Thread: Looking for a Pro Juniper

  1. #1
    BG's most likeable Québécois

    Looking for a Pro Juniper

    If someone knows how to configure Juniper SSG5 routers, PM me please, I need help.

    Thx

  2. #2
    BG's most likeable Québécois

    Gonna bump with a more general VLAN question in case someone is good with VLANs.

    I have a project for work and I can't even do the first step.

    I have a Juniper SSG5 with 6 interfaces

    Ethernet0/0 is the Untrust zone (going to the internet)
    Ethernet0/5 to 0.5 is bound Bgroup0 Trust zone (Lan)
    Ethernet0/6 will be my Vlan interface

    Bgroup0 will be for PC for Employees with strict Web secure
    Vlan will be for customers full open

    So the goal of this project is Bgroup0 can go to the internet
    Vlan can go too but cannot communicate with Bgroup0

    I need to set the Vlan to Vlan ID 5


    IP addresses

    Bgroup 0 (lan) 192.168.10.0/24
    Vlan5 (192.168.100.0/24)

    So Ethernet0/0 has its IP address and gateway fixed.
    bgroup0 has its internet fixed also, and policies, and it's working. So Bgroup is done.

    Vlan5 cannot access the internet


    I created a Zone called Vlan5
    Then created a subinterface Ethernet0/6.5 IP Adress 192.168.100.1/24 Zone : Vlan5 Vlan Tag5
    Interface Ethernet0/6 is in the null zone

    Then I went and created a DHCP server on Ethernet0/6.5

    Range : 192.168.100.100-110/24
    Gateway : 192.168.100.1
    DNS : The ISP DNS server

    Then I checked the active routes, and the route we have is 0.0.0.0/24 goes to the Ethernet0/0 gateway IP address.


    Then I went and add policies

    From Vlan5 to Untrust Any to Any Service ANY
    From Untrust to Vlan 5 Any to Any Service ANY


    Now with pings from Vlan5 I can ping the VLAN gateway and my Ethernet0/0 IP but nothing else; I cannot ping the internet and I cannot browse either.

    But the Bgroup0 can access the Internet.

    Why is that?

    Thx

  3. #3
    Relic Shield

    http://www.juniper.net/us/en/trainin...ng/ssghic.html

    also post your full config file (minus the pw)

  4. #4
    BG's most likeable Québécois

    unset key protection enable
    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set vrouter name "test" id 1025
    unset vrouter "test" nsrp-config-sync
    set vrouter "test"
    unset auto-route-export
    set preference nhrp 100
    set preference ospf-e2 254
    exit
    set service "svc_sec_imap" protocol tcp src-port 0-65535 dst-port 993-993
    set service "svc_http_8080" protocol tcp src-port 0-65535 dst-port 8080-8080
    set service "svc_rdp" protocol tcp src-port 0-65535 dst-port 3389-3389
    set service "svc_smb-tcp-445" protocol tcp src-port 0-65535 dst-port 445-445
    set service "svc_smb-udp-445" protocol udp src-port 0-65535 dst-port 445-445
    set service "svc_auto123" protocol tcp src-port 0-65535 dst-port 80-85
    set service "svc_trm-desjardins-2111" protocol tcp src-port 0-65535 dst-port 2111-2111
    set service "svc_trm-desjardins-9871" protocol tcp src-port 0-65535 dst-port 9871-9871
    set service "svc_encan-adesa-6789" protocol tcp src-port 0-65535 dst-port 6789-6789
    set service "svc_encan-adesa-8000" protocol tcp src-port 0-65535 dst-port 8000-8000
    set service "svc_jetdirect-tcp" protocol tcp src-port 0-65535 dst-port 9100-9103
    set service "svc_jetdirect-udp" protocol udp src-port 0-65535 dst-port 9300-9300
    set service "svc_lallier-webchat" protocol tcp src-port 0-65535 dst-port 1935-1935
    set service "svc_napster-6699" protocol tcp src-port 0-65535 dst-port 6699-6699
    set service "svc_napster-7777" protocol tcp src-port 0-65535 dst-port 7777-7777
    set service "svc_napster-8875" protocol tcp src-port 0-65535 dst-port 8875-8875
    set service "svc_rsynch" protocol tcp src-port 0-65535 dst-port 873-873
    set service "svc_open-vpn-tcp" protocol tcp src-port 0-65535 dst-port 1194-1194
    set service "svc_open-vpn-udp" protocol udp src-port 0-65535 dst-port 1194-1194
    set service "svc_vnc-5500" protocol tcp src-port 0-65535 dst-port 5500-5500
    set service "svc_protectron" protocol tcp src-port 0-65535 dst-port 40080-40080
    set service "svc_sds_conf_1503-tcp" protocol tcp src-port 0-65535 dst-port 1503-1503
    set service "svc_sds_conf_1503-udp" protocol udp src-port 0-65535 dst-port 1503-1503
    set service "svc_sds_conf_1533-tcp" protocol tcp src-port 0-65535 dst-port 1533-1533
    set service "svc_sds_conf_1533-udp" protocol udp src-port 0-65535 dst-port 1533-1533
    set service "svc_sds_conf_8081-tcp" protocol tcp src-port 0-65535 dst-port 8081-8081
    set service "svc_sds_conf_8081-udp" protocol udp src-port 0-65535 dst-port 8081-8081
    set service "svc_sds_conf_8082-tcp" protocol tcp src-port 0-65535 dst-port 8082-8082
    set service "svc_sds_conf_8082-udp" protocol udp src-port 0-65535 dst-port 8082-8082
    set service "svc_sds_conf_9092-tcp" protocol tcp src-port 0-65535 dst-port 9092-9092
    set service "svc_sds_conf_9092-udp" protocol udp src-port 0-65535 dst-port 9092-9092
    set service "svc_sds_conf_9094-tcp" protocol tcp src-port 0-65535 dst-port 9094-9094
    set service "svc_sds_conf_9094-udp" protocol udp src-port 0-65535 dst-port 9094-9094
    set service "svc_sdslive" protocol tcp src-port 0-65535 dst-port 1024-60000
    set service "svc_sds-merlin-hal" protocol tcp src-port 0-65535 dst-port 1001-1001
    set service "svc_sds-client-8470" protocol tcp src-port 0-65535 dst-port 8470-8476
    set service "svc_sds-client-449" protocol tcp src-port 0-65535 dst-port 449-449
    set service "svc_sds-client-1025" protocol tcp src-port 0-65535 dst-port 1025-1025
    set service "svc_super-vitre" protocol tcp src-port 0-65535 dst-port 8181-8181
    set service "svc_loyalt-track" protocol tcp src-port 0-65535 dst-port 80-80
    set service "svc_torrent" protocol tcp src-port 0-65535 dst-port 6881-6999
    set service "svc_vmware-902" protocol tcp src-port 0-65535 dst-port 902-903
    set service "svc_websense" protocol tcp src-port 0-65535 dst-port 15880-15880
    set service "svc_websense" + tcp src-port 0-65535 dst-port 15868-15868
    set service "svc_websense" + tcp src-port 0-65535 dst-port 15871-15871
    set service "svc_eset" protocol tcp src-port 0-65535 dst-port 2221-2224
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "****"
    set admin password "*****"

    set admin manager-ip 192.168.100.0 255.255.255.0
    set admin auth web timeout 90
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone id 100 "vlan3"
    set zone id 101 "vlan5"
    set zone id 102 "L2-vlan6" L2 124
    set zone id 127 "Int-VLAN5"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    unset zone "V1-Trust" tcp-rst
    unset zone "V1-Untrust" tcp-rst
    set zone "DMZ" tcp-rst
    unset zone "V1-DMZ" tcp-rst
    unset zone "VLAN" tcp-rst
    set zone "vlan3" tcp-rst
    unset zone "vlan5" tcp-rst
    unset zone "L2-vlan6" tcp-rst
    set zone "Int-VLAN5" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface "tunnel.1" zone "Untrust"
    set interface "tunnel.2" zone "Untrust"
    set interface "tunnel.3" zone "Untrust"
    set interface "tunnel.4" zone "Untrust"
    set interface "tunnel.5" zone "Untrust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    unset interface vlan1 ip
    set interface ethernet0/0 ip 192.168.0.34/24
    set interface ethernet0/0 route
    set interface bgroup0 ip 192.168.100.1/24
    set interface bgroup0 nat
    set interface tunnel.1 ip unnumbered interface ethernet0/0
    set interface tunnel.2 ip unnumbered interface ethernet0/0
    set interface tunnel.3 ip unnumbered interface ethernet0/0
    set interface tunnel.4 ip unnumbered interface ethernet0/0
    set interface tunnel.5 ip unnumbered interface ethernet0/0
    set interface ethernet0/0 gateway 192.168.0.1
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface bgroup0 manage-ip 192.168.100.3
    unset interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface bgroup0 manage mtrace
    set zone L2-vlan6 manage ping
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow no-tcp-seq-check
    set flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set hostname akia-ceq-fw-01
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial


    set policy id 201 from "Trust" to "Untrust" "Any" "Any" "Any" permit
    set policy id 201
    exit
    set policy id 202 from "unTrust" to "trust" "Any" "Any" "Any" permit
    set policy id 202
    exit
    exit
    set policy id 2128 from "vlan5" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2128
    exit
    set policy id 2129 from "vlan5" to "Untrust" "Any" "Any" "g_svc_http-all" permit
    set policy id 2129
    exit
    set policy id 2130 from "Untrust" to "vlan5" "Any" "Any" "ANY" permit
    set policy id 2130
    exit
    set policy id 2133 from "Int-VLAN5" to "Untrust" "Any" "Any" "HTTP" permit
    set policy id 2133
    exit
    set policy id 2134 from "Int-VLAN5" to "Untrust" "Any" "Any" "DNS" permit
    set policy id 2134
    exit
    set policy id 2131 from "Int-VLAN5" to "Untrust" "Any" "Any" "ANY" permit
    set policy id 2131
    exit
    set policy id 2135 from "Untrust" to "Int-VLAN5" "Any" "Any" "DNS" permit
    set policy id 2135
    exit
    set policy id 2136 from "Untrust" to "Int-VLAN5" "Any" "Any" "HTTP" permit
    set policy id 2136
    exit
    set policy id 2132 from "Untrust" to "Int-VLAN5" "Any" "Any" "ANY" permit
    set policy id 2132
    exit

    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set scp enable
    set config lock timeout 45
    unset license-key auto-update
    set telnet client enable
    set ntp server "129.6.15.29"
    set ntp server src-interface "ethernet0/0"
    set ntp max-adjustment 30
    set snmp port listen 161
    set snmp port trap 162
    set snmpv3 local-engine id "0162112008005001"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route

    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set vrouter "test"
    exit



    It doesn't show trust-vr routes, but there is a default route 0.0.0.0 to 192.168.0.1, which is the gateway of the ethernet0/0 interface.


    I have to say that I modified the setup because I needed the internet on a personal PC, so how I am connected at home for the tests is:


    ISP to Linksys120n Wan port

    Linksys 120n LAN port to Juniper SSG5 WAN port (0/0)

    My test PCs to the interfaces on the Juniper

    P.S. Before you say personal routers don't let VLANs pass, I tried without the router and the same thing happens: Bgroup PCs can go out but not the VLAN.

  5. #5
    Relic Shield

    I see you created the zones for the vlan, but you never did set vlan or set the interfaces the vlan applies to

  6. #6
    BG's most likeable Québécois

    I did make a mistake in that file.

    I set the interface ethernet0/6.5 to the zone int-vlan5 and put DHCP on that interface for the PCs.

  7. #7
    BG's most likeable Québécois

    My problem seems to be from NAT or route, methinks.
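Pulling together the two points raised in this thread (post #5: the tagged subinterface and its zone binding never appear in the posted config; post #7: the suspicion that NAT or routing is the cause), here is an added ScreenOS configuration example. It is not the poster's config and not a fix confirmed by the thread. It assumes ethernet0/6 stays in the Null zone as the tagged parent (post #2 says it is there), that bgroup0 is on 192.168.10.0/24 as post #2 states (the posted config has bgroup0 at 192.168.100.1/24, which overlaps the VLAN5 subnet and would have to change first), that zone "vlan5" is used for the subinterface (post #6 used "Int-VLAN5" instead; either works as long as the subinterface zone and the policy zones match), and it uses a placeholder for the ISP DNS server. Lines beginning with # are annotations, not CLI, and must be stripped before pasting. The posted config puts bgroup0 in NAT mode but no such mode exists for the VLAN subinterface; a route-mode subinterface sends 192.168.100.x packets untranslated to 192.168.0.1, which has no return route for that subnet, and that is consistent with the symptom of reaching the firewall's own addresses but nothing beyond them.

```screenos
# Parent port: stays in the Null zone and carries only tagged frames
set interface ethernet0/6 zone "Null"

# Tagged subinterface for VLAN 5, bound to the existing zone "vlan5"
set interface ethernet0/6.5 tag 5 zone "vlan5"
set interface ethernet0/6.5 ip 192.168.100.1/24
# NAT mode: sources on 192.168.100.0/24 are translated to the ethernet0/0
# address when leaving toward Untrust, so the upstream gateway (the Linksys
# or the ISP) never needs a return route for the VLAN subnet
set interface ethernet0/6.5 nat
set interface ethernet0/6.5 manage ping

# DHCP scope as described in post #2; the DNS address is a placeholder
set interface ethernet0/6.5 dhcp server service
set interface ethernet0/6.5 dhcp server option gateway 192.168.100.1
set interface ethernet0/6.5 dhcp server option netmask 255.255.255.0
set interface ethernet0/6.5 dhcp server option dns1 <ISP-DNS-IP>
set interface ethernet0/6.5 dhcp server ip 192.168.100.100 to 192.168.100.110
set interface ethernet0/6.5 dhcp server enable

# Outbound only: customers reach the internet. "nat src" translates at policy
# level too, so the rule keeps working if the interface is later put back in
# route mode.
set policy id 2128 from "vlan5" to "Untrust" "Any" "Any" "ANY" nat src permit

# Outbound browsing needs no inbound permit-any from Untrust; the posted
# policy 2130 only widens exposure of the customer segment and is removed.
unset policy id 2130

# Isolation requirement from post #2: customer VLAN and employee LAN (Trust)
# must not talk. Interzone traffic is denied by default, but explicit denies
# show up in the policy list and survive a later global-permit change.
set policy id 2140 from "vlan5" to "Trust" "Any" "Any" "ANY" deny
set policy id 2141 from "Trust" to "vlan5" "Any" "Any" "ANY" deny

# Verification after pasting:
#   get interface ethernet0/6.5          -> zone vlan5, tag 5, mode NAT
#   get route                            -> 0.0.0.0/0 via 192.168.0.1 on ethernet0/0
#   get session src-ip 192.168.100.100   -> sessions from a VLAN client should show
#                                           the translated source 192.168.0.34
```

The check that matters is the last one: if a VLAN client's outbound session still shows 192.168.100.x as the source on the ethernet0/0 side, translation is not happening and the upstream gateway is silently dropping the replies, which is exactly the "ping the firewall but nothing past it" picture in post #2.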
