Channel: ScreenOS Firewalls (NOT SRX) topics
Viewing all 763 articles

Translated Source Address Using Default Gateway Not Alternate Public IP


Please keep laughs to a minimum. I have an ancient 204 series and I'm having issues routing out through a second interface on a second public subnet. I have two separate public subnet ranges, one on int eth3 and one on int eth4. I have mail servers behind each interface. One interface is working fine, going out as the correct public IP and coming in as the same public IP. However, interface eth4 receives traffic on the public IP correctly, but all outgoing traffic gets translated to the default gateway of the eth3 IP address. I'm pretty sure my routes are messed up. I want to limit downtime for the live email server (#1) as much as possible. I do have active VPNs going to two different networks as well. Thanks everyone for any type of help.

 

Interface Setup

eth1  -  192.168.0.0/24 (NAT Mode)

eth3  -  24.24.24.69 (NAT Mode)

          - MIP on this interface is 24.24.24.61 (This one works and translates)

eth4  -  212.24.24.42 (NAT Mode)

          - MIP on this interface is 212.24.24.45 (This one does not translate properly)

 

Email Server #1: 24.24.24.61

Email Server #2: 212.24.24.45

 

Current Traffic (Working)

eth3                           eth1

24.24.24.61     -->    192.168.0.61

eth1                           eth3

192.168.0.61    -->    24.24.24.61 

 

Current Traffic (Outgoing Not Translating as MIP)

eth4                           eth1

212.24.24.45    -->    192.168.0.45

eth1                           eth4

192.168.0.45   -->    24.24.24.69 (default gateway on wrong interface)

 

Routing Entries (Destination)

trust-vr

192.168.0.0/24   int eth1   Protocol C

192.168.0.1/24   int eth1   Protocol H

24.24.24.0/24     int eth3   Protocol C

24.24.24.69/32   int eth3   Protocol H

212.24.24.0/24   int eth4   Protocol C

212.24.24.42/32 int eth4   Protocol H

0.0.0.0/0   Gateway 24.24.24.1  int eth3    Protocol S

24.24.24.61/32   int eth1   Protocol S    (Email Server #1)

 

untrust-vr

(nothing)
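As an added example (not part of the post above), the following script models route selection against the trust-vr table the poster listed. It shows that with destination-based lookup only the 0.0.0.0/0 entry matches an Internet destination, so a packet from 192.168.0.45 is forwarded out eth3 regardless of its source, and what a source-based route (hypothetical, with an assumed eth4 gateway of 212.24.24.1) would change. The post's "192.168.0.1/24 ... Protocol H" host route is modelled as /32.

```python
import ipaddress

# Added example, not from the original post: a destination-based route lookup
# over the trust-vr table the poster listed, to show which interface a packet
# from 192.168.0.45 is sent out of. Entries are (prefix, interface, gateway,
# protocol). The post's "192.168.0.1/24 ... Protocol H" entry is a host route
# and is modelled as /32 here (assumption).
TRUST_VR_DEST_ROUTES = [
    ("192.168.0.0/24",  "eth1", None,         "C"),
    ("192.168.0.1/32",  "eth1", None,         "H"),
    ("24.24.24.0/24",   "eth3", None,         "C"),
    ("24.24.24.69/32",  "eth3", None,         "H"),
    ("212.24.24.0/24",  "eth4", None,         "C"),
    ("212.24.24.42/32", "eth4", None,         "H"),
    ("0.0.0.0/0",       "eth3", "24.24.24.1", "S"),
    ("24.24.24.61/32",  "eth1", None,         "S"),
]

# Hypothetical source-based routes, consulted before the destination table.
# The 212.24.24.1 gateway is an assumption; the post does not name eth4's
# upstream gateway.
SOURCE_ROUTES = [
    ("192.168.0.45/32", "eth4", "212.24.24.1"),
]


def longest_prefix_match(addr, routes):
    """Return (network, interface, gateway) of the most specific matching route."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface, gateway, *_ in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gateway)
    return best


def destination_lookup(src, dst):
    """Plain destination-based forwarding: the source address is never consulted."""
    match = longest_prefix_match(dst, TRUST_VR_DEST_ROUTES)
    return None if match is None else (match[1], match[2])


def source_then_destination_lookup(src, dst, source_routes=SOURCE_ROUTES):
    """Source-based routes first, falling back to the destination table."""
    match = longest_prefix_match(src, source_routes)
    if match is not None:
        return (match[1], match[2])
    return destination_lookup(src, dst)


if __name__ == "__main__":
    internet_host = "198.51.100.10"  # constructed remote address (TEST-NET-2)
    for src in ("192.168.0.61", "192.168.0.45"):
        print(src, "->", internet_host,
              "dest-only:", destination_lookup(src, internet_host),
              "with source route:", source_then_destination_lookup(src, internet_host))
```

Under destination-only lookup both mail servers leave via eth3, because for an Internet destination the only matching entry is the default route on eth3; the hypothetical source route is what steers traffic from 192.168.0.45 out eth4 instead.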


Multiple Ethernet adapters (mac addresses) and one reserved ip address


Hello!

Cannot find anything on the subject: how to configure an IP reservation for a machine with multiple Ethernet cards on a Juniper SSG5? For example, a server with 2 Ethernet cards with separate MAC addresses. They are set up as failover, so if one of them fails, the other one takes over. I want to preserve the IP of the server, naturally.

In advance thank you for any help!

Cannot access Juniper SSG5 through https


Hi,

As mentioned in the topic, I cannot access the device through https. SSL is on, connection over http works without problems as long as I do not activate the "redirect to https" option. What else needs to be setup for https to work?

Thanks in advance for any tips.

VPN Phase-1 issues between a Juniper ISG-1000 and a virtual Palo Alto.


Folks,

 

We are working on a VPN tunnel establishment from a Juniper firewall to a Palo Alto Firewall. The Juniper Firewall gives us the below error:

 

“Rejected an IKE packet on ethernet1/2 from w.x.y.z:500 to a.b.c.d:500 with cookies 13e5ee6b5ad69332 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.”

 

a.b.c.d = Public IP of the Juniper box

w.x.y.z = Public IP of the Palo Alto.

 

The catch here is that the Palo Alto is in Amazon, but VPN tunnels from this Palo Alto to other Palo Altos work fine.

 

We need some assistance to troubleshoot this issue.

 

 

 

Thanks,

N!!!!

VPN client receives incorrect subnet mask


Hi!

I configured my vpn connection to the SSG5 device according to this:

https://www.shrew.net/support/Howto_Juniper_SSG

The connection works with one small problem - my client obtains 255.255.255.255 subnet mask and my network is 255.255.255.0 . Where can I correct it?

Thank you in advance!

Netscreen VPN Debugging tools


Hi All 

 

I was wondering if anyone could point me in the direction of some decent debugging tools/commands for a NetScreen firewall (details below). I'm specifically looking to isolate system messages for a specific tunnel, similar to what you can do on a Cisco ASA.

 

Model : NetScreen-5400-III

Firmware : 6.3.0r22-1-7.0 

Licenses


Hello everyone. 

 

Can anyone guide me on where to buy licenses and how much they cost per year?

Anti-Virus, Spam, Filtering.

I've tried to contact them a few times, but it's like a ghost town. The message says "our representative will contact you shortly", but that was a month ago.

The firewall is an SSG550M, if that matters.

 

Best Regards.

What does the "ASP tcp proxy" do?


Hi!

 

While running a debug flow basic to troubleshoot a connection I encountered the following line:

packet dropped, ASP tcp proxy will rebuild a new one

Can anyone enlighten me as to what the ASP tcp proxy does and what happens to packets that are being rebuilt?

 

I cannot find any info on what ASP stands for. I get what a TCP proxy is, but I am unfamiliar with this one and how it is implemented on NetScreen.

 

I found the command 

get asp stat

but I don't know what the output means.

 

Thanks in advance!

 

Regards

  Lasford

 

 

 

 


SIP and Video on SSG320M


Hi!

 

Is it possible to send video traffic over the SIP ALG?

Someone hinted that my predecessor already tried getting video over SIP to work but our firewalls were not able to handle it at the time.

I only recently started working with ScreenOS firewalls (SSG320M) thus I am pretty inexperienced and I do not know if there have been any changes since.

 

Is it possible?

If so - how does it have to be configured? 

 

 

Thanks in advance!

 

Regards 

  Lasdorf

 

 

 

 

Need Help : Routing 2 different LANs to 2 different internet providers


Hello everybody,

I have a Juniper SSG20.

I want the VoIP LAN interface to route to one WAN interface and the data LAN interface to route to another WAN interface.

For example:

Ethernet 0/0 = internet : 55.55.55.54

Ethernet 0/1 = internet ip : 55.55.55.55

Ethernet 0/2 = voip lan : 10.0.0.1

Ethernet 0/3 = data lan : 192.168.1.1

What I want to do is route the outgoing traffic of ethernet0/2 to ethernet0/0 and ethernet0/3 to ethernet0/1.

The current configuration uses only one untrust interface, but that causes problems for the voice quality.

I hope I have explained my problem well.

Thank you !

Internet dropping


Hi community,

 

Last Monday we started having issues regarding packet loss when opening multiple websites.

A simple representation of our network is ISP=>WAN(modem)=>Juniper=>Switch1=>Multiple switches => Clients.

 

We were able to narrow down the problem by connecting directly to the modem and forcing web traffic; this resulted in 0 issues.

After that we shut down the connection from the Juniper to Switch 1 and connected the PC directly to the Juniper; this resulted in extreme packet loss (internet connection nearly completely dropping).

 

We're not sure what causes it, however we do know how to force it. This is simply done by opening multiple websites (3+). We do know this causes the Juniper (SSG5) to drop the connection to a bare minimum.

 

We had no issues previously, no connections have been changed, no config has been changed in the last 6 months either.

Any ideas?

 

Thanks in advance.

SSG550 Traffic from DMZ to Untrust failed


Traffic can't go out/in from DMZ to the Untrust zone. I created a policy to permit a host in DMZ to any in the Untrust zone, but nothing happens.

I tried a source NAT policy for the host in the DMZ zone to the Untrust zone; that also failed, can't ping outside.

I tried a MIP to the DMZ host; that also failed...

I just need to let a DMZ host talk to the outside.

The Untrust interface is in NAT mode, DMZ is in Route mode.

No debug option is available either, very funny...

 

Please help

 

Model SSG550

firmware 6.2.0r5.0

Self-signed Certificates on NSRP Cluster


Hi!

 

Our self-signed certificates on SSG320's have expired and I have generated new ones.

While the new certificates are working fine (although the cipher suites are insanely outdated) on the masters,

they have not been synced to the primary backup devices.

 

I tried creating a new cert for the primary backup device, which worked but it also erased the working cert on the master device.

 

How do I make sure the certificates are synced in an NSRP cluster? 

 

Thanks in advance!

Regards

  Lasford

SSG140 maxed out at about 75MB when traffic shaping is turned on


All,

I'm seeing an issue where simply turning on traffic shaping, without any policy or bandwidth configuration on the interface, results in a max throughput of about 75MB.

 

I have a 300mb internet connection connected to gig interface 0/8 and an inside gig switch connected to eth 0/9 (let's call these untrust and trust). Both interfaces are set to route but egress traffic (to the internet) NATs on a DIP port-xlate with a pool of SNAT IP's.

 

If I run some simple speed tests through the 140 I get throughput of about 300/300MB. As soon as I run "set traffic-shaping mode on" the throughput drops to about 75MB, even though there are no max ingress/egress bandwidth settings on any interface and no shaping policies. If I set the max ingress/egress on the interface it doesn't have any impact unless I select something lower than about 75MB. I'm trying to max the interface at 300/300mb as I'm pushing too much traffic to the ISP and they're dropping packets. So I want to cap the two gig interfaces at 300/300mb.

 

I'm running the latest firmware (6.3.0r25.0)

 

Any help is appreciated

Thanks!

Mark

OSPF help with 'recv bad LSR from neighbor'

$
0
0

I'm trying to get OSPF over an IPSec tunnel between an SSG-20 and a Ubiquiti EdgeRouter. The tunnel is fine and works well with static routing, but OSPF is not working. They are exchanging OSPF data, but on the Juniper I get

 

## 2018-03-30 22:34:31 : ospf: send LSU pkt to 10.10.10.99 on tunnel.9 len 1072
## 2018-03-30 22:34:31 : ospf: send pkt to 10.10.10.99 on tunnel.9 len 1072
## 2018-03-30 22:34:31 : ospf: process rx pak len 32 from 10.10.10.99 on tunnel.9 in vr trust-vr router-id 0.0.0.1
## 2018-03-30 22:34:31 : ospf: recv pkt on tunnel.9, 10.10.10.99->224.0.0.5
## 2018-03-30 22:34:31 : ospf: recv DBD from nbr 10.10.10.99 on tunnel.9 seq 0x81db7..
                flags INIT,MORE,MASTER len 0 mtu 1436 state FULL
## 2018-03-30 22:34:31 : ospf: NBR seqmismatch event, case else
## 2018-03-30 22:34:31 : ospf: recv bad LSR from neighbor 10.10.10.99 10.10.10.99 (Id) on tunnel.9
## 2018-03-30 22:34:31 : ospf: neighbor 10.10.10.99 10.10.10.99 (Id) on tunnel.9 state change FULL->EX_START
## 2018-03-30 22:34:31 : ospf: hold down timer, rebuild router LSA later
## 2018-03-30 22:34:31 : ospf: send DBD to 10.10.10.99 on tunnel.9 seq 0x81db6 flag INIT,MORE,MASTER len 32
## 2018-03-30 22:34:31 : ospf: send pkt to 10.10.10.99 on tunnel.9 len 32

There is no sign of trouble on the EdgeRouter other than the fact that OSPF never fully connects. My only clue is what you see above.

 

 

Any ideas?
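As an added example (not part of the post above, and not ScreenOS code), the script below parses debug output in the `## timestamp : ospf: ...` format the poster pasted and summarises, per neighbour, the DBD sequence numbers seen in each direction, bad-LSR and sequence-mismatch events, and adjacency state changes, then flags any neighbour whose adjacency fell from a higher state to a lower one. The sample input is the poster's own excerpt, with its wrapped "flags ..." continuation line kept as it appeared; attributing the neighbour-less "NBR seqmismatch" line to the neighbour of the preceding DBD line is an assumption of this script.

```python
import re
from collections import defaultdict

# Added example, not from the original post. The sample below is the poster's
# debug excerpt; the indented "flags ..." line is a wrapped continuation.
SAMPLE_DEBUG = """\
## 2018-03-30 22:34:31 : ospf: send LSU pkt to 10.10.10.99 on tunnel.9 len 1072
## 2018-03-30 22:34:31 : ospf: send pkt to 10.10.10.99 on tunnel.9 len 1072
## 2018-03-30 22:34:31 : ospf: process rx pak len 32 from 10.10.10.99 on tunnel.9 in vr trust-vr router-id 0.0.0.1
## 2018-03-30 22:34:31 : ospf: recv pkt on tunnel.9, 10.10.10.99->224.0.0.5
## 2018-03-30 22:34:31 : ospf: recv DBD from nbr 10.10.10.99 on tunnel.9 seq 0x81db7..
                flags INIT,MORE,MASTER len 0 mtu 1436 state FULL
## 2018-03-30 22:34:31 : ospf: NBR seqmismatch event, case else
## 2018-03-30 22:34:31 : ospf: recv bad LSR from neighbor 10.10.10.99 10.10.10.99 (Id) on tunnel.9
## 2018-03-30 22:34:31 : ospf: neighbor 10.10.10.99 10.10.10.99 (Id) on tunnel.9 state change FULL->EX_START
## 2018-03-30 22:34:31 : ospf: hold down timer, rebuild router LSA later
## 2018-03-30 22:34:31 : ospf: send DBD to 10.10.10.99 on tunnel.9 seq 0x81db6 flag INIT,MORE,MASTER len 32
## 2018-03-30 22:34:31 : ospf: send pkt to 10.10.10.99 on tunnel.9 len 32
"""

LINE_RE = re.compile(r"^## (\S+ \S+) : ospf: (.*)$")
STATE_RE = re.compile(r"neighbor (\S+) \S+ \(Id\) on (\S+) state change (\w+)->(\w+)")
BAD_LSR_RE = re.compile(r"recv bad LSR from neighbor (\S+) \S+ \(Id\) on (\S+)")
DBD_RE = re.compile(r"(recv|send) DBD (?:from nbr|to) (\S+) on (\S+) seq (0x[0-9a-f]+)")

# Adjacency states in forming order; a change that moves left is a regression.
STATE_ORDER = ["DOWN", "ATTEMPT", "INIT", "2WAY", "EX_START", "EXCHANGE", "LOADING", "FULL"]


def parse_ospf_debug(text):
    """Return a list of (timestamp, message); wrapped lines are joined to the previous message."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append([m.group(1), m.group(2)])
        elif raw.strip() and events:
            events[-1][1] += " " + raw.strip()
    return [tuple(e) for e in events]


def new_neighbor_record():
    return {"state_changes": [], "bad_lsr": 0, "seqmismatch": 0,
            "dbd_seq": {"recv": [], "send": []}}


def summarize_neighbors(events):
    """Group DBD, bad-LSR, seqmismatch and state-change events by neighbour@interface."""
    nbrs = defaultdict(new_neighbor_record)
    last_key = None  # neighbour named on the most recent neighbour-specific line
    for _ts, msg in events:
        m = DBD_RE.search(msg)
        if m:
            direction, nbr, iface, seq = m.groups()
            last_key = f"{nbr}@{iface}"
            nbrs[last_key]["dbd_seq"][direction].append(seq)
            continue
        m = BAD_LSR_RE.search(msg)
        if m:
            last_key = f"{m.group(1)}@{m.group(2)}"
            nbrs[last_key]["bad_lsr"] += 1
            continue
        m = STATE_RE.search(msg)
        if m:
            nbr, iface, old, new = m.groups()
            last_key = f"{nbr}@{iface}"
            nbrs[last_key]["state_changes"].append((old, new))
            continue
        if "NBR seqmismatch" in msg and last_key is not None:
            # This line does not name the neighbour; attributing it to the
            # neighbour of the preceding DBD line is an assumption.
            nbrs[last_key]["seqmismatch"] += 1
    return dict(nbrs)


def regressed_neighbors(summary):
    """Neighbours whose adjacency moved from a higher state to a lower one."""
    out = []
    for key, rec in summary.items():
        for old, new in rec["state_changes"]:
            if old in STATE_ORDER and new in STATE_ORDER and \
                    STATE_ORDER.index(new) < STATE_ORDER.index(old):
                out.append(key)
                break
    return out


if __name__ == "__main__":
    summary = summarize_neighbors(parse_ospf_debug(SAMPLE_DEBUG))
    for key, rec in summary.items():
        print(key, rec)
    print("regressed:", regressed_neighbors(summary))
```

On the posted excerpt this reports one neighbour, 10.10.10.99 on tunnel.9, with a received DBD sequence of 0x81db7 against a sent sequence of 0x81db6, one seqmismatch, one bad LSR, and a FULL->EX_START transition, which is exactly the regression the poster is seeing.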


purpose of bgroup


What is the use of bgroup for the interfaces? Do they work like link aggregation? I can't find a good guideline that explains this. Any help?

Translating IP


Hello all, 

 

Please help me figure out how to create rule for my purpose.

 

I would like to retranslate public IP to private IP when trying to connect to external IP from internal network.

 

Let's say I have the public IP address set 173.11.120.0/24; the untrust Ethernet public IP, for example, is 173.11.120.1.

And private address pool is 172.16.16.0/24 with trust interface IP 172.16.16.1

 

My Server has ip 172.16.16.2 and has VPN server running on it.

 

I would like to make 173.11.120.2 external IP with port 1723 (PPTP service for example) mapped to 172.16.16.2 private IP

 

Accessing it from outside my network is fine, using a VIP on the Untrust interface (VIP 173.11.120.2 with port 1723 mapped to 172.16.16.2), and everything works well. But when I try to connect from the local subnet in the Trust zone (from 172.16.16.0/24) to 173.11.120.2 I have no luck.

 

So connection looks like: 

172.16.16.0/24 -> 173.11.120.2 -> 172.16.16.2

 

It would be nice if someone could explain step by step how to make it work.

 

With best regards,

Aleksei

Modify the routing behavior of an SSG5-Serial firewall.


Folks,

Presently we have configured VPN on a Juniper SSG5-Serial firewall. The default route this firewall gets is over its Untrust interface, because the Untrust interface receives a DHCP IP address. This default route gets added as a Connected route and is of course preferred.

Our goal is to ensure that the default route is a static route which is added on a tunnel interface. How can we achieve that? If we add a default static route with preference 20, it does not get preferred.

 

Thanks!!

N.

NS5200 and MIP Problem


Hope someone can see what I am missing or doing wrong. My scenario is the following: I have an NS5200 running 6.3.0r25.0. It hangs off my Cisco router via port 2/1 and has an address of xx.xx.176.6/30, where the Cisco is xx.xx.176.5/30. All works fine and I can hit all routed IPs both ways. On 2/7 I have a subnet of 192.168.8.1/24 which has connection to all the iLO ports of my servers. The problem is I need to access them from the outside, which means I have to map public IPs to these. My intention is to use a subnet I have, xx.xx.190.xx/24, to do so. As I can't add a secondary subnet to my public interface, I went the following route based on docs I found.

here is the relevant config

set interface "ethernet2/1" zone "Untrust"
set interface "ethernet2/7" zone "Trust"

set interface ethernet2/1 ip xx.xx.176.6/30
set interface ethernet2/1 route
set interface ethernet2/7 ip 192.168.8.1/24
set interface ethernet2/7 nat

set address "Trust" "ilo-35" xx.xx.190.35 255.255.255.255

set policy id 6 from "Untrust" to "Trust" "Any" "ilo-35" "ANY" nat dst ip 192.168.8.35 permit log count
set policy id 6

set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet2/1 gateway xx.xx.176.5
set route 209.0.190.35/32 interface ethernet2/7

 

Needless to say, it isn't working. So what am I missing? If I look at the counters I never see the policy being hit, etc.

Has the SSG20 firewall implemented the NTP RFC standard?


Dear all,

 

At Honeywell we sell safety systems. One of our customers is using the SSG20 firewall as an NTP server to synchronize the time with our safety system. Does the SSG20 firewall have the NTP RFC standard implemented?

 

Kind regards,

 

Hett Schepers
