Access to Mail Server behind Netscreen5GT (Solved)



  • Hello Forum,

    We are completely new users to Juniper and NetScreen, with a new Netscreen 5GT ADSL as it is out of the box (I checked the NAT box in the startup wizard). It would be great if I could get some assistance with setup please…

    • We have a single NS5GT set in Untrust/Trust mode.
    • Our DSL provider assigns us a fixed IP when we authenticate (with PPPoA).
    • Windows Server 2003 running exchange in the Trusted zone on 192.168.1.1.
    • Internet-based mail service that receives mail and forwards to our external fixed IP.

    What I need to do is allow port 25 on the external (DSL) interface through to port 25 on the Exchange server. Can someone point me in a starting direction here please?

    Thanks and much appreciated.

    Simon



  • Thanks for the support! I have this all working as expected now!! Here were my final settings:

    set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389

    set interface trust ip 192.168.1.254/24

    set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
    set interface adsl1 vip untrust 3389 "RDP" 192.168.1.1 (note that the RDP wasn't working before as I had not put in this VIP, I just had the mail one)

    set address "Trust" "EXCHServ" 192.168.1.1 255.255.255.255
    set address "Untrust" "ISPMailServer" 203.109.1XX.XXX 255.255.255.255
    set address "Untrust" "RDPAllowedHost" 203.167.1XX.XXX 255.255.255.255

    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2 name "MAIL" from "Untrust" to "Trust" "ISPMailServer" "VIP::1" "MAIL" permit log
    set policy id 3 name "RDP" from "Untrust" to "Trust" "RDPAllowedHost" "VIP::1" "RDP" permit log



  • that should work



  • @kalex:

    the source port on RDP is not 3389, it's actually a random port. Destination is 3389

    Ahh… This is now:

    set service "RDP" protocol tcp src-port 1-65535 dst-port 3389-3389

    Thanks for the tip. Simon



  • @Amorphous:

    First off, I'd say your way of naming address objects is confusing - use a friendly name such as 'My Mail Server' rather than '192.168.1.1/32', which is prone to problems when the IP gets changed but the label stays the same and you forget, etc. It is also hard to read in a config file.

    You have the 203.108.x.x address defined twice, in the Trust and Untrust zones - it should only be in the Untrust zone. Don't set an address in both zones - it does allow you to for some reason, but don't do it. It should be obvious: all Trust zone addresses will be 192.168.1.x hosts, and Untrust zone addresses will be the real IPs of the hosts you want to allow access for.

    OK… Taken on board. Is this correct, taking into account your reply above?:

    set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
    set address "Untrust" "ISP Mail Server" 203.109.1xx.xxx 255.255.255.255
    set address "Untrust" "RDP Allowed Host" 203.167.1xx.xxx 255.255.255.255

    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2 name "MAIL" from "Untrust" to "Trust" "ISP Mail Server" "VIP::1" "MAIL" permit log
    set policy id 3 name "RDP" from "Untrust" to "Trust" "RDP Allowed Host" "VIP::1" "RDP" permit log

    @Amorphous:

    Are you getting all your mail from just one external server (e.g. your ISP mail server is forwarding to you) rather than receiving mail from any random SMTP host? I assume so, as you haven't selected 'ANY' as the source for the MAIL policy, but you say it's all working.

    Yep!

    Thanks

    Simon



  • the source port on RDP is not 3389, it's actually a random port. Destination is 3389



  • Hi,

    First off, I'd say your way of naming address objects is confusing - use a friendly name such as 'My Mail Server' rather than '192.168.1.1/32', which is prone to problems when the IP gets changed but the label stays the same and you forget, etc. It is also hard to read in a config file.

    You have the 203.108.x.x address defined twice, in the Trust and Untrust zones - it should only be in the Untrust zone. Don't set an address in both zones - it does allow you to for some reason, but don't do it. It should be obvious: all Trust zone addresses will be 192.168.1.x hosts, and Untrust zone addresses will be the real IPs of the hosts you want to allow access for.

    Are you getting all your mail from just one external server (e.g. your ISP mail server is forwarding to you) rather than receiving mail from any random SMTP host? I assume so, as you haven't selected 'ANY' as the source for the MAIL policy, but you say it's all working.



  • We are getting ahead now! I have the mail VIP working sweet! The remote desktop is not working correctly and I think I know why, but need someone to confirm it for me:

    Here is the custom service for RDP:

    set service "RDP" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60

    Here are the VIPS:

    set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
    set interface adsl1 vip untrust 3389 "RDP" 192.168.1.1

    Here are the policies:

    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2 name "RDP" from "Untrust" to "Trust" "203.167.1XX.XX/32" "VIP::1" "RDP" permit log
    set policy id 3 name "MAIL" from "Untrust" to "Trust" "203.109.1XX.XX/32" "VIP::1" "MAIL" permit log

    I think my issue is here:

    set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
    set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255

    set address "Untrust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
    set address "Untrust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255

    The external mail server is 203.109.1XX.XX, which works through to 192.168.1.1.

    The IP that is allowed access to the Remote Desktop service on 192.168.1.1 is 203.167.1XX.XX - Is this supposed to be listed in the above as well, e.g:

    set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
    set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
    set address "Trust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255 (new line)

    NEARLY THERE!

    Thanks for the help so far!

    Simon



  • Hi, it's like this with Netscreen - and most firewalls: there's just one little thing wrong somewhere and it flops.

    To confirm:

    • You want to direct MAIL and RDP to 192.168.1.1 using VIPs
    • You are using the static ADSL IP to accept and forward these services

    1. I can’t see a policy for outbound traffic, which you should have, e.g.:

    set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit

    (Your ID will be different, but just add a 'Trust to Untrust' policy with service 'Any', and test this works by browsing the Internet)

    2. Looking at the MAIL policy line you have:

    set policy id 1 name "mail" from "Trust" to "Untrust" "203.109.1XX.X/32" "VIP::1" "MAIL" permit log

    This is going the wrong way. It's saying MAIL is going from Trust to Untrust. It should be from UNTRUST to TRUST using your VIP. So remove it from the Trust->Untrust policy list and recreate it in the Untrust->Trust policy list.

    The VIP setup looks ok - but I can't read these log commands easily - too many lines. I prefer the GUI.

    So, you setup:

    • the VIP mappings (looks ok)
    • have an outbound (Trust->Untrust) policy to allow 'All' data out (refine down to specific outbound services like Mail etc. later)
    • set up two inbound (Untrust->Trust) policies for Mail and RDP using the VIP

    Make those changes and see what you get.

    Note that if you have spare IP addresses I tend to use MIPs - they generate less waffle in the log and are a tad more flexible, but you do need a free real IP. I only use VIPs where there is only one real IP (that of the ADSL interface) available.
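A config lint for the three mistakes this reply points out (wrong policy direction for the VIP, missing outbound policy, one host defined as an address object in two zones) plus the RDP source-port mistake raised later in the thread, all of which the final settings at the top of the thread fix. This is an added example, not code from the thread or from Juniper; it assumes the ScreenOS 5.x command layout with straight quotes and uses constructed documentation IPs.

```python
# Added example, not from the thread or from Juniper: lint a ScreenOS 5.x config
# for the VIP mistakes discussed above. Only "set service", "set address" and
# "set policy" lines are parsed; the regexes assume straight quotes.
import re

SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol tcp src-port (\d+)-(\d+) dst-port (\d+)-(\d+)')
ADDRESS_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) \S+')
POLICY_RE = re.compile(r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"'
                       r' "([^"]+)" "([^"]+)" "([^"]+)" (\w+)')

def lint(config):
    services, zones_by_ip, policies = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := SERVICE_RE.match(line):
            services[m[1]] = tuple(int(x) for x in m.groups()[1:])
        elif m := ADDRESS_RE.match(line):
            zones_by_ip.setdefault(m[3], set()).add(m[1])  # host IP -> zones it is defined in
        elif m := POLICY_RE.match(line):
            policies.append(m.groups())
    findings = []
    # 1. custom service pinned to one high source port: clients connect from ephemeral ports
    for name, (slo, shi, _dlo, _dhi) in services.items():
        if slo == shi and slo > 1023:
            findings.append(f'service {name}: src-port {slo}-{shi} should be 1-65535')
    # 2. the same host defined as an address object in more than one zone
    for ip, zones in zones_by_ip.items():
        if len(zones) > 1:
            findings.append(f'address {ip}: defined in zones {sorted(zones)}, keep one')
    # 3. a policy whose destination is a VIP must run Untrust -> Trust
    # 4. an outbound Trust -> Untrust permit-all policy must exist
    outbound = False
    for pid, src, dst, s_addr, d_addr, svc, action in policies:
        if (src, dst, s_addr, d_addr, action) == ('Trust', 'Untrust', 'Any', 'Any', 'permit'):
            outbound = True
        if d_addr.startswith('VIP::') and (src, dst) != ('Untrust', 'Trust'):
            findings.append(f'policy {pid}: destination {d_addr} but direction {src}->{dst}')
    if not outbound:
        findings.append('no Trust->Untrust "Any" "Any" "ANY" permit policy: outbound traffic blocked')
    return findings

# Constructed sample reproducing the thread's mistakes (documentation IPs, not real ones).
BROKEN = '''
set service "rdp" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60
set address "Trust" "203.0.113.10/32" 203.0.113.10 255.255.255.255
set address "Untrust" "203.0.113.10/32" 203.0.113.10 255.255.255.255
set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
set policy id 1 name "mail" from "Trust" to "Untrust" "203.0.113.10/32" "VIP::1" "MAIL" permit log
'''
FINDINGS = lint(BROKEN)  # four findings for the sample above
```

Run it against a "get config" dump pasted into a file; a clean result on the final settings from the top of the thread means none of the four checked mistakes is present.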



  • @Amorphous:

    Hi, yes you are on OS 5 documentation.

    Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.

    OK… Would someone please take a look at the config and suggest where I have gone wrong here? We are trying to add a VIP from the ADSL => Trusted (192.168.1.1) for both MAIL (25) from one external IP and RDP (3389) from another external IP. Config here:

    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set service "rdp" protocol tcp src-port 3389-3389 dst-port 3389-3389 timeout 60
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set admin name "netscreen"
    set admin password "XXXXXXXXXXX"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "adsl1" pvc 0 100 mux vc zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 192.168.1.254/24
    set interface trust nat
    set interface adsl1 ip 203.109.2XX.XX/32 (This is our DSL IP address)
    set interface adsl1 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface adsl1 ip manageable
    set interface adsl1 vip untrust 25 "MAIL" 192.168.1.1
    set interface adsl1 vip untrust 3389 "rdp" 192.168.1.1
    set flow tcp-mss
    set hostname ns5gt-adsl
    set dns host dns1 203.0.178.191
    set dns host dns2 203.109.252.43
    set address "Trust" "192.168.1.1/32" 192.168.1.1 255.255.255.255
    set address "Trust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255
    set address "Untrust" "203.109.1XX.XX/32" 203.109.1XX.XX 255.255.255.255 (External IP with access MAIL)
    set address "Untrust" "203.167.1XX.XX/32" 203.167.1XX.XX 255.255.255.255 (External IP with access RDP)
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set policy id 2 name "rdp" from "Untrust" to "Trust" "203.167.1XX.X/32" "192.168.1.1/32" "rdp" permit log
    set policy id 1 name "mail" from "Trust" to "Untrust" "203.109.1XX.X/32" "VIP::1" "MAIL" permit log
    set pppoa name "adsl1" username "ourdslusername@isp.com" password "XXXXXXXXXXXXXXXXX"
    set pppoa name "adsl1" interface adsl1
    set global-pro policy-manager primary outgoing-interface adsl1
    set global-pro policy-manager secondary outgoing-interface adsl1
    set ssh version v2
    set config lock timeout 5
    set ntp server "0.0.0.0"
    set ntp server backup1 "0.0.0.0"
    set ntp server backup2 "0.0.0.0"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit

    Thanks!!! Simon



  • @Amorphous:

    Hi, yes you are on OS 5 documentation.

    Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.

    Thanks for that!.. I'm a little confused here. The documentation talks about adding a VIP to the untrusted interface. As this is an ADSL unit as well… Is the untrusted interface the ADSL interface? Or are they separate?

    Simon



  • Hi, yes you are on OS 5 documentation.

    Your VIP outline sounds fine - forwarding the MAIL service (port 25) to your internal server.



  • @MaxPipeline:

    If using webUI look on the main page near top-left corner. If CLI then get system.

    I've got:

    Hardware Version: 1010(0)
    Firmware Version: 5.0.0r6.e (Firewall+VPN)

    Does this mean that we are using v5.0.0 ScreenOS, docs here?:
    http://www.juniper.net/techpubs/software/screenos/screenos5x/index.html



  • @MaxPipeline:

    Sounds like you need to configure a VIP

    Cool - had a read through… A quick couple of questions please:

    Because we have an ADSL version of the 5GT, is our interface in the untrusted zone the static IP that is assigned by our ISP? If this is the case, I need to do the following:

    1).

    Virtual IP: 203.109.xxx.xx (our ISP assigned static IP)
    Virtual Port: 25
    Map to Service: MAIL (25)
    Map to IP: 192.168.1.1 (Internal Exchange Server)

    2).

    Source Address: IP.OF.THE.EXTERNAL.MAIL.SERVER
    Destination Address: VIP(192.168.1.1)
    Service: MAIL
    Action: Permit

    Have i got this correct?

    Thanks

    Simon



  • If using webUI look on the main page near top-left corner. If CLI then get system.



  • @MaxPipeline:

    Sounds like you need to configure a VIP. Refer to the Concepts & Examples guide here:

    http://www.juniper.net/techpubs/software/screenos/

    Select the document based on your current ScreenOS version. In particular refer to the NAT guide.

    Thanks for the pointers. I'll have a look through the docs as above.

    Question: Is there an easy way to find out what version of ScreenOS we are running?

    Thanks

    Simon



  • Sounds like you need to configure a VIP. Refer to the Concepts & Examples guide here:

    http://www.juniper.net/techpubs/software/screenos/

    Select the document based on your current ScreenOS version. In particular refer to the NAT guide.

