Action should be "Permit"
And check the box for Logging

Finally click OK at the bottom. (Any option I didn't mention should stay at default, e.g. the tunnel option.)

Now you should be able to put in the static IP, or the domain name if you have one pointing to that IP, and see the webpage from your server :)



If you get stuck on any step, just post your questions. It seems daunting at first, but once you get the hang of it, it is actually very simple.

The next step will be configuring multiple services pointing to the web server. I noticed you mentioned email services earlier, so we can work on getting that going as well.


Bobboz (author) commented:
You have really earned your keep.
The webserver is running - IP 124.115.x.x is really trying to get in.
It is software blocked.

I believe that I am ready for the mail.
(You've done great!)

Now for the mailserver.
Bob
Sanga Collins (Systems Admin) commented:
OK, you didn't give many details of the mail server, so I am going to assume you want to forward port 25 (SMTP) to the mail server, and that the mail server is the same box as the web server.

The first thing you want to do is run the following from the command line. You can connect using the console cable or telnet to 10.2.10.1 and run the following:

set vip multi-port
save
reset

This command has to be run from the CLI and cannot be set from the web interface.
Sanga Collins (Systems Admin) commented:
OK, once your NetScreen is back up and running, what you need to do is follow the same steps that you used to create the initial VIP. If you go back to the VIP properties page for the untrust interface, you will notice that you can click on New VIP Service with virtual port 25, map to service SMTP (25), and put in the IP address of the target server, 10.2.10.10.

After that you can go back to the Policies page and either create a new policy just like the one for HTTP, or edit the existing policy and for the service selection choose "Multiple" and add multiple services to the list. I like the second method since it keeps the policy page clean of unnecessary clutter.

I recommend adding a 'default deny' policy as the last policy: basically source Any, destination Any, action Deny, logging on. This policy, being the last one on the list, will deny any traffic that does not match any of the policies above it, and will also log this traffic so you can see it for troubleshooting or sometimes just to satisfy curiosity :)
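The VIP and policy walkthrough above (HTTP first, then SMTP, then the trailing default-deny policy) can be checked in a small simulation of how the NetScreen evaluates an inbound connection. This is an added Python model, not ScreenOS code and not from the thread: it encodes the VIP mappings and the ordered Untrust-to-Trust policies described in this thread, applies first-match evaluation, and shows why the explicit default deny matters (unmatched traffic gets logged, where ScreenOS's implicit deny drops it silently) and why the WebUI HTTP port had to move off port 80. The `Policy` and `Netscreen` classes and the constructed source address 203.0.113.5 are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# ScreenOS predefined service names used in the thread's policies and their ports.
SERVICES = {"HTTP": 80, "MAIL": 25, "POP3": 110}


@dataclass
class Policy:
    src: str            # "Any" or a CIDR such as "192.168.1.0/24"
    dst: str            # "Any" or "VIP(untrust)"
    services: set       # e.g. {"HTTP", "MAIL"}; {"ANY"} matches every service
    action: str         # "permit" or "deny"
    log: bool = False


@dataclass
class Netscreen:
    untrust_ip: str
    vip: dict = field(default_factory=dict)       # virtual port -> (service, map-to IP)
    policies: list = field(default_factory=list)  # ordered Untrust -> Trust policies
    log: list = field(default_factory=list)       # (policy no, src, dst, port, action)

    def add_vip_service(self, virtual_port, service, map_to_ip):
        """'New VIP Service': a port on the untrust IP -> a service on an inside host."""
        self.vip[virtual_port] = (service, map_to_ip)

    def evaluate(self, src_ip, dst_ip, dst_port):
        """First matching policy wins; no match is ScreenOS's implicit, unlogged deny."""
        vip_hit = dst_ip == self.untrust_ip and dst_port in self.vip
        service = self.vip[dst_port][0] if vip_hit else None
        for number, p in enumerate(self.policies, 1):
            if p.src != "Any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.src):
                continue
            if p.dst == "VIP(untrust)" and not vip_hit:
                continue
            if "ANY" not in p.services and service not in p.services:
                continue
            if p.log:
                self.log.append((number, src_ip, dst_ip, dst_port, p.action))
            # A permitted VIP hit is translated to the mapped inside host and service port.
            target = (self.vip[dst_port][1], SERVICES[service]) if vip_hit and p.action == "permit" else None
            return p.action, target, number
        return "deny", None, None


def management_port_conflict(admin_http_port, ns):
    """True when the WebUI HTTP port collides with a VIP virtual port (why 80 -> 8080 above)."""
    return admin_http_port in ns.vip


def build_thread_config(default_deny=True):
    """The thread's end state: three VIP services, one permit policy each, optional default deny."""
    ns = Netscreen(untrust_ip="173.12.201.137")
    for service, port in SERVICES.items():
        ns.add_vip_service(port, service, "10.2.10.10")
    ns.policies = [Policy("Any", "VIP(untrust)", {s}, "permit", log=True) for s in SERVICES]
    if default_deny:
        ns.policies.append(Policy("Any", "Any", {"ANY"}, "deny", log=True))
    return ns
```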
Bobboz (author) commented:
You're doing GREAT!  Many, Many thanks

I played around a bit and added mail and pop3

ID  Source  Destination  Service
2   Any     VIP::1       HTTP
6   Any     VIP::1       MAIL
7   Any     VIP::1       POP3

THIS IS THE MAIL SCREEN:
Name (optional):
Source Address:       Address Book Entry  ANY
Destination Address:  Address Book Entry  VIP::1
Service:              MAIL
Application:          SMTP
Action:               PERMIT
Tunnel:               VPN  NONE
                      Modify matching bidirectional VPN policy
                      L2TP  NONE
Logging:              X

Things seem to be working.
Does this setup look ok to you?
Should I change it to your suggested way?
Bob
Sanga Collins (Systems Admin) commented:
I normally leave the application set to none. I'd have to check the docs to see what this option is used for, but as long as the service is correct then you shouldn't have any problems. Everything else looks great. Were you able to get all your services working? Let me know if there are any more minor issues.

BTW http://kb.juniper.net/index?page=home

is a good website to keep handy; they have a very good search function and plenty of FAQs/HowTos for all things Juniper. It is much easier than reading the actual Juniper docs, since I find those focus more on theory, whereas the docs on the site give you a more practical approach. (E.g. follow steps 1 - 8 to set up a route-based VPN.)

Bobboz (author) commented:
sangamc
You have made me one happy person.
Your knowledge, time spent and patience with me were exceptional.
I could not be more satisfied.

You said that you had another thing to look into.
I am brand new to your services.
Should I close out now or wait for you to come back.
Also, please explain this point system stuff.  I do not want to short change you!
Thanks again
Bob
Sanga Collins (Systems Admin) commented:
Oh ya, the application option when creating a policy I believe is another way to specify common applications that need several groups of ports. Instead of creating a custom service with several allowed ports for allowing AOL Instant Messenger traffic, you could instead just pick the AIM application from the list.

I am glad that you were able to get the whole setup working. I am always on Experts Exchange and even get notices if anyone asks a question with the word Juniper or NetScreen in it :) As far as points go, just pick the answer(s) that best solved your problem and choose "Accept Solution"; this will automatically award the points to the person that made that specific post. If you get multiple answers from multiple people, you can even divide points between each person depending on their contribution, 60%-40% for example.
Bobboz (author) commented:
Great help
Great patience
Great knowledge
Great followup