Production Netscreen 50 Firewall / Passive Fail-Over & WAN Untrust to LAN Trust



  • I come from a Cisco ASA/IPTables firewall background and am recently required to configure a Juniper Netscreen 50 security appliance. Although I am a tech who has read the RFCs regarding standard network technologies, proprietary and open-source, I am stuck on this firewall issue.

    What are the steps to configuring Port Forwarding/Port Triggering on Juniper Netscreen ScreenOS 5.0~ based security appliances? I have followed the exact steps, short of CLI Reset and Reconfiguration from Scratch. I have found many "exact steps" that differ slightly.

    The steps I followed thus far can be described as follows:

    07:15 < kab0n> Hi…
    07:16 < kab0n> I configured port forwarding on a netscreen firewall by A) Creating a Custom Service, B) Creating a
                  NAT Rule, and C) Opening the Firewall & Configuring Packet Filtering, as well as D) CLI: set vip
                  multi-port
    07:16 < kab0n> Still, none of the port forwards work…
    07:16 < kab0n> Any advice?

    I need to map a list of ports from the Untrust ETH3 interface to the Trust ETH1 interface.

    Please see below my existing configuration:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "FTP-DCP" protocol tcp src-port 1024-65535 dst-port 5000-5000
    set service "FTP-SSL()" protocol tcp src-port 1024-65535 dst-port 990-990
    set service "POP3-SSL()" protocol tcp src-port 1024-65535 dst-port 995-995
    set service "SMTP-SSL()" protocol tcp src-port 1024-65535 dst-port 587-587
    set service "RDP_Nodule_1()" protocol tcp src-port 1024-65535 dst-port 63375-63375
    set service "RDP_Nodule_2()" protocol tcp src-port 1024-65535 dst-port 63390-63390
    set service "RDP_Nodule_3()" protocol tcp src-port 1024-65535 dst-port 60259-60259
    set service "RDP_Nodule_4()" protocol tcp src-port 1024-65535 dst-port 56571-56571
    set service "RDP_Nodule_5()" protocol tcp src-port 1024-65535 dst-port 57250-57250
    set service "RDP_Nodule_6()" protocol tcp src-port 1024-65535 dst-port 63425-63425
    set service "RDP_Nodule_7()" protocol tcp src-port 1024-65535 dst-port 63415-63415
    set service "RDP_Nodule_8()" protocol tcp src-port 1024-65535 dst-port 58200-58200
    set service "RDP_Nodule_9()" protocol tcp src-port 1024-65535 dst-port 58201-58201
    set service "RDP_Nodule_10()" protocol tcp src-port 1024-65535 dst-port 58202-58202
    set service "RDP_Nodule_11()" protocol tcp src-port 1024-65535 dst-port 58203-58203
    set service "RDP_Nodule_12()" protocol tcp src-port 1024-65535 dst-port 58204-58204
    set service "RDP_Nodule_13()" protocol tcp src-port 1024-65535 dst-port 58205-58205
    set service "RDP_Nodule_14()" protocol tcp src-port 1024-65535 dst-port 58206-58206
    set service "RDP_Nodule_15()" protocol tcp src-port 1024-65535 dst-port 58207-58207
    set service "RDP_Nodule_16" protocol tcp src-port 1024-65535 dst-port 3389-3389
    set service "rdp2_Nodule_17" protocol tcp src-port 0-65535 dst-port 3389-3389
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "Admin Redacted"
    set admin password "Hash Redacted"
    set admin user "User Redacted" password "Hash Redacted" privilege "all"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set vip multi-port
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet1" zone "Trust"
    set interface "ethernet2" zone "DMZ"
    set interface "ethernet3" zone "Untrust"
    unset interface vlan1 ip
    set interface ethernet1 ip LAN.IP/24
    set interface ethernet1 nat
    set interface ethernet3 ip WAN.IP/29
    set interface ethernet3 route
    set interface "ethernet3" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet1 ip manageable
    set interface ethernet3 ip manageable
    set interface ethernet3 manage ping
    set interface ethernet3 manage ssh
    set interface ethernet3 manage snmp
    set interface ethernet3 manage web
    set interface ethernet3 vip untrust 5000 "FTP-DCP" 10.64.0.137 manual
    set interface ethernet3 vip untrust 990 "FTP-SSL()" 10.64.0.137 manual
    set interface ethernet3 vip untrust 21 "FTP" 10.64.0.137 manual
    set interface ethernet3 vip untrust 995 "POP3-SSL()" 10.64.0.137 manual
    set interface ethernet3 vip untrust 110 "POP3" 10.64.0.137 manual
    set interface ethernet3 vip untrust 587 "SMTP-SSL()" 10.64.0.137 manual
    set interface ethernet3 vip untrust 25 "MAIL" 10.64.0.137 manual
    set interface ethernet3 vip untrust 443 "HTTPS" 10.64.0.137 manual
    set interface ethernet3 vip untrust 63375 "RDP_Nodule_1()" 10.64.0.141 manual
    set interface ethernet3 vip untrust 63390 "RDP_Nodule_2()" 10.64.0.136 manual
    set interface ethernet3 vip untrust 60259 "RDP_Nodule_3()" 10.64.0.112 manual
    set interface ethernet3 vip untrust 56571 "RDP_Nodule_4()" 10.64.0.121 manual
    set interface ethernet3 vip untrust 57250 "RDP_Nodule_5()" 10.64.0.133 manual
    set interface ethernet3 vip untrust 63425 "RDP_Nodule_6()" 10.64.0.139 manual
    set interface ethernet3 vip untrust 63415 "RDP_Nodule_7()" 10.64.0.140 manual
    set interface ethernet3 vip untrust 58200 "RDP_Nodule_8()" 10.64.0.200 manual
    set interface ethernet3 vip untrust 58201 "RDP_Nodule_9()" 10.64.0.201 manual
    set interface ethernet3 vip untrust 58202 "RDP_Nodule_10()" 10.64.0.202 manual
    set interface ethernet3 vip untrust 58203 "RDP_Nodule_11()" 10.64.0.203
    set interface ethernet3 vip untrust 58204 "RDP_Nodule_12()" 10.64.0.204 manual
    set interface ethernet3 vip untrust 58205 "RDP_Nodule_13()" 10.64.0.205 manual
    set interface ethernet3 vip untrust 58206 "RDP_Nodule_14()" 10.64.0.206 manual
    set interface ethernet3 vip untrust 58207 "RDP_Nodule_15()" 10.64.0.207 manual
    set interface ethernet3 vip untrust 3389 "RDP_Nodule_16" 10.64.0.141 manual
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 209.244.0.3
    set dns host dns2 167.206.7.4
    set dns host dns3 0.0.0.0
    set address "Trust" "10.64.0.112/255.255.255.0" 10.64.0.112 255.255.255.0
    set address "Trust" "10.64.0.133/255.255.255.0" 10.64.0.133 255.255.255.0
    set address "Trust" "10.64.0.136/255.255.255.0" 10.64.0.136 255.255.255.0
    set address "Trust" "10.64.0.137/255.255.255.0" 10.64.0.137 255.255.255.0
    set address "Trust" "10.64.0.139/255.255.255.0" 10.64.0.139 255.255.255.0
    set address "Trust" "10.64.0.140/255.255.255.0" 10.64.0.140 255.255.255.0
    set address "Trust" "10.64.0.141/255.0.0.0" 10.64.0.141 255.0.0.0
    set address "Trust" "10.64.0.141/255.255.255.0" 10.64.0.141 255.255.255.0
    set address "Trust" "10.64.0.200/255.255.255.0" 10.64.0.200 255.255.255.0
    set address "Trust" "10.64.0.201/255.255.255.0" 10.64.0.201 255.255.255.0
    set address "Trust" "10.64.0.202/255.255.255.0" 10.64.0.202 255.255.255.0
    set address "Trust" "10.64.0.203/255.255.255.0" 10.64.0.203 255.255.255.0
    set address "Trust" "10.64.0.204/255.255.255.0" 10.64.0.204 255.255.255.0
    set address "Trust" "10.64.0.205/255.255.255.0" 10.64.0.205 255.255.255.0
    set address "Trust" "10.64.0.206/255.255.255.0" 10.64.0.206 255.255.255.0
    set address "Trust" "10.64.0.207/255.255.255.0" 10.64.0.207 255.255.255.0
    set address "Trust" "RDP_Nodule_X(forgot which this is while making edits)" GLOBAL.IP 255.255.255.255
    set address "Untrust" "10.64.0.112/255.0.0.0" 10.64.0.112 255.0.0.0
    set address "Untrust" "10.64.0.112/255.255.255.0" 10.64.0.112 255.255.255.0
    set address "Untrust" "10.64.0.133/255.0.0.0" 10.64.0.133 255.0.0.0
    set address "Untrust" "10.64.0.133/255.255.255.0" 10.64.0.133 255.255.255.0
    set address "Untrust" "10.64.0.136/255.0.0.0" 10.64.0.136 255.0.0.0
    set address "Untrust" "10.64.0.136/255.255.255.0" 10.64.0.136 255.255.255.0
    set address "Untrust" "10.64.0.137/255.0.0.0" 10.64.0.137 255.0.0.0
    set address "Untrust" "10.64.0.139/255.0.0.0" 10.64.0.139 255.0.0.0
    set address "Untrust" "10.64.0.139/255.255.255.0" 10.64.0.139 255.255.255.0
    set address "Untrust" "10.64.0.140/255.0.0.0" 10.64.0.140 255.0.0.0
    set address "Untrust" "10.64.0.140/255.255.255.0" 10.64.0.140 255.255.255.0
    set address "Untrust" "10.64.0.141/255.0.0.0" 10.64.0.141 255.0.0.0
    set address "Untrust" "10.64.0.141/255.255.255.0" 10.64.0.141 255.255.255.0
    set address "Untrust" "10.64.0.200/255.0.0.0" 10.64.0.200 255.0.0.0
    set address "Untrust" "10.64.0.200/255.255.255.0" 10.64.0.200 255.255.255.0
    set address "Untrust" "10.64.0.201/255.0.0.0" 10.64.0.201 255.0.0.0
    set address "Untrust" "10.64.0.201/255.255.255.0" 10.64.0.201 255.255.255.0
    set address "Untrust" "10.64.0.202/255.0.0.0" 10.64.0.202 255.0.0.0
    set address "Untrust" "10.64.0.202/255.255.255.0" 10.64.0.202 255.255.255.0
    set address "Untrust" "10.64.0.203/255.0.0.0" 10.64.0.203 255.0.0.0
    set address "Untrust" "10.64.0.203/255.255.255.0" 10.64.0.203 255.255.255.0
    set address "Untrust" "10.64.0.204/255.0.0.0" 10.64.0.204 255.0.0.0
    set address "Untrust" "10.64.0.204/255.255.255.0" 10.64.0.204 255.255.255.0
    set address "Untrust" "10.64.0.205/255.0.0.0" 10.64.0.205 255.0.0.0
    set address "Untrust" "10.64.0.206/255.0.0.0" 10.64.0.206 255.0.0.0
    set address "Untrust" "10.64.0.206/255.255.255.0" 10.64.0.206 255.255.255.0
    set address "Untrust" "10.64.0.207/255.0.0.0" 10.64.0.207 255.0.0.0
    set address "Untrust" "10.64.0.207/255.255.255.0" 10.64.0.207 255.255.255.0
    set address "Untrust" "10.65.0.205/255.255.255.0" 10.65.0.205 255.255.255.0
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 21 from "Untrust" to "Trust"  "Any" "Any" "RDP_Nodule_X()" permit log count
    set policy id 21 disable
    set policy id 21
    exit
    set policy id 19 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "rdp2" permit
    set policy id 19
    exit
    set policy id 1 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "FTP" permit
    set policy id 1
    set service "HTTP"
    set service "HTTPS"
    set service "POP3"
    set service "SMTP"
    set service "FTP-DCP"
    set service "FTP-SSL()"
    set service "POP3-SSL()"
    set service "SMTP-SSL()"
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" nat dst ip 10.64.0.141 permit
    set policy id 2
    exit
    set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 3
    exit
    set policy id 4 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 4
    exit
    set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 5
    exit
    set policy id 6 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "ESSEX RDP()" permit
    set policy id 6
    exit
    set policy id 7 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "BUTLER RDP()" permit
    set policy id 7
    exit
    set policy id 8 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 8
    exit
    set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 9
    exit
    set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "WXPVID02 RDP()" permit
    set policy id 10
    exit
    set policy id 11 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 11
    exit
    set policy id 12 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 12
    exit
    set policy id 13 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 13
    exit
    set policy id 14 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 14
    exit
    set policy id 15 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 15
    exit
    set policy id 16 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" permit
    set policy id 16
    exit
    set policy id 18 from "Untrust" to "Trust"  "VIP(ethernet3)" "Any" "ANY" permit
    set policy id 18 disable
    set policy id 18
    exit
    set policy id 20 name "Test" from "Untrust" to "Trust"  "VIP(ethernet3)" "RDP_Nodule_X" "ANY" nat dst ip 10.64.0.141 permit
    set policy id 20 disable
    set policy id 20
    exit
    set policy id 22 from "Untrust" to "Trust"  "Any" "Any" "RDP_Nodule_X()" permit
    set policy id 22
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt bulkcli reboot-wait 0
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 gateway DEFAULT.GATEWAY
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    I hope we solve this, so I can document it for people in the future who have this problem. I could not solve it with Google. Thanks for your time.
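An added consistency check (not from the thread or from Juniper) for a ScreenOS config in the shape posted above: each VIP must name a defined service whose dst-port covers the VIP port, each policy must name a defined service, and a `nat dst` on a `VIP(...)` destination is flagged as redundant. Assumptions: the predefined service ports in PREDEFINED, the constructed sample lines (straight quotes, as ScreenOS prints them), and the reading that a VIP without `manual` is auto-probed by the firewall; the `RDP_Nodule_X()` names in the post are redaction placeholders, which this check would report as undefined.

```python
import re

# Constructed sample in the shape of the posted config (not the full config).
# The last VIP line and the "rdp2" policy are deliberately inconsistent.
SAMPLE_CONFIG = """
set service "FTP-DCP" protocol tcp src-port 1024-65535 dst-port 5000-5000
set service "RDP_Nodule_1()" protocol tcp src-port 1024-65535 dst-port 63375-63375
set service "rdp2_Nodule_17" protocol tcp src-port 0-65535 dst-port 3389-3389
set interface ethernet3 vip untrust 5000 "FTP-DCP" 10.64.0.137 manual
set interface ethernet3 vip untrust 63375 "RDP_Nodule_1()" 10.64.0.141 manual
set interface ethernet3 vip untrust 58203 "RDP_Nodule_11()" 10.64.0.203
set interface ethernet3 vip untrust 3389 "FTP-DCP" 10.64.0.141 manual
set policy id 19 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "rdp2" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_1()" nat dst ip 10.64.0.141 permit
"""

# Predefined ScreenOS service names used on the page; ports are assumed here.
PREDEFINED = {"FTP": 21, "HTTP": 80, "HTTPS": 443, "POP3": 110, "MAIL": 25, "SMTP": 25, "ANY": None}

SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol \w+ src-port \d+-\d+ dst-port (\d+)-(\d+)$')
VIP_RE = re.compile(r'^set interface \S+ vip \S+ (\d+) "([^"]+)" (\S+)( manual)?$')
POLICY_RE = re.compile(r'^set policy id (\d+) from "[^"]+" to "[^"]+"\s+"[^"]+" "([^"]+)" "([^"]+)"(.*)$')


def audit(config_text):
    """Cross-check service, VIP and policy lines; return a list of finding strings."""
    lines = config_text.strip().splitlines()
    # First pass: custom services plus the assumed predefined ones, as (lo, hi) dst-port ranges.
    services = {n: (int(lo), int(hi)) for n, lo, hi in (m.groups() for m in map(SERVICE_RE.match, lines) if m)}
    services.update({n: (p, p) for n, p in PREDEFINED.items() if p})
    findings = []
    for line in lines:
        m = VIP_RE.match(line)
        if m:
            port, svc, host, manual = int(m.group(1)), m.group(2), m.group(3), m.group(4)
            if svc not in services and svc not in PREDEFINED:
                findings.append(f"vip {port}: service {svc!r} is not defined")
            elif svc in services and not services[svc][0] <= port <= services[svc][1]:
                findings.append(f"vip {port}: service {svc!r} dst-port {services[svc]} does not cover {port}")
            if not manual:  # assumed: without 'manual' ScreenOS auto-probes the server
                findings.append(f"vip {port}: no 'manual' keyword, server {host} will be probed for liveness")
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, dst, svc, rest = m.groups()
            if svc not in services and svc not in PREDEFINED:
                findings.append(f"policy {pid}: service {svc!r} is not defined")
            if dst.startswith("VIP(") and "nat dst" in rest:
                findings.append(f"policy {pid}: nat dst on a VIP destination is redundant")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```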



  • Yep, every device has a limit on how many VIPs/MIPs/DIPs can be configured. Depending on the model number of your firewall, check the device details.



  • Do these devices have a limit to how many items can be configured per VIP?
    (i.e., I have configured 3 items per port forward: a service, a VIP, and a policy.)

    Now, when I am configuring new policies, lines of my configuration are being replaced… So is there some kind of limit here?



  • Can you paste the debug?



  • Now we've got a working configuration. All I've done is create services, create VIPs, and create policies. Now we are getting a TCP RESET in the debug filter.



    1. Thanks for posting the log. Can you run a debug and paste the same as well?
      http://kb.juniper.net/InfoCenter/index?page=content&id=KB12208 -  This link will help you out on setting up the debug and stopping the same.
      You can use the below filters to filter the debug.
      set ff dst-ip 216.41.209.86 and dst-port 63375
      set ff dst-ip 10.64.0.141 and dst-port 63375

    2. I noticed in your config you have additionally created a nat-dst policy. Any particular reason for the same, as you are already using a VIP to publish your inside server publicly? I would suggest removing the below policy: "unset policy id 2".

    set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "RDP_Nodule_X()" nat dst ip 10.64.0.141 permit
    set policy id 2
    exit

    3. Since you have configured multiple VIPs, are all the VIPs having the issue, or is it just this particular VIP listening on port 63375?


  • Thanks for looking at this. I will be here the rest of the day. 🙂

    DEBUG:

    STAMP: 2013-12-24 14:50:31
    SOURCE ADDRESS / PORT 74.138.199.147:52530
    DESTINATION ADDRESS / PORT 216.41.209.86:63375
    TRANSLATED SOURCE ADDRESS / PORT 74.138.199.147:52530
    TRANSLATED DESTINATION ADDRESS / PORT 10.64.0.141:63375
    SERVICE TCP PORT 63375
    DURATION 21 sec.
    BYTES SENT 206
    BYTES RECEIVED 0
    CLOSE REASON: Close - AGE OUT



  • magnus-

    Can you paste the debug here? You can strike off the IPs or mask them as xxxx/yyyy/zzzz for src and VIP/real destination respectively.



  • Marty:

    On debugging the policy, I am receiving the message that the IP / Port translation works (at least it says here that it's coming in and going out how I want it to…)

    However, it says that the connection closes, or "ages out."

    So, no TCP handshake, and no session is established.



  • I see you are using VIP as Untrust and using port redirection from Untrust to Trust. I don't know what model of device you are using; hope it is able to support this many VIPs. Normally the SOHO ones were able to support only 5-6 VIPs, but as per your config it seems you were able to configure this many, hence you are good to go.

    What is the issue you are facing? From the internet/external/untrust side, are you unable to connect to any of the VIPs on the respective ports?

    Can you do a debug and post the output? Filter the debug with the VIP and the respective port that you were trying to connect to.


 
