Solved

Juniper SSG140 route question and issue

Posted on 2013-01-30 (last modified 2015-05-22)
Hello experts,
I have an SSG140 firewall with 2 ADSL circuits connected to it, and all works. All ADSL circuits use dynamic IP addresses. Now I want to connect a fixed line to the SSG140 and I can't make it work.
I found that once ADSL dials up, two connected routes for destination 0.0.0.0/0 are generated by themselves, without a preference parameter, and both are active.
But for the fixed circuit, which uses a static IP address, I must configure a static route for 0.0.0.0/0 on it. Although I configure its preference to 0 and a lower metric than the ADSL circuits, this route is still not active (there is no asterisk on the left), so I can't make this line work.

Do you have any ideas about this?
Let me know if you need me to paste the configuration.

Thanks
Question by: beardog1113

Expert Comment by: Sanga Collins
ID: 38838335
Create the interface with the static IP in the untrust-vr. A separate VR will allow you to configure another active default gateway. You can then use interface monitoring and route metrics to configure interface failover.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB8704

Author Comment by: beardog1113
ID: 38841243
Hello
In my environment, each internet circuit is for a different department (VLAN), so I don't need monitoring and failover; I just need to activate the static route.

Thanks

Expert Comment by: Sanga Collins
ID: 38841359
OK, then configuring an interface in the untrust-vr with the new static IP will allow you to also configure the appropriate default route without worrying about conflicts from previously configured services.

Depending on how you have your VLANs set up, you can either use source-based routing to force traffic from a specific LAN to go to the untrust-vr (where default routes will take care of the rest), or, if possible, you can move the interface configured for the different dept into the untrust-vr.

If you need help with specific steps or details, please feel free to post.

Author Comment by: beardog1113
ID: 38849807
Hello
I did try policy routing and source-based routing; neither helps. Below is the firewall configuration.

SSG140-> get conf
config               show system configuration
SSG140-> get config
Total Config size 8816:
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "FTP_20_21" protocol tcp src-port 0-65535 dst-port 20-21
set service "TCP_8809" protocol tcp src-port 0-65535 dst-port 8809-8809
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "nHK8CWrhIzuMc/EGhsBFJ3BtjuHoEn"
set admin auth web timeout 30
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "Untrust_ADSL_20"
set zone id 101 "Untrust_ADSL_12"
set zone id 102 "Trust_ADSL_12"
set zone id 103 "Untrust_Server"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "Untrust_ADSL_20" tcp-rst
unset zone "Untrust_ADSL_12" tcp-rst
unset zone "Trust_ADSL_12" tcp-rst
unset zone "Untrust_Server" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust_Server"
set interface "ethernet0/1" zone "Untrust_ADSL_20"
set interface "ethernet0/2" zone "Untrust_ADSL_12"
set interface "ethernet0/8" zone "Untrust_Server"
set interface "ethernet0/9.1" tag 101 zone "Trust"
set interface "ethernet0/9.2" tag 150 zone "Trust_ADSL_12"
set interface ethernet0/0 ip 61.144.17.117/29
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 59.41.112.119/32
set interface ethernet0/1 route
set interface ethernet0/2 ip 58.62.241.251/32
set interface ethernet0/2 route
set interface ethernet0/9.1 ip 10.137.20.46/24
set interface ethernet0/9.1 nat
set interface ethernet0/9.2 ip 10.137.35.254/24
set interface ethernet0/9.2 nat
set interface ethernet0/9.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
unset interface ethernet0/2 ip manageable
set interface ethernet0/9.1 ip manageable
unset interface ethernet0/9.2 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/1 manage ping
set interface ethernet0/2 manage ping
set interface ethernet0/9.2 manage ping
set interface "ethernet0/0" mip 61.144.17.114 host 10.137.20.5 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 61.144.17.115 host 10.137.20.6 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 61.144.17.118 host 10.137.20.14 netmask 255.255.255.255 vr "trust-vr"
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "VLAN101" 10.137.20.0 255.255.255.0
set address "Trust" "VLAN102" 10.137.29.0 255.255.255.192
set address "Trust" "VLAN103" 10.137.28.64 255.255.255.192
set address "Trust" "VLAN104" 10.137.28.128 255.255.255.192
set address "Trust" "VLAN105" 10.137.28.192 255.255.255.192
set address "Trust" "VLAN106" 10.137.21.0 255.255.255.192
set address "Trust" "VLAN107" 10.137.21.64 255.255.255.192
set address "Trust" "VLAN108" 10.137.21.128 255.255.255.192
set address "Trust" "VLAN109" 10.137.21.192 255.255.255.192
set address "Trust" "VLAN110" 10.137.27.0 255.255.255.192
set address "Trust" "VLAN111" 10.137.27.64 255.255.255.192
set address "Trust" "VLAN112" 10.137.27.128 255.255.255.192
set address "Untrust" "122.248.139.144/29" 122.248.139.144 255.255.255.248
set address "Untrust" "122.248.141.0/27" 122.248.141.0 255.255.255.224
set address "Trust_ADSL_12" "VLAN150" 10.137.35.0 255.255.255.0
set group address "Trust" "Guangzhou_Network"
set group address "Trust" "Guangzhou_Network" add "VLAN102"
set group address "Trust" "Guangzhou_Network" add "VLAN103"
set group address "Trust" "Guangzhou_Network" add "VLAN104"
set group address "Trust" "Guangzhou_Network" add "VLAN105"
set group address "Trust" "Guangzhou_Network" add "VLAN106"
set group address "Trust" "Guangzhou_Network" add "VLAN107"
set group address "Trust" "Guangzhou_Network" add "VLAN108"
set group address "Trust" "Guangzhou_Network" add "VLAN109"
set group address "Trust" "Guangzhou_Network" add "VLAN110"
set group address "Trust" "Guangzhou_Network" add "VLAN111"
set group address "Trust" "Guangzhou_Network" add "VLAN112"
set group address "Trust" "ServerVlan"
set group address "Trust" "ServerVlan" add "VLAN101"
set group address "Untrust" "HK_IDC"
set group address "Untrust" "HK_IDC" add "122.248.139.144/29"
set group address "Untrust" "HK_IDC" add "122.248.141.0/27"
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 11 from "Trust" to "Untrust_Server"  "ServerVlan" "Any" "ANY" nat src permit
set policy id 11
exit
set policy id 7 from "Trust" to "Untrust_ADSL_20"  "Guangzhou_Network" "Any" "ANY" nat src permit
set policy id 7
exit
set policy id 10 from "Trust_ADSL_12" to "Untrust_ADSL_12"  "VLAN150" "Any" "ANY" nat src permit
set policy id 10
exit
set pppoe name "20MB"
set pppoe name "20MB" username "02005866704@163.gd" password "Sn9a0zPXN1Sl59sJpjCGGusgepnTD7wgvQ=="
set pppoe name "20MB" interface ethernet0/1
set pppoe name "20MB" default-route-metric 10
set pppoe name "12MB"
set pppoe name "12MB" username "02008632734@163.gd" password "vcRRt2MHN9kLdIs1vzCnXwr0SEn+p8sr2g=="
set pppoe name "12MB" interface ethernet0/2
set pppoe name "12MB" default-route-metric 10
set pppoe name "CMCC"
set pppoe name "CMCC" username "123" password "6KYPXXyWNY3hYisMRxCJfN/O+AnJVtbgBQ=="
set pppoe name "CMCC" interface ethernet0/0
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit        
set vrouter "trust-vr"
unset add-default-route
set route 10.0.0.0/8 interface ethernet0/9.1 gateway 10.137.20.1
set route 192.168.0.0/16 interface ethernet0/9.1 gateway 10.137.20.1
set route 172.16.0.0/12 interface ethernet0/9.1 gateway 10.137.20.1
set route 0.0.0.0/0 interface ethernet0/0 gateway 61.144.17.113 preference 0
set route source 10.137.35.0/24 interface ethernet0/2
set route source 10.137.21.0/24 interface ethernet0/1
set route source 10.137.27.0/24 interface ethernet0/1
set route source 10.137.28.0/24 interface ethernet0/1
set route source 10.137.29.0/24 interface ethernet0/1
set route source 10.137.20.0/24 interface ethernet0/0 gateway 61.144.17.113
set access-list extended 10 src-ip 10.137.20.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 1-65535 protocol any entry 10
set access-list extended 10 src-ip 10.137.20.0/24 dst-ip 0.0.0.0/0 protocol icmp entry 20
set match-group name Match_Group_10
set match-group Match_Group_10 ext-acl 10 match-entry 10
set action-group name Action_10
set action-group Action_10 next-interface ethernet0/0 next-hop 61.144.17.113 action-entry 10
set pbr policy name pbr_trust
set pbr policy pbr_trust match-group Match_Group_10 action-group Action_10 10
set pbr policy_route
exit        
set interface ethernet0/9.1 pbr pbr_trust
set zone Trust pbr server_vlan
set zone Untrust pbr server_vlan
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
SSG140->

Expert Comment by: Sanga Collins
ID: 38851113
Since I don't know what zones and IPs are going where, can you explain how you want this to work? (i.e. which VLAN goes out of which internet connection, etc.)

Author Comment by: beardog1113
ID: 38853481
Hello
vlan150 goes to untrust_ADSL_12.
All other user VLANs go to untrust_ADSL_20.
Both circuits are ADSL and they work fine.

vlan101 (server VLAN) goes to untrust; this circuit has a fixed public IP (not ADSL). Servers can't go to the internet via this circuit; I think the reason is that the route "set route 0.0.0.0/0 interface ethernet0/0 gateway 61.144.17.113 preference 0" does not take effect.

Thanks

Expert Comment by: Sanga Collins
ID: 38855162
OK, your zone "Untrust_Server" is still not configured in the untrust-vr. When you go and look at your routing tables you will see there are trust-vr and untrust-vr route tables. The virtual router allows you to configure 2 active default gateways.

You must remove the untrust_server zone (or create a new one with a different name), and during the creation process make sure you select "Untrust-VR".

You can then create the vlan101 zone also in the untrust-VR.

Once you have your servers and static IP in the untrust-VR you can then make route statements so that vlan150, all other VLANs and Vlan101 can all talk to each other.

Expert Comment by: Sanga Collins
ID: 38855379
I loaded your config into a device. Here is the route table.

IPv4 Dest-Routes for <trust-vr> (14 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
         14          0.0.0.0/0         eth0/0   61.144.17.113   S    0      1     Root
          5   58.62.241.251/32         eth0/2         0.0.0.0   C    0      0     Root
          6   58.62.241.251/32         eth0/2         0.0.0.0   H    0      0     Root
          3   59.41.112.119/32         eth0/1         0.0.0.0   C    0      0     Root
          4   59.41.112.119/32         eth0/1         0.0.0.0   H    0      0     Root
*        10   10.137.35.254/32       eth0/9.2         0.0.0.0   H    0      0     Root
*         9     10.137.35.0/24       eth0/9.2         0.0.0.0   C    0      0     Root
*         7     10.137.20.0/24       eth0/9.1         0.0.0.0   C    0      0     Root
*        12     192.168.0.0/16       eth0/9.1     10.137.20.1   S   20      1     Root
*        13      172.16.0.0/12       eth0/9.1     10.137.20.1   S   20      1     Root
*         8    10.137.20.46/32       eth0/9.1         0.0.0.0   H    0      0     Root
          2   61.144.17.117/32         eth0/0         0.0.0.0   H    0      0     Root
          1   61.144.17.112/29         eth0/0         0.0.0.0   C    0      0     Root
*        11         10.0.0.0/8       eth0/9.1     10.137.20.1   S   20      1     Root

Then I moved vlan101 and the static to the untrust-vr

IPv4 Dest-Routes for <untrust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
          3          0.0.0.0/0         eth0/0   61.144.17.113   S   20      1     Root
          4     10.137.20.0/24       eth0/9.1         0.0.0.0   C    0      0     Root
          5    10.137.20.46/32       eth0/9.1         0.0.0.0   H    0      0     Root
          2   61.144.17.117/32         eth0/0         0.0.0.0   H    0      0     Root
          1   61.144.17.112/29         eth0/0         0.0.0.0   C    0      0     Root



IPv4 Dest-Routes for <trust-vr> (11 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        16      10.11.12.1/32         eth0/4         0.0.0.0   H    0      0     Root
          5   58.62.241.251/32         eth0/2         0.0.0.0   C    0      0     Root
          6   58.62.241.251/32         eth0/2         0.0.0.0   H    0      0     Root
          3   59.41.112.119/32         eth0/1         0.0.0.0   C    0      0     Root
          4   59.41.112.119/32         eth0/1         0.0.0.0   H    0      0     Root
         10   10.137.35.254/32       eth0/9.2         0.0.0.0   H    0      0     Root
          9     10.137.35.0/24       eth0/9.2         0.0.0.0   C    0      0     Root
         12     192.168.0.0/16       eth0/9.1     10.137.20.1   S   20      1     Root
         13      172.16.0.0/12       eth0/9.1     10.137.20.1   S   20      1     Root
*        15      10.11.12.0/24         eth0/4         0.0.0.0   C    0      0     Root
         11         10.0.0.0/8       eth0/9.1     10.137.20.1   S   20      1     Root

SSG140->

Do you see the difference? In the trust-vr the default route is not showing simply because I am not on your network to pull it down from the DSL provider.


BTW, after loading your config I also realized VLAN150 and all other VLANs probably go out of untrust_adsl_12 (or whichever one gets the default gateway first); the traffic will never utilize both connections as long as you have it set up this way.
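
As an added example that is not code from this thread or from Juniper: a Python parser for the `get route` table format shown above, plus a check that reports, for each inactive static route, whether its outgoing interface has an active connected route (in the trust-vr table above, neither the 0.0.0.0/0 static route nor the 61.144.17.112/29 connected route on eth0/0 carries an asterisk). The sample table is constructed from rows of that output, and the rule that an interface counts as up only while its connected route is active is the check's own assumption about ScreenOS.

```python
"""Parse ScreenOS 'get route' output and explain why a static route is inactive."""
import re
from dataclasses import dataclass
# Constructed sample: rows copied from the trust-vr table the expert posted above,
# trimmed to the ones that matter for the 0.0.0.0/0 question.
SAMPLE = """\
IPv4 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
         14          0.0.0.0/0         eth0/0   61.144.17.113   S    0      1     Root
          5   58.62.241.251/32         eth0/2         0.0.0.0   C    0      0     Root
*         7     10.137.20.0/24       eth0/9.1         0.0.0.0   C    0      0     Root
*        11         10.0.0.0/8       eth0/9.1     10.137.20.1   S   20      1     Root
          1   61.144.17.112/29         eth0/0         0.0.0.0   C    0      0     Root
"""

# One data row: optional leading '*' (route is active), then ID, prefix,
# interface, gateway, protocol letter, preference, metric and vsys.
ROW = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\S+)\s+(?P<proto>[A-Z])\s+(?P<pref>\d+)\s+(?P<metric>\d+)\s+\S+\s*$"
)

@dataclass
class Route:
    id: int
    prefix: str
    iface: str
    gateway: str
    proto: str      # S = static, C = connected, H = host
    pref: int
    metric: int
    active: bool    # ScreenOS prints '*' in front of routes it actually uses

def parse_route_table(text):
    """Return the data rows of a 'get route' table as Route objects (header lines are skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            routes.append(Route(int(m["id"]), m["prefix"], m["iface"], m["gw"], m["proto"],
                                int(m["pref"]), int(m["metric"]), m["active"] == "*"))
    return routes

def interface_is_up(routes, iface):
    """Assumption used by the check: an interface is up when its connected (C) route is active."""
    return any(r.proto == "C" and r.iface == iface and r.active for r in routes)

def explain_inactive_static(routes):
    """List (route, reason) for each inactive static route in the table."""
    findings = []
    for r in routes:
        if r.proto != "S" or r.active:
            continue
        if not interface_is_up(routes, r.iface):
            reason = (f"{r.iface} has no active connected route, so preference {r.pref} "
                      f"and metric {r.metric} are never considered")
        else:
            reason = "interface is up; another route for the same prefix is preferred"
        findings.append((r, reason))
    return findings
```

Run it against a pasted `get route` capture to see which inactive static routes are blocked by a down interface rather than by a better competing route.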
 

Author Comment by: beardog1113
ID: 38862179
Hello, then let's make the question simpler:
how can I make the three bold routes below active together?
Thank you

trust-vr
        IP/Netmask       Gateway       Interface       Protocol       Preference       Metric       Vsys       Description       Configure
*      10.137.20.0/24             ethernet0/9.1      C                    Root              -
*      10.137.20.46/32             ethernet0/9.1      H                    Root              -
*      10.137.35.0/24             ethernet0/9.2      C                    Root              -
*      10.137.35.254/32             ethernet0/9.2      H                    Root              -
*      10.0.0.0/8      10.137.20.1      ethernet0/9.1      S      20      1      Root              Remove
*      192.168.0.0/16      10.137.20.1      ethernet0/9.1      S      20      1      Root              Remove
*      172.16.0.0/12      10.137.20.1      ethernet0/9.1      S      20      1      Root              Remove
*      219.136.212.245/32             ethernet0/1      C                    Root              -
*      219.136.212.245/32             ethernet0/1      H                    Root              -
*      0.0.0.0/0      219.136.212.1      ethernet0/1      C             10      Root              -
*      58.62.104.211/32             ethernet0/2      C                    Root              -
*      58.62.104.211/32             ethernet0/2      H                    Root              -
*      0.0.0.0/0      58.62.104.1      ethernet0/2      C             10      Root              -
       61.144.17.112/29             ethernet0/0      C                    Root              -
*      61.144.17.117/32             ethernet0/0      H                    Root              -
       0.0.0.0/0      61.144.17.113      ethernet0/0      S             1      Root              Remove

Expert Comment by: Sanga Collins
ID: 38862434
The only way is by configuring each public interface in a separate virtual router. One in trust-vr, another in untrust-vr, and the third in a new vr with a name of your choosing.

Author Comment by: beardog1113
ID: 38862885
Hello
Then both routing items below are active together in trust-vr; they are generated automatically once ADSL dials up.
Any ideas?

Thanks
*      0.0.0.0/0      219.136.212.1      ethernet0/1      C             10      Root              -
*      0.0.0.0/0      58.62.104.1      ethernet0/2      C             10      Root              -

Accepted Solution by: Sanga Collins (earned 500 total points)
ID: 38864620
If you go to Routing > Virtual Routers > edit:trust-vr

Check to see if Maximum ECMP Routes is enabled (either 2, 3 or 4). This will allow two active routes in a VR in a 'load balancing config'.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4622&actp=LIST

The problem with this setup is you do not get to choose where traffic is going to go out to the internet. The Juniper takes care of that. I believe if you check http://whatismyip.com from a computer on your network 2 or 3 times you will see the public IP alternating between eth0/1 and eth0/2 no matter which VLAN you are connecting from.

Author Comment by: beardog1113
ID: 38872303
Hello
In the configuration on my firewall, ECMP is "disable". Then in my case, which option should I select: 2, 3 or 4?
I think I should select 3, right?

Thanks

Expert Comment by: Sanga Collins
ID: 38873609
Try setting it to 3. Please note, this will not accomplish your goal of getting specific LAN traffic to go out of the new Internet service. All traffic will rotate through all gateways.

Author Comment by: beardog1113
ID: 38876037
Hello
I am using the policy to control which VLAN goes to the internet through which internet circuit.
Since all VLANs except the server VLAN can go to the internet without problems, I think that is fine, right?
BTW, what is "ECMP"?

Thanks