Screen OS

 View Only
last person joined: one year ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Help with SSG5 DMZ Setup...

    Posted 04-30-2008 22:29

    All,

     

    I'm a newbie trying to setup our SSG5.  I must setup our web servers to be placed within the DMZ zone.  I'm not quite sure where I should begin.  I tried for 2 weeks now trying to set this up but I've been unsuccessful.  If any veteran out there can help me out or point me to a quick DMZ guide 101, that would be great.  All I'm trying to to is place 2 web servers within the DMZ so http/https are possible for both incoming and outgoing.  Also, how do I get DMZ hosts to communicate with hosts in the trusted zone?  I thank everyone in advance.


    #SSG5
    #DMZ


  • 2.  RE: Help with SSG5 DMZ Setup...
    Best Answer

    Posted 04-30-2008 23:33

    If your DMZ is publicly addressed, this should be pretty straight forward.

     

    1.) You will need an interface assigned to the DMZ zone

     

    On the Juniper SSG5 interface ethernet0/1 is set to the DMZ zone by default.

     

    2.) You will need the IP address setup on that interface.

     

    set interface ethernet0/1 ip x.x.x.x/x    

     

    3.) You will need policies applied to allow access.

                            

    Create a group for the services.

     

    set group service "Web_Services"

    set group service "Web_Services" add "HTTPS"  

    set group service "Web_Services" add "HTTP"

     

    Create an address group for your web servers on your DMZ.  Here is an example.

     

    set address "DMZ" "httpserver1" 10.10.10.10 255.255.255.255

    set address "DMZ" "httpserver2" 10.10.10.11 255.255.255.255

    set group address "DMZ" "Web_Sites"

    set group address "DMZ" "Web_Sites" add "httpserver1"

    set group address "DMZ" "Web_Sites" add "httpserver2" 

     

    Then create a policy.  If you cross a zone boundary you must apply a policy to allow traffic.

     

    set policy from "Trust" to "DMZ"  "Any" "Web_Sites" "Web_Services"  permit log count 

    set policy from "Untrust" to "DMZ"  "Any" "Web_Sites" "Web_Services"  permit log count  

     

    If you need the web servers to access outbound

     

    set policy from "DMZ" to "Untrust"  "Web_Sites" "Any" "Web_Services"  permit log count   

     

     

    If you have a private address DMZ, and need to perform one to one NAT.  Then you can create MIPs.  I go under the assumption that you have e0/0 configured as your untrust IP and that you have a allocation assigned to that range.

     

     

    set interface "ethernet0/0" mip X.X.X.X/X host 172.16.1.5 netmask 255.255.255.255 vr "trust-vr"  

     

    Then apply the policies listed above to the MIP object.  

     

    set policy id 6 from "Untrust" to "DMZ"  "Any" "MIP(X.X.X.X)" "Web_Services" permit log count

     

     

    Hopefully this helps. 

     

    Message Edited by shadow on 04-30-2008 11:34 PM


  • 3.  RE: Help with SSG5 DMZ Setup...

    Posted 05-01-2008 22:37

    Thank you.  I will give this a try.



  • 4.  RE: Help with SSG5 DMZ Setup...

    Posted 05-13-2008 19:39
    For some reason, I am unable to go out to Internet from DMZ and reach the machines inside the DMZ.  I most important thing is that I am not sure what I need to put as the Default gateway?  thank you in advance.


  • 5.  RE: Help with SSG5 DMZ Setup...

    Posted 05-13-2008 20:00

    Your untrust interface has a gateway setting that you set for your default gateway

     

    set interface ethernet0/0 gateway x.x.x.x

     

    1.) Can you post a bit more info on your config.  Can you do a "get int" and a "get policy" and post it.  

     

     

     

     

     



  • 6.  RE: Help with SSG5 DMZ Setup...

    Posted 05-13-2008 20:04

    Below is my config file. BTW, I'm using the WebUI since I am unable to ssh into my SSG. Thank you in advance.

    =====================

    set clock timezone -5
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646


    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Trust" screen icmp-flood
    set zone "Trust" screen udp-flood
    set zone "Trust" screen winnuke
    set zone "Trust" screen tear-drop
    set zone "Trust" screen ping-death
    set zone "Trust" screen icmp-fragment
    set zone "Trust" screen icmp-large
    set zone "Trust" screen icmp-id
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen winnuke
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ip-spoofing
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen icmp-large
    set zone "Untrust" screen ip-spoofing drop-no-rpf-route
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "DMZ" screen winnuke
    set zone "DMZ" screen port-scan
    set zone "DMZ" screen ip-sweep
    set zone "DMZ" screen tear-drop
    set zone "DMZ" screen ip-spoofing
    set zone "DMZ" screen ping-death
    set zone "DMZ" screen icmp-fragment
    set zone "DMZ" screen icmp-large
    set zone "DMZ" screen icmp-id
    set zone "DMZ" screen ip-spoofing drop-no-rpf-route
    set zone "Untrust" screen icmp-flood threshold 10
    set zone "Untrust" screen udp-flood threshold 10
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "wireless0/0" zone "Trust"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 70.164.42.140/27
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 70.184.245.176/28
    set interface ethernet0/1 route
    set interface wireless0/0 ip 192.168.2.1/24
    set interface wireless0/0 nat
    set interface bgroup0 ip 192.168.1.1/24
    set interface bgroup0 nat
    set interface ethernet0/0 gateway 70.164.42.129
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface wireless0/0 ip manageable
    set interface bgroup0 ip manageable
    unset interface ethernet0/1 manage ping
    unset interface bgroup0 manage telnet
    set interface bgroup0 manage mtrace
    set interface wireless0/0 dhcp server service
    set interface bgroup0 dhcp server service
    set interface wireless0/0 dhcp server auto
    set interface bgroup0 dhcp server auto
    set interface wireless0/0 dhcp server option dns1 68.10.18.42

    set interface wireless0/0 dhcp server option dns2 68.10.18.50

    set interface bgroup0 dhcp server option dns1 68.100.16.30
    set interface bgroup0 dhcp server option dns2 68.10.16.30
    set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126
    set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
    set interface bgroup0 dhcp server ip 192.168.1.3 mac 008077946365
    unset interface wireless0/0 dhcp server config next-server-ip
    unset interface bgroup0 dhcp server config next-server-ip
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    set domain bcmcgroup.com
    set hostname linx
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns3 0.0.0.0
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "Trust" to "DMZ" "Any" "WEB_SITES" "WEB_HOSTING_SERVICES" permit log count
    set policy id 2
    exit
    set policy id 3 from "Untrust" to "DMZ" "Any" "WEB_SITES" "WEB_HOSTING_SERVICES" permit log count
    set policy id 3
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set wlan 0 channel 8
    set wlan 1 channel auto
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    Message Edited by send2kb on 05-13-2008 08:13 PM
    Message Edited by send2kb on 05-15-2008 08:19 AM


  • 7.  RE: Help with SSG5 DMZ Setup...

    Posted 05-14-2008 22:29

    I would suggest running debug flow basic to find out how the firewall is treating the traffic. Example below:

     

    set ff src-ip <ip of webserver>

    set ff dst-ip <ip of webserver>

    debug flow basic

    clear db

     

    # try reaching your web server

     

    undebug all

    get db stream

     

    Post your output for review.

     

    -Richard



  • 8.  RE: Help with SSG5 DMZ Setup...

    Posted 05-15-2008 08:18
    I got everything working last night.  Shadow and rKim thank you so much for your help.  I reviewed what I did and basically I did not follow Shadow's instructions correctly.  Again, THANK YOU.


  • 9.  RE: Help with SSG5 DMZ Setup...

    Posted 01-31-2009 09:39
    could you tell us how to solve the problem, actually i have the same problem , canno access internet from DMZ. i did the policy,routing and it seems to be working but the internet does not work in the dmz clients.


  • 10.  RE: Help with SSG5 DMZ Setup...

    Posted 01-03-2011 08:37

    Dear ALL,

     

    That was a good tips for me ... I will do that next .... but I get before this steps.

     

    I put the server to the DMZ .... and the ethernet0/0 is in DHCP client for the Internet connection.  Here is the interface configure.

     

     

    set interface ethernet0/0 ip xxx.xxx.43.151/25
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 172.16.0.126/25
    set interface ethernet0/1 nat
    set interface bgroup0 ip 192.168.1.1/24
    set interface bgroup0 nat

     

     

    And here is the policy configure: 

     

     

    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 

    set policy id 1

    exit         

    set policy id 2 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit 

    set policy id 2

    exit

    set policy id 3 from "Trust" to "DMZ"  "Any" "Any" "ANY" permit 

    set policy id 3

    exit

    My problem is that the server in DMZ can access ethernet0/0 any services .... such as DNS, HTTP ...etc.  Any idea what happen !?  Please advise.
    Edwin

     



  • 11.  RE: Help with SSG5 DMZ Setup...

    Posted 01-03-2011 18:38

    The problem is likely that your interface nat for the dmz zone does not work.  This really only works from the trust zone interface.  You need to configure policy nat for the general outbound traffic from other zones or apply an outbound public ip rule that does the same function for your server.

     

    set interface ethernet0/1 nat

    Becomes:

     

    set interface ethernet0/1 route

     

    set policy id 2 from "DMZ" to "Untrust"  "Any" "Any" "ANY" permit 

    set policy id 2

    exit

     

    Becomes:

    set policy id 2 from "DMZ" to "Untrust"  "Any" "Any" "ANY" nat src permit

    set policy id 2

    exit