Question about Juniper Networks SECURE SERVICES GATEWAY 320 SYS BASE 256MB 3 PIM AC SCREENOS 19IN (SSG-320M-SB) Firewall


Cannot Access Internet from the DMZ

I have an SSG-320 firewall. I am having problems connecting from the DMZ zone to the untrust zone, and also from the untrust zone to the DMZ. If anyone has any suggestions I would appreciate it.

Thanks,

Cliff

  • Gopi Venkatesan, May 11, 2010

    Please post the issue in detail


1 Answer


If there is a proper policy in place then there won't be any issue.

If at all you need to access your DMZ from the internet, you need to configure a VIP or MIP on the firewall, and a policy also needs to be written to permit the traffic.

If you need more help you shall contact me.

Posted on Mar 26, 2009


Related Questions:

1 Answer

Leds status


Green for full duplex, amber for half or error and red for down

Jan 30, 2014 | Juniper Networks SSG 550M (SSG-550M-SH)...

1 Answer

How can i filter URL's


If you are using a Juniper NetScreen 5GT then please follow the link below:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4320

Sep 16, 2013 | Juniper Networks SSG 140 (SSG-140-SB)...

2 Answers

How to block facebook website on juniper srx210 firewall


Remember, you need to configure DNS on the ScreenOS device before the address book items can resolve the DNS to an IP address. In this example, we assume the hostname is SSG5, the domain name is abc.com, the primary DNS is 1.1.1.1, and the secondary DNS is 1.1.1.2
Click Network > DNS
Host Name: SSG5
Domain Name: abc.com
Primary DNS Server: 1.1.1.1
Secondary DNS Server: 1.1.1.2
Click Apply

Click Objects > Addresses > List
Select Untrust
Click New
Address Name: www.facebook.com
Click domain name, and enter www.facebook.com
Zone: Untrust
Click OK

Click Objects > Addresses > Group
Zone: Untrust
Click New
Group Name: Facebook
Move www.facebook.com from Available Members to Group Members by clicking the << button
Click OK

Click Policies
Select From Trust to Untrust, then click New
Source Address: Click Address Book, and select ANY
Destination Address: Click Address Book, and select facebook
Service: ANY
Action: DENY
Click OK

Hope this helps you.

Apr 20, 2011 | Juniper Networks SRX210 (SRX210B) Firewall

1 Answer

Problems with dmz-outside (webpage). pix


Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the dmz so that pc's on the dmz will be translated outbound. The only connection that will work on the dmz is the webserver when he's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug-level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Feb 28, 2009 | Cisco PIX Firewall 506

1 Answer

Traceroute does not work


You have to allow the following:
ICMP type 8 (Echo) from your DMZ to the Internet (a.k.a outbound)
ICMP type 0 (Echo reply) from the Internet to your DMZ (a.k.a inbound)

This will be done by adding the rules in the firewall section of your DFL-700.

Mar 13, 2008 | D-Link NetDefend DFL-700 Firewall
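
The two rules in the answer above can be checked against the ICMP messages that ping and traceroute actually depend on. The following is an added example, not part of the original answer or of any vendor tool; it assumes a stateless filter that matches each ICMP type and direction independently (a stateful firewall may admit related ICMP errors on its own), and the names `REQUIREMENTS`, `missing_rules` and `report` are hypothetical.

```python
# Added example: compare a per-direction ICMP allow-list with what
# ping and traceroute need, as seen from a host in the DMZ.
# Assumption: stateless filtering, one rule per (direction, ICMP type).

ICMP_NAMES = {
    0: "echo-reply",
    3: "destination-unreachable",
    8: "echo-request",
    11: "time-exceeded",
}

# ICMP messages each tool relies on. Only ICMP is modelled here; the
# UDP probes that Unix traceroute sends outbound need their own rule.
REQUIREMENTS = {
    "ping": [("outbound", 8), ("inbound", 0)],
    # Windows tracert: echo requests with rising TTL; each hop answers
    # with type 11, the final target with type 0.
    "tracert-icmp": [("outbound", 8), ("inbound", 11), ("inbound", 0)],
    # Unix traceroute (default UDP mode): hops answer with type 11,
    # the target with type 3 (port unreachable).
    "traceroute-udp": [("inbound", 11), ("inbound", 3)],
}


def missing_rules(tool, allowed):
    """Return the (direction, type) pairs the tool needs but `allowed` lacks."""
    return [req for req in REQUIREMENTS[tool] if req not in allowed]


def report(allowed):
    """Map each tool to 'ok' or a description of the ICMP rules it is missing."""
    result = {}
    for tool in REQUIREMENTS:
        gaps = missing_rules(tool, allowed)
        if gaps:
            detail = ", ".join(f"{d} type {t} ({ICMP_NAMES[t]})" for d, t in gaps)
            result[tool] = "blocked: " + detail
        else:
            result[tool] = "ok"
    return result


# Rule set exactly as listed in the answer above.
ANSWER_RULES = {("outbound", 8), ("inbound", 0)}
# Constructed extension that also admits the replies sent by hops.
EXTENDED_RULES = ANSWER_RULES | {("inbound", 11), ("inbound", 3)}

if __name__ == "__main__":
    for label, rules in (("answer", ANSWER_RULES), ("extended", EXTENDED_RULES)):
        for tool, status in report(rules).items():
            print(f"{label:9} {tool:15} {status}")
```

Under this model, inbound types 11 and 3 are the additions to look at when ping succeeds but the trace shows only timeouts.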

1 Answer

Cyberguard SG300


From the main configuration screen select Network Setup, and then click on the Connections Tab. In the tabline below that click on Aliases.

At this point you input the Alias IP address and the netmask and add it, selecting port 25. The firewall now knows that it is to forward all traffic on port 25 to the computer that has the IP address you put in.

You should be aware that doing the above opens a direct access point into your network! Port 25 is the port used for SMTP (Sendmail) and it is the most vulnerable and most hacked service on the Internet! You should seriously consider not doing this.

A better option would be to go to the DMZ tab and configure a DMZ net on your firewall - you will need to obtain a second routable IP address from your ISP to do this though. By creating the DMZ and then routing port 25 to a machine inside the DMZ you isolate the machine running SMTP from all of the other machines inside your protected network and so make a compromise much less likely.

All of the systems inside your protected network will still have demand access to the machine in our DMZ, but the machine in your DMZ would be unable to initialize access to the protected network, which is a much safer setup.

Oct 19, 2007 | Cyberguard SG300 (00852503000366) Firewall

2 Answers

Policy-based VPN over vrrp


Hi krisva2,

If any of the articles show just the Juniper logo and menu bar you will need to shut off your ad blocker.


Is Virtual Router Redundancy Protocol (VRRP) supported on Juniper firewalls? (KB ID: KB10892)
http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm


This is probably what is going on with your setup but without more information I could not be 100% sure.
Established sessions need to re-establish when the VPN Redundant Gateway fail-over occurs (KB ID: KB6372)


Enjoy!

Aug 16, 2007 | Juniper Networks (SSG-5-SH-BT) Firewall

2 Answers

Sonicwall Pro 300 DMZ Problem


If you're within a network and try connecting to computers on it with the WAN public IP, it simply won't work - you must use the network IP. On an external Internet connection, it should connect fine to the public IP. If you have access to an external machine (remote desktop), or if you know of an FTP proxy, you can try it that way. I also believe http://www.webftp.co.uk/ a web based FTP client would act as somewhat of a proxy, you could try that with the public IP and see how you go.

Aug 09, 2007 | SonicWALL PRO 300 Firewall

1 Answer

DMZ HOST IN FVS 124-G


The Netgear FVS124-G is a superb combo VPN firewall DSL/Cable small business router. Loads of features and Dual WAN to boot. I highly recommend its use in small businesses.

But... Keeping the necessary firewall, you are missing another component in a properly segmented network, a VLAN switch. It is highly customizable and gives you the configurability and speed you are asking for. Look at its features here: ftp://downloads.netgear.com/files/FSxxxT_GSxxxT_smartswitch_UserManual.pdf

The normal network security plan is: Internet --> Firewall --> Router (or Firewall/Router) --> VLAN Switch --> Individual computers or VLAN subnets. Using these two components together makes a more configurable and MUCH easier to set up network than using, say, one Sonicwall, or one CISCO PIX-501-BUN-K9 (which doesn't do VLAN and you have to know PIX commands).

You get FREE pre-sales and FREE post-sales support from Netgear, so call them on what makes sense for your situation. Sales Support (408) 907-8000 OR Email at: sales@netgear.com

ZT3000 "Beta tester of "0"s and "1's"

Aug 03, 2007 | NetGear ProSafe FVS124G (FVS124GNA)...
