NetScreen 204

I apologize if this is the wrong place to post this, but I just bought a NetScreen 204 for 99.00 on ebay to replace a home-grown pfSense firewall whose PC bit the dust. As a fallback, I'm using an old Netgear ProSafe box with several bad ports.

Here's my issue: I have a web server on my local network that is currently visible to the internet and want to configure the NetScreen to continue to allow access to it. Without getting into the advanced stuff, this will allow me to bring the NetScreen on-line. I've orderedConfiguring Juniper Networks NetScreen & SSG Firewalls from Amazon and it should arrive by the end of the month which should give me the knowledge to do a proper setup.

Can one of you gurus point me to a resource that a newbie like me can get this box working?

Thanks!

Jon

Find more posts tagged with

Comments

zoidberg

Here's the Getting Started guide: http://www.juniper.net/techpubs/hardware/netscreen-appliances/netscreen-appliances50/gs_204_208.pdf

I just skimmed it, but didn't see anything about NAT, which I'm assuming you want to setup for your web server. How far along are you in getting the NS running? If you haven't started, use this guide, and hopefully it will get your basic connectivity and management access. Once you have that, play around with the WebGUI and you might be able to figure it out. If not, let us know where you're getting stuck and we can try to help out.

Here's a link for configuring NAT as well: Juniper Networks - Hosting a Web Server Behind a NetScreen or SSG Device in NAT Mode - Knowledge Base

Hope both those links are accessible without a Juniper.net account.

NIPSTech

I was able to get to both links. I tried the second one to configurethe NAT but it didn't work either. This shouldn't be rocket science and I've successfully done it before on a Netgear FVS-318 as well as on a pfSense firewall, which was my firewall of choice since it's open-source, easy to set up and was working like a charm until the PC it was running on bit the dust. Some other thing's I tried were to set up a NAT policy to send HPPT requests from the untrusted zone to the web server's IP address. That didn't work either.

If you want any screen shots/config files just let me know.

Thank You!
Jon

deth1k

So tell us what exactly are you trying to do? port forward to your web server? if so you need to create a "VIP", to get to it, just navigate to your interfaces, under your "Untrust" and create a "VIP" use "Same interface" feature and select port and service you will be forwarding to as well as IP which has to be static. Then go to Policies and create a policy from "Untrust" to "Trust", source being ANY, and destination being your "VIP".

oh also forgot to mention, your Untrust should be in Routed mode wheres your Trust should be in NAT mode.

NIPSTech

I tried all your suggestions and the web server is still timing out. I went ahead and attached some screen shots...maybe you can see what is going on. I have a spare NIC I can throw into the web server so I can add it to the DMZ if necessary. All I'll need to do is configure it with a different IP address and plug it into the DMZ. I'm not sure how to set up its default gateway and DNS servers, but I know I can get IIS to work with multiple ip addresses if I set each web site to use "All Unassigned" and it should bind to both NICs. The web server is IIS6 running on a W2k3 Standard server.

Untrust.jpg

VIP1.jpg

VIP2.jpg

Policy.jpg

deth1k

one thing is to get rid of application bit in your policy. also enable logging within the policy.i'll take a look at this tomorrow for ya in more detail. also i asume you've create trust to unrust policy to allow outbound traffic.

NIPSTech

I do have an outbound policy to allow all from trust to untrust. If you notice in the screenshot of th VIP Services screen it shows that the status is down. Why would that be?

deth1k

VIP is down meaning firewall can't reach IP address you are forwarding your port to. Console onto othe FW and try pinging your web server. Hang on a sec, i've just noticed your Untrust IP is different to what your VIP is configured with, which option did you chose when created your VIP? If you are planning to port forward then you should use "use the same as external ip" whereas if you need 1:1 NAT, you should create a MIP.

deth1k

this is what i mean as far as vip goes

Screenshot from 2012-05-15 10:07:26.jpg

NIPSTech

IP address all zeros?
I just got tasked with something for work that requires me to keep my internet connection as stable as possible so I won't be making any changes on the NetScreen until later tonight...work takes priority LOL! I was actually thinking of using the Netgear FVS-318 Router to get to the internet, connecting one NIC on the web server directly to it and also connection the NetScreen to another port to handle the rest of the network traffic. Also connecting the other NIC in the server to the trust zone on the Netscreen to handle all the Active Directory traffic for the internal network. Sounds good on paper, but in reality I'm sure I'm going to have some issues.

deth1k

nah, i was referring to tick box where it said use the same as untrust interface ip address.