Using NetScreen to route only public addresses


  • Global Moderator

    You’re right, I calculated in the wrong subnet, but the idea is clear, I think?
    Define a /30 within your /27 range. Make sure not to use the broadcast address of your /30 net and things will be routed!! Make sure the policy allows out. If necessary, test with any any any permit in both directions; that way you’re sure no policies deny traffic. Then set up the real policy. If things still don’t work, do a debug and post the output.



  • switched to ‘home-work’ mode to use e? interfaces.

    You’re suggesting to put the same IP address on both interfaces?

    set int e? ip  34.60.76.130/30

    on the other interface you set 34.60.76.130/27 (int in DMZ zone?)
    set int e? ip 34.60.76.130/27

    If I set up the second interface to .160/27 in route mode, I’m not able to go in/out from e2 (untrust if).


  • Global Moderator

    You start with set vrouter trust-vr ignore-subnet-conflict
    on int1 you set 34.60.76.130/30

    -> set int e? ip  34.60.76.130/30  (int in untrust zone)

    You’re missing 4 IPs to use two, but hey?

    on the other interface you set 34.60.76.130/27 (int in DMZ zone?)

    set int e? ip 34.60.76.130/27

    Your host IP can be between 34.60.76.132 and 34.60.76.158.

    add your default route:

    set route 0.0.0.0/0 gateway 34.60.76.129

    set your interface in route mode

    set int e? route

    and set your policy.

    Should work like this.

    If not, you could drop a personal message with the real config and IPs and I can take a look at it. Also include a "get route" output in that case, please.
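
    The layout described in this reply (whole /27 on the inside interface, a /30 inside it on the untrust interface, same firewall address on both, `ignore-subnet-conflict` on the vrouter) worked through in code, as an added example that is not part of the original thread. It uses the thread’s numbers (34.60.76.128/27, ISP gateway .129); the interface names ethernet1/ethernet2 are placeholders for the ‘e?’ in the post, and the emitted commands follow the ones the reply lists:

```python
"""Work out the layout described above: the whole /27 on the inside
interface and a /30 inside it on the untrust interface, both using the
same firewall address, with 'ignore-subnet-conflict' set on the vrouter.

Added example, not from the original posts. The numbers are the thread's
(34.60.76.128/27, ISP gateway .129); the interface names ethernet1/ethernet2
are placeholders for the 'e?' in the post.
"""
import ipaddress


def plan_split(block: str, isp_gateway: str, small_prefix: int = 30,
               untrust_if: str = "ethernet1", inside_if: str = "ethernet2") -> dict:
    """Return the untrust /30, the firewall address, the usable inside host
    range and the ScreenOS commands that implement the layout."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is not a usable host in {net}")
    # The small subnet towards the ISP is the one that contains the gateway.
    small = ipaddress.ip_network(f"{gw}/{small_prefix}", strict=False)
    if not small.subnet_of(net):
        raise ValueError(f"{small} does not fit inside {net}")
    # The firewall takes the other usable address of that subnet.
    fw_ip = next(h for h in small.hosts() if h != gw)
    # Inside hosts may use any /27 host address that is not consumed by the
    # small subnet (its network, gateway, firewall and broadcast addresses);
    # the /27 network and broadcast are already excluded by hosts().
    usable = [h for h in net.hosts() if h not in small]
    commands = [
        "set vrouter trust-vr ignore-subnet-conflict",
        f"set interface {untrust_if} ip {fw_ip}/{small.prefixlen}",
        f"set interface {untrust_if} route",
        f"set interface {inside_if} ip {fw_ip}/{net.prefixlen}",
        f"set interface {inside_if} route",
        f"set route 0.0.0.0/0 gateway {gw}",
    ]
    return {
        "untrust_net": str(small),
        "firewall_ip": str(fw_ip),
        "inside_first": str(usable[0]),
        "inside_last": str(usable[-1]),
        "inside_count": len(usable),
        "commands": commands,
    }


if __name__ == "__main__":
    plan = plan_split("34.60.76.128/27", "34.60.76.129")
    print(f"untrust {plan['untrust_net']}, firewall {plan['firewall_ip']}, "
          f"inside hosts {plan['inside_first']}-{plan['inside_last']} "
          f"({plan['inside_count']} addresses)")
    print("\n".join(plan["commands"]))
```

    For the thread’s range this gives the untrust /30 as 34.60.76.128/30 with the firewall on .130, and 27 usable inside addresses from .132 to .158, which is the range the reply quotes. The gateway does not have to be the first address of the block: the function picks whichever /30 contains it.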



  • thx screenie, tried and didn’t work …

    so, let’s take a concrete example :

    Let’s say we have : 34.60.76.128/27 available ip’s.
    34.60.76.129 is the gateway.

    Now can you tell me exactly what to set up to be able to route between the trust and untrust interfaces?

    thanks


  • Global Moderator

    When you want to split up one public range into smaller ranges on two interfaces you could do the following:

    set vr trust-vr ignore-subnet-conflict

    Then configure the whole range on one interface and a partial range within the whole range on the other interface.

    It shouldn’t be a big problem to route through the NetScreen!



  • I can’t MIP two public addresses? Otherwise what’s the point of NAT’ing public IPs?

    I enabled debug for NAT and here’s the error:

    ## 2008-01-09 12:02:18 : search gate for if Untrust:x.x.x.129->224.0.0.5,1,1,89
    ## 2008-01-09 12:02:18 : in nat_search_hole, no gate found
    


  • Did you enable ping in the interface section (Network | Interfaces | Trust | Edit)?

    I’m going to backtrack and recommend using a MIP instead - it’ll take about 10 seconds and is much easier. Just map one outside IP to one inside IP and you’re done. Much cleaner.
    Network | Interfaces | Trust | MIP | New | put in the outside & inside IPs. Done.

    Debug is a whole other subject; here’s the short version…

    "debug ?" shows all the possibilities.
    "debug flow basic" and "debug ike detail" (for VPN) are really useful.
    "undebug all" - to turn off debug.
    Best to set a flow filter to focus on the traffic you want (and minimize the performance hit).
    "set ffilter ?" gives the options.
    Flow filters use an OR algorithm if you set multiple filters.
    Debug info is sent to the debug buffer.
    "get db stream" gets the buffer (can be redirected).
    "clear db stream" clears the buffer.
    "get ff" gets the current flow filters.
    "clear ff" clears the flow filters. Repeat as needed.

    For you…
    "clear db s"
    set up a filter
    "debug flow basic"
    generate traffic
    "get db s"



  • Of course, I’d be just ‘sooo’ happy if it worked with that simple ‘all permitting’ config; I’ll do security later (that server is not even in production, just testing labs).

    Now, right, changed to:

    
    set interface trust ip x.x.x.161/27
    set interface trust nat
    set interface untrust ip x.x.x.132/27
    set interface untrust route
    set interface untrust gateway x.x.x.129
    set vrouter "untrust-vr"
    set route x.x.x.162/32 interface trust
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    
    

    host is set up to :

    
    iface x.x.x.162 / 27
    gateway x.x.x.161
    
    

    and still … not working…

    Note: pinging .161 from the Internet doesn’t work either.

    Isn’t there any verbose debugging mode to see what’s happening behind the scenes?



  • You need to create real policies.
    From trust only allow what is needed outbound. Why expose Windows shares?
    From untrust only allow what is needed inbound - e.g. DNS, SMTP, HTTP, and lock it down to a destination IP.

    Set untrust to route, trust to NAT.
    Use a host route for the server, not a network route, and use an interface…
    set route A.B.C.129 /32 interface trust



  • Right, policy is set to:

    permit any to any from trust to untrust
    permit any to any from untrust to trust

    That should work, right?

    Trust is set to ‘nat’ mode (if I set it to ‘route’, the host on the trust side can’t go out).
    Untrust is set to ‘route’ mode.

    I set up a route on untrust:

    set vrouter "untrust-vr"
    set route x.x.x.160/27 vrouter "trust-vr" preference 20 metric 1
    exit
    
    

    But guess … still not able to reach the host from the cold outside world  😞



  • All you need is a policy and a route to the inside IP; no MIP required.



  • Thanks for the reply, but I don’t want to use private addresses but public addresses on both sides of the firewall. Is that possible?

    As suggested, by splitting the 64 pool into two of 32, one on each side of the interface (first 32 to untrust, last 32 to trust), and then routing traffic between them.

    That’s my point  🙂



  • Great, your config looks fine. Put it back in route/nat mode - this is the easiest.

    If you are using real IPs for the external (not 192.168.x.x) then a MIP would work fine.
    There’s various tradeoffs with VIP, DIP, and MIPs - just depends what you’re doing.

    Just set a MIP to one of your external addresses and map it to an internal address, then create a policy to allow some service to the MIP. Here’s a few lines from my config.

    set interface "ethernet0/0" mip 208.201.244.194 host 192.168.1.2 netmask 255.255.255.255 vr "trust-vr"
    set policy id 3 from "Untrust" to "Trust" "Any" "MIP(208.201.244.194)" "DNS" permit

    You want to get rid of that ANY/ANY from the Untrust to the Trust - that exposes your whole network to the Internet.

    Two MIPs are no big deal, again, depends what you’re doing. A VIP might work for you too.



  • Got something working out (this firewall is still a dark mystery to me):

    trust x.x.x.161/27 (nat)
    untrust x.x.x.132/27 (route) (default route to isp’s gw)

    Policies to permit anything from untrust to trust, and trust to untrust.

    I’m able to ‘go out’ from trust to the outside world but not back from the outside world to the host.

    • Setting both to (route) mode doesn’t work.

    Should I add a MIP? MIP’ing two public addresses seems stupid to me.



  • Still not …

    Server in the trust area is set to: x.x.x.162/27, gateway x.x.x.161
    untrust in NAT mode

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set ignore-subnet-conflict
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    unset zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    set zone "VLAN" block 
    unset zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip x.x.x.161/27
    set interface trust route
    set interface untrust ip x.x.x.132/27
    set interface untrust nat
    set interface untrust gateway x.x.x.129
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface untrust manage-ip x.x.x.133
    set interface trust ip manageable
    unset interface untrust ip manageable
    set interface untrust manage ping
    set interface untrust manage ssh
    set interface untrust manage telnet
    set interface untrust manage snmp
    set interface untrust manage ssl
    set interface untrust manage web
    set interface untrust manage mtrace
    set interface untrust vip untrust
    set interface trust dhcp server service
    set interface trust dhcp server auto
    unset interface trust dhcp server config next-server-ip
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 x.x.x.140 src-interface untrust
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
    set policy id 1
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt bulkcli reboot-wait 0
    set ssh version v2
    set config lock timeout 5
    set ntp server "x.x.x.x"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface untrust gateway x.x.x.129 preference 20 permanent
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    
    


  • Both interfaces are in route mode. If you do this you will need to NAT the outgoing packets to the egress IP.
    Alternatively “set interface untrust nat” and let the 5GT do it for you.
    I assume you also fixed the routing…
    set route 0.0.0.0/0 interface untrust gateway x.x.x.129
    Make sure you “unset” any earlier stuff (get conf | i 0.0.0.0)

    If it still doesn’t work repost the config



  • Okay, split the network into /27s:

    
    set interface trust ip x.x.x.161/27
    set interface trust route
    set interface untrust ip x.x.x.132/27
    set interface untrust route
    set interface untrust gateway x.x.x.129
    
    

    Put .161 as the gateway on the server that’s on the trust side, and its IP to .162.
    Still not working.

    
    ns5gt-> ping x.x.x.129 from trust
    Type escape sequence to abort
    
    Sending 5, 100-byte ICMP Echos to x.x.x.129, timeout is 1 seconds from trust
    .....
    Success Rate is 0 percent (0/5)
    
    


  • these two networks overlap
    set interface trust ip X.X.X.134/26
    set interface untrust ip X.X.X.132/26

    I don’t think that’s going to work. I think the intention was to split the 64 IPs into two blocks of 32, e.g.
    192.168.1.1 /27
    192.168.1.33 /27
    You need unique “trust” and “untrust” networks for routing to work.

    set route 0.0.0.0/0 interface null gateway X.X.X.129 preference 20 permanent

    Interface null? Please see my notes above.
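
    The three faults this reply points at (two interfaces on the same /26, a default route bound to `interface null`, and the Any/Any/ANY permit from Untrust to Trust) are mechanical enough to check with a script. The following linter is an added example, not part of the original thread; the sample configs are constructed from the ones quoted here, with X.X.X replaced by the 203.0.113.0/24 documentation prefix (an assumption, not the poster’s range). It treats two interfaces on the identical subnet as a fault in all cases, and a sub-range layout (a /30 inside a /27) as a fault only when `ignore-subnet-conflict` is absent, which is the condition the moderator gives for that layout:

```python
"""Lint a ScreenOS config dump for the three faults called out in this
thread: two interfaces on overlapping subnets, a default route bound to
'interface null', and an Any/Any/ANY permit from Untrust to Trust.

Added example, not part of the original posts. The sample configs below are
constructed from the ones quoted in the thread, with X.X.X replaced by the
203.0.113.0/24 documentation prefix (an assumption, not the poster's range).
"""
import ipaddress
import re

IFACE_IP_RE = re.compile(r'^set interface "?([^"\s]+)"? ip (\d+(?:\.\d+){3}/\d+)$')
NULL_ROUTE_RE = re.compile(r'^set route 0\.0\.0\.0/0 interface null\b')
POLICY_RE = re.compile(
    r'^set policy id \d+ from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" permit$'
)


def lint(config: str) -> list:
    """Return a list of (code, message) findings for one config dump."""
    findings = []
    ifaces = {}              # interface name -> ip_interface
    ignore_conflict = False  # 'ignore-subnet-conflict' seen on a vrouter
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_IP_RE.match(line)
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(m.group(2))
            continue
        if line.endswith("ignore-subnet-conflict"):
            ignore_conflict = True
            continue
        if NULL_ROUTE_RE.match(line):
            findings.append(("NULLROUTE",
                             "default route is bound to 'interface null'; bind it to the "
                             "untrust interface (set route 0.0.0.0/0 interface untrust gateway <isp-gw>)"))
            continue
        m = POLICY_RE.match(line)
        if m:
            src_zone, dst_zone, src, dst, svc = m.groups()
            if (src_zone, dst_zone) == ("Untrust", "Trust") and \
                    (src, dst, svc.upper()) == ("Any", "Any", "ANY"):
                findings.append(("ANYANY",
                                 "policy permits Any/Any/ANY from Untrust to Trust; "
                                 "restrict it to the server IP and the needed services"))
    # Pairwise subnet check across every interface that carries an address.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = ifaces[a].network, ifaces[b].network
            if na == nb:
                findings.append(("SAMESUBNET",
                                 f"{a} and {b} both sit in {na}; there is nothing to route between them"))
            elif na.overlaps(nb) and not ignore_conflict:
                findings.append(("OVERLAP",
                                 f"{a} {na} and {b} {nb} overlap; ScreenOS needs "
                                 "'set vrouter trust-vr ignore-subnet-conflict' for a sub-range layout"))
    return findings


# Constructed from the config quoted in the thread (X.X.X -> 203.0.113).
BAD_CONFIG = """\
set vrouter "trust-vr"
set ignore-subnet-conflict
exit
set interface "trust" zone "Trust"
set interface trust ip 203.0.113.134/26
set interface trust route
set interface untrust ip 203.0.113.132/26
set interface untrust nat
set interface untrust manage-ip 203.0.113.133
set interface "untrust" mip 203.0.113.139 host 192.168.1.2 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface null gateway 203.0.113.129 preference 20 permanent
exit
"""

# The corrected split into two /27s with the route bound to the untrust interface.
GOOD_CONFIG = """\
set interface trust ip 203.0.113.161/27
set interface trust route
set interface untrust ip 203.0.113.132/27
set interface untrust route
set interface untrust gateway 203.0.113.129
set route 0.0.0.0/0 interface untrust gateway 203.0.113.129 preference 20 permanent
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, lint(cfg) or "no findings")
```

    Run against the quoted config it reports the inbound any/any policy, the null-interface route and the shared /26; the corrected /27 split with the route on the untrust interface comes back clean. The outbound Trust-to-Untrust any/any is deliberately left alone here, since the thread treats the inbound rule as the one that exposes the network.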



  • Oh, just noticed that the untrust if was in ‘nat’ mode; changing it to ‘route’ mode didn’t solve it either.



  • Here’s the config file:

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    set ignore-subnet-conflict
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "XXXXX"
    set admin password "XXXXX"
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    unset zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    set zone "VLAN" block 
    unset zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip X.X.X.134/26
    set interface trust route
    set interface untrust ip X.X.X.132/26
    set interface untrust nat
    set interface untrust gateway X.X.X.129
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface untrust manage-ip X.X.X.133
    set interface trust ip manageable
    unset interface untrust ip manageable
    set interface untrust manage ping
    set interface untrust manage ssh
    set interface untrust manage telnet
    set interface untrust manage snmp
    set interface untrust manage ssl
    set interface untrust manage web
    set interface untrust manage mtrace
    set interface untrust vip untrust
    set interface trust dhcp server service
    set interface trust dhcp server auto
    unset interface trust dhcp server config next-server-ip
    set interface "untrust" mip X.X.X.139 host 192.168.1.2 netmask 255.255.255.255 vr "trust-vr"
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 X.X.X.140 src-interface untrust
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
    set policy id 1
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit 
    set policy id 2
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set nsmgmt bulkcli reboot-wait 0
    set ssh version v2
    set config lock timeout 5
    set ntp server "x.x.x"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set route 0.0.0.0/0 interface null gateway X.X.X.129 preference 20 permanent
    exit
    set vrouter "trust-vr"
    set access-list 1
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    
    

    ping x.x.x.129 (the gateway) from trust didn’t work.

