Poll: Which is easier?
  • IPTables: 0 (0%)
  • CiscoASA: 0 (0%)
  • Netscreen-Based-Devices: 0 (0%)
Total Members Voted: 0
Voting closed: December 24, 2013, 02:45:34 pm

Author Topic: Production Netscreen 50 Firewall / Passive Fail-Over & WAN Untrust to LAN Trust  (Read 4535 times)

magnusT (Newbie, Posts: 4, Karma: +0/-0)
I come from a Cisco ASA/IPTables firewall background, and am recently required to configure a Juniper Netscreen 50 security appliance. Although I am a tech who has read the RFCs regarding standard network technologies, proprietary and open-source, I am stuck on this firewall issue.

What are the steps to configuring Port Forwarding/Port Triggering on Juniper Netscreen ScreenOS 5.0~ based security appliances? I have followed the exact steps, short of CLI Reset and Reconfiguration from Scratch. I have found many "exact steps" that differ slightly.

The steps I followed thus far can be described as follows:

Quote
07:15 < kab0n> Hi...
07:16 < kab0n> I configured port forwarding on a netscreen firewall by A) Creating a Custom Service, B) Creating a
               NAT Rule, and C) Opening the Firewall & Configuring Packet Filtering, as well as D) CLI: set vip
               multi-port
07:16 < kab0n> Still, none of the port forwards work...
07:16 < kab0n> Any advice?

I need to map a list of ports from the Untrust ETH3 interface to the Trust ETH1 interface.

Please see below my existing configuration:

Quote
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "FTP-DCP" protocol tcp src-port 1024-65535 dst-port 5000-5000
set service "FTP-SSL()" protocol tcp src-port 1024-65535 dst-port 990-990
set service "POP3-SSL()" protocol tcp src-port 1024-65535 dst-port 995-995
set service "SMTP-SSL()" protocol tcp src-port 1024-65535 dst-port 587-587
set service "RDP_Nodule_1()" protocol tcp src-port 1024-65535 dst-port 63375-63375
set service "RDP_Nodule_2()" protocol tcp src-port 1024-65535 dst-port 63390-63390
set service "RDP_Nodule_3()" protocol tcp src-port 1024-65535 dst-port 60259-60259
set service "RDP_Nodule_4()" protocol tcp src-port 1024-65535 dst-port 56571-56571
set service "RDP_Nodule_5()" protocol tcp src-port 1024-65535 dst-port 57250-57250
set service "RDP_Nodule_6()" protocol tcp src-port 1024-65535 dst-port 63425-63425
set service "RDP_Nodule_7()" protocol tcp src-port 1024-65535 dst-port 63415-63415
set service "RDP_Nodule_8()" protocol tcp src-port 1024-65535 dst-port 58200-58200
set service "RDP_Nodule_9()" protocol tcp src-port 1024-65535 dst-port 58201-58201
set service "RDP_Nodule_10()" protocol tcp src-port 1024-65535 dst-port 58202-58202
set service "RDP_Nodule_11()" protocol tcp src-port 1024-65535 dst-port 58203-58203
set service "RDP_Nodule_12()" protocol tcp src-port 1024-65535 dst-port 58204-58204
set service "RDP_Nodule_13()" protocol tcp src-port 1024-65535 dst-port 58205-58205
set service "RDP_Nodule_14()" protocol tcp src-port 1024-65535 dst-port 58206-58206
set service "RDP_Nodule_15()" protocol tcp src-port 1024-65535 dst-port 58207-58207
set service "RDP_Nodule_16" protocol tcp src-port 1024-65535 dst-port 3389-3389
set service "rdp2_Nodule_17" protocol tcp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "Admin Redacted"
set admin password "Hash Redacted"
set admin user "User Redacted" password "Hash Redacted" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip LAN.IP/24
set interface ethernet1 nat
set interface ethernet3 ip WAN.IP/29
set interface ethernet3 route
set interface "ethernet3" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage snmp
set interface ethernet3 manage web
set interface ethernet3 vip untrust 5000 "FTP-DCP" 10.64.0.137 manual
set interface ethernet3 vip untrust 990 "FTP-SSL()" 10.64.0.137 manual
set interface ethernet3 vip untrust 21 "FTP" 10.64.0.137 manual
set interface ethernet3 vip untrust 995 "POP3-SSL()" 10.64.0.137 manual
set interface ethernet3 vip untrust 110 "POP3" 10.64.0.137 manual
set interface ethernet3 vip untrust 587 "SMTP-SSL()" 10.64.0.137 manual
set interface ethernet3 vip untrust 25 "MAIL" 10.64.0.137 manual
set interface ethernet3 vip untrust 443 "HTTPS" 10.64.0.137 manual
set interface ethernet3 vip untrust 63375 "RDP_Nodule_1()" 10.64.0.141 manual
set interface ethernet3 vip untrust 63390 "RDP_Nodule_2()" 10.64.0.136 manual
set interface ethernet3 vip untrust 60259 "RDP_Nodule_3()" 10.64.0.112 manual
set interface ethernet3 vip untrust 56571 "RDP_Nodule_4()" 10.64.0.121 manual
set interface ethernet3 vip untrust 57250 "RDP_Nodule_5()" 10.64.0.133 manual
set interface ethernet3 vip untrust 63425 "RDP_Nodule_6()" 10.64.0.139 manual
set interface ethernet3 vip untrust 63415 "RDP_Nodule_7()" 10.64.0.140 manual
set interface ethernet3 vip untrust 58200 "RDP_Nodule_8()" 10.64.0.200 manual
set interface ethernet3 vip untrust 58201 "RDP_Nodule_9()" 10.64.0.201 manual
set interface ethernet3 vip untrust 58202 "RDP_Nodule_10()" 10.64.0.202 manual
set interface ethernet3 vip untrust 58203 "RDP_Nodule_11()" 10.64.0.203
set interface ethernet3 vip untrust 58204 "RDP_Nodule_12()" 10.64.0.204 manual
set interface ethernet3 vip untrust 58205 "RDP_Nodule_13()" 10.64.0.205 manual
set interface ethernet3 vip untrust 58206 "RDP_Nodule_14()" 10.64.0.206 manual
set interface ethernet3 vip untrust 58207 "RDP_Nodule_15()" 10.64.0.207 manual
set interface ethernet3 vip untrust 3389 "RDP_Nodule_16" 10.64.0.141 manual
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 209.244.0.3
set dns host dns2 167.206.7.4
set dns host dns3 0.0.0.0
set address "Trust" "10.64.0.112/255.255.255.0" 10.64.0.112 255.255.255.0
set address "Trust" "10.64.0.133/255.255.255.0" 10.64.0.133 255.255.255.0
set address "Trust" "10.64.0.136/255.255.255.0" 10.64.0.136 255.255.255.0
set address "Trust" "10.64.0.137/255.255.255.0" 10.64.0.137 255.255.255.0
set address "Trust" "10.64.0.139/255.255.255.0" 10.64.0.139 255.255.255.0
set address "Trust" "10.64.0.140/255.255.255.0" 10.64.0.140 255.255.255.0
set address "Trust" "10.64.0.141/255.0.0.0" 10.64.0.141 255.0.0.0
set address "Trust" "10.64.0.141/255.255.255.0" 10.64.0.141 255.255.255.0
set address "Trust" "10.64.0.200/255.255.255.0" 10.64.0.200 255.255.255.0
set address "Trust" "10.64.0.201/255.255.255.0" 10.64.0.201 255.255.255.0
set address "Trust" "10.64.0.202/255.255.255.0" 10.64.0.202 255.255.255.0
set address "Trust" "10.64.0.203/255.255.255.0" 10.64.0.203 255.255.255.0
set address "Trust" "10.64.0.204/255.255.255.0" 10.64.0.204 255.255.255.0
set address "Trust" "10.64.0.205/255.255.255.0" 10.64.0.205 255.255.255.0
set address "Trust" "10.64.0.206/255.255.255.0" 10.64.0.206 255.255.255.0
set address "Trust" "10.64.0.207/255.255.255.0" 10.64.0.207 255.255.255.0
set address "Trust" "RDP_Nodule_X(forgot which this is while making edits)" GLOBAL.IP 255.255.255.255
set address "Untrust" "10.64.0.112/255.0.0.0" 10.64.0.112 255.0.0.0
set address "Untrust" "10.64.0.112/255.255.255.0" 10.64.0.112 255.255.255.0
set address "Untrust" "10.64.0.133/255.0.0.0" 10.64.0.133 255.0.0.0
set address "Untrust" "10.64.0.133/255.255.255.0" 10.64.0.133 255.255.255.0
set address "Untrust" "10.64.0.136/255.0.0.0" 10.64.0.136 255.0.0.0
set address "Untrust" "10.64.0.136/255.255.255.0" 10.64.0.136 255.255.255.0
set address "Untrust" "10.64.0.137/255.0.0.0" 10.64.0.137 255.0.0.0
set address "Untrust" "10.64.0.139/255.0.0.0" 10.64.0.139 255.0.0.0
set address "Untrust" "10.64.0.139/255.255.255.0" 10.64.0.139 255.255.255.0
set address "Untrust" "10.64.0.140/255.0.0.0" 10.64.0.140 255.0.0.0
set address "Untrust" "10.64.0.140/255.255.255.0" 10.64.0.140 255.255.255.0
set address "Untrust" "10.64.0.141/255.0.0.0" 10.64.0.141 255.0.0.0
set address "Untrust" "10.64.0.141/255.255.255.0" 10.64.0.141 255.255.255.0
set address "Untrust" "10.64.0.200/255.0.0.0" 10.64.0.200 255.0.0.0
set address "Untrust" "10.64.0.200/255.255.255.0" 10.64.0.200 255.255.255.0
set address "Untrust" "10.64.0.201/255.0.0.0" 10.64.0.201 255.0.0.0
set address "Untrust" "10.64.0.201/255.255.255.0" 10.64.0.201 255.255.255.0
set address "Untrust" "10.64.0.202/255.0.0.0" 10.64.0.202 255.0.0.0
set address "Untrust" "10.64.0.202/255.255.255.0" 10.64.0.202 255.255.255.0
set address "Untrust" "10.64.0.203/255.0.0.0" 10.64.0.203 255.0.0.0
set address "Untrust" "10.64.0.203/255.255.255.0" 10.64.0.203 255.255.255.0
set address "Untrust" "10.64.0.204/255.0.0.0" 10.64.0.204 255.0.0.0
set address "Untrust" "10.64.0.204/255.255.255.0" 10.64.0.204 255.255.255.0
set address "Untrust" "10.64.0.205/255.0.0.0" 10.64.0.205 255.0.0.0
set address "Untrust" "10.64.0.206/255.0.0.0" 10.64.0.206 255.0.0.0
set address "Untrust" "10.64.0.206/255.255.255.0" 10.64.0.206 255.255.255.0
set address "Untrust" "10.64.0.207/255.0.0.0" 10.64.0.207 255.0.0.0
set address "Untrust" "10.64.0.207/255.255.255.0" 10.64.0.207 255.255.255.0
set address "Untrust" "10.65.0.205/255.255.255.0" 10.65.0.205 255.255.255.0
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 21 from "Untrust" to "Trust"  "Any" "Any" "RDP_Nodule_X()" permit log count
set policy id 21 disable
set policy id 21
exit
set policy id 19 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "rdp2" permit
set policy id 19
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "FTP" permit
set policy id 1
set service "HTTP"
set service "HTTPS"
set service "POP3"
set service "SMTP"
set service "FTP-DCP"
set service "FTP-SSL()"
set service "POP3-SSL()"
set service "SMTP-SSL()"
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" nat dst ip 10.64.0.141 permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 3
exit
set policy id 4 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 4
exit
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 5
exit
set policy id 6 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "ESSEX RDP()" permit
set policy id 6
exit
set policy id 7 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "BUTLER RDP()" permit
set policy id 7
exit
set policy id 8 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 8
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 9
exit
set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "WXPVID02 RDP()" permit
set policy id 10
exit
set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 11
exit
set policy id 12 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 12
exit
set policy id 13 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 13
exit
set policy id 14 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 14
exit
set policy id 15 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 15
exit
set policy id 16 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 16
exit
set policy id 18 from "Untrust" to "Trust"  "VIP(ethernet3)" "Any" "ANY" permit
set policy id 18 disable
set policy id 18
exit
set policy id 20 name "Test" from "Untrust" to "Trust"  "VIP(ethernet3)" "RDP_Nodule_X" "ANY" nat dst ip 10.64.0.141 permit
set policy id 20 disable
set policy id 20
exit
set policy id 22 from "Untrust" to "Trust"  "Any" "Any" "RDP_Nodule_X()" permit
set policy id 22
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set ssh enable
set config lock timeout 5
set license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway DEFAULT.GATEAY
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

I hope we solve this, so I can document it for people in the future who have this problem. I could not solve it with Google. Thanks for your time.
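An added example, not from the thread or from Juniper: a Python lint that cross-checks a ScreenOS dump like the one above. It flags VIPs whose service is undefined or whose port is outside the service's dst-port range, policies that name undefined services, `nat dst` on a policy whose destination is already a VIP, a VIP used as a policy source, and address objects whose mask turns a single host into a whole network (as the 255.0.0.0 and 255.255.255.0 masks on the host entries above do). The sample config and addresses are constructed, and BUILTIN_SERVICES lists only the predefined services this sample needs.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample in the style of the dump above; the names and addresses are not the poster's.
SAMPLE_CONFIG = """
set service "RDP_Nodule_1()" protocol tcp src-port 1024-65535 dst-port 63375-63375
set service "FTP-DCP" protocol tcp src-port 1024-65535 dst-port 5000-5000
set interface ethernet3 vip untrust 63375 "RDP_Nodule_1()" 10.64.0.141 manual
set interface ethernet3 vip untrust 5001 "FTP-DCP" 10.64.0.137 manual
set interface ethernet3 vip untrust 21 "FTP" 10.64.0.137 manual
set address "Trust" "10.64.0.141/255.0.0.0" 10.64.0.141 255.0.0.0
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_1()" nat dst ip 10.64.0.141 permit
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
set policy id 18 from "Untrust" to "Trust"  "VIP(ethernet3)" "Any" "ANY" permit
"""

# Predefined ScreenOS services used by this sample; anything else must be declared with "set service".
BUILTIN_SERVICES = {"ANY", "FTP", "HTTP", "HTTPS", "POP3", "SMTP", "MAIL"}
SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol \w+ src-port \S+ dst-port (\d+)-(\d+)$')
VIP_RE = re.compile(r'^set interface \S+ vip \S+ (\d+) "([^"]+)" (\S+)')
ADDR_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
POLICY_RE = re.compile(r'^set policy id (\d+) (?:name "[^"]*" )?from "([^"]+)" to "([^"]+)"'
                       r'\s+"([^"]+)" "([^"]+)" "([^"]+)"(.*)$')

def lint_screenos(config):
    services, vips, findings = {}, [], []
    for line in (raw.strip() for raw in config.strip().splitlines()):
        if m := SERVICE_RE.match(line):
            services[m[1]] = (int(m[2]), int(m[3]))
        elif m := VIP_RE.match(line):
            vips.append((int(m[1]), m[2], m[3]))  # checked once every service is known
        elif m := ADDR_RE.match(line):
            zone, name, ip, mask = m.groups()
            net = IPv4Network(f"{ip}/{mask}", strict=False)
            if IPv4Address(ip) != net.network_address:  # a host address with a non-host mask
                findings.append(f"address {zone}/{name}: {ip} with mask {mask} actually covers "
                                f"{net} ({net.num_addresses} addresses)")
        elif m := POLICY_RE.match(line):
            pid, src_zone, dst_zone, src, dst, svc, rest = m.groups()
            if svc not in services and svc not in BUILTIN_SERVICES:
                findings.append(f"policy {pid}: service {svc} is not defined")
            if dst.startswith("VIP(") and "nat dst" in rest:
                findings.append(f"policy {pid}: nat dst is redundant when the destination is a VIP")
            if src.startswith("VIP("):
                findings.append(f"policy {pid}: VIP used as source on {src_zone}->{dst_zone} policy")
    for port, svc, server in vips:
        if svc in BUILTIN_SERVICES:
            continue
        if svc not in services:
            findings.append(f"vip {port} -> {server}: service {svc} is not defined")
        elif not services[svc][0] <= port <= services[svc][1]:
            lo, hi = services[svc]
            findings.append(f"vip {port} -> {server}: service {svc} uses dst-port {lo}-{hi}, not {port}")
    return findings
```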

marty (Sr. Member, Posts: 337, Karma: +1/-0)
I see you are using VIP on Untrust and using port redirection from Untrust to Trust. I don't know what model of device you are using; I hope it is able to support this many VIPs. Normally SOHO ones were able to support only 5-6 VIPs, but as per your config it seems you were able to configure this many, hence you are good to go.

What is the issue you are facing? From the internet/external/untrust side, are you unable to connect to any of the VIPs on their respective ports?

Can you do a debug and post the output, filtering the debug with the VIP and respective port that you were trying to connect to.
Marty

magnusT (Newbie, Posts: 4, Karma: +0/-0)
Marty:

On debugging the Policy, I am receiving the message that the IP / Port translation works (at least it says here that it's coming in and going out how I want it to...)

However, it says that the connection closes, or, "ages out."

So, no TCP handshake, and no session is established.

marty (Sr. Member, Posts: 337, Karma: +1/-0)
magnus-

Can you paste the debug here... you can strike off the IPs or mask them as xxxx/yyyy/zzzz for src and VIP/real destination respectively.
Marty

magnusT (Newbie, Posts: 4, Karma: +0/-0)
Thanks for looking at this. I will be here the rest of the day. :)

DEBUG:
Quote
STAMP: 2013-12-24 14:50:31
SOURCE ADDRESS / PORT 74.138.199.147:52530
DESTINATION ADDRESS / PORT 216.41.209.86:63375
TRANSLATED SOURCE ADDRESS / PORT 74.138.199.147:52530
TRANSLATED DESTINATION ADDRESS / PORT 10.64.0.141:63375
SERVICE TCP PORT 63375
DURATION 21 sec.
BYTES SENT 206
BYTES RECEIVED 0
CLOsE REASON: Close - AGE OUT
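
A second added example (again not from the thread): a triage pass over session records in the layout above. For each record it checks the translated destination against the expected VIP table and then reads the byte counters and close reason the way the thread does: zero bytes received followed by an age-out means the request was delivered to the translated address and nothing came back, whereas a reset means something answered and then tore the session down. The records, addresses and VIP table are constructed (STAMP and SERVICE lines omitted), and the close-reason strings should be matched against what your device actually logs.

```python
import re

# Constructed records in the layout of the session debug posted above (STAMP and SERVICE lines
# omitted); addresses are from documentation ranges, not the poster's.
SESSION_LOG = """
SOURCE ADDRESS / PORT 198.51.100.7:52530
DESTINATION ADDRESS / PORT 203.0.113.86:63375
TRANSLATED SOURCE ADDRESS / PORT 198.51.100.7:52530
TRANSLATED DESTINATION ADDRESS / PORT 10.64.0.141:63375
DURATION 21 sec.
BYTES SENT 206
BYTES RECEIVED 0
CLOSE REASON: Close - AGE OUT

SOURCE ADDRESS / PORT 198.51.100.7:52611
DESTINATION ADDRESS / PORT 203.0.113.86:63390
TRANSLATED SOURCE ADDRESS / PORT 198.51.100.7:52611
TRANSLATED DESTINATION ADDRESS / PORT 10.64.0.136:63390
DURATION 1 sec.
BYTES SENT 60
BYTES RECEIVED 40
CLOSE REASON: Close - TCP RST
"""
# Constructed VIP table: (public address, port) -> server the VIP should translate to.
EXPECTED_VIPS = {("203.0.113.86", 63375): "10.64.0.141", ("203.0.113.86", 63390): "10.64.0.136"}
PATTERNS = {
    "dst": r"^DESTINATION ADDRESS / PORT (\S+):(\d+)",
    "xlat": r"^TRANSLATED DESTINATION ADDRESS / PORT (\S+):(\d+)",
    "sent": r"^BYTES SENT (\d+)",
    "recv": r"^BYTES RECEIVED (\d+)",
    "close": r"^CLOSE REASON: (.+)$",  # reason text as logged by the device
}

def triage(record, expected=EXPECTED_VIPS):
    f = {k: re.search(p, record, re.M | re.I) for k, p in PATTERNS.items()}
    if not all(f.values()):
        return "incomplete record"
    pub, port = f["dst"][1], int(f["dst"][2])
    priv, xport = f["xlat"][1], int(f["xlat"][2])
    sent, recv, close = int(f["sent"][1]), int(f["recv"][1]), f["close"][1].upper()
    want = expected.get((pub, port))
    if (priv, xport) != (want, port):  # the VIP did not translate to the server it should have
        return f"{pub}:{port} translated to {priv}:{xport}, expected {want}:{port}"
    if recv == 0 and "AGE OUT" in close:  # SYN went in, nothing ever came back
        return (f"translation to {priv}:{port} correct, but 0 bytes came back before age-out: "
                "the server never answered (not listening, down, or its reply bypasses the firewall)")
    if "RST" in close or "RESET" in close:  # someone answered, then the session was torn down
        return f"translation to {priv}:{port} correct; session ended by TCP reset after {recv} bytes back"
    return f"translation to {priv}:{port} correct; session completed ({sent} sent, {recv} received)"

def triage_log(log, expected=EXPECTED_VIPS):
    # Records in the dump are separated by a blank line.
    return [triage(block, expected) for block in log.strip().split("\n\n") if block.strip()]
```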

marty (Sr. Member, Posts: 337, Karma: +1/-0)
1) Thanks for posting the log. Can you run a debug and paste the same as well.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB12208 - This link will help you out on setting up the debug and stopping the same.
You can use the filters below to filter the debug.
set ff dst-ip 216.41.209.86 and dst-port 63375
set ff dst-ip 10.64.0.141 and dst-port 63375

2) I noticed in your config you have additionally created a nat-dst policy. Any particular reason for the same, as you are already using a VIP to publish your inside server publicly? I would suggest removing the policy below with "unset policy id 2".

set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" nat dst ip 10.64.0.141 permit
set policy id 2
exit

3) Since you have configured multiple VIPs, are all the VIPs having the issue, or is it just this particular VIP listening on port 63375?
Marty

magnusT (Newbie, Posts: 4, Karma: +0/-0)
Now we've got a working configuration. All I've done is create services, create VIPs, and create policies. Now we are getting a TCP RESET in the debug filter.

marty (Sr. Member, Posts: 337, Karma: +1/-0)
Can you paste the debug ?
Marty

magnusT (Newbie, Posts: 4, Karma: +0/-0)
Do these devices have a limit to how many items can be configured per VIP?
(i.e., I have configured 3 items per port forward: a service, a VIP, and a policy.)

Now, when I am configuring new policies, lines of my configuration are being replaced... So is there some kind of limit here?

marty (Sr. Member, Posts: 337, Karma: +1/-0)
Yep, every device has a limit on how many VIPs/MIPs/DIPs can be configured... depending on the model number of your firewall, check the device details.
Marty