Screen OS

  • 1.  NAT ScreenOS Cookbook Errors?

    Posted 05-20-2009 13:36

    I've been trying to configure a MIP for access to my SA700 and following the ScreenOS Cookbook directions I run into errors.  The commands from the Cookbook (also given in KB10923) are as follows:

    Configure inbound and outbound policies:

    set address trust host-a-prv 192.168.1.50/32
    set policy id 1 from Untrust to Trust any MIP(1.1.1.50) http permit
    set policy id 2 from Trust to Untrust host-a-prv any any permit

     When I attempt the same I get the following issues:

    Wintermute-> set address trust host-a-prv 192.168.1.5/32
    Wintermute-> set policy id 1 from untrust to trust any MIP (172.24.120.20) http permit
                                                                                                                            ^-------unknown keyword http
    Wintermute-> set policy id 1 from untrust to trust any MIP (172.24.120.20) ?
    deny                 deny packets
    nat                  enable nat
    permit               permit packets
    reject               drop packets and send notification to the sender
    tunnel               encrypt packets
    Wintermute-> set policy id 1 from untrust to trust any MIP (172.24.120.20) permit
    ### Zone Untrust->Trust : following address(es) not defined: (dst MIP)

    Wintermute->


    As you can see, my SSG5 running 6.2.0r1.0 (my personal firewall is sitting behind our perimeter firewall, thus the private-to-private addressing) doesn't like the "http" modifier, but even removing it I run into the issue of the MIP not being set properly (which is what I am in the process of trying to do).


    Any insight would be greatly appreciated!


    #NAT
    #screenos
    #KB10923
    #MIP


  • 2.  RE: NAT ScreenOS Cookbook Errors?
    Best Answer

    Posted 05-20-2009 13:41

    I think the CLI you typed has some error; I did it on mine. I think there is an extra space you typed.

    Try on the firewall this instead:

     set policy id 1 from untrust to trust any "MIP(172.24.120.20)" http permit


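The complete sequence the Cookbook excerpt and the answer above describe, written out as an added example (it is not from the Cookbook, KB10923 or any of the posters): the MIP is created on the untrust-side interface first, and only then referenced in the policy, with the token written as MIP(address) with no space and quoted so the CLI does not split it into two words. The interface name ethernet0/0, the virtual router trust-vr and the two addresses are assumptions taken from the thread and a default SSG5 layout; substitute your own. Lines beginning with # are annotations for the reader, not ScreenOS input, and should not be pasted. Keeping the inbound policy's service set to http rather than any is what limits what the MIP exposes on the internal host.

```text
# Assumed: untrust interface is ethernet0/0; the host sits in the Trust zone on trust-vr.
set address trust host-a-prv 192.168.1.5/32

# 1. Define the MIP on the untrust interface: 172.24.120.20 <-> 192.168.1.5.
#    "vr trust-vr" names the virtual router the host is reachable in; trust-vr is the default.
set interface ethernet0/0 mip 172.24.120.20 host 192.168.1.5 netmask 255.255.255.255 vr trust-vr

# 2. Inbound policy. No space between MIP and "(", and the token is quoted;
#    the service is restricted to http so only that port is reachable through the MIP.
set policy id 1 from untrust to trust any "MIP(172.24.120.20)" http permit

# 3. Outbound policy for the same host.
set policy id 2 from trust to untrust host-a-prv any any permit

# 4. Verify the MIP exists and the policy resolved its destination, then save.
get mip
get policy id 1
save
```

If step 2 still reports "following address(es) not defined: (dst MIP)", the MIP in step 1 was not created on the interface the policy's from-zone lives on, or the token was typed with the space again; check get mip before re-entering the policy.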

  • 3.  RE: NAT ScreenOS Cookbook Errors?

    Posted 05-20-2009 14:09
    I think you're right, WL. Otherwise, using the GUI to create the policy might be an option.


  • 4.  RE: NAT ScreenOS Cookbook Errors?

    Posted 06-05-2009 14:38
    Brilliant, gents!!! That pesky space seems to have been the culprit. Perplexing, since I copied the code verbatim from the guide.


  • 5.  RE: NAT ScreenOS Cookbook Errors?

    Posted 05-21-2009 09:54
    I think you had an extra whitespace on the CLI. There shouldn't be a space between MIP and (172.24.120.20).