Solved

Port Forwarding not working on Juniper SSG5

Posted on 2014-07-30
1,954 Views
Last Modified: 2014-10-01
Hi,

I'm using an SSG5 with firmware 6.3.0r17.0.

LAN IP: 192.168.1.254
WAN IP: 192.168.178.22  (external traffic is being transparently forwarded from the modem to this WAN IP of the SSG5)

I am trying to port forward external traffic on ports 80 and 25 to my internal computer 192.168.1.134

I added a VIP on the untrust interface for ports 80 and 25
I disabled Server Auto Detection
I added an ANY to ANY accept policy (temporarily accept everything)
I use a VPN to another site that's working fine

Can someone with knowledge of Juniper SSG5 port forwarding help me out? I read all the how-tos many times and restarted the Juniper as well. Thank you very much.

See below my actual config:
 
unset key protection enable
set clock ntp
set clock timezone 1
set clock dst recurring start-weekday last 0 3 02:00 end-weekday last 0 10 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP [3389]" protocol tcp src-port 0-65535 dst-port 3389-3389 
set service "IMAP-S [993]" protocol tcp src-port 0-65535 dst-port 993-993 
set service "RDP [8888]" protocol tcp src-port 0-65535 dst-port 8888-8888 
set service "GRE [2048]" protocol 47 src-port 0-65535 dst-port 2048-2048 
set service "PPTP [1723]" protocol tcp src-port 0-65535 dst-port 1723-1723 
set service "RDP [8001]" protocol tcp src-port 0-65535 dst-port 8001-8001 
set service "RDP [8002]" protocol tcp src-port 0-65535 dst-port 8002-8002 
set service "RDP [8003]" protocol tcp src-port 0-65535 dst-port 8003-8003 
set service "RDP [8004]" protocol tcp src-port 0-65535 dst-port 8004-8004 
set service "ISL" protocol tcp src-port 0-65535 dst-port 7615-7615 
set service "Juniper HTTP" protocol tcp src-port 0-65535 dst-port 8000-8000 
set service "Juniper HTTPS" protocol tcp src-port 0-65535 dst-port 8443-8443 
set service "POP SSL [995]" protocol tcp src-port 0-65535 dst-port 995-995 
set service "Citrix" protocol tcp src-port 0-65535 dst-port 1494-1494 
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netadmin"
set admin password "nDVUCjrGFaMOcg2AysmEoUCtEUFVsn"
set admin user "job" password "nPIPPPr9HgcBciSNhsTORpBt1MOAon" privilege "all"
set admin user "job" role security
set admin port 8000
set admin telnet port 8023
set admin ssh port 8022
set admin http redirect
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.178.22/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.1.254/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 monitor track-ip ip
unset interface ethernet0/0 monitor track-ip dynamic
set interface ethernet0/0 vip interface-ip 25 "SMTP" 192.168.1.134 manual
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.1.134 manual
set interface ethernet0/0 dhcp client enable
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 1440 
set interface bgroup0 dhcp server option gateway 192.168.1.254 
set interface bgroup0 dhcp server option netmask 255.255.255.0 
set interface bgroup0 dhcp server option domainname labnagel.local 
set interface bgroup0 dhcp server option dns1 194.109.6.66 
set interface bgroup0 dhcp server option dns2 194.109.9.99 
set interface bgroup0 dhcp server ip 192.168.1.101 to 192.168.1.199 
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain fritz.box
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns ddns
set dns ddns enable
set address "Untrust" "BPA Glasverbinding" a.a.a.192 255.255.255.224
set address "Untrust" "mx01.solcon.nl" b.b.b.235 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx02.solcon.nl" b.b.b.236 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx03.solcon.nl" b.b.b.237 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx04.solcon.nl" b.b.b.238 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx101.solcon.nl" b.b.b.176 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx102.solcon.nl" b.b.b.177 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx103.solcon.nl" b.b.b.178 255.255.255.255 "Solcon Mailserver"
set address "Untrust" "mx104.solcon.nl" b.b.b.179 255.255.255.255 "Solcon Mailserver"
set group address "Untrust" "Solcon Mailservers"
set group address "Untrust" "Solcon Mailservers" add "BPA Glasverbinding"
set group address "Untrust" "Solcon Mailservers" add "mx01.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx02.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx03.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx04.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx101.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx102.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx103.solcon.nl"
set group address "Untrust" "Solcon Mailservers" add "mx104.solcon.nl"
set ippool "VPN_L2TP_Pool" 172.32.77.50 172.32.77.99
set user "beerepoot" uid 1
set user "beerepoot" type l2tp
set user "beerepoot" remote ippool "VPN_L2TP_Pool"
set user "beerepoot" password "Password"
unset user "beerepoot" type auth
set user "beerepoot" "enable"
set crypto-policy
exit
set ike p1-proposal "VLN-PRE-G2-AES256-SHA2" preshare group2 esp aes256 sha2-256 second 28800
set ike p2-proposal "VLN-NPFS-AES256-SHA2" no-pfs esp aes256 sha2-256 second 3600
set ike gateway "GW-Onderdijk" address x.x.x.218 Main outgoing-interface "ethernet0/0" preshare "PSK" proposal "VLN-PRE-G2-AES256-SHA2"
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-Onderdijk" gateway "GW-Onderdijk" no-replay tunnel idletime 0 proposal "VLN-NPFS-AES256-SHA2" 
set vpn "VPN-Onderdijk" monitor optimized rekey
set vpn "VPN-Onderdijk" id 0x1 bind interface tunnel.1
unset interface tunnel.1 acvpn-dynamic-routing
set l2tp default ippool "VPN_L2TP_Pool"
set l2tp default ppp-auth chap
set l2tp "VPN_L2TP_Tunnel" id 1 outgoing-interface ethernet0/0 keepalive 60
set l2tp "VPN_L2TP_Tunnel" remote-setting ippool "VPN_L2TP_Pool"
set l2tp "VPN_L2TP_Tunnel" auth server "Local" user "beerepoot"
set url protocol websense
exit
set vpn "VPN-Onderdijk" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.11.0/24 "ANY" 
set policy id 1 name "VPN_L2TP_Policy" from "Untrust" to "Trust" "Dial-Up VPN" "Any" "ANY" tunnel l2tp "VPN_L2TP_Tunnel" log 
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit 
set policy id 2
set service "HTTPS"
exit
set policy id 3 from "Trust" to "Untrust" "Any" "Any" "FTP" permit 
set policy id 3 application "FTP"
set policy id 3
exit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "DNS" permit 
set policy id 4 application "DNS"
set policy id 4
exit
set policy id 5 from "Trust" to "Untrust" "Any" "Any" "SMTP" permit 
set policy id 5 application "SMTP"
set policy id 5
exit
set policy id 6 from "Trust" to "Untrust" "Any" "Any" "POP SSL [995]" permit 
set policy id 6 application "POP3"
set policy id 6
set service "POP3"
exit
set policy id 7 from "Trust" to "Untrust" "Any" "Any" "NTP" permit 
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust" "Any" "Any" "RDP [3389]" permit 
set policy id 8
set service "RDP [8001]"
set service "RDP [8002]"
set service "RDP [8003]"
set service "RDP [8004]"
set service "RDP [8888]"
exit
set policy id 9 from "Trust" to "Untrust" "Any" "Any" "IMAP-S [993]" permit 
set policy id 9 application "IMAP"
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "Juniper HTTP" permit 
set policy id 10 application "HTTP"
set policy id 10
set service "Juniper HTTPS"
exit
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "PPTP" permit 
set policy id 11 application "PPTP"
set policy id 11
exit
set policy id 12 from "Trust" to "Untrust" "Any" "Any" "ISL" permit 
set policy id 12
exit
set policy id 13 from "Trust" to "Untrust" "Any" "Any" "PING" permit 
set policy id 13
exit
set policy id 15 from "Trust" to "Untrust" "Any" "Any" "Citrix" permit 
set policy id 15
exit
set policy id 14 from "Trust" to "Untrust" "Any" "Any" "ANY" reject log 
set policy id 14
exit
set policy id 16 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log 
set policy id 16
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl port 8443
set ntp server "194.109.22.18"
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162102011002943"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.11.0/24 interface tunnel.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


0
Question by:sitpro
16 Comments
 
LVL 18

Expert Comment

by:Sanga Collins
First thing I would say: if you have more than one public IP, then MIP is the way to go. Much easier and more straightforward to use. If you do not have multiple public IPs, then for multiple ports you have to run the following from the command line

set vip multi-port
save
reset
0
 

Author Comment

by:sitpro
I don't have multiple public IPs. What does "set vip multi-port" do? Can I do that in the live environment? Can I do that via the web interface?
0
 
LVL 68

Expert Comment

by:Qlemo
With a single public IP you need to use VIPs, as you have done.

set vip multi-port is required as soon as you have more than one VIP port defined for a single (!) service entry (see http://kb.juniper.net/InfoCenter/index?page=content&id=KB5471 for details). This should not apply here, as you are using one port per VIP service.
It never harms to set it in general. You have to do it in the CLI (telnet or SSH), and reboot.
0
 
LVL 68

Expert Comment

by:Qlemo
set interface ethernet0/0 manage web and set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.1.134 manual are conflicting. You should not allow management on the public interface, so switch that off in the GUI.
0
 

Author Comment

by:sitpro
@Qlemo:

set vip multi-port is required as soon as you have more than one VIP port defined for a single (!) service entry (see http://kb.juniper.net/InfoCenter/index?page=content&id=KB5471 for details). This should not apply here, as you are using one port per VIP service.
It never harms to set it in general. You have to do it in the CLI (telnet or SSH), and reboot.

If I'm using only one port (for example port 80), then I don't need to use the command "set vip multi-port"?
0
 
LVL 18

Expert Comment

by:Sanga Collins
@sitpro

That is correct
0
 
LVL 68

Expert Comment

by:Qlemo
According to the description you should only need it for something like "All HTTP services" with ports 8000 to 8010, or the like. But I'm never certain about that, so I always recommend setting vip multi-port as soon as there is more than one port to define for VIP, no matter whether in a single service entry or in multiple ones.
0
 

Author Comment

by:sitpro
Did the action below:

# Enables multiple virtual port creation
set vip multi-port
save
# Reboot firewall
reset

But the forward still isn't working. Also a forward to another machine (a printer with a web server) isn't working.
0
 

Author Comment

by:sitpro
This is now the configuration that's not working:

unset key protection enable
set clock ntp
set clock timezone 1
set clock dst recurring start-weekday last 0 3 02:00 end-weekday last 0 10 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP [3389]" protocol tcp src-port 0-65535 dst-port 3389-3389 
set service "IMAP-S [993]" protocol tcp src-port 0-65535 dst-port 993-993 
set service "RDP [8888]" protocol tcp src-port 0-65535 dst-port 8888-8888 
set service "GRE [2048]" protocol 47 src-port 0-65535 dst-port 2048-2048 
set service "PPTP [1723]" protocol tcp src-port 0-65535 dst-port 1723-1723 
set service "RDP [8001]" protocol tcp src-port 0-65535 dst-port 8001-8001 
set service "RDP [8002]" protocol tcp src-port 0-65535 dst-port 8002-8002 
set service "RDP [8003]" protocol tcp src-port 0-65535 dst-port 8003-8003 
set service "RDP [8004]" protocol tcp src-port 0-65535 dst-port 8004-8004 
set service "ISL" protocol tcp src-port 0-65535 dst-port 7615-7615 
set service "Juniper HTTP" protocol tcp src-port 0-65535 dst-port 8000-8000 
set service "Juniper HTTPS" protocol tcp src-port 0-65535 dst-port 8443-8443 
set service "POP SSL [995]" protocol tcp src-port 0-65535 dst-port 995-995 
set service "Citrix" protocol tcp src-port 0-65535 dst-port 1494-1494 
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin telnet port 8023
set admin ssh port 8022
set admin http redirect
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
unset zone "V1-Trust" tcp-rst 
unset zone "V1-Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
unset zone "V1-DMZ" tcp-rst 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.178.22/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.1.254/24
set interface bgroup0 nat
set interface tunnel.1 ip unnumbered interface ethernet0/0
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 monitor track-ip ip
unset interface ethernet0/0 monitor track-ip dynamic
set interface ethernet0/0 vip interface-ip 25 "SMTP" 192.168.1.140 manual
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.1.140 manual
set interface ethernet0/0 dhcp client enable
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server enable
set interface bgroup0 dhcp server option lease 1440 
set interface bgroup0 dhcp server option gateway 192.168.1.254 
set interface bgroup0 dhcp server option netmask 255.255.255.0 
set interface bgroup0 dhcp server option domainname labnagel.local 
set interface bgroup0 dhcp server option dns1 194.109.6.66 
set interface bgroup0 dhcp server option dns2 194.109.9.99 
set interface bgroup0 dhcp server ip 192.168.1.101 to 192.168.1.199 
unset interface bgroup0 dhcp server config next-server-ip
unset interface bgroup0 dhcp server config updatable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain fritz.box
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns ddns
set dns ddns enable
exit
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-Onderdijk" gateway "GW-Onderdijk" no-replay tunnel idletime 0 proposal "VLN-NPFS-AES256-SHA2" 
unset interface tunnel.1 acvpn-dynamic-routing
set l2tp default ippool "VPN_L2TP_Pool"
set l2tp default ppp-auth chap
set l2tp "VPN_L2TP_Tunnel" id 1 outgoing-interface ethernet0/0 keepalive 60
set l2tp "VPN_L2TP_Tunnel" remote-setting ippool "VPN_L2TP_Pool"
set l2tp "VPN_L2TP_Tunnel" auth server "Local" user "beerepoot"
set url protocol websense
exit
set policy id 1 name "VPN_L2TP_Policy" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel l2tp "VPN_L2TP_Tunnel" log 
set policy id 1
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "HTTP" permit 
set policy id 2
set service "HTTPS"
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "FTP" permit 
set policy id 3 application "FTP"
set policy id 3
exit
set policy id 4 from "Trust" to "Untrust"  "Any" "Any" "DNS" permit 
set policy id 4 application "DNS"
set policy id 4
exit
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "SMTP" permit 
set policy id 5 application "SMTP"
set policy id 5
exit
set policy id 6 from "Trust" to "Untrust"  "Any" "Any" "POP SSL [995]" permit 
set policy id 6 application "POP3"
set policy id 6
set service "POP3"
exit
set policy id 7 from "Trust" to "Untrust"  "Any" "Any" "NTP" permit 
set policy id 7
exit
set policy id 8 from "Trust" to "Untrust"  "Any" "Any" "RDP [3389]" permit 
set policy id 8
set service "RDP [8001]"
set service "RDP [8002]"
set service "RDP [8003]"
set service "RDP [8004]"
set service "RDP [8888]"
exit
set policy id 9 from "Trust" to "Untrust"  "Any" "Any" "IMAP-S [993]" permit 
set policy id 9 application "IMAP"
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust"  "Any" "Any" "Juniper HTTP" permit 
set policy id 10 application "HTTP"
set policy id 10
set service "Juniper HTTPS"
set service "SSH"
exit
set policy id 11 from "Trust" to "Untrust"  "Any" "Any" "PPTP" permit 
set policy id 11 application "PPTP"
set policy id 11
exit
set policy id 12 from "Trust" to "Untrust"  "Any" "Any" "ISL" permit 
set policy id 12
exit
set policy id 13 from "Trust" to "Untrust"  "Any" "Any" "PING" permit 
set policy id 13
exit
set policy id 15 from "Trust" to "Untrust"  "Any" "Any" "Citrix" permit 
set policy id 15
exit
set policy id 14 from "Trust" to "Untrust"  "Any" "Any" "ANY" reject log 
set policy id 14
exit
set policy id 16 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set policy id 16
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl port 8443
set ntp server "194.109.22.18"
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162102011002943"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.11.0/24 interface tunnel.1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


0
 
LVL 68

Expert Comment

by:Qlemo
This line sounds suspicious:
WAN IP: 192.168.178.22  (external traffic is being transparently forwarded from the modem to this WAN IP of the SSG5)

I don't think so, or are you really seeing public IPs for incoming traffic?
The SSG will NAT all outgoing traffic to its "public" IP of 192.168.178.22, and the "modem" has to map that again. I don't expect incoming connection requests to work here.

First step for diagnostics is to enable session logging on your policy 16 (Untrust to Trust, allow all), and then see if there are incoming attempts, and which IPs they use.
0
 

Author Comment

by:sitpro
I understand what you're saying. The config now is:

Internet > Fritzbox > Juniper > LAN

Fritzbox LAN:               192.168.178.1
SSG5 WAN (untrust)    192.168.178.254
SSG5 LAN (trust):         192.168.1.254
Local server:                 192.168.1.34

As you see, all internet traffic is being forwarded to the untrust interface of the SSG5, see picture. This network was set up by another person who no longer works here.

Is there a way to configure the SSG5 with this WAN and LAN IP?
Fritzbox.png
Interfaces-Juniper.png
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
A Fritz!Box - I knew that subnet of 178 ... ;-). Greetings from Germany to the Netherlands.

"Exposed Host" on Fritz!Box means nothing else than that all ports not forwarded explicitly to another host are forwarded to that host. It does not mean your Fritz!Box does not perform NAT. However, it should indeed allow incoming traffic that way, and the SSG will do the firewall stuff.

Your SSG config and what you posted last don't fit together - the Untrust interface is 192.168.178.22, not 192.168.178.254. It doesn't matter much, but I want to make sure we are on the same page.

Your Untrust interface eth0/0 is still manageable and has "web" active, so forwarding HTTP won't work. SMTP should, however, and you should be able to use e.g. Telnet with port 25 for testing.
As said, you should enable session logging on the policy you want to test, to see attempts.

On another note, you should disable UPnP on the Fritz!Box for security reasons, unless you really need it.
0
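As an added illustration, not code from the thread, from Juniper or from the Fritz!Box vendor: a small Python linter that reads a ScreenOS config dump and reports the pitfalls the replies above point at, i.e. management services left enabled on the Untrust interface that carries the VIPs (the "manage web" conflict), a management port that actually collides with a VIP port, a missing Untrust-to-Trust permit policy for the VIP service, and several VIP ports without "set vip multi-port". The sample config is a constructed excerpt modelled on the first dump in the question, and the default management ports are assumed ScreenOS defaults that the config's "set admin port" / "set ssl port" lines override.

```python
"""Lint a ScreenOS (SSG) config dump for the VIP forwarding pitfalls raised in
the thread: management left on the Untrust interface, a management port that
collides with a VIP port, no Untrust->Trust permit policy for the VIP service,
and several VIP ports defined without 'set vip multi-port'."""
import re

# Assumed ScreenOS defaults; 'set admin port', 'set admin telnet port',
# 'set admin ssh port' and 'set ssl port' override them when present.
DEFAULT_MGMT_PORTS = {"web": 80, "ssl": 443, "telnet": 23, "ssh": 22}
PORT_RULES = [(r"set admin port (\d+)$", "web"), (r"set admin telnet port (\d+)$", "telnet"),
              (r"set admin ssh port (\d+)$", "ssh"), (r"set ssl port (\d+)$", "ssl")]

# Constructed excerpt modelled on the first config in the question; only the
# lines that matter for VIP forwarding are kept.
SAMPLE_CFG = """\
set admin port 8000
set admin telnet port 8023
set admin ssh port 8022
set interface "ethernet0/0" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 ip 192.168.178.22/24
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 vip interface-ip 25 "SMTP" 192.168.1.134 manual
set interface ethernet0/0 vip interface-ip 80 "HTTP" 192.168.1.134 manual
set policy id 16 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set ssl port 8443
"""


def parse_screenos(cfg):
    """Collect management ports, per-interface management services, zones,
    VIP entries and Untrust->Trust policies; the order of lines does not matter."""
    s = {"mgmt_ports": dict(DEFAULT_MGMT_PORTS), "manage": {}, "zones": {},
         "vips": [], "policies": [], "multi_port": False}
    for raw in cfg.splitlines():
        line = raw.strip()
        for pattern, svc in PORT_RULES:
            if m := re.match(pattern, line):
                s["mgmt_ports"][svc] = int(m.group(1))
        if m := re.match(r'set interface "?([\w./]+)"? zone "([^"]+)"', line):
            s["zones"][m.group(1)] = m.group(2)
        elif m := re.match(r"set interface (\S+) manage (\w+)$", line):
            s["manage"].setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r'set interface (\S+) vip interface-ip (\d+) "([^"]+)" (\S+)', line):
            s["vips"].append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif line == "set vip multi-port":
            s["multi_port"] = True
        elif m := re.match(r'set policy id (\d+) (?:name "[^"]*" )?from "Untrust" to "Trust"'
                           r'\s+"[^"]*" "[^"]*" "([^"]+)" (\w+)', line):
            s["policies"].append((int(m.group(1)), m.group(2), m.group(3)))
    return s


def lint_vips(cfg):
    """Return human-readable findings for the config; an empty list is clean."""
    s = parse_screenos(cfg)
    findings = []
    for iface in sorted({v[0] for v in s["vips"]}):
        services = s["manage"].get(iface, set())
        if services and s["zones"].get(iface) == "Untrust":
            findings.append(f"management ({', '.join(sorted(services))}) is enabled on "
                            f"Untrust interface {iface}; disable it on the public side")
    for iface, port, service, host in s["vips"]:
        for svc, mport in sorted(s["mgmt_ports"].items()):
            if svc in s["manage"].get(iface, set()) and mport == port:
                findings.append(f"VIP {service}/{port} -> {host} on {iface} collides with "
                                f"'{svc}' management listening on port {mport}")
        if not any(act == "permit" and psvc in ("ANY", service)
                   for _, psvc, act in s["policies"]):
            findings.append(f"no Untrust->Trust permit policy covers VIP {service}/{port}")
    if len({v[1] for v in s["vips"]}) > 1 and not s["multi_port"]:
        findings.append("several VIP ports are defined but 'set vip multi-port' is absent")
    return findings


if __name__ == "__main__":
    for finding in lint_vips(SAMPLE_CFG):
        print("-", finding)
```

Run it against a full "get config" dump saved to a file; because the parser collects everything before evaluating, a "set ssl port" line that appears after the VIP lines (as in the dumps above) is still honoured.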
 

Author Comment

by:sitpro
Greetings back to Germany ;)

You're right, the Untrust interface is 192.168.178.22.

And the Untrust interface eth0/0 is still manageable and has "web" active, but not on port 80, so HTTP should work. But the strange thing is that there are no entries in "From Untrust To Trust" in Reports > Policies > Traffic Log.

So I'm confused about this.
0
 
LVL 68

Expert Comment

by:Qlemo
Did you check with SMTP, to exclude web management interfering (there were bugs in certain ScreenOS releases in that regard)?
0
 

Author Closing Comment

by:sitpro
We used a new router.
0
