Access to Mail Server behind Netscreen5GT (Solved)
-
Hello Forum,
We are a completely new user to Juniper and NetScreen with a new Netscreen 5GT ADSL as it is out of the box (I checked the NAT box in the startup wizard). It would be great if I could get some assistance with setup please…
- We have a single NS5GT set in Untrust/Trust mode.
- Our DSL provider assigns us a fixed IP when we authenticate (with PPPoA).
- Windows Server 2003 running exchange in the Trusted zone on 192.168.1.1.
- Internet-based mail service that receives mail and forwards to our external fixed IP.
What I need to do is allow port 25 on the external (DSL) interface through to port 25 on the Exchange server. Can someone point me in a starting direction here please?
Thanks and much appreciated.
Simon
-
Thanks for the support! I have this all working as expected now!! Here are my final settings:
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389
set interface trust ip 192.168.1.254/24
set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
set interface adsl1 vip untrust 3389 "RDP" 192.168.1.1
(Note that the RDP wasn't working before as I had not put in this VIP, I just had the mail one.)
set address "Trust" "EXCHServ" 192.168.1.1 255.255.255.255
set address "Untrust" "ISPMailServer" 203.109.1XX.XXX 255.255.255.255
set address "Untrust" "RDPAllowedHost" 203.167.1XX.XXX 255.255.255.255
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "MAIL" from "Untrust" to "Trust" "ISPMailServer" "VIP::1" "MAIL" permit log
set policy id 3 name "RDP" from "Untrust" to "Trust" "RDPAllowedHost" "VIP::1" "RDP" permit log
-
that should work
-
The source port on RDP is not 3389, it's actually a random port. The destination is 3389.
Ahh… This is now:
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389
Thanks for the tip. Simon
-
First off, I'd say your way of naming address objects is confusing - use a friendly name such as 'My Mail Server' rather than '192.168.1.1/32', which is prone to problems when the IP gets changed but the label stays the same but you forget, etc. Also hard to read in a config file.
You have the 203.108.x.x address defined twice, in the Trust and Untrust zones - it should only be in the Untrust zone - don't set an address in both zones - it does allow you to for some reason, but don't do it. It should be obvious - all Trust zone addresses will be 192.168.1.x hosts, and Untrust zone addresses will be the real IPs of the hosts you want to allow access for.
OK… Taken onboard. Is this correct taking into account your reply above?:
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set address "Untrust" "ISP Mail Server" 203.109.1xx.xxx 255.255.255.255
set address "Untrust" "RDP Allowed Host" 203.167.1xx.xxx 255.255.255.255
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "MAIL" from "Untrust" to "Trust" "ISP Mail Server" "VIP::1" "MAIL" permit log
set policy id 3 name "RDP" from "Untrust" to "Trust" "RDP Allowed Host" "VIP::1" "RDP" permit log
Are you getting all your mail from just one external server (e.g. your ISP mail server is forwarding to you) rather than receiving mail from any random SMTP host? I assume so as you haven't selected 'ANY' as the source for the MAIL policy, but you say it's all working.
Yep!
Thanks
Simon
-
The source port on RDP is not 3389, it's actually a random port. The destination is 3389.
-
Hi,
First off, I'd say your way of naming address objects is confusing - use a friendly name such as 'My Mail Server' rather than '192.168.1.1/32', which is prone to problems when the IP gets changed but the label stays the same but you forget, etc. Also hard to read in a config file.
You have the 203.108.x.x address defined twice, in the Trust and Untrust zones - it should only be in the Untrust zone - don't set an address in both zones - it does allow you to for some reason, but don't do it. It should be obvious - all Trust zone addresses will be 192.168.1.x hosts, and Untrust zone addresses will be the real IPs of the hosts you want to allow access for.
Are you getting all your mail from just one external server (e.g. your ISP mail server is forwarding to you) rather than receiving mail from any random SMTP host? I assume so as you haven't selected 'ANY' as the source for the MAIL policy, but you say it's all working.
-
We are getting ahead now! I have the mail VIP working sweet! The remote desktop is not working correctly and I think I know why, but need someone to confirm it to me:
Here is the custom service for RDP:
set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60
Here are the VIPs:
set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
set interface adsl1 vip untrust 3389 "RDP" 192.168.1.1
Here are the policies:
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "RDP" from "Untrust" to "Trust" "203.167.1XX.XX/32" "VIP::1" "RDP" permit log
set policy id 3 name "MAIL" from "Untrust" to "Trust" "203.109.1XX.XX/32" "VIP::1" "MAIL" permit log
I think my issue is here:
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
set address "Untrust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
set address "Untrust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255
The external mail server is 203.109.1XX.XX, which works through to 192.168.1.1.
The IP that is allowed access to the Remote Desktop service on 192.168.1.1 is 203.167.1XX.XX. Is this supposed to be listed in the above as well, e.g.:
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
set address "Trust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255 (new line)
NEARLY THERE!
Thanks for the help so far!
Simon
-
Hi, it's like this with NetScreen - and most firewalls: there's just one little thing wrong somewhere and it flops.
To confirm:
- You want to direct MAIL and RDP to 192.168.1.1 using VIPs
- You are using the static ADSL IP to accept and forward these services
1. I can't see a policy for outbound traffic, which you should have, e.g.:
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
(Your ID will be different, but just add a 'Trust to Untrust' policy with service 'Any', and test this works by browsing the Internet.)
2. Looking at the MAIL policy line you have:
set policy id 1 name "mail" from "Trust" to "Untrust" "203.109.1XX.X/32" "VIP::1" "MAIL" permit log
This is going the wrong way. It's saying MAIL is going from Trust to Untrust. It should be from UNTRUST to TRUST using your VIP. So remove it from the Trust->Untrust policy list and recreate it in the Untrust->Trust policy list.
The VIP setup looks OK - but I can't read these log commands easily - too many lines. I prefer the GUI.
So, you set up:
- the VIP mappings (looks OK)
- an outbound (Trust->Untrust) policy to allow 'All' data out (refine down to specific outbound services like Mail etc. later)
- two inbound (Untrust->Trust) policies for Mail and RDP using the VIP
Make those changes and see what you get.
Note that if you have spare IP addresses I tend to use MIPs - they generate less waffle in the log and are a tad more flexible, but you do need a free real IP. I only use VIPs where there is only one real IP (that of the ADSL interface) available.
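The three mistakes picked out in this thread (a custom service with its source port pinned to 3389, a public address object defined in the Trust zone as well as Untrust, and an inbound policy that either runs Trust to Untrust or names the internal host object instead of the VIP) are all mechanical, so they can be linted. The following is an added example, not code from the thread or from Juniper: a small Python checker that understands only the `set service`, `set interface ... vip`, `set address` and `set policy` forms used in this thread. The two embedded sample configs are constructed from the lines posted here, with the masked octets (1XX.XX) replaced by placeholder values; the check codes and function names are my own.

```python
"""Lint a ScreenOS 5.x config for the VIP and policy mistakes discussed in this thread.
Added example, not code from the thread or from Juniper. Only the 'set' forms
used in the thread are parsed; every other line is ignored."""
import ipaddress
import shlex


def parse(config_text):
    """Collect services, VIPs, address objects and policies from 'set' lines."""
    services, vips, addresses, policies = {}, [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = shlex.split(line)
        if tok[1] == "service":
            # set service "rdp" protocol tcp src-port 3389-3389 dst-port 3389-3389 [timeout 60]
            services[tok[2].lower()] = {"src": tok[tok.index("src-port") + 1],
                                        "dst": tok[tok.index("dst-port") + 1]}
        elif tok[1] == "interface" and "vip" in tok:
            # set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
            i = tok.index("vip")
            vips.append({"port": int(tok[i + 2]), "service": tok[i + 3], "to": tok[i + 4]})
        elif tok[1] == "address":
            # set address "Trust" "name" 192.168.1.1 255.255.255.255
            addresses.append({"zone": tok[2], "name": tok[3], "ip": tok[4]})
        elif tok[1] == "policy":
            # set policy id N [name "x"] from "A" to "B" src dst service action [log]
            f = tok.index("from")
            policies.append({"id": tok[3], "from": tok[f + 1], "to": tok[f + 3],
                             "src": tok[f + 4], "dst": tok[f + 5], "service": tok[f + 6]})
    return services, vips, addresses, policies


def lint(config_text):
    """Return a list of (code, message) findings; an empty list means nothing found."""
    services, vips, addresses, policies = parse(config_text)
    out = []
    # 1. A custom service with a pinned src-port never matches: the client picks an
    #    ephemeral source port, only the destination port is fixed.
    for name, svc in services.items():
        lo, hi = (int(x) for x in svc["src"].split("-"))
        if (lo, hi) not in ((0, 65535), (1, 65535)):
            out.append(("SRC-PORT", f'service "{name}": src-port {svc["src"]} should be 1-65535'))
    # 2. Public IPs belong in Untrust, and one IP should not be defined in two zones.
    zones_by_ip = {}
    for a in addresses:
        zones_by_ip.setdefault(a["ip"], set()).add(a["zone"])
        if a["zone"] == "Trust" and not ipaddress.ip_address(a["ip"]).is_private:
            out.append(("PUBLIC-IN-TRUST", f'{a["ip"]} ("{a["name"]}") is public but defined in Trust'))
    for ip, zones in zones_by_ip.items():
        if len(zones) > 1:
            out.append(("DUP-ADDRESS", f"{ip} is defined in zones {sorted(zones)}"))
    # 3. A policy for a VIP-forwarded service must run Untrust -> Trust and name the
    #    VIP object (VIP::n) as destination, not the internal host's address object.
    vip_services = {v["service"].lower() for v in vips}
    covered = set()
    for p in policies:
        inbound = (p["from"], p["to"]) == ("Untrust", "Trust")
        to_vip = p["dst"].startswith("VIP::")
        if to_vip and not inbound:
            out.append(("VIP-DIRECTION", f'policy {p["id"]}: destination {p["dst"]} but direction '
                        f'is {p["from"]} -> {p["to"]}; recreate it as Untrust -> Trust'))
        elif inbound and not to_vip and p["service"].lower() in vip_services:
            out.append(("VIP-DEST", f'policy {p["id"]}: "{p["service"]}" is forwarded by a VIP, '
                        f'so the destination should be the VIP object, not "{p["dst"]}"'))
        elif inbound and to_vip:
            covered.add(p["service"].lower())
    for v in vips:
        if v["service"].lower() not in covered:
            out.append(("VIP-NO-POLICY", f'VIP port {v["port"]} -> {v["to"]} ("{v["service"]}") '
                        "has no Untrust -> Trust permit policy"))
    # 4. The LAN still needs a way out (the "test by browsing" policy).
    if not any((p["from"], p["to"]) == ("Trust", "Untrust") and p["service"].upper() == "ANY"
               for p in policies):
        out.append(("NO-OUTBOUND", "no Trust -> Untrust policy with service ANY"))
    return out


# Constructed samples based on the configs posted in this thread; the masked
# octets are replaced with placeholder values (assumption).
BROKEN_CONFIG = """
set service "rdp" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60
set interface trust ip 192.168.1.254/24
set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
set interface adsl1 vip untrust 3389 "rdp" 192.168.1.1
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set address "Trust" "203.109.100.10/32" 203.109.100.10 255.255.255.255
set address "Untrust" "203.109.100.10/32" 203.109.100.10 255.255.255.255
set address "Untrust" "203.167.100.20/32" 203.167.100.20 255.255.255.255
set policy id 2 name "rdp" from "Untrust" to "Trust" "203.167.100.20/32" "192.168.1.1/32" "rdp" permit log
set policy id 1 name "mail" from "Trust" to "Untrust" "203.109.100.10/32" "VIP::1" "MAIL" permit log
"""
FIXED_CONFIG = """
set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389
set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
set interface adsl1 vip untrust 3389 "RDP" 192.168.1.1
set address "Trust" "EXCHServ" 192.168.1.1 255.255.255.255
set address "Untrust" "ISPMailServer" 203.109.100.10 255.255.255.255
set address "Untrust" "RDPAllowedHost" 203.167.100.20 255.255.255.255
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "MAIL" from "Untrust" to "Trust" "ISPMailServer" "VIP::1" "MAIL" permit log
set policy id 3 name "RDP" from "Untrust" to "Trust" "RDPAllowedHost" "VIP::1" "RDP" permit log
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for code, msg in lint(cfg):
            print(f"  [{code}] {msg}")
```

Run against the broken sample it reports eight findings (one per mistake the replies above describe, plus the two VIPs left without a usable inbound policy and the missing outbound ANY policy); the fixed sample, which mirrors the final working settings posted at the top of the thread, comes back clean. The checker deliberately treats the ScreenOS predefined MAIL service as opaque, since it is not defined by a `set service` line.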
-
Hi, yes you are on OS 5 documentation.
Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.
OK… Would someone please take a look at the config and suggest where I have gone wrong here? We are trying to add a VIP from the ADSL => Trusted (192.168.1.1) for both MAIL (25) from one external IP and RDP (3389) from another external IP. Config here:
set clock timezone 0
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "rdp" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60
set auth-server “Local” id 0
set auth-server “Local” server-name "Local"
set auth default auth server "Local"
set admin name "netscreen"
set admin password "XXXXXXXXXXX"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "adsl1" pvc 0 100 mux vc zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.1.254/24
set interface trust nat
set interface adsl1 ip 203.109.2XX.XX/32 (This is our DSL IP address)
set interface adsl1 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface adsl1 ip manageable
set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
set interface adsl1 vip untrust 3389 "rdp" 192.168.1.1
set flow tcp-mss
set hostname ns5gt-adsl
set dns host dns1 203.0.178.191
set dns host dns2 203.109.252.43
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
set address "Untrust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255 (External IP with access to MAIL)
set address "Untrust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255 (External IP with access to RDP)
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 2 name "rdp" from "Untrust" to "Trust" "203.167.1XX.X/32" "192.168.1.1/32" "rdp" permit log
set policy id 1 name "mail" from "Trust" to "Untrust" "203.109.1XX.X/32" "VIP::1" "MAIL" permit log
set pppoa name "adsl1" username "ourdslusername@isp.com" password "XXXXXXXXXXXXXXXXX"
set pppoa name "adsl1" interface adsl1
set global-pro policy-manager primary outgoing-interface adsl1
set global-pro policy-manager secondary outgoing-interface adsl1
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
Thanks!!! Simon
-
Hi, yes you are on OS 5 documentation.
Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.
Thanks for that!.. I'm a little confused here. The documentation talks about adding a VIP to the untrusted interface. As this is an ADSL unit as well… Is the untrusted interface the ADSL interface? Or are they separate?
Simon
-
Hi, yes you are on OS 5 documentation.
Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.
-
If using the WebUI, look on the main page near the top-left corner. If CLI, then run get system.
I've got:
Hardware Version: 1010(0)
Firmware Version: 5.0.0r6.e (Firewall+VPN)
Does this mean that we are using v5.0.0 ScreenOS, docs here?:
http://www.juniper.net/techpubs/software/screenos/screenos5x/index.html
-
Sounds like you need to configure a VIP
Cool - had a read through… A quick couple of questions please:
Because we have an ADSL version of the 5GT, is our interface in the untrusted zone the static IP that is assigned by our ISP? If this is the case, I need to do the following:
1).
Virtual IP: 203.109.xxx.xx (our ISP assigned static IP)
Virtual Port: 25
Map to Service: MAIL (25)
Map to IP: 192.168.1.1 (Internal Exchange Server)
2).
Source Address: IP.OF.THE.EXTERNAL.MAIL.SERVER
Destination Address: VIP(192.168.1.1)
Service: MAIL
Action: Permit
Have I got this correct?
Thanks
Simon
-
If using the WebUI, look on the main page near the top-left corner. If CLI, then run get system.
-
Sounds like you need to configure a VIP. Refer to the Concepts & Examples guide here:
http://www.juniper.net/techpubs/software/screenos/
Select the document based on your current ScreenOS version. In particular refer to the NAT guide.
Thanks for the pointers. I'll have a look through the docs as above.
Question: Is there an easy way to find out what version of screenOS we are running?
Thanks
Simon
-
Sounds like you need to configure a VIP. Refer to the Concepts & Examples guide here:
http://www.juniper.net/techpubs/software/screenos/
Select the document based on your current ScreenOS version. In particular refer to the NAT guide.