How to open port 25 from untrust to trust for mail



  • Good day,
    I seem to have resolved my issues earlier; the Juniper wasn't at fault. What I'm looking at now is that I've set up outgoing mail, no problem. I am unable to set up incoming mail. I've tried a few things but nothing seems to resolve this.

    I've used GRC.com to scan my ports and port 25 is in stealth mode. I've tried to set up a VIP on it but I don't know how to do this properly. I'm using an SSG 320M; any help would be greatly appreciated.

    Thanks
    humv



  • I have sent you a personal msg, check that.



  • Well, things have gone from OK to complete shit now. The connection was working this morning but now I have nothing. I am unable to get DNS resolution for our DNS server. So needless to say this stops all connectivity out. I did a debug flow basic for port 53 and I see the DNS leaving but nothing coming back in. Obviously port 53 won't be the incoming port for the DNS server, but this gives me an idea whether DNS is getting out.

    Further to this,
    While consoled into the Juniper I cannot ping our default gateway; I figure that could be an issue. I looked at routing and one of the entries actually reads the default gateway as 128 rather than 129. I can't find any way to change this... If I had hair I would be pulling it out.

    Further, Further to my last,
    I was talking with a co-worker today and he believes that since we have a recursive DNS server for us to get to. Not sure if this is the correct terminology. Our ISP provider's DNS is supposed to just redirect the DNS request to other DNS servers???

    Thanks again.

    Further, Further, Further,
    It is sporadic for being able to get out. One minute you can get out (DNS working), next minute not.



  • Then try MIP instead of a VIP.



  • We replaced a PIX with the Juniper, so nothing on the ISA has changed. We configured the same IP address as the PIX onto the Juniper.



  • Ok gotcha…

    NetScreen

    External - 207.x.x.x/28
    Internal - 10.254.0.2/30

    ISA

    External - 10.254.0.1
    Internal - 10.2.0.1

    Behind the ISA is the mail server - 10.2.0.2

    Using the policy that you have configured:

    set policy id 9 name "Mail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "SMTP" permit log
    set policy id 9

    Fine, the SMTP packet would reach the external interface of your ISA, but is there some kind of mapping configured on the ISA as well which would pass the SMTP request to the internal mail server?

    I don't know much about ISA; does it have any kind of setting like MIP/VIP?



  • I work on the other stuff. No, my internal IP address for the mail server is 10.2.0.2. Internal IP of ISA 10.2.0.1, external IP of ISA 10.254.0.1, external of the Juniper 10.254.0.2. I really appreciate the help.

    Thanks
    humv



  • Ok.

    So all your Trust LAN is behind e0/0, which is already in NAT mode.

    set interface ethernet0/0 ip 10.254.0.2/30
    set interface ethernet0/0 nat

    Your Untrust e0/2 is in Route mode.

    set interface ethernet0/2 ip 207.x.x.x/28
    set interface ethernet0/2 route

    Why are you again doing NAT in your policies? Remove NAT Src; interface-based NAT would take care of the NATting part. Also, you have too many policies from Trust to Untrust.

    set policy id 5 from "Trust" to "Untrust"  "10.254.0.1/32" "Any" "DNS" nat src permit log count
    set policy id 5
    exit
    set policy id 3 name "HTTP Internal to External" from "Trust" to "Untrust"  "10.254.0.1/32" "Any" "HTTP" nat src permit log count
    set policy id 3
    set service "HTTPS"
    exit
    set policy id 8 name "Outgoing Mail" from "Trust" to "Untrust"  "10.254.0.0/30" "Any" "SMTP" permit log
    set policy id 8
    exit
    set policy id 9 name "Mail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "SMTP" permit log
    set policy id 9
    exit

    Best would be to remove the VIP and use MIP instead. No, it won't affect the rest of the users trying to get a connection through the firewall.

    Can you also confirm one thing: 10.254.0.1/32, is that your mail server?



  • Sorry, small communication issue,

    E0/3 is only for management in the future. Currently it is sitting with no connection to it.

    set interface ethernet0/2 vip interface-ip 25 "SMTP" 10.254.0.1 - this is the incoming connection I'm trying to get SMTP through.

    Not sure if this changes your suggestions. From what I can tell MIP is more of a 1-to-1 connection, external IP to internal IP, for items like servers. Does this affect the rest of the users trying to get a connection through the firewall?

    Thanks
    again
    humv



  • Why are you using VIP for this? If you have no particular reason, then you can change it to MIP.

    If you want to use VIP, then you need to configure a policy from your internal SMTP server to the Internet with service SMTP and NAT Src.

    MIP takes care of both-way communication/NAT, internal to external and external to internal.

    VIP works only one way, external to internal, but for the return traffic you need to have outward NAT: as your SMTP server is behind e0/3, which is in Route mode, the reverse traffic needs to be NATted.

    set interface ethernet0/3 ip 10.254.x.x/30
    set interface ethernet0/3 route

    So the solution is:

    1. Either configure MIP instead of VIP.
    2. Or create a reverse policy with NAT Src.
    3. Or change the e0/3 to NAT mode instead of Route mode.

    Try either of the above solutions and let us know the results.
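    A configuration check for the three conditions in the reply above, written as an added example (it is not code from the thread or from Juniper). It parses a constructed ScreenOS fragment modelled on the lines posted in this thread, with 203.0.113.0/28 standing in for the redacted 207.x.x.x block, and reports, per VIP, whether an inbound policy references it and which return-path option (MIP, a policy back out with nat src, or an inside interface in NAT mode) is present:

```python
"""Added example (not from the thread or from Juniper): lint a ScreenOS
config fragment for the VIP return-path conditions listed above. A VIP
translates inbound traffic only, so the mapped host needs one of: a MIP,
a policy back out with "nat src", or an inside interface in NAT mode.
SAMPLE_CONFIG is a constructed fragment modelled on the posted config;
203.0.113.0/28 stands in for the poster's redacted 207.x.x.x block."""
import ipaddress
import re

SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 10.254.0.2/30
set interface ethernet0/0 nat
set interface ethernet0/2 ip 203.0.113.2/28
set interface ethernet0/2 route
set interface ethernet0/2 vip interface-ip 25 "SMTP" 10.254.0.1
set address "Trust" "10.254.0.1/32" 10.254.0.1 255.255.255.255
set policy id 8 name "Outgoing Mail" from "Trust" to "Untrust"  "10.254.0.0/30" "Any" "SMTP" permit log
set policy id 9 name "Mail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "SMTP" permit log
"""

# One regex per ScreenOS statement the lint needs.
ZONE_RE = re.compile(r'^set interface "?([\w/]+)"? zone "([^"]+)"$')
IP_RE = re.compile(r'^set interface ([\w/]+) ip (\S+/\d+)$')
MODE_RE = re.compile(r'^set interface ([\w/]+) (nat|route)$')
VIP_RE = re.compile(r'^set interface ([\w/]+) vip (\S+) (\d+) "([^"]+)" (\S+)$')
MIP_RE = re.compile(r'^set interface ([\w/]+) mip (\S+) host (\S+)')
ADDR_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) (?:name "[^"]+" )?from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (.*)$')


def parse(text):
    """Collect zones, interface IPs/modes, VIPs, MIPs, address book and policies."""
    cfg = {"zone": {}, "ip": {}, "mode": {}, "vips": [], "mips": [], "addr": {}, "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            cfg["zone"][m[1]] = m[2]
        elif m := IP_RE.match(line):
            cfg["ip"][m[1]] = ipaddress.ip_interface(m[2])
        elif m := MODE_RE.match(line):
            cfg["mode"][m[1]] = m[2]
        elif m := VIP_RE.match(line):
            cfg["vips"].append({"iface": m[1], "port": int(m[3]), "svc": m[4],
                                "host": ipaddress.ip_address(m[5])})
        elif m := MIP_RE.match(line):
            cfg["mips"].append({"iface": m[1], "ext": m[2], "host": ipaddress.ip_address(m[3])})
        elif m := ADDR_RE.match(line):
            cfg["addr"][(m[1], m[2])] = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        elif m := POLICY_RE.match(line):
            cfg["policies"].append({"id": int(m[1]), "src_zone": m[2], "dst_zone": m[3],
                                    "src": m[4], "dst": m[5], "svc": m[6],
                                    "nat_src": "nat src" in m[7]})
    return cfg


def addr_covers(cfg, zone, name, host):
    """True when address-book entry `name` in `zone` (or a literal prefix) contains host."""
    if name == "Any":
        return True
    net = cfg["addr"].get((zone, name))
    if net is None:
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            return False
    return host in net


def check_vip(cfg, vip):
    """Report whether a VIP has an inbound policy and a translated return path."""
    ext_zone = cfg["zone"].get(vip["iface"], "Untrust")
    inbound = any(p["src_zone"] == ext_zone and p["dst"] == f"VIP({vip['iface']})"
                  and p["svc"] in (vip["svc"], "ANY") for p in cfg["policies"])
    if any(m["host"] == vip["host"] for m in cfg["mips"]):
        ret = "mip"                 # option 1: MIP handles both directions
    elif any(p["dst_zone"] == ext_zone and p["nat_src"]
             and addr_covers(cfg, p["src_zone"], p["src"], vip["host"]) for p in cfg["policies"]):
        ret = "nat src policy"      # option 2: reverse policy with NAT Src
    elif any(cfg["mode"].get(i) == "nat" and vip["host"] in addr.network
             for i, addr in cfg["ip"].items()):
        ret = "interface nat"       # option 3: inside interface in NAT mode
    else:
        ret = None                  # replies leave untranslated: the VIP will not work
    return {"vip": f"{vip['iface']}:{vip['port']}/{vip['svc']}->{vip['host']}",
            "inbound_policy": inbound, "return_path": ret}


def lint(text):
    cfg = parse(text)
    return [check_vip(cfg, v) for v in cfg["vips"]]


if __name__ == "__main__":
    for result in lint(SAMPLE_CONFIG):
        status = "OK" if result["inbound_policy"] and result["return_path"] else "FIX"
        print(status, result)
```

    Run against the constructed fragment it reports the VIP as having an inbound policy (id 9) and a return path via the NAT-mode e0/0, which is the situation the reply describes; flipping e0/0 to route mode makes `return_path` come back as `None` until a MIP or a Trust-to-Untrust policy with nat src for 10.254.0.1 is added.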



  • Here you go…. :?

    Total Config size 5377:
    set clock timezone -7
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "agamemnon"
    set admin password "nKJhPzrhJFvJcyaI8s7OJFOtv1MCnn"
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Untrust"
    set interface "ethernet0/3" zone "MGT"
    set interface ethernet0/0 ip 10.254.0.2/30
    set interface ethernet0/0 nat
    unset interface vlan1 ip
    set interface ethernet0/2 ip 207.x.x.x/28
    set interface ethernet0/2 route
    set interface ethernet0/3 ip 10.254.x.x/30
    set interface ethernet0/3 route
    set interface ethernet0/2 gateway 207.x.x.x
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    unset interface ethernet0/2 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface ethernet0/0 manage telnet
    set interface ethernet0/0 manage snmp
    set interface ethernet0/0 manage ssl
    set interface ethernet0/0 manage web
    unset interface ethernet0/0 manage ident-reset
    set interface ethernet0/0 manage mtrace
    set interface ethernet0/1 manage ping
    unset interface ethernet0/1 manage ssh
    unset interface ethernet0/1 manage telnet
    unset interface ethernet0/1 manage snmp
    unset interface ethernet0/1 manage ssl
    unset interface ethernet0/1 manage web
    unset interface ethernet0/1 manage ident-reset
    unset interface ethernet0/2 manage ping
    unset interface ethernet0/2 manage ssh
    unset interface ethernet0/2 manage telnet
    unset interface ethernet0/2 manage snmp
    unset interface ethernet0/2 manage ssl
    unset interface ethernet0/2 manage web
    unset interface ethernet0/2 manage ident-reset
    set interface ethernet0/3 manage ping
    unset interface ethernet0/3 manage ssh
    set interface ethernet0/3 manage telnet
    unset interface ethernet0/3 manage snmp
    unset interface ethernet0/3 manage ssl
    set interface ethernet0/3 manage web
    unset interface ethernet0/3 manage ident-reset
    set interface vlan1 manage ping
    set interface vlan1 manage ssh
    set interface vlan1 manage telnet
    set interface vlan1 manage snmp
    set interface vlan1 manage ssl
    set interface vlan1 manage web
    unset interface vlan1 manage ident-reset
    set interface vlan1 manage mtrace
    set interface ethernet0/2 vip interface-ip 25 "SMTP" 10.254.0.1
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname Janus
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "10.2.0.2/32" 10.2.0.2 255.255.255.255
    set address "Trust" "10.254.0.0/30" 10.254.0.0 255.255.255.252
    set address "Trust" "10.254.0.1/32" 10.254.0.1 255.255.255.255
    set address "Untrust" "DNS Server 1" 207.x.x.x 255.255.255.255
    set address "Untrust" "DNS Server 2" 198.x.x.x 255.255.255.255
    set ike respond-bad-spi 1
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 5 from "Trust" to "Untrust"  "10.254.0.1/32" "Any" "DNS" nat src permit log count
    set policy id 5
    exit
    set policy id 3 name "HTTP Internal to External" from "Trust" to "Untrust"  "10.254.0.1/32" "Any" "HTTP" nat src permit log count
    set policy id 3
    set service "HTTPS"
    exit
    set policy id 8 name "Outgoing Mail" from "Trust" to "Untrust"  "10.254.0.0/30" "Any" "SMTP" permit log
    set policy id 8
    exit
    set policy id 9 name "Mail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/2)" "SMTP" permit log
    set policy id 9
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit



  • Can you paste the config here, so we can check if everything is fine in your config?



  • Well,
    I had some issues with being able to get through the Juniper. I followed the instructions; I am using a VIP.

    ****** 6143936.0: <untrust/ethernet0/2> packet received [64]******
      ipid = 46264(b4b8), @04e172e4
      packet passed sanity check.
      ethernet0/2:192.197.71.118/51910->207.x.x.x/25,6 <root>no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>self check, not for us
      chose interface ethernet0/2 as incoming nat if.
      packet dropped: for self but not interested
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.
    ****** 6143939.0: <untrust/ethernet0/2> packet received [64]******
      ipid = 52073(cb69), @04e182e4
      packet passed sanity check.
      ethernet0/2:192.197.71.118/51910->207.x.x.x/25,6 <root>no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>self check, not for us
      chose interface ethernet0/2 as incoming nat if.
      packet dropped: for self but not interested
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.
      existing vector list 0-368d884.

    Any help would be greatly appreciated.

    Thanks
    humv



  • You can use either MIP or VIP.

    The link below talks about when to use a VIP and when to use a MIP. In that link itself you will find the internal links on how to configure a MIP and how to configure a VIP.

    http://kb.juniper.net/index?page=content&id=KB4751&actp=search&searchid=1262735216032

    @humv
    You said "I seem to have resolved my issues earlier, the juniper wasn't at fault."...
    So it was your ISA Server which was causing the problem; what was the issue there, was it due to forwarding and routing mode?

