
Create DMZ on Juniper Netscreen NS-5Gt

Experts-

We recently did a circuit cutover at one of our newly acquired sites and inherited a Cisco VPN Concentrator 3000. Before the cutover, the VPN concentrator was connected to the internet router via a linksys workgroup switch which in turn connected to the internet router. The Juniper Netscreen NS-5Gt also connected to this Linksys switch as well as the core router which logically divided the two campuses.

We have since taken out the linksys from the equation and have connected the core router directly to the internet router. The Juniper Netscreen naturally is connected to the internet router as well. So now the VPN concentrator is offline and I am looking to reconfigure starting with creating a DMZ on the netscreen to house the Cisco VPN Concentrator.

Being new to the DMZ world, I am needing a little assistance to get this process going. I currently have three interfaces on my Netscreen NS-5GT: trust, untrust and dmz (1,3,2). My question is how to go about setting up the DMZ first, since I have never had one in place before. Thanks in advance for the assistance and let me know if you need more info.
Asked by: beargonefishing

1 Solution
Sanga Collins (Systems Admin) commented:
With the Juniper device a DMZ may not accomplish what you want. If the Cisco and the Juniper were connected to a switch, they may have both had public IP addresses, and even more probably statically configured public IP addresses.

Can you confirm the above?

beargonefishing (Director of Network Infrastructure, Author) commented:
Yes, the Juniper and the Cisco are still currently connected to the LAN switch and both have static public IP addresses.

I will take any suggestions; it does not have to be a DMZ, I am just trying to get it set up again so it can work in a secure manner.

Sanga Collins (Systems Admin) commented:
You could connect the Cisco WAN to the Juniper LAN and use VPN passthrough in combination with a MIP (mapped IP).

- Basically you change the Cisco WAN to an IP address on the LAN of the Juniper.
- In the Juniper untrust interface, you can edit it to create a MIP that maps the original static IP to the new LAN IP of the Cisco.
- You can then use the following Juniper KB article to configure VPN passthrough to allow the correct traffic to and from the Cisco: http://kb.juniper.net/InfoCenter/index?page=content&id=KB9243

beargonefishing (Director of Network Infrastructure, Author) commented:
Since I already have a dedicated public IP address, couldn't I just create a MIP for the VPN concentrator and then add a policy in the firewall to allow traffic to the public IP address of the VPN through the VPN ports? Or would this not be secure enough?

Sanga Collins (Systems Admin) commented:
That is the process I described. I added the first step because the VPN concentrator will not be able to use the public IP address on its WAN anymore. It would need a LAN IP from the Netscreen, and the MIP + resulting policy would point to that new IP.

You probably wouldn't need the VPN passthrough, since the clients are remote from your network rather than on your LAN trying to connect outbound to VPNs.

beargonefishing (Director of Network Infrastructure, Author) commented:
Ok, yes so I do have dedicated LAN IP already associated with the VPN concentrator which I could use to map to the public IP. So the LAN interface would be the only interface which is connected and its new gateway address would be the LAN IP of the firewall correct?

Now if I have a policy such as Any to just the public IP of the VPN using VPN ports, will that still be secure enough?

Sanga Collins (Systems Admin) commented:
The LAN ip from the netscreen would be assigned to the same interface on the concentrator that used to have the public IP. This will keep things as close to how it was originally.

If you have the untrust-trust policy pointing to the MIP with only the VPN ports open you will be secure, actually even more secure than having the concentrator configured with the public IP connected to the old Linksys switch.

beargonefishing (Director of Network Infrastructure, Author) commented:
But could I just connect the internal interface to the LAN, assign it an internal IP and do the following which you mentioned. Then just leave the public interface unplugged altogether. And give the VPN concentrator a default gateway of the internal IP of the netscreen.

This may be just what you mentioned, if it is I apologize. Still feeling the effects of a circuit cutover the other night. lol

Sanga Collins (Systems Admin) commented:
I do not have enough knowledge about how the VPN concentrator works, so I can't confidently give specific details. I assume the concentrator had a WAN with a public IP and a LAN that was connected to some protected servers/workstations.

From what you describe it seems you want to take that concentrator LAN and connect it to the Juniper LAN. If the device will still function as intended in this manner then yes, you can leave the public interface disconnected and just use the LAN interface (I do this with a SonicWall SSL VPN 200).

If it can not function in this manner you will have to connect the concentrator WAN to the netscreen and leave the LAN for the protected network resources.

Hope this helps :)

beargonefishing (Director of Network Infrastructure, Author) commented:
The way it was setup before was the WAN interface plugged into the linksys workgroup switch along with the netscreen and that uplinked into the internet router. The LAN interface has always been plugged directly into the core switch stack. So I could just use that interface as you mentioned.

beargonefishing (Director of Network Infrastructure, Author) commented:
sangamc-

I tried just assigning the private interface on the VPN concentrator and changing the default gateway to the internal IP of my gateway, and no go. It is almost like it has to use the public interface as well, but currently I do not have anywhere to plug it into without the Linksys workgroup hub.

Is there a way to configure the VPN concentrator in a one-armed mode and hang it off one of the interfaces on the Juniper Netscreen? Since interface eth2 is already assigned the DMZ role in extended mode, could I just put the concentrator in the DMZ with a bogus subnet?

Sanga Collins (Systems Admin) commented:
Yes, this is what I had described earlier. I just ignore the DMZ interface in my setups and use trust zone/interfaces.

You can however:

- create a LAN on the DMZ, for example 192.168.1.1/24
- give the concentrator's public interface an IP of 192.168.1.10
- create a MIP from the concentrator's original public IP to 192.168.1.10
- create a policy from untrust to DMZ allowing relevant VPN traffic.

This is the same as comment ID: 38422082, except I like to use the trust interface :)
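As an added example (not Sanga's configuration, not from the Juniper KB linked earlier, and not verified against a live NS-5GT), here is how the four steps above, together with the MIP approach from the earlier comment, could look as ScreenOS CLI. It assumes the extended-mode interface layout from the question (ethernet1 = trust, ethernet2 = dmz, ethernet3 = untrust), uses 203.0.113.10 as a documentation-range placeholder for the concentrator's real public IP, assumes IKE and IKE-NAT are predefined services on this release, and uses ScreenOS 6.x syntax as I recall it, so check each command against your firmware before committing it.

```screenos
# Added example, not from this thread. ScreenOS 6.x syntax as recalled; verify on your release.
# Placeholders: 203.0.113.10 = concentrator's original public IP (replace with yours),
#               192.168.1.0/24 = the arbitrary DMZ subnet suggested in the thread.

# 1. Put ethernet2 in the DMZ zone and give it the new, otherwise unused subnet.
set interface ethernet2 zone dmz
set interface ethernet2 ip 192.168.1.1/24
set interface ethernet2 route

# 2. One-to-one map the concentrator's old public IP (on the untrust interface)
#    to its new DMZ address. Remote clients keep dialling 203.0.113.10.
set interface ethernet3 mip 203.0.113.10 host 192.168.1.10 netmask 255.255.255.255 vrouter trust-vr

# 3. Define only what an IPsec remote-access concentrator needs and group it,
#    so the inbound policy can permit nothing else:
#    IKE = UDP/500, IKE-NAT = UDP/500+4500 (NAT-T), ESP = IP protocol 50.
#    "ESP-50" is a custom service name chosen here to avoid clashing with any predefined one.
set service "ESP-50" protocol 50 src-port 0-65535 dst-port 0-65535
set group service "Cisco-VPN-Svcs"
set group service "Cisco-VPN-Svcs" add "IKE"
set group service "Cisco-VPN-Svcs" add "IKE-NAT"
set group service "Cisco-VPN-Svcs" add "ESP-50"

# 4. Single inbound policy, untrust -> DMZ, destination is the MIP object, logged.
set policy id 10 from "Untrust" to "DMZ" "Any" "MIP(203.0.113.10)" "Cisco-VPN-Svcs" permit log

# 5. Explicit logged deny for anything else from the internet to the DMZ.
#    The inter-zone default already denies; the explicit rule gives you a log line to watch.
set policy id 11 from "Untrust" to "DMZ" "Any" "Any" "Any" deny log

save
```

On the concentrator side this assumes the public interface is moved to 192.168.1.10/24 with default gateway 192.168.1.1 (the Netscreen's DMZ address), while the private interface keeps its existing LAN address so routing to the protected hosts is unchanged, as Sanga describes below. After applying, `get mip` and `get policy` (as I recall the ScreenOS show commands) should list the mapping and policies 10/11, and any hits on policy 11 in the traffic log are unsolicited traffic at the DMZ that you want to know about.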
 
beargonefishing (Director of Network Infrastructure, Author) commented:
Will the IP address which gets assigned to the DMZ just be from an arbitrary subnet outside of my current LAN to fend off intrusions?

What happens to the private interface, does that one still keep an IP on the LAN? I have already created the MIP for the concentrator within the firewall.

Sanga Collins (Systems Admin) commented:
The IP address you assign to the DMZ can be an arbitrary subnet outside of the current LAN. This is a sound approach for this kind of setup. I often use subnets such as 10.10.1.1/24, 10.10.2.1/24 and so on, since I have multiple VPN devices for different services and/or separate client companies.

If the concentrator is for connecting to protected servers or workstations on the LAN, then the private interface should maintain its original LAN ip so that the routing can continue to work.