Configuring Juniper SSG5 on Comcast Business Line Using SMC Device



  • I’m trying to configure my new Juniper SSG5 on a Comcast Business Line Using their SMC Device which they came and set up. My tech installed 2 subnets but the ip that the SMC device is sending the firewall is not the static ip assigned to me by comcast and that I’m trying to set up in the firewall (I’m leasing 13 static ips).  They gave me the internal IP of the SMC as my gateway IP which is 10.1.xx.x. Shouldn’t the gateway be an IP whose first 3 octets match the public IP address that I’m setting up?  I can’t get out to the Internet nor can they ping me.  Any ideas?



  • I know this is an antique topic, but it rates high in Google when searching for Comcast Business Class and Juniper SSG5. I got it working, and I will share my configurations.

    This is not ‘pretty’ but seems to work well so far. On the SMC3DG modem, I have a /29 of static IPs. Set it up mostly like ‘bridge mode’, but don’t disable the DHCP server offering 10.1.10.0/24 addresses. Here is my edited config file for the SSG5 (running 6.3.0r15.0):

    unset key protection enable
    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "root"
    set admin password "something_here"
    set admin ssh port 2222
    set admin auth web timeout 60
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin auth remote root
    set admin privilege read-write
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "vlan1" zone "Untrust"
    set interface "ethernet0/0" zone "V1-Untrust"
    set interface "ethernet0/1" zone "V1-Trust"
    set interface "bgroup0" zone "V1-Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    set interface vlan1 ip 10.1.10.2/24
    set interface vlan1 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface vlan1 manage ping
    set interface vlan1 manage ssh
    set interface vlan1 manage web
    set interface vlan1 manage mtrace
    set zone V1-Untrust manage ping
    set zone V1-Untrust manage ssh
    set zone V1-Untrust manage telnet
    set zone V1-Untrust manage snmp
    set zone V1-Untrust manage ssl
    set zone V1-Untrust manage web
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "V1-Trust" "50.x.x.146_Laptop" 50.x.x.146 255.255.255.255
    set address "V1-Trust" "50.x.x.147_Michelle" 50.x.x.147 255.255.255.255
    set address "V1-Trust" "50.x.x.148_Server" 50.x.x.148 255.255.255.255
    set address "V1-Trust" "50.x.x.149_WiFi" 50.x.x.149 255.255.255.255
    set address "V1-Untrust" "66.x.x.161/32_someoutsidebox" 66.x.x.161 255.255.255.255
    set group address "V1-Trust" "All Trusted IPs"
    set group address "V1-Trust" "All Trusted IPs" add "50.x.x.146_Laptop"
    set group address "V1-Trust" "All Trusted IPs" add "50.x.x.147_Michelle"
    set group address "V1-Trust" "All Trusted IPs" add "50.x.x.148_Server"
    set group address "V1-Trust" "All Trusted IPs" add "50.x.x.149_WiFi"
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "V1-Untrust" to "V1-Trust" "Any" "All Trusted IPs" "PING" permit
    set policy id 2
    exit
    set policy id 3 from "V1-Untrust" to "V1-Trust" "66.x.x.161/32_someoutsidebox" "All Trusted IPs" "SSH" permit
    set policy id 3
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "0162082009006430"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    Don’t do what I was doing, copying the config verbatim and pasting it into your SSG5. There will be errors, and much resetting of defaults. Basically I think the important bits are:

    set interface "vlan1" zone "Untrust"
    set interface "ethernet0/0" zone "V1-Untrust"
    set interface "ethernet0/1" zone "V1-Trust"
    set interface "bgroup0" zone "V1-Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    set interface vlan1 ip 10.1.10.2/24
    set interface vlan1 route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set interface vlan1 manage ping
    set interface vlan1 manage ssh
    set interface vlan1 manage web
    set interface vlan1 manage mtrace

    And don’t forget to add your static addresses to the V1-Trust group.

    At least I hope that’s enough. It works for me anyway.

    Now I don’t know why this works exactly. The management interface of the firewall is 10.1.10.2, and each system gets a 10.1.10.x dynamic IP. To use your static IPs, just set them on your system manually. On Mac, this is easy, ditto Linux. On Windows, both the 10. and the static address must be statically assigned. This gives all systems access to the firewall, and things that don’t need a static IP (like TiVos, Wiis and smartphones/tablets) sit on the 10. network, yet for some reason http://whatismyip.com reports the public static IP for those systems that have one bound to them. As you can see, I enabled inbound SSH to my laptop and that works too, so I call that a WIN.
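    As an added example, not from the thread or from Juniper, here is a small Python audit that reads lines in the format of the config posted above and flags the settings a reviewer would look at first: management services (especially cleartext ones such as telnet, web and snmp) enabled on interfaces or zones facing the SMC, and inbound permit policies from those zones whose source is "Any". The sample config and the zone names are constructed from the posted excerpt.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ScreenOS config posted above (not the full file).
SAMPLE_CONFIG = """
set interface "vlan1" zone "Untrust"
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/1" zone "V1-Trust"
set interface vlan1 manage ping
set interface vlan1 manage ssh
set interface vlan1 manage web
set zone V1-Untrust manage ssh
set zone V1-Untrust manage telnet
set zone V1-Untrust manage snmp
set zone V1-Untrust manage web
set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "V1-Untrust" to "V1-Trust" "Any" "All Trusted IPs" "PING" permit
set policy id 3 from "V1-Untrust" to "V1-Trust" "66.x.x.161/32_someoutsidebox" "All Trusted IPs" "SSH" permit
"""

UNTRUSTED_ZONES = {"Untrust", "V1-Untrust"}   # zones facing the SMC / Internet (assumed)
CLEARTEXT = {"telnet", "web", "snmp"}         # management services that carry credentials unencrypted

def audit(text):
    """Return a list of finding strings for a ScreenOS config in 'set ...' form."""
    iface_zone, findings = {}, []
    zone_mgmt, iface_mgmt = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        quoted = re.findall(r'"([^"]*)"', line)   # quoted tokens; names may contain spaces
        bare = line.replace('"', '')
        if m := re.match(r'set interface (\S+) zone (\S+)$', bare):
            iface_zone[m[1]] = m[2]
        elif m := re.match(r'set zone (\S+) manage (\S+)$', bare):
            zone_mgmt[m[1]].add(m[2])
        elif m := re.match(r'set interface (\S+) manage (\S+)$', bare):
            iface_mgmt[m[1]].add(m[2])
        elif (m := re.match(r'set policy id (\d+) from .* (permit|deny)$', line)) and len(quoted) == 5:
            src_zone, _dst_zone, src, _dst, svc = quoted
            if m[2] == "permit" and src_zone in UNTRUSTED_ZONES and src.lower() == "any":
                findings.append(f"policy {m[1]}: inbound {svc} from {src_zone} open to any source")
    for zone, svcs in zone_mgmt.items():           # zone-level management on the untrusted side
        if zone in UNTRUSTED_ZONES:
            for svc in sorted(svcs):
                tag = "cleartext " if svc in CLEARTEXT else ""
                findings.append(f"zone {zone}: {tag}management service {svc} reachable from untrusted side")
    for iface, svcs in iface_mgmt.items():         # interface-level management, resolved via its zone
        if iface_zone.get(iface) in UNTRUSTED_ZONES:
            for svc in sorted(svcs & CLEARTEXT):
                findings.append(f"interface {iface} ({iface_zone[iface]}): cleartext management service {svc} enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

Run it against a `get config` export from the SSG5; a clean result is an empty list, and each finding names the zone, interface or policy id to revisit.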



  • I finally got a chance to test this last night. I deleted the entire local configuration and took my NS50 outer firewall back to its defaults prior to starting, connected to the SMC device. (Previously the box was doing a bunch of NAT and port forwarding cruft that I won’t need now since I have multiple public IPs.) Once I bound ethernet3 to the untrust zone and set its IP to one of my static IPs (further subnetting the /28 into a /30 for the untrust zone and using the other /29 on the NetScreen’s trust zone interface where the machines will sit – the other /30 is reserved for later), I was able to get out to the Internet fine.

    For the record, I can’t ping the external interface of the netscreen, but that’s to be expected as there are not yet any policies defined on the device to allow traffic.



  • Yeah, that’s the issue… I need a device without that firewall feature. A modem with WAN on it will do it… that’s how Qwest DSL does it. Question: why in the world would Comcast provide a device without WAN capability on it? Is it because they don’t want to take on the customer support for troubleshooting these third-party (Juniper) devices? It doesn’t make sense. They have it on their residential routers, just not on these SMC routers.


  • Do you have a spare cable modem? Replace it with a dumb modem without the firewall features, call Comcast and tell them you switched it out with your own device. They will ask you for the MAC on the new device and you should be up and running.

    The Linksys cable modems have always worked best for me.



  • Tried bridged mode: logged into the SMC at (10.1.xx.x), username: cusadmin, password: highspeed, disabled the firewall features… and then uplinked my own firewall into the SMC’s LAN port… and assigned my first usable static IP address on the WAN interface of my firewall. Still couldn’t get it to work.



  • I hear that you have to have the techs set the device up in “bridged” mode. Is there anything even remotely resembling OOB access to the SMC device? Somehow I doubt it.



  • I have spent the last 3 days with a tech and on the phone with Comcast. This is what I’ve learned… it can’t be done. That darn SMC wants to be the primary firewall and my Juniper will always be the secondary. Plus the SMC doesn’t have a WAN port on it like the residential ones do. I logged into the SMC UI and there is no WAN link to control it. I need WAN to WAN but am getting LAN (SMC) to WAN (Juniper).

    Yes, use /28 for the 13. Tried the NATing… didn’t work. They say businesses are using the SMC device just fine, but I’m thinking what they’re not telling you is that yes, these companies are using their business services and enjoying those static IPs and download/upload speeds, but they don’t realize that the SMC device is acting as their primary firewall, which I don’t want. I want to use a more robust firewall that is an industry standard, such as the Juniper firewall. Businesses are happy because “hey, it acts as a router AND a firewall… cool, we’re safe!”… in fact, no, not really. They’re susceptible to being hacked.

    I disabled the SMC firewall inside the UI… doesn’t matter. Won’t work. Packets of data are not being routed. I’m going to ask if I can downgrade to a modem with a WAN on it and ask them if I can control my own firewall. Otherwise, Qwest DSL here I come… I know other developers who have web and DNS servers using Qwest just fine (as long as your zip is within the right distance, of course). There is a WAN on the Qwest modem. I can’t ip mip nor ip vip with this Comcast SMC configuration. They got me giddy on the download and upload speeds but IT WON’T WORK! - my 2 cents

    Let me know how far you get.



  • I’m about to do the exact same thing tomorrow (except I’m using an NS50). I’m hoping that they have the sense to realize that I don’t want their crappy device NATing anything. Just give me my /28 and get on with it. I will let you know what I find.

