Juniper NAT Query

Here's the problem

I have a non-standard service that I need to forward to an internal server

I tried configuring this using policy based nat destination but it would not work.

The only way I seem to be able to do it is to configure a VIP on my untrust interface and then set up a policy to permit the traffic to the server in the trust zone

However...

This firewall will also eventually serve as the main internet gateway so from my trust to un-trust zones I need to use NAT source, is it ok to run VIP and NAT source at the same time or will that cause issues?
 
i work with juniper kit day in day out so i should be able to help you out. nat is certainly a bit tricky to get your head around on the juniper kit since there are so many options to choose from.

typically to permit inbound services we utilise a mip, or mapped ip address...which in 'generic' terms means a static 1:1 translation. things to consider also are what mode your interfaces are in (either nat, or route) and also the hierarchy that nat works in on juniper kit.

can you knock up a very rough network diagram and post a sanitised configuration?

edit: right, ok...

i'm going to assume you are using the webui to complete configuration tasks... by default your trust interface will be in nat mode, and your untrust interface will be in route mode. if you are wanting to 'port forward' it sounds like you only have a single public address. if this is the case, go to your untrust interface, select the mip option, and create a new mip. in the mapped ip portion put your public ip address (if you do have multiple public addresses then you can actually use one of these here if you wish) and in the host portion put your internal host ip address. then, go to your policies and create a new policy from untrust -> trust. in the source choose 'any' (or restrict it if you wish), in the destination choose 'MIP(insert public address used here)', in the service choose the service you want to use, and then finally make sure you choose permit and any logging options you require. it's also a good idea to have an explicit deny policy with logging turned on directly beneath so you can see if anything funny is going on. hope this helps.

edit2: as for your last part - because your trust interface will be in nat mode by default, everything going from trust -> untrust will be source translated to the untrust interface ip address by default. if you go ahead with my suggestion of using a mip above then yes you can use mip and interface based translation simultaneously.
 
that is exactly what I have done except I have used VIP instead

So because my trust interface is in NAT mode I don't need a nat source policy going from trust to untrust?

I only have 1 public address and need to forward 3 different ports, is there any advantage to me changing to MIP over VIP?

One possibly daft question, there will also be loads of VPN's on the firewall, the VIP/MIP won't affect that in any way I take it?

Thanks
 
fairly sure my understanding is correct here... a mip is a 1:1 mapping, a vip is a 1:many mapping... so, i hate to answer a question with another question... these 3 ports that you need to forward... are they all going to be to the same internal host? and are you going to want to forward ports to other internal hosts in the future? i suppose, as it's working for you and it will offer you more flexibility in the future you may as well stay with a vip.

yes, as you're in trust/nat:untrust/route mode you do not need to perform a policy based nat source from trust to untrust. it's taken care of by the interface based nat.

how are you looking to do your vpn's? i personally prefer a route based ipsec vpn on the juniper kit. are you looking to do site-site, or hub-spoke? are you using all static addressing on your untrust interfaces, or do you have some dynamic too? if you are looking to do hub-spoke are you also going to want to do spoke-spoke communication through the hub? the address translation shouldn't interfere.
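The MIP and VIP approaches described in the two replies above, written out as ScreenOS CLI rather than WebUI steps. This is an added example, not configuration from anyone in this thread, and every value in it is an assumption: ethernet3 is the Untrust interface in route mode holding the single public address 1.1.10.2, the internal server is 192.168.1.10 in the Trust zone, the "non-standard service" is TCP port 5555, and 1.1.10.5 is a spare public address used only for the MIP variant. The first group defines the custom service; the second group is the VIP form (one public address, several ports, each mapped to the same or a different internal host); the third group is the MIP form (a spare public address mapped 1:1 to the host); the last line is the explicit logged deny that should sit directly beneath the permits. ScreenOS adds new policies at the bottom of the list, so entering the deny last places it beneath the permits. You would use either the VIP group or the MIP group, not both, for the same host.

```screenos
set service "custom-tcp-5555" protocol tcp src-port 0-65535 dst-port 5555-5555

set interface ethernet3 vip interface-ip 5555 "custom-tcp-5555" 192.168.1.10
set interface ethernet3 vip interface-ip 443 "HTTPS" 192.168.1.10
set interface ethernet3 vip interface-ip 25 "SMTP" 192.168.1.10
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet3)" "custom-tcp-5555" permit log
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet3)" "HTTPS" permit log
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet3)" "SMTP" permit log

set interface ethernet3 mip 1.1.10.5 host 192.168.1.10 netmask 255.255.255.255 vrouter "trust-vr"
set policy from "Untrust" to "Trust" "Any" "MIP(1.1.10.5)" "custom-tcp-5555" permit log

set policy from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
```

Two checks worth making before relying on this: a VIP bound to the interface IP shares that address with the box's own management services, so a VIP port must not collide with a management port enabled on the same interface (the hub config later in this thread enables web and ssl management on its untrust interface, which would clash with a VIP on 443); and the interface-based source NAT for trust -> untrust traffic keeps working alongside either form, as the reply above states, so no separate nat-src policy is needed. The `deny log` line costs nothing and gives you session logs for whatever reaches the public address and is not one of the forwarded ports.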
 
at the moment one machine but it potentially could be more in the future so I might leave it as is

I have already set up a policy based ipsec vpn and all untrust interfaces are static IP's.

At present the VPN's are site-site but I may have a rethink of that

What would I gain/lose from route based VPN?
 
another question about your networks when it comes to vpns...are all the networks on your trust interfaces using unique addressing, or do you have some overlap? overlap is obviously a pain but there ways around it on the netscreen kit utilising nat-dst. i would strongly encourage the use of unique addressing where possible though just to keep the configuration as simple as possible!

i would say the type of vpn you use is going to depend upon your own personal preference - with me it's just route based vpn's because that's largely what i've worked with. for example, i was messing around in the lab the other day and in about half an hour i had a hub-spoke ipsec vpn running between a ns50 and three ns5gt's using a single tunnel and next-hop tunnel binding. i also used ospf to take care of the routing since static routing is a pain when you want to do spoke-spoke communication.

i seem to recall from the training course i went on that policy based vpn was just a bit more fiddly to setup, although i could be wrong - as i say, i've largely worked with route based...so it's whatever works for you and your network really. have a look at the concepts and examples guide - see if there is anything in there that you think fits your environment more appropriately.
 
I could only remember how to do policy based VPN from my training course and don't have any overlapping addressing

Might have a play with some hub and spoke stuff this afternoon I think so I can make use of dynamic routing protocols

Thanks very much for your help
 
no worries, give me a nudge if you need anything else... i've still got the hub-spoke vpn setup if you want me to post some configuration examples?
 
here's the hub config:

Code:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
exit
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 1.1.10.2/24
set interface ethernet3 route
set interface tunnel.1 ip 172.16.0.1/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage ssl
set interface ethernet3 manage web
set interface ethernet3 manage mtrace
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server auto
set interface ethernet1 dhcp server option gateway 192.168.1.1 
set interface ethernet1 dhcp server ip 192.168.1.33 to 192.168.1.126 
unset interface ethernet1 dhcp server config next-server-ip
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "A-LAN" 192.168.1.0 255.255.255.0
set address "Untrust" "B-LAN" 192.168.2.0 255.255.255.0
set address "Untrust" "C-LAN" 192.168.3.0 255.255.255.0
set address "Untrust" "D-LAN" 192.168.4.0 255.255.255.0
set ike gateway "GatewayB" address 1.1.20.2 Main outgoing-interface "ethernet3" preshare "91MDqH9UNgGRlOsi9zCLVn8WV8nEX1dBAQ==" proposal "pre-g2-aes128-sha"
set ike gateway "GatewayC" address 1.1.30.2 Main outgoing-interface "ethernet3" preshare "Fyu/n99QNe9GRBsC8hC0q2xajWnVB2zUYA==" proposal "pre-g2-aes128-sha"
set ike gateway "GatewayD" address 1.1.40.2 Main outgoing-interface "ethernet3" preshare "4WBL7rEbNj0xR+sgrnCLH+ruCCn9BqrkQw==" proposal "pre-g2-aes128-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-to-GatewayB" gateway "GatewayB" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayB" monitor rekey
set vpn "VPN-to-GatewayB" id 1 bind interface tunnel.1
set vpn "VPN-to-GatewayC" gateway "GatewayC" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayC" monitor rekey
set vpn "VPN-to-GatewayC" id 2 bind interface tunnel.1
set vpn "VPN-to-GatewayD" gateway "GatewayD" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayD" monitor rekey
set vpn "VPN-to-GatewayD" id 3 bind interface tunnel.1
set url protocol websense
exit
set vpn "VPN-to-GatewayB" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.2.0/24 "ANY" 
set vpn "VPN-to-GatewayC" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.3.0/24 "ANY" 
set vpn "VPN-to-GatewayD" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.4.0/24 "ANY" 
set policy id 7 from "Untrust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 7
set log session-init
exit
set policy id 6 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set policy id 6
set log session-init
exit
set policy id 5 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 5
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "A-LAN" "B-LAN" "ANY" permit log 
set policy id 1
set dst-address "C-LAN"
set dst-address "D-LAN"
set log session-init
exit
set policy id 2 from "Untrust" to "Trust"  "B-LAN" "A-LAN" "ANY" permit log 
set policy id 2
set src-address "C-LAN"
set src-address "D-LAN"
set log session-init
exit
set policy id 3 from "Trust" to "Untrust"  "A-LAN" "Any" "ANY" permit log 
set policy id 3
set log session-init
exit
set policy id 4 from "Untrust" to "Untrust"  "B-LAN" "B-LAN" "ANY" permit log 
set policy id 4
set src-address "C-LAN"
set src-address "D-LAN"
set dst-address "C-LAN"
set dst-address "D-LAN"
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.10.1
exit
set interface ethernet1 protocol ospf area 0.0.0.0
set interface ethernet1 protocol ospf passive
set interface ethernet1 protocol ospf enable
set interface ethernet1 protocol ospf retransmit-interval 5
set interface ethernet1 protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf demand-circuit
set interface tunnel.1 protocol ospf link-type p2mp
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
and here are the spoke configs:

spoke b

Code:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
exit
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "adsl1" pvc 8 35 mux llc protocol bridged zone "Null"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.2.1/24
set interface trust nat
set interface untrust ip 1.1.20.2/24
set interface untrust route
set interface tunnel.1 ip 172.16.0.2/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust manage mtrace
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.2.1 
set interface trust dhcp server option netmask 255.255.255.0 
set interface trust dhcp server ip 192.168.2.33 to 192.168.2.126 
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "B-LAN" 192.168.2.0 255.255.255.0
set address "Untrust" "A-LAN" 192.168.1.0 255.255.255.0
set address "Untrust" "C-LAN" 192.168.3.0 255.255.255.0
set address "Untrust" "D-LAN" 192.168.4.0 255.255.255.0
set ike gateway "GatewayA" address 1.1.10.2 Main outgoing-interface "untrust" preshare "rJdGowCdNrHTOBsSSHCH2QGHY3neWtiTBA==" proposal "pre-g2-aes128-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-to-GatewayA" gateway "GatewayA" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayA" monitor rekey
set vpn "VPN-to-GatewayA" id 1 bind interface tunnel.1
set url protocol websense
exit
set vpn "VPN-to-GatewayA" proxy-id local-ip 192.168.2.0/24 remote-ip 192.168.1.0/24 "ANY" 
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 3
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "B-LAN" "A-LAN" "ANY" permit log 
set policy id 1
set dst-address "C-LAN"
set dst-address "D-LAN"
set log session-init
exit
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set policy id 4
set log session-init
exit
set policy id 2 from "Untrust" to "Trust"  "A-LAN" "B-LAN" "ANY" permit log 
set policy id 2
set src-address "C-LAN"
set src-address "D-LAN"
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway 1.1.20.1
exit
set interface trust protocol ospf area 0.0.0.0
set interface trust protocol ospf enable
set interface trust protocol ospf retransmit-interval 5
set interface trust protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf demand-circuit
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
spoke c

Code:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
exit
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "adsl1" pvc 8 35 mux llc protocol bridged zone "Null"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.3.1/24
set interface trust nat
set interface untrust ip 1.1.30.2/24
set interface untrust route
set interface tunnel.1 ip 172.16.0.3/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust manage mtrace
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option netmask 255.255.255.0 
set interface trust dhcp server ip 192.168.3.33 to 192.168.3.126 
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "C-LAN" 192.168.3.0 255.255.255.0
set address "Untrust" "A-LAN" 192.168.1.0 255.255.255.0
set address "Untrust" "B-LAN" 192.168.2.0 255.255.255.0
set address "Untrust" "D-LAN" 192.168.4.0 255.255.255.0
set ike gateway "GatewayA" address 1.1.10.2 Main outgoing-interface "untrust" preshare "KgppPnx5NVjC4KsDCFC7QItK+mntDKiOgw==" proposal "pre-g2-aes128-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-to-GatewayA" gateway "GatewayA" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayA" monitor rekey
set vpn "VPN-to-GatewayA" id 1 bind interface tunnel.1
set url protocol websense
exit
set vpn "VPN-to-GatewayA" proxy-id local-ip 192.168.3.0/24 remote-ip 192.168.1.0/24 "ANY" 
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set policy id 4
set log session-init
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "A-LAN" "ANY" permit log 
set policy id 3
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "C-LAN" "A-LAN" "ANY" permit log 
set policy id 1
set dst-address "B-LAN"
set dst-address "D-LAN"
set log session-init
exit
set policy id 2 from "Untrust" to "Trust"  "A-LAN" "C-LAN" "ANY" permit log 
set policy id 2
set src-address "B-LAN"
set src-address "D-LAN"
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway 1.1.30.1
exit
set interface trust protocol ospf area 0.0.0.0
set interface trust protocol ospf enable
set interface trust protocol ospf retransmit-interval 5
set interface trust protocol ospf cost 1
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf demand-circuit
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
spoke d

Code:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set protocol ospf
set enable
exit
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "MGT" block 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "adsl1" pvc 8 35 mux llc protocol bridged zone "Null"
set interface "tunnel.1" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.4.1/24
set interface trust nat
set interface untrust ip 1.1.40.2/24
set interface untrust route
set interface tunnel.1 ip 172.16.0.4/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
set interface untrust manage mtrace
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option netmask 255.255.255.0 
set interface trust dhcp server ip 192.168.4.33 to 192.168.4.126 
unset interface trust dhcp server config next-server-ip
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "D-LAN" 192.168.4.0 255.255.255.0
set address "Untrust" "A-LAN" 192.168.1.0 255.255.255.0
set address "Untrust" "B-LAN" 192.168.2.0 255.255.255.0
set address "Untrust" "C-LAN" 192.168.3.0 255.255.255.0
set ike gateway "GatewayA" address 1.1.10.2 Main outgoing-interface "untrust" preshare "qomAgrL6Nen5uEsqOLCqNyUtsdnZf7OS4Q==" proposal "pre-g2-aes128-sha"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN-to-GatewayA" gateway "GatewayA" replay tunnel idletime 0 proposal "g2-esp-aes128-sha" 
set vpn "VPN-to-GatewayA" monitor rekey
set vpn "VPN-to-GatewayA" id 1 bind interface tunnel.1
set url protocol websense
exit
set vpn "VPN-to-GatewayA" proxy-id local-ip 192.168.4.0/24 remote-ip 192.168.1.0/24 "ANY" 
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log 
set policy id 4
set log session-init
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 3
set log session-init
exit
set policy id 1 from "Trust" to "Untrust"  "D-LAN" "A-LAN" "ANY" permit log 
set policy id 1
set dst-address "B-LAN"
set dst-address "C-LAN"
set log session-init
exit
set policy id 2 from "Untrust" to "Trust"  "A-LAN" "D-LAN" "ANY" permit log 
set policy id 2
set src-address "B-LAN"
set src-address "C-LAN"
set log session-init
exit
set nsmgmt bulkcli reboot-timeout 60
set nsmgmt bulkcli reboot-wait 0
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface untrust gateway 1.1.40.1
exit
set interface trust protocol ospf area 0.0.0.0
set interface trust protocol ospf passive
set interface trust protocol ospf enable
set interface trust protocol ospf retransmit-interval 5
set interface trust protocol ospf cost 10
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf demand-circuit
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
to add extra spokes is simply rinse and repeat because i've used a single tunnel interface at the hub and the nhtb/routing are dynamic - makes overall administration a piece of ****. the only customisation you might need is if you do actually want to restrict a certain network getting to a certain network. in the example above i chose to leave intrazone blocking enabled on the untrust zone which is why i have an intrazone policy for the spoke to spoke communication...if you turn intrazone blocking off then you don't need a policy assuming you want every spoke to get to every spoke...if you don't then of course you can then still use a policy but just block instead of permit.

hope this helps! :)

edit: i should mention that the hub was an ns50, and the three spokes were 5gt's...and i was running 5.4.0r10 of screenos...just in case you have similar kit and you want to copy/paste the configs onto them.
 