Solved

How do I open ports to the untrust interface on a Juniper SSG-140?

Posted on 2011-05-11
2,623 Views
Last Modified: 2012-06-27
We have a Juniper SSG-140, I know how to create MIPs and open ports to those MIPs. However I can't seem to figure out how to open ports to the default IP of the untrust interface.
0
23 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35739252
The default IP on the untrust interface can only be mapped to another internal IP using a VIP (virtual IP). The process to set up a VIP is very similar to the setup for a MIP. If you need help with specifics or run into problems, please post :)
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35739488
To be more specific, what I am trying to do is open a few ports incoming (untrust) to 2 IPs on the trust side. I know how to do this on a MIP but not on the untrust IP.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 2000 total points
ID: 35739699
Yes, you have to create a VIP if you want to use the untrust IP address and open ports to an internal server.

For example, I used my untrust IP to map ports for my Xbox Live on a NetScreen 5GT running ScreenOS 6.2:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/A_4190-XBox-360-open-NAT-setup-Juniper-Netscreen-SSG.html

The approach is exactly the same for any other service/server.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35739708
You cannot create a MIP on the IP assigned to the untrust interface, but you can create a VIP.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35739917
OK, thanks, I will give this a try. I assume that, like with the MIP, creating a VIP won't interrupt traffic assuming I do it correctly?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35739942
Yes, you are correct. If configured correctly the process will not interrupt inbound or outbound traffic. I have created temporary VIPs for my corporate office in the middle of the day without any issues at all.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35756240
OK, so I followed the guide: I created the custom services, created the VIP on the untrust IP and mapped it to the IP of the desktop I want to allow the ports to go through to. I created a policy from any to the VIP with the 3 services I created.

It is still not working. I did not do #4 as I assume it has to restart the firewall? Do I need to do step 4 for this to work?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35756530
Yes, you must enable multi-port VIP if you are mapping more than 1 IP address to an internal server/desktop.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35756608
If I am just using the untrust IP, do I need to do this? If I already have multiple VIPs, would this already be enabled?

Do I have to reboot the firewall to enable this?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35756643
You do have to reboot the firewall for the change to take effect. If you have other VIPs with multiple ports then it's probably enabled. But if you have MIPs, then the setting does not apply. VIPs and MIPs, even though they do the same thing, are handled differently by the device.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35756694
How about if I can get away with just 1 port on the VIP? Can I get it working without the reboot?

Would this be why it isn't currently working?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35756763
Yes, if you only forward one port in the VIP, you can get away without setting up the multi-port option. I often test with one port first before enabling multi-port.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35756835
Cool, I will try that. Would I be able to go to 2 desktops with just 1 port without the reboot?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35757002
You cannot forward the same port to two different desktops. Port forwarding is a 1-to-1 mapping. For example, I cannot forward the RDP port to two different computers.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35771475
Can I open the port globally to the untrust interface?
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35771516
No, with port mapping you must specify a target workstation/server on your local network. You cannot open up a port to nowhere, since it defeats the purpose of a firewall.
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35771608
For some reason it was not working when I was testing with 1 computer. We are running firmware 5.4.0r1a.0. Attached are the screenshots of the VIP, policy, and service I have defined. I verified that the target system firewall is off as well.

[Screenshots attached: VIP, Services, Policy]
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35771635
I also just saw this in the alarms: crit  VIP server 10.100.0.65 cannot be contacted.

I verified that I can ping it and the other day I had him verify his IP.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35771737
In the VIP configuration, turn off the option for server auto-detection. I've noticed that with that enabled, for some reason the device disables the VIP if it cannot detect the server on the LAN. This would be OK if the check passed when the server is online, but even on ScreenOS 6.2 it always fails!

BTW, I noticed your services are for SC2. I am surprised you would need to go through all this just to play or update SC2 on your PC. I have SC2 myself and play on both PC and Macintosh without having to do anything special on the firewall.

Something that might help is source-based translation.

Go to Policy and choose your main outgoing policy (trust to untrust), select Edit, then Advanced. At the top enable:

Source Translation (DIP on): None (use egress interface IP)

Basically what this does is make sure that traffic from your SC2 workstation has the correct info so that the return traffic makes it back to the PC. It also helps with VoIP phones (which is where I learned the trick).
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35773496
I unchecked the detection box and it still did not work. I am going off of the following: http://us.blizzard.com/support/article.xml?locale=en_US&articleId=34063

I have not tried the outgoing policy change as I don't want to affect anyone else if something goes wrong.

I'm not sure why the connection isn't working though. I have this person in an outgoing policy that allows any, and I have the firewall set up correctly to allow port 1119 incoming :*(
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35773941
Ah, I see now. For the service 'StarCraft II' add UDP port 1119 in addition to TCP 1119, and on the outgoing policy for the user's computer add the source-based routing I mentioned in my previous post :)
0
 
LVL 10

Author Comment

by:ThorinO
ID: 35883069
Do you think the outgoing policy change will affect anything? There are multiple users (and servers) on this policy and I don't want to break anything for the sake of SC2 ;)
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 35883181
You can always create a single policy for the user that wants to play SC2. Just make their IP the source IP address of a trust-to-untrust policy. In the advanced options of the policy, enable source translation.
0
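Editor's note: the thread above is all WebUI clicks, so here is the same procedure as an added ScreenOS CLI example. It is not from the original thread and not any poster's configuration; it assumes the untrust interface is ethernet0/0, the zones are named Trust and Untrust, the trust-side desktop is 10.100.0.65 (the address in the alarm above), and the 5.4/6.x CLI syntax (`set interface ... vip interface-ip ...`, `manual`, `set vip multi-port`, `nat src`) as documented in the ScreenOS CLI reference; confirm names with `get interface` and `get zone` before pasting.

```screenos
## Added example (not from the thread). Assumed: untrust interface ethernet0/0,
## target host 10.100.0.65, zone names Trust/Untrust, ScreenOS 5.4/6.x CLI.

## 1. Custom service covering both TCP and UDP 1119 (the accepted answer's fix).
##    "+" appends a second entry to an existing service object.
set service "StarCraft II" protocol tcp src-port 0-65535 dst-port 1119-1119
set service "StarCraft II" + udp src-port 0-65535 dst-port 1119-1119

## 2. VIP on the interface's own address ("interface-ip"), one port, 1-to-1 to the desktop.
##    "manual" turns off server auto-detection so the VIP is not disabled when the
##    health check fails (the "VIP server 10.100.0.65 cannot be contacted" alarm).
set interface ethernet0/0 vip interface-ip 1119 "StarCraft II" 10.100.0.65 manual

## 3. Inbound policy: destination is the VIP object, service is the custom service only.
##    Keep "any" out of the service column; log so the hit shows up in the traffic log.
set policy from untrust to trust any vip(ethernet0/0) "StarCraft II" permit log

## 4. Per-host outbound policy with source translation to the egress interface IP
##    ("nat src" with no DIP pool), instead of editing the shared trust-to-untrust policy.
##    Place it above the general outbound rule so it matches first.
set policy top from trust to untrust 10.100.0.65/32 any any nat src permit

## 5. Only if a single VIP has to forward more than one port: enable multi-port mode.
##    This takes effect only after a reset, which is the reboot discussed above.
# set vip multi-port
# save
# reset

save

## Verification
get vip
get policy from untrust to trust
get service "StarCraft II"
```

Usage note: step 5 is commented out on purpose; with one forwarded port the VIP works without it, which matches the "test with one port first" advice. The inbound rule deliberately names the VIP object and one service rather than `any`, because a VIP on the untrust interface's own address is reachable from the whole Internet and the policy is the only thing limiting what reaches the desktop.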


Question has a verified solution.
