Solved

How to block IP subnets on Netscreen 50

Posted on 2010-11-29
Last Modified: 2012-05-10
I have a Juniper Netscreen 50 which was implemented long before I was hired. I've been digging around the web GUI and the CLI and have learned quite a bit but cannot seem to figure out how to block specific subnets/hosts from getting into my network. I'm a Cisco guy and know how to do this on a PIX/ASA/router with ACLs and such but the Juniper way of doing things is a bit confusing. We have a few specific subnets that we need to just deny from accessing our network (FTP dictionary attacks) but I can't seem to figure it out.

It's running ScreenOS 5.4.0r11.0.
There are three virtual routers, trust-vr, untrust-vr, and vpn-vr. We have two different public subnets on this router, one on ethernet2 and one on ethernet3. Our trusted side is on ethernet1. I need to block traffic from specific subnets (193.0.0.0/8 for example) from reaching any host on my network.

Any help would be greatly appreciated. As I've said, I'm a Cisco certified guy and I've been in the networking arena for many years but I'm completely new to Juniper systems. Stepping through the GUI or the CLI is fine by me.
Question by: cmackles
3 Comments
Accepted Solution

by: deimark (LVL 18), earned 2000 total points
ID: 34231322
To do this on each VR, add a network object in each external zone you have, i.e. an object called "bad-net" with an address of 193.0.0.0/8.

Once we have this object, we can then reference it in a rule.

Note that ScreenOS uses the concept of zones to allow or deny traffic, so you look for which pair of zones you want involved, i.e. source zone untrust, destination zone trust.

We can then create the policy as follows:

set pol from untrust to trust bad-net any any deny

(repeat for all pairs of zones)

HTH
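The "repeat for all pairs of zones" step above is easy to get wrong by hand, so here is an added helper (not part of the answer or of ScreenOS itself) that emits the address objects, an address group and a top-of-list deny policy for every external zone into trust. The second zone name "ext2" and the extra subnet 198.51.100.0/24 are placeholders; ScreenOS wants a dotted netmask, and the `top` and `log` keywords keep the deny ahead of existing permits and make matches visible in the log.

```python
"""Generate ScreenOS CLI that denies a list of source subnets from every external
zone into the trust zone (added example; verify zone names with `get zone`)."""
import ipaddress

# Assumed, not from the question: the zones holding ethernet2 and ethernet3.
EXTERNAL_ZONES = ["untrust", "ext2"]   # "ext2" is a hypothetical custom zone
TRUST_ZONE = "trust"
# Constructed sample input: the questioner's /8 plus a documentation range.
BAD_SUBNETS = ["193.0.0.0/8", "198.51.100.0/24"]


def cidr_to_screenos(cidr):
    """Convert a.b.c.d/n to the (network, dotted-netmask) pair `set address` expects.
    strict=True rejects host bits set in the prefix (a typo would match nothing)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def deny_subnets_config(subnets, external_zones, trust_zone, group="bad-nets"):
    """Return the CLI lines: per external zone, one address object per subnet,
    an address group collecting them, and a single deny policy for the zone pair."""
    lines = []
    for zone in external_zones:
        for i, cidr in enumerate(subnets, 1):
            ip, mask = cidr_to_screenos(cidr)
            lines.append(f'set address {zone} "bad-net-{i}" {ip} {mask}')
            # Adding to a group creates it on the first member.
            lines.append(f'set group address {zone} "{group}" add "bad-net-{i}"')
        # "top" places the deny above existing permit policies for this pair;
        # "log" records hits so the dictionary attacks stay visible.
        lines.append(
            f'set policy top from {zone} to {trust_zone} "{group}" "Any" "ANY" deny log'
        )
    lines.append("save")   # persist the running config to flash
    return lines


if __name__ == "__main__":
    print("\n".join(deny_subnets_config(BAD_SUBNETS, EXTERNAL_ZONES, TRUST_ZONE)))
```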
Author Closing Comment

by: cmackles
ID: 34231977
Fantastic! With that help I've managed to get it working. Thanks a million!

Expert Comment

by: deimark (LVL 18)
ID: 34231982
No problem bud.

Welcome to Juniper :P