New to Juniper SSG 5 - policy being ignored

(OP)
I have installed a new policy (trusted to untrusted) in ScreenOS to allow outgoing mail traffic from an additional server.  It is listed before the policy to deny from the subnet.  When I enable debugging and have that server try to send email, it skips right past my new policy and goes to the policy to deny.  Any help would be greatly appreciated.  The server is defined and the policy installs fine.

RE: New to Juniper SSG 5 - policy being ignored

You might want to post more detail, your statement is too nebulous. Post a print of the policy table so we can see it, and provide better suggestions.

....JIM....
 

RE: New to Juniper SSG 5 - policy being ignored

(OP)
Sorry for the lack of detail.  Below is the policy table
Total regular policies 20, Default deny.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
   112 Untrust  Trust    192.168.0.0~ 10.1.68.0/24 ANY                  Tunnel enabled ---X-X
   111 Trust    Untrust  10.1.68.0/24 192.168.0.0~ ANY                  Tunnel enabled ---X-X
   110 Untrust  Trust    Any          Any          ANY                  Permit disabl~ ---X-X
   104 Untrust  Trust    Any          VIP(etherne~ HTTPS                Permit enabled ---X-X
   106 Trust    Untrust  10.1.68.10/~ Any          DNS                  Permit enabled ---X-X
                         10.1.68.11/~                          
   114 Trust    Untrust  10.1.68.210~ Any          IMAP                 Permit enabled ---X-X
                                                   MAIL        
    24 Trust    Untrust  10.1.68.10/~ Any          IMAP                 Permit enabled ---XXX
                                                   MAIL        
    11 Untrust  Trust    Dial-Up VPN  10.1.68.0/24 ANY                  Tunnel enabled ---XXX
    14 Untrust  Trust    Any          VIP(etherne~ Terminal Service     Permit enabled ---X-X
   107 Trust    Untrust  10.1.68.0/24 Any          DNS                  Deny   enabled ---XXX
                                                   IMAP        
                                                   MAIL        
                                                   NTP         
                                                   POP3        
                                                   TELNET      
   108 Trust    Untrust  10.1.68.10/~ Any          ANY                  Permit enabled ---X-X
     6 Trust    Untrust  10.1.68.0/24 Any          ANY                  Permit enabled ---XXX
   109 Trust    Untrust  Any          Any          ANY                  Permit enabled ---X-X
     3 Trust    Untrust  Any          Any          ANY                  Reject enabled ---X-X
     1 Trust    Untrust  10.1.68.0/24 Any          Cisco VPN            Permit disabl~ ---XXX
                                                   FTP         
                                                   HTTP        
                                                   HTTPS       
                                                   ICMP-ANY    
                                                   IKE         
                                                   IKE-NAT     
                                                   Terminal Se~
   100 Trust    Untrust  Any          Any          MS-RPC-EPM           Permit disabl~ ---X-X
                                                   MS-EXCHANGE
   101 Untrust  Trust    Any          VIP(etherne~ SMTP                 Permit enabled ---X-X
   103 Untrust  Trust    Any          VIP(etherne~ IMAP                 Permit enabled ---X-X
     5 Untrust  Trust    Any          Any          ANY                  Reject enabled ---X-X
   113 Untrust  DMZ      Any          MIP(207.250~ HTTPS                Permit enabled ---X-X

I expected it to hit rule 114, but the debug shows it getting to policy 107 and getting dropped, denied by policy.

Thanks
Vic Lepouce
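An added example, not from the thread or from Juniper: a small Python model of ScreenOS top-down, first-match policy lookup over the Trust-to-Untrust rows of the table above. It lets you check which policy a given flow should land on (and confirm that a host not named in any permit policy falls through to the deny at 107) before trusting the debug output. The service-to-port mapping and the remote mail host 203.0.113.25 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Simplified ScreenOS predefined services: name -> set of (proto, dst_port).
# Assumption: standard ports only; real service objects also carry source
# port ranges and timeouts, which do not matter for this lookup.
SERVICES = {
    "MAIL": {("tcp", 25)}, "SMTP": {("tcp", 25)}, "IMAP": {("tcp", 143)},
    "POP3": {("tcp", 110)}, "DNS": {("udp", 53), ("tcp", 53)},
    "NTP": {("udp", 123)}, "TELNET": {("tcp", 23)},
}

@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: list        # address objects as CIDR strings, or ["Any"]
    dst: list
    services: list   # service names, or ["ANY"]
    action: str      # permit / deny / reject / tunnel
    enabled: bool = True

def _addr_match(objects, ip):
    if "Any" in objects:
        return True
    return any(ip in ipaddress.ip_network(o) for o in objects)

def _svc_match(names, proto, dport):
    if "ANY" in names:
        return True
    return any((proto, dport) in SERVICES.get(n, set()) for n in names)

def lookup(policies, src_zone, dst_zone, src_ip, dst_ip, proto, dport):
    """First enabled policy matching the flow (top-down, first match wins),
    or None, which on the SSG means the zone pair's default deny."""
    sip, dip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.enabled and p.src_zone == src_zone and p.dst_zone == dst_zone
                and _addr_match(p.src, sip) and _addr_match(p.dst, dip)
                and _svc_match(p.services, proto, dport)):
            return p
    return None

# Trust -> Untrust policies in the order shown in the thread's policy table.
TABLE = [
    Policy(111, "Trust", "Untrust", ["10.1.68.0/24"], ["192.168.0.0/24"], ["ANY"], "tunnel"),
    Policy(106, "Trust", "Untrust", ["10.1.68.10/32", "10.1.68.11/32"], ["Any"], ["DNS"], "permit"),
    Policy(114, "Trust", "Untrust", ["10.1.68.210/32"], ["Any"], ["IMAP", "MAIL"], "permit"),
    Policy(24, "Trust", "Untrust", ["10.1.68.10/32", "10.1.68.210/32"], ["Any"], ["IMAP", "MAIL"], "permit"),
    Policy(107, "Trust", "Untrust", ["10.1.68.0/24"], ["Any"],
           ["DNS", "IMAP", "MAIL", "NTP", "POP3", "TELNET"], "deny"),
    Policy(108, "Trust", "Untrust", ["10.1.68.10/32"], ["Any"], ["ANY"], "permit"),
    Policy(6, "Trust", "Untrust", ["10.1.68.0/24"], ["Any"], ["ANY"], "permit"),
    Policy(109, "Trust", "Untrust", ["Any"], ["Any"], ["ANY"], "permit"),
    Policy(3, "Trust", "Untrust", ["Any"], ["Any"], ["ANY"], "reject"),
]

def trace(src_ip, proto="tcp", dport=25, dst_ip="203.0.113.25"):
    """Which Trust->Untrust policy handles a flow from src_ip? Default is
    outbound SMTP to a constructed remote mail host."""
    p = lookup(TABLE, "Trust", "Untrust", src_ip, dst_ip, proto, dport)
    return (p.pid, p.action) if p else None

if __name__ == "__main__":
    print(trace("10.1.68.210"))           # host named in 114 -> (114, 'permit')
    print(trace("10.1.68.24"))            # host in no permit policy -> (107, 'deny')
    print(trace("10.1.68.10", "udp", 53)) # DNS from the DC -> (106, 'permit')
```

If the source address you expect to match a policy is not in that policy's address object, the model falls through to 107 exactly as the debug did; that is the first thing to verify in the address book.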

RE: New to Juniper SSG 5 - policy being ignored

In analyzing the policy list, yours is slightly different compared to my SSG20. Mine has OS version 6.1.0r2. Now what I see, is yours has an option column of some sort at the end called ASTLCB. Since mine does not have this, I don't know its function. Also it appears that some fields truncated the addresses, so you can't see the subnet of the Src-addresses. But comparing policy 114 with policy 24, the only difference I see is the C option is missing, where policies 24 and 107 have it selected. Does policy 24 work? Could this be the problem?

....JIM....
 

RE: New to Juniper SSG 5 - policy being ignored

(OP)
Sorry for the delay,

Policy 24 does work from what I am able to tell.

The attributes are as follows:
A - Deep Inspection attack objects
S - Policy scheduling
T - Traffic shaping
L - Logging
C - Counting
B - HA session backup

If it has an X it is enabled.  

Do you think the Counting has to be enabled?  I will try to take a look at it in the morning and see if it has an effect.

Thanks,
Vic Lepouce

RE: New to Juniper SSG 5 - policy being ignored

(OP)
I changed policy 114 to count without success.  I removed policy 114 and added the 10.1.68.24 to policy 24 without success.  I am attaching the config in hopes that it will help isolate the issue for anyone looking.

Total Config size 14988:
set clock ntp
set clock timezone -6
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "MS-RPC-EPM" timeout 200
set service "MS-EXCHANGE-DATABASE" timeout 200
set service "MS-EXCHANGE-DIRECTORY" timeout 200
set service "MS-EXCHANGE-INFO-STORE" timeout 200
set service "MS-EXCHANGE-MTA" timeout 200
set service "MS-EXCHANGE-STORE" timeout 200
set service "MS-EXCHANGE-SYSATD" timeout 200
set service "Terminal Service" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "Terminal Service" + udp src-port 0-65535 dst-port 3389-3389
set service "Mdaemon Webclient nonssl" protocol tcp src-port 80-80 dst-port 3000-3000
set service "Cisco VPN" protocol udp src-port 0-65535 dst-port 10000-10000
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
set alg appleichat enable
unset alg appleichat re-assembly enable
unset alg h323 enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth-server "Microsoft IAS" id 1
set auth-server "Microsoft IAS" server-name "10.1.68.10"
set auth-server "Microsoft IAS" account-type auth xauth
set auth-server "Microsoft IAS" radius secret "secret=="
set auth default auth server "Microsoft IAS"
set auth radius accounting port 1646
set auth radius accounting action cleanup-session
set admin name "netscreen"
set admin password "secret+n"
set admin manager-ip 10.1.68.0 255.255.255.0
set admin port 8080
set admin mail traffic-log
set admin auth web timeout 15
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin auth banner console login "Welcome, Do you belong here?"
set admin format dos
set vip multi-port
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 207.250.XX.XXX/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.1.0.1/24
set interface ethernet0/1 route
set interface bgroup0 ip 10.1.68.3/24
set interface bgroup0 nat
set interface ethernet0/0 bandwidth egress mbw 900 ingress mbw 900
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
unset interface ethernet0/0 ip manageable
unset interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
unset interface ethernet0/1 manage ping
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip interface-ip 25 "SMTP" 10.1.68.10
set interface ethernet0/0 vip interface-ip 3389 "Terminal Service" 10.1.68.10
set interface ethernet0/0 vip interface-ip 143 "IMAP" 10.1.68.10
set interface ethernet0/0 vip interface-ip 443 "HTTPS" 10.1.68.10
set interface "ethernet0/0" mip 207.250.XX.XXX host 10.1.0.2 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss 1320
set flow path-mtu
unset flow no-tcp-seq-check
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain ghilaser.com
set hostname GH-Firewall
set webauth server "Microsoft IAS"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.1.68.10 src-interface bgroup0
set dns host dns2 10.1.68.11 src-interface bgroup0
set dns host dns3 0.0.0.0
set dns host schedule 06:28
set dns proxy
set dns proxy enable
set dns server-select domain cam.local outgoing-interface bgroup0 primary-server 10.51.68.111
set address "Trust" "10.1.68.0/24" 10.1.68.0 255.255.255.0
set address "Trust" "10.1.68.10/255.255.255.0" 10.1.68.10 255.255.255.0
set address "Trust" "10.1.68.10/32" 10.1.68.10 255.255.255.255
set address "Trust" "10.1.68.11/32" 10.1.68.11 255.255.255.255
set address "Trust" "10.1.68.2/32" 10.1.68.2 255.255.255.255
set address "Trust" "10.1.68.210/32" 10.1.68.210/255.255.255.255
set address "Trust" "GHI01" 10.1.68.3 255.255.255.255 "Main Server"
set address "Trust" "Internal Subnet" 10.1.68.0 255.255.255.0
set address "Trust" "Production Subnet" 10.1.68.0 255.255.255.0
set address "Untrust" "192.168.0.0/24" 192.168.0.0 255.255.255.0
set address "Untrust" "Remote Backup Site" 7665480d2c5.ddns.rbsnet.net
set ippool "vpn_pool" 172.17.21.110 172.17.21.130
set user "vpnusers" uid 15
set user "vpnusers" ike-id u-fqdn "vpnusers@xxxxxx.com" share-limit 10
set user "vpnusers" type ike
set user "vpnusers" "enable"
set user-group "netscreen" id 4
set user-group "netscreen" location external
set user-group "netscreen" type auth xauth
set user-group "vpngroup" id 3
set user-group "vpngroup" user "vpnusers"
set ike gateway "vpngateway" dialup "vpngroup" Aggr outgoing-interface "ethernet0/0" preshare "secret==" proposal "pre-g2-3des-sha"
unset ike gateway "vpngateway" nat-traversal udp-checksum
set ike gateway "vpngateway" nat-traversal keepalive-frequency 5
set ike gateway "vpngateway" xauth
set ike gateway "vpngateway" xauth server auth-method chap pap
unset ike gateway "vpngateway" xauth do-edipi-auth
set ike gateway "xxxxxx@xxxxxxxx.com" address 0.0.0.0 id "xxxxxx@xxxxxxxx.com" Aggr outgoing-interface "ethernet0/0" preshare "B3r6LnczNfjriZs9cxCYvz0REFn5xxxxxxXXXXXXXXWs=" proposal "pre-g2-3des-sha" "rsa-g2-3des-md5" "pre-g2-des-sha" "pre-g2-des-md5"
set ike gateway "xxxxxx@xxxxxxxx.com" nat-traversal udp-checksum
set ike gateway "xxxxxx@xxxxxxxx.com" nat-traversal keepalive-frequency 0
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "vpn_pool"
set xauth default dns1 10.1.68.10
set xauth default dns2 10.1.68.11
set xauth default wins1 10.1.68.10
set xauth default wins2 10.1.68.11
set xauth default auth server "Microsoft IAS"
set vpn "vpngateway1" gateway "vpngateway" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "XXXXXXXXXX" gateway "xxxxxx@xxxxxxxx.com" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-des-sha"  "nopfs-esp-des-md5"
set vpn "XXXXXXXXXX" monitor
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 112 from "Untrust" to "Trust"  "192.168.0.0/24" "10.1.68.0/24" "ANY" tunnel vpn "XXXXXXXXXX" id 0x9 pair-policy 111 log
set policy id 112
exit
set policy id 111 from "Trust" to "Untrust"  "10.1.68.0/24" "192.168.0.0/24" "ANY" tunnel vpn "XXXXXXXXXX" id 0x9 pair-policy 112 log
set policy id 111
exit
set policy id 110 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 110 disable
set policy id 110
exit         
set policy id 104 name "Webmail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "HTTPS" permit log url-filter
set policy id 104
exit
set policy id 106 from "Trust" to "Untrust"  "10.1.68.10/32" "Any" "DNS" permit log
set policy id 106
set src-address "10.1.68.11/32"
set log session-init
exit
set policy id 24 from "Trust" to "Untrust"  "10.1.68.10/32" "Any" "IMAP" permit log count
set policy id 24
set src-address "10.1.68.210/32"
set service "MAIL"
exit
set policy id 11 name "vpn" from "Untrust" to "Trust"  "Dial-Up VPN" "10.1.68.0/24" "ANY" nat src tunnel vpn "vpngateway1" id 0x6 log count
set policy id 11
exit
set policy id 14 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "Terminal Service" permit log
set policy id 14
exit
set policy id 107 name "All" from "Trust" to "Untrust"  "10.1.68.0/24" "Any" "DNS" deny log count
set policy id 107
set service "IMAP"
set service "MAIL"
set service "NTP"
set service "POP3"
set service "TELNET"
set log session-init
exit
set policy id 108 from "Trust" to "Untrust"  "10.1.68.10/32" "Any" "ANY" permit log
set policy id 108
exit
set policy id 6 name "All" from "Trust" to "Untrust"  "10.1.68.0/24" "Any" "ANY" permit log count
set policy id 6
set log session-init
exit
set policy id 109 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 109
exit
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "ANY" reject log
set policy id 3
exit
set policy id 1 name "Web Browsing" from "Trust" to "Untrust"  "10.1.68.0/24" "Any" "Cisco VPN" permit log count
set policy id 1 disable
set policy id 1
set service "FTP"
set service "HTTP"
set service "HTTPS"
set service "ICMP-ANY"
set service "IKE"
set service "IKE-NAT"
set service "Terminal Service"
exit
set policy id 100 from "Trust" to "Untrust"  "Any" "Any" "MS-RPC-EPM" permit log
set policy id 100 disable
set policy id 100
set service "MS-EXCHANGE"
exit
set policy id 101 name "Inbound Mail" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "SMTP" permit log
set policy id 101
exit
set policy id 103 from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "IMAP" permit log
set policy id 103
exit
set policy id 5 from "Untrust" to "Trust"  "Any" "Any" "ANY" reject log
set policy id 5
exit         
set policy id 113 from "Untrust" to "DMZ"  "Any" "MIP(207.250.XXX.XXX)" "HTTPS" permit log
set policy id 113
exit
set log module system level emergency destination console
set log module system level alert destination console
set log module system level critical destination console
set log module system level error destination console
set log module system level notification destination console
set log module system level debugging destination console
unset log module system level warning destination internal
unset log module system level information destination internal
unset log module system level emergency destination email
unset log module system level alert destination email
unset log module system level critical destination email
unset log module system level notification destination email
unset log module system level emergency destination snmp
unset log module system level alert destination snmp
unset log module system level critical destination snmp
unset log module system level emergency destination syslog
unset log module system level alert destination syslog
unset log module system level critical destination syslog
unset log module system level error destination syslog
unset log module system level warning destination syslog
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
unset log module system level emergency destination webtrends
unset log module system level alert destination webtrends
unset log module system level critical destination webtrends
unset log module system level notification destination webtrends
unset log module system level emergency destination NSM
unset log module system level alert destination NSM
unset log module system level critical destination NSM
unset log module system level error destination NSM
unset log module system level warning destination NSM
unset log module system level notification destination NSM
unset log module system level information destination NSM
unset log module system level debugging destination NSM
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
unset ssl enable
set ssl port 4343
set ntp server "ntp3.cs.wisc.edu"
set ntp server src-interface "ethernet0/0"
set ntp server backup1 "ntp1.cs.wisc.edu "
set ntp server backup1 src-interface "ethernet0/0"
set ntp server backup2 "10.1.68.10"
set ntp server backup2 src-interface "bgroup0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 207.250.XX.XXX preference 20 permanent
set route 192.168.180.0/24 interface bgroup0 gateway 10.1.68.4
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Any help would be greatly appreciated.

Thanks,
Vic Lepouce

RE: New to Juniper SSG 5 - policy being ignored

(OP)
Changed the policy and added to it.  Now works!!!
