Cannot reset netscreen ssg5



  • Hello there,
    I just got a Juniper SSG5 firewall today, and I wanted to configure it in transparent mode. I connected it to my laptop on ethernet 0/2, the laptop got its IP from the Juniper DHCP server, all fine, I went through the settings, configured policies etc. Finally, I had to reset it to the default settings. I made sure I pressed the pinhole for 6 seconds, waited for 2, then pressed for another 6 seconds. The sequence of blinking was like in the guide, but I could not connect anymore to 192.168.1.1. I tried the reset sequence at least 3-4 times, each time with the same result. My computer has a static IP in the 192 range (DHCP does not work now, /release and /renew don't do anything), and I cannot connect to it, or ping it, or telnet. I restarted the computer and enabled/disabled the network connection. I will try tomorrow to connect through a serial cable, the last resort. I don't know what could have happened there, maybe I am doing something wrong…
    Any ideas? Thanks very much.



  • You can also type unset all, or simply log in with the serial # to do a factory reset.



  • Thank you very much Max and Greg. I am testing it right now, I am on a good path 😉



  • A little trick: be sure to unassign the IP address on bgroup0; to manage the firewall you need to assign the IP to vlan1.

    Here is a sample config you can paste in. Change the IP 1.1.1.1/21 to your IP and 5.5.5.5 to your gateway and this will get you going. Hope this helps!

    unset interface bgroup0 ip
    set clock ntp
    set clock timezone -5
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen icmp-flood
    set zone "V1-Untrust" screen udp-flood
    set zone "V1-Untrust" screen winnuke
    set zone "V1-Untrust" screen port-scan
    set zone "V1-Untrust" screen ip-sweep
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ip-spoofing
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set zone "V1-Untrust" screen syn-frag
    set zone "V1-Untrust" screen tcp-no-flag
    set zone "V1-Untrust" screen unknown-protocol
    set zone "V1-Untrust" screen ip-bad-option
    set zone "V1-Untrust" screen ip-record-route
    set zone "V1-Untrust" screen ip-timestamp-opt
    set zone "V1-Untrust" screen ip-security-opt
    set zone "V1-Untrust" screen ip-loose-src-route
    set zone "V1-Untrust" screen ip-strict-src-route
    set zone "V1-Untrust" screen ip-stream-opt
    set zone "V1-Untrust" screen icmp-fragment
    set zone "V1-Untrust" screen syn-fin
    set zone "V1-Untrust" screen fin-no-ack
    set zone "V1-Untrust" screen syn-ack-ack-proxy
    set zone "V1-Untrust" screen icmp-id
    set interface "ethernet0/0" zone "V1-Untrust"
    set interface "ethernet0/1" zone "V1-Trust"
    set interface "bgroup0" zone "V1-Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    set interface vlan1 ip 1.1.1.1/21
    set interface vlan1 nat
    set interface "vlan1" pmtu ipv4
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    unset interface vlan1 manage telnet
    set interface vlan1 manage mtrace
    set zone V1-Untrust manage ping
    set zone V1-Untrust manage ssh
    set zone V1-Untrust manage snmp
    set zone V1-Untrust manage ssl
    set zone V1-Untrust manage web
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface vlan1 gateway 5.5.5.5
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    save
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit



  • To put the device in transparent mode, you need to put all interfaces into the V1-Trust or V1-Untrust zones. By default the Trust and Untrust zones are used, which are considered layer 3 zones. V1-Trust and V1-Untrust are predefined layer 2 zones.

    A couple of other notes. If you want custom layer 2 zones, the zone name must begin with L2 (example: L2-customzone). Also, you cannot mix transparent and NAT/route modes on one box. Either all interfaces belong to layer 2 zones or all belong to layer 3 zones. The configuration is allowed, but you will not get any support from JTAC if something doesn't work right, because Juniper officially doesn't support mixed modes.
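An added worked example, not taken from any post in this thread: the sequence the two posts above describe (strip the IP from bgroup0, move every port into the layer 2 zones, manage the box through vlan1), typed at the ScreenOS console of an SSG5 that is still at factory defaults, plus the policies that decide whether a ping between the two test machines actually passes. The management address 192.168.1.250/24, the gateway 192.168.1.254, the server address 203.0.113.10 and the address-book name "server" are assumed placeholders; substitute your own. If ethernet0/0 was left configured as a DHCP client, remove that first, since an interface can only change zone once it carries no address.

```screenos
unset interface bgroup0 ip
unset interface ethernet0/0 ip
set interface ethernet0/0 zone V1-Untrust
set interface bgroup0 zone V1-Trust
set interface vlan1 ip 192.168.1.250/24
set interface vlan1 manage ping
set interface vlan1 manage ssh
set interface vlan1 manage web
set zone V1-Trust manage ping
set zone V1-Trust manage ssh
set zone V1-Trust manage web
set zone V1-Untrust manage ping
set route 0.0.0.0/0 interface vlan1 gateway 192.168.1.254
set address V1-Trust "server" 203.0.113.10 255.255.255.255
set policy from V1-Trust to V1-Untrust Any Any ICMP-ANY permit
set policy from V1-Untrust to V1-Trust Any "server" ICMP-ANY permit
set policy from V1-Trust to V1-Untrust "server" Any ANY permit
set policy from V1-Untrust to V1-Trust Any "server" HTTP permit log
save
get interface
get zone
get policy
```

The vlan1 address is only for reaching the firewall itself; in transparent mode the box bridges frames between ethernet0/0 and the bgroup0 ports, so the server keeps its public address and vlan1 should sit in that same segment. Check in the output of get interface that ethernet0/0 and bgroup0 show the V1 zones with no IP and that get policy lists all four rules; if the ping from the outside machine still fails, get policy id N on the matching rule shows whether traffic reached it at all.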



  • Thanks Greg, the console did the trick, and no, the device didn't reset those 5 times. In the console I saw the messages, waiting for the second push etc. You need to press it in a certain way; it took me 10 minutes to reset the bloody thing 🙂

    Now I am trying to configure the NS SSG5 in transparent mode, and I cannot get it right. First, all the guides clearly say NAT, Route, Transparent, but there is no Transparent option on Interfaces. It is simple: I have a server with a public IP, which will connect to ethernet 0/2, then ethernet 0/0 is the untrust zone, going outside to the ISP network.
    I have added the IP of my server on the trusted zone, I have configured eth0/0 to have a manageable IP on the same network as my server, and I have 2 computers for testing (one connected to eth0/0, being the outside world, and the 2nd has the IP of my server, connected to eth0/2).
    I cannot communicate between them 😞
    I cannot even ping in/out (rules were created to allow ping/ICMP).
    In the Interfaces list I have configured ethernet 0/0 with the manageable IP, but when I want to edit the properties of bgroup0 (where ethernet 0/2 belongs), it does not let me put any IP on it, nor on vlan1.
    I don't know what to do anymore, other than reset it again 😉 and start again.
    Thanks a lot



  • Connect to the serial port. I normally use the serial number to reset to the default configuration.

    Greg

