We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
COURSE of the MONTH
8 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
SSG5: No Inbound Trust Internet Access
Posted on 2014-11-09
Currently, I have an SSG5 with the latest firmware that has a very simple setup (I have left it simple until I can get the basics working), but I cannot seem to get Untrust-->Trust traffic working.
Setup
SSG5: has been through the GUI setup wizard and has the three basic zones, Untrust (port 0/0), DMZ (0/1) and Trust (0/2-0/6). Untrust is a /29 (xx.xx.xx.130/29, which we will call untrust.130) with the SSG5's web GUI on the first usable IP. DMZ is 10.0.0.1 and connected to nothing, while Trust is on a /27 (xx.xx.xx.128/27 which we will call trust.128) with the zone set to .130 w/the manageable IP on .144 (there are other serers on this /27 and .50 is the first free one other than .130). A patch cable runs from 0/0 to the primary switch in the rack, which has an uplink out of the data center.
Server: There is a server plugged into 0/4 (which would be trust) running Linux that is assigned xx.xx.xx.150 in the Trust /27. IPTables is disabled, and there is a Lantronix KVM plugged into the server so I make any network changes while troubleshooting. Before plugging it into the firewall, I could ping it, SSH to it, and so on. In all descriptions, this is what I am always trying to reach or traffic OUT of.
Policies
Global: ANY/ANY/PING, ANY/ANY/TRACEROUTE, and an ANY/ANY/IPGROUP with IPGROUP being an address group with company static IPs such as offices, and so on.
Trust --> Untrust: ANY/ANY/ANY -- Source Translation (Use Egress Interface IP) ** See Note below
Untrust --> Trust: ANY/ANY/ANY
Problems
Cannot ping in or out (using google.com or 8.8.8.8) and cannot SSH in or out. I *can* ping untrust.130. So although I can access untrust fine from the outside (I can hit the SSG GUI, ping the SSG GUI IP, ping google.com from the SSG5,etc), and I cannot access trust from the outside, or access the outside from trust.
Note: Now, if I go to the untrust interface and change it from route (both interfaces were set to route) to NAT *or* change the Trust --> Untrust policy to Source Translation (Use Egress Interface IP), then I can ping google.com, and ping 8.8.8.8. But I still cannot reach trust from the outside.
Setup
SSG5: has been through the GUI setup wizard and has the three basic zones, Untrust (port 0/0), DMZ (0/1) and Trust (0/2-0/6). Untrust is a /29 (xx.xx.xx.130/29, which we will call untrust.130) with the SSG5's web GUI on the first usable IP. DMZ is 10.0.0.1 and connected to nothing, while Trust is on a /27 (xx.xx.xx.128/27 which we will call trust.128) with the zone set to .130 w/the manageable IP on .144 (there are other serers on this /27 and .50 is the first free one other than .130). A patch cable runs from 0/0 to the primary switch in the rack, which has an uplink out of the data center.
Server: There is a server plugged into 0/4 (which would be trust) running Linux that is assigned xx.xx.xx.150 in the Trust /27. IPTables is disabled, and there is a Lantronix KVM plugged into the server so I make any network changes while troubleshooting. Before plugging it into the firewall, I could ping it, SSH to it, and so on. In all descriptions, this is what I am always trying to reach or traffic OUT of.
Policies
Global: ANY/ANY/PING, ANY/ANY/TRACEROUTE, and an ANY/ANY/IPGROUP with IPGROUP being an address group with company static IPs such as offices, and so on.
Trust --> Untrust: ANY/ANY/ANY -- Source Translation (Use Egress Interface IP) ** See Note below
Untrust --> Trust: ANY/ANY/ANY
Problems
Cannot ping in or out (using google.com or 8.8.8.8) and cannot SSH in or out. I *can* ping untrust.130. So although I can access untrust fine from the outside (I can hit the SSG GUI, ping the SSG GUI IP, ping google.com from the SSG5,etc), and I cannot access trust from the outside, or access the outside from trust.
Note: Now, if I go to the untrust interface and change it from route (both interfaces were set to route) to NAT *or* change the Trust --> Untrust policy to Source Translation (Use Egress Interface IP), then I can ping google.com, and ping 8.8.8.8. But I still cannot reach trust from the outside.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month8 days, 14 hours left to enroll
764 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.