Wireless zone Juniper SSG5

elit2007
I’m trying to add a new zone that can be used for wireless connection. This zone should only get access to internet and not the “Trust” zone. First I added a new zone called “Wireless” and added it to the “trust-vr” virtual router. Then I released port 0/2 from the Trust zone and added it to the Wireless zone. I added an IP address to the 0/2 port, checked NAT and configured DHCP server.
Last I added a policy to allow all traffic from the Wireless zone to the Untrust zone, and denied traffic between Trust and Wireless zone.
My problem is that the traffic is blocked or not routed in the firewall. I can manage the firewall from the Wireless zone but I cannot reach the internet.
Please help!

set clock timezone 1
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "SIP" timeout 30
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "elit"
set admin password "nNXwCerJLVCNc2hDison"
set admin manager-ip 192.168.1.0 255.255.255.0
set admin manager-ip 192.168.2.0 255.255.255.0
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Wireless"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Wireless" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Wireless"
set interface "ethernet0/2" zone "Wireless"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip xxx.xxx.xxx.xxx/xx
set interface ethernet0/0 route
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway xxx.xxx.xxx.xxx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface ethernet0/2 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage web
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/2 dhcp server service
set interface ethernet0/2 dhcp server enable
set interface ethernet0/2 dhcp server option gateway 192.168.2.1 
set interface ethernet0/2 dhcp server option netmask 255.255.255.0 
set interface ethernet0/2 dhcp server option dns1 8.8.8.8 
set interface ethernet0/2 dhcp server ip 192.168.2.100 to 192.168.2.200 
unset interface ethernet0/2 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "Lokalt nett" 192.168.1.0 255.255.255.0
set address "Wireless" "Wireless" 192.168.2.0 255.255.255.0
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 3
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 1
exit
set policy id 16 from "Wireless" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 16
exit
set policy id 18 from "Wireless" to "Trust"  "Any" "Any" "ANY" deny 
set policy id 18
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


Author

Commented:
When I enable policy-based NAT the Wireless zone can access internet.
Now I’m just wondering if this is the right way to do it or just a workaround?
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Yes, it is. Interface NAT works only with Trust to Untrust, not with custom zones (see http://kb.juniper.net/InfoCenter/index?page=content&id=KB4106). So policy-based NAT is the correct way to do it.

Commented:
I agree that (missing) NAT in the policy could be your issue.

You could verify this by checking the logs of policy id 16,
or just go into the advanced tab of policy 16 and tick 'source nat' and use interface IP as the option.

cheers,
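The two replies above make the same point: on ScreenOS, interface-based NAT on a NAT-mode interface is only applied for Trust-to-Untrust traffic, so a permit policy from a custom zone such as "Wireless" to "Untrust" needs policy-based source NAT (`nat src`) or its packets leave with private source addresses. The following is an added example, not code from the thread or from Juniper: a small Python linter that parses the zone, interface-mode and policy lines of a ScreenOS config, flags permit policies to "Untrust" whose source zone relies on interface NAT that will never apply, and shows the fix by rewriting policy 16 with `nat src`. The embedded config is a constructed excerpt of the question's own config; the public address 203.0.113.2 is a documentation placeholder standing in for the masked xxx.xxx.xxx.xxx.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the config posted in the question (zone, interface-mode and
# policy lines only). 203.0.113.2 is a placeholder for the masked public address.
SAMPLE_CONFIG = """
set zone "Trust" vrouter "trust-vr"
set zone id 100 "Wireless"
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/2" zone "Wireless"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/0 route
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 16 from "Wireless" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 18 from "Wireless" to "Trust"  "Any" "Any" "ANY" deny
"""

ZONE_RE = re.compile(r'^set interface "?([\w/]+)"? zone "([^"]+)"$')
MODE_RE = re.compile(r'^set interface "?([\w/]+)"? (nat|route)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"[^"]+" "[^"]+" "[^"]+"\s+(.*)$'
)


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    action: str        # "permit" or "deny"
    policy_nat: bool   # True when the policy itself carries "nat src"


def parse(config):
    """Collect interface->zone, interface->mode and the policy list from a config dump."""
    iface_zone, iface_mode, policies = {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            iface_zone[m.group(1)] = m.group(2)
        elif m := MODE_RE.match(line):
            iface_mode[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            tokens = m.group(4).split()
            policies.append(Policy(
                pid=int(m.group(1)),
                src_zone=m.group(2),
                dst_zone=m.group(3),
                action="permit" if "permit" in tokens else "deny",
                policy_nat="nat" in tokens and "src" in tokens,
            ))
    return iface_zone, iface_mode, policies


def interface_nat_gaps(config):
    """Return ids of permit policies to Untrust whose source zone sits behind a NAT-mode
    interface but is not Trust (so interface NAT is not applied) and that lack 'nat src'."""
    iface_zone, iface_mode, policies = parse(config)
    nat_zones = {iface_zone[i] for i, mode in iface_mode.items()
                 if mode == "nat" and i in iface_zone}
    return [p.pid for p in policies
            if p.action == "permit" and p.dst_zone == "Untrust"
            and p.src_zone in nat_zones and p.src_zone != "Trust"
            and not p.policy_nat]


def add_policy_nat(config, pid):
    """Rewrite one permit policy so it uses policy-based source NAT to the egress
    interface IP (the CLI form of ticking 'source nat' on the policy's advanced tab)."""
    out = []
    for raw in config.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m and int(m.group(1)) == pid and "nat src" not in raw:
            raw = raw.replace(" permit", " nat src permit", 1)
        out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    print("policies missing policy NAT:", interface_nat_gaps(SAMPLE_CONFIG))   # [16]
    fixed = add_policy_nat(SAMPLE_CONFIG, 16)
    print("after fix:", interface_nat_gaps(fixed))                              # []
    print([l for l in fixed.splitlines() if "policy id 16" in l][0])
```

Run against the sample, the linter reports policy 16 as the only gap; policy 1 is exempt because its source zone is Trust, and policy 18 is a deny. After `add_policy_nat` the rewritten line reads `set policy id 16 from "Wireless" to "Untrust"  "Any" "Any" "ANY" nat src permit log`, which is the policy-based NAT both replies recommend.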

Author

Commented:
There must be something special when setting the firewall to Home/Work mode. Then both zones work without policy-based NAT.
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I never used an SSG5, only "higher" devices, and can't tell that. The SSG5 is special in some treatment (like bgroup, which does not exist on other devices). Home mode might be a very simplified mode allowing only one Untrust and many Trust-like interfaces, and then it would be correct that it works without policy NAT. But you are certainly much more restricted in what you can set up in Home mode.
Commented:
Hi Elit2007,

Sorry, I did not see you had already resolved your connectivity in the first reply (to your own question :))

As for the home-office mode, there are no restrictions in functionality that I am aware of.
The only thing I can think of is that it is not possible to get any traffic from the home to the office/work zone (due to that auto policy that'll sit on top of that rulebase).
I agree there is something special in home-office mode (for the home and office zones)..., but even in that mode, if you'd create a zone "wireless" you'd have to turn on policy-based NAT. (right??)

As for the bgroups, I think you can make them on any SSG, so all the way up to the 550 (not that you were asking, just clarifying the post just above).
The ASIC platforms (ISG, NS5K) don't have that feature (unfortunately).

The 'interface based nat' is really something that has its roots in ScreenOS 3.x and before.
It's there for backwards compatibility... policy-based NAT is more flexible, and using that you are doing it the right way; it's not a workaround, it's the way to go.

Have a good weekend,
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Neither an NS-25 (outdated) nor an SSG520 knows of bgroups.

I agree that there is absolutely no reason not to use policy-based NAT. At least if you do not have a mass of them - it is much more comfortable not having to tick that advanced property ;-). Anyways, it is the recommended and official way.

Commented:
Hi Qlemo,

thanks for the input.

However, the NS25 is not an SSG (and ancient; end of sale a long time ago, AFAIK).

The SSG520 supports bgroups just fine. From the datasheet:

"* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases"
The same is true for the 140, 550, etc.

Cheers,
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
FWIW: The SSG520 does not have any uPIMs as an integrated part. Of course you can put cards in and extend the command set ... My SSG520 does not have any trace of a bgroup in any command available.
