Troubleshooting question

Wireless zone Juniper SSG5

elit2007 asked in Hardware Firewalls (9 comments, 1 solution, 2317 views)
I’m trying to add a new zone that can be used for wireless connections. This zone should only get access to the internet and not the “Trust” zone. First I added a new zone called “Wireless” and added it to the “trust-vr” virtual router. Then I released port 0/2 from the Trust zone and added it to the Wireless zone. I added an IP address to the 0/2 port, checked NAT and configured the DHCP server.
Lastly I added a policy to allow all traffic from the Wireless zone to the Untrust zone, and denied traffic between the Trust and Wireless zones.
My problem is that the traffic is blocked or not routed in the firewall. I can manage the firewall from the Wireless zone but I cannot reach the internet.
Please help!

set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "SIP" timeout 30
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "elit"
set admin password "nNXwCerJLVCNc2hDison"
set admin manager-ip 192.168.1.0 255.255.255.0
set admin manager-ip 192.168.2.0 255.255.255.0
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Wireless"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Wireless" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Wireless"
set interface "ethernet0/2" zone "Wireless"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip xxx.xxx.xxx.xxx/xx
set interface ethernet0/0 route
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway xxx.xxx.xxx.xxx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage web
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/2 dhcp server service
set interface ethernet0/2 dhcp server enable
set interface ethernet0/2 dhcp server option gateway 192.168.2.1 
set interface ethernet0/2 dhcp server option netmask 255.255.255.0 
set interface ethernet0/2 dhcp server option dns1 8.8.8.8 
set interface ethernet0/2 dhcp server ip 192.168.2.100 to 192.168.2.200 
unset interface ethernet0/2 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "Lokalt nett" 192.168.1.0 255.255.255.0
set address "Wireless" "Wireless" 192.168.2.0 255.255.255.0
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 3
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set policy id 16 from "Wireless" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 16
exit
set policy id 18 from "Wireless" to "Trust"  "Any" "Any" "ANY" deny 
set policy id 18
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
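An audit script for the kind of ScreenOS config dump posted above, added here as an example; it is not part of the question or of the accepted answer. It parses the flat "set ..." command list and reports the structural things a reviewer checks when a newly added zone cannot reach the internet: an explicit virtual-router binding for the zone, an addressed interface in NAT or route mode, a permit policy toward the internet zone and an explicit deny toward the inside zone. The embedded SAMPLE_CONFIG is a constructed, trimmed copy modeled on the dump, with the documentation prefix 198.51.100.0/30 standing in for the masked xxx.xxx.xxx.xxx WAN values; the names parse_config and audit_zone are my own. Run against the sample it reports one finding: the Wireless zone has no `set zone "Wireless" vrouter ...` line. That is also true of the dump as posted, where every other zone carries such a line binding it to trust-vr; the script only checks what the text of the config shows and cannot tell whether that is the actual cause.

```python
"""Audit a ScreenOS config dump for a newly added security zone.
Added example, not from the question or the accepted answer; parse_config,
audit_zone and SAMPLE_CONFIG are my own constructions."""
import re

# One regex per 'set ...' line type the audit needs; every other line is ignored.
ZONE_VR_RE = re.compile(r'^set zone "([^"]+)" vrouter "([^"]+)"')
ZONE_ID_RE = re.compile(r'^set zone id \d+ "([^"]+)"')
IFACE_ZONE_RE = re.compile(r'^set interface "?([^" ]+)"? zone "([^"]+)"')
IFACE_IP_RE = re.compile(r'^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)')
IFACE_MODE_RE = re.compile(r'^set interface (\S+) (nat|route)\s*$')
POLICY_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')

# Constructed sample modeled on the posted dump; 198.51.100.0/30 is a
# documentation prefix standing in for the masked xxx.xxx.xxx.xxx WAN values.
SAMPLE_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone id 100 "Wireless"
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Wireless"
set interface "ethernet0/2" zone "Wireless"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 198.51.100.2/30
set interface ethernet0/0 route
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway 198.51.100.1
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 16 from "Wireless" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 18 from "Wireless" to "Trust"  "Any" "Any" "ANY" deny
"""


def parse_config(text):
    """Reduce the flat command list to zone, interface and policy tables."""
    cfg = {"zones": set(), "zone_vr": {}, "iface_zone": {},
           "iface_ip": {}, "iface_mode": {}, "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_VR_RE.match(line):
            cfg["zones"].add(m.group(1))
            cfg["zone_vr"][m.group(1)] = m.group(2)
        elif m := ZONE_ID_RE.match(line):
            cfg["zones"].add(m.group(1))
        elif m := IFACE_ZONE_RE.match(line):
            cfg["iface_zone"][m.group(1)] = m.group(2)
        elif m := IFACE_IP_RE.match(line):
            cfg["iface_ip"][m.group(1)] = m.group(2)
        elif m := IFACE_MODE_RE.match(line):
            cfg["iface_mode"][m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            pid, src_z, dst_z, src, dst, svc, action = m.groups()
            cfg["policies"].append({"id": int(pid), "from": src_z, "to": dst_z,
                                    "src": src, "dst": dst, "svc": svc,
                                    "action": action})
    return cfg


def audit_zone(cfg, zone, internet_zone="Untrust", inside_zone="Trust"):
    """Return a list of findings for zone; an empty list means nothing obvious."""
    if zone not in cfg["zones"]:
        return [f"zone {zone} is not defined"]
    findings = []
    # The dump binds every other zone to a virtual router with an explicit line.
    if zone not in cfg["zone_vr"]:
        others = ", ".join(sorted(set(cfg["zone_vr"].values()))) or "none"
        findings.append(f"zone {zone} has no explicit vrouter binding "
                        f"(other zones bind to: {others})")
    ifaces = [i for i, z in cfg["iface_zone"].items() if z == zone]
    addressed = [i for i in ifaces if i in cfg["iface_ip"]]
    if not ifaces:
        findings.append(f"no interface is assigned to zone {zone}")
    elif not addressed:
        findings.append(f"no interface in zone {zone} has an IP address")
    for iface in addressed:
        # The dump sets nat or route mode on each addressed interface; flag one without it.
        if iface not in cfg["iface_mode"]:
            findings.append(f"{iface} has an IP but neither nat nor route mode")

    def has_policy(src, dst, action):
        return any(p["from"] == src and p["to"] == dst and p["action"] == action
                   for p in cfg["policies"])

    if not has_policy(zone, internet_zone, "permit"):
        findings.append(f"no permit policy from {zone} to {internet_zone}")
    if not has_policy(zone, inside_zone, "deny"):
        findings.append(f"no explicit deny policy from {zone} to {inside_zone}")
    if has_policy(zone, inside_zone, "permit"):
        # Policies are evaluated in list order, which a flat dump does not show.
        findings.append(f"a permit from {zone} to {inside_zone} exists; "
                        f"isolation then depends on policy order")
    return findings
```

Calling `audit_zone(parse_config(open("config.txt").read()), "Wireless")` on a saved `get config` output gives the same checks on a real dump. The last check reports a permit toward the inside zone rather than deciding whether it overrides the deny, because ScreenOS evaluates policies in list position rather than by id and a flat dump does not show that order reliably.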
Asker certified solution

Qlemo ("Batchelor", Developer and EE Topic Advisor, Germany) commented: